Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
February 20, 2018
Best Practices for Data Privacy Policies
In my last couple of posts, I've discussed the issue of ethical policies related to data collection and analysis. In the first one, I focused on why there is a need for such policies. The second post focused on ethical elements to include in policies directly involving the end user. Whether or not the customer is actively involved in accepting these policies, any company that collects data should have a strong privacy and protection policy. Unfortunately, based on the sheer number and magnitude of data breaches that have occurred, many companies clearly have not sufficiently implemented the protection element—resulting in the theft of personally identifiable information that can jeopardize an individual's financial well-being. In this post, the last of this series, I look at some best practices that appear in many data policies.
The average person cannot fathom the amount, scope, and velocity of personal data being collected. In fact, the power of big data has led to the coining of a new term: "newborn data" describes new data created from analyses of multiple databases. While such aggregation can be beneficial in a number of cases—including for marketing, medical research, and fraud detection purposes—it has recently come to light that enemy forces could use data collected from wearable fitness devices worn by military personnel to determine the most likely paths and congregation points of military service personnel. As machine learning technology advances, newborn data will become more common, and it will be used in ways that no one considered when the original data was initially collected.
All this data collecting, sharing, and analyzing has resulted in a plethora of position papers on data policies containing all kinds of best practices, but the elements I see in most policies include the following:
- Data must not be collected in violation of any regulation or statute, or in a deceptive manner.
- The benefits and harms of data collection must be thoroughly evaluated, and then how the collected data will be used, and by whom, must be clearly defined.
- When the information comes from direct user interaction, consent should be obtained from the user, and the user should be given full disclosure.
- The quality of the data must be constantly and consistently evaluated.
- A neutral party should periodically conduct a review to ensure adherence to the policy.
- Protection of the data, especially data that is individualized, is paramount; there should be stringent protection controls in place to guard against both internal and external risks. An action plan should be developed in case there is a breach.
- The position of data czar—one who has oversight of and accountability for an organization's data collection and usage—should be considered.
- In the event of a compromise, the data breach action plan must be immediately implemented.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed