Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 20, 2015
Unsafe at Any Speed?
If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?
I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.
- Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
- Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
- Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
- Track and report. We must do more of this in a frank, transparent way and it must be timelier.
Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.
There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.
The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
May 11, 2015
The Hill Tackles Cybersecurity
In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.
Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.
National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.
Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.
The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Hill Tackles Cybersecurity:
May 19, 2014
Choking on the Cost of Risk Management
In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.
While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.
The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.
By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.
To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.
Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Choking on the Cost of Risk Management:
January 27, 2014
The Importance of Partnerships between the Private Sector and Law Enforcement
Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.
Below are descriptions of organizations that are built on such collaborations.
- Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
- National Cyber-Forensics &l Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identity, mitigate, and ultimately neutralize threats.
- Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
- InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
- Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.
Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Importance of Partnerships between the Private Sector and Law Enforcement:
October 15, 2013
Fighting Counterfeit Currency and Protecting the Integrity of Our Payments System
The Federal Reserve recently introduced the redesigned $100 note into circulation and has begun an extensive public awareness campaign to acquaint consumers and merchants with the new note. The production of this note marks more than 10 years of effort and technology innovation to make U.S. currency more resistant to counterfeiting. The note incorporates two new security features: a 3-D security ribbon and a color-shifting image. These features are in addition to features such as an embedded security thread, portrait watermarks, and microprinting, introduced in the first redesigned note—the $20—back in 2003. The redesign of the $100 completes the current cycle of note redesign; there are no plans to redesign the $1 and $2 notes due to their low appeal to counterfeiters.
Fighting the constant battle against counterfeiters falls officially to the United States Secret Service, although they certainly rely on support from other federal, state, and local law enforcement agencies as well as from the general public. Many people erroneously believe the Secret Service was created in July 1865 as a reaction to President Lincoln’s assassination three months earlier. But the original mission of the Secret Service was to suppress the rampant problem of counterfeit currency being produced by the 1,600-plus private banks. The authority of the Secret Service was broadened two years later to include bootleggers, mail robbers, and others conducting fraudulent activities against the federal government. The Secret Service wasn’t given official responsibility for executive protection until the early 1900s, following the assassination of President William McKinley.
How big is the counterfeiting problem? It is constant, even though electronic financial crimes have more lucrative payoffs and are more difficult to investigate and prosecute. Over the last 10 years, the Secret Service has seized more than $295 million in counterfeit notes. The Secret Service investigates every counterfeiting report since it is often a series of individual reports that leads to a trail of counterfeiting activity by a criminal moving over a geographic area.
Criminals still employ crude counterfeiting techniques, but improvements in printer technology have made detecting counterfeit bills more difficult. Early counterfeiting deterrence relied on the skill needed to operate an offset printing press, along with the high costs of these printers. Now, the weapon of choice of counterfeiters is the advanced laser printer. Since these printers are capable of producing high-quality graphics, the development of the additional anti-counterfeiting technologies now incorporated in the new $100 note (as well as the redesigned $50, $20, $10, and $5 notes) was necessary in this continuous challenge to stay ahead of the criminals.
At Portals and Rails, we urge all financial institutions to maintain communication with your consumer and business customers about the challenges that counterfeit currency present and the steps to take should they come across a note that appears suspicious.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 18, 2011
Can electronification close tax loopholes opened by cash?
Happy Tax Day! Today is the deadline for paying 2011 federal taxes. Those of us who have waited until the last minute still have until midnight tonight to file our returns electronically. Although the vast majority of Americans will pay their taxes voluntarily, a small minority of evaders do not. According to a study conducted by the IRS for tax year 2001, for example, tax evasion resulted in a $345 billion federal tax gap. More than 70 percent of this gap can be attributed to individual small businesses, who the IRS estimates report only 43 percent of their income, with particularly low reporting of income received as cash. Underreporting is possible because cash payments are invisible to authorities, and therefore the social burden of tax evasion needs to be considered a risk of a cash payment system.
For those of us who do voluntarily pay our taxes, tax evasion by a few seems unfair and even immoral. Indeed, 87 percent of Americans feel that it is never acceptable to cheat on your taxes. Tax advocate Nina Olson further notes that "[t]he tax gap has real victims. Individuals and businesses that evade tax impose a significant burden on those who comply with their tax obligations." Evaders tend not to see the issue in terms of morality, however. The academic literature suggests that the primary driver of small businesses tax evasion is opportunity.
The temptation of cash income
Previously, I covered some of the risks of cash acceptance to small businesses: threats of robbery, employee theft, and counterfeit bills. Nevertheless, many small businesses seem to prefer cash. This is partly to avoid credit card processing fees and the risk of bad checks. But the greatest allure of cash to many small businesses may be its low visibility to tax authorities. Cash transactions do not automatically generate a paper trail and as such comprise the bulk of unreported income. The IRS's tax gap analysis actually understates the extent of evasion by limiting their estimate to federal income tax losses. Evaders are also dodging state income and employment taxes, as well as state and local sales taxes on the unreported income. A small merchant might be willing to accept some risk of theft in order to avoid such a hefty tax burden!
The burden of tax evasion
To achieve these illicit benefits, tax evaders take major risks and bear significant costs. The IRS conviction rate in the cases they pursue has never fallen below 90 percent. When caught in evasion, business owners often have to pay large fines and serve prison sentences. Even if they never face enforcement actions, tax evaders must invest considerable resources and change behaviors in order to avoid detection. The business owners may have to share illicit gains with a complicit accountant or spend significant time and effort to manufacture false numbers and backup documentation for claimed income. They also cannot deposit funds in a bank account, because doing so establishes a paper trail, so they must find other places to store the cash they receive. Not only do these tax-evading business owners risk theft and destruction of their hoarded cash, but they also are unable to use their unclaimed income to secure credit from banks. Furthermore, they run the risk of someone reporting their large cash purchases to the IRS or the Financial Crimes Enforcement Network, which would increase and the risk of an audit.
In addition to the costs borne by the evader, tax evasion imposes externalities on others. Businesses that voluntarily pay taxes operate at a competitive disadvantage, which results in a market distortion. Despite their having to charge market prices for their products, compliant businesses have higher costs than their tax-evading competitors.
The IRS takes action
We have a strong interest in collecting this revenue and correcting the market failures caused by tax evasion. Other countries have responded to unreported cash income in a variety of ways. Mexico has a two percent tax on large cash bank deposits to capture informal market activity. As part of their recent austerity plans, both Italy and Greece have banned high-value cash transactions in order to limit tax evasion. In the United States, the IRS will be using the electronic payments system to address underreporting of cash income: IRS rule 6050W will require merchant processors—the companies that process credit and debit card payments for businesses—to report their clients' receipts to the IRS annually. The IRS will use this data to improve audit algorithms. Third-party income reporting is a classic technique for increasing compliance. 6050W went into effect for tax year 2011, and the IRS will begin receiving the relevant data in January 2012.
Increasing electronification of both payments and tax administration should lead to increased transparency of small businesses income. This greater transparency might result in a natural decline in tax evasion over time. Is there a role for the payments industry in ensuring compliance? Cooperation among industry processors, compliant businesses, and regulators may represent an opportunity to lower the social cost of cash payments, and thereby mitigate risk in the payments system.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
November 8, 2010
Proposed rule targets cross-border wire transfers
In its simplest terms, money laundering generally involves the creation of an intricate series of financial transactions designed to conceal the identity, source, and destination of illicitly obtained funds. The success or failure of the laundering process generally turns on whether the launderer successfully minimizes or eliminates the trail that would lead law enforcement to trace the illicit proceeds back to their illegal source.
One common method for laundering money is wire transfers, particularly cross-border wire transfers, as they permit funds to move instantaneously from one account to another within and among international financial institutions. The Financial Crimes Enforcement Network (FinCEN) recently took action to address the money laundering risks commonly associated with cross-border wire transfers by proposing more stringent reporting requirements for financial institutions.
