Attendees at Nacha’s Smarter Faster Payments conference last month were coasting through a late morning panel discussion on fraud just before lunch when one panelist’s comments stirred up the ballroom.

Consolidated Edison Director Frank D’Amadeo, who leads treasury operations at that utility, was asked by a moderator about “pain points” faced by companies amid rising payments fraud. With his response, D’Amadeo took on the banking and payments professionals packed in the room.

“There is a need in our country for fraud to be stopped before it even gets to us, and there’s a lot of data out there where, if the banking community shared information, they could prevent a good amount of fraud before it even occurred,” D’Amadeo said. “The banks need to do a lot more,” he said during an earlier panel, making the message clear for those attending the annual conference in Las Vegas.

His remarks sparked a mini-debate in the ballroom over whether banks are doing enough, jointly, to thwart criminals who shift from one bank to another, undeterred, in search of new victims.

JPMorgan Chase, the biggest bank in the U.S., didn’t respond to a request for an interview on the topic, but the moderator for one of D’Amadeo’s panels, JPMorgan Executive Director Steven Bernstein, opened with this: “Fraud is prevalent.”

Fraud has become a big problem for payments players, which include banks, processors, card networks and a host of intermediaries and fintechs. Now, the rise of faster digital payments, including the impending launch of the FedNow real-time system, and artificial intelligence innovations threaten to exacerbate the trouble.

Here’s how Thomas French, a senior fraud consultant at software company SAS Institute, described the current environment: “That's just a basket full of awful there, between scams, scams, scams and more scams. When you combine scams with faster payments, you get faster fraud.”

While there has always been fraud, it has worsened in the past year to 18 months, said French, who spent 27 years working for banks, including Bank of America and the former Wachovia and First Union. “It's the industrialization of fraud, where you’ve got different criminal rings doing different things,” he said in an interview this month. “I’ve never seen it so sophisticated, so fast, and so full of crooks in my 30-plus years.”

Bank customers have suffered alongside their financial institutions. The amount of money American consumers reported losing to fraud last year jumped 30% to $8.8 billion compared to 2021, the Federal Trade Commission said in February, and much of that fraud flowed through some part of the payment system. Those frauds took place in business, shopping, investment and online dating settings, among others. 

The FTC was able to identify a payment method for 17% of consumer fraud reports last year. Of those methods documented, the biggest losses were in bank transfers and payments, with those losses more than doubling to nearly $1.6 billion last year, compared to $762 million in 2021. That payment channel constituted the single biggest area of fraud losses for the past three consecutive years, the FTC data showed.

While the most dollars were lost through bank payments last year, the highest number of fraud reports were regarding credit cards, according to the FTC.

Businesses looped into losses

With such large losses, it’s not just consumers being targeted for the frauds. It’s also companies of all sizes, including D’Amadeo’s power company servicing the New York City area. With respect to incoming customer payments, the utility receives 500 to 600 fraudulent receipts daily from valid debit accounts, but they are accounts for which a fraudster likely bought information on the dark web. In some cases, they even brazenly use Con Edison account numbers. That fraud is minimal, relative to the utility’s three million customers, he said. 

But D’Amadeo worries more about outgoing payments. The company is “constantly” targeted by email scams in which con artists, purporting to be Con Edison executives or vendors, seek payments, putting hundreds of millions of dollars at risk. For instance, a firm to which Con Edison owes money may have been hacked, and the hacker sends the utility an invoice with accurate information, but an altered bank account directing money to the fraudster. 

“The biggest concern we have is on the disbursement side where we’re being compromised and duped into changing payment instructions to a counterparty and, look, if you don’t catch it within the first 24 hours, you’re not getting that money back,” he said.

Smaller companies are targets too. Jefferson Grace, a Las Vegas detective who also spoke at the conference, described how one local business owner that had been in business for 30 years went belly up after he misdirected $1.1 million in payments to a crook impersonating a vendor. He explained how fraudsters take over or mimic email addresses and glean executive names from social media sites, like LinkedIn, to send persuasive emails.

Email schemes that trick corporate executives into sending payments to swindlers has become a major stumbling-block. “We’ve put so much trust into email that was never designed to be there,” Grace said. Multiple speakers at the conference stressed the importance of executives following explicit payment processing instructions to avoid fraud.

A big part of the problem is valid accounts being tapped by bad actors. In that “synthetic identity fraud” trend some pieces of authentic information are used to create the appearance of normalcy.

“Synthetic identity is a concerning and growing threat factor,” Visa’s head of U.S. risk, Dustin White, said at another April industry conference, the ETA's Transact conference in Atlanta. “It's fairly sophisticated, and it's very devastating because it's not a $500, $1,000, $2,000 fraud run that a financial institution has to deal with. These are like $80,000, $100,000, $150,000 bust-out schemes, per instance,” he said. 

The Boston Federal Reserve Bank estimated that synthetic identities cost the U.S. $20 billion in 2021, White noted. “It's a very prevalent and growing threat vector,” he said.

The conundrum for payments and banking industry professionals alike is fixing the fraud without introducing too much “friction.” With the industry having made significant headway in making digital payments easy for consumers to use, banks and companies are reluctant to unwind features that have fostered more commerce, especially online.

Nacha pivots to fight fraud

Nonetheless, a consensus is emerging that something has to be done, and industry organizations capable of bringing the banks and payments communities together are mulling new approaches. One Citigroup executive at the Nacha conference caught up in the debate said: “It’s coming.”

A key player in any new effort would be Nacha, formerly known as the National Automated Clearing House Association. Indeed, it’s discreetly pressing for changes within its own community, including among its big bank operators, so that financial institutions take more responsibility to counter fraud.

Earlier this month, Nacha posted for public comment the outline of a new “risk management framework” it has under development in what it called a new era of fraud, where funds are mistakenly “pushed” by users into accounts where they shouldn’t be. The updated approach would address increasing fraud threats and attacks on ACH credits, wires, cards and other instant and digital payments, Nacha said.

“As a new risk management strategy, the Framework is intended to bring the ACH Network and the broader payments community together to address an emerging and important area of need, and to provide an overarching direction for new initiatives, guidance, rules and industry tools,” the May 2 Nacha executive summary said.

The aim of the new framework is to increase awareness of the illicit push schemes; reduce the success of those attempts at fraud; and improve the chances of recovering funds after the scams have occurred, Nacha said. A Nacha spokesperson, Dan Roth, didn’t respond to repeated requests for comment on the new framework.

Obstacles to cooperation

Part of the challenge in addressing the problem has been banks’ reluctance to share customer data with each other that might otherwise be helpful in fighting fraud, said Mark Dixon, who is vice president of education at the New England Automated Clearing House Association in Burlington, Massachusetts.

Banks have long been sensitive to sharing information in any way that might undercut their proprietary interests, but that attitude might be changing now, at least slightly.

“The industry is looking at how can we be more proactive with our communication,” Dixon said, pointing to Nacha’s new framework concept and a Nacha contact registry designed to help institutions talk to one another. “A challenge is going to be making sure all the institutions get on board with that.”

Increasing the difficulty is the fact that there are nearly ten thousand U.S. banks, creating a daunting task in allowing them to communicate with each other. 

As part of the effort, Nacha developed the contact registry in 2020 and had taken on the arduous task of asking bank personnel to sign in. So far, the registry has 45,000 contacts.

Nacha’s operating rules require financial institutions to provide the contacts so professionals from other institutions can reach them if need be, and all of them are supposed to be willing to share information as a part of the reciprocity of receiving it.

“The intent of the registry is to provide consistent and accurate information for a financial institution that may need to reach another financial institution regarding fraud scenarios like business email compromise and vendor impersonation,” Jeanette Fox, Nacha’s senior director for risk investigation and ACH network risk management, said in an emailed statement.

Early Warning Services, the bank-owned operator of the payment tool Ze also operates a national shared database to which the largest U.S. banks contribute account information, but professionals note it has a significant gap in coverage because smaller banks have more than a quarter of accounts.

Banks launch another initiative

Other banking organizations also are brainstorming new ways of combating fraud. The American Bankers Association is working on a new anti-fraud prevention project with Early Warning Services, according to one well-placed industry source who asked not to be identified.

That effort is starting out with just a handful of banks participating and is about to kick off a pilot phase, the source said, declining to provide further details. 

Sarah Grano, an ABA spokesperson, declined to comment, as did Meghan Fintland, a spokesperson for Early Warning Services.

Professionals from those organizations meet regularly to discuss fraud and risks, but French still has concerns that banks aren’t capturing and sharing as much information as they might. He notes that bankers are steeped in policies that keep them from sharing information with third-parties. Also, some professionals say they lean away from broadcasting new techniques for fear of tipping off fraudsters. “There is some sharing, but I think there’s a need and a desire for more sharing of different information,” said French, whose firm sells fraud analytics software.

Still, plenty of companies have been stepping up public campaigns to sell new fighting-fraud tools in recent months, including SAS Institute, card network company Mastercard, credit bureau Experian and a parade of fintechs introducing new services and products.

Europeans explore a new approach

Across the Atlantic in Europe, there has been more movement in terms of a collective industry response. A new concept of “authorized push payments” has taken root, with a sense of shared liability among banks for wayward payments, said Donna Turner, a former chief operations officer at Early Warning Services who is now a consultant for the auditing firm Ernst & Young.

European financial institutions on the sending side are now taking as much responsibility for fraud as those on the receiving end, Turner said. Increased data sharing among banks in Europe has unfurled with the open banking trend following a 2016 adoption of the European Union’s Second Payment Services Directive, known as PSD2.

Bank and payment actors on either side of a transaction have an increased incentives to change their behavior to fight fraud, Turner said in an interview this month. “It’s about protecting the ecosystem,” she added.

Participants in the U.S. payments ecosystem may be starting to embrace the same approach as they seek to build stronger industry defenses against fraud.

 

Dive Brief:

• A fifth of consumers worldwide have been victims of payment fraud in the past four years, according to an ACI Worldwide report based on consumer polling last year. 
• Of that group, more than a quarter (26.9%) have fallen victim to authorized push payment scams, which involve scammers tricking users into making payments to a destination account the scammer controls, ACI said in a news release issued Thursday. ACI called that type of payments fraud the top fraud threat globally. 
• Financial crime and fraud are projected to cost banks and financial institutions around the world $40.62 billion by 2027, ACI said. With the rollout of FedNow in the U.S., real-time payment volume is expected to grow 32.6% by 2027, ACI said, referencing the March report.

Dive Insight:

Though push payment scams are defrauding consumers abroad, ACI argues that the U.S. doesn’t have to suffer the same fate. U.K. consumers lost £1.2 billion to fraud scams last year, more than a third of which were push payment scam losses, ACI said. In the U.S., the July launch of FedNow, the Federal Reserve’s real-time payments system, presents the chance for the financial sector to anticipate risk and update its management technology, ACI said.

Push payment scams “are on the rise as fraudsters exploit human vulnerabilities and weaknesses in bank controls to manipulate mule accounts to receive funds from fraudulent activities and facilitate further illicit transactions,” Cleber Martins, ACI’s head of payments intelligence and risk solutions, said in a Thursday news release. 

“Banks need to safeguard their customers and revenue by shifting their focus from relying on traditional measures designed to prevent check or card fraud,” Martins said in the statement. “They need to arm themselves with the right fraud strategies to capitalize on the security of the real-time payment rails and reap the benefits of real-time payments without fraud management becoming a cost-center.” 

Fraud has become an increasingly large problem for payments players, and the onset of real-time payments has raised concerns about real-time fraud. Payments fraud came up at Nacha’s Smarter Faster Payments conference in April, during which Consolidated Edison Director Frank D’Amadeo urged banks to do more to combat fraud. 

Payments firms are also tackling fraud with currently available payment products. Earlier this month, American Express CEO Steve Squeri said the card company has seen an uptick in scammers targeting elderly customers via gift card fraud.

Sponsored content

By Oversight

Occupational Fraud – The ‘Five Percent Factor’ in Financial Risk 

Occupational fraud hurts. To the tune of 5% lost revenues annually¹. Median loss per case is a painful $130,000. Perpetrators reside in the C-suite or work anywhere in the company. There’s no hard core of easy-to-find regulars. Nearly 90% of fraudsters are first timers with clean resumes; tough to spot pre-hiring.  

Where Does Fraud Hide? 

Around 14% of total fraud stems from misuse of P-Cards and T&E reimbursements. Employees often start by cheating on expense reports, graduating to other frauds.  

How Can Technology Help?  

Auditors are human. Spotting and shutting down fraud is superhuman. Step forward AI-based data analytics. Think of them as an always-on assistant, with a tireless capability to analyze every transaction across T&E and P-Card programs. With complete context analysis, and the same rigor applied by internal auditors or fraud examiners.  

Which Technologies? What Do They Deliver? 

Rules-based, behavioral, and deductive analysis, evidential reasoning, and standard business intelligence combine in complex analysis. The technology monitors transactions continuously, delivering two benefits to organizations. First, they can flag suspicious activities within large data volumes. Second, they cut out noise, distinguishing highest priorities among hundreds of indicators of fraud, misuse, and waste. These then undergo skilled human investigation.   

Finding – And Fixing – Holes In The Controls 

Weak controls create fraud and misuse opportunities. AI-driven analytics tighten the net, checking for fraud schemes and misuses. Auditors have a detailed view of spending habits and can pinpoint employees exhibiting non-compliant activity. In the long term, they protect bottom lines by adjusting policy, procedures, controls, and training, preventing issues from recurring.  

Comprehensive Cover Replaces Spot Checks 

Reliance on spot checks and sample deep dives ends. Auditors enjoy monitoring and analysis of all transactions across all expense reports and time intervals. The strategic benefit is increased compliance. Organizations are empowered to have employees follow corporate travel and expense policies. Day-to-day, companies monitoring with the power of AI pinpoint non-compliant spending, equipping management to take appropriate action.  

Data Driven Audit Automation Acts Fast. Saving Time and Money.  

Median fraud schemes detection time is 16 months². Organizations monitoring data using the power of AI detect frauds in less than half the time, with 52% lower fraud losses.  

How Employees Spend (Steal) Employers’ Money 

Our solutions have helped detect employees expensing the personal and the bizarre! Including weekly visits to the liquor store, funerals, wedding receptions, and family vacations. Even online psychics have appeared. But companies want to influence employee behavior practically, not psychically.  

End Playing Cat And Mouse  

‘Gotcha’ moments boost auditor morale. But they risk the gamification of fraud, with perpetrators knowing detection odds are stacked in their favor. Automated analysis, with relentless regularity, works far better. It drills into the ‘why’ of non-compliant spending. And it enables companies to adjust spending policies and provide training and coaching to modify employee behavior before it becomes habitually damaging.  

If building this compliance culture sounds time-consuming, consider that an effective monitoring solution should deliver automated policy education and feedback to employees. By socializing specific policy violations, companies have improved employees’ future spending decisions, reducing violations by up to 70%.  

Finding ‘Genuine Fraud’ Drives Technology ROI 

Your automated data analytics solution should deliver strong ROI by identifying true positives: real cases of fraud, misuse, or error. False positives are just another cost, requiring effort for no useful outcome. Here, time-based reasoning is key: viewing transactions in the context of their relationships over time, to determine the unusual from the everyday.   

Best-In-Class Support For Your Audit Function  

Advanced AI-based data analytics support your audit activity with these built-in functionalities: 

• Automatic identification of high-risk transactions. 
• Automatic high-risk activity assignment for audit team remediation. 
• Integrated case management workflow for efficient resolutions and effective stakeholder communication. 
• Permanent audit log recording of key individual case details and creating compliant documentation. 
• Built-in dashboards leveraging data analytics and workflow, providing actionable senior management information. 
• Resolution results feed to the next data analytics run, enabling the system to grow smarter with each iteration. 

Plug In to The Power Of Artificial Intelligence  

An AI-powered, automated data analytics tool, coupled with your TEM software, is measurably the best way to holistically manage, mitigate and minimize total T&E and P-Card risk, in real-time. And when that tool is Oversight, you have the winning combination. The advantages of AI are right here right now, and Oversight can apply them to your business. Because, as we say, Oversight is AI in action.  

When the Federal Reserve’s new instant payments system arrives later this month, it will have features to help financial institutions deter high-speed fraud.

In a speech to the National Bureau of Economic Research, Cleveland Fed President Loretta Mester spelled out how the new real-time system will equip banks and credit unions to stop fraudsters from using the new payment rails to advance their schemes.

Mester focused on FedNow, which promises to complete payments within 20 seconds, as the likely launch of the new system nears later this month. The instant payment system has been in development since 2019 as the first major U.S. government payments upgrade in 50 years, she said.

It’s an important development in that payments help fuel any country’s economy, and determine to some extent, how efficient that commerce is. In addition, the U.S. is playing catch up with some other nations that have already implemented such real-time systems.

Faster payments are in demand by consumers and businesses alike, Mester noted. The FedNow system, with its ability to transfer funds around the clock, could help both avoid fees when money in accounts is running low, she noted. The system can also deliver faster paychecks to consumers, she added.

“FedNow will provide the public with more flexibility to manage their money and to make time-sensitive payments whenever needed,” Mester said.

FedNow has raised the specter of faster payments leading to faster fraud, but the central bank is attempting to ensure that isn’t the case.

Users of the new government system will have the option to create a list of “suspicious accounts,” from which they aren’t interested in sending or receiving payments through FedNow, Mester said. Indeed, participants in the new system will be able to reject payments and to limit use by certain accounts, she said. 

FedNow will also incorporate tools that help financial institutions investigate shady transactions, Mester said. In addition, FedNow’s request-for-payment function will include fraud-mitigating features, she added.

“Combating fraud is a dynamic endeavor, so the service will be offering more fraud-prevention tools over time,” Mester said in the speech.

She also addressed other FedNow challenges that have been raised as the launch date nears, such as its lack of interoperability with other payment systems, the possibility it could increase the risk of bank runs and the likelihood that it will be adopted only slowly and therefore not be widely available.

Education about the new system, with respect to financial institutions, businesses and the broader public will be key. The Fed has had an intense marketing campaign in place for months now, with the central bank announcing last month some 57 companies as early adopters

On the threat of bank runs, she stressed that financial institutions will have flexibility to impose restrictions that should fend off such problems. For example, banks will be able to lower dollar limits on transactions and could shift to a receive-only mode if they like, she said. 

With respect to interoperability, she explained that such cooperation between payment rails has been an issue in the past and that it sometimes took decades to create better connections. Still, FedNow is designed in keeping with the international ISO 20022 standard and it has that in common with the U.S. private real-time payments system known as the RTP network, which is operated by The Clearing House, which is owned by a group of banks, she noted.

“No doubt it will be a challenge for instant payments,” she said. “But the Fed continues to engage with RTP to discuss how best to accomplish this goal.”

As the Federal Reserve prepares for the launch of FedNow as early as May, it’s focusing on building fraud prevention features into the new real-time payments system.

“Fraud management features are a high priority for (financial institutions) and are being tested along with transaction flows in the countdown to launch,” the Federal Reserve said in a website post, citing FedNow Senior Vice President Nick Stanescu.

The central bank is zeroing in on the fraud prevention effort as other speedy payment systems fend off criticism that consumers can run into trouble when fraudsters trick them into sending payments that can’t be reversed. That’s been the case with Zelle, the peer-to-peer payments system operated by the bank-owned Early Warning Services. 

That system, introduced in 2017, has been battered by complaints from bilked consumers. Sen. Elizabeth Warren (D-MA) took up their cause last year, railing against Zelle and calling for increased regulations to protect consumers. For its part, Zelle has said that the fraud on its system accounts for well under 1% of transactions.  

FedNow won’t be offered directly to consumers, but rather to some 10,000 banks and other financial institutions that are connected to the FedLine network. Those financial institutions will, in turn, make the instant payment services available to corporate clients and ultimately consumers as well. 

After years of planning for FedNow, the payments system entered the final phases of testing and certification last month, with an aim to make the service available sometime between May and July of this year.

“Early adopters in the FedNow Pilot Program — FIs, processors and service providers among them — are now sending test payments messages to one another using the FedLine infrastructure,” the Feb. 6 Fed update said.

All of that development comes with an eye on fraud prevention, as users ultimately tap it for account-to-account money transfers and bill payments, among other services.

In a separate post, the Fed said the initial launch of FedNow will allow financial institutions to impose value limits for transactions and specify some situations in which transactions would be rejected. It also will offer features that let the institutions check whether a message was altered as well as options for running transaction reports.

The update made clear that the Fed is keenly aware of the troubles that have recently plagued Zelle and the inability to reverse payments so it’s seeking to find ways to bolster defenses against fraud. It will encourage financial institutions to mimic Zelle’s extra layer of prompts asking users if they’re sure they want to send a payment.

Identity theft and account takeovers are the types of schemes that the Fed is bracing for as it anticipates that criminals will infiltrate the new real-time payments system, as they have other forms of payment such as debit cards, checks and automated clearing house payments.

“The rise of instant payments is a reminder that while fraud itself may be as old as human civilization, new ways of making payments invariably introduce fresh fraud management challenges to financial services sectors and their customers,” the Fed post said.

The Fed said it may also eventually give financial institutions the ability to fine-tune their controls for certain types of customers that allow them to better screen out requests to send payments to bad actors. 

The central bank could also use the FedNow system to monitor for illegal activity, such as “aggregated concentrations of inbound and outbound activity” that may suggest illicit “mule activity.” It could also tap machine-learning capabilities to assess transactions.

The central bank did say that potential features planned for a roll-out in 2024 may allow financial institutions using the system to reject payments that exhibit “unusual frequency patterns” or show an unusual cumulative value over certain periods of time.

“This could address fraudsters’ efforts to work around transaction limits by originating large numbers of low-value payments in a short window,” the Fed said in the web post.

In the meantime, the Fed is relying on education to make sure the financial institutions know how to use the system in a way that mitigates fraud.

Financial institutions aren’t completely unfamiliar with how a real-time payments system works because a group of big U.S. banks introduced their own real-time payments system, called the RTP network, in 2017. Smaller institutions that have been reluctant to use a system run by their larger rivals are expected to tap FedNow for services.

Comments from Stanescu came in an interview of the Fed official with the trade publication Pymnts.com, the Fed said in its web post.

In the mid-2000s, when biometrics in payments was still a mysterious notion, a company called Solidus Networks developed a finger-reader for payments that was trotted out at grocery chains such as Jewel-Osco.  

It allowed shoppers to pay at a Pay By Touch terminal with the touch of a finger. That payment method – which arrived a decade prior to a similar product, TouchID on Apple iPhones – failed to gain traction, and Solidus filed for bankruptcy in 2007. 

“At that point in time, biometrics was just really an alien concept,” said Thad Peterson, a strategic adviser with consulting firm Aite-Novarica.

While biometrics was too early to market then, payments consultants and executives say now is the moment for the technology. The FIDO Alliance, which seeks to eliminate passwords and advance biometrics for authentication, is one of several actors pushing payments in that direction. In the U.S., the retail sector is expected to generate $5.5 trillion by 2027 and Aite-Novarica estimates fraud losses just for card-not-present transactions will reach $9.2 billion next year, so there’s strong appeal in making payments simpler and more secure.

Tech companies Apple and Google – major influencers of consumer behavior – have done the heavy-lifting when it comes to biometrics acceptance. Their tech tools and ubiquitous smartphones have primed consumers to use their fingerprints or faces to access their devices. 

In addition, user IDs, PINs and passwords have become a friction-filled headache for many. Consumers who’ve grown weary of the need for unique passwords may increasingly view biometrics as a welcome change.

Those two factors have set the wheels in motion on biometrics in payments, said Peterson, who focuses on emerging payment technologies and digital wallets.

As the pandemic prompted a shift toward contactless, payments players want to make transactions as frictionless and quick as possible, both to increase volumes and please customers. Tapping biometrics takes that a step further, proponents say, with ease of use and security both necessities in the digital age. By combining biometrics with Near Field Communication (NFC) and EMVCo standards, “you get to a really secure transaction,” Peterson said.

Reducing fraud is crucial to payments companies, and brands want to be seen as modern, seamless organizations, said Andrew Shikiar, FIDO Alliance’s executive director, during a June interview. 

There’s plenty of buzz around biometrics, but a number of questions remain regarding adoption and security. Paying by face has been around for at least five years in China, but privacy concerns are more of an issue in the U.S. than in that country, payments consultants and executives said. Additionally, the U.S. financial system is far more diverse and American consumers tend to be slower to use new technologies.

U.S. adoption will come faster if biometric payment methods take off in Europe, where regulations are more stringent, Alessandro Chiarini, senior vice president of enterprise authentication for biometric software company Aware, said during a May interview.

As more companies turn to biometrics and collect consumer data, however, the odds of a major breach occurring increase. “You see one high-profile breach, and maybe consumer appetite and concerns completely change from what they were,” said Greg Szewczyk, partner and co-chair of the privacy and data security group at law firm Ballard Spahr.

Until the security of such systems has been tested further, biometric payment methods are unlikely to unseat other payment options, some professors and consultants said.

Biometrics in payments is “no silver bullet,” said Dave Lott, a payments risk expert at the Federal Reserve Bank of Atlanta, during an August interview. He noted the Federal Reserve has always maintained “a technology agnostic position.”

In payments, “there are applications that lend themselves to various forms of biometrics, and there’s others that don’t,” Lott said. “If I’m paying cash, there’s no biometrics involved in that.”

New payment methods emerge

Since the days of Pay By Touch, a crop of new biometric technologies have emerged: Methods asking users to hover or wave their palm over a scanner are factoring in unique features like the shape of the hand and the veins running through it. 

Face-pay tools ask users to look into a camera as their image is captured and compared against facial scans; methods involving the eye can scan the retina or iris to authenticate payment.

People tend to be less comfortable with a biometric that involves the eye than a fingerprint, scholars said. In geographic regions of the world that have already turned to biometrics, like China, face-pay is more popular than palm-pay. 

Consultants said biometric payment methods are far more likely to gain traction if they are geared to consumers using their smartphones, as opposed to requiring merchants to acquire and install in-store technology.

“I think absolutely people are ready for it, and they’re already using it,” Peterson said. As long as it’s device-dependent, “the merchant is kind of out of the equation,” he added.

Big names pursue biometrics

Consumers tend to be most familiar with the biometric method that employs a one-to-one comparison. That’s typical with phones using biometric sensors to verify users with a fingerprint or facial identification, said Anil Jain, a professor in the computer science and engineering department at Michigan State University.

“The advantage is that your template, or your reference biometric, is always stored in the phone, which is with you,” which is highly secure, Jain said.

That’s the approach that FIDO Alliance, a consortium of technology companies, has tapped in its effort to eliminate passwords. FIDO stands for fast identity online and the consortium is spearheading that change.

Pairing biometrics with cryptography allows a person to prove his or her identity to a device and then allow that device to provide proof to an approved third party, like a bank app, said Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research. She was involved in the biometric certification process for FIDO.

PayPal, Bank of America, Wells Fargo and large retailers Best Buy, Wayfair and eBay are among those already accepting FIDO for log-in, said Megan Shamas, FIDO’s senior marketing director. It’s gained traction in online payments in Europe, because it’s easier for consumers than a one-time password or multi-factor authentication, Shamas said.

Products like Amazon’s palm-pay, called Amazon One, are different: Consumers enroll at a store and link their payment information. In a system like Amazon One, it’s a one-to-many comparison, with “one” being the customer paying and the “many” being the pool of Amazon customers who’ve opted into recognition by their palm, Jain said. This method can be highly convenient, but involves biometric data being stored in a central database.

“There is always a worry that somebody may either break into the central storage or, during the transmission of the data from the point-of-sale to the cloud, somebody may intercept your data,” Jain said. That’s why Amazon and other large companies ensure biometric data is encrypted, so even if it’s intercepted, it’s secure, he said.

The e-commerce giant opted for the palm biometric because it was important to the company to choose a method that doesn’t reveal a person’s physical identity, said Dilip Kumar, Amazon’s vice president of physical retail and technology. 

“Unlike face or even your voice, which can give you clues about the person’s identity, a picture of your palm doesn’t give you a clue as to who the person is,” he said in an Amazon News video published in July.

Amazon also opted for “a very intentional gesture,” Kumar said in the video. Customers are accustomed to holding their phones over devices, so hovering their hand over a scanner would seem similarly active, said Kumar, who the company said wasn't available for an interview. 

Amazon uses sophisticated cameras and computer vision technology to capture the details of the palm and subsurface images of veins, Kumar said. The company incorporated “liveness detection” to bolster accuracy and ensure hands being held over devices are real. 

Beyond some of the company’s Fresh, Go and Whole Foods stores, the technology also is being used in some U.S. airport stores and stadiums, an Amazon spokesperson said.

Other biometric uses are popping up in payments: Companies like Samsung are embedding fingerprint sensing, which eliminates the need for a PIN, into physical cards. Pasadena, California-based PopID has partnered with Visa and Mastercard to bring its face-pay technology beyond southern California to other regions of the world. 

Mastercard’s biometric checkout program launched earlier this year with a pilot program in Brazil. The company also plans to test biometric payment methods in the Middle East, Asia and the U.S., although Nili Klenoff, senior vice president and head of authentication solutions at Mastercard, wouldn’t say when the program will arrive in the U.S. 

The card network’s program lays out standards for how biometric service providers, digital players and merchants should develop their biometric tools and tests them to ensure the tools meet the company’s privacy and security standards, Klenoff said during a May interview.

“Ultimately, that’s the key to unlocking scale,” Klenoff said. “Our goal is to create an open environment that empowers different channel providers to play.”

Privacy, security concerns

No two people in the world have the exact same biometric traits – and that plays into the hands of those trying to reduce fraud and enhance security in payments.

Consumers are still coming around to the idea, however. About half of U.S. adults favor the use of facial recognition technology for security purposes, such as enhanced security with a credit card payment, Pew Research Center determined in March. 

When it comes to checkout, 74% of U.S. adults expressed privacy concerns about their biometric data, like fingerprints or retina scans, being stored by a marketer, according to data from an upcoming issue of Ipsos' strategic foresight magazine, What the Future. Respondents were polled in late August.

Consumers tend to view biometric checkout technology as reliable and trustworthy, but the next hurdle “is the security piece of it,” said Oscar Yuan, CEO of Ipsos Strategy3. The security factor is “particularly challenging” because it’s not just biometric data security that impacts consumers’ nervousness, “it’s general data security that’s giving people pause,” Yuan said.

Mastercard’s data from June also indicate about two-thirds of global consumers say biometrics is more secure than a PIN or password, but 71% are concerned about which parties have access to their biometric data.

From FIDO Alliance’s perspective, it’s critical that all biometric data remain in the device, not in a central database, Shikiar said. That’s a comfort to consumers who are trusting that their biometric information is being handled responsibly. FIDO’s user testing showed that “once they understood that the data was on their device, they loved it,” Shamas said. 

Still, consumer advocates worry there’s a false hope the new systems being touted are more secure, when that might not be the case. 

“My sense is that consumers are not going to wholeheartedly embrace all of this biometric stuff that’s being sold to them,” said Ed Mierzwinski, senior director of the federal consumer program at advocacy organization Public Interest Research Group. Consumers “are very concerned about databases containing their information that could then be misused.”  

Of FIDO’s locally stored approach, Mierzwinski said: “I’m not endorsing it, but I’m saying it’s better.” 

Others suspect consumers aren’t thinking about the different approaches to data storage. “I don’t think there’s that divide in their mind, that, oh, this one’s saved on my phone, so this one’s safer,” Yuan said. “They think in terms of, ‘OK, they have my data and I want it to be secure, whether that’s the device that stores it, whether that’s Amazon that stores it, whether that’s Apple that stores it, whether that’s AT&T that stores it.’”

With sensitive data in play, it’s incumbent upon companies to be transparent. Those capturing biometric information need to “be really clear about what’s being captured, how it’s being used and how it’s being protected,” said Adam Pressman, a managing director in the retail practice at consulting firm AlixPartners.

Among U.S. states, Illinois, Texas and Washington have biometric identifier laws, requiring specific consent from consumers before companies can collect biometric data. But all 50 states have breach notification laws, and most of those include biometric information, Szewczyk said.

If the biometric method used is something consumers are familiar with, it’s less likely to raise concern on the consumer front, Szewczyk said.

The usability factor

A handful of different biometric methods are being pursued in payments, but certain types have greater usability than others, depending on the setting.

“There are a whole bunch of biometrics,” Jain said. “The question is, what makes most sense in a given scenario?” 

Background noise in a crowded store may interfere with the use of a voice biometric at a kiosk. Paying by face could be particularly useful at drive-thru restaurants. Merchants will assess biometric technologies and pick the right tool for their business, Klenoff said.

For in-store payments, FIDO has been working with EMVCo on allowing the FIDO biometric credential to be used to authenticate at the point of sale, erasing the need for another verification method like PIN or a signature. Mobile payment providers like Apple and Android are beginning to implement that credential, Shamas said.

But if the biometric payment method involves the merchant obtaining and installing new technology – like a kiosk with a camera that scans a customer’s face – envisioning that is harder, consultants said. 

That approach could be costly for merchants, requiring added hardware or software at each store, and customers would have to be taught how to use it, said Jeff Fortney, a senior associate with payments consulting firm The Strawhecker Group, in June.

The path to broad adoption

The pace at which biometrics in payments could take off in the U.S. remains unclear. 

Some payments professionals pointed to the persistence of cash or the arduous adoption of chip cards. The latter were rolled out in 2015, and gas pumps just reached compliance this year. QR codes were used to make payments in India in the mid-2000s, but it took the pandemic to get consumers to use QR codes in the U.S.

“I’ve seen a lot of new technology that I thought would just be a game-changer, but it either didn’t have financial support or merchants weren’t going to do it,” Fortney said. “It’s going to be a 10-year cycle, in my opinion, before [biometrics] really makes an appearance.”

Klenoff pointed to greater adoption of tap-to-pay during the pandemic, predicting biometrics will follow a similar trend. “We’ve taught consumers to swipe, then to dip, then to tap and now, biometrics,” she said. “With any of those experiences, it takes the consumer a couple of times to experience the technology, try it out and become comfortable with it before it becomes a habit.”

The older the technology is, the more consumers trust it. In the earlier days of the internet, people were afraid to use their credit cards online to pay. At that point, “we were looking at the same thing – 75 percent -80 percent of people were nervous,” Ipsos’ Yuan said.

Over time, technology improved and the convenience factor outweighed concerns, causing that percentage to shrink, Yuan said. He suspects consumer comfort with biometric payment methods will follow a similar path.

There’s still work to be done in biometrics on the technology side, in terms of improving accuracy. Shikiar noted false rejections can be an issue in biometrics, particularly for Black users. That’s something the industry continues to address, “to make sure that bias goes away through stronger testing, improvements in algorithms, things like that,” he said.  

As Apple, Android and Windows products roll out new operating systems in the coming months that support FIDO credentials, Shamas expects that will be the spark that fuels further adoption on the part of financial institutions and merchants.

Rather than having shoppers input payment details such as card security code at each site, merchants want to move toward a process that has customers “form fill your credential in the browser, and then you authorize it with your biometric,” Shamas said. “I think we’re going to see these things come together in the next couple years or so.”

Looking ahead, consultants envision the use of biometrics to unlock a mobile device being applied to authorize a payment made shortly thereafter, without having to re-authenticate, Peterson said.

For his part, Lott expects to continue to see a “buffet of payment choices.” 

“Ultimately, it is the consumer that’s going to make the decision as to what method of payment they prefer to use,” Lott said. “If a merchant doesn’t support that particular method of payment, it’s highly likely that consumer [is] going to find a merchant that does.”