Article

Risky Business

hand holding out credit card while typing information into laptop next to coffee cup and smartphone on red background
Celia Shatzman Photo
Writer & Editor

14 minutes

Credit unions are facing various threats in the payments space; here’s what they need to know to protect themselves.

Cash or credit? That question is becoming more obsolete every day, since we can make plenty of purchases without whipping out our wallets—even in person. It’s great not having to fumble around in your bag or wallet trying to find your credit card at the grocery store and skipping punching in your credit card number every time you shop online, but with all that convenience comes a major inconvenience: payment risks. 

“Credit unions are potentially at risk of fraud in two different ways: at the point of card issuance and through payment acceptance options,” says Rob Borucki, VP/product management at payments provider REPAY, Atlanta. “Many credit unions have different integrations that supplement their product offerings, introducing risk where these different systems touch sensitive customer information. 

“When bringing systems together or creating a new integration, it’s crucial for the credit union to ensure that security is tested at each point in the integration process and … at each phase of the payment experience,” Borucki explains. “As with all tech integrations with human interaction, there’s a strong possibility for error on the human side, so it’s important to properly test new systems.” 

As payment options have become broader than ever, so has the financial risk. Credit unions certainly aren’t exempt from these payment perils; however, they do have an advantage in this space. “Payment risk is a challenge across the financial services industry, with credit unions, banks and fintechs all working to deliver secure payment capabilities without compromising the user experience,” says Mike Homer, VP/product management/account processing for CUES Supplier member Fiserv, Brookfield, Wisconsin. “One bright spot for credit unions is that they tend to have close relationships with their members that may make it easier to spot abnormal activity. So, while they face the same risks as other financial service providers, the number of fraud occurrences and the overall impact, including potential monetary losses, can be reduced.”

We tapped industry experts to delve into the various types of payments risks credit unions are facing today—and how they can best protect themselves. 

Jack Lynch
Chief Risk Officer
PSCU
There are many periods throughout the year when spending increases. … Credit unions must understand cardholder seasonality as a whole as well as ensure they have a system that is sophisticated enough to adjust to those periods.

The Holiday Spending Surge

‘Tis the season for holiday shopping, promotions and scams. Undoubtedly, November and December are some of the busiest months of the year for credit card and virtual wallet spend as members check off everyone on their nice list.

“There are many periods throughout the year when spending increases in addition to the winter holidays, such as back to school, after taxes and summer travel,” says Jack Lynch, chief risk officer of CUESolutions provider PSCU, St. Petersburg, Florida. “Credit unions must understand cardholder seasonality as a whole as well as ensure they have a system that is sophisticated enough to adjust to those periods.

“Looking at it from the perspective of opportunity risk, credit unions also need to ensure that value propositions like rewards and promotional rates are competitive enough to keep up,” Lynch notes. “Keeping a pulse on what the competition is offering from a value proposition perspective and reacting accordingly is paramount to winning and retaining share of wallet. Successful campaigns should be both mindful and relevant.”

One of the reasons the holiday season carries higher risk is the significant number of scams and fraudulent marketing that occur during this time of year. To keep members safe, credit unions should educate them about potential threats. “Make sure that you’re spending time late in the third quarter into the fourth quarter sending fraud reminders,” says Keith Ash, SVP for CUESolutions provider Strategic Resource Management, Memphis, Tennessee. “One example is having a conversation around using Zelle and making sure you have a known person that you’re sending funds to, because it’s definitive—you can’t get it back, so overcommunicating is important. 

“E-commerce spend is up quite significantly,” Ash adds, “so make sure the credit union is investing in technology, tokenization and digital enablement, so that when [members] are spending, it is as safe and as secure as possible.”

Embedded Payments 

Embedded payments—payments technology from other vendors, fintechs and service providers embedded in merchant or vendor apps—are a convenient option for members, but they can also cause a headache.

“There is a right way to start accepting payments, and credit unions should prioritize mitigating immediate and downstream risk,” Borucki says. “The biggest risk with embedded finance is uncertainty that the product is properly secured and PCI (payment card industry) compliant. Credit unions need assurance that each touchpoint is free of susceptibility.”

Essentially, embedded payments have similar risks as traditional payments, including fraud and reputational risk, and must meet similar regulatory and compliance requirements. “The best way to address each of these considerations is with effective processes and tools that mitigate risk by proactively identifying, reporting and preventing losses,” Homer says. He recommends using tools that provide real-time fraud detection and prevention with advanced analytics to identify fraudulent patterns as they arise.

Additionally, credit unions can strengthen authentication procedures. Homer believes that two-factor authentication is not sufficient to curb fraud, but the introduction of additional factors can significantly decrease malware and remote attacks.

“Protect all channels and payment types” to avoid “displacement” of fraud attempts, he says. “For example, a sole focus on online transactions can push bad actors to alternative channels that are less protected, such as call centers. Additionally, configure tools and processes to monitor both outgoing and incoming payments. Review of payment recipients can reduce the incidence of fraud. And by monitoring incoming payments, credit unions may be able to identify differences or unusual behavior.”

FedNow Versus RTP

Is there a wrong choice when it comes to offering faster payments options? Tim Ruhe, VP/real-time payments at Fiserv, explains that when it comes to real-time payments, there are three important payment networks to consider for U.S. financial institutions. 

“Zelle is the first real-time network most financial institutions support because of its widespread and growing use and its popularity with consumers,” Ruhe says. The Zelle network is used primarily for P2P payments but is increasingly used for other purposes. Zelle uses email and mobile numbers to route payments securely.

“The other U.S. real-time networks are The Clearing House RTP Network, which is live at over 270 financial institutions, and FedNow, which will launch in 2023,” Ruhe continues. “RTP and FedNow are different from Zelle in that they enable real-time clearing and settlement between financial institutions using account numbers, but they are also very similar to each other, so it remains to be seen whether financial institutions will choose to support both or support only one of the two.

“The large payment originators will likely support both to ensure maximum reach for delivery of real-time payments,” he adds.

Since FedNow is not yet available, any advice or opinions thus far are purely speculative, Lynch says. “That being said, ultimately, it will come down to the hurdle of entry and use cases,” he notes. “There is a project cost involved with real-time payments, and although we suspect FedNow’s cost to be lower, only time will tell. In terms of use cases, it will depend on whether merchants and service providers will be developing instant payments, because they will have to invest in the technology to be able to use FedNow and ride both ACH and FedNow rails. Both of those factors may drive the adoption and preference for which solution is chosen.” 

Mike Homer
VP/Product Management/Account Processing
Fiserv
One bright spot for credit unions is that they tend to have close relationships with their members that may make it easier to spot abnormal activity.

The Fast and the Fraudulent

Despite—or because of—its popularity, fraud is flourishing on Zelle; in fact, $159 billion Navy Federal Credit Union, Vienna, Virginia, is facing a class action lawsuit filed May 2022 because, allegedly, it didn’t explain the risks of using Zelle to members. A similar suit against Wells Fargo was filed in June 2022 and dropped the same month.

“The risk of offering P2P payments as a payment option is that the liability is on the consumer,” Borucki says. “There are no consumer protection protocols in place, and it is still something that hasn’t been regulated by the CFPB (Consumer Financial Protection Bureau). Credit unions need to work with their … members to properly educate them on the potential risks associated with this form of payment.”

Real-time payments like Zelle and TCH RTP should be treated like electronic cash, so you should always know and trust who you are paying, notes Ruhe. “The primary source of fraud today is not the payment networks themselves but misuse of those networks,” he says. “An example is when a consumer is tricked into giving fraudsters their login credentials or one-time passwords.

“The second risk is in using a real-time payment method to pay someone you don’t know for goods or services, like buying a puppy or a concert ticket on Craigslist. There has been a lot of education on how to be safe with payments, but more education and awareness is needed. Education and awareness are the most important forms of protection,” Ruhe adds. He compares it to the education that has gone on around online security, such as teaching people to never give away a password or one-time passcode and to never click on a link you didn’t expect to receive or don’t trust. 

Buying and Selling Cryptocurrency

Even though the risks of cryptocurrency continue to be closely watched and documented, that doesn’t seem to be tamping down excitement for this hot payments category.

“Today, there is still uncertainty in the regulatory environment for cryptocurrency, and yet consumer interest in all things crypto-related is strong,” Homer says. “To help our credit union clients meet the demand, our approach has been to integrate cryptocurrency platforms with digital experiences that allow members to access a third-party crypto platform or wallet via their credit union, enabling the member to buy, sell or hold cryptocurrencies. This puts the risk of buying and selling crypto on the member and not the credit union.”

It’s important for credit unions to stay on top of trends like crypto to meet member needs while protecting themselves. Doing so today while remaining compliant requires a partner. Marqeta, for example, allows CU members “to use their crypto-currency holdings to purchase [with] fiat currency (government-issued currency not backed by a commodity) from a crypto wallet and earn rewards in crypto,” says Kevin Issadore, head of business development for North America at Marqeta, Oakland, California, a payments platform provider. “This way, … credit unions can leverage on-ramps and off-ramps to provide crypto rewards without needing to hold crypto themselves, instead deferring to the crypto provider.” 

To keep members satisfied, credit unions can educate their members on the risks of buying and selling cryptocurrency. “We’ve actually seen a lot of buyer’s remorse in that space,” says Ashley Town, VP/fraud services for CUES Supplier member Co-op Solutions, Rancho Cucamonga, California. “Not all members who are investing in cryptocurrency are educated on what they’re purchasing. Right now, we’re seeing a lot of celebrity endorsements around cryptocurrencies and promises of riches that are making cryptocurrency seem very appealing to members. But what we’re finding is that, especially as we’re seeing this change in the economy, cryptocurrency might not be the investment that members thought it was.”

Lynch notes that PSCU’s cryptocurrency education microsite hosts a wealth of resources and information specifically curated for credit unions to help them make informed decisions, including a downloadable educational video to share with credit union boards and staff, blogs, whitepapers and more from PSCU and other industry thought leaders.

Credit unions always face reputational risk offering such speculative products and services as cryptocurrency. “Because the NCUA does not allow cryptocurrency assets to be held by credit unions, they are not insured, so people who choose to invest in cryptocurrency run the very real risk of financial losses,” Lynch says. “Credit unions should consider very carefully if they want their reputation to be attached to such a product.” 

Reducing Risk With Wearables and Tap-to-Pay 

Not only are wearables, Apple Tap to Pay and contactless payments via Google Pay convenient, but they also provide very secure transactions, notes Town.

The catch can occur during the provisioning or the signing up of transactions for digital wallets. “That can be where there is opportunity for fraudsters,” she says. “What’s important in this technology is to make sure that you have really strong authentication measures when doing provisioning for those mobile wallets. That’s really the space that fraudsters can tap into if you have areas of vulnerability.”

However, security isn’t the only thing credit unions must keep in mind when it comes to these payment offerings. High cost is another major consideration. “Apple Pay is a very expensive solution—you have to pay Apple Pay,” says Ash of SRM. “Encourage and communicate to customers about other options, such as digitally putting your card on file—whether it be at the merchant or leveraging Click to Pay, which is where Visa and Mastercard store it on behalf of merchants—so that way, … you’re storing your credentials in a safe and secure environment.”

Ashley Town
VP/Fraud Services
Co-op Solutions
We’ve actually seen a lot of buyer’s remorse in that space. Not all members who are investing in cryptocurrency are educated on what they’re purchasing.

Buy Now, Pay Later 

Whether you choose to ignore buy now, pay later or offer your own competing option, BNPL is a key trend and risk—both in terms of opportunity cost and the potential for unchecked member debt. 

“Marqeta surveyed 3,500 consumers in the U.S., U.K. and Australia at the end of last year, and 51% of all adults surveyed had used a BNPL service,” Issadore says. “We anticipate that number will continue to grow as people seek out more flexible payment options, and many credit unions want to capitalize on consumer demand for BNPL.”

New entrants to the payments industry have focused on very specific segments of the population and have the potential to infringe on segments currently owned by credit unions, cautions Issadore. He believes that credit unions that can offer the latest payment experiences and trends—whether it’s BNPL, teen cards or instant issuance—while offering financial wellness services and education will have a leg up on their competition. Otherwise, if they don’t keep pace with what other financial institutions and fintechs can offer, they risk losing business. 

“Credit unions have a unique advantage in that they know existing customers very well,” Issadore says. “In many cases, they may even be able to offer stronger underwriting and a more complete financial picture.” The goal for credit unions, he adds, is to make payment and credit options more accessible to members. Leveraging a modern platform that lowers the barrier to entry for new products or markets can help CUs accomplish this goal.

The Bottom Line

Fraud is constantly evolving alongside changing consumer expectations and trends, so credit unions need to be able to react quickly to new threats. “It’s an interesting challenge, because credit unions are trying to keep up technology-wise with big banks and tech companies when it comes to the interface with their members,” Town says. “As this new technology keeps rolling out, there are also new risks that are introduced.

“With those new types of trends, or new tools and technology to make the experience faster and better for the member, you’re also seeing that fraudsters are trying to take advantage of these new features,” she adds. “It’s a balance of trying to adapt and keep on top of new technologies but also ensuring that you’re introducing new ways to protect members against fraud.”

One of the best ways for credit unions to protect members is to raise awareness and educate them on how they can best protect themselves.

“Credit unions are a very important part of our society and are viewed as a trusted advisor who helps connect members to their money in a very trusted way,” Ash says. “Being aligned with the right technology partners who help move them into the digital age quickly is going to be more important than ever. Whether it is a contactless card, easy-to-use mobile or online solutions and implementing card controls where they can turn a card on/off, members look to their credit unions to help them feel secure in how they transact. The role of the credit union is to allow members to do what they love and pay for it in a way that feels seamless and secure.”  cues icon 

Celia Shatzman has penned stories on topics ranging from beauty to fashion, finance, travel, celebrities, health and entertainment.

Compass Subscription