Full text of Portals and Rails : 2009 Compendium

View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

porta l s & r a i l s
2009 Compendium

Founded in 2008, the Retail Payments Risk Forum is
housed at the Federal Reserve Bank of Atlanta. The forum
is designed to bring together expertise residing within
the Federal Reserve, financial institutions, other industry
participants, regulators, and law enforcement. The forum
facilitates collaboration among these diverse parties, all of
whom share common interests in improved detection and
mitigation of emerging risks and fraud in retail payments
systems. The forum accomplishes this by providing
resources to research issues and sponsor dialogue.
Portals&Rails, a blog sponsored by the
Retail Payments Risk Forum of the Federal
Reserve Bank of Atlanta, can be found online:
portalsandrails.frbatlanta.org

porta l s & r a i l s
2009 Compendium

contents
First Quar ter 2009

Second Quar ter 2009

0 5 F e b r u a r y 0 2 , 2 0 0 9

10 A p r i l 14 , 2 0 0 9

Welcome to Portals and Rails

Why aren’t we seeing fraud
in remote deposit capture?

06 February 02, 2009

Retail Payments Risk and Fraud:
Detection and Mitigation
06 February 23, 2009

11 M ay 1 2 , 2 0 0 9

Patenting the payments system:
Navigating confusing and
congested waters

Why should I work with you?
1 2 M ay 19, 2 0 0 9
0 7 M a r c h 10 , 2 0 0 9

B2B: Will checks ever really go away?

State attorneys general shine light
on gray areas of payments risk

0 8 M a r c h 19, 2 0 0 9

1 3 M ay 2 6 , 2 0 0 9

Can information sharing
reduce fraud?

SARs trends, SAR Review
teams, and fraud

10 M a r c h 2 7, 2 0 0 9

14 M ay 2 9, 2 0 0 9

2008: A year of thought on
retail payments risk and fraud

Do market forces drive fraud?
15 J u n e 0 7, 2 0 0 9

How much risk lurks in the
shadows of daylight overdraft?
16 J u n e 15 , 2 0 0 9

Zero balance? Credit card companies
may zero in on “deadbeats”
17 J u n e 2 2 , 2 0 0 9

Payments fraud no longer
just a white collar crime
1 8 J u n e 2 9, 2 0 0 9

Fraud Enforcement and
Recovery Act of 2009

Third Quar ter 2009

Four th Quar ter 2009

1 8 J u ly 0 6 , 2 0 0 9

31 Oc t o b e r 0 5 , 2 0 0 9

Remotely created checks: Distinguishing
the good from the bad

Mobile top-up for international remittances:
New opportunities and new risks

19 J u ly 1 3 , 2 0 0 9

3 2 Oc t o b e r 1 3 , 2 0 0 9

Consumer complaints may be “canary
in a coal mine” for payments risk

Patenting the payments system: New
developments in patent law may have
dramatic impact on payments players

21 J u ly 2 4 , 2 0 0 9

Transparency: Seeing through International ACH

3 3 Oc t o b e r 2 0 , 2 0 0 9

Accounting for ACH losses: What are
the right numbers to crunch?

Building a bridge: Will proactive discussions
of fraud concerns help drive financial services
and telecom industry collaboration in the
emerging mobile payments context?

2 3 A u g u s t 10 , 2 0 0 9

3 4 Oc t o b e r 2 6 , 2 0 0 9

2 2 A u g u s t 0 3 , 2 0 0 9

Collaboration to address payments risks and fraud

Survey shows risk concerns slow adoption
of cell phones for mobile payments

2 4 A u g u s t 17, 2 0 0 9

Oliver: Funding of risk initiatives faces risky times
2 5 A u g u s t 2 4 , 2 0 0 9

Forum launches “Payments
Spotlight” podcast series

3 5 N o v e m b e r 0 2 , 2 0 0 9

Payments Spotlight Podcast: WACHA’s
Gilmeister discusses commercial account
takeovers and other emerging risks
3 6 N o v e m b e r 0 9, 2 0 0 9

2 6 A u g u s t 31 , 2 0 0 9

Will micropayments thrive in social
networks? (Part 1 of 2)

Will interchange provide the driver for
disruptive payments innovation?
3 7 N o v e m b e r 16 , 2 0 0 9

2 7 S e p t e m b e r 0 8 , 2 0 0 9

Will micropayments thrive in social
networks? (Part 2 of 2)

Threats to online banking security
may alter payment choice
3 8 N o v e m b e r 2 3 , 2 0 0 9

2 8 S e p t e m b e r 14 , 2 0 0 9

Stickers and skins: The next phase in
proximity payments and mobile payments

Banks run more than just security risk
with single-factor authentication
4 0 N o v e m b e r 3 0 , 2 0 0 9

2 9 S e p t e m b e r 21 , 2 0 0 9

Not all payments are equal
under “good funds” laws

KC Fed conference asks ‘What’s the future
role for central banks in retail payments?’
4 0 D e c e m b e r 0 7, 2 0 0 9

3 0 S e p t e m b e r 2 8 , 2 0 0 9

Coordinating roles in mobile
payments: Who will we trust?

If nonbanks drive payment innovation,
will banks pay for the risk management?
4 3 D e c e m b e r 14 , 2 0 0 9

Consumer preference for opt-in guides
Fed rule on overdraft protection
4 4 D e c e m b e r 21 , 2 0 0 9

“Money mules” carry load
for global cybercriminals
4 6 D e c e m b e r 2 8 , 2 0 0 9

Mobile money transfers: Benign
P2P or hawala money?

February 02, 2009

Welcome to Portals and Rails
It is my pleasure to welcome you to Portals and Rails, a
blog sponsored by the Retail Payments Risk Forum of the
Federal Reserve Bank of Atlanta. The purpose of Portals
and Rails is to encourage ongoing dialogue on emerging
issues in retail payments and to inform and guide the work
of the Retail Payments Risk Forum.
The Retail Payments Risk Forum was established to
address the challenges faced by the industry, bank
regulators, and law enforcement in managing retail
payments risks and to enhance collaboration among
these parties to detect and mitigate fraud. As the U.S.
retail payment systems continue to shift from paper
to electronics, bringing with them the introduction of
innovative payment instruments and channels, the risk
profiles of payment participants are also shifting. The
most recent Federal Reserve payments study, conducted in
2007, revealed that the use of electronic payment methods
is growing rapidly in response to technological advances
in computing power and telecommunications, as well as
changes in user preferences. This growth is accompanied
by increased nonbank participation in payment systems.
While nonbanks play a vital role in a variety of different
payment activities, their increased role in retail payment
systems introduces new and often unanticipated risks.
All this is not to say that legacy payment instruments
and channels are outside the scope of our radar. Paper

and electronic checks remain important components in
the retail payments landscape and unfortunately are
increasingly products targeted by bad actors as entries to
retail payment systems to conduct fraudulent transactions.
The Retail Payments Risk Forum is initially focusing on
trends in checks and in the ACH network, drawing on the
expertise housed within the Federal Reserve System’s
Retail Payments Office, also geographically situated at the
Federal Reserve Bank of Atlanta. The Retail Payments
Risk Forum will seek out opportunities for collaboration
with other existing forums, such as those for card-based
payments, where appropriate.
To meet the challenge of addressing the myriad new risks
in retail payment systems, the Retail Payments Risk
Forum has established Portals and Rails as a means
of introducing ideas, asking questions, and facilitating
communication among interested parties on various
topics relating to retail payments risk and fraud. We
hope Portals and Rails provides you a virtual arena for
collaboration and discussion of issues of common interest.
We encourage your participation in Portals and Rails and
look forward to ongoing collaboration with you.
By Richard R. Oliver, executive vice president of the
Retail Payments Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

First Quarter 2009

February 02, 2009

February 23, 2009

Retail payments risk and fraud:
detection and mitigation

Why should I work with you?

