Updated: Monday, March 30, 2015
Fed report shows gains in mobile banking and payments
M obile banking adoption in the United States is on a tear. Survey results just released by the Federal Reserve Board reveal that 39 percent of adults with mobile phones had used those devices for banking activities as of December 2014. That's up from 33 percent in December 2013, according to Consumers and Mobile Financial Services 2015.
Most adults today have mobile phones: 87 percent of those surveyed by the Fed said they had mobile phones; 71 percent of those devices are smart phones, up from 61 percent a year earlier.
By far the most common mobile banking activities performed by adult consumers were checking balances and transactions (94 percent of mobile phone users, as of December 2014), transferring money between accounts (61 percent), receiving bank alerts (57 percent), remote check deposits (51 percent) and initiating electronic bill payments (48 percent). Twenty-eight percent of surveyed mobile phone users had used their mobiles to make payments last year, up from 24 percent in 2013.
Consumers and Mobile Financial Services 2015 is the fourth annual survey report issued by the Fed that examines how consumers use mobile devices to access accounts at federally insured banks and credit unions. The 78-page report contains a wealth of information about who is and is not using mobile devices for banking and payments, adoption rates and methods of access.
For example, the data shows that younger consumers are more likely to make mobile payments. So, too, are minority populations. Yet the report noted "no clear relationship between mobile payment usage and income or education level among those who own a mobile phone."
M-POS payments set for growth despite security concerns
The top two activities for mobile payments are bill payments and in-app purchases; at 24 percent POS payments ranked third. Despite its current standing, the Fed said mobile POS "is becoming less rare an occurrence."
Scanning quick response codes displayed on their mobiles is the method most consumers use for making mobile POS payments, with 31 percent of the user base. "While this remains the most common POS mobile payment, it is a decrease from 39 percent a year ago," the Fed wrote. Fourteen percent said they made payments by tapping or waving their mobiles near a POS device, while 22 percent used methods other than scanning, tapping or waving their phones.
One of the biggest drawbacks to consumer adoption of mobile banking and payments is concern about the technology's security. For example, when mobile phone users were asked how safe they believed personal financial information is when they use their mobiles to make purchases at stores, 28 percent said "somewhat unsafe" and 21 percent said "very unsafe."
Debit, credit and the underbanked
Mobile payments are most commonly funded using debit cards (55 percent). Credit cards are used by 51 percent; 15 percent use a nonbank account, such as PayPal, the Fed found. Only 8 percent of mobile payment users reported using prepaid cards, and just 4 percent had payments posted to their mobile phone accounts.
The Fed's data also points to significant opportunities for banks to reach underserved markets with mobile banking and payment services. According to the report, 13 percent of U.S. adults are unbanked; 14 percent are underbanked. Seventy-seven percent of the unbanked have access to mobile phones, 65 percent of which are smartphones. Among the underbanked 90 percent have access to mobile phones, and 73 percent of those are smartphones. What's more, 48 percent of the underbanked surveyed had used mobile banking during 2014, the Fed reported.
Target data breach price tag $252 million and counting
Friday, March 27, 2015
R emediation and legal challenges continue at Target Corp., in the costly aftermath of a December 2013 data security breach that compromised 40 million customers’ credit and debit cardholder data, as well as an estimated 70 million consumer email and mailing addresses. Target, in a recent statement, estimated costs of the breach to exceed $252 million in fines and legal fees, with no clear end in sight.
The newest addition to a litany of filings was announced March 26, 2015, with preliminary approval of a $10 million dollar settlement in a class action suit filed by Target customers with awards of up to $10,000 per person. Minnesota District Court Judge Paul A. Magnuson set a final hearing date of Nov. 10, the filing deadline for all claims and objections.
A separate ruling by Judge Magnuson in December 2014 paved the way for banks to sue Target, stating that the banks were the true victims in the data breach, since most consumers are fully reimbursed by banks for fraudulent charges on their credit cards. The Judge stated that the ruling’s intent was consistent with “Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”
Claimants must prove beyond doubt
Settlement terms dictate that claimants must provide proof of expenses and/or lost time caused by the data breach. Plaintiffs can use the settlement’s web portal to submit official claim forms, which must include at least one of the following complaints to meet reimbursement eligibility requirements:
- Unauthorized charges were made on their credit or debit cards that were not reimbursed.
- Time was lost when they had to deal with unauthorized charges.
- Legal counsel or an identity protection specialist was hired to rectify credit reports or to help restore credit worthiness.
- Late fees or higher interest rates were assessed on the cardholder’s account due to unusual account activity.
- The account was frozen, closed, or access to funds was blocked or restricted.
- Additional fees were paid on payment card accounts.
After the initial large payouts are made to claimants, any remaining settlement funds will be evenly disbursed among participating members of the class action suit who did not submit proof of damages. Considering that 40 million people were potentially hacked, if all or even half of those affected chose to participate, the average check would amount to under a dollar per person.
Attorneys expect to fare considerably better than consumers in this case, as settlement terms establish a separate fund of as much as $6.75 million to be set aside exclusively for class action legal representatives.
Target joins nonprofit initiatives
Target has been generally cooperative throughout the remediation process, security analysts have said. Early on, when the company first learned of the data breach, it offered customers who shopped at its U.S. locations up to a year of free credit monitoring and identity theft protection.
Immediately following the breach, Target published a dedicated website to address the ongoing data breach investigation and reassure customers that the company was making every effort to address concerns and improve security standards. In a March 6, 2014, statement, Target stated it officially joined the FSIAC:
“Target has officially joined the Financial Services Information Sharing & Analysis Center (FS-ISAC), a nonprofit private sector initiative developed by the financial services industry to help facilitate the detection, prevention, and response to cyber attacks and fraud activity," the company stated. "Information Sharing and Analysis Centers (ISACs) were created nearly 15 years ago in several industries to help effectively share critical information. As part of its financial operations (Target Bank, a federally regulated entity), Target will now be a platinum member of the organization.”
Ralph Boelter, Target Vice President of Corporate Security, added, "The Target team is looking forward to playing an active part of the FS-ISAC and working alongside these partner organizations toward industry solutions for cyber threats."
In February 2015, Target followed Payment Card Security Data Security Standard guidelines by appointing Mike McNamara as its Chief Information Officer. McNamara, formerly with U.K. retailer Tesco, will oversee a broad effort to protect consumer data, enhance threat detection, and implement ongoing employee protocols and security training.
Target has also made changes to its executive leadership. Chief Executive Officer Brian Cornell, formerly of PepsiCo Americas Foods, has replaced former CEO Gregg W. Steinhafel. In forward-looking statements released with its March 13 annual report, the company stated it expects further litigation from state and federal regulatory bodies, including the Federal Trade Commission, Securities and Exchange Commission, and leading payment card brands.
CFPB takes on consumer lenders, card market
Wednesday, March 25, 2015
T he Consumer Financial Protection Bureau wants to get a better fix on the market for credit cards. On March 17, 2015, the federal consumer watchdog agency issued a request for public comments on how the credit card market is functioning and the impact of credit card regulations on both consumers and card issuers.
The request came on the heels of a report to Congress in which the CFPB blasted banks and other service providers for hamstringing consumers when it comes to seeking relief for disputed transactions. “Tens of millions of consumers are covered by arbitration clauses, but few know about them or understand their impact,” said CFPB Director Richard Cordray.
Mandatory arbitration clauses limit consumer remedies
Arbitration is a method for resolving disputes outside the court system. According to the CFPB’s research, in recent years many contracts for consumer financial products and services have included “pre-dispute arbitration clauses” stating that either party can require that disputes be resolved through arbitration instead of the court system. Where such a clauses exist, either party can block lawsuits, including class actions, from proceeding in court.
The 2010 Dodd-Frank Act addressed the issue by prohibiting pre-dispute arbitration clauses in mortgage loan agreements. The law also tasked the CFPB with undertaking a study of pre-dispute arbitration clauses in other consumer finance markets and to issue regulations on their use if the study finds problems.
These are some of the problems highlighted in the CFPB’s report titled Arbitration Study: Report to Congress, pursuant to Dodd-Frank Wall Street Reform and Consumer Protection Act Section 1028(a):
- 53 percent of credit card issuers include arbitration clauses, mostly large banks.
- 93 percent of prepaid card agreements studied are subject to arbitration clauses.
- 44 percent of insured checking account deposits are covered by arbitration clauses.
- Among mobile wireless carriers that authorize third parties to charge consumer accounts for services, 88 percent of carriers representing 99 percent of the market include arbitration clauses in customer contracts.
Copies of the report are available for downloading at http://files.consumerfinance.gov/f/201503_cfpb_arbitration-study-report-to-congress-2015.pdf .
