Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
May 16, 2022
The Cost of "Free"
When I began my banking career in the early 1970s, we essentially had only three consumer payment methods: cash, check, and credit (or charge) card. My checking account had a monthly service charge, and the account permitted me to write 15 checks a month—any more than that cost me 15 cents each. The overdraft/nonsufficient fee was $15 per check. My credit card had an annual fee of $25.
Today, I pay no fees for my checking account, debit card, online banking services, mobile banking services, electronic bill payments, or electronic wallet. I pay no annual fees for my credit cards unless a card is a premium card that bundles other products such as product protection or roadside assistance. (Of course, my statement about free checking is slightly exaggerated—most banks impose some sort of monthly maintenance fee, which you can often avoid by keeping a minimum balance or having a recurring direct deposit.)
The banking and payments industry has invested billions of dollars in these free channels and products. But is there really such a thing as a free lunch? Have financial institutions (FI) adopted a benevolent social policy giving everyone the right to free banking services?
It’s more complicated than that. Publicly traded FIs answer to their stockholders, and even nonprofit credit unions must generate sufficient revenue to maintain their financial health. So how can they offer all these free services and products? I believe there are four primary reasons that FIs are willing to forego explicit pricing for their services. The first is competition. Banks must compete in their market with the pricing of their products and services along with other factors such as quality of service and convenience of location. Second, debit card usage creates significant interchange revenue for the issuing FIs. Third, core deposits are the lifeblood of an FI's ability to fund its credit-related, revenue-generating products. Fourth, the bundling of services like bill payment and direct deposit have been shown to create a level of "stickiness"—in other words, the bundling increases the level of dissatisfaction a consumer must experience to believe it is worthwhile to move their account.
Will the bundling of these free services continue, or will the evolutionary cycle return to more explicit fees? Many FIs have been announcing of late that they are eliminating or reducing their overdraft/nonsufficient fund (OD/NSF) fees. The Consumer Financial Protection Bureau estimates that FIs collected almost $15.5 billion in OD/NSF fees in 2019, which was about two-thirds of their fee income. You have to wonder if fees in other products and services will increase to replace this lost revenue. What do you think?
March 14, 2022
Thumbs Up: Smartphone Apps versus Websites
Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?
The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords even using the methods I teach others to use: create difficult yet supposedly easy-to-remember passwords. Perhaps this is why password managers remain so popular. I continue to hold out from using a password manager with hopes that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?
While the same biometric functionality is currently available on my computer, the main barrier is that websites struggle to support and accept biometric validation due to different implementations across various web browsers and operating systems. Several organizations and standards bodies are considering this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce password reliance. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) product that allows a website to use the FIDO authentication through a standard API implemented in a browser using public key cryptography and biometric authentication. Unfortunately, its uptake has been slow primarily because of the inconsistent user experience from website to website.
I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative method of accessing the app’s username and password combination. The fingerprint and facial recognition is a template algorithm stored in a highly secure location on our phones. When an app requests my thumbprint and the stored algorithm confirms a match, the equivalent of a password manager opens on my phone and I am authenticated.
Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.
February 14, 2022
Contactless Card Pay More Than Doubled in 2020, but from Small Base
Readers of this blog know that we at the Retail Payments Risk Forum have for years scratched our heads at the tepid growth of contactless card payments:
- Doug King in 2017: Wouldn't it be nice to tap and pay?
- Dave Lott in 2019: Contactless cards: the future king of payments?
- Me in 2020: Are contactless cards having their moment?
Now, data released in December by the Federal Reserve Payments Study find that amid the decline in the number and value of in-person card payments from 2019 to 2020, in-person contactless card pay increased both by number and value. You can see the appeal of contactless card pay in the COVID-19 pandemic: The ability to tap or wave a card or mobile device at the in-person point of sale could be perceived to reduce the risk of contagion.
From 2019 to 2020:
- The number of contactless card payments more than doubled (up 140 percent from 1.6 billion payments to 3.7 billion)
- The total value of contactless card payments also more than doubled (up 120 percent from $50 billion to $110 billion)
The number and value of contactless card payments also doubled from 2018 to 2019, although on a smaller base. The 2020 growth is especially impressive in the context of the overall decline in the number and value of in-person card payments that year. But am I convinced that contactless pay is having its moment? Well, no. That’s because looking at percentage increases can be misleading when the base is so small.
With their 2020 growth, contactless card payments remain less than 5 percent of in-person card payments by number (figure) and 3.5 percent of in-person card payments by value. Maybe not the "king of payments" quite yet.
I am willing to believe, however, that throughout 2020 and 2021 merchants ramped up their ability to accept contactless cards for in-person payments (along with screens and procedures to separate employees and customers)—even as they pushed customers toward delivery and curbside pick-up. With acceptance more widespread, consumers should be less likely in 2022 to run into the sort of difficulties my friend encountered in August 2020, when she tried to find a merchant that could successfully accept a completely contactless payment.
For more on newer and emerging payment methods, see the most recent report of the Federal Reserve Payments Study.
April 6, 2020
Will COVID-19 Exacerbate Ecommerce Fraud?
Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.
Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.
This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.
One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. Both sides being considerate of the needs on both sides of the transaction—working together, again, with patience and willingness to engage, perhaps differently than we've been willing to in the past, could yield results that everyone (except the crooks) is happier with, in both the short run and long run.
We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys ' side of the board with some new moves to help aid in the fight against the bad guys.