The Retail Payments Risk Forum hosted a conference
titled “Risk and Fraud in Retail Payments: Detection and
Mitigation” at the Federal Reserve Bank of Atlanta on Oct.
6–7, 2008. This conference provided a collaborative forum
to facilitate information sharing among experts and foster
improved detection and mitigation of retail payments risks
and fraud in check and automated clearinghouse (ACH)
payment systems. Experts from banking agencies, state
and federal law enforcement, NACHA, the ACH operators,
and others explored barriers and discussed opportunities.
The meeting leveraged the assembled expertise to identify
opportunities for further collaboration.
Three expert panels discussed themes regarding thirdparty risks in retail payments, enforcement actions, and
consumer protection concerns. Participants were then
asked to discuss key topics in smaller breakout groups,
including information-sharing limitations, policing bad
actors, collaborative opportunities, substantive areas of
concern, and the role of the Retail Payments Risk Forum.
The proceedings of the conference are summarized in the
full-length conference summary, which can be found as
text or pdf. We encourage you to review the conference
summary and also to provide any comments you may
have within Portals and Rails. In particular, we want
to know what you thought of the topics addressed. Did
the discussions reflect your understanding of the issues?
Did we miss anything? What topics would you like to
see addressed in future such events? How do we best
ensure ongoing collaborative work among industry,
regulatory, and law enforcement parties in the detection
and mitigation of retail payments risks and fraud? Your
thoughts are very valuable to us!
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

At some level, we’re all selling something, even if it’s just
ourselves. Everyone has a reputation and a résumé to
build. Information is power. We all have bosses to please,
goals to meet. So when and how do these stars align such
that we can work together?
Payments is a network industry with chicken-and-egg
problems. It requires someone to step forward, perhaps
to risk losses, in order to build networks of users and
providers that enable a payments network to operate.
Think of a simplistic credit card network—users need to
know that merchants will accept it, banks need to know
that they can make money to provide the lending that
backs it, and merchants need to know that they’ll be
compensated with business in order to justify the costs.
The same dynamics apply to those who are minding
the store when it comes to addressing risk and fraud in
payments networks. Who’s willing to step out (at some
risk) to take on the tough challenge of pulling the variety
of industry, regulatory, law enforcement, merchant, and
consumer interests together? Where’s the money to be
made? Where’s the competitive advantage?
In the best sense, law enforcement is imbued with an
altruistic drive to do good by catching the bad guys, and
bank supervision is all about ensuring a safe and sound
banking system.
In the best sense, payment services providers seek to
provide a safe and efficient environment for the exchange
of value. But will any service provider risk exposure to
reputational and other risks just because it’s good for the
payment system?
Payments is also an industry that offers opportunities
to leverage positive “network effects”—the more users of
a payment mechanism make it more valuable for all as
it becomes more ubiquitous, commonly understood, and
efficient. The same network dynamics should apply to
those who are minding the store when it comes to retail
payment systems risks.
All these interests and perspectives can align if we are
realistic in our approach to interest alignment and continue
to collectively look for opportunities of mutual benefit.
Where do you see alignment and opportunity?
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

Porta ls&R a i ls 2009 Compendium

M a r c h 10 , 2 0 0 9

While check writing in the aggregate is on the decline, one
last bastian may remain in the business-to-business (B2B)
arena. While consumers are adopting electronic payments
at an increasing rate, most B2B payments continue to
be made by check— roughly 74 percent according to a
2007 survey conducted by the Association of Financial
Professionals (AFP). This study found that the average
business surveyed makes 65 percent of its B2B payments
to suppliers by check, with 18 percent by automated
clearinghouse (ACH) credit, and 11 percent by wire
transfer. With the myriad of payment choices available to
suit a variety of user preferences for both consumers and
businesses, why has the migration to electronic payments
by businesses lagged that of consumers?
The adoption of electronic payments by consumers has
exceeded analysts’ projections in recent years as a result
of a confluence of a number of different variables, namely
convenience, security, and efficiency, which have provided
the necessary incentives for adoption. The Internet has
emerged as an increasingly trusted payments and product
distribution channel as well, facilitating the initiation
of electronic payments via both card networks and the
ACH. While the same benefits of electronic commerce are
desirable to the B2B payments segment, the complexity
of the B2B payments landscape along with technology
constraints for smaller business partners contribute to a
less rapid adoption than seen in the consumer-to-business
segment. What are the major B2B barriers to adoption,
and how are they being addressed?

The problem with cards
Cards are an expensive proposition for payments between
trusted and known business partners, particularly for
large value payments. While they offer advantages such
as financial management and control, they also impose
a hefty interchange fee of roughly 2 percent of the
transaction. If you know and trust your customer, you
are probably more inclined to write a check, which has no
transaction fee. This scenario is likely to be particularly
true during times of economic downturn such as we are
now experiencing.

First Quarter 2009

B2B: Will checks ever really go away?
permits the transmission of payments and remittance
data, there are a number of other alternative methods to
deliver remittance information.

Obstacle: no standard remittance information
One clear obstacle to the migration from paper to
electronic payments is the lack of standardization in the
way remittance information is sent with the payment.
Because of variations in data formats, trading partners
may not be able to send or receive automated remittance
information with electronic payments, inhibiting the
automation of accounts receivable systems. Smaller
organizations typically lack full integration between
electronic payment and accounting systems, as their
incentives to invest in the enabling technology are likely
to differ from their large corporate counterparts.
Since electronic payments are typically faster than
checks, an accounts receivable function might embrace
an electronic payment in order to reduce the time to
collect receivables, in direct contrast to an accounts
payable function. Sophistication and size generally
correlate to willingness to invest in the technology to
adopt electronic payments.

Moving from checks to electronic payments
can reduce fraud
In the AFP’s 2008 Payments Fraud and Control Survey
organizations of all sizes reported more attempted or
actual payments fraud in 2007 from checks than from
other payment methods. However, the report also notes
that the majority of survey respondents did not actually
suffer financial loss from the fraudulent activitity,
suggesting that effective use of risk mitigants to control
fraud once it is identified.
Continued on next page

ACH and wire transfers
Wire transfers are important for payments that are high
dollar and require immediate settlement. Their high-cost
limits their use, however. Also, wire transfers tend to be
used by larger versus smaller business organizations. The
ACH is growing more popular for larger organizations for
payments between major trading partners but is used more
to receive than to make payments. It is also important to
note that NACHA rules currently prohibit the conversion
of business checks in the ACH. While the ACH format
frbatlanta.org/rprf

M a r c h 10 , 2 0 0 9

M a r c h 19, 2 0 0 9

First Quarter 2009

Can information sharing
reduce fraud?

Continued from previous page

Payment Methods Subject to More Payments
Fraud in 2007 Compared to 2006
(Percent of Organizations Subject to Greater Amount
of Attempted or Actual Payments Fraud)
All
Organizations

Revenues
over
$1 billion

Revenues
under
$1 billion

90%

88%

89%

ACH debits

Consumer ACH
and/or Card
Payments*

Corporate cards

Wire transfers

Prepaid Gift Cards

ACH credits

Checks

* receive only
Source: 2008 AFP Payments Fraud and Control Survey

B2B future is likely electronic
While the pace of migration to B2B electronic
payments may not accelerate in today’s distressed
financial environment, eventually the obstacles to the
electronification of B2B will be resolved. For now, the
bottom line is that businesses want to send payments in
the most cost-effective way possible, and no one payment
type may suit every payment need. Just as consumers
will continue to avail themselves to the full spectrum of
payment alternatives, depending upon what is cheapest,
trusted, and most convenient, so too will businesses choose
payment options that makes the most business sense.
Electronic payments are growing in the B2B space, but
not by leaps and bounds, even in recent times when the
economic outlook was favorable and financial institutions
were readily investing in payments technology. While
the future of B2B payments will likely be electronic
versus paper-based, there is no clear evidence to show
whether businesses will choose one electronic option
to the exclusivity of another. For now, checks continue
to represent a good value proposition to businesses,
particularly when they can be imaged during the collection
process to avoid transportation costs.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

I was doing some research recently to see what I could find
on the legal impediments to information sharing among
law enforcement agencies and bank regulators when I
ran across a report published by the U.S. Government
Accountability Office (GAO) in March 2001 titled “Financial
Services Regulators: Better Information Sharing Could
Reduce Fraud.” The paper identified some benefits as
well as barriers to sharing information and proposed a
recommendation for moving forward. While little has
changed since the GAO first issued that report, there still
remains much to be gained in addressing these issues.
One of the things we hear from the financial services
industry, law enforcement, and bank regulators is that
we need to collaborate by sharing information to better
detect and mitigate fraud in retail payments. Most of
the law enforcement representatives we talk to say that
payments fraud is on the rise as global and domestic
fraud rings alike are gaining access to consumer data for
identity theft and financial transactions. According to
these representatives, the bottom line is that fraudsters
are talking to one another and sharing information over
a number of channels including the Internet, chat rooms,
and even within the prison system. With this information
in mind, perhaps now is the time to rethink the way we
share information to prevent and mitigate fraud and risk
in retail payments.

Databases for sharing information are
decentralized among separate bank regulators
Decentralization of information by bank regulators is
one of the barriers noted in the GAO report. Because
the systems and databases that maintain records on
individuals and businesses, consumer complaints, and
disciplinary actions are decentralized among the separate
regulators within the banking industry, an investigation of
a rogue actor realistically could involve separate inquiries
of the different bank regulators.

Most information sharing is limited to public information
The GAO report also concluded that while financial
regulators agreed about the benefits of sharing regulatory
and criminal data, there were concerns about how to do
that without creating confidentiality, liability, and privacy
issues as well as the potential for inappropriate use of
information. Regulators expressed concern about the
potential for premature disclosure of information obtained
through regulatory activities or criminal investigations.
Once they are final, formal enforcement actions taken
against banks, as well as cease and desist orders and civil
money penalties, are all public documents that identify

Porta ls&R a i ls 2009 Compendium

First Quarter 2009

individuals and entities responsible for criminal, civil,
and otherwise unsafe and unsound banking practices.
However, the lag time between the identification of the
risky or fraudulent practice and issuance of the formal
action can be considerable and does not make information
available for other victims or potential targets.

Information sharing is still in separate silos
at the institution level
One caveat to the potential benefits derived from an
industry-wide information sharing mechanism is the
fact that data are often isolated among disparate silos
within a financial services company. Enterprise-wide risk
management is often designed to aggregate information
from separate lines of business, each often equipped with
its own fraud prevention process and data collection. The
successful business model going forward might enable the
sharing of information across a bank’s payment products
and channels to prevent a fraudster from hitting the same
institution multiple times.

Private industry efforts are emerging to collaborate
There are a number of private industry initiatives in play,
such as third party–sponsored consortiums for financial
institutions to share information among one another.
These services are provided at a cost that some financial
institution participants are unwilling or unable to bear.
The cost for information serves as a barrier in this sense,
potentially driving the fraudsters to the weaker links in
the system that cannot afford to participate in the cost of
building a data-sharing mechanism.

Conclusion
Financial modernization efforts have resulted in more
electronic transactions of payments and information.
While non-technological means of fraudulently obtaining
confidential consumer information remain prevalent
(dumpster diving, etc), the use of the Internet and chat
rooms makes it increasingly easy for rogue actors to
communicate and share information to perpetrate fraud.
Social networks are growing in popularity as consumers
are increasingly comfortable in sharing information over
the Internet. This technologically inspired trend was not
entirely envisioned when the laws and rules designed
to protect rights to privacy were crafted. Changing the
legal boundaries established among regulatory and law
enforcement agencies may be necessary to enable truly
effective detection and mitigation of fraud, but this practice
can’t happen overnight.
What steps can we take to break down the barriers to
information sharing? How do we balance one party’s
“need to know” with another’s need to safeguard
sensitive information? How do we determine what
data are most universally useful in our mutual
efforts to predict and recognize fraudulent activity
and identify the bad actors? We would like to hear
from you, so please let us know your thoughts.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

First Quarter 2009

M a r c h 2 7, 2 0 0 9

A p r i l 14 , 2 0 0 9

2008: A year of thought on retail
payments risk and fraud

Why aren’t we seeing fraud
in remote deposit capture?

Looking back, 2008 saw an array of Federal Reserve
Bank–sponsored conferences and events focused on retail
payments risk and fraud issues, as well as a number
of highly relevant papers. It’s worth compiling and
highlighting a few of those Federal Reserve efforts (at the
risk of leaving some out!). I think all these developments
reflect a renewed interest in public-private partnerships
both in the Fed and in the industry, interest that will
promote collaborative efforts to address common issues.

The growth in electronic payments and a distressed
economy together have created an environment ripe
for new payment fraud opportunities, according to the
Association for Financial Professionals’ 2009 Payments
Fraud and Control Survey. But while the report notes that
more than 70 percent of firms surveyed were the victims
of attempted or actual fraud during 2008, no increase was
reported in attempted fraud associated with the adoption
of remote deposit capture (RDC) services. While nearly
half of the respondents indicated that their organizations
had offered services to customers to transmit check images
using remote deposit, only 1 percent reported that they
experienced payment fraud as a result.

First, here are links to three conference summaries and
related papers resulting from Reserve Bank–hosted events
in 2008:
• April 2008 – Philadelphia Fed Payment Cards Center:
“Maintaining a Safe Environment for Payment Cards:
Examining Evolving Threats Posed by Fraud”
• June 2008 – Chicago Fed Payments Studies:
“Payments Fraud: Perception Versus Reality”
• October 2008 – Atlanta Fed Retail Payments
Risk Forum: “Retail Payments Risk and
Fraud: Detection and Mitigation”
In addition to the results of these conferences, there were a
number of papers published last year from Fed staff that I
would also highlight to our readers on relevant issues:
• Braun, et al., “Understanding Risk Management
in Emerging Retail Payments”
• Gerdes, “Recent Payment Trends in the United States”
• Jacob and Summers, “Assessing the landscape
of payments fraud”
• Weiner, “The Federal Reserve’s Role in Retail
Payments: Adapting to a New Environment”
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

Porta ls&R a i ls 2009 Compendium

Fraud as a Result of Remote Deposit Capture Service
(Percentage Distribution of Organizations
That Use Remote Deposit)
All
Respondents

Revenues
over
$1 billion

Revenues
under
$1 billion

Experienced fraud

Did not
experience fraud

99%

98%

99%

Source: AFPonline.org

Does nascence explain lack of reported fraud?
While RDC adoption has been rapid, it remains at an
early stage in the technology adoption lifecycle. Anecdotal
evidence suggests that some financial institutions and
their customers have initiated service offerings judiciously
to known business customers and thereby mitigated
the inherent risk exposure from RDC. However, less
sophisticated adopters may lack the operational systems
and control processes to identify fraud when it happens or
are otherwise not forthcoming to admitting when they are
victimized. Time will tell if fraud trends emerge or become
more transparent as RDC grows into a more mature
service offering by financial institutions.

M ay 1 2 , 2 0 0 9

Risk management and regulatory oversight

Conclusion
No one can be sure why firms that offer RDC aren’t
experiencing fraud as they are from other payment
services, particularly those that are check-related. It could
be the way that information is captured and reported
within an organization. One thing we know for sure is
that RDC adoption is expected to continue to grow as
businesses and consumers convert paper checks to more
cost-effective electronic payments. Will fraudsters find
vulnerabilities to exploit in the risk management efforts
on behalf of product vendors, bank regulators, thirdparty servicers, and the financial institutions themselves?
We would like to hear from you. Feel free to share your
thoughts with us.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

Anybody looking to innovate in the payments space may
need to tiptoe carefully to avoid stumbling upon patent
infringement. What’s more, the complex patent landscape
may raise interesting questions about the ability of the
payments industry to collaborate.
Some years ago I ran a thought experiment to consider
whether U.S. “payments patents” could be assessed easily
using the U.S. Patent and Trademark Office (USPTO)
classification system. Unfortunately, the classification
system does not label patents as “payments-related” per
se, so there is no scientific manner to search for related
patents without studying claims on thousands of patents
individually. However, one can derive an impression
of the landscape by using a simplified approach of
counting patents across a limited set of USPTO patent
classifications that most strongly exemplify “paymentsrelated patents” (drawing particularly on subclassifications
705/39-45 and 705/64-79). In these subclassifications,
3,659 patents were issued from 1998–2008, with 653
(17.8 percent) issued in 2008 alone. If one considers these
back-of-the-envelope calculations and even controls for the
“noise” between the USPTO classification system and what
is considered “payments-related,” there is nevertheless
a revealing picture of the complexity and potential for
patent infringement for any firm trying to innovate in the
payments space.
What’s more, an understanding of the payments patents
landscape is also useful when considering the possible
impact of patents on a highly segmented market like
payments, which is characterized by network effects, firstmover advantages, large sunk costs, and lock-in effects.
Some existing research examines the impact of patents on
financial services innovation generally.
In the payments market, on balance, will patent holders
hinder market entry, or will they enable new market entry
for new innovations? How do patent rights affect payments
industry efforts to set standards, develop and implement
innovative risk management tools, or create new products
that improve the integrity of the payments system overall?
Does a concern about patent rights further hinder industry
efforts to share information necessary to address risk
issues collectively?
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

Second Quarter 2009

We spoke with examiners in the Atlanta Fed and learned
that they’ve had RDC on their radar for some time and
have promoted sound risk management practices during
bank examinations in advance of formalized interagency
guidance. In January, the Federal Financial Institutions
Examination Council (FFIEC) published its official
guidance for banks’ risk management of RDC services.
This guidance provides a comprehensive summary of the
risks inherent in this service and the necessary elements
of an effective risk management program. As prescribed
in the FFIEC guidance, the same disciplines that apply to
the risk management of other bank products and services
apply to RDC. First and foremost, it is critical to have
proper due diligence in the selection and monitoring of
third-party service providers to whom certain operational
functions are outsourced, along with accurate and ongoing
self-risk assessments of the financial institution’s internal
and external business environments.