Getting to know the card market
The March 17 request by the CFPB is part of an ongoing series of studies mandated by Congress under the CARD Act of 2009. The Bureau said comments received will contribute to a report scheduled to be delivered to Congress later this year.
The CFPB said it wants comments from all stakeholders about how they believe the card market is functioning and what passage of the CARD Act has or has not done for consumers. Specific areas of inquiry include:
- What, if any, changes card issuers have made in terms of pricing, marketing, underwriting and other practices, and whether those changes have benefitted consumers.
- To what extent unfair and deceptive acts and practices, or unlawful discrimination, still exist in the credit card market.
- Debt collection practices and issuer relationships with third-party collection agencies.
- Whether disclosures regarding rewards programs are clear and transparent, and what can be done to improve such disclosures.
“With today’s inquiry, the Bureau is seeking to further understand how the credit card market is working in practice and how credit card protections affect consumers and credit card issuers,” Cordray stated when introducing the request for comment. “As we undertake this review, the Bureau wants to ensure it understands the information that consumers, industry, advocates, and other stakeholders believe is most relevant.”
Copies of the CFBP’s request for comment is available for downloading at http://files.consumerfinance.gov/f/201503_cfpb_card-act-report-rfi.pdf .
Verizon study details need for improved PCI security
Monday, March 23, 2015
T he Verizon 2015 PCI Compliance Report is Verizon Communications' fourth and most extensive study of global trends in payment card security. Highlights include a review of Payment Card Industry (PCI) Data Security Standards (DSS) baseline requirements and a first-time focus on sustainable security practices.
The 84-page study explores why four out of five companies fall out of compliance after passing their PCI audits. Additionally, two thirds of the companies studied used incomplete or inadequate test scripts for their in-scope security systems.
PCI Council sounds wake-up alarm
The PCI Security Standards Council, established in 2006 by American Express Co., Discover Financial Services, JCB International Credit Card Co. Ltd., MasterCard Worldwide and Visa Inc., is an open global forum focused on developing, managing, educating, and raising awareness of the PCI DSS for increased payment data security.
Stephen W. Orfei, the PCI SSC's General Manager, called the Verizon report "a wake-up call for every business that cares about payment security," adding that despite overall progress, businesses still have a long way to go in prioritizing and implementing payment security.
Orfei acknowledged that there is no "silver bullet" to preventing security breaches and urged companies to take a "multilayered approach to security" by managing access, strengthening security at the POS and remaining vigilant to the evolving threat landscape.
The report noted a global increase in credit card spending, predicting that total world card payments will exceed $20 trillion in 2015. The PCI DSS provided the framework for the report's quantified analysis. Following are three takeaways from the report.
- Compliance is up
Overall PCI compliance increased between 2013 and 2014 for 11 of the 12 PCI DSS requirements, with an average increase of 18 percent per business.
- Sustainability is low
Less than one third (28.6 percent) of companies retained PCI compliance in the 12 months following successful validation.
- Data security is still inadequate
Verizon's viewpoint is that the PCI DSS is "a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. PCI DSS compliance should not be seen in isolation, but as part of a comprehensive information security and risk-management strategy."
The report examined all 12 of the PCI DSS requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus tools, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
Each requirement was reviewed according to its role in a comprehensive security strategy. The report also examined newer versions of each requirement that reflect emerging technologies and the evolving threat environment.
For example, Requirement 2 prohibits using default passwords or security parameters. This requirement has been affected by Cloud and virtual technologies.
"Requirement 2 is one of the requirements most affected by the emergence of virtualization and cloud," the report stated, referring to technologies that simplify information technology (IT) infrastructures. The introduction of new technology can pose challenges to IT professionals tasked with separating in-scope and out-of-scope systems that coexist on the same physical server.
EMV may drive fraud to card-not-present transactions
Orfei noted that the U.S. transition to EMV (Europay, MasterCard and Visa) chip technology will make 2015 a pivotal year in payments. His tone of cautious optimism is reflected in Verizon's report, which references the coming Oct. 1, 2015, liability shift for POS terminals, and Oct. 1, 2017, for automated fuel dispensers. The report pointed out that EMV is not a panacea, and suggested that experience gained from other countries shows that it displaces, rather than eliminates fraud.
EMV cards may initially increase the security of card-present transactions, and "attackers may focus their attention on 'card not present' (CNP) transactions, including online shopping," the report stated. The report also noted that banks and card issuers are developing new methods of encryption, tokenization and behavioral analytics to enhance the security of e-commerce transactions.
Becoming and remaining compliant
In addition, Verizon's 2015 report explored why companies fail to sustain PCI compliance – in many cases for less than a year after achieving successful audits.
Verizon noted the problems stem from failure to build robust procedures, which need to be not only built, but also managed and maintained, and failure to see an assessment as a snapshot that captures only a moment in time and demonstrates that a company and its selected sites, devices and systems assessed during sampling were deemed compliant.
Real payment card data security requires ongoing controls and vigilance beyond the PCI assessment. Orfei described passing an annual compliance assessment as a starting point for a implementing a broader, vigilant and proactive security program. "Only a combination of people, process and technology, and a focus on making security a 'business-as-usual' practice will help thwart these constant threats," he said.
Congressional Payments Technology Caucus a positive for payments
Friday, March 20, 2015
T he Congressional Payments Technology Caucus (CPTC), formed March 19, 2015, will expand oversight into payment technologies, data security and alternative payment schemes that exist outside the traditional banking footprint. Committee members include House Representatives Lynn Westmoreland, R-Ga., Randy Neugebauer, R-Texas, David Scott, D-Ga., and Kyrsten Sinema, D-Ariz. The representatives share an interest in consumer protection and concurrently serve on the House Financial Services Committee.
Jason Oxman, Chief Executive Officer at the Washington, D.C.-based Electronic Transactions Association hailed the newly formed caucus as an important new development for the payments industry and U.S. economy.
"As the trade association of more than 500 U.S. payments technology companies, ETA applauds the leadership of Representatives Westmoreland, Scott, Neugebauer, and Sinema and looks forward to working with caucus members to advance deployment of payments technologies that grow our economy while improving the lives of all Americans," Oxman said.
Scott Talbott, ETA Senior Vice President of Government Relations, added, "The CPTC will deepen Members of Congress' understanding of issues facing the rapidly evolving payments tech industry."
Parallel efforts continue
While the CPTC's complete agenda has not yet been revealed, its committee members will continue to work with the House Financial Services Committee on initiatives that broadly impact the payments and financial industries. The committee's far-reaching agenda addresses current legislation and new issues that surface while Congress is in session. Current legislative initiatives include: The Dodd-Frank Wall Street Reform and Consumer Protection Act, financial institutions and consumer credit, capital markets, government sponsored enterprises, housing, insurance, and monetary policy and trade.
The Dodd-Frank Act's sweeping reforms include formation of the Financial Stability Oversight Committee and the Office of Financial Research. The "Too Big to Fail" initiative is designed to end government bailouts of banks regardless of their size or influence. The Volcker Rule restricts commercial banks from investing in hedge funds and private equity. The HFSC will continue to examine "Too Big to Fail" implementation and the Volcker Rule's impact on the strength and competitiveness of U.S. capital markets.
A diverse group of HFSC subcommittees manage ongoing oversight of financial institutions and consumer credit practices. These committees cover the Consumer Financial Protection Bureau, financial supervision, capital standards and Basel III, mortgages, deposit insurance, community financial institutions, regulatory burden reduction, credit scores and credit reports, access to financial services, Operation Chokepoint, and discrimination in lending.
Cautiously optimistic outlook
CPTC members noted the accelerated pace of technology innovation and its impact on U.S. and global economies. Rep. Neugebauer sees an upside in CPTC activities in the United States and locally for constituents in the 19th District of Texas. "Many of these new technologies will help address some of our most pressing financial services challenges such as cyber and data security," he said.
Rep. Westmoreland described Georgia as a leader in both consumer payment systems and cyber security. She looks forward to representing Georgia and participating in committee activities. "Global technology is growing and changing at a rapid pace and has a dramatic effect on our consumer payment systems and cyber security," she said, adding that the CPTC will help members stay current on industry changes, provide information, and participate in crafting future legislation.
Reflecting on his role in the Financial Services Committee, Rep. Scott commented on Georgia's central role in payments, a large and diverse industry that touches every segment of the U.S. economy. "Most electronic transactions in the US pass through Georgia-based companies," he said. He also acknowledged the need to further educate fellow members of Congress on the challenges and benefits facing the payments industry such as security and consumer protections.
Rep. Sinema saw innovation as fueling the growth of small business and start-ups, while protecting consumer privacy and security. "I look forward to working with the CPTC to foster innovation, protect consumers, and support small businesses," Sinema said.
View prior breaking news