Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


January 11, 2010

Mitigating unauthorized access to consumer accounts

New privacy rule: More clarity, less legalese
Keeping personal information private is increasingly difficult in today's environment, and as the shift toward paperless payments increases, new challenges emerge. All payment systems rely on some level of information sharing to be efficient, but they need to do so in a way that mitigates unauthorized access and fraud. Financial institutions continuously find themselves striking a balance between customers' increased demand for security, accessibility, and simplicity in their banking relationships and consumer protection laws and regulations.

Since the Gramm-Leach-Bliley Act's (GLBA) implementation in 1999, financial institutions have wrestled with how best to convey to their customers how personal information is collected and shared. GLBA requires each financial institution to provide an annual notice of its privacy policies and practices to consumers with whom it transacts business. This privacy notice should adequately describe how a financial institution will handle the disclosure of nonpublic personal information to affiliate companies and unrelated parties. While the intent of the notice was to improve transparency in the way nonpublic information is handled, consumers have complained that privacy notices are too lengthy, confusing, and packed with legalese. Partly in response to such concerns, in October 2006, the Financial Services Regulatory Relief Act amended the GLBA privacy rules to require that federal agencies develop model privacy notice forms and rules.

Federal regulators issue final model privacy notice form
On Nov. 17, 2009, the Fed's Board of Governors, along with the other banking regulators, released their final model privacy notice form to make it easier for consumers to understand how financial institutions gather, distribute, and protect their personal information. The form is not mandatory, but financial institutions that use the form will be provided a legal safe harbor from disclosure requirements under the privacy rules. Financial institutions may use other types of notices in addition to the model form as long as they comply with the privacy rules. Privacy advocates see this action as a step forward in consumer rights efforts. The new rule and notice form may be well received by the industry as new payment innovations introduce alternative ways to transport and use financial data, creating challenges for complying with privacy laws and regulation.

Data integrity and privacy
The preservation of consumer privacy encourages widespread participation in payments systems, a necessary element for an effective network. However, the exact degree of a consumer's desire for privacy protection is increasingly difficult to determine with emerging payments. This concept was articulated in research published by the New York Fed on emerging payments, which stated in part that "maintaining privacy is tricky because, by nature, it runs counter to the payment function: every type of payment requires the exchange of some information, which under the wrong circumstances can be subject to misuse." One example of misuse is identity theft, which can occur as a result of data breaches.

In 2008, the Federal Trade Commission (FTC) reported that approximately 9.33 million people experienced some type of identity theft crime and spent an average of $1,200 out-of-pocket to repair the damage. For the ninth year in a row, the FTC’s annual report on identity theft complaint data revealed that identity theft topped the list of complaints received in 2008. Events such as the 2008 data breach at payment processor Heartland Payment Systems, where information on more than 100 million payment cards was stolen through the use of malicious software, highlight the vulnerability of consumers' financial information.

In a study conducted by Javelin Strategy & Research, 19 percent of data breach victims also became victims of some type of consumer fraud within 12 months of the data breach occurring. Of the 19 percent, nearly 2 percent of the fraud victims reported that the fraud was a direct result of the data breach. These low numbers probably suggest a general lack of public understanding of the relationship between unauthorized data access and payments fraud.

[Chart: Data breach and fraud victims, last 12 months]

Losses reduced when consumer engaged
Perhaps the new privacy rule and model notice form will promote better communication to consumers on how nonpublic information is shared by financial institutions. These efforts will continue to be important as more nonbank entities participate in alternative payments going forward.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