Patenting the payments system:
Navigating confusing and
congested waters

M ay 19, 2 0 0 9

State attorneys general shine light on gray areas of payments risk

Second Quarter 2009

When considering due diligence standards in payments
relationships, banks and others may want to look beyond
bank regulators, legal requirements, and NACHA rules
to also include considerations developed out of the work
of state attorneys general. During the last several years,
state attorneys general have found their way into the
payments risk management space as they have sought to
inhibit merchants from evading taxes, promoting internet
tobacco sales to minors, and other illegal behaviors. In
their pursuit of wrongdoers, states have investigated the
payments processors who aggregate and/or initiate ACH
payments or remotely created checks, and the banks who
accept these items through their account relationships as
well. In doing so, these states have negotiated settlement
agreements, which include due diligence policies for banks
and payment processors. The results of these efforts may
raise interesting questions as to whether or not existing
regulatory guidance, NACHA rules, or legal requirements
are sufficiently specific or clear standing alone.
One instance is instructive. Beginning in 2006, the
states of California, Idaho, and New York began to
investigate Internet tobacco sales activities in violation of
various state laws. These investigations led to negotiated
settlements with ECHO Inc., a payments processor,
and with First Regional Bank, a California-based
financial institution. These settlements included detailed
requirements for the processor and the bank to perform
due diligence on their customers (or, for the bank, their
customers’ customers). In particular, First Regional Bank
was required to institute a “Tobacco Policy” under which
the bank would perform specific steps to ensure it did not
permit illegal tobacco sales activity to be facilitated using
payments originated via its accounts. As an example, the

Porta ls&R a i ls 2009 Compendium

bank’s policy would include terminating accounts with
any processor who failed to terminate processing for
any customer who a) switched ACH activity to “demand
drafts” (presumably focused on remotely created checks)
once notified of a problem or b) offered “demand drafts”
as a means to avoid ACH return scrutiny. This provision
highlights a particular concern with illegal activity,
including frauds, switching between ACH payments, and
remotely created checks to avoid the network scrutiny
instituted by the ACH operators and NACHA.
The efforts of the states, such as in the example above,
raise potential questions about the specificity and clarity
of the guidelines issued by the banking regulators, such
as those issued by the OCC and FDIC with regard to
payments processor relationships. The bank supervisors
promote banks taking a risk-based view of due diligence
requirements rather than prescribing specific actions.
NACHA rules require commercially reasonable standards
generally, suggest contracts should be in place with
third-party senders, and make clear the ODFI bears the
responsibility for the items it introduces into he ACH
network but do not otherwise prescribe due diligence
standards for processor relationships.
Subject to the principles-based standards described
in supervisory guidance, NACHA rules, and other
considerations, banks and even payments processors
themselves might want to consider the standards included
in state attorney general settlements in developing their
own due diligence policies.
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

M ay 2 6 , 2 0 0 9

SARs trends, SAR Review teams, and fraud

SARs were initially associated with
money laundering and terrorist
financing concerns, but now, some
experts note, SARs are increasingly
filed for other potential suspicious
activities such as identity theft and
consumer fraud. Possibly this trend is a further reflection
of the sophistication of integrated and automated
systems deployed by some financial institutions which
can detect suspicious activity of all types, or possibly this
development is a manifestation of the “defensive filing”
phenomenon. FinCEN Director James Freis was recently
quoted in the American Banker: “I think that more
bankers are realizing that the same due diligence required
for AML (Anti-Money Laundering) compliance is also a
powerful weapon against fraud.”
Another contributing factor not mentioned by the GAO
report is growth in the overall volume of banking
transactions such as mortgage activity. However this
factor is not likely to fully explain the very rapid growth in
SAR filings in these years. Moreover, there is the question
of whether the increase in SAR filings is reflective of an
increase in criminal activity itself.

Second Quarter 2009

A February 2009 report from the
U.S. Government Accountability
Office (GAO) found that between
2000 and 2007, suspicious activity
report (SAR) filings by depository
institutions nearly quadrupled, from
163,000 to 649,000 per year, with
2008 promising even further growth.
The GAO report posited two key
forces driving the overall increase in
filings: a) the deployment of automated
monitoring systems that can assess
suspicious activities using customer
profile information and b) heightened
diligence in light of several highprofile cases involving poor account
monitoring by some institutions, which
may have led to institutions filing more
SARs “defensively” to avoid criticism.

used as supporting documents for existing cases, these
SAR review teams look to SARs also for the purpose of
initiating new investigations. SAR reviews by these teams
may uncover links among superficially distinct SARs that
can lead to criminal prosecutions, civil forfeiture actions,
federal or state regulatory actions, warning letters, and/
or referrals to other agencies or districts. Further, these
teams help to coordinate efforts and more efficiently
allocate scarce resources.
Will the confluence of increased reporting, improved data
monitoring by many institutions, and proactive monitoring
of SARs by SAR review teams have a measurable impact
on abuse of payments systems and associated fraud?
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

The 2001 National Money Laundering Strategy called for
the establishment of “SAR review teams” in every federal
judicial district, drawing together federal law enforcement
(U.S. attorneys offices, Internal Revenue Service, U.S.
Immigration and Customs Enforcement, Federal Bureau
of Investigation, Secret Service, U.S. Postal Inspection
Service, etc.), federal banking regulators, and state and
local law enforcement. While SARs have typically been
frbatlanta.org/rprf

M ay 2 9, 2 0 0 9

Do market forces drive fraud?
In today’s U.S. markets for payment and credit services,
have we overshot the mark in keeping personally
identifiable information private, thereby lowering the bar
to fraudsters?

Second Quarter 2009

Providers of credit and payment services traditionally
required customers to have a public identity, such as by
providing references, allowing the provider to verify the
person’s identity and creditworthiness before opening
an account. This required the potential customer to be
socially engaged and sacrifice some privacy to establish
a public identity. Some non-Western cultures still look
to public personas to help ensure good conduct. Consider
Qifang, a new Chinese peer-to-peer lending business,
which requires potential borrowers to provide not only
personal information but also information about family
members, thereby raising the penalty for default as it may
cause the whole family to “lose face.”
U.S. consumers have come to expect instant gratification
in their ability to open accounts, obtain credit, and
complete payments. Further, they tend to demand privacy
and security of their personally identifiable information
and want to share the least information that will facilitate

the transaction. These market demands may drive
payment services providers to impose the least amount of
privacy requirements and security risk on their customers
to facilitate the most “frictionless” transactions possible.
While perhaps inevitable and likely a positive driver of
payments innovation, this confluence of market forces
may nevertheless increase the vulnerability of payment
systems to risks such as those resulting from identity theft
and new account fraud—less information is demanded
of a legitimate customer, so similarly the hurdles to
wrongdoers are lower.
Some thinkers in this arena have applied economic
analysis to the trade-offs between privacy, data security,
and fraud prevention. Others have advocated re-evaluating
entirely how we view privacy, by severing the link between
identification information (which should be harmless and
public) and privacy, in effect permitting individuals to
preempt imposters by making their identity fully public
and allowing anyone to verify it easily.
While there is great emphasis on protection of personally
identifiable information (driven by law and regulation,
consumer demand, fear of reputational impact from
data breaches, etc.), as long as such
information can be used effectively to
perpetrate fraud, risks will persist.
As payment providers simultaneously
compete for the most user-friendly,
hassle-free, fast, private, secure
services model, they also may have
incentives to require less personally
identifiable information. This is less
intrusive for their customers and also
helps avoid storage of such information.
This may drive providers to require
the lowest level of information and,
as mentioned before, lower the bar for
fraudsters as well.
Do these market incentives in effect
foster an environment where identity
theft and resultant payment frauds
can proliferate? If so, how can this
problem best be addressed?
By Clifford S. Stanford, assistant vice
president and director of the Retail
Payments Risk Forum at the Atlanta Fed

Porta ls&R a i ls 2009 Compendium

J u n e 0 7, 2 0 0 9

How much risk lurks in the shadows of daylight overdraft?

Second Quarter 2009

With the U.S. banking system in financial distress, the
Fed provides payments services to a greater number of
problem banks. So how much of an issue is the credit
risk associated with retail payments today? As you know,
financial institutions, much like the commercial and
retail customers they serve, from time to time experience
the need for overdraft credit—short-time loans to
accommodate the management of incoming and outgoing
funds. The Fed provides daylight overdraft protection to
financial institutions that experience timing differences
in ACH service offerings so that they can meet their cash
flow obligations, in the same way a financial institution
provides overdraft protection. The Fed, like any prudent
lender, also maintains a responsibility to carefully manage
the credit risk exposure from these provisions of credit.
The need for the Fed to monitor ACH activity for overdraft
exposure becomes critical when a financial institution’s
health is in question.

How does the Fed monitor the financial health
of financial institutions?
It is important to remember that the Fed is also a bank
regulator, and it works collaboratively with other bank
regulators to monitor bank conditions. When a bank’s
financial condition deteriorates, the agencies communicate
the institution’s regulatory rating and other relevant
information to the Fed in its U.S. payments oversight role.
Wearing that hat, the Fed may choose to restrict lending in
a number of ways, such as limiting access to daylight credit.

Real-time monitor
One tool that can be used to restrict daylight credit access
is “real-time monitoring” (RTM), which is implemented
through the Account Balance Monitoring System (ABMS).
With RTM, the Fed can reject certain transactions from
posting to an institution’s account if that posting would
cause the institution to exceed its daylight credit limits.
Under RTM, any funds transfers from the account or ACH
credit originations (which are required to be prefunded)
that would cause an institution to exceed its daylight
credit capacity would be rejected.

Interest on reserves and daylight overdrafts
One conundrum in this equation is that the need for
overdrafts has diminished recently as banks began
maintaining higher reserves, prompted by the Fed’s
decision to start paying interest on reserve balances.
Before, banks were reluctant to hold too many reserves
because they were a nonearning asset. Since the Fed
didn’t compensate banks for holding the reserves, banks
could find more rewarding uses for their funds. With more
reserves in the system, the need for intraday borrowing
from the Fed has decreased. Whether that trend will
continue as the economy improves and the financial
condition of the banking sector stabilizes, thereby creating
more lucrative uses for excess reserves, remains to be
seen—but then maybe we won’t have as many high-risk
banks as the economy improves. Let’s hope not.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

J u n e 15 , 2 0 0 9

Zero balance? Credit card companies may zero in on “deadbeats”

Second Quarter 2009

Payment industry experts suggest that credit
card companies will make up for lost income
from congressionally-mandated curtailment
of fees and penalties by going after credit
card “deadbeats,” which may not mean
what you think. To credit card companies,
“deadbeats” are customers who pay off their
balances regularly and provide little or no
revenue to the card issuers. Because banks
are expected to lose substantial revenues
as a result of the new legislation, they are
looking to replace those revenues, more than
likely through a revival of annual fees and
the elimination of reward programs that the
credit card deadbeats currently enjoy.
Congress passed credit card reform
legislation in early June to limit some of
the unscrupulous pricing schemes that have
evolved in recent years—sudden, unexpected
hikes in interest rates and double-cycle
billing, for example. The law goes beyond
codifying the Federal Reserve’s regulatory
rules already scheduled to go into effect in
July 2010 by adding tougher restrictions and
extending consumer protections.
Reform may have been necessary, but will
the current legislation result in unintended
consequences for consumer retail payment behavior?

Pricing for risk
In the early days of the credit card product, banks charged
a flat interest rate and an annual fee, which made sense
since they only gave cards to their most creditworthy
customers. The development of credit scoring models in
the late 1980s enabled banks to expand their market by
allowing them to measure their potential credit risk for an
individual cardholder and price for that risk accordingly.
As the competition for credit card business heightened in
the 1990s, competitive pricing schemes evolved with teaser
periods permitting low- or no-interest payments on new
accounts and transferred balances. This practice permitted
consumers to transfer balances frequently for introductory
period financing. At some point, the transfer game would
inevitably get out of hand and the consumers would
become overextended financially. As those overextended
cardholders began to experience debt service problems,
the credit card issuers responded by repricing their card
products to compensate themselves for the additional risk.
In fact, some issuers targeted the subprime customer
segment exclusively.
16

Porta ls&R a i ls 2009 Compendium

Since the reform effectively reduces revenue potential
at a time when charge-offs are rising, card issuers will
likely rethink their pricing models. If they shift these
lost revenues as additional costs or reduced benefits for
creditworthy customers, will these customers opt for other
payment mechanisms?

Credit or debit?
Will increased costs for credit card products drive credit
card deadbeats to use their debit cards instead? While they
are different products governed by different sets of laws,
many issuers now provide the same consumer protections
for debit cards that they do for credit cards. Yet credit
cards still have their advantages in terms of the “pay now”
or “pay later” decision option. And if you have a dispute
over a credit transaction, you still don’t have to make the
payment until the problem is resolved. With a debit card
dispute, the money has already left your account, and
your arguments are focused on how to get it back. So a few
distinctions favoring credit cards remain. Whether or not
deadbeats will pay for them remains to be seen.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

June 22, 2009

Payments fraud no longer just a white collar crime
White collar crime: a crime committed by a person
of respectability and high social status in the course
of his occupation. — Edwin Sutherland, 1949

According to the press release, this was the first time a
violent street gang was targeted for its involvement in
complex bank fraud in California. The gang members
worked in cooperation with existing account holders to
deposit counterfeit checks into their accounts and then
withdraw the cash before the credit union could determine
the check was fraudulent. In return, the account holder
would receive a commission of up to several hundred
dollars on checks ranging from several thousand to tens
of thousands. The District Attorney concluded that the
size, scope, and sophistication of the operation indicated
that the criminal street gangs in San Diego are expanding
their criminal enterprise into white collar crime.
A similar case of check fraud and gang activity occurred in
Phoenix last year. “Operation Blank Check” was a yearlong investigation that uncovered a check fraud scheme
totaling nearly $3 million. Postal inspectors initially
contacted the Phoenix Police Gang Enforcement Unit
about gang members being involved in mail theft and
fraudulent schemes. Further investigation revealed that
the suspects had been involved in violent gang activity and
transitioned to white collar crime. A broad partnership
of local, state and federal law enforcement agencies
worked on the case and was able to arrest more than 100
individuals, 77 of whom were “hard core gang members”
representing 22 local gangs.
There have also been several cases of identity theft
involving street gangs in recent years. An April 2007
report by the President’s Identity Theft Task Force noted
that law enforcement agencies across the country have

The comparative ease of committing financial crimes has
made it more appealing to street gangs as a way to support
other criminal activities. The investigators in the Navy
federal case speculated that the gang members used the
half-million dollars to help fund illegal gang activities and
pay for a lavish lifestyle.

Multiagency collaboration key to combating fraud
The key to apprehending the defendants in this case
was a coordinated operation involving the U.S. Secret
Service, San Diego Regional Fraud Task Force, San Diego
Police Department Gang Detectives, San Diego District
Attorney Investigators, U.S. Postal Inspection Service,
Naval Criminal Investigative Service, Navy Federal Credit
Union, and the California attorney general’s office.
Each agency played a significant role in the investigation
that was initiated when the Naval Credit Union
investigators noticed suspicious activity in 2005 and
reported it to the Secret Service. For example, the San
Diego Police gang detectives helped to identify and
interview the suspects. The U.S. Postal Inspection Service
helped locate suspects and investigate the counterfeit
checks. The San Diego Regional Fraud Task Force,
district attorney’s office, and attorney general’s office
became involved due to their experience handling complex
fraud investigations.
This case is just one example of the importance of
cooperation between local, state, and federal law
enforcement in effectively combating payments fraud. By
forming interagency task forces that allow for expertise and
intelligence sharing, law enforcement can be in a better
position to prosecute and, hopefully, deter fraudsters.
By Jennifer Grier, senior payments risk analyst in the
Retail Payments Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

Second Quarter 2009

I recently ran across a news article that was a shocking
reminder of the widening criminal network involved in
payments fraud. On May 13, the district attorney in San
Diego announced the arrest of 60 people on felony charges
in connection with an elaborate bank fraud scheme. It
was the culmination of a 10-month-long investigation
of a $500,000 check cashing scam at Navy Federal
Credit Union. Not an unusual story until I read who
masterminded the scheme—a San Diego street gang.

observed a steady increase in the involvement of groups
and organizations of repeat offenders or career criminals
in identity theft. Some of these groups are formally
organized and well-known to law enforcement because of
their longstanding involvement in other major crimes, such
as drug trafficking. Others may be more loosely organized
but are able to connect and coordinate their activities
through the internet.

Second Quarter 2009

J u n e 2 9, 2 0 0 9

J u ly 0 6 , 2 0 0 9

Fraud Enforcement and
Recovery Act of 2009

Remotely created checks:
Distinguishing the good from the bad

On May 20, President Obama signed into law the Fraud
Enforcement and Recovery Act of 2009. Among other
things, the law “authorizes” substantial funding in 2010
and 2011 for various federal agencies, including the
Department of Justice, the Postal Inspection Service, the
Securities and Exchange Commission, and the Inspector
General of Housing and Urban Development, to investigate
and prosecute financial frauds of all types. (Note that an
authorization does not necessarily mean any appropriation
of additional funding to these agencies above their existing
funding will result.)

There are no hard numbers to quantify that remotely
created checks (RCCs) pose greater risks than other
payment types. However, there are known instances of
RCC fraud, the impact of which can be significant. So
the depository banks liable for RCCs may want to keep a
vigilant eye on the situation.

One of the law’s chief sponsors, Sen. Patrick Leahy,
included the following in his comments on the law:
“ At its core, the Fraud Enforcement and Recovery Act
authorizes the resources necessary for the Justice
Department, the FBI, and other investigative agencies
to respond to this crisis. In total, the bill authorizes
$245 million a year over the next two years to hire
more than 300 Federal agents, more than 200
prosecutors, and another 200 forensic analysts and
support staff to rebuild our nation’s ‘white collar’ fraud
enforcement efforts. While the number of fraud cases is
now skyrocketing, we need to remember that resources
were shifted away from fraud investigations after 9/11.
Today, the ranks of fraud investigators and prosecutors
are drastically under stocked, and thousands of fraud
allegations are going unexamined each month. We
need to restore our capacity to fight fraud in these
hard economic times, and this bill will do that.”
Supporters of the law have promoted the idea that this
funding of efforts to fight financial crimes will in effect
result in a good return on the government’s investment as
it will result in higher recovery of funds lost to fraud. Some
cite Justice Department estimates that each dollar spent to
prosecute fraud results in more than $20 being ordered in
restitution and fines for victims and the government.
This law (if funded) could result in a sea change in the
focus of federal law enforcement to address a wide array of
financial crimes in the future. It bears watching to see if
this effort has a measurable impact in tamping down the
growth and spread of financial-related fraud and whether
it will in particular have any impact on payments fraud
issues, such as the persistence of check fraud schemes or
the development of new fraud schemes leveraging gaps in
emerging payments modes.
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

Porta ls&R a i ls 2009 Compendium

What are RCCs?
These are checks that are not created by the paying bank
and do not include the account holder’s signature. In
lieu of an actual signature, the check’s signature block
typically contains the account holder’s printed name or
standard language indicating authorization. RCCs have
been used for recurring transactions, such as insurance
premium payments, for quite some time. This solution
offers consumers an alternative to the hassle of manually
writing out checks each month. More recently, RCCs
have also been used in nonrecurring transactions, such
as purchases or bill payments made over the telephone
or Internet. Though a useful form of payment, RCCs
introduce risk into the retail payments system.

What are the risks?
As stated above, RCCs do not require a signature for
authorization. As a result, they are vulnerable to misuse
by fraudsters who can, for example, use an RCC to debit
a victim’s account without receiving proper authorization
or delivering the goods or services. The risk of fraudulent
RCCs is amplified in one-time purchase scenarios where
the merchant is relatively unknown to the customer.
To address the fraud risk of RCCs, in July 2006 the
Federal Reserve modified the liability structure for this
particular type of check. The liability for unauthorized
RCCs shifted from the paying bank to the depositary
bank, which must now warrant to the collecting and
paying banks that the RCC presented has been properly
authorized. The Federal Reserve’s amendment provides
economic incentive for the depositary bank to perform
additional vigilance when accepting RCCs given the
warranties they must make. Since the depositary bank
maintains the relationship with the bank customer
depositing the RCCs, it is in the best position to mitigate
the fraud risk. The challenge is that banks cannot readily
identify RCCs in an automated fashion through the
existing MICR line format. Generally, review of incoming
RCCs requires manual intervention.

J u ly 1 3 , 2 0 0 9

How pervasive are they?
In light of this identification challenge, the Fed applied
a modified definition of RCCs to a sample of check
transactions in order to establish a reasonable estimation
of the volume of RCCs. As a result, the Federal Reserve’s
2007 Check Sample Study concluded that less than 1
percent (0.95) of the checks sampled were RCCs. It is
unclear how accurate this result is when considering the
regulatory definition, but it is probably fair to say that
RCCs are only a very small portion of check volumes
overall. Moreover, the analysis did not discern within
that estimate the number of illegitimate RCCs. It is the
cases of misuse that have prompted some to call for a ban
of RCCs altogether. While there is anecdotal information
and well-publicized cases (such as the 2008 Wachovia case)
highlighting abuses committed using RCCs, there is a lack
of concrete data reflecting the portion of RCCs that are
fraudulent or returned for other reasons.

Conclusion

We know that some portion of these RCCs represent
fraudulent cases where the payment was never authorized.
However, we also know that when it does occur the
consequences may be substantial in terms of adverse
consumer impact. Therefore, despite the lack of complete
data, it is unwise to allow RCCs and the known misuses to
fall completely off the radar.
By Crystal D. Carroll, senior payments risk analyst of the
Retail Payments Risk Forum at the Atlanta Fed

For many years in the coal mining industry, a caged
canary would be brought into the mines to detect
whether toxic gases were present. The canary served
as an early warning system of potential danger for the
miners. Similarly, consumer complaints data could serve
as a harbinger of potential risks in payments for law
enforcement and other industry professionals.
Several regulatory agencies receive fraud-related
complaints from consumers, including those involving
financial institutions. Some of the consumer complaint
databases are shared among agencies to help better
facilitate fraud investigations and to track trends and
developments in consumer fraud activity.
One example is the Federal Trade Commission’s (FTC)
Consumer Sentinel Network (Sentinel), a secure online
database of consumer complaints that is only available to
law enforcement. In addition to storing FTC complaints,
the Sentinel also includes complaints filed with more
than 100 different U.S. and Canadian federal, state,
and nongovernmental organizations. Among the leading
partners and data contributors are the Internet Crime
Complaint Center, Better Business Bureaus, Canada’s
Phone Busters, the U.S. Postal Inspection Service, the
Identity Theft Assistance Center, and the National Fraud
Information Center.
Established in 1997 to collect fraud and identity theft
complaints, the Sentinel database was expanded in 2008
to include complaints about credit reports, debt collection,
mortgages, and lending, among other subjects. According
to the 2008 Consumer Sentinel Network Data Book, the
database has more than 7.2 million complaints.

FTC complaints provide insight into consumer
fraud trends
The Sentinel received a total of 1.2 million complaints
during calendar year 2008. Of the 30 complaint categories,
identity theft ranked first with 26 percent of the overall
complaints. Credit card fraud (20 percent) was the most
common form of reported identity theft, the majority of
which involved new accounts (12.3 percent). Another
significant category of identity theft reported by consumers
was bank fraud (11 percent). Although identity theft bank
fraud, which includes fraud involving checking and savings
accounts and electronic fund transfers, has declined since
2006, the most common type continues to be electronic
fund transfers.
Continued on next page

frbatlanta.org/rprf

THIRd Quarter 2009

RCCs represent a relatively small subset of checks overall.
However, applying the Check Sample Study methodology
and results of the Federal Reserve’s overall 2007 Payments
Study, the number of RCCs in 2006 alone would still have
represented approximately 286 million items.

Consumer complaints may be “canary
in a coal mine” for payments risk

J u ly 1 3 , 2 0 0 9
Continued from previous page

Top 10 Consumer Sentinel Network Complaint Categories
January 1 – December 31, 2008
Rank Category

# Complaints Percentages

1 Identity Theft

313,982

26%

2 Third Party and
Creditor Debt Collection

104,642

3 Shop-at-Home and
Catalog Sales

52,615

4 Internet Services

52,102

5 Foreign Money Offers and
Counterfeit Check Scams

THIRd Quarter 2009

38,505

6 Credit Bureaus, Information
Furnishers, and Report Users

34,940

7 Prizes, Sweepstakes,
and Lotteries

33,340

8 Television and Electronic Media 25,930

9 Banks and Lenders

22,890

22,387

10 Telecom Equipment and
Mobile Services

Consumer complaint databases can be an
important resource in detecting fraud issues
FTC Sentinel data only gives a snapshot of the consumer
fraud and risk issues occurring in the payments system.
A consumer who has a problem involving an account held
at a financial institution may file a complaint with the
appropriate bank regulator. The Retail Payments Risk
Forum is currently analyzing consumer complaints filed
with the Federal Reserve Consumer Help over a four-year
period to track whether there are trends that may indicate
underlying payments risks. At the very least, the consumer
complaints data may provide leading indicators of areas
where we may need to focus our attention with research
and/or education.
By Jennifer Grier, senior payments risk analyst in the
Retail Payments Risk Forum at the Atlanta Fed

Source: Federal Trade Commission

The data also give some indication of the preferred
payment channel for consumer fraud. In 2008, for those
fraud complaints where the consumer reported the method
of payment, credit cards was the most common (35 percent)
followed by wire transfer (24 percent), bank account debit
(19 percent), and check (10 percent). The rankings have
been consistent over the past two years, but credit cards
have increased from 30 percent and 33 percent for 2006
and 2007, respectively.

Consumer Sentinel Network Fraud Complaints by Methods
of Consumer Payment, January 1 – December 31, 2008
40%

35%

30%
20%

24%
19%
10%

10%

0%
Bank
Cash or
Account Cash
Debit Advance

Check

Credit
Card

Source: Federal Trade Commission

Porta ls&R a i ls 2009 Compendium

Money Telephone Wire
Order
Bill
Transfer

J u ly 2 4 , 2 0 0 9

Transparency: Seeing through International ACH
There are anecdotal reports that some
financial institutions are treating
their preparatory efforts for the new
international ACH transaction (IAT)
rule and format like a Y2K event.
However, they shouldn’t lose sight of
the fact that the industry stands to
reap substantial benefits from the
new rule, largely because of improved
transparency in the ACH network. As
you may be aware, the new IAT rule
and format go into effect on Sept. 18,
2009. NACHA, the rulemaking body
for the ACH network, has conducted
extensive industry outreach to provide
education on the new rule and format.

To address their concerns, OFAC worked with NACHA
to construct a payment format that would permit
sufficient information to identify parties to the crossborder transaction. In 2004 NACHA began working with
OFAC on a proposed rule change for international ACH
transactions and a new format that would include the
data elements from the Bank Secrecy Act’s (BSA) “travel
rule.” Essentially, the BSA travel rule includes more
robust information about the payment originator and
beneficiary so that a financial institution can review the
transaction for OFAC compliance. When the IAT rule goes
into effect, all transactions that meet the new definition
of international ACH transactions made via the ACH
Network will be required to use the IAT SEC code.

