Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

About

Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

Disclaimer

Comment Standards

Subscribe by Email Email icon

Subscribe by RSS RSS icon


What's New

Federal Reserve Web Sites

Other Bank Regulatory Sites

Other Resources

October 15, 2012

When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore

Terri SandsThis post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.

P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?

Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.

But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.

P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?

Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.

Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.

Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.

P&R: Is fraud mainly an online problem today?

Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.

October 15, 2012 in banks and banking, fraud, online banking fraud | Permalink | Comments (0) | TrackBack (0)

October 01, 2012

Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012 in ACH, consumer fraud, risk management | Permalink | Comments (0) | TrackBack (0)

September 24, 2012

Alternative Financial Services Grow, and So Do the Unbanked and Underbanked

The just-released 2011 FDIC national survey on unbanked and underbanked households reports that this demographic segment has shown modest growth since the 2009 survey. Despite improvements in the general economy, 20.1 percent of U.S. households are underbanked and 8.2 percent are unbanked completely. According to the FDIC's definition, underbanked consumers may have a traditional bank account, but they rely heavily on alternative providers for financial services (shortened to AFS in the FDIC report). As we described in a previous post on nonbanks, the landscape for AFS today is a highly dynamic free-market environment that fosters creativity and innovation. Will the confluence of a growing underserved market and the ever-expanding role of nonbanks in our U.S. payments system fuel the fire for increased reliance upon AFS in general?

Growing use of alternative financial services
The growing reliance on AFS became more widespread between 2009 and 2011. According to the 2011 FDIC report, about 25 percent of all households, including the unbanked and underbanked, reported using AFS in the last year. These AFS users report finding nonbank financial services more convenient, faster, and less expensive than traditional banks.

Figure 6.1: Timing of AFS Use ofr All Households

Every day, many new types of nonbanks, including telecom firms, are entering the payments space, as we noted in this 2009 post on mobile money transfers. More recently, social networks like Facebook and PayPal-like payment business models such as Dwolla are entering the fray. Regulators of money transfer operators are working diligently to ensure that the myriad of new firms in the business are appropriately licensed and regulated. The fast pace of nonbank entry is creating a confusing regulatory environment and potential vulnerabilities that bad actors may find opportunities to exploit.

The growing appeal of prepaid
The 2011 FDIC report also notes that the unbanked and underbanked households rely on prepaid cards more than do fully banked households. One in 10 households overall reported the use of a prepaid card. The proportion of unbanked household that have used a prepaid card climbed from 12.2 percent in 2009 to 17.8 percent in the last survey.

The fact is, prepaid card adoption has been on the rise for some time. The Fed's last triennial payment study reported it to be the fastest growing retail payment method. The expanded functionality for prepaid payments today make them practical for many uses, including payroll, travel, and the provision of benefits. Consumers can purchase prepaid cards from merchants and other nonbank locales where they might be more comfortable than they would be in a traditional financial institution.

This is all good news in the context of financial inclusion and expanded opportunity for the unbanked to participate in the electronic economy and shift from more informal transfer methods. However, payments experts still have concerns. In particular, there is the risk that violators of money laundering laws may go undetected as stored-value payments move from the plastic card to other access devices such as mobile handsets. FinCEN and other regulators will need to keep these issues front of mind as adoption grows and more nonbanks participate in the prepaid industry.

Implications for policymakers and financial institutions
The report concludes that one particularly noteworthy lesson for banks to consider is the need to make traditional financial products more convenient, faster, and less expensive in order to compete with AFS. They should try harder to appeal to the under- and unbanked by providing expedited availability for deposited funds to compete with check cashers. The report even goes on to say that banks might find it useful to promote mobile technology to increase convenience, the most commonly reported reason that households use nonbank check cashiers. With the growing use of prepaid cards for both federal and state government benefits, astute financial institutions may recognize other opportunities to provide prepaid services that may eventually shift the unbanked and underbanked to more a formal banking economy.

