Retail Payments Risk Forum
Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
Take On Payments
May 11, 2015
The Hill Tackles Cybersecurity
In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.
Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.
National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.
Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.
The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Hill Tackles Cybersecurity:
January 27, 2014
The Importance of Partnerships between the Private Sector and Law Enforcement
Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.
Below are descriptions of organizations that are built on such collaborations.
- Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
- National Cyber-Forensics &l Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identity, mitigate, and ultimately neutralize threats.
- Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
- InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
- Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.
Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Importance of Partnerships between the Private Sector and Law Enforcement:
November 26, 2012
Highlights from a Conference on Technology and Payments
The retail payments landscape is rapidly evolving as technological advances promote new electronic payment methods. On October 15–16, the Risk Forum convened at the Atlanta Fed a diverse gathering of stakeholders in the payments industry. Industry representatives were from telecommunication firms, airlines, standards bodies, payments processors, and coffee house retailers, as well as the more traditional players.
Federal Reserve Bank of Atlanta President and CEO Dennis Lockhart kicked off the event. His opening remarks focused on the Federal Reserve System's role as a central bank in the country's retail payment system, both as a payments operator and as the country's guardian of financial stability. In the latter role, the Fed aims to preserve the integrity of both the retail and wholesale payments systems. Lockhart stressed that although this role has national strategy overtones, it is not intended to stifle innovation and competition but rather to support a market-oriented approach to payment developments. By noting the vulnerabilities that the fast pace of change and innovation in the industry create, Lockhart set the stage for the day's session, the highlights of which we are sharing here. You can find the complete presentation materials on the Atlanta Fed website.
Technology developments in card-based payments
Legacy plastic cards are likely to remain important for some time. Nevertheless, significant changes are under way. These technological changes were the focus of this panel. The U.S. payments industry is struggling to collectively shift from magnetic stripe-enabled card payments to a more secure and interoperable environment. Panelists discussed the challenges posed by the planned U.S. migration to chip-enabled cards and to the EMV standards already adopted in most of the globe's major developed countries. They discussed the potential shift in fraud to card-not-present payments in the shift from mag-stripe cards. Panelists said that fraud mitigation in the future U.S. EMV environment will require additional data analysis tools, including the use of better encryption methods and tokenization. They also touched on the benefits of PIN versus signature authentication.
The evolution of technology standards in retail payments
Technology standards provide the cohesion to ensure the critical mass needed for successful payment network adoption. At the same time, the myriad of new market solutions, patent issues, and even standards bodies themselves challenges industry cooperation and consensus building, slowing the standards development process. Panelists discussed the activities of various standards bodies that touch retail payments today. They also talked about how they are working to galvanize industry stakeholders to agree and employ standards that foster security and interoperability.
Mobile payment developments at the point of sale
This panel of experts reviewed technological developments in the mobile channel for payments at the merchant's point of sale (POS), including the rollout of several mobile wallet initiatives. Panelists discussed the challenges associated with the highly dynamic nature of the technologies. They noted that new complex business models are resulting in many different types of payment solutions, creating a confusing ecosystem for mobile proximity payments.
Panelists noted that the many new, thought-provoking products out in the market place today create many unknowns, not only with respect to security, but also future viability. They agreed that it is hard to predict which solutions have true scalability. An interesting discussion took place on the success of new payments such as Square, which changed the proverbial game by expanding the population of merchants that can accept card payments and by repurposing the mobile handset into a payment acceptance device. The panel also discussed how Starbucks unwittingly assumed the role of a payments pioneer when they moved to the mobile channel. Their original aim was not to adopt a new payments method but rather to increase customer loyalty and convenience.
The merits and challenges with the upcoming EMV migration were also top of mind for the panel.