The IAT code will make it easier for financial institutions
to identify international payments in the ACH network
since currently many transactions are mistakenly coded
as domestic. This mistake occurs because today many
international payments are introduced into the U.S. ACH
network through domestic correspondent relationships
and are then inadvertently transmitted as domestic
transactions. So the new code will make it easier for
financial institutions to identify these payments and
comply with their OFAC obligations, which incidentally,
have not changed. IAT really creates more transparency
in two significant ways: by identifying the transaction as
international and by revealing all parties to the crossborder transaction. In the end, transparency in retail
payment systems is a good thing and should help the
banking industry combat fraud and other abuses in the
ACH network.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

frbatlanta.org/rprf

THIRd Quarter 2009

In many respects, the change in
the international ACH transaction
format is attributable to the Office of
Foreign Assets Control (OFAC). OFAC
administers and enforces economic
and trade sanctions in accordance
with U.S. foreign policy and national
security goals against targeted foreign
entities such as international drug
traffickers, terrorists, and other threats. Beginning in the
late 1990s, OFAC began to have concerns about abuses
from terrorists in cross-border ACH transactions. OFAC
had reason to believe that we needed better safeguards
for our financial system, especially after 9/11. The ACH
network today is increasingly vulnerable to potential abuse
with respect to the international cross-border movement of
funds because of the expanded use of the ACH for one-off
transactions from the practice of recurring transactions
between known and trusted parties, as well as the speed
and efficiency of the ACH network in general.

August 03, 2009

Accounting for ACH losses: What are the right numbers to crunch?
From talking with a number of industry players, it has
become increasingly clear that there is both a healthy
desire for ACH origination loss data to help understand
risks and also business practices that limit the extent
to which data to benchmark ACH losses are available
in the first place. The challenge is to reconcile these two
conflicting objectives.
Many banks today treat ACH origination as credit
underwriting, particularly for business customers. Given
this, one way banks may account for losses as a result
of ACH origination is as credit losses against loan loss
reserves or other similar accounts. This method is entirely
appropriate as a risk management practice given the
potential for losses the ACH originating bank may incur
as a result of unauthorized debit items that are returned
by the receiver through its bank. The originating bank,
having already credited its customer’s account, may find
itself unable to collect the returned item and thus may
incur a loss.

Further, while it is likely that most banks track or have
the ability to track their losses from ACH origination,
there is no standard regulatory or other financial
reporting for banks to report ACH loss information. Such
losses may be attributable to fraud or not, but the extent
of these losses in terms of aggregate dollars and velocity is
likely to be a more robust data point for analysis of ACH
fraud and ACH origination risks than the data available
today. Improved data on banks’ ACH loss experience would
go a long way to explain the true extent of ACH origination
risk within the network overall and may promote banks’
ability to benchmark their own losses in an effective way.
It also would enable both the network and individual
banks to better tailor their risk management efforts.
Most importantly, having more data could help dispel
any mistaken assumptions about how much financial loss
banks are experiencing from operational and fraud risks in
ACH origination activities.
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

THIRd Quarter 2009

NACHA does publish aggregate trend data on what is
probably the best metric it has available—unauthorized
returns as a percentage of all ACH debits in the network.
While this is a good starting point, it is not a fully
accurate picture of the actual losses banks may incur
as a result of ACH origination (whether for debits or
credits). While the trend of unauthorized debit returns is
instructive, it does not explain the dollar losses to banks.

Unauthorized Debit Return Rate, 2001 – 2008
0.12%
0.10%
0.08%
0.06%
0.04%
0.02%
0.00%
2001

2002

2003

2004

Source: NACHA, 2009

Porta ls&R a i ls 2009 Compendium

2005

2006

2007

2008

A u g u s t 10 , 2 0 0 9

Collaboration to address payments risks and fraud
In the world of payments, all players share an interest
in seeing that risks are detected and mitigated quickly
and effectively. However, when threats emerge, is it
everyone for themselves? How does the variety of interests
and goals among all the players converge? In a private
marketplace mixed with government actors, how can we
work better together?
Participants at a 2008 conference hosted by the Retail
Payments Risk Forum discussed these issues and
described the challenges and potential solutions. A year
later, the findings of this forum are worth revisiting.

Information sharing

• collection, consistency, and commonality of payments
data, better understanding of its utility, and analysis
tools. While data needs vary, a first step would
be to focus on data elements of shared interest. A
working group could facilitate ongoing payments data
compilation and analysis efforts;
• formal and informal dialogue among various agencies
and others, including simple measures such as shared
contact lists;
• development of a “matrix” of various roles/
responsibilities/information sources for shared use
to facilitate more timely location of information and
expertise available; and
• a more systematic, organized mechanism for
information sharing, perhaps by establishing “brokers”
for relevant information such as payments data.

• publishing enforcement actions and related settlements
more effectively as a deterrent;
• establishing a central “negative list” or “watch list”
of bad actors;
• extending registration requirements for third parties
participating in payments networks beyond existing
targeted voluntary efforts;
• strengthening and clarifying regulatory guidance,
such as that for counterfeit checks and consumer
account statements;
• better educating consumers and banks regarding
common issues;
• a more direct means of compensating victims;
• mining specific activity reports and other existing
agency databases such as consumer complaints
data; and
• potential new SEC codes within ACH to better
track risks.

Collaboration
Participants identified collaborative efforts to help detect
and/or mitigate retail payments risk issues and identified
benefits and gaps. Examples included bank regulatory
groups (intra- and interagency), national and regional
law enforcement partnerships, interstate collaboration,
federal-state working collaborations, joint investigative
task forces, examination- or case-driven ad hoc efforts,
and industry data-sharing efforts. Potential avenues for
improved collaborative action included:
• a law enforcement/regulatory payments fraud
working group;
• a virtual collaborative forum via Web sites, e-mail
lists, or regular phone calls;
• greater attention paid to requests for comments on
proposed NACHA rules;
• examiner and law enforcement training opportunities;

Policing bad actors
Many noted that communication about bad actors is often
ad hoc and that information is too widely dispersed to be
useful and timely. Individual agency efforts, published
enforcement actions, SAR filings, interbank collaborations,
and industry self-regulatory efforts, while all worthwhile,
have not fully promoted effective information gathering
and sharing among all the parties who can have an
impact. Suggestions for improvement in this area included:

• participation in and/or support for industry database
sharing efforts;
• engagement with industry groups to improve
best practices;
• a Web-based resource for consumers supported by all
(“fraud.gov”);
• implementation of further MOUs among agencies; and
Continued on next page

frbatlanta.org/rprf

THIRd Quarter 2009

Real or perceived information-sharing limitations among
financial institutions, regulators, law enforcement,
and others can substantially impede addressing retail
payments risks on a timely and effective basis. Examples
include inconsistent or incomplete payments data, varying
success levels of intra- and interagency collaborations,
varied and overlapping jurisdictions, an incomplete
network of memoranda of understanding (MOUs), privacy
restrictions, perceived barriers beyond legal restrictions,
competitive interests, costs, and trust. Suggestions for
improvement in this area focused on:

• better understanding of risks across payment
channels, both for front-end access point(s) and backend processing, to mitigate fraudster arbitrage
of vulnerabilities;

A u g u s t 10 , 2 0 0 9
Continued from previous page

• efforts to identify fraud patterns across agencies, such
as the federal government’s Eliminating Improper
Payments Initiative.

Substantive areas of concern
Participants were asked to describe substantive retail
payments risk issues that keep them up at night. Some
common themes emerged, including:
• strengthening the oversight of third-party payments
processors and others not covered by the Bank Service
Company Act;
• quantifying and better managing the misuse of
remotely created checks;
• understanding and mitigating risks associated with
“cross-channel” fraud;
• “Know Your Customers’ Customer” due diligence,
compliance, and associated risks and potential
liabilities for fraud detection/mitigation purposes;
• establishing a common means of redress for consumers
regardless of the payment channel; and

THIRd Quarter 2009

• improving the clarity of consumer account statements
by instituting standards and reducing jargon.
Progress has been made on a number of these ideas in the
past year, including the formation of new working groups
and other collaborations. The Retail Payments Risk
Forum continues to explore opportunities and implement
solutions to help foster collaborative action to address
these and other industry concerns. Your input in the form
of comments to Portals and Rails on these or other topics
is welcomed!
By Clifford S. Stanford, assistant vice president and director
of the Retail Payments Risk Forum at the Atlanta Fed

A u g u s t 17, 2 0 0 9

Oliver: Funding of risk initiatives
faces risky times
This week, we have a special guest blogger:
Richard Oliver, an executive vice president
with the Federal Reserve Bank of Atlanta.
Oliver was a pioneer in electronic payments,
working on a Fed system project with the
U.S. Treasury to develop direct deposit.
He was also instrumental in the Atlanta
Fed becoming the second automated
clearinghouse (ACH) operation in the United States. Since
1998 he has served as retail payments product manager for the
Federal Reserve System. In this capacity, he has responsibility for
managing the Fed’s check and ACH businesses nationwide.