However, one clear trend is that technology is driving entrepreneurship in payments delivery methods in unexpected ways, with new AFS services announced all the time. In the long run, AFS may not be considered alternative any more, shedding the negative reputation that label traditionally implies. If new payments are cheaper and faster, perhaps they deserve a less jaundiced eye.

Cynthia MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 24, 2012 in banks and banking, transmitters | Permalink | Comments (0) | TrackBack (0)

September 17, 2012

Change Is the Only Constant: Section 1073 Set to Take Effect

If you are reading this post, then no doubt you are familiar with the passage of the Dodd-Frank Act, specifically Section 1073, which is the basis for the new rule pertaining to consumer-originated funds transfers from the United States to consumers or businesses in foreign countries. I recently attended a meeting where representatives from the remittance transfer industry discussed the responsibilities, complexities, and challenges of complying with the remittance transfer rule by the inaugural date of February 7, 2013. Not surprisingly, complying with the rule is a massive undertaking—when you consider that the remittance transfer business is, by definition, a business with a global reach.

One premise behind the rule was to create more transparency in remittance costs and thereby encourage competition in the market, to the ultimate benefit of the consumer. Today’s procedures for sending money abroad are basic. Locate one of more than a half-million domestic locations—in addition to many financial institutions, almost every gas station, drug store, and grocery store offer this service—complete a remittance form, hand money and form to a clerk, and wait a few minutes for confirmation. The funds are then made available to the receiver. A recent report published by the World Bank concluded that the United States currently maintains an average total cost to send a remittance below the global average (6.93 percent of the remittance amount versus 9.3 percent), thanks to the high volume and intense competition among the current large number of products and services available in the United States.

However, unknown to both parties at the time of origination is the exact dollar amount that the recipient will receive, because of hidden fees, taxes, and other costs not necessarily apparent. The rule will replace this "unknown" with a required hard copy receipt outlining, in any language used to market, advertise, or solicit business, all fees, commissions, taxes, the exact dollar amount netted to the receiver, and the time that the funds will be available for pickup. (There are other specifics, but no need to reiterate the entire law in this short blog!) A common pain point yet to be resolved in the compliance effort revolves around the ability of the sending entity to provide accurate receiving-end tax information. As an example, some countries have multiple and changing tax rates for different regions or a variable-fee structure on the receiving end based on the receiver’s status and relationship with the receiving entity. These tax and fee issues suitably demonstrate how achieving compliance will require cooperation from foreign entities in more than 213 country corridors, not under a remittance transfer provider’s control or subject to U.S. jurisdiction. Many in attendance suggested that a central database of tax information may be a way to address the conundrum. Whether provided by a third party in the industry or a government entity, a central database would provide consistent data and minimize research and upkeep costs for all transmitters.

In addition to cooperation, education for all players will be instrumental. Consumers should be made aware of their new right to cancel any transaction within 30 minutes of submitting and that they have contact information on their receipt in the event of any errors. At the same time, all remittance providers, including agents, need to be trained and educated to ensure compliance with this new rule.

With system changes required to produce the disclosures, will remittance providers reduce the number of channels used for remittances until they can modify their systems? With the number of contractual agreements required, will providers reduce the number of countries served or products offered? And given the cost, will remittance providers raise prices? And will U.S. consumers find alternative ways to send money? Only time will tell as the deadline for complying approaches.

The rule may eliminate some existing players from the game, as protection never comes without a price. At the same time, pioneering and innovative competitors might provide new channels and more products that will benefit consumers. Like anything that forces us to reinvent ourselves, change brings with it new threats and challenges, but the opportunities can be vast and rich. With a little imagination and a lot of hard work, the rewards can be enormous.

Remember, "The only thing that is constant is change" – Heraclitus

Michelle CastellBy Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 17, 2012 in regulators, remittances, Section 1073 | Permalink | Comments (0) | TrackBack (0)

Next »