Expanded reporting for cross-border wire transfers
On September 27, 2010, FinCEN issued a notice of proposed rulemaking that would lower the reporting threshold on cross-border electronic fund transfers (CBEFT) from $10,000 to $1,000. FinCEN based its proposed rule on the conclusions of two studies: Feasibility of a Cross-Border Electronic Funds Transfer Reporting System under the Bank Secrecy Act, and Implications and Benefits of Cross-Border Funds Transmittal Reporting. The proposed rule would also require certain depository institutions and money services businesses to provide records to FinCEN of certain cross-border electronic transmittals of funds. Banks directly transacting with foreign financial institutions would be required to report all cross-border wire transfers to FinCEN.
The proposal would also require financial institutions to report the taxpayer identification numbers (TIN) of individuals who make CBETFs. Banks would file a list of these numbers annually for all CBETFs, regardless of the amount. MSBs would file TINs for CBETFs of $3,000 or more.
Currently, financial institutions are subject only to reporting suspicious wire transfers and maintaining and making available upon request to FinCEN records of cross-border wire transfers. According to FinCEN, the proposed rule will most likely affect larger financial institutions that use centralized message systems like SWIFT (Society for Worldwide Interbank Financial Telecommunication), Fedwire, and CHIPS (Clearing House Interbank Payments System).
The challenge in monitoring cross-border wire transfers
Monitoring cross-border wire transfers can present unique challenges since their processing can sometimes involve several intermediary financial institutions before the intended funds are received by the beneficiary. Effectively monitoring these transfers for anti-money laundering purposes generally requires that banks and nonfinancial institutions be knowledgeable of an account's normal and reasonable activity so they are better armed to identify transactions that may fall outside a known pattern.
According to a paper by the Basel Committee on Banking Supervision, there is need for improved transparency in cross-border wires due to the variance with the existing wire structure, which has done little to enable institutions to report the difference between cross-border and domestic wire transfers. The paper states that existing messaging practices can impair an institution's risk management and compliance obligations.
The proposed cross-border wire transfer reporting requirements are intended to improve transparency by facilitating more information gathering and enhancing money laundering due diligence. The proposed rule may also further assist law enforcement with the arduous task of unraveling the launderers' intricate web of tracing laundered proceeds back to their illegal source. FinCEN estimates that the proposed rule will spur 500 million to 700 million new reports a year. Currently, financial institutions and MSBs file more than 15 million reports per year.
Containing existing loopholes
FinCEN indicates that the enhanced reporting requirements will help close certain loopholes in the existing wire transfer rules that are exploited for money laundering, terrorist financing, and tax evasion—for instance, money launderers often purposefully send funds in increments below the current reporting threshold and use multiple institutions to avoid detection. Nevertheless, it is hoped that heightened reporting of account activity will help law enforcement and regulatory authorities detect, mitigate, and investigate money laundering and other illicit financial crimes. Or will the increased reporting requirements only serve to flood FinCEN with massive amounts of wire transfer data? But that is the topic of a future post.
The proposed rule is open for comment until December 29, 2010.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Proposed rule targets cross-border wire transfers:
October 18, 2010
Fighting back: Good news on the law enforcement front
I've noticed that blogs by their nature tend to focus on pointing out problems, this blog included. But I think it's also important to identify progress and celebrate victory in a society that appears to approach every topic from a negative angle. So here goes!
In the past, we've reported on all kinds of complications and issues in the cooperative efforts necessary to catch bad actors intent on defrauding folks in the payments space. This includes the sometimes difficult efforts of government and law enforcement to work together across borders. In the past few months, though, we've seen some significant accomplishments with respect to industry collaboration to address payments-related crimes.
First, we reported some time ago that a rift between the European Union and the FBI had resulted in the European Parliament's rescinding the FBI's access to the wire transaction data of SWIFT—short for the Society for Worldwide Interbank Financial Telecommunication. In late June 2010, the European Union, via the European Council, signed with little fanfare a new five-year contract with the United States, allowing U.S. authorities to continue sharing European bank data for the purpose of counterterrorism. The key to the renewal was the promise of stronger controls over data privacy and the presence of a third-party overseer to make sure that data provided to U.S. authorities were accurately maintained and procedures existed to manage redress if a person's private data was abused. This five-year deal ensures that the global fight to address the financial aspects of terror activities can proceed aggressively.
Second, we've spent some time in this space talking about the growing problem of corporate account takeovers over the Internet, in addition to traditional identity theft forays, particularly from foreign sources. We've also described the complexity of U.S. and foreign law enforcement authorities working together to apprehend instigators of such schemes. In the last few weeks, however, we've been delighted to see a spate of successes by European and U.S. authorities—often working together—that will send a message to perpetrators who may believe that they are free to conduct crime in cyberspace.
In partnership with Slovenian Criminal Police and the Spanish Guardia Civil, the FBI announced in July that a two-year investigation into European-based fraud activity had resulted in the arrest of the operators of the Mariposa Botnet, quickly followed by the arrest in Slovenia of the Botnet's creator, who was code-named "Iserdo." All parties lauded the value of the strong law enforcement partnerships present in this effort.
In August, U.S. and French authorities worked together to arrest a notorious cybercriminal owning the moniker of "BadB." Otherwise known as Vladislav Horohorin, BadB had been targeted by the U.S. Secret Service for some time. He was arrested by French authorities while traveling in France. If extradited to the United States, Horohorin faces up to 12 years in prison.
In September, U.S. and British authorities made what seems to be well-coordinated announcements concerning the wide-ranging arrests of Eastern European cybercriminals engaged in hacking and account takeover activities of British and U.S. small businesses. U.K. officials announced that the Metropolitan Police's e-crime Unit arrested in a predawn raid 11 individuals on charges of fraud and money-laundering activities that netted close to $40 million dollars. This announcement was followed by an announcement from the New York U.S. Attorney's office that they had issued 60 arrest warrants and made 20 arrests for U.S.-based perpetrators involved in similar account takeover schemes. At least 37 of the individuals involved were so-called "money mules," hired by overseas criminals to open bank accounts and deposit funds stolen from businesses, then wire the funds overseas after keeping a nice fee. This effort featured extraordinary cooperation among the U.S. Attorney's Office for the Southern District of New York, the FBI, the New York Police Department, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service. The gang appears to have stolen at least $4.2 million from small businesses and security brokers in the United States.
At any rate, our hats are off to the various law enforcement authorities who successfully participated in these actions. We look forward to more such efforts as a growing deterrent to those who use cyberspace as a playground for financial crime. Mr. Horohorin may have plenty of company during his stay in the United States.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Fighting back: Good news on the law enforcement front:
September 7, 2010
Is KYC DOA? The tribulations of trying to know your customer
Based on recent nightly news coverage, it appears that armed robbery has entered a new era of "brazenness," as robbers seem to commit their crimes without the cover of a disguise, despite the growing omnipresence of security cameras. I seem to recall that in the good old days of TV westerns, the robbers always wore disguises—at least they covered their faces with bandanas. Unfortunately, in the world of cybercrime, the disguises are still a basic part of the uniform as bad actors go about the business of laundering money, financing terrorists, and committing general computer crimes.
Increasingly in the wake of the Sept. 11 attacks, the responsibility for wrestling with detecting criminal financial activity lies with banks, subject to the provisions of Section 326 of the Patriot Act. In essence, the Patriot Act extended the earlier requirements of the Bank Secrecy Act to place financial institutions in the center of a process to know more and more about their account holders. Generally described as the "Know Your Customer" (or KYC) provisions of the act, Section 326 requires financial institutions (now broadly defined to include everything from traditional banks to gambling casinos) to gather, record, and report a great deal of specific information about their business and consumer customers.
Customers have reacted to this heightened information-gathering process with some frustration, yet it is simply the consequence of the global village in which we now live. The standards for such information gathering are cataloged in the Customer Identification Program (CIP) requirements of the Patriot Act, but many institutions, in an effort to protect their bank's financial welfare and avoid criticism from regulators about adhering to the letter of the law only, have extended their programs into the area of customer due diligence (CDD). CDD embraces broader information gathering that may frequently seem intrusive to the customer. For example, CDD may ask customers to describe the nature of transactions flowing through their accounts so that the bank can establish a risk rating for the accounts. However, in today's reality of global cybercrime, have we come to the point where even extended CDD may not be sufficient?
The emergence of third parties in the payments arena
This question is accentuated by the increasing roles of third parties in the payments system. Many third parties are legitimately engaged in providing services and technology support to businesses and banks alike in order to facilitate a more efficient use of the payments system. For example, some companies offer ACH or electronic check origination services to smaller businesses that cannot easily afford the acquisition of in-house systems to accomplish certain payment functions. While it is reasonable to assume that a bank can perform due diligence reviews on such third parties, history has been a harsh teacher in revealing that the third party (the bank's customer) can be well intentioned, but some of the companies they provide services to (the customer's customer) may be less honorable. Consequently, we talk in the trade of the fact that banks must now know their customer's customer (KYCC).
It turns out that this is not an easy thing to do. Nor is it easy to tell their customer's customer how to do it. For instance, many of the customer's customers may be startup companies, entrepreneurs pursuing the dream, or relatively small niche businesses. Some such firms start legitimately and intentionally act innocently until such time that they are positioned to commit significant fraud. In other words, the robbery suspects in cyber space do wear bandanas and they do disguise themselves so that no one can make an easy determination in advance as to their trustworthiness. In fact, they do it so well that we must ask, "Is KYC dead on arrival?" in this modern world of payments.
It is increasingly apparent that the answer is, "No, KYC isn't dead, but neither is it enough." A good KYC plan is better than no plan and is needed to comply with the Patriot Act, but we cannot possibly expect such a plan to be foolproof. Instead, we need to anticipate the possibility of a rogue player and complement KYC with other controls. Ultimately, this means that noncard transaction processing systems need to begin to adopt many of the practices used in card systems, including data forensics to detect and address potentially fraudulent behavior before it happens or as soon after it happens as possible.
In addition, it may be time for the industry, working with regulators, to examine the growing importance and risk profiles of nonbank entities engaged in the payments space. Most of today's fraudsters fall outside of the regulatory purview of bank supervisors and examiners, leaving the field to agencies such as the Federal Trade Commission. In 1850, the Pinkerton Agency was formed to assist the government in finding and arresting bank robbers. Perhaps we need a modern-day cyber version of the Pinkertons, armed with powerful networked computers to reach out and oversee the operations of a bank's customer's customer on behalf of regulators and law enforcement bodies everywhere. At any rate, a fresh look at this topic couldn't hurt.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Is KYC DOA? The tribulations of trying to know your customer:
August 16, 2010
States tackle information security with a focus on payments fraud
In response to increased data breaches like the Heartland Payment System incident, some states have passed laws requiring businesses to comply with the Payment Card Industry Data Security Standard (PCI DSS), while others have passed laws with enhanced privacy and encryption requirements for organizations that handle consumers' credit and debit card numbers. But can state laws be changed quickly enough to keep pace with the creative approaches of individuals who commit fraud?
According to Javelin Strategy & Research's 2010 Data Breach Prevention and Response study, approximately 26 percent of U.S. consumers received data breach notifications in 2009. The study also found that one in four consumers had their credit or debit card replaced in 2009 due to security concerns. Additionally, data collected by the Identity Theft Resource Center shows that though the number of breaches may rise and fall, overall, the number data breaches has doubled since 2007.
*Adjusted Heartland number from 30 million to 130 million as per alleged breaches in Justice Department documentation.
Enhanced state encryption and payment card laws
States such as Massachusetts, Arizona, and Nevada have enacted encryption laws, while other states such as Washington and Minnesota have enacted payment card laws. However, to date, only Nevada and Washington have enacted a combination of both encryption and payment card laws.
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain personal financial data about its residents. Massachusetts' new encryption law is said to add teeth to a key requirement that many security breach notification laws lack by specifically delineating the security requirements that organizations must adopt to ensure their security measures are "reasonable" and "adequate." Some of those specifications include securing user authentication protocols, encrypting all personal information that travels across public networks and wirelessly, monitoring systems for unauthorized use or access, and updating security systems.
States that have adopted both enhanced encryption and payment card laws go a step further, requiring not only compliance with PCI DSS but