As we look forward to a slow but steady emergence of the
banking industry from the current financial firestorm,
the question arises as to how investments in the payment
system will fare. More specifically, will banks and other
payment system players secure funding for initiatives
critical to mitigating payment fraud and risk?
Experiences gained from previous economic crises have
reshaped individual and corporate attitudes and practices.
Certainly, the folks who experienced the Great Depression
turned into a generation of savers, conservative spenders,
and cautious borrowers. Recent discussions with payment
leaders have given rise to the possibility that conservative
spending habits may be with us for some time. These
habits may be manifested in restricted, prioritized
spending on payment initiatives in general and fraud and
risk mitigation efforts more specifically.
Given the already narrowing margins in retail payment
profits, coupled with enterprisewide scrutiny of expenses
across business silos, it is likely that payment organizations
will have to prioritize spending in ways not typical
of the last decade of innovation and constant change.
These limitations will create choices concerning which
investments are mandatory and which are discretionary.
Investments in initiatives directed at data security and
fraud detection might take a back seat to investments
in relieving the pent-up demand for maintenance and
enhancements of core payment and settlement systems or
investments in exciting new technology.
In an ideal world, focused and well-reasoned business
case analysis would dictate the priority of spending.
My personal experience, however, has revealed that
investments in fraud reduction, data security, etc., face
an uphill battle when competing for scarce dollars. This
phenomenon stems from three major factors.
First, there is always a perception that risk/fraud
expenditures are discretionary. It remains to be seen if

Porta ls&R a i ls 2009 Compendium

August 24, 2009

the staggering cost of poor risk management that led to
the financial crisis, coupled with the everyday visibility
of fraud schemes, will help shed the discretionary label.
Discretion, by the way, not only involves expenditures on
new artificial intelligence software or high-tech encryption
devices; it also involves more subtle decisions about the
number of staff authorized to monitor systems, notify
customers of breaches, and research problems. After all,
the risks involved in past lending and investment practice
that were at the heart of the financial crisis largely
involved “payment” of obligations and not “payments.”

Finally, investments are about the future, not the past.
My personal experience in this area is that the past is a
poor predictor of the future. In that light, how does an
organization forecast likely trends in fraud losses? Is the
past a good predictor of the future? Can recent trends
such as the reduction of unauthorized activity in the ACH
network reasonably be extrapolated, or will the fraudsters
simply move to another payment channel where controls
are weaker? More importantly, will new technology help
bad actors commit fraud more easily or help banks do a
better job of detecting and preventing fraud? Should the
business case for the future depend on average industry
trend data or should it protect against “the big one,” the
major incident that culminates in a $100 million–$200
million loss? Answers to these questions will ultimately
separate the prepared from the unprepared.

Since February 2009, the Retail Payments Risk Forum
has regularly posted to the Portals and Rails blog
interesting and thought-provoking topics related to
retail payments risk issues. This online forum provides a
dynamic platform to spark conversation and foster ideas
about these topics. In an effort to further expand the
dialogue, we are excited to announce the launch of the
Payments Spotlight podcast series this month.
Payments Spotlight will be posted regularly on the
Federal Reserve Bank of Atlanta’s Web site. The podcast
will feature recorded interviews with leading experts
in the payments industry on relevant issues. The first
installment features a conversation with Woody Tyner,
payments strategist at BB&T Bank in North Carolina.
In his comments, Mr. Tyner provides an insightful
perspective that is definitely worth a listen on how the
payments industry can balance innovation and risk
management.
We hope that you will not only check out this installment
but also tune in on a regular basis as we feature other
leading thinkers and practitioners representing a wide
array of perspectives. You can listen to the Payments
Spotlight podcast using any computer audio software that
will play MP3 files. To subscribe to the podcast series
directly, go to the Atlanta Fed podcast page, click on the
“subscribe” button next to Payments Spotlight, and follow
the instructions for adding the series to your aggregator.
You can also follow the series by staying tuned to Portals
and Rails, where we will post information about new
podcasts as they become available.
Let us know what you think, and please submit any
suggestions you have for future podcast topics.
By Jennifer Grier, senior payments risk analyst in the
Retail Payments Risk Forum at the Atlanta Fed

Regardless of the answers to these perpetually difficult
questions, most of which will stem from core experiences
and individual philosophies, one thing is certain in
the wake of our recent experience: Reputation is more
important than ever. Positive reputations are difficult to
build, hard to maintain, easy to lose, and even harder to
reclaim. The value placed on reputation must be carefully
considered by senior decision makers in setting the course
for the future.
frbatlanta.org/rprf

THIRd Quarter 2009

Second, to do effective business case analysis, good data
must be present. It is not at all clear whether banks and
other payment providers have transparent and reliable
systems in place to detect, measure, and categorize fraud
in a way that allows its financial impacts to be estimated.
Certainly, banks have historically been reluctant to share
such data externally. Further, do banks have in place
systems that can collect and allocate fraud management
costs in such a way as to complete a meaningful costbenefit analysis? Without good data, business case analysis
becomes an art, not a science. Clearly, for bad actors fraud
is their core business; there is no business case to explore
and no budget committee to satisfy. In fact, their pursuits
are recession proof.

Forum launches “Payments
Spotlight” podcast series

A u g u s t 31 , 2 0 0 9

Will micropayments thrive in social networks? (Part 1 of 2)
This is the first of a two-part series on micropayments and
social networks.

One of the most recent, and indeed interesting, phenomena
is the entrance of social networks into the micropayments
arena. Micropayments, generally defined as small-dollar
transactions of $25 or less, are inherently inefficient.
Converting them into electronic payments from the
traditional cash market is costly, since fees such as
interchange can consume a large percentage, if not all, of
the transaction.
However, things have been changing recently as the
environment for small payments has grown more
hospitable. Credit card companies have introduced
contactless payment devices to address the costs associated
with unattended purchases such as parking meters and
vending machines. The emergence of online payment
network contenders such as PayPal, Amazon, Google,
and others has fueled the growth of online micropayment
transactions, as has the growth in online media sales,
such as the 99-cent songs on Apple’s iTunes.

THIRd Quarter 2009

Several social networks have gained popularity recently
as trusted sites for the exchange of information, digital
media, and communication. This popularity and trust can
help foster the network effect necessary for establishing
an effective payment system. However, developing a
new payment system is a risky venture, and many
micropayment provider start-ups are not successful.
While some social network sites are exploring the
opportunities to offer payment services, they are also
permitting outside payment providers to place their
applications on the social network platforms. These
payment providers are able to leverage the social network
platforms providing online payment solutions and
monetizing digital currency.
The demand for digital currency via social networks and
the ability to monetize transactions in virtual economies
are garnering attention from venture capitalists—and
they’ve captured our attention, for the moment. The
remainder of this blog as well as next week’s will examine
a few examples of the emerging micropayment service
providers that we found. Keep in mind, our list is by no
means an endorsement or an exhaustive list.

Twitpay
First, consider Twitter, a social networking site that lets
users give short updates to other users about what they
are doing. Twitter has, in essence, created an ecosystem
in which third-party service providers are leveraging it to
enable micropayments. A recent person-to-person (P2P)
start-up called Twitpay allows Twitter users to send
payments to other Twitter users—that is, as long as they
both have PayPal accounts. As a third-party application
that merely uses the Twitter platform, Twitpay has no
formal ties to Twitter, aside from the similar name.
Here is how the application looks on the Twitpay site.

The user fills in the payment instructions and presses the
“tweet” link at https://twitpay.me. The application delivers
the payment to the recipient’s Twitter Twitpay account.
The recipient pays the cost of the transaction, which
currently consists of PayPal’s commercial transaction fee of
2.9 percent of plus 30 cents. A user also can replenish his
Twitpay account using PayPal.

Twollars
Another third-party application that recently started using
the Twitter platform is Twollars, a vehicle for charitable
giving in small-dollar denominations that allows Twitter
account holders to donate to a charity or cause of their
choice. Twollars was conceived in January 2009 as a way
for people on Twitter to thank one another for sharing
digital content and giving advice and information.
Symbolic currency on “twollars” can be converted by
charities into real currencies, such as dollars and euros,
for example, again via PayPal. The Twollars Web site
contends that Twollars can only be converted into real
currency through donations to good causes. Charities can
start campaigns on Twitter to raise funds. Any Twitter
user starts with 50 Twollars. The Twitter platform allows
even the smallest charity to reach a large audience. The
site even allows businesses to reward customers with
Twollars to be used for a charitable cause of their choice.
Next week in Part 2, we look at Facebook as well as other
players in this emerging market such as Spare Change,
Zong, and BOKU.
By Cindy Merritt, assistant director of the Retail Payments
Risk Forum at the Atlanta Fed

Porta ls&R a i ls 2009 Compendium

September 08, 2009

Will micropayments thrive in social networks? (Part 2 of 2)
Last week’s blog posting discussed how some social network
sites are exploring the opportunities to offer payment services
or are permitting outside payment providers to operate on their
social network platforms. Twitpay and Twollars, two third-party
platforms used on the Twitter platform, were discussed in Part 1.
This week, we examine other players in this emerging market.

Facebook
Facebook is likewise evolving as an ecosystem for
emerging micropayment service providers. Users are
increasingly spending real money buying virtual goods on
the applications that run on Facebook’s platform as well
as Facebook credits. Facebook credits are funded using
major credit cards and available in U.S. dollars as well as
foreign currency denominations. The social network has
realized tremendous success since its inception. Recently
the research firm Nielsen revealed that Americans spent
more time on Facebook sites than other top Internet sites
in its June 2009 report.

Table 1: Top 10 Parent Companies/Divisions
for June 2009 (U.S., Home, and Work)
Unique Audience
(000)

Time Per Person
(hh:mm:ss)

1 Google

155,606