Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 1, 2016
FFIEC Weighs In On Mobile Channel Risks
In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.
Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:
- Mobile application development, maintenance, security, and attack threats
- Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
- Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication.
- Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices
The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 21, 2016
The Insider on the Outside
Having had a few days to digest my RSA Conference 2016 experience (and let my feet recover), I'm not sure whether to be more concerned about cybersecurity challenges or more at ease due to the sheer number of solutions on display that are available to mitigate these challenges. In reality, my emotions are mixed.
On the one hand, the cybersecurity threat is real and spreading across all types and sizes of businesses and government agencies. On the other hand, information sharing is taking place across, and within, industries like never before, and technology is being harnessed in an effort to strengthen defenses against the latest cybersecurity threats. But my biggest takeaway from the week might be different from that of the many technology evangelists and cyber risk experts that I encountered: the human element might be the most important element in mitigating data loss risks.
The risk of data loss due to the human element is quite substantial and probably merits a paper on its own or perhaps a dedicated Take on Payments series. Today, I'm going to focus on a single aspect of the human element: the expanding nature of the insider threat. In a Take On Payments post from the summer of 2013, I discussed some access and security management principles to thwart malicious behavior from an insider.
Traditionally, an insider has been thought of as an employee. That definition has broadened as organizations outsource more internal-support functions to third-party providers. Much has been written and discussed concerning regulatory and compliance issues related to third-party providers, and this notion of the "outside insider" is a logical extension of a company's risk management practice. The insider threat is real and costly. According to data from the Ponemon Institute, malicious insider attacks cost companies an average of about $144,000 annually.
Ensuring that any third-party provider has the necessary policies and procedures in place to secure your data from outsiders is paramount, but what about the sufficiency of their controls to protect your data from potential bad actors within these third parties? Have you given much thought to this notion of the "outside insider"? If you have, what recommendations or best practices do you have to avoid becoming a victim of a malicious insider on the outside?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 6, 2015
What Can Parenting Teach Us about Data Security?
My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.
As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.
However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.
In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference What Can Parenting Teach Us about Data Security?:
December 22, 2014
Top 10 Payments Events in 2014
As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.
#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.
#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.
#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.
#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.
#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.
#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.
#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.
#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.
#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.
And…drum roll, please!
#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.
How does this list compare to your Top 10?
All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!
Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.
TrackBack URL for this entry:
Listed below are links to blogs that reference Top 10 Payments Events in 2014:
December 2, 2013
Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?
An excessive number of consumer complaints or returns and chargebacks—these are among several red flags that could indicate that a third-party payment processor is engaged in fraud. And who better to take notice of these red flags than financial institutions? That's the thinking of many regulators, including the Financial Crimes Enforcement Network (FinCEN) when it released its October 2012 advisory on risk associated with third-party payment processors. In that advisory, FinCEN stressed the importance of financial institutions performing due diligence and monitoring their third-party payment processors.
The role of financial institution as gatekeeper was a major topic at the Atlanta Fed's October 30 Executive Fraud Forum, where a panel of industry leaders discussed the evolving role of third -party payment processors in the retail payments space. Representatives from the U.S. Department of Justice's Consumer Protection Branch and U.S. Secret Service, while they recognized the benefits of payment processors, highlighted case studies demonstrating the need for institutions to adjust their due diligence and monitoring to recognize attendant risks. They also stressed the importance of collaboration between institutions and law enforcement agencies in protecting consumers and keeping fraudsters away from payment processing.
Judy Long, who is the executive vice president and chief operating officer at First Citizens National Bank, also noted the gatekeeping role that institutions have with regard to the payments networks. Because banks are highly regulated entities whose primary objective is safety and soundness, she noted, they are in the best position to be the underwriters of payment processors.
As part of her discussion, Long mentioned some important practices for financial institutions in managing payment processor relationships.
- Because the board of directors plays a critical role in determining the institution's risk tolerance by approving its policies and procedures, it must make itself knowledgeable about the risk factors involved with third-party payment processors.
- The institution should have as an integral part of its policies underwriting guidelines that set limits for customers.
- The institution must monitor customers by examining return rates and consumer complaints, providing ongoing customer calling programs, and not just knowing its customer but also its customers' customers.
- Agreements should clearly explain the terms and conditions for how the institution will conduct business with a customer. These agreements protect both the institution and its customers.
For more details on this topic, watch this interview with Judy Long. You can also view the presentations from the Executive Fraud Forum on the event webpage.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?:
February 22, 2011
Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule
Financial institutions and other financial service providers commonly provide products and services through arrangements with third parties. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, these third-party arrangements, absent adequate risk management controls, can expose companies to reputational, operational, and compliance risks.
One possible measurement of a financial institution's reputational risk is how well the institution complies with the Unfair and Deceptive Acts and Practices (UDAP, or Regulation AA). While UDAP applies more specifically to credit card issuers and consumers regarding disclosure rules and restrictions on lender practices, it can also apply to third parties when a financial institution outsources functions of its card programs—for example, credit or stored value.
Increased use of third-party arrangements in consumer products
The Federal Deposit Insurance Corporation (FDIC) recently examined how financial institutions have used third-party providers to roll out new and innovative products and services during the current economic challenges. The FDIC released its findings in the Supervisory Insights Winter 2010 newsletter, which revealed that financial institutions are increasingly relying on third-party vendors. Specifically, over 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.
Costly lessons for violating UDAP
Noncompliance with UDAP generally occurs when a financial institution outsources the development and administration of a new credit card product to a third party unfamiliar with the necessary disclosure requirements regarding finance charges and fees, for example. Complaints alleging UDAP violations generally stem from credit card marketing products released by a financial institution’s third party vendor. These types of practices can potentially expose a financial institution to a host of legal and regulatory sanctions.
Recent enforcement actions against financial institutions that have violated UDAP due to poor oversight of third-party service providers have proven costly. If a financial institution insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—it could face enforcement action.
Incorporating UDAP risk into an existing vendor-management risk tool kit
Data security is certainly an integral aspect of managing third-party service provider risk, but it is only one part of the picture. By also including UDAP risk management in their tool kits, financial institutions can better position themselves to manage their overall risk in relation to third-party service providers.
In recent years, the FDIC and the Board of Governors of the Federal Reserve System released joint guidance on the need for a financial institution to include UDAP risks with regard to third-party service providers. Some of the key components the guidance identifies are maintaining awareness of the risks associated with outsourcing, establishing controls over such relationships, exercising proper due diligence when identifying, selecting, and maintaining a third party, and creating comprehensive written contracts.
The joint guidance recommends that the financial institutions relying on third-party service providers maintain UDAP compliance by paying close attention to the service providers' card program promotional materials, advertisements, claims, and representations that could mislead a target audience regarding the cost, availability, or terms of the product or service.
Taking the needed precautions
By outsourcing to a partner, a financial institution places a great deal of trust in that provider, but that's no excuse for poor due diligence and oversight, which could readily lead to violations of the UDAP. The financial institution successfully monitoring its UDAP compliance specifically tailors its approach to the third party with which it has a relationship.
Financial service providers must look beyond the data protection measures of third-party service providers to ensure they are also in compliance with UDAP requirements.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule:
- EMV Comments That Make Me Cringe
- Taking a Quantum Leap into Payment Security
- Looming Questions with the Rollout of NACHA's Mandated Same-Day ACH Rules Change
- AdmiNISTering Passwords: New Conventional Wisdom
- Mobile Banking and Payments—What's Changed?
- Risk Mitigation Isn't Just for Banks
- The Simple Consider Three but Four is the Key
- As with Nuclear Disarmament, So with ACH: Trust, but Verify
- The Personal Cost of Fraud
- When Fraud Hits Home: Questioning Today’s Authentication Methods
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud