Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


June 27, 2011

What are you signing away with a signature instead of a PIN on card transactions?

Recent years have witnessed the commercial banking industry making some surprising risk management decisions. For instance, many financial institutions encourage their customers to choose the credit/signature option of their debit cards rather than the debit (PIN) option. But the credit option is more vulnerable to fraud, so it is ultimately more costly to the industry. In addition, signature debit transactions are processed through the credit card networks, which means the banks earn the higher interchange fee that comes from credit transactions as opposed to debit transactions.

The point of this discussion is not to look at the anticipated effect of the Durbin amendment on interchange practices, but instead to focus on the moral hazard presented by these practices in the context of our nation’s retail payment systems. The reason that signature debit carries a higher interchange fee is that it is less secure than PIN debit transactions. In a recent study by the Federal Reserve Bank of Minneapolis, financial institutions reported that signature debit fraud attempts eclipse fraud with other payment types. The report also says that debit cards along with checks are the payment types most often attacked by fraud schemes, and as a result sustain the highest losses.

Chart: Payment types with highest number of fraud attempts, by % of respondents

Source: 2010 Payments Fraud Survey: Summary of Results,
The Federal Reserve Bank of Minneapolis

However, the study also found that most financial institutions and other organizations report actual fraud losses as a relatively small share of their annual revenues, at less than 1 percent. This information sheds light on the risk-versus-return rationale behind these decisions.

As the incidence of payment card fraud in general is on the rise, it is time to take a proactive view of the risk management practices for debit card programs. While persuading customers to process debit card payments on card networks may be more profitable in the short run, the industry may realize an increase in fraud and risk in the retail payments system as a result.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

June 27, 2011 in consumer protection, fraud, interchange, risk


June 20, 2011

Is a national data breach notification law on the horizon?

Extensive privacy regulations exist that provide a framework for promoting identity theft prevention, data security, limitations on data use, requirements for data destruction, notice, user consent, and accountability. Some of these laws are the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Gramm-Leach-Bliley Act, among others. Each of these financial privacy laws has been amended several times since its enactment, but none has standardized data breach notification rules.

On the state level, some legislatures have tackled data breaches by stepping up privacy and encryption requirements for organizations that handle credit and debit card data. According to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed laws that require some form of notification when security breaches involving personal information occur. Most of the state laws have common themes, yet several differences exist among them, making it difficult, costly, and burdensome to develop a consistent and effective security incident response plan.

A push for national data breach laws
In 2009, two federal data security bills were pending, and both cleared the U.S. Senate Judiciary Committee. One even cleared the U.S. House of Representatives. However, neither became law. One was the Personal Data Privacy and Security Act of 2009 (Data Privacy Act), and the other was the Data Breach Notification Act. The Data Privacy Act sought to mitigate identity theft, ensure privacy, and require that individuals affected by a breach be notified. The Data Breach Notification Act also imposed notification requirements but provided a safe harbor whereby organizations were not required to report the breach if a risk assessment determined the incident would not harm consumers.

Other efforts followed when the Federal Trade Commission (FTC) and the U.S. Department of Commerce (DoC) released reports within days of each other with recommendations for protecting consumer privacy online. The FTC's report came out on December 2, 2010, and the DoC's report came out on December 16. The DoC report focuses on national consistency in security breach notification rules. The DoC recommends the implementation of a "[f]ederal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities."

Seeking exemption from the FTC and DoC recommendations
Not everyone is on board with the DoC and FTC recommendations. On January 31, 2011, the Securities Industry and Financial Markets Association (SIFMA), a consortium of financial firms, sent a letter to the FTC and DoC asking that their recommendations on privacy exclude industries—including the financial services industry—already subject to sector-specific regulations. SIFMA's letter expressed the view that existing national privacy laws like the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Electronic Communications Privacy Act sufficiently address the management of consumers' personal data.

SIFMA did express support for the introduction of a uniform national breach notification law that would preempt state laws, but only one that requires consumers to be notified of a breach when there is a significant risk of identity theft. SIFMA pointed out that "requiring notification if there is no significant risk of identity theft could have the unanticipated effect of overwhelming consumers with notices that might cause confusion and likely desensitize them to future notices."

Finding common ground
The comment period for the FTC report closed on February 18, 2011. Both the FTC and DoC are expected to issue final reports and guidance this year. The coincident timing of the FTC's and DoC's reports seems to have renewed focus on online privacy and on what best practices should be used to address perceived shortcomings.

Perhaps the FTC and DoC recommendations can shed some light on whether a national data breach notification law is warranted or whether the existing national and state-level laws sufficiently address the management of consumers' personal data. For now, it appears that most industry watchdogs believe that consumers and businesses alike could benefit from a national standard for security breach obligations, mainly because the differences in form and substance between states make it increasingly complicated to report data breaches to the public effectively and impose undue costs and compliance burdens on business.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

June 20, 2011 in consumer protection, cybercrime, identity theft, regulators


June 13, 2011

Avoiding security missteps in the brave new world of pervasive data collection

The emergence and meteoric rise of Internet-based firms and social networks is one of the biggest stories of the last decade. The movie version of Facebook's genesis even won several Oscars this year. The social network and its peers are noteworthy not only for their tremendous growth, but also for instituting a new business model. Facebook, Google, and similar companies generate the bulk of their revenues by collecting massive amounts of customer data to sell for targeted advertising.

Advertising based on such extensive data doesn't just result in higher sales—it also offers unprecedented value to consumers by matching them with the products they might want. However, consumers are also concerned about privacy. An ongoing Wall Street Journal investigation reveals the extent to which consumers' online behavior is being tracked by a multitude of players and the vast amounts of data now available to the highest bidder. And we've all been hearing about how the GPS location functionality of today's smart phones may be making it possible to collect additional consumer information. These trends are disconcerting to consumer advocates, who recognize that risks exist alongside the promise of valuable contextual and location-based offers. In addition to privacy implications, the broad collection of data raises questions about the security of that data. What are the risks to consumers if criminals gain access to these databases?

Any data that is collected and stored is at risk of being breached. This has been particularly troubling for the payments industry. Merchants and payments processors for years collected payment card data in their systems, regarding the threat of a breach as a low-probability and low-loss event. Eventually, enterprising criminals found ways to exploit this data, and PCI-DSS was born as a remedy. Merchants and processors were forced to play an expensive game of catch-up as they scrambled to become compliant.

Some consumers may not worry about breaches of online behavioral data. Who cares if someone finds out their favorite movies, that they have a weakness for Italian handbags, or that they stopped at Kroger after work on Thursday? These pieces of information seem banal and inconsequential. Further thought, however, reveals more worrisome possibilities. Imagine a data breach that exposed all of your movements for the last year, a complete profile of your preferences and demographic characteristics, or all of your online searches for the past quarter. In the wrong hands, such data could be used for illicit activities like identity theft and payments fraud.

Extensive behavioral information could facilitate financial fraud, allowing criminals to fly under the radar of existing fraud detection systems. In the United States, the use of transaction monitoring systems that rely on behavioral analysis to detect anomalous purchases has proven successful in mitigating card fraud to a certain extent. But if fraudsters have access to a consumer's payment behavior in addition to the stolen card, they could mimic legitimate transactions and decrease the chances of getting caught. Sophisticated international crime rings are likely to harness such advantages whenever they're available.

Behavioral and location data could also be exploited by local criminals. Thieves might take advantage of knowing homeowners' locations to rob their homes while they're out. Stalkers sometimes track their target using the location awareness of the target's mobile phone. Blackmail is also a possibility if a person's online browsing or shopping behavior reveals something this person would wish to keep private.

Online and mobile data collection firms can learn from the experience of the card industry by self-regulating and proactively avoiding data breaches. The industry has already shown considerable self-regulation in response to privacy concerns, and it could expand these efforts to include broader data security initiatives. Best practices for data security are known, but they require up-front technology investments. For example, data can be anonymized and delinked from individuals, limiting the risk of criminal misuse. The only question is whether online firms will proactively use available data security tools or whether they will be stuck cleaning up after data breaches down the road.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

June 13, 2011


June 6, 2011

Who does what in fighting payments crimes? Explaining the acronyms and roles of agencies

My grandmother always enjoyed a good laugh. I fondly remember her laughter as we listened to Abbott and Costello's comedy sketch "Who's on First?" multiple times during every visit to her home. I must admit that at times I can feel like Costello when discussing the many different organizations (and their related acronyms) that play a role in regulatory and legal oversight of financial-related crimes. Though not necessarily as funny as Abbott and Costello's sketch, the multitude of organizations and their related acronyms in the United States and the roles they play as they relate to financial-related crimes are enough to make even Costello think that St. Louis's lineup is a breeze to follow. In an effort to allay some of this confusion, let's examine several organizations involved in the fight against financial and payments-related crimes.

Financial Crimes Enforcement Network (FinCEN)
FinCEN was established in 1990 by the U.S. Department of the Treasury. FinCEN is responsible for issuing and administering rules and regulations governing the reporting of currency and foreign transactions as defined in Title II of the Bank Secrecy Act. Title III of the USA Patriot Act gives FinCEN additional responsibilities that include developing rules and regulations related to due diligence and surveillance of suspected terrorists and those engaging in criminal activities.

FinCEN works with law enforcement and regulatory agencies to deter and detect terrorist financing, money laundering, and other financial criminal activity through the sharing of data collected from institutions, as prescribed by the Bank Secrecy Act and the USA Patriot Act. Though FinCEN develops regulations that financial institutions must follow, the agency does not have any oversight powers, so it has to rely on other regulatory/supervisory organizations to ensure that financial institutions comply with their rules and regulations.

Financial institution regulators/supervisors
The Federal Financial Institutions Examination Council (FFIEC) was established to prescribe uniform principles, standards, and report forms for the examination of financial institutions. The organization or agency that regulates a particular financial institution depends on the type of institution. The FFIEC attempts to ensure uniformity in the supervision and regulation of financial institutions, regardless of the supervising agency.

The Office of the Comptroller of the Currency (OCC) is responsible for supervising national banks. State-chartered banks are under the supervision of a state regulatory agency. If they are members of the Federal Reserve System, they also receive supervisory oversight from the supervision and regulation arm of the Federal Reserve, typically rotating examination cycles with the state regulatory authority where they are chartered. The Federal Reserve is also the regulator for financial holding companies, with supervisory oversight for all organizations and their activities within the holding company.

The Federal Deposit Insurance Corporation (FDIC) participates in regulatory oversight for state-chartered banks that do not join the Federal Reserve System to lessen the burden on state agencies. Most importantly, the FDIC engages in reviews of both state and national banks should their troubled condition present a threat to the deposit insurance fund.

Credit unions are supervised by the National Credit Union Administration (NCUA). Before merging with the OCC, the Office of Thrift Supervision (OTS) supervised the U.S. thrift industry. Under this merger, the OTS will be phased out by July 2011. The Federal Reserve Board will then take over the supervisory role of thrift holding companies, and the OCC will supervise all federal thrifts.

In their supervisory roles, these agencies ensure that financial institutions have Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programs in place as prescribed by FinCEN and that financial institutions comply with other rules and regulations established by FinCEN and other bodies, such as state and national governments.

Law enforcement organizations
Though the United States Secret Service is best known for protecting the president, it is also responsible for investigating financial crimes that include counterfeiting of cash and U.S. Treasury securities, access device fraud, financial institution fraud, identity theft, and computer fraud. The Secret Service often works side-by-side with the Federal Bureau of Investigation (FBI), which investigates Internet fraud, identity theft, and money laundering, among many other crime types. In investigating and detecting financial crimes, these agencies rely heavily on data from FinCEN obtained from financial institutions' filings of suspicious activity reports. While both the Secret Service and the FBI tend to focus on larger, high-profile crimes, local and state law enforcement agencies also play a critical role in leading the investigation of similar but smaller financial crimes as well as assisting the national organizations on larger crimes.

The role of the Retail Payments Risk Forum
In this web of organizations, guidelines, rules, and regulations, the Retail Payments Risk Forum (the Risk Forum) seeks to facilitate collaboration among participants in the payments industry. The Risk Forum has been successful in filling a critical and neutral role in bringing together members from the Federal Reserve System, bank regulatory agencies, rule-enacting agencies, law enforcement, and the payments industry for dialogue and information sharing. Furthermore, members of the Risk Forum are actively engaged in providing "boots on the ground" surveillance on service developments and emerging risk issues in retail payments systems.

As new payments risks take root and new organizations such as the Consumer Financial Protection Bureau (CFPB) emerge, it is imperative that these parties continue to engage with each other to effectively combat the growing threat of risk and fraud in the U.S. payments system.

This table summarizes the roles of the agencies.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 6, 2011 in payments, regulators
