Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
May 23, 2022
Vulnerable Populations and the Case for Cash
We recently wrote a post about communities not being able to access cash because of natural or man-made disasters. Severe weather and war, for example, may leave a bank branch inoperable. But even in "normal" times, access to cash remains an important consideration, especially for consumers who use it as their only or preferred means of payment. With this post, we look at how cash remains an important payment option and how accessing it may be becoming more difficult for certain vulnerable populations. These vulnerable populations—who tend to be low- to moderate-income households, rural communities, and recent immigrants—are more likely to be un- or underbanked (underserved) and often rely on cash to buy groceries and pay utility bills.
Even with an uptick in digital payment usage, cash remains a critical payment choice for many Americans. Some may be unable to use digital payment options because they lack access to broadband or a smartphone, for example. Others may not be able to access these options because they are unbanked. Data from the Federal Deposit Insurance Corporation's 2019 report How America Banks reveal that approximately 5.4 percent of households (7.1 million) were unbanked in 2019. Almost 14 percent of Black households are unbanked and presumably rely on cash or alternative payment options.
There are many reasons why cash can be a person's default method of acquiring goods and services, according to a forthcoming paper titled "Cash Is Alive: How Economists Explain Holding and Use of Cash" by Oz Shy, a senior policy adviser at the Atlanta Fed.
Unfortunately, recent data suggest that challenges to accessing cash existed prepandemic and accelerated during the pandemic. It may be especially difficult for the underserved, cash-reliant consumer, according to a report by the National Community Reinvestment Coalition:
- The number of banking institutions declined from approximately 18,000 in 1984 to fewer than 5,000 in 2021.
- The rate of bank branch closures doubled during the pandemic.
Rural areas tend to see the most bank branch closures, and those closures have contributed to a decline in ATMs as well. Adding to this, banks have been more cautious in providing accounts to independent ATM operators in part because of anti-money-laundering concerns. So some banks are adopting policies that prohibit business relationships with independent ATM operators or are charging much higher fees for their services—which means some ATM accounts with banks are closing and fewer ATMs are being established.
These closures matter, even to the unbanked consumer, who may need bank branches and ATMs, for example, to obtain cash from a prepaid benefits card for unemployment or social security payments, get a cash advance on a credit card, or cash a check at a bank where the check writer has an account.
As the digital economy expands, people in underserved communities and those who are cash reliant, whether by choice or lack of other options, are at risk for being further marginalized in the financial system. To help ensure that everyone, regardless of payments preferences, is included in this system, cash access and preservation in underserved communities across the nation remain important to maintain.
May 16, 2022
The Cost of "Free"
When I began my banking career in the early 1970s, we essentially had only three consumer payment methods: cash, check, and credit (or charge) card. My checking account had a monthly service charge, and the account permitted me to write 15 checks a month—any more than that cost me 15 cents each. The overdraft/nonsufficient fee was $15 per check. My credit card had an annual fee of $25.
Today, I pay no fees for my checking account, debit card, online banking services, mobile banking services, electronic bill payments, or electronic wallet. I pay no annual fees for my credit cards unless a card is a premium card that bundles other products such as product protection or roadside assistance. (Of course, my statement about free checking is slightly exaggerated—most banks impose some sort of monthly maintenance fee, which you can often avoid by keeping a minimum balance or having a recurring direct deposit.)
The banking and payments industry has invested billions of dollars in these free channels and products. But is there really such a thing as a free lunch? Have financial institutions (FIs) adopted a benevolent social policy giving everyone the right to free banking services?
It's more complicated than that. Publicly traded FIs answer to their stockholders, and even nonprofit credit unions must generate sufficient revenue to maintain their financial health. So how can they offer all these free services and products? I believe there are four primary reasons that FIs are willing to forgo explicit pricing for their services. The first is competition. Banks must compete in their market with the pricing of their products and services along with other factors such as quality of service and convenience of location. Second, debit card usage creates significant interchange revenue for the issuing FIs. Third, core deposits are the lifeblood of an FI's ability to fund its credit-related, revenue-generating products. Fourth, the bundling of services like bill payment and direct deposit has been shown to create a level of "stickiness"—in other words, the bundling increases the level of dissatisfaction a consumer must experience to believe it is worthwhile to move their account.
Will the bundling of these free services continue, or will the evolutionary cycle return to more explicit fees? Many FIs have been announcing of late that they are eliminating or reducing their overdraft/nonsufficient fund (OD/NSF) fees. The Consumer Financial Protection Bureau estimates that FIs collected almost $15.5 billion in OD/NSF fees in 2019, which was about two-thirds of their fee income. You have to wonder if fees in other products and services will increase to replace this lost revenue. What do you think?
May 2, 2022
Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver
Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.
In addition to founding our RPRF, Rich's payments expertise goes back to the 1970s when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.
Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."
In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.
Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.
Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"
Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.
Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.
Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.
Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.
Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-PIN, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.
As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?
By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.
March 21, 2022
ATM Jackpotting Attacks Getting Clever
In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from the ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process are below.
The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting attacks (ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported, such as card skimming and physical attacks, were down, jackpotting attacks represented a 44 percent increase in the number of attacks and a 14 percent increase in losses from 2019. Statistics of attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal.
I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs resulting in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.
So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs software with jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMs in retail locations, where they can pose as a service technician and not attract the attention of store employees. After the criminal has installed the malware, money mules collect the money. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule seems to be withdrawing, say, $60 but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.
Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.
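The two dispense patterns described above (cash paid out with no host authorization, and $600 dispensed against a $60 approval) can be surfaced before the "out-of-cash" message by reconciling host authorizations against dispenser records. The sketch below is an added example, not code from this blog or any ATM vendor; the record format, field names and terminal IDs are constructed, and it assumes the dispense records come from a source the terminal software cannot rewrite.

```python
from collections import defaultdict

# Constructed sample records (hypothetical format, not from a real ATM or host).
# Host side: what the processor authorized for each transaction.
HOST_AUTHS = [
    {"terminal": "T100", "txn": "a1", "amount": 60},
    {"terminal": "T100", "txn": "a2", "amount": 200},
    {"terminal": "T200", "txn": "b1", "amount": 60},
]
# Terminal side: what the dispenser reports it paid out (assumed trustworthy).
# txn is None when the dispense was not tied to any host transaction.
DISPENSES = [
    {"terminal": "T100", "txn": "a1", "amount": 60},
    {"terminal": "T100", "txn": "a2", "amount": 200},
    {"terminal": "T200", "txn": "b1", "amount": 600},   # $60 authorized, $600 out
    {"terminal": "T200", "txn": None, "amount": 4000},  # no authorization at all
]

def reconcile(auths, dispenses):
    """Return {terminal: [(finding, txn, dollars), ...]} for unapproved cash."""
    approved = {(a["terminal"], a["txn"]): a["amount"] for a in auths}
    findings = defaultdict(list)
    for d in dispenses:
        # pop() consumes the approval, so a second dispense that reuses the
        # same transaction id is reported as unauthorized.
        allowed = approved.pop((d["terminal"], d["txn"]), None)
        if allowed is None:
            findings[d["terminal"]].append(
                ("UNAUTHORIZED_DISPENSE", d["txn"], d["amount"]))
        elif d["amount"] > allowed:
            findings[d["terminal"]].append(
                ("OVER_DISPENSE", d["txn"], d["amount"] - allowed))
    return dict(findings)

def unexplained_cash(auths, dispenses):
    """Per-terminal dollars dispensed beyond the total the host authorized."""
    net = defaultdict(int)
    for d in dispenses:
        net[d["terminal"]] += d["amount"]
    for a in auths:
        net[a["terminal"]] -= a["amount"]
    return {t: v for t, v in net.items() if v > 0}

if __name__ == "__main__":
    totals = unexplained_cash(HOST_AUTHS, DISPENSES)
    for terminal, items in reconcile(HOST_AUTHS, DISPENSES).items():
        print(terminal, items, "unexplained dollars:", totals.get(terminal, 0))
```
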