Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


January 25, 2010

Connecting the dots needed to reduce payment risks

Some say baseball is not only America's Game, but also a metaphor for life in America. As a lifelong fan I have noticed that each year a couple of rookie players explode onto the scene in April, putting up terrific numbers and establishing themselves as the sport's next great icons. Usually by mid-May they have disappeared from the league leader boards as their numbers fall precipitously. Why? Because the league knows very little about the players' strengths and weaknesses in April, but as time wears on, pitchers make adjustments to exploit the rookies' weaknesses. Don Sutton, an announcer for the Atlanta Braves, says that baseball is a game of continuous adjustments. The rookie wunderkinds will only be successful over the long run if they are able to make the adjustments necessary to counter the pitchers' new approach.

In today's payments world, rookie fraudsters are having significant success penetrating corporate payroll and accounting systems using Trojan horse and key-logging software to insert bogus payments into the company's disbursement streams without the company realizing until it is much too late. So-called "money mules," hired by the kingpin fraudster, receive the "stolen" funds in new accounts and immediately wire them to faraway places after taking their promised cut. Such schemes have been much discussed in the payments industry press over the past few months.

My wife's sister is the bookkeeper for a small firm, and in that role she is responsible for most of the company's disbursements, including payroll. Over a glass of eggnog or some acceptable substitute, I told her about these schemes and she listened, wide-eyed. We discussed the controls that were in place in the company that could detect and prevent them from becoming a victim, and I began to realize the problem we face as an industry in addressing such new threats. Like the rookie baseball player, we must begin to adopt a mentality of constantly adjusting to the ploys of the fraudsters to ensure our future success. For example, a company could add a new step to their disbursement process that would check payroll totals for reasonableness in terms of numbers and dollars, scan preliminary logs of payees, names or accounts, etc., before pressing the transmit button. The challenge is to figure out how to share threat information broadly enough to reach the point of common sense protection. There can be no remedy if there is no awareness.
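The pre-transmit step described above can be sketched in a few lines. This is an added example, not part of the original post; the field names, the 15 percent tolerance, and the sample payroll data are all constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data: prior payroll runs and the accounts paid in them.
HISTORY = [
    {"count": 4, "total": Decimal("10000.00")},
    {"count": 4, "total": Decimal("10200.00")},
    {"count": 4, "total": Decimal("9900.00")},
]
KNOWN_ACCOUNTS = {"1001", "1002", "1003", "1004"}

CLEAN_BATCH = [
    {"name": "A. Lee", "account": "1001", "amount": Decimal("2500.00")},
    {"name": "B. Cruz", "account": "1002", "amount": Decimal("2600.00")},
    {"name": "C. Shah", "account": "1003", "amount": Decimal("2400.00")},
    {"name": "D. Kim", "account": "1004", "amount": Decimal("2550.00")},
]
# The same batch with two payments inserted to accounts never paid before.
TAMPERED_BATCH = CLEAN_BATCH + [
    {"name": "E. Doe", "account": "9001", "amount": Decimal("4800.00")},
    {"name": "F. Roe", "account": "9002", "amount": Decimal("4900.00")},
]

def review_batch(batch, history, known_accounts, tolerance=Decimal("0.15")):
    """Return findings that should stop transmission; an empty list means proceed."""
    findings = []
    avg_count = Decimal(sum(h["count"] for h in history)) / len(history)
    avg_total = sum((h["total"] for h in history), Decimal("0")) / len(history)
    total = sum((p["amount"] for p in batch), Decimal("0"))

    # Reasonableness of numbers: payment count against the recent average.
    if abs(len(batch) - avg_count) > avg_count * tolerance:
        findings.append(f"count {len(batch)} vs usual {avg_count:.1f}")
    # Reasonableness of dollars: batch total against the recent average.
    if abs(total - avg_total) > avg_total * tolerance:
        findings.append(f"total {total} vs usual {avg_total:.2f}")
    # Payee scan: any account that has not been paid in a prior run.
    for p in batch:
        if p["account"] not in known_accounts:
            findings.append(f"new payee {p['name']} account {p['account']}")
    return findings

if __name__ == "__main__":
    for label, batch in (("clean", CLEAN_BATCH), ("tampered", TAMPERED_BATCH)):
        print(label, review_batch(batch, HISTORY, KNOWN_ACCOUNTS) or "ok to transmit")
```

A single inserted payment that replaces a legitimate one keeps the count and total within tolerance, so only the payee scan catches it; the three checks are complementary rather than redundant.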

A number of organizations are working on education and communications efforts within their industries, but the best protection is always a first-line defense at the point of greatest vulnerability—the corporate originator of payments. While we in banking view the depth and breadth of our industry as daunting, it is trivial compared to the universe of American business, from large mega-corporations who can invest millions in protection to small entrepreneurs engaged in realizing their lifelong dreams, totally oblivious to the dangers of the brave new world. What, then, can we do to address this seemingly impossible challenge?

The answer would seem to lie in harnessing the amazing technology present in the world today, the same technology being used by the bad guys. Just as nuclear technology can be used to pursue both good and bad objectives, so can e-mail systems, social networking, twittering, and other yet-to-be-discovered advents of the new century. My sense is that the problem lies in discerning how to connect the dots. In other words, how can we as a society create a massive web of "community of interest" associations that allows information to reach the eyes and ears of all (or most) of those who need to hear it?

From my background as a math major, I know that the shortest distance between two points is a straight line (actually, I think you can get this from high school geometry). Noting that every company needs a bank, my sense is that the straight line for this effort runs directly from the central industry sources of fraud knowledge, to the banking community, to a bank's business customer base. Simultaneously, another connection at the top of the chain runs from industry sources to other parties in the regulatory and law enforcement businesses.

Over the past few months, we at the Retail Payments Risk Forum have become aware of and frequently engaged with several organizations who are interested in and trying to enhance the current communications and education process. For example, a new interagency fraud working group, co-chaired by the Department of Justice and the Federal Reserve Board, has been created to share information between bank and nonbank regulators and the law enforcement community. An effort to construct an educational toolkit for banks to use to report fraudulent activity is being developed under the auspices of BITS. In an ideal world, we would all work together to harvest the unique capabilities of each of the many efforts under way and try to coordinate them in such a way as to minimize duplication, maximize knowledge, ensure accuracy, and expedite wide distribution of information. In the months ahead, the Forum will be trying to work across many interested parties to see if there is a model for accomplishing this goal that could be deployed to the benefit of all possible victims in the "fraud value chain."

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

January 25, 2010 in fraud, payments risk


January 19, 2010

Retail Payments Risk Forum hosts conference on risks in emerging payments


The third annual Retail Payments Risk Forum conference, "Emerging Retail Payment Risk Issues: An Industry, Regulatory and Law Enforcement Dialogue," has come and gone, drawing a mix of bankers, regulators, and law enforcement representatives Nov. 5–6 at the Atlanta Fed. Unfortunately, many of the risks and fraud threats to emerging payments discussed at the conference will be with us awhile.

The good news is that the conference is one of the ways the stakeholders can collectively advance the fight against risk and fraud, through sharing information and strengthening relationships. Much of the information shared at the conference is now available on this site, including a conference summary and the presentations delivered by conference speakers.

As in the past, attendees participated in breakout sessions designed to promote the development of actions that all group participants could take during the year to collaboratively address issues of risk discussed during the conference.

Emerging payments create challenges and opportunities
Some key themes covered in the conference focused on the challenges and opportunities for payments risk management in an environment of technological change. The keynote speaker highlighted the fact that financial services companies must adapt to an array of transformative technologies in a time when consumer confidence and trust in financial institutions are threatened. Nonbanks continue to enter the retail payments marketplace to compete with regulated financial institutions for market share. An expert panel spoke on emerging payment market developments and outlined the trends and risks in new payment channels and devices, noting that contactless devices, mobile commerce, and social networking platforms are areas to watch. The person-to-person payment area is particularly ripe for innovation.

Alternative payment types and new providers can lead to increased security and fraud risks, requiring increased public and private engagement to promote effective risk-mitigation practices industrywide. This engagement is difficult as many financial institutions' risk management efforts can be fragmented by payment delivery type. While financial institutions must look across payment channels to develop holistic risk-mitigation programs, time-tested practices of ensuring dual controls and segregating duties in operations are still critical elements of effective risk management. Newer fraud schemes such as corporate account takeovers, analogous to corporate identity theft, can be combated effectively with current risk management tools if properly implemented.

Growing threats from data breaches and cybercrime
Still, the growing threats to cybersecurity by global crime rings represent a significant industry challenge. Panel experts discussed private and public partnerships and initiatives in place to respond to increased fraud in retail payments and improve the resiliency of the financial services sector. Law enforcement representatives discussed trends in criminal activity and recent successes in shutting down global crime rings. Industry practitioners discussed the need for better information sharing with financial institutions and law enforcement agencies to prevent criminals from migrating across payment systems and financial institutions.

This event offered the participants a deep and broad update on trends and issues of the day as the payments industry, regulators, and law enforcement all seek to work together to understand, mitigate, and deter risks and fraud in the emerging payments environment. Clearly, further work remains, and the landscape is ever changing. But the challenges faced are common to all parties, presenting an imperative for common understanding, information sharing, and collaborative action.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum


January 11, 2010

Mitigating unauthorized access to consumer accounts

New privacy rule: More clarity, less legalese
Keeping personal information private is increasingly difficult in today's environment, and as the shift toward paperless payments increases, new challenges emerge. All payment systems rely on some level of information sharing to be efficient, but they need to do so in a way that mitigates unauthorized access and fraud. Financial institutions continuously find themselves striking a balance between customers' increased demand for security, accessibility, and simplicity in their banking relationships and consumer protection laws and regulations.

Since the Gramm-Leach-Bliley Act's (GLBA) implementation in 1999, financial institutions have wrestled with how best to convey to their customers how personal information is collected and shared. GLBA requires each financial institution to provide an annual notice of its privacy policies and practices to consumers with whom it transacts business. This privacy notice should adequately describe how a financial institution will handle the disclosure of nonpublic personal information to affiliate companies and unrelated parties. While the intent of the notice was to improve transparency in the way nonpublic information is handled, consumers have complained that privacy notices are too lengthy, confusing, and packed with legalese. Partly in response to such concerns, in October 2006, the Financial Services Regulatory Relief Act amended the GLBA privacy rules to require that federal agencies develop model privacy notice forms and rules.

Federal regulators issue final model privacy notice form
On Nov. 17, 2009, the Fed's Board of Governors, along with the other banking regulators, released their final model privacy notice form to make it easier for consumers to understand how financial institutions gather, distribute, and protect their personal information. The form is not mandatory, but financial institutions that use the form will be provided a legal safe harbor from disclosure requirements under the privacy rules. Financial institutions may use other types of notices in addition to the model form as long as they comply with the privacy rules. Privacy advocates see this action as a step forward in consumer rights efforts. The new rule and notice form may be well received by the industry as new payment innovations introduce alternative ways to transport and use financial data, creating challenges for complying with privacy laws and regulation.

Data integrity and privacy
The preservation of consumer privacy encourages widespread participation in payments systems, a necessary element for an effective network. However, the exact degree of a consumer's desire for privacy protection is increasingly difficult to determine with emerging payments. This concept was articulated in research published by the New York Fed on emerging payments, which stated in part that "maintaining privacy is tricky because, by nature, it runs counter to the payment function: every type of payment requires the exchange of some information, which under the wrong circumstances can be subject to misuse." One example of misuse is identity theft, which can occur as a result of data breaches.

In 2008, the Federal Trade Commission (FTC) reported that approximately 9.33 million people experienced some type of identity theft crime and spent an average of $1,200 out-of-pocket to repair the damage. For the ninth year in a row, the FTC’s annual report on identity theft complaint data revealed that identity theft topped the list of complaints received in 2008. Events such as the 2008 data breach at payment processor Heartland Payment Systems, where information on more than 100 million payment cards was stolen through the use of malicious software, highlight the vulnerability of consumers' financial information.

In a study conducted by Javelin Strategy & Research, 19 percent of data breach victims also became victims to some type of consumer fraud within 12 months of the data breach occurring. Of the 19 percent, nearly 2 percent of the fraud victims reported that the fraud was a direct result of the data breach. These low numbers probably suggest a general lack of public understanding of the relationship between unauthorized data access and payments fraud.

Figure: Data breach and fraud victims; last 12 months

Losses reduced when consumer engaged
Perhaps the new privacy rule and model notice form will promote better communication to consumers on how nonpublic information is shared by financial institutions. These efforts will continue to be important as more nonbank entities participate in alternative payments going forward.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 11, 2010 in consumer fraud
