About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« April 2009 | Main | June 2009 »

May 29, 2009


Do market forces drive fraud?

In today's U.S. markets for payment and credit services, have we overshot the mark in keeping personally identifiable information private, thereby lowering the bar to fraudsters?

Providers of credit and payment services traditionally required customers to have a public identity, such as by providing references, allowing the provider to verify the person's identity and creditworthiness before opening an account. This required the potential customer to be socially engaged and sacrifice some privacy to establish a public identity. Some non-Western cultures still look to public personas to help ensure good conduct. Consider Qifang, a new Chinese peer-to-peer lending business, which requires potential borrowers to provide not only personal information but also information about family members, thereby raising the penalty for default as it may cause the whole family to "lose face."

U.S. consumers have come to expect instant gratification in their ability to open accounts, obtain credit, and complete payments. Further, they tend to demand privacy and security of their personally identifiable information and want to share the least information that will facilitate the transaction. These market demands may drive payment services providers to impose the least amount of privacy requirements and security risk on their customers to facilitate the most "frictionless" transactions possible. While perhaps inevitable and likely a positive driver of payments innovation, this confluence of market forces may nevertheless increase the vulnerability of payment systems to risks such as those resulting from identity theft and new account fraud—less information is demanded of a legitimate customer, so similarly the hurdles to wrongdoers are lower.

Some thinkers in this arena have applied economic analysis to the trade-offs between privacy, data security, and fraud prevention. Others have advocated re-evaluating entirely how we view privacy, by severing the link between identification information (which should be harmless and public) and privacy, in effect permitting individuals to preempt imposters by making their identity fully public and allowing anyone to verify it easily.

While there is great emphasis on protection of personally identifiable information (driven by law and regulation, consumer demand, fear of reputational impact from data breaches, etc.), as long as such information can be used effectively to perpetrate fraud, risks will persist. As payment providers simultaneously compete for the most user-friendly, hassle-free, fast, private, secure services model, they also may have incentives to require less personally identifiable information. This is less intrusive for their customers and also helps avoid storage of such information. This may drive providers to require the lowest level of information and, as mentioned before, lower the bar for fraudsters as well.

Do these market incentives in effect foster an environment where identity theft and resultant payment frauds can proliferate? If so, how can this problem best be addressed?

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

May 29, 2009 in fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01156fbb1d37970c

Listed below are links to blogs that reference Do market forces drive fraud?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 26, 2009


SARs trends, SAR Review teams, and fraud

A February 2009 report from the U.S. Government Accountability Office (GAO) found that between 2000 and 2007, suspicious activity report (SAR) filings by depository institutions nearly quadrupled, from 163,000 to 649,000 per year, with 2008 promising even further growth. The GAO report posited two key forces driving the overall increase in filings: a) the deployment of automated monitoring systems that can assess suspicious activities using customer profile information and b) heightened diligence in light of several high-profile cases involving poor account monitoring by some institutions, which may have led to institutions filing more SARs "defensively" to avoid criticism.

SARs were initially associated with money laundering and terrorist financing concerns, but now, some experts note, SARs are increasingly filed for other potential suspicious activities such as identity theft and consumer fraud. Possibly this trend is a further reflection of the sophistication of integrated and automated systems deployed by some financial institutions which can detect suspicious activity of all types, or possibly this development is a manifestation of the "defensive filing" phenomenon. FinCEN Director James Freis was recently quoted in the American Banker: "I think that more bankers are realizing that the same due diligence required for AML (Anti-Money Laundering) compliance is also a powerful weapon against fraud."

Another contributing factor not mentioned by the GAO report is growth in the overall volume of banking transactions such as mortgage activity. However this factor is not likely to fully explain the very rapid growth in SAR filings in these years. Moreover, there is the question of whether the increase in SAR filings is reflective of an increase in criminal activity itself.

The 2001 National Money Laundering Strategy called for the establishment of "SAR review teams" in every federal judicial district, drawing together federal law enforcement (U.S. attorneys offices, Internal Revenue Service, U.S. Immigration and Customs Enforcement, Federal Bureau of Investigation, Secret Service, U.S. Postal Inspection Service, etc.), federal banking regulators, and state and local law enforcement. While SARs have typically been used as supporting documents for existing cases, these SAR review teams look to SARs also for the purpose of initiating new investigations. SAR reviews by these teams may uncover links among superficially distinct SARs that can lead to criminal prosecutions, civil forfeiture actions, federal or state regulatory actions, warning letters, and/or referrals to other agencies or districts. Further, these teams help to coordinate efforts and more efficiently allocate scarce resources.

Will the confluence of increased reporting, improved data monitoring by many institutions, and proactive monitoring of SARs by SAR review teams have a measurable impact on abuse of payments systems and associated fraud?

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

May 26, 2009 in bank supervision, collaboration, fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c011570a6c744970b

Listed below are links to blogs that reference SARs trends, SAR Review teams, and fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2009


State attorneys general shine light on gray areas of payments risk

When considering due diligence standards in payments relationships, banks and others may want to look beyond bank regulators, legal requirements, and NACHA rules to also include considerations developed out of the work of state attorneys general. During the last several years, state attorneys general have found their way into the payments risk management space as they have sought to inhibit merchants from evading taxes, promoting internet tobacco sales to minors, and other illegal behaviors. In their pursuit of wrongdoers, states have investigated the payments processors who aggregate and/or initiate ACH payments or remotely created checks, and the banks who accept these items through their account relationships as well. In doing so, these states have negotiated settlement agreements, which include due diligence policies for banks and payment processors. The results of these efforts may raise interesting questions as to whether or not existing regulatory guidance, NACHA rules, or legal requirements are sufficiently specific or clear standing alone.

One instance is instructive. Beginning in 2006, the states of California, Idaho, and New York began to investigate Internet tobacco sales activities in violation of various state laws. These investigations led to negotiated settlements with ECHO Inc., a payments processor, and with First Regional Bank, a California-based financial institution. These settlements included detailed requirements for the processor and the bank to perform due diligence on their customers (or, for the bank, their customers' customers). In particular, First Regional Bank was required to institute a "Tobacco Policy" under which the bank would perform specific steps to ensure it did not permit illegal tobacco sales activity to be facilitated using payments originated via its accounts. As an example, the bank's policy would include terminating accounts with any processor who failed to terminate processing for any customer who a) switched ACH activity to "demand drafts" (presumably focused on remotely created checks) once notified of a problem or b) offered "demand drafts" as a means to avoid ACH return scrutiny. This provision highlights a particular concern with illegal activity, including frauds, switching between ACH payments, and remotely created checks to avoid the network scrutiny instituted by the ACH operators and NACHA.

The efforts of the states, such as in the example above, raise potential questions about the specificity and clarity of the guidelines issued by the banking regulators, such as those issued by the OCC and FDIC with regard to payments processor relationships. The bank supervisors promote banks taking a risk-based view of due diligence requirements rather than prescribing specific actions. NACHA rules require commercially reasonable standards generally, suggest contracts should be in place with third-party senders, and make clear the ODFI bears the responsibility for the items it introduces into he ACH network but do not otherwise prescribe due diligence standards for processor relationships.

Subject to the principles-based standards described in supervisory guidance, NACHA rules, and other considerations, banks and even payments processors themselves might want to consider the standards included in state attorney general settlements in developing their own due diligence policies.

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

May 19, 2009 in ACH, bank supervision, checks, remotely created checks | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01157095d05b970b

Listed below are links to blogs that reference State attorneys general shine light on gray areas of payments risk:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 12, 2009


Patenting the payments system: Navigating confusing and congested waters

Anybody looking to innovate in the payments space may need to tiptoe carefully to avoid stumbling upon patent infringement. What's more, the complex patent landscape may raise interesting questions about the ability of the payments industry to collaborate.

Some years ago I ran a thought experiment to consider whether U.S. "payments patents" could be assessed easily using the U.S. Patent and Trademark Office (USPTO) classification system. Unfortunately, the classification system does not label patents as "payments-related" per se, so there is no scientific manner to search for related patents without studying claims on thousands of patents individually. However, one can derive an impression of the landscape by using a simplified approach of counting patents across a limited set of USPTO patent classifications that most strongly exemplify "payments-related patents" (drawing particularly on subclassifications 705/39-45 and 705/64-79). In these subclassifications, 3,659 patents were issued from 1998–2008, with 653 (17.8 percent) issued in 2008 alone. If one considers these back-of-the-envelope calculations and even controls for the "noise" between the USPTO classification system and what is considered "payments-related," there is nevertheless a revealing picture of the complexity and potential for patent infringement for any firm trying to innovate in the payments space.

What's more, an understanding of the payments patents landscape is also useful when considering the possible impact of patents on a highly segmented market like payments, which is characterized by network effects, first-mover advantages, large sunk costs, and lock-in effects. Some existing research examines the impact of patents on financial services innovation generally.

In the payments market, on balance, will patent holders hinder market entry, or will they enable new market entry for new innovations? How do patent rights affect payments industry efforts to set standards, develop and implement innovative risk management tools, or create new products that improve the integrity of the payments system overall? Does a concern about patent rights further hinder industry efforts to share information necessary to address risk issues collectively?

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

May 12, 2009 in collaboration, innovation, payments | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c011570819a25970b

Listed below are links to blogs that reference Patenting the payments system: Navigating confusing and congested waters:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad