Board of Governors of the Federal Reserve System

Errata

The Federal Reserve revised this report on October 18, 2018. On p. 10, the second occurrence of the year was revised from 2012 to 2015 in the following: "The number of fraudulent credit card payments rose from 14.0 million in 2012 to 30.4 million in 2015, while the number of fraudulent debit card payments rose from 13.7 million to 28.7 million (table 6)."

Preface

An efficient, effective, and safe U.S. and global payment and settlement system is vital to the U.S. economy, and the Federal Reserve plays an important role in helping maintain that system's integrity.

The Federal Reserve Payments Study (FRPS) is a data collection project that tracks and reports aggregate estimates of payment volumes, payments fraud, and related information in the United States through surveys of key payment service providers. The Federal Reserve Bank of Atlanta (FRB Atlanta) sponsors the study on behalf of the Federal Reserve System and partners with the Board of Governors of the Federal Reserve System (Board) to form the FRPS team.

The FRPS team includes staff from the Retail Payments Risk Forum at FRB Atlanta and the Payment System Studies section in the Division of Reserve Bank Operations and Payment Systems at the Board. The Retail Payments Risk Forum works with financial institutions, industry participants, regulators, and law enforcement officials to research issues and sponsor dialogue to help mitigate risks in paper, card, and other electronic payments. The Payment System Studies section conducts original research and collects data related to payments, clearing, and settlement to inform policymakers, the payments industry, and the public.

Blueflame Consulting and the GCI Analytics office of McKinsey & Company assisted with survey administration and data collection.

Geoffrey Gerdes, Claire Greene, and May Liu prepared this report, with excellent research assistance from Lauren Clark. Staff members at FRB Atlanta and the Board who also contributed to this report include Rudy Alvarez, Dave Brangaccio, Steven Cordray, Nancy Donahue, Susan Foley, Lisa Gillispie, Jonathan Hamburg, Mary Kepler, Doug King, Susan Krupkowski, Ellen Levy, Dave Lott, Mark Manuszak, Jeffrey Marquardt, Stephanie Martin, David Mills, Daniel Nikolic, Laura Reiter, Susan Stawick, Catherine Thaliath, Jessica Washington, and Julius Weyman. The authors take responsibility for any errors.

The FRPS team thanks the invited industry experts who participated in a discussion of preliminary payments fraud estimates held by the Retail Payments Risk Forum in May 2017.

The Federal Reserve System appreciates the efforts of survey respondents who provided the information summarized in this report and the leaders at the respondent institutions who supported them. This information is intended to enable payments system participants to better understand payment developments and inform strategies to foster further improvements in the payments infrastructure.

If you have questions about the FRPS or this report, please email [email protected].

Media queries, please contact the Board's Office of Public Affairs at (202) 452-2955.

FRPS reports and data can be found at www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

Executive Summary

This Federal Reserve Payments Study (FRPS) report provides estimates of payments fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks; the automated clearinghouse (ACH) transfer system; and the check clearing system. These payment systems form the "core" of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States today.¹

The data reported here show that the overall rate of payments fraud, by value, was rising even as the total value of noncash payments was rising in the United States in recent years. A rising rate means the value of payments fraud was increasing faster than the value of total noncash payments. As the number of payments has risen, the likelihood that a payment is fraudulent has also increased. Payments fraud is shifting as the payments system evolves and as new vulnerabilities emerge or old ones fade. Overall, however, payments fraud remains rare and represents only small fractions of 1 percent of the total value or number of payments.

The Federal Reserve surveyed depository institutions and payment card networks to collect the value and number of fraudulent payment transactions. Payments fraud involves the use of stolen credentials or the exploitation of a security vulnerability in the given payment network or system. The types of fraudulent payments covered in this study are those made by an unauthorized third party, a person that the authorized user, such as an accountholder or cardholder, has not approved. Although funds must have been transferred to be included in the survey data, not all of the reported fraudulent payments represent a permanent loss to the payer, payee, or the financial institutions involved.²

The survey of depository institutions collected data for 2012 and 2015 on all the core noncash payment and settlement systems, including withdrawals of cash from automated teller machines (ATMs). The data show an overall rise in fraud and fraud rates over the period, by both value and number, primarily driven by fraudulent card payments. Rates of fraud by value and number rose for credit card and debit card payments as well as for ATM withdrawals. ACH fraud also rose, by value, but the rate was flat. By number, ACH fraud declined, as did the rate. The value of check fraud declined, as did the number of fraudulent checks. The rates of fraudulent check payments by value and number also declined.

The survey of payment card networks collected data for 2015 and, more recently, for 2016, on credit and debit card payments. The data, which exclude ATM withdrawals, show continued increases in the value of fraudulent card payments by credit, prepaid debit, and non-prepaid debit cards, as well as increases in the number of fraudulent card payment incidents. The fraud rate, by value, for cards declined slightly, however, from 2015 to 2016, driven by a decline in the fraud rate of non-prepaid debit cards. Accelerated adoption of microchip, or "chip," authentication technology in cards, portable devices, and terminals from 2015 to 2016 accompanied a reduction in the value of in-person card fraud, but this reduction occurred alongside an increase in the value of remote card fraud.³ These results suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward.

Quantitative results from the two surveys are somewhat different because of different sources and research methods and because they cover changes over different periods.⁴ Taken together, the findings tell a consistent story of dynamic change in payments fraud activity. As consumer and business payment habits evolve because of technological change and other factors, so do the efforts of fraud perpetrators. Financial industry efforts to prevent payments fraud should remain vigilant.

Highlights from the 2012 and 2015 Surveys of Depository Institutions

• The aggregate fraud rate, by value, increased. From 2012 to 2015, the value of payments fraud grew faster than the value of total payments. The fraud rate, by value, increased by more than one-fifth, rising from 0.38 basis points to 0.46 basis points.⁵
• The aggregate fraud rate, by number, increased more than the fraud rate, by value. From 2012 to 2015, the number of fraudulent payments increased much faster than the value of fraudulent payments. The fraud rate, by number, increased more than two-thirds, rising from 2.60 basis points to 4.38 basis points.
• Check fraud and the fraud rate, by value, declined. From 2012 to 2015, the total value of check fraud declined. The fraud rate, by value, for checks also declined from 0.41 basis points to 0.25 basis points.
• The fraud rate, by value, for ACH payments was low and stable. ACH payments had the lowest fraud rate, by value, among the payment types, remaining flat at 0.08 basis points in 2012 and 2015. In both years, the fraud rate, by value, of ACH credit transfers was less than half the fraud rate of ACH debit transfers, which must be authorized by the payer but are originated by the payee's bank.
• Card fraud increased as a percentage of total fraud value, and the fraud rate, by value, for cards increased. Card fraud's share of the value of fraud increased from 2012 to 2015, rising from less than two-thirds to more than three-fourths. The fraud rate, by value, of card payments and ATM withdrawals combined increased from 7.99 basis points to 10.80 basis points.
• By value, card-not-present payments were more prone to fraud than card-present payments and ATM withdrawals. In 2015, the fraud rate, by value, of card-present payments and ATM withdrawals, at 9.32 basis points, was less than two-thirds of the fraud rate of card-not-present payments, at 14.23 basis points.
• By value, card-present payments authenticated by a personal identification number (PIN) were less prone to fraud than card-present payments without a PIN. In 2015, the fraud rate, by value, of card-present payments and ATM withdrawals involving a PIN, at 3.99 basis points, was less than one-third of the fraud rate of card-present payments without a PIN, at 12.78 basis points.⁶

Highlights from the 2015 and 2016 Surveys of Card Networks

• The overall fraud rate, by value, for cards was stable. From 2015 to 2016, the overall fraud rate, by value, for cards was nearly flat, dropping slightly from 13.55 basis points to 13.46 basis points.
• The fraud rate, by value, for debit cards decreased, but the fraud rate for credit cards increased. The fraud rate, by value, for credit cards increased from 16.95 basis points in 2015 to 17.13 basis points in 2016, while the fraud rate for debit cards declined from 9.61 basis points to 9.15 basis points.
• Counterfeit card fraud decreased, by both value and number, while all other fraud types increased. Fraud by counterfeit card (typically in-person) decreased from 2015 to 2016 and dropped from the largest type of card fraud, by value, in 2015 to the second largest type in 2016. Led by fraudulent use of account numbers (typically remote), all other types of card fraud increased from 2015 to 2016.

• Card fraud, by value, shifted from in-person fraud toward remote fraud. The stable overall fraud rate, by value, for cards masked a substantial shift away from in-person fraud toward remote fraud:

  • Total in-person card fraud declined from $3.68 billion in 2015 to $2.91 billion in 2016.
  • Total remote card fraud increased from $3.40 billion in 2015 to $4.57 billion in 2016.
  • The fraud rate, by value, for in-person card payments declined from 12.17 basis points in 2015 to 9.34 basis points in 2016, while the fraud rate for remote card payments increased to about twice that rate at 18.71 basis points.
• The share of chip-authenticated in-person card payments, by value, increased sharply. Driven by increases in the use and acceptance of Europay, MasterCard, and Visa (EMV) microchip-based cards and payments, the share of chip-authenticated card payments in the value of total in-person card payments increased sharply, from 3.2 percent in 2015 to 26.4 percent in 2016. Chip cards are harder to counterfeit, and chip-authenticated payments increase the security of card data.

Overview

A reliable and secure payments system for U.S. dollar transactions is crucial to economic growth and stability. The safety and soundness of the payments system--including, especially, its ability to resist fraud--is important to the security and efficiency of the U.S. economy. By creating uncertainty and undermining confidence, the risk of payments fraud creates frictions for households, businesses, and financial institutions and represents a drag on economic activity.

One way the Federal Reserve System can help promote payments system safety and soundness is by providing reliable quantitative information about technological innovations and fraud developments in the payments landscape. Consistent and accurate data on payments fraud and related factors may help to assess the security of the payments system. To that end, and in support of initiatives to protect and improve the U.S. payments system, this report aims to provide quantitative information on payments fraud to policymakers, participants in the financial services and payments industry, and the public.

This report provides aggregate estimates of payments fraud totals and rates for general-purpose credit and debit card (including non-prepaid and prepaid debit card), ACH, and check transactions--the core noncash payment types used for everyday payments and settlements by consumers and businesses.⁷ For cards, further breakouts of payments fraud--such as card type, payment channel, and authentication method--are provided. ACH fraud is broken out into ACH credit and ACH debit fraud.

Data Collection

The Federal Reserve Payments Study (FRPS) tracks and reports aggregate estimates of payment volumes, payments fraud, and related information in the United States through surveys of key payment service providers. The FRPS first reported information on aggregate noncash payments fraud in the 2013 summary report, The 2013 Federal Reserve Payment Study: Recent and Long-Term Payment Trends in the United States: 2003-2012. Fraud data in that report, and a related detailed report, were based on estimates for 2012 from a survey of depository institutions.⁸ Subsequently, the FRPS has collected fraud data from depository institutions for 2015 and from general-purpose card networks for 2015 and 2016.

The depository institution survey (Depository and Financial Institutions Payments Survey, or DFIPS) collected payment volumes and payments fraud data for general-purpose credit and debit card payments, ATM withdrawals, ACH payments, and check payments in 2012 and 2015.⁹ The payment card network survey (Networks, Processors, and Issuers Payments Surveys, or NPIPS) collected payment volumes and payments fraud data for credit and debit cards from general-purpose card networks in 2015 and 2016.¹⁰

No single source can summarize a topic as complex as payments fraud. In the case of this report, the two survey data sources, while complementary, each provide unique information and perspective on payments fraud. To preserve that uniqueness, the results are presented separately, with the depository institution survey, which includes fraud data for 2012 and 2015, presented first, and the card network survey, which includes data for 2015 and 2016, presented second.

Each survey has relative strengths and weaknesses, and there is no objective way to choose one set of survey results over the other for 2015. Despite their differences, both sets of survey results for 2015 are reported to allow a comparison of results within each survey for the other years in which they were conducted. Appendix A contains a detailed comparison of the surveys.

Definition of Payments Fraud

Payments fraud, as defined for this report, is a cleared and settled transaction that a third party initiated without the authorization, agreement, or voluntary assistance of the authorized user (the accountholder or cardholder) with the intent to deceive for personal gain. Third-party payments fraud generally takes advantage of a vulnerability or security failure in a payment type, initiation method, or system.

Depending on the type of payment, various factors may contribute to determining whether the transaction is a valid payment and causing it to clear and settle. Among other things, these factors can include information to authenticate the authorized user, such as an account number or password, or the payment type itself, such as a card or check. Third-party payments fraud involves illicit acquisition and use of these factors to impersonate an authorized user.

A fraudulent transaction that did not clear and settle is not included in fraudulent payments by this report's definition, even though some sort of fraudulent transaction or attempted fraudulent transaction may have taken place (figure 1). A fraudulent payment transaction that was attempted but denied, for example, by an authorization system is not included. A fraudulent transaction that was cleared (and thus not denied) but was returned to the payee without becoming a settled payment is also not included.

After clearing and settling, a third-party fraudulent payment can result in several outcomes. The payer, accountholder, or cardholder may incur a loss, or the payer's bank may absorb it. The fraudulent payment may also be returned by the paying or card-issuing bank and charged back to the collecting or card-acquiring bank. If the fraudulent payment is returned or charged back, the payee may incur a loss because of a good or service taken by the fraud perpetrator in exchange for the payment, or the collecting or card-acquiring bank can absorb that loss. Any one of these parties--the payer, the payer's bank, the payee, or the payee's bank--may recover the loss from the third-party fraud perpetrator.

Because any of these outcomes may occur, the payments fraud amounts in this report do not necessarily represent a permanent loss. Different types of payments may involve different loss risks to the various parties involved, including the payer, the payee, depository institutions, and payment processors. Owing to consumer protections, consumers, in particular, may face limited risk of loss, so long as they monitor account statements for unauthorized activity and report to the issuer if cards are lost or stolen.

Third-party payments fraud can range from a spontaneous decision to make a purchase with a lost card found on the street, all the way up to well-planned, elaborate payments fraud schemes involving conspiracies of large numbers of individuals and prearranged business agreements.¹¹ Table 1 provides some examples of third-party fraudulent payments that are within the scope of this report's definition, along with other types of fraud that are not third-party payments fraud.¹²

Table 1. Examples of third-party payments fraud, as distinct from first-party payments fraud and fraud that is not payments fraud (Some examples could apply to more than one payment type)

Data breaches resulting in stolen account numbers, card numbers, and personal information may eventually result in payments fraud, but do not directly involve fraudulent payments. Furthermore, payments that happen to be unauthorized are not necessarily fraud. Some unauthorized payments could be accidental and arise from human errors or computer glitches. These types of unauthorized payments would not be counted as fraud.

More than other amounts measured and reported in the FRPS, payments identified as fraud in the survey data may vary from the definition, in part, because fraud involves deception. Fraud estimates may also vary because of respondents' existing tracking procedures, policies, and individual judgements. As the examples in table 1 illustrate, an accurate determination of whether fraud took place--and, if so, what type of fraud occurred for any particular payment--can be difficult, subject to error, and often prohibitively costly to verify.

Fraud Measures

Different indicators or performance measures are used to track and assess the status of fraud in the payments system. This report applies several measures to each category of payment type, card payment channel, or authentication method for which fraud data are reported, including the following:

1. Aggregate dollar value of payments fraud: Payments fraud by value provides a perspective on the amount of value actually lost or, if ultimately recovered, the value at risk.
2. Aggregate number of incidents of payments fraud: Payments fraud by number, or, in other words, counts of fraudulent payment incidents, provides a perspective on the overall occurrence of fraud.
3. Fraud rate by value: The fraud rate by value, or, in other words, the dollar value of fraudulent payments divided by the dollar value of all payments, is important for assessing financial exposure to fraud as a fraction of the value of payments.
4. Fraud rate by number: The fraud rate by number, or, in other words, the number of fraudulent payments divided by the number of all payments, is important for assessing the frequency at which payments turn out to be fraudulent and gives insight into the likelihood of encountering a fraudulent payment.
5. Average dollar value of fraudulent and non-fraudulent payments: The average dollar value, or in other words, the total value of payments divided by the total number of payments, can be calculated separately for fraudulent payments and non-fraudulent (or legitimate) payments. The different average values may be affected by how the payment types are typically used, the kinds of fraud protections in place, and the fraud opportunities that arise.

Each of these measures provides a different perspective on payments fraud. Fraud measures involving the value of payments address the direct financial implications of fraud. Fraud measures involving the number of payments address the occurrence of fraud. Because the magnitude of fraudulent payments is small in both total dollar value and number compared to all payments, and because fraud and payment values and numbers vary across payment types, fraud rates help to put fraud data in more consistent and comparable context.

Findings

The FRPS has documented the substantial growth in noncash payments in the United States over the past two decades, as consumers and businesses have increasingly turned to these methods of payment. Starting from 2012, this report documents that fraudulent payments, overall, have also increased, perhaps for some of the same reasons that legitimate payments are growing. In fact, by value and number, fraud across core noncash payments was generally growing faster than non-fraudulent payments from 2012 to 2015. As a result, the overall rates of payments fraud, by both value and number, were rising over that period as well.

Although fraud is rising, the U.S. payments system, as a whole, is resilient. This report documents that payments fraud remains rare and represents only a fraction of 1 percent of the total value or number of payments. Moreover, payments providers have increasingly introduced technological innovations to mitigate fraud or to add convenience, security, and other potential improvements to the payment experience.

Payments fraud remains a concern, however, as fraud perpetrators continue to try to exploit existing or new security vulnerabilities. Because of the opposing forces of fraud prevention and perpetration, it remains to be seen whether the reported shifts in payments fraud will endure or fade.

Depository Institution Survey

The value of fraud in total core noncash payments in the United States, estimated using depository institution survey data, rose from $6.10 billion in 2012 to $8.34 billion in 2015 (table 2). Over the same period, the total value of core noncash payments rose from $161.16 trillion to $180.25 trillion (appendix B, table B.2.A). The fraud rate, by value, rose from 0.38 basis points in 2012 to 0.46 basis points in 2015, or 38 cents in 2012 to 46 cents in 2015, for every $10,000 in payments.¹³

Table 2. Total, percentage, and rate of payments fraud from general-purpose transaction and credit card accounts, by payment type and value, 2012 and 2015

By value, card fraud accounted for more than three-fourths of noncash payments fraud in 2015, rising from less than two-thirds in 2012. Although fraud rates, by value, for cards are relatively high, ACH and check payments constitute most core noncash payments value, so aggregate fraud rates are lower than the rates for cards alone.

Although the number of checks decreased, continuing a trend that began in the mid-1990s, the value of checks increased from 2012 to 2015. Meanwhile, check fraud, by value, declined from $1.11 billion in 2012 to $710 million in 2015. The fraud rate, by value, of checks also decreased from 0.41 basis points to 0.25 basis points over the same period.

ACH fraud rose from $1.05 billion in 2012 to $1.16 billion in 2015. Among the core noncash payment types, the ACH system settles the largest portion of core payments value, and the survey data show that ACH payments also had the lowest fraud rates, by value, staying flat at 0.08 basis points in both years.

As a fraction of value, ACH credit transfers, which are originated by the payer's bank, appear to be less subject to fraud than ACH debit transfers, which must be authorized by the payer but are originated by the payee's bank. The fraud rate, by value, of ACH credit transfers stayed flat at 0.05 basis points in both years, less than half the fraud rate of ACH debit transfers, which increased slightly from 0.13 basis points in 2012 to 0.14 basis points in 2015 (table 3).

Table 3. Total, percentage, and rate of ACH payments fraud from general-purpose transaction accounts, by ACH payment type and value, 2012 and 2015

Even as card payments and ATM withdrawals, in total value, exhibited high growth, the value of fraudulent card payments and ATM withdrawals grew faster over the 2012 to 2015 period. The value of all card payments and ATM withdrawals rose 21.2 percent, increasing from $4.94 trillion in 2012 to $5.98 trillion in 2015 (appendix B, table B.2.A). The value of fraudulent card payments and ATM withdrawals, however, grew 63.8 percent over the same three-year period, increasing from an estimated $3.95 billion in 2012 to $6.46 billion in 2015 (table 4). As a result, the fraud rate, by value, of card payments and ATM withdrawals rose from 7.99 basis points in 2012 to 10.80 basis points in 2015. The difference in fraud rates, by value, for cards, ACH, and checks implies that fraud is substantially greater for every dollar spent by card than by ACH or check.

Table 4. Total, percentage, and rate of card payments fraud from general-purpose transaction and credit card accounts, by card payment type and value, 2012 and 2015

Card fraud rates, by value and number, varied among card payment types, payment channels, and authentication methods. Credit card had a large and growing share of fraudulent card activity from 2012 to 2015. The fraud rate, by value, of credit card payments in 2015 was relatively high at 13.88 basis points, compared with the fraud rate of debit card payments at 9.17 basis points. The fraud rate, by value, for ATM withdrawals in 2015 was even lower at 4.65 basis points.

The payment channel, related to the physical presence of a card or cardholder, influences the opportunity to commit payments fraud. At $4.18 trillion, the value of card-present payments and ATM withdrawals in 2015 was 131.1 percent larger than the value of card-not-present payments, at $1.81 trillion (appendix B, table B.2.B). At $3.89 billion, the value of fraudulent card-present payments and ATM withdrawals in 2015 was just over 50 percent larger than card-not-present fraud, at $2.57 billion. As a result, the fraud rate, by value, of card-present payments and ATM withdrawals, at 9.32 basis points, was less than two-thirds of the fraud rate of card-not-present payments, at 14.23 basis points (appendix B, table B.3.B).

For card-present transactions, activity that involves a PIN has traditionally been regarded as more secure than activity without a PIN because the former requires the cardholder to enter an additional authentication factor (that is, the PIN itself) at a terminal.¹⁴ Estimates based on the survey data corroborate this view for 2012 and 2015. In 2015, the fraud rate, by value, of card-present PIN-authenticated payments and ATM withdrawals, at 3.99 basis points, was less than one-third the fraud rate of card-present payments that did not require a PIN, at 12.78 basis points (appendix B, table B.3.C). The fraud rate, by value, for card-present PIN-authenticated debit card payments in 2015, at 3.20 basis points, was similarly less than one-third the fraud rate for card-present debit card payments with no PIN, at 10.80 basis points.

The aggregate number of core noncash payments rose 16.8 percent, from 120.7 billion in 2012 to 141.0 billion in 2015 (appendix B, table B.2.A). The rise reflected an increase in the numbers of card payments and ACH payments, in spite of the decline in the numbers of check payments and ATM withdrawals. Over the same period, the aggregate number of fraudulent core noncash payments nearly doubled, rising from 31.4 million in 2012 to 61.7 million in 2015 (table 5). The aggregate rise in fraud came entirely from fraudulent card payments and ATM withdrawals, as the number of fraudulent ACH and check payments both declined.

Table 5. Total, percentage, and rate of payments fraud from general-purpose transaction and credit card accounts, by payment type and number, 2012 and 2015

Cards have grown to dominate the payments landscape by number of payments. Cards also constitute most payments fraud by number. In 2015, by number, 97.8 percent of payments fraud was card fraud. Because the number of fraudulent card payments grew faster than the number of non-fraudulent card payments from 2012 to 2015, the fraud rate, by number, for cards also increased. The number of fraudulent credit card payments rose from 14.0 million in 2012 to 30.4 million in 2015, while the number of fraudulent debit card payments rose from 13.7 million to 28.7 million (table 6). Fraudulent ATM withdrawals rose from 1.3 million in 2012 to 1.4 million in 2015.

Table 6. Total, percentage, and rate of card payments fraud from general-purpose transaction and credit card accounts, by card payment type and number, 2012 and 2015

Card Network Survey

Fraudulent card payments and fraud rates based on the 2015 card network survey were larger, particularly for credit cards, than the fraudulent card payments and fraud rates based on the 2015 depository institution survey (appendix A, table A.1). Nevertheless, although the fraud totals and derived information, such as rates, are quantitatively different, especially for credit cards, the results are qualitatively similar.

As shown in the results from the depository institution survey, card fraud, including ATM fraud, increased from 2012 to 2015. Results from the card network survey cover card fraud but not ATM fraud. The data from that survey show that, while total card fraud increased, the overall fraud rate, by value, for cards declined slightly from 2015 to 2016. In particular, card payments fraud increased from $7.07 billion in 2015 to $7.48 billion in 2016 (table 7).

At the same time, entirely because of a decline in the fraud rate for debit cards, the corresponding fraud rate, by value, declined from 13.55 basis points to 13.46 basis points. The value of credit card fraud in both years was more than double that of debit card fraud, and the fraud rate, by value, for credit cards in both years was substantially higher than for debit cards. The fraud rate, by value, for credit cards increased from 16.95 basis points in 2015 to 17.13 basis points in 2016, while the fraud rate for debit cards declined from 9.61 basis points to 9.15 basis points.

Table 7. Total, percentage, and rate of card payments fraud, by card payment type and value, 2015 and 2016

The card network survey included allocations of payments into in-person and remote card payment channels, categories that respectively align with the payer and payee transacting in close proximity via a card or mobile device or at a distance through a communications channel.¹⁵ The apparent stability of aggregate reported card fraud from 2015 to 2016 belies a substantial shift in fraudulent payments away from in-person fraud and toward remote fraud over the two years.

Specifically, in-person card fraud declined from $3.68 billion in 2015 to $2.91 billion in 2016, corresponding to a decline in the fraud rate, by value, for in-person card payments from 12.17 basis points in 2015 to 9.34 basis points in 2016 (table 8). There was an industrywide push for the adoption of a microchip-based specification for payment cards and terminals called "Europay, MasterCard and Visa," or EMV, in the United States during this period. The decline of in-person card fraud coincided with substantial increases in the use and acceptance of chip-authenticated card payments, which rose from $0.10 trillion or 3.2 percent of in-person card payments value in 2015 to $0.82 trillion or 26.4 percent of in-person card payments value in 2016 (appendix B, table B.6.C).¹⁶

Table 8. Total, percentage, and rate of in-person card payments fraud, by card payment type and value, 2015 and 2016

Remote card fraud, however, grew from $3.40 billion in 2015 to $4.57 billion in 2016. The fraud rate, by value, for remote card payments, already higher than the fraud rate of in-person card payments in 2015, grew from 15.45 basis points in 2015 to 18.71 basis points in 2016, twice the fraud rate of in-person card payments (table 9). Consistent with reports of increasing cybercrime across industries worldwide, remote card payments fraud rose during this period in the United States.¹⁷

Table 9. Total, percentage, and rate of remote card payments fraud, by card payment type and value, 2015 and 2016

The total number of fraudulent card payments increased from 63.5 million in 2015 to 71.4 million in 2016. The fraud rate, by number, for cards also increased, almost entirely because of an increase in the fraud rate for debit cards, which increased from 4.30 basis points in 2015 to 4.64 basis points in 2016 (table 10). This increase in the fraud rate for debit cards by number contrasts with the decline in the fraud rate for debit cards by value. Nevertheless, the fraud rates, by number, for debit cards in both 2015 and 2016 were much smaller than the contemporaneous fraud rates for credit cards.

Table 10. Total, percentage, and rate of card payments fraud, by card payment type and number, 2015 and 2016

In the remainder of the report, these and other findings will be discussed in more detail, with the results presented separately for the depository institution survey and the card network survey.

Detailed Discussion: Depository Institution Survey, 2012 and 2015

For the depository institution survey, depository institutions reported fraudulent and non-fraudulent payments and ATM withdrawals on U.S. domiciled accounts made with the following payment types:

• debit card payments by non-prepaid debit cards, typically linked to checking accounts, and prepaid debit cards;
• credit card (including charge card) payments;
• ATM withdrawals using non-prepaid debit, prepaid debit, or credit cards;
• ACH payments, including ACH credit transfers and ACH debit transfers; and
• check payments.

ATM withdrawals, though reported separately, may be considered part of card payments and a type of card payments fraud because the card is used at the ATM to make a "payment" for the dispensed currency. Most ATM withdrawals are from ATMs sponsored by the payer's depository institution, and do not pass over an ATM network.

All reported fraud is from the perspective of the paying depository institution, for whom the payer is the customer. Card payments, check payments, and ACH debit transfers are collected or "originated" by the payee's bank. An ACH credit transfer, however, is originated by the payer's bank. The payee's bank may have different information about whether a payment is fraudulent than other parties to the transaction, as well as different incentives to investigate and make a determination about whether a payment is fraudulent compared to the payer's bank. For example, a settled fraudulent payment may be returned to the payee's bank as unauthorized without a determination having been made that it is fraudulent. If the payee's bank identifies the fraud without notifying the payer's bank, it will not be included in these estimates.

There were notable differences in the survey content and reference periods between the two survey years. These differences are discussed in appendix A.

Aggregate Fraud, 2012 and 2015

The results from the 2012 and 2015 depository institution surveys show that aggregate payments fraud, by value and number, for the core noncash payment types was greater in 2015 than for 2012. In fact, fraud, by value, in 2015 was more than one-third larger than for 2012 (figure 2). Moreover, as illustrated in figure 2, the total number of fraudulent payments increased more rapidly than did the total fraud value.

Fraud Rates

The fraud rate, by value, for the core noncash payments in the United States was 0.46 basis points in 2015, increasing from 0.38 basis points in 2012
(figure 3). Both rates are less than 1/200 of 1 percent, which implies that there was less than 50 cents of payments fraud for every $10,000 in payments. In particular, there was an estimated 46 cents of payments fraud for every $10,000 in 2015, compared with 38 cents of payments fraud for every $10,000 in 2012.

The fraud rate, by number, grew from 2.60 basis points in 2012 to 4.38 basis points in 2015. These rates correspond to 2.60 and 4.38 fraudulent payments, respectively, for every 10,000 payments in 2012 and 2015. These rates can equivalently be expressed as one fraudulent payment for every 3,842 payments in 2012 and one fraudulent payment for every 2,284 payments in 2015.

An increase in the fraud rate by value or number over time means that the value or number of fraudulent payments are increasing faster than the value or number of non-fraudulent payments:

• The 2015 fraud rate, by value, was more than 20 percent larger than the 2012 rate.
• The 2015 fraud rate, by number, was nearly 70 percent larger than the 2012 rate.

Average Values

As seen above, the fraud rate by number exhibited a larger increase than the fraud rate by value from 2012 to 2015. Reflecting the relatively large increase in fraud by number, the average value of fraudulent payments declined from $194 in 2012 to $135 in 2015 (figure 4). The average value of non-fraudulent payments also declined.

In both 2012 and 2015, the average values of non-fraudulent payments were much larger than the average values of fraudulent payments. Payments fraud among the core noncash payment types was more prevalent among payment types that typically are of relatively small value (that is, cards) and less prevalent for payments types that typically are of higher value (that is, ACH and checks).This factor, among others, helps to explain the outcome that, in 2015, the average value of a fraudulent payment was about one-tenth the average value of a non-fraudulent payment (appendix B, tables B.1.A and B.2.A).

Card, ACH, and Check Fraud, 2012 and 2015

Most of the non-fraudulent payments value in 2015, at 96.7 percent, was processed on the ACH or check payment systems. In contrast, most of the payments fraud value was by cards. The share of card fraud in total payments fraud, by value, was 77.5 percent in 2015, an increase from a share of 64.6 percent in 2012 (figure 5). Such large shares of fraud value for cards stand in contrast to the relatively small shares of cards in the total value of non-fraudulent payments: 3.3 percent in 2015 (appendix B, B.2.A).¹⁸ From 2012 to 2015, the share of cards in the total value of non-fraudulent payments grew only 0.3 percentage points, while the share of cards in the total value of fraudulent payments grew 12.9 percentage points.

By number, the share of card fraud in total fraud was even higher. Fraudulent card payments constituted 97.8 percent of total fraudulent payments in 2015, an increase from 92.2 percent in 2012. In contrast, the share of card payments, by number, in total non-fraudulent payments was lower, at 70.6 percent in 2015.

In comparison to cards, the combined share of fraudulent ACH and check payments, by both value and number, was substantially smaller. From 2012 to 2015, ACH fraud declined as a share of total fraudulent payments by both value and number.¹⁹ By value, ACH fraud fell from 17.2 percent in 2012 to 14.0 percent in 2015; by number, from 5.0 percent in 2012 to 1.3 percent in 2015 (tables 2 and 5).

In 2015, by value, check fraud had a share of 8.6 percent of total fraud compared with 18.2 percent in 2012. By number, the share of check fraud in total fraud was even lower, at 0.9 percent in 2015, compared with 2.8 percent in 2012. The shift away from checks as a share of total fraudulent payments, by value and number, reflects a corresponding shift in non-fraudulent payments away from checks. The number of non-fraudulent check payments declined from 2012 to 2015, even as the value of non-fraudulent check payments increased. Detailed data on types of checks reported elsewhere show that most of the decline in non-fraudulent commercial check payments was from reductions in consumer checks.²⁰ The number of business checks also declined from 2012 to 2015; however, the value of non-fraudulent business checks increased.

Fraud Rates

With 77.5 percent of total fraud value but only 3.3 percent of total payments value, it is not surprising that the fraud rate, by value, for cards was substantially higher than the fraud rate for ACH or checks (figure 6). Similarly, reflecting the relatively high shares of cards in the number of both fraudulent payments and non-fraudulent payments, the fraud rate, by number, for cards was higher than the fraud rate for ACH or checks. (More card fraud detail is provided in the section, Credit and Debit Card Fraud, 2012 and 2015.)

The fraud rate by number for cards in each year was lower than the fraud rate by value for cards. In contrast, for both ACH and checks, fraud rates by value in 2015 were lower than fraud rates by number:

• ACH fraud rates: by value, 0.08 basis points; by number, 0.33 basis points
• check fraud rates: by value, 0.25 basis points; by number, 0.32 basis points
• card fraud rates: by value, 10.80 basis points; by number, 6.07 basis points

Average Values

Compared to the relative average values of fraudulent and non-fraudulent payments for cards and checks, average values of fraudulent ACH payments were significantly lower than the average values of non-fraudulent ACH payments in both 2012 and 2015. Even after a substantial rise in the average value from $670 in 2012 to $1,498 in 2015, the average value of a fraudulent ACH payment was less than one-fourth of the average value of a non-fraudulent ACH payment in 2015 (figure 7). Fraudulent ACH payments may have a lower average value than the average value of non-fraudulent ACH payments because the possibility of accomplishing ACH fraud is likely restricted by fraud protections used for very high-value payments, such as any enhanced scrutiny or review that larger-value payments would receive.²¹

The average value of a fraudulent check payment was closer to, but still less than, the average value of a non-fraudulent check payment in both 2012 and 2015. The average value of fraudulent check payments remained nearly flat, even as the average value of non-fraudulent check payments rose, likely because of increases in the average value of business checks over the period. Fraudulent check payments may have a lower average value than the average value of non-fraudulent check payments because corporate accounts, which pay larger-value checks, often have features (for example, "positive pay") that allow the business accountholder to review presented checks and proactively approve or reject them for payment. If rejected, such checks are not settled.

In contrast to ACH and checks, fraudulent card payments and ATM withdrawals were higher in average value than non-fraudulent card payments and ATM withdrawals. In part, this difference may be because, compared to a legitimate card user, a fraud perpetrator might be more focused on getting as much value out of the transaction as possible. Moreover, cards are not often used for larger-value payments that are conducted through the ACH and check systems and may be associated with specific risk controls. While similar risk controls for larger-value payments may exist for cards as well, larger-value payments are not as common for cards, resulting in a different relative average value for fraudulent and non-fraudulent payments.

ACH Credit and Debit Transfer Fraud, 2012 and 2015

The ACH system supports both credit transfers and debit transfers, which are authorized and initiated in different ways. These differences imply that fraudulent payments using ACH credit transfers and ACH debit transfers are perpetrated in different ways.

For an ACH credit transfer, the payer's depository institution initiates the funds transfer on the instruction of the payer. ACH credit transfers are typically used for routine business-to-business payments as well as business-to-consumer payments such as payroll.²² Third-party fraudulent ACH credit transfers would generally need to be initiated by obtaining access to or taking over the payer's account (possibly facilitated by stolen or hacked passwords or other credentials) or insider fraud facilitated by a rogue employee of a depository institution or business payer.

For an ACH debit transfer, the payee's depository institution initiates the funds transfer on the instruction of the payee who, in turn, must have authorization from the payer to initiate the payment. ACH debit transfers are typically used for consumer-to-business payments like pre-authorized automated bill payments. Corporations typically block ACH debit transfers, so fraud opportunities are mainly limited to consumer accounts.²³ If a settled fraudulent ACH debit transfer is returned as unauthorized, the payee's bank must investigate the fraud. If the fraud determination is not communicated to the payer's bank, the fraud will not be included in the estimates. For this reason, the survey may underestimate ACH debit transfer fraud.

As with other depository institution data, ACH data reported here is from the payer's bank, meaning the bank holding the account from which the payment is made. Like a check, an ACH debit transfer is collected, or "originated" by the payee's bank, often based on files containing payment and account information line items submitted by a business. Generally, an ACH debit transfer can be initiated via a business account that has obtained an authorization to debit the payer's account. However, fraud may be perpetrated through the illegitimate establishment of a business account and claim of authorization. Alternatively, a hacker or insider may make fraudulent use of the business account, such as including fraudulent debit entries in an ACH file submitted to the originating depository institution for processing.

Fraud Rates

For both ACH credit transfers and ACH debit transfers, fraud rates by value were lower than fraud rates by number in 2015. This relationship also applies to checks, but the difference is more pronounced for ACH (figure 8). Furthermore, the fraud rates, by value and number, of ACH debit transfers in 2015 were more than twice the fraud rates of ACH credit transfers. Finally, from 2012 to 2015, the fraud rates by value for both ACH credit transfers and ACH debit transfers were largely unchanged, while the fraud rates by number fell.

• ACH credit transfers. By value, the fraud rate of ACH credit transfers stayed almost the same in 2012 and 2015, at 0.05 basis points. By number, the fraud rate of ACH credit transfers declined sharply from 0.59 basis points in 2012 to 0.12 basis points in 2015.
• ACH debit transfers. By value, the fraud rate of ACH debit transfers increased slightly from 0.13 basis points in 2012 to 0.14 basis points in 2015. By number, the fraud rate of ACH debit transfers declined from 0.89 basis points in 2012 to 0.48 basis points in 2015.

Average Values

The average values of fraudulent ACH credit transfers and ACH debit transfers were lower than average values of corresponding non-fraudulent payments (figure 9). As discussed above, the high value of some ACH payments likely invites scrutiny for payments over a value threshold, which could lead to relatively low average values of fraudulent ACH payments compared to non-fraudulent ones.

The average value of fraudulent ACH payments more than doubled from 2012 to 2015, suggesting a possible change in fraud perpetration or prevention behavior. The changes in the average values of fraudulent ACH payments--both credit and debit transfers--are striking, especially when compared to the relative stability in the average values of other types of fraudulent payments and of non-fraudulent ACH transfers over the same period. These changes could reflect any number of factors, such as changes in fraud strategies or the sizes and types of accounts affected.

• ACH credit transfer. The average value of a fraudulent ACH credit transfer increased by 366.9 percent from 2012 to 2015, to $3,582.
• ACH debit transfer. The average value of a fraudulent ACH debit transfer increased 81.3 percent from 2012 to 2015, to $1,130.

Credit and Debit Card Fraud, 2012 and 2015

As noted above, most noncash payments fraud by value and number was card fraud in 2012 and 2015. Moreover, from 2012 to 2015, card fraud increased by both value and number. By value, total fraudulent card payments and ATM withdrawals increased to $6.46 billion in 2015 from $3.95 billion in 2012, a rise of more than 60 percent (figure 10). By number, fraudulent card payments and ATM withdrawals more than doubled to 60.4 million in 2015 from 29.0 million in 2012.

In 2015, both credit card and debit card payments fraud (excluding ATM withdrawal fraud) were individually greater than either ACH or check fraud (appendix B, table B.1.A). In particular, the value of credit card fraud was more than twice the combined value of ACH and check fraud. In contrast, the value of ATM withdrawal fraud was lower than the value of either ACH or check fraud.

Among the three categories--credit card payments, debit card payments, and ATM withdrawals--credit card fraud was largest in value, at $3.89 billion in 2015. In both years, the value of debit card fraud, at $2.22 billion in 2015, was about 60 percent of the value of credit card fraud. The value of ATM withdrawal fraud, at slightly more than $350 million in 2015, was about 9 percent of the value of credit card fraud.

In 2015, the respective number of fraudulent credit card and debit card payments each substantially exceeded the combined number of fraudulent ACH and check payments. The number of fraudulent ATM withdrawals was about the same as the combined number of fraudulent ACH and check payments.

By number, in both 2012 and 2015, credit card fraud was the most common type of card fraud, followed by debit card fraud, with ATM withdrawal fraud a distant third. Although credit card payments fraud, by value, was substantially higher than debit card fraud, the number of fraudulent credit card payments was only slightly higher than the number of fraudulent debit card payments in 2015. In particular, there were 30.4 million fraudulent credit card payments, 28.7 million fraudulent debit card payments, and 1.4 million fraudulent ATM withdrawals in 2015.

Fraud Rates

The fraud rate, by value, for credit card payments--largest among the three card fraud types--was 13.88 basis points in 2015, about 50 percent higher than the comparable rate of 9.17 basis points for debit card payments. The fraud rate, by value, for ATM withdrawals in 2015 was lower at 4.65 basis points. In contrast to credit and debit card payments at the point of sale, ATM withdrawals generally require a PIN, a second "factor" or additional piece of information, which may account for the relatively low fraud rate for ATM withdrawals.²⁴

Fraud rates by number in 2015 followed the same ranking as the fraud rates by value, with the fraud rate, by number, for credit card payments highest at 9.79 basis points, followed by the fraud rate for debit card payments at 4.53 basis points. The fraud rate, by number, for ATM withdrawals in 2015 was 2.58 basis points, just over one-fourth of the fraud rate for credit card payments.

In 2015, fraud rates, by both value and number, for credit card payments, debit card payments, and ATM withdrawals were each greater than the corresponding rates in 2012 (figure 11). In light of the large increases in non-fraudulent card payments and ATM withdrawals from 2012 to 2015 (except the number of ATM withdrawals), these rising fraud rates for every type of card activity mean that fraudulent activity was rising faster for each of them than non-fraudulent activity.

Average Values

For all types of card payments, the estimated average values for fraudulent card payments were higher than the average values for non-fraudulent card payments in both 2012 and 2015 (figure 12). In 2015, the average value of a non-fraudulent credit card payment was $90 compared with the average value of $128 for a fraudulent credit card payment. The same pattern applies to debit card payments and ATM withdrawals. This pattern may be due to fraud perpetrators seeking to maximize the value they obtain by focusing on high-value items or exploiting ATM withdrawal allowances.

Fraud by Card-Present and Card-Not-Present Channels, 2012 and 2015

Over time, as more social and commercial activity is conducted remotely, payments fraud opportunities may also shift toward remote channels. The FRPS has been tracking data on the card-present and card-not-present distinction, a traditional classification used by the card industry, to understand changes in shopping and related payments behavior and the associated fraud risks. (Detailed data on card-present and card-not-present payments for the different types of cards is provided in appendix B, tables B.1.B, B.2.B, and B.3.B.)

In 2012 and 2015, card-not-present payments comprised a larger share of fraudulent card payments, by value, than they did of non-fraudulent card payments. In particular, the share of fraudulent card-not-present payments in the total value of fraudulent card payments in 2015 was 39.8 percent. In contrast, the share of non-fraudulent card-not-present payments in the total value of card payments in 2015 was 30.2 percent (figure 13).

The shares of fraud, by value and number, of these channels were virtually unchanged between 2012 and 2015, with negligible shifts away from the card-present channel and toward the card-not-present channel in 2015. Card adoption in the United States was also low during this period, and had only begun its sharp rise at the end of 2015 with the shift toward EMV chip authentication.

Fraud Rates

In both 2012 and 2015, the fraud rates, by value and number, for card-not-present payments were higher than the fraud rates for card-present payments (figure 14). By value, the fraud rate for card-not-present payments reached 14.23 basis points in 2015, whereas the fraud rate for card-present payments was 9.32 basis points. By number, the disparity in the fraud rates in 2015 was greater, with the fraud rates for card-not-present and card-present payments at 16.33 basis points and 4.02 basis points, respectively.

All fraud rates--both card-present and card-not-present--increased between 2012 and 2015. In addition, by both value and number, the fraud rates for card-not-present debit card payments grew fast enough to overtake the fraud rates for card-not-present credit card payments.

• Debit card payments displayed the highest rates of card-not-present fraud in 2015 (appendix B, table B.3.B): 16.31 basis points by value and 16.73 basis points by number. These represent substantial increases of 6.44 and 7.36 basis points, by value and number, respectively, over the card-not-present fraud rates for debit cards in 2012.
• Credit card payments displayed the highest rates for card-present fraud in 2015: 14.27 basis points by value and 7.32 basis points by number. These represent increases of 5.34 and 3.41 basis points, respectively, over the card-present fraud rates for credit cards in 2012.
• ATM withdrawals only occur when the card is present. The fraud rates for ATM withdrawals were lowest among all card activity in 2015 at 4.65 basis points by value and 2.58 basis points by number; however, the rates did increase from the 2012 rates of 3.73 basis points by value and 2.21 basis points by number.

Average Values

The average values of fraudulent and non-fraudulent card-not-present payments in 2015 were fairly similar at $95 and $109, respectively (figure 15). In contrast, at $117 in 2015, the average value of fraudulent card-present payments was more than twice the average value of $50 for non-fraudulent card-present payments.

Card-Present PIN and No-PIN Fraud, 2012 and 2015

The PIN is traditionally used to authenticate the "single message" method of authorization for in-person payments, which combines the authorization and funds transfer messages. The PIN is almost always used to authenticate ATM withdrawals which are necessarily in person, and sometimes used for in-person debit card payments at merchant terminals. Most in-person credit card payments in the United States do not involve PIN authentication. When no PIN is used, a "dual message" method is typically used, which separates payment authorization from the funds transfer, and a signature may or may not be collected.²⁵

The PIN may be thought of as a specific piece of data that, if available to a fraud perpetrator, could provide easy access to cash through an ATM, cash back at the point of sale, or purchases in card-present venues. Card-not-present PIN acceptance is currently rare and is not considered in this section. (Detailed data on card-present PIN and no-PIN payments and ATM withdrawals are provided in appendix B, tables B.1.C, B.2.C, and B.3.C.)

In past reports, the FRPS has shown that most growth in card-present payments has been in the use of debit and credit card payments without a PIN. By value in both 2012 and 2015, card-present PIN payments represented less than half of all card-present debit card payments and a negligible amount of card-present credit card payments. In contrast, nearly all ATM withdrawals require a PIN (appendix B, table B.2.C).

By value, PIN-authenticated payments accounted for 39.3 percent of non-fraudulent card-present payments and ATM withdrawals in 2015 (figure 16). In contrast, by value, fraudulent PIN-authenticated payments, at just 16.8 percent, accounted for a much smaller fraction of fraudulent card-present payments and ATM withdrawals. Similarly, by number, the share of PIN-authenticated payments in non-fraudulent card-present payments and ATM withdrawals was 33.0 percent, while the share of fraudulent card-present payments involving a PIN was 12.1 percent. Evidently, the PIN is less likely to be used in a fraudulent transaction than in a non-fraudulent transaction.

Fraud Rates

Overall, fraud rates for PIN-authenticated card-present payments were substantially lower than fraud rates for card-present payments that were not PIN-authenticated (figure 17). By value, the fraud rate for PIN-authenticated card-present payments was 3.99 basis points in 2015, compared with 12.78 basis points for cards payments without PIN authentication. By number, the fraud rate for PIN-authenticated card-present payments, at 1.48 basis points in 2015, was less than 30 percent of the fraud rate of 5.27 basis points for card-present payments without PIN authentication.

Excluding ATM withdrawals, less than 30 percent of card-present payments, by number, were authorized with PINs in 2015, and PIN-authenticated card-present payments were almost exclusively debit card payments (appendix B, table B.2.C). In 2015, the fraud rates for PIN-authenticated debit card payments were 3.20 basis points by value and 1.20 basis points by number.

Average Values

The average values of fraudulent card-present payments were high relative to the average values of non-fraudulent card-present payments. This relationship also holds for the subset of card-present payments that are PIN authenticated (figure 18). In 2015, the average value of a fraudulent card-present transaction with a PIN was $162 compared with $60 for a non-fraudulent card-present payment with a PIN. One reason for the relatively high value of fraudulent card-present PIN-authenticated payments is that they tend to include cash access through an ATM withdrawal, a purchase including cash-back with a debit card, or a cash advance using a credit card. Most of the value of fraudulent PIN-authenticated card-present payments ($660 million) was from ATM withdrawals ($350 million) in 2015 (appendix B, table B.1.C).²⁶

Detailed Discussion: Card Network Survey, 2015 and 2016

The card network survey collected information on consumer and business card payments originated on general-purpose card networks including the following card types:

• credit cards
• non-prepaid debit cards
• prepaid debit cards

The survey, which collected data for each card type on a separate survey form, contains information on net, authorized, and settled payments on U.S. domiciled accounts and associated fraudulent payments before any chargebacks, returns, or recoveries, as identified in reports compiled by the networks.²⁷ The card network survey data cover card payments, including purchases and bill payments, but not ATM withdrawals.

Fraud data were collected for calendar years 2015 and 2016. While the surveys show a change over the two years, it is important to note that limited inferences can be drawn from two years of data.

Mainly because of credit cards, total fraud for card payments is larger by both value and number in the card network survey than in the depository institution survey for 2015, the year that the two surveys overlap. For debit card payments, the estimates are relatively close. For debit cards, the card network survey data show higher total fraud by value but lower total fraud by number in 2015. (See tables B.1.A and B.5.A. Also see appendix A for a discussion of similarities and differences between the rate estimates from both surveys.)

Card Industry Fraud Categories, 2015 and 2016

Allocation of fraud into categories used by the card industry provides a view into the changes brought on by the shift toward remote shopping and the transition to chip cards for in-person payments. Fraudulent card payments were allocated to six categories recognized by the card industry (appendix B, table B.4):²⁸

1. Counterfeit card. Fraud is perpetrated using an altered or cloned card.
2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder's consent.
3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud.
4. Fraudulent application. A new card is issued based on a fake identity or on someone else's identity.
5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone.²⁹
6. Other. Fraud including fraud from account takeover and any other types of fraud not covered above.

In descending order of total value in 2016, the most common categories were as follows:

• Fraudulent use of account number totaled $3.46 billion in 2016, a 20.0 percent increase over the $2.88 billion in 2015. By number, there were 36.0 million incidents in 2016, a 26.2 percent increase over the 28.5 million in 2015 (appendix B, table B.4).
• Counterfeit card fraud was $2.62 billion in 2016, a decrease of 14.0 percent from $3.05 billion in 2015. Notably, counterfeit card fraud (and not fraudulent use of account number) was the most common fraud category, by value, in 2015. In 2016, counterfeit card fraud fell to the second-most-common method. By number, there were 23.8 million incidents in 2016, a 4.5 percent decrease from 25.0 million in 2015.
• Lost or stolen card fraud accounted for $810 million and 8.2 million incidents in 2016, compared with $730 million and 7.5 million in 2015.
• Fraudulent application fraud reached $360 million and 2.1 million incidents in 2016, compared with $210 million and 1.5 million incidents in 2015.

The increase in fraudulent use of account number and the decrease in counterfeit card fraud could be related to both the increase in remote card payments and the introduction of chip cards. Chip cards are designed both to help prevent counterfeit card fraud (because the technology is difficult to replicate) and to prevent the theft of information via data compromises (because the data transmission method is more secure).

Card Fraud by Card Type,
2015 and 2016

The data show increasing card fraud between 2015 and 2016. By value, total card fraud increased to $7.48 billion in 2016 from $7.07 billion in 2015 (figure 19), an increase of 5.8 percent. The number of fraudulent card payments increased to 71.4 million in 2016 from 63.5 million in 2015, an increase of 12.4 percent.

By value and number, credit card fraud exceeded debit card fraud in both 2015 and 2016. The values of credit card fraud were more than twice the values of debit card fraud in both years. In 2016, the value of total credit card fraud was $5.14 billion while the value of total debit card fraud was $2.34 billion. By number, the fraud totals for credit and debit cards in 2016 were relatively closer: 40.1 million fraudulent credit card payments and 31.3 million fraudulent debit card payments. Higher fraud amounts for credit cards may be due to higher payment limits for credit cards in general.³⁰

Fraud Rates

For the two years studied, the fraud rate, by value, of cards is estimated to have been nearly flat, actually showing a slight decline from 13.55 basis points in 2015 to 13.46 basis points in 2016. The rise in card fraud from 2012 to 2015 reported from the depository institution survey data starkly contrasts with the near stability in card fraud from 2015 to 2016 reported from the card network survey data.

Fraud rates were relatively high for credit cards compared to debit cards in both 2015 and 2016 (figure 20). Specifically, in 2016

• the fraud rate, by value, for credit cards was 17.13 basis points, while the fraud rate for debit cards was 9.15 basis points; and
• the fraud rate, by number, for credit cards was 11.70 basis points, while the fraud rate for debit cards was 4.64 basis points.

Average Values

For both credit and debit cards, the average value of fraudulent card payments was substantially greater than the average value of non-fraudulent payments, a relationship that is also evident in the depository institution survey results (figure 21). In 2016, the average value of a fraudulent credit card payment was $128, compared with the average value of a non-fraudulent credit card payment of $88. The average value of a fraudulent debit card payment was $75, about twice the $38 average value of a non-fraudulent debit card payment in 2016.

Prepaid and Non-Prepaid Debit Card Fraud, 2015 and 2016

Debit card payments comprise both prepaid and non-prepaid types. Prepaid debit cards include non-reloadable cards given as gifts and incentives and reloadable prepaid debit cards, which are sometimes used similarly to non-prepaid debit cards. Prepaid debit card payments represented a small portion of all payments by debit card (appendix B, table B.6.A). Prepaid debit fraud was also small, all at just 3.8 percent of the total value of debit card fraud in 2016 (figure 22). By number, prepaid debit cards accounted for 5.0 percent of fraudulent debit card payments in 2016.

The fraud rate for prepaid debit cards by value was 5.91 basis points in 2016, substantially smaller than the fraud rate for non-prepaid debit cards, at 9.35 basis points (figure 23). By number, the fraud rate for prepaid debit cards, at 3.49 basis points, was also lower in 2016 than the fraud rate for non-prepaid debit cards, at 4.72 basis points.

The general relationship between the average value of fraudulent payments and the average value of non-fraudulent payments for cards overall also holds for prepaid and non-prepaid debit cards, separately (figure 24). The average value of fraudulent prepaid debit card payments was $58 in 2016, and the average value of non-fraudulent prepaid debit card payment was $34. Because non-prepaid debit cards are such a large proportion of all debit cards, by both value and number, their average values are almost the same as the average values for all debit cards (that is, for prepaid and non-prepaid aggregated).

Fraud by In-Person and Remote Channels, 2015 and 2016

The proximity of the cardholder to the merchant may affect how fraud is perpetrated and the business practices and technologies employed to try to prevent or avoid it. The card network survey shifted from requesting allocations of fraud between card-present and card-not-present payments to requesting allocations between in-person and remote payments beginning in 2015. While the preponderance of in-person payments may have involved a physical card, in-person card payments may also include some payments initiated with a mobile device where the card is provisioned to a digital wallet and, less often, card-not-present "card number" payments keyed in by a cashier.

From 2015 to 2016, for all types of card payments, there was a marked change in the relative shares of fraud, by value, via the in-person and remote channels (figure 25).³¹ In 2015, remote card payments fraud was less than half of all card payments fraud by value, at 48.0 percent. By 2016, most fraudulent card payments by value were remote, at 61.1 percent. Meanwhile, most non-fraudulent payments by value were still in person with 56.0 percent in 2016.³²

The number of fraudulent payment incidents--already tipped toward remote in 2015--tipped more in 2016 with 63.1 percent. This share is markedly higher than the share of remote card payments in non-fraudulent card payments by number, at 22.2 percent in 2016.

By both value and number, in-person card fraud fell and remote card fraud grew (figure 26). In-person card fraud declined 20.8 percent by value and 10.2 percent by number in just one year (appendix B, table B.5.B). Meanwhile, remote fraud increased 34.6 percent by value and 32.0 percent by number. At the same time, overall card fraud grew from 2015 to 2016. Taken together, these results highlight a major shift from in-person card fraud to remote card fraud, influenced by both the effort to secure in-person card payments using chips and, likely, an increasing supply and sophistication of cyber fraud techniques.

Fraud Rates

As the value and number of non-fraudulent remote card payments increased, remote card fraud increased more, leading to growth in the fraud rates, by both value and number, for remote card payments from 2015 to 2016. The fraud rate, by value, for remote card payments increased from 15.45 basis points in 2015 to 18.71 basis points in 2016. The fraud rate, by number, increased from 17.71 basis points in 2015 to 19.89 basis points in 2016 (figure 27). During the same period, the fraud rate for in-person card payments was lower than the fraud rate for remote card payments. Moreover, because the fraud rates for in-person card payments were declining, the gap between the rates was widening.

Average Values

By card type, fraudulent card payments have higher average values compared to non-fraudulent card payments. This pattern was repeated for in-person card payments, where the average value of a fraudulent in-person card payment was $110 in 2016, $71 greater than the average value of a non-fraudulent in-person card payment of $39 (figure 28). This relationship, however, does not apply to remote card payments. At $102 in 2016, the average value of a fraudulent remote card payment was only $6 less than of a non-fraudulent remote card payment at $108.

In-Person Chip and No-Chip Fraud, 2015 and 2016

As noted in the report of the 2016 Federal Reserve Payments Study, the transition to chip cards, which help better secure in-person payments, is one of the most notable recent developments in U.S. payment card security.³³ EMV chips are intended to thwart counterfeit card fraud. Although most cards and terminals still allow use of the less-secure magnetic stripe in back-up situations, the opportunities to use counterfeit cards are declining as more terminals and cards default to the chip-authenticated technology. This change has made counterfeit cards with magnetic stripes a less effective and more risky (for the perpetrator) fraud method over time. Changes in the shares of in-person and remote card fraud in the United States are likely connected with the recent acceleration in the adoption and transition to in-person chip-authentication payments.

Over recent years, issuers began shipping cards with EMV chips, and merchants began installing terminals capable of accepting them. Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards.³⁴ By value, the share of non-fraudulent in-person payments made with chips shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent (figure 29). The share of fraudulent in-person payments made with chips also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As chips are more secure, this growth in the share of fraudulent in-person chip payments may seem counterintuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with chips (4.1 percent) was greater than the share of non-fraudulent in-person payments with chips (3.2 percent), a relationship that reversed in 2016.

Fraud Rates

The data presented here are an early look at the effect of a significant transition to chip cards for in-person payments. Unexpectedly, in 2015, the fraud rate, by value, for in-person chip-authenticated card payments was higher than the fraud rate for in-person no-chip card payments, driven by non-prepaid debit card fraud (figure 30 and appendix B, table B.7.C). This appears to be connected with a very low volume of chip-authenticated non-fraudulent debit card payments in 2015, possibly related to lost or stolen or issued-but-not-received chip card fraud. By 2016, both fraud rates had dropped, and the fraud rate, by value, of in-person chip-authenticated card payments, at 8.07 basis points, had fallen below the fraud rate of in-person no-chip card payments, at 9.80 basis points. While still early in the transition in 2016--chip penetration was just about one-fourth of the total value of in-person card payments--the introduction of chip-enabled cards already appears to have had a meaningful effect on in-person card fraud.

Average Values

Both fraudulent and non-fraudulent in-person chip card payments were generally of greater value than in-person no-chip card payments in 2016 (figure 31). The average values of both fraudulent and non-fraudulent in-person chip and no-chip card payments declined from 2015 to 2016.

• Chip. The average value of fraudulent in-person chip card payments was $216 in 2016.
• No-chip. The average value of fraudulent in-person no-chip card payments was $96 in 2016.

Conclusion

The data in this report show that, driven by card fraud, the overall rate of payments fraud, by value and number, increased from 2012 to 2015 in the United States. The rate of card fraud, by value, stabilized from 2015 to 2016, with the rate of in-person card fraud decreasing significantly while the rate of remote card increased significantly. At the same time, data from the two surveys show that payments fraud is rare and represents only small fractions of 1 percent of total value or number of payments.

The findings show that, while vulnerabilities exist--and specific experiences are likely to vary substantially from the overall picture--the U.S. payments system, in the aggregate, is resilient and responsive with respect to payments fraud vulnerabilities. Because of significantly more card fraud appearing in the recent surveys, the payments fraud measures in this study show fraud rates to be higher than reported in previous FRPS publications.

Continued tracking of aggregate fraud data is an essential element of making informed choices about fraud-prevention efforts. Many questions remain, and new developments will emerge, providing future opportunities to collaborate with the industry, policymakers, and the public to update the information, standardize and improve definitions, improve empirical measurement, and promote better understanding of payments fraud.

This report represents a collaborative project of the Federal Reserve Board and the Federal Reserve Bank of Atlanta intended to foster a better understanding of developments in the payments system, and thereby to inform efforts to improve the U.S. payments infrastructure. Going forward, the FRPS will continue to collect fraud data in order to determine whether these changes foreshadow any persistent trends.

Appendix A: Survey Comparability

Since 2001, the central goal of the Federal Reserve Payments Study (FRPS) has been to estimate the total value and number of payments of various types in the United States. The collection and estimation of payments fraud was added for 2012. The fraud data in this report come from two survey efforts:

• a survey of commercial banks, savings institutions, and credit unions that process payments, the Depository and Financial Institutions Payments Survey (DFIPS) or the depository institution survey, conducted in 2012 and 2015; and
• a survey of general-purpose credit and debit card networks, part of the Networks, Processors, and Issuers Payments Surveys (NPIPS), conducted in 2015 and 2016.

As with total payments, collecting data from these different sources provides a richer set of data than would be available from just one.

DFIPS 2012 Compared with DFIPS 2015

Fraud data were collected for two survey years, 2012 and 2015.³⁵ While definitions are the same for both years, there are differences in the survey reference period and the corresponding method used to compute the resulting estimates:

• The more recent survey requested data for calendar year 2015. The 2015 estimates are representative of that year because respondents reported fraudulent payments processed over the full year.
• The earlier survey requested data for March 2013. The aggregate seasonal fluctuations of fraud are unknown, and evidence about whether or not March 2013 was a "representative month" for fraud volumes across the payment types is unavailable. Seasonal adjustment was not possible and so, as was done for all estimates from the depository institution survey in that year, a simple annualization was performed by multiplying totals reported for the month of March by 12, the number of months in the year. Note that the same approach was used to annualize partial-year estimates for all previous depository institution surveys as well.

As this methodological change for 2015 indicates, there is likely a greater, but unknown, amount of uncertainty around the 2012 estimates. Moreover, fraud may be either over- or under-reported in the 2012 methodology relative to the 2015 methodology.

DFIPS 2015 Compared with NPIPS 2015 for General-Purpose Card Data

The depository institution survey and the card network survey both collected data about card payments and card fraud. Data are collected from these two different types of providers because, although both process payments, the type and detail of information available to them differs, and different information is requested and reported. The 2015 estimates of total credit, non-prepaid debit, and prepaid debit card payments from the depository institution survey and the card network survey were so close that there was no benefit in reporting them separately. Instead, the depository institution estimates were set equal to the network estimates, and subcategories were allocated proportionally at the reporting stage.³⁶

Estimates of fraud totals and rates for 2015 from the two sources were different. First, the surveys study different market structures, or "populations," of payments providers. Because of the different market structures, the survey design and estimation methods differed in important ways. The differences may be due to sampling errors and the statistical models used to estimate the totals for depository institutions, but also may be due to non-sampling errors such as variances in the procedure for identifying and classifying fraud across institutions or reporting mistakes.

Fraudulent payments reflect different information sets available to the different types of payment providers. Therefore, it is helpful to consider how data collection methods and the resulting independent estimates of card fraud compare. The depository institution survey collected information about card totals based on reported payments made with cards issued by the depository institutions. The population of depository institutions is stratified by size and type, and separate ratio estimators are constructed from data returned by a sample drawn from each separate stratum. Of more than 11,000 depository institutions in the population, in 2015, about 3,800 were sampled and 1,383 provided data.

Partial responses were filled in by statistical imputation, using information from other respondents about how missing responses are related to items that were reported. Estimates for the population strata were constructed using ratio estimation, which takes advantage of the high correlation between the size of an institution and the value and number of payments. The national estimate is the sum of the estimates for each stratum.

The general-purpose card networks surveyed included the national credit card networks and national and regional non-prepaid debit and prepaid debit card networks. In 2015, 6 general-purpose card networks processed credit cards, 14 processed non-prepaid debit cards, and 11 processed prepaid debit cards. Any missing items were imputed using information from other networks about how the missing items were related to reported items and using information from outside the survey process, if available. Estimates of the national total were computed as the sum of data from the census.

Depository institution survey fraud estimates are based on fraud determinations by the payer's bank or card issuer. Card network survey fraud estimates are based on fraud determinations by the card networks from reports filed by issuers, acquirers, and third-party processors. Because card networks derive fraud information from the issuers, merchants, or third-party processors, the network's information identifying fraudulent card payments could be broader, thus leading to higher fraud rates. Alternatively, if depository institutions had concerns about the stigma of reporting a high fraud rate, they may have chosen not to participate in the study or may have chosen not to provide any fraud data.

The fraud rates were calculated directly from each survey independently. The fraud totals for the depository institution survey were then derived from the rates by applying them to the same numbers and values of total payments provided in appendix B, tables B.2.A-C. The total fraud estimates for cards from the depository institution survey are provided in tables B.1.A-C, and the rates are provided in tables B.3.A-C. The total fraud estimates from the card network survey are provided in tables B.5.A-C, total payments are provided in tables B.6.A-C, and the rates are provided in tables B.7.A-C. The rate comparison is discussed below.

By value, the 2015 card fraud rate estimate, excluding ATM, from the depository institution survey is 86.3 percent of the size of the card network survey estimate, or 13.7 percent smaller (appendix A, table A.1). Although card network survey rates across the board (credit, prepaid debit, non-prepaid debit) were higher, this difference in rate by value is mostly due to the differences in credit card fraud rates between the two surveys--a difference of 3.07 basis points.

Table A.1. Rate of card payments fraud, by card payment type and channel, 2015

By number, the depository institution survey and card network survey fraud rates are closer. In percentage terms, the depository institution survey fraud rate, by number for total cards is 93.0 percent of that of the card network survey or 7.0 percent smaller. In contrast to credit and prepaid debit rates by number, the depository institution survey fraud rate by number for non-prepaid debit cards is slightly higher than the analogous card network survey rate.

Readers deciding how to interpret these different results should consider differences in survey respondents and their frameworks for reporting:

• For credit cards, the estimates from card network survey could be more reliable than the depository institution survey estimates. The card network survey information comes from a small set of networks that reported a nearly complete set of fraud data, with little need for imputation. In contrast, the credit card issuers surveyed in the depository institution survey participate in a relatively concentrated market, so missing information from one or more large issuers can affect the estimates.
• For debit cards, the estimates from the depository institution survey could be more reliable than the card network survey estimates. The market for debit card issuance is less concentrated than credit card issuance, although still highly concentrated in the largest issuers. Debit card issuers, however, are experienced in reporting fraud information in the Federal Reserve Board Regulation II surveys, which do not collect credit card fraud data.³⁷ In addition, numerous regional debit card networks were unable to report fraud data in the card network survey, requiring imputation of fraud rates from ratios with reported data derived from a relatively small number of non-prepaid debit and prepaid debit networks.

Turning to card payment channels, there is no expectation of close similarity for these physical proximity allocations because the definitions are not identical. The card-present/not-present allocations were reported in the depository institution survey, and the in-person/remote allocations were reported in the card network survey. The depository institution survey reported a higher share of card-present by both value and number than the network survey reported for the share of in-person. For example, the depository institution survey percentage of payments, by number, that were card-present was 82.4 percent in 2015, compared with the card network survey percentage of payments that were in-person, at 79.6 percent. This difference could be due to some remote card purchases or bill payments being classified as card-present in the depository institution survey when they involve the provision of a three- or four-digit number printed only on the card, other identifying information, or card-on-file information from previous payments.

As held true for depository institution survey card-present fraud rates by value are smaller than card network survey in-person fraud rates by value. As for the rates overall, the difference in fraud rates related to proximity was greatest for credit cards. The largest percentage difference, by value, is between the credit card depository institution survey card-present rate and the card network survey in-person rate.

The intersection of the card channel, or the card's or cardholder's physical proximity and authentication method used for payment is an active area of research for the FRPS. Understanding how the card industry classifies payments in combination with authentication methods that may not require the cardholder to be physically proximate to the merchant (for example, the verification of an object or token) is important for judging the relative risk that a fraudulent card payment will occur, given different combinations of proximity and authentication method.

Appendix B: Data Tables

Table B.1.A. Total payments fraud from general-purpose transaction and credit card accounts, by payment type, 2012 and 2015

Table B.1.B. Card payments fraud from general-purpose transaction and credit card accounts, by card payment type and channel, 2012 and 2015

Table B.1.C. Card-present payments fraud from general-purpose transaction and credit card accounts, by card payment type and use of personal identification number (PIN) for authentication, 2012 and 2015

Table B.2.A. Total payments from general-purpose transaction and credit card accounts, by payment type, 2012 and 2015

Table B.2.B. Card payments from general-purpose transaction and credit card accounts, by card payment type and channel, 2012 and 2015

Table B.2.C. Card-present payments from general-purpose transaction and credit card accounts, by card payment type and use of personal identification number (PIN) for authentication, 2012 and 2015

Table B.3.A. Rate of payments fraud from general-purpose transaction and credit card accounts, by payment type, 2012 and 2015

Table B.3.B. Rate of card payments fraud from general-purpose transaction and credit card accounts, by card payment type and channel, 2012 and 2015

Table B.3.C. Rate of card-present payments fraud from general-purpose transaction and credit card accounts, by card payment type and use of personal identification number (PIN) for authentication, 2012 and 2015

Table B.4. Card payments fraud, by card industry fraud category, 2015 and 2016

Table B.5.A. Card payments fraud, by card payment type, 2015 and 2016

Table B.5.B. Card payments fraud, by card payment type and channel, 2015 and 2016

Table B.5.C. In-person card payments fraud, by card payment type and use of chip-based payment information encryption for authentication, 2015 and 2016

Table B.6.A. Card payments, by card payment type, 2015 and 2016

Table B.6.B. Card payments, by card payment type and channel, 2015 and 2016

Table B.6.C. In-person card payments, by card payment type and use of chip-based payment information encryption for authentication, 2015 and 2016

Table B.7.A. Rate of card payments fraud, by card payment type, 2015 and 2016

Table B.7.B. Rate of card payments fraud, by card payment type and channel, 2015 and 2016

Table B.7.C. Rate of in-person card payments fraud, by card payment type and use of chip-based payment information encryption for authentication, 2015 and 2016

Footnotes