Technology trends in mobile payment transfers
U.S. mobile payment developments have generally centered on payments at the POS. However, remote mobile payments, or person-to-person mobile transfers, are also taking form as a business model. Panelists discussed how nonbank players are entering the money transmission space hoping to leverage new mobile technologies. They explored the current environment for domestic and cross-border mobile transfer payment activity, analyzing the changing roles of payment service providers and the subsequent regulatory and policymaking considerations.
Panelists noted that we are seeing a huge paradigm shift in mobile money, with prepaid airtime credits looking more and more like currency in developing countries. Some countries permit payment service providers to provide airtime cash-out; Kenya's M Pesa is one of these providers. The lack of system interoperability across borders and liquidity management considerations are barriers to a global, scalable airtime transfer system. Panelists also noted, however, that airtime transfers are increasingly becoming a natural complement to traditional remittances.
In addition, traditional remittance providers are partnering with telecom firms to deliver services in emerging markets. These providers also work with banks in more developed countries, like the United States, to use the mobile channel in more efficient ways.
Technology threats and mitigants in electronic payment systems
Whether through scams such as “Obama Will Pay Your Bills” or corporate account takeovers, criminals are increasingly using electronic payments networks to perpetrate fraud. Panelists stressed that industry stakeholders must themselves become more sophisticated in order to develop solutions to better detect and mitigate these risks. Future fraud detection will require more sophisticated approaches to address growing vulnerabilities in web applications. Panelists also stressed that financial institutions must validate transactions to enforce rules and limits and to manage fraud.
The Risk Forum uses events such as this to encourage dialogue and share critical business intelligence among participants. We can then use information that comes out of such discussions to inform our work with the payments industry as we collectively work on better solutions to detect and mitigate risk. Expect to see more discussion in future posts. As always, we value your responses.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Highlights from a Conference on Technology and Payments:
May 14, 2012
Cooperating competitors? Yes, when it comes to payment standards
Standard sizes allow us to efficiently pick out clothing to try on at any store we go to, and even to shop online. Standard file formats enable the exchange of documents between computers with different operating systems and software programs. Similarly, standard payment formats ensure that our payment cards work at a wide range of merchants regardless of where we bank. Although we often take standards for granted, they are absolutely critical to the efficient functioning of the payment system.
Standard formats are a classic public good: they can be used by multiple people at no marginal cost per user and it is difficult to exclude people from using them. Typically, public goods have to be provided by the government, because no individual firm has sufficient incentive to provide them privately. However, in the payments industry, standard payment formats have frequently been adopted without government intervention. Instead, private firms generally cooperate to develop payment standards through membership organizations like NACHA, the Accredited Standards Committee X9, and EMVCo. These organizations are direct competitors who choose to cooperate in developing shared industry utilities. Atlanta Fed payments risk expert Doug King has written extensively on industry efforts to implement the EMV payment card standard in the United States.
The payments industry might be able to supply its own public goods due to the relatively low transaction costs of doing so. While a small number of companies manage the majority of card payments across the globe, the U.S. industry includes several well-established companies and numerous smaller competitors as well as start-ups. Most of the companies are already members of established industry organizations that facilitate collaboration. This is much simpler than the market providing a public good like low pollution in a river, for example. Somehow the many consumers and firms who access that river must assemble and agree on the pollution level, develop an enforcement mechanism, and implement the agreement—and many of these stakeholders will likely never have worked together before.
The effect of payment standards on competition is unclear. It’s possible that standards increase competition in the payments industry by leveling the playing field between established firms and start-ups. However, some payments standards are proprietary and may inherently favor the companies that most influenced their development. For example, to the extent that the largest card networks dictate the specifications for the EMV standard, this may disadvantage smaller networks. Those smaller networks are left in the unenviable position of having to comply with standards in which they had little voice in developing. Thus, although the payments industry seems to have been effective in developing standards cooperatively, it’s possible that this market activity has favored the dominant players. How will the move to the EMV payment card standard affect competition in the U.S. market?
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Cooperating competitors? Yes, when it comes to payment standards:
October 3, 2011
Cyberspace trust: Proving you're not a dog
A very real discomfort underlies the classic joke: "On the Internet, nobody knows you're a dog." How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate's Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you're reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.
The most recent installment of the Payments Spotlight podcast series features Jeremy Grant, leader of the U.S. Department of Commerce's National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is a White House initiative that works collaboratively with the private and public sectors to improve the security of online transactions by increasing online security and solving the problem of weak and inconvenient passwords.
"The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009," Grant explains. The goals of the new cyberspace policy include "the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties." A critical first step, says Grant, is addressing the fact that "passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online." (A May 2011 Payments Spotlight podcast addressed the weakness of single-factor authentication, such as logging in with just a password.)
Although the government is coordinating the NSTIC effort, the program is designed as a private-public partnership. Grant says it is not the government's role "to figure this out for the rest of the world, but to convene different private sector stakeholders, [including] tech firms, banks, healthcare firms, security firms, advocacy groups in the privacy and consumer communities, and other interested individuals." A major goal of NSTIC is to foster collaboration. He says, "We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. Government will convene and we'll be an early adopter, but we are not going to actually lead this." Some private businesses are already excited about NSTIC. Michael Barrett, Chief Information Security Officer at PayPal, has voiced his support: "[We] will be offering more services to our customers over the coming months that directly support the NSTIC, which we expect will result in many new benefits to both our customers and the Internet overall."
So when can we expect to see NSTIC implemented? Currently the National Program Office is laying the groundwork for pilots, which can be expected sometime next year. In terms of resources, Grant notes that "for fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs." The funds have not yet been appropriated, so budget wrangling may still change those numbers. Those pilots will be just the first step in architecting a more secure Internet identity infrastructure. If NSTIC achieves its vision, we can be confident that no fraudsters—or dogs—lurk behind our friends' Facebook profiles and e-mail addresses!
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Cyberspace trust: Proving you're not a dog:
August 29, 2011
Seeing what dimly lies in the distance: Parting thoughts on addressing payments system risk
As this post for Portals and Rails runs, it is likely that my concerns about fraud may be starting to center on whether the manufacturer's claims about the bass lure I am using are fraudulent. I guess that's a way of saying that on August 31, I will officially retire after 38 years with the Federal Reserve, an extraordinary organization faced with extraordinary challenges across the three legs of its mission responsibilities: monetary policy, bank supervision and regulation, and payments services. I have been blessed to have had so many challenging and diverse experiences through the years, including the last two years directing the fascinating work of the Retail Payments Risk Forum. Learning about the risks in our payments system, marveling at the entrepreneurship of those who want to exploit its weaknesses to commit fraudulent activity, and working with the industry to try to find ways to mitigate those risks has been both interesting and exhilarating.
Clearly such work is never done and the constant arms race to stay ahead of the bad guys in a technology-centric payments world is not likely to abate. My hope is that those who read this column continue to support the work of the Forum, its outstanding staff, and its new leader. But even more importantly, my hope is that the industry continues to make progress in collaboratively addressing the needs of our payments system in difficult times when investment dollars are scarce and tough choices must be made. At the risk of waxing philosophic, it is with all this in mind that I leave the following thoughts for others to consider and hopefully run with.
First, as an industry, we need to push our leaders to understand that the paradigms of success today are not those that served us well 10 years ago. The payments system is now a global infrastructure, and purely domestic solutions to managing fraud will not work. Business models for success changed with the advent of the Internet and they will change again with the evolution of mobile technology. A corporation's worst nightmare may be riding a train in Eastern Europe while simultaneously cleaning out a bank account in the United States. This means that it will inevitably be harder to implement solutions, but imminently necessary to extract ourselves from domestic thinking while building partnerships across the globe.
Second, standards are the key to long-term progress in such an environment. Certainty about what standards frees markets to invest in developing solutions to payments problems in a competitive environment that encourages escalating performance. Hence, we must give a lot of attention to doing the work in the basement rooms where standards folks work. While I suppose that revenue opportunities may abound for the entity that owns the standards, companies that are able to depend on standards to deliver risk management systems and products greatly reduce their cost of development and ongoing operations.
Third, it would be useful to clarify the roles of the many government (and sometimes private sector) groups that must engage in the business of protecting our payments system. The Forum and colleagues from the Boston Fed have been engaged in an ongoing effort with mobile payments that has demonstrated to us that nobody wants this clarity more than a frequently confused marketplace. While they long for integrated operations, integrated law, and integrated technology, it is integrated oversight that would help clarify who is responsible for what, encourage collaboration and sharing, and expose gaps in coverage that bad actors can exploit.
Fourth, in recent industry meetings I have heard payments professionals lament that a big part of our problem is that customers—both consumers and businesses—are not well educated in how to protect themselves against fraud. The discussion concerning who should be responsible for providing the education, however, resembles a group of folks juggling a hot potato. My suggestion is that financial institutions (individually or collectively through their trade associations) are the one party that touches both user groups and that stepping up and assuming the leadership role in payments education would not only be a great service but might actually be an endearing customer relationship and retention strategy.
Finally, as an industry we seem to be struggling to establish a vision for the future. On a wall at a recent meeting room, I read a quote by Thomas Carlyle that said, "Our main business is not to see what dimly lies at a distance, but to do what lies clearly at hand." Carlyle (who is credited with calling economics the "dismal science") may have had a point when he wrote this in the mid-19th century, but today the future comes at us so fast, it seems to me that we have to constantly keep our eye on what lies vaguely in the distance and create a vision for the future that embraces the possibilities. Said differently, it may be useful to create a vision for how we will collectively address future risks in the payments system even as we deploy new technology, rather than focusing on how to defeat the threats we already know.
With that, I wish our readership all the best and trust that perhaps our paths may cross again.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Seeing what dimly lies in the distance: Parting thoughts on addressing payments system risk:
February 16, 2010
Haitian crisis: Are mobile payment discussions an unexpected consequence?
The earthquake in Haiti caused massive destruction that ultimately leveled the capital city of Port-au-Prince and resulted in the deaths of thousands of people. As charitable assistance has poured in from around the world, an unexpected revelation has come to light with respect to the potential for mobile phone–enabled payments. Within a matter of days, wireless network operaters facilitated millions of dollars in donations, demonstrating how quickly people all over the world could assemble to adopt a single payment method for a specific purpose. Through the use of text messaging, or SMS (short message service), via the mobile phone, consumers could send payments to a variety of charitable organizations providing aid to Haiti.
Convenience of text messaging can drive adoption
I heard someone say recently that "convenience is like a drug for consumers." This convenience is possibly why texting is outpacing e-mail messaging as a mainstream form of communication—the ubiquity of mobile phones makes texting increasingly easier, cheaper, more convenient, and perhaps a natural vehicle for sending payment instructions. According to research released by Nielsen Mobile, the typical U.S. consumer sends and receives more SMS text messages than telephone calls. Mobile SMS is already widely used in developing countries to facilitate mobile money transfers for domestic person-to-person payments and cross-border remittances.
What if something goes wrong?
In many developing countries, mobile money transfer payments are transmitted via SMS without a bank partner to facilitate clearing and settlement. As described in an earlier post, Safaricom's M-pesa service provides mobile phone–enabled payments through text message instructions, with cash-out needs accommodated by agents, typically a village store or wireless retailer. But many of the payments are peer-to-peer in nature and funded by topping up the consumer's mobile phone bill. In the Haiti example, customers also could fund the payment by adding the value of the donation to their phone bills or by debiting a bank account.
Of course, the legal and regulatory environments in the United States differ markedly from developing markets like Kenya, where the M-pesa mobile payments service has grown so rapidly. The risk environments also differ significantly. In Kenya, a consumer faces less risk of loss in a mobile-enabled payment environment than the cash-based system that prevailed only a few years ago. U.S. consumers have many choices in payments and enjoy legal protections if service providers fail to consummate the payment transaction.
So what happens if the $20 donation instruction you sent to Haiti appears as a $200 or even a $2,000 charge on your bill? What if there is a disagreement about the error between you and your wireless carrier? What else could go wrong?
Protection for consumers
One of the growing challenges created by payment innovations is the creation of new laws and rule sets, which provide different protections depending on the payment type. This challenge is further complicated as payments converge and assume different formats along the supply chain. For example, a payment initiated via a credit card on a mobile device is subject to error resolution procedures and consumer protection standards established by the card networks. Similarly, Regulation E covers electronic transactions initiated from a bank deposit account. But if you disagree with a charge to your phone bill for a payment, it is questionable whether the error resolution provisions of Regulation E would even apply. As telecom firms become more important participants in retail payments, what laws and rule sets can consumers look to for protection when things go awry?
Of course, these issues are highly hypothetical but also very possible. Telecom firms and mobile payment service providers are filling new roles in mobile payments, forcing business models that we know today into a new paradigm. Perhaps the crisis in Haiti will serve as a catalyst for proactive thinking on risk issues so that all industry participants can work together to build a safe and trusted mobile sector of commerce.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Haitian crisis: Are mobile payment discussions an unexpected consequence?:
October 20, 2009
Building a bridge: Will proactive discussions of fraud concerns help drive financial services and telecom industry collaboration in the emerging mobile payments context?
Much has been written in this blog and elsewhere about the emergence of mobile phone-enabled payments. Recently, we had the pleasure of attending two excellent conferences that stimulated thinking about how the lines between two major industries, telecoms and financial services, are beginning to blur. First was the Finovate 2009 conference in New York. Among a wide array of financial services technologies and business model demos presented was a fascinating lineup of emerging methods for accomplishing payments transactions using the mobile phone. Clearly, much new innovation is emerging in this area. Technology providers are building bridges between banks and telecoms in this environment. All of this fertile stew of ideas bears watching in the years to come.
Second, we recently attended a joint session put together by the Santa Fe Group Vendor Council and the Communications Fraud Control Association in Atlanta. This meeting offered an opportunity for those thinking about fraud controls in the payments arena and those concerned about fraud in the communications (telecoms) industry to begin to discuss issues of mutual concern as mobile payments emerge in the United States and abroad.
For example, issues at the table included the following:
- Registration protocols vary significantly between mobile services and bank payment services. This variation can complicate the forensics on a fraudulent transaction in the aftermath as either investigators within banks or telecoms or law enforcement may find it very difficult to map a transaction to a particular person through mobile payments channels.
- Authentication protocols are also differentiated because of regulatory requirements and industry practices. These protocols complicate investigations as varying audit trails create complexities.
- Malware concerns such as SMiShing in mobile phones are emerging and may be creating new and poorly understood vulnerabilities and hacker threats in the payments environment.
- Fraud detection "flags" may not be translated or communicated well between the two industries. What happens when a phone is reported as lost to the mobile carrier, and it is a fully enabled mobile wallet? Does the bank with whom the customer is affiliated also need to be notified? Does a compromised account at a bank also need to be reported to the telecom provider when the phone is a transaction device?
- Are fraud investigators duplicating efforts when they investigate a fraudulent episode involving a mobile payments transaction? How could these efforts be better coordinated?
- Do privacy restrictions in the banking and telecom environments create undue barriers to sharing of useful information to help track down bad actors?
- If a payment transaction is reliant upon an “always on” mobile connection, what happens to the transaction when and if a connection is lost midstream? Who is responsible? What about the fraud risk?
These and other issues were raised in the context of the discussion, and all agreed that further elaboration of these issues was needed to determine the best opportunities for collaborative action. However, it seemed clear that when it comes to fraud, open channels between the two industries could go a long way to ensuring effective deterrence and loss mitigation in the mobile payments environment.
On a larger scale, these conversations are likely to deepen as many of the emerging mobile payments business models take hold. In this emerging environment, collaborative cross-industry work on fraud issues could be a positive launching point for breaking down industry silos for the good of financial services and telecommunications companies, and it could benefit their customers, which will in turn further support the utilization of all those innovative mobile payments models we heard about at Finovate.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Building a bridge: Will proactive discussions of fraud concerns help drive financial services and telecom industry collaboration in the emerging mobile payments context?:
August 10, 2009
Collaboration to address payments risks and fraud
In the world of payments, all players share an interest in seeing that risks are detected and mitigated quickly and effectively. However, when threats emerge, is it everyone for themselves? How does the variety of interests and goals among all the players converge? In a private marketplace mixed with government actors, how can we work better together?
Participants at a 2008 conference hosted by the Retail Payments Risk Forum discussed these issues and described the challenges and potential solutions. A year later, the findings of this forum are worth revisiting.
Real or perceived information-sharing limitations among financial institutions, regulators, law enforcement, and others can substantially impede addressing retail payments risks on a timely and effective basis. Examples include inconsistent or incomplete payments data, varying success levels of intra- and interagency collaborations, varied and overlapping jurisdictions, an incomplete network of memoranda of understanding (MOUs), privacy restrictions, perceived barriers beyond legal restrictions, competitive interests, costs, and trust. Suggestions for improvement in this area focused on:
- collection, consistency, and commonality of payments data, better understanding of its utility, and analysis tools. While data needs vary, a first step would be to focus on data elements of shared interest. A working group could facilitate ongoing payments data compilation and analysis efforts;
- formal and informal dialogue among various agencies and others, including simple measures such as shared contact lists;
- development of a “matrix” of various roles/responsibilities/information sources for shared use to facilitate more timely location of information and expertise available; and
- a more systematic, organized mechanism for information sharing, perhaps by establishing “brokers” for relevant information such as payments data.
Policing bad actors
Many noted that communication about bad actors is often ad hoc and that information is too widely dispersed to be useful and timely. Individual agency efforts, published enforcement actions, SAR filings, interbank collaborations, and industry self-regulatory efforts, while all worthwhile, have not fully promoted effective information gathering and sharing among all the parties who can have an impact. Suggestions for improvement in this area included:
- better understanding of risks across payment channels, both for front-end access point(s) and back-end processing, to mitigate fraudster arbitrage of vulnerabilities;
- publishing enforcement actions and related settlements more effectively as a deterrent;
- establishing a central “negative list” or “watch list” of bad actors;
- extending registration requirements for third parties participating in payments networks beyond existing targeted voluntary efforts;
- strengthening and clarifying regulatory guidance, such as that for counterfeit checks and consumer account statements;
- better educating consumers and banks regarding common issues;
- a more direct means of compensating victims;
- mining specific activity reports and other existing agency databases such as consumer complaints data; and
- potential new SEC codes within ACH to better track risks.
Participants identified collaborative efforts to help detect and/or mitigate retail payments risk issues and identified benefits and gaps. Examples included bank regulatory groups (intra- and interagency), national and regional law enforcement partnerships, interstate collaboration, federal-state working collaborations, joint investigative task forces, examination- or case-driven ad hoc efforts, and industry data-sharing efforts. Potential avenues for improved collaborative action included:
- a law enforcement/regulatory payments fraud working group;
- a virtual collaborative forum via Web sites, e-mail lists, or regular phone calls;
- greater attention paid to requests for comments on proposed NACHA rules;
- examiner and law enforcement training opportunities;
- participation in and/or support for industry database sharing efforts;
- engagement with industry groups to improve best practices;
- a Web-based resource for consumers supported by all (“fraud.gov”);
- implementation of further MOUs among agencies; and
- efforts to identify fraud patterns across agencies, such as the federal government’s Eliminating Improper Payments Initiative.
Substantive areas of concern
Participants were asked to describe substantive retail payments risk issues that keep them up at night. Some common themes emerged, including:
- strengthening the oversight of third-party payments processors and others not covered by the Bank Service Company Act;
- quantifying and better managing the misuse of remotely created checks;
- understanding and mitigating risks associated with “cross-channel” fraud;
- “Know Your Customers’ Customer” due diligence, compliance, and associated risks and potential liabilities for fraud detection/mitigation purposes;
- establishing a common means of redress for consumers regardless of the payment channel; and
- improving the clarity of consumer account statements by instituting standards and reducing jargon.
Progress has been made on a number of these ideas in the past year, including the formation of new working groups and other collaborations. The Retail Payments Risk Forum continues to explore opportunities and implement solutions to help foster collaborative action to address these and other industry concerns. Your input in the form of comments to Portals and Rails on these or other topics is welcomed!
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
TrackBack URL for this entry:
Listed below are links to blogs that reference Collaboration to address payments risks and fraud:
May 26, 2009
SARs trends, SAR Review teams, and fraud
A February 2009 report from the U.S. Government Accountability Office (GAO) found that between 2000 and 2007, suspicious activity report (SAR) filings by depository institutions nearly quadrupled, from 163,000 to 649,000 per year, with 2008 promising even further growth. The GAO report posited two key forces driving the overall increase in filings: a) the deployment of automated monitoring systems that can assess suspicious activities using customer profile information and b) heightened diligence in light of several high-profile cases involving poor account monitoring by some institutions, which may have led to institutions filing more SARs "defensively" to avoid criticism.
SARs were initially associated with money laundering and terrorist financing concerns, but now, some experts note, SARs are increasingly filed for other potential suspicious activities such as identity theft and consumer fraud. Possibly this trend is a further reflection of the sophistication of integrated and automated systems deployed by some financial institutions which can detect suspicious activity of all types, or possibly this development is a manifestation of the "defensive filing" phenomenon. FinCEN Director James Freis was recently quoted in the American Banker: "I think that more bankers are realizing that the same due diligence required for AML (Anti-Money Laundering) compliance is also a powerful weapon against fraud."
Another contributing factor not mentioned by the GAO report is growth in the overall volume of banking transactions such as mortgage activity. However this factor is not likely to fully explain the very rapid growth in SAR filings in these years. Moreover, there is the question of whether the increase in SAR filings is reflective of an increase in criminal activity itself.
The 2001 National Money Laundering Strategy called for the establishment of "SAR review teams" in every federal judicial district, drawing together federal law enforcement (U.S. attorneys offices, Internal Revenue Service, U.S. Immigration and Customs Enforcement, Federal Bureau of Investigation, Secret Service, U.S. Postal Inspection Service, etc.), federal banking regulators, and state and local law enforcement. While SARs have typically been used as supporting documents for existing cases, these SAR review teams look to SARs also for the purpose of initiating new investigations. SAR reviews by these teams may uncover links among superficially distinct SARs that can lead to criminal prosecutions, civil forfeiture actions, federal or state regulatory actions, warning letters, and/or referrals to other agencies or districts. Further, these teams help to coordinate efforts and more efficiently allocate scarce resources.
Will the confluence of increased reporting, improved data monitoring by many institutions, and proactive monitoring of SARs by SAR review teams have a measurable impact on abuse of payments systems and associated fraud?
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference SARs trends, SAR Review teams, and fraud:
- Don't Forget the Check
- Fraud Reduction at the IRS: Some Happy Returns
- Phone Scams and Phishing
- Asset Size Matters in Survey Responses
- Wouldn't It Be Nice to Tap and Pay?
- The Social Benefits of Biometrics
- The Five-Star That Flops
- ACH: No Trace Left Behind
- Pssst…Have You Heard about PSD2?
- Mobile Banking and Payments Survey Results
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud