Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Are Emerging Payments More Vulnerable to Fraud?
Whenever I am in a conversation about new or emerging payment products or services, I invariably get asked whether I think they will attract heightened attention from criminals. My personal opinion is, "YES, at least initially!" Why do I have that opinion? The conventional wisdom is that criminals recognize that new payment systems are likely to have some security gaps in the beginning that can be exploited. There are a number of examples I can cite to support this position.
Consider the payment card enrollment process that accompanied the introduction of the Apple Pay wallet in late 2014. Whether it was a rush to get cardholders enrolled or because of loopholes in the Identification and Verification (ID&V) process, a number of the banks offering the service fell victim to fraud early on. Criminals enrolled a number of stolen credit and debit cards in the service and then were able to make high-dollar purchases because of weak verification controls. Some industry observers cited initial fraud losses in the 600-to-800-basis-point range at some of the early issuers. This rate compares to an overall in-person, payment card fraud rate of 12.2 basis points in 2015 cited in the Federal Reserve's Payments Study supplement Changes in U.S. Payments Fraud from 2012 to 2016. Fortunately, the affected banks reacted quickly and shored up their payment card enrollment processes.
Also consider the implementation of faster payments in the United Kingdom in 2008. As did other countries implementing faster payments, the United Kingdom tried to limit fraud by taking a measured approach. In the beginning, only credit push transactions with a maximum value of £10,000 (approximately $15,000) were eligible. (Most of the initial participating banks had lower limits.) In 2010, the maximum amount was raised to £100,000. Now the maximum limit is £250,000, although financial institutions may still set lower limits and differentiate between consumer and commercial account payments. My colleague Julius Weyman highlighted some of the fraud risks in faster payments in his 2016 working paper reviewing overall risks in faster payments schemes around the globe. He pointed to the 132 percent increase in online banking fraud the United Kingdom experienced in the year following implementation.
There is growing concern among consumers in the United States and the United Kingdom about the liability for authorized push payments—such as P2P payments—because of their near-real-time nature and their finality. In a future post, I'll examine this issue with authorized push payments and look at how the United Kingdom is dealing with it.
So circling back to my initial question, do you believe that the fraud rates for new and emerging payment products are likely to be higher than the more established payment products? Let us know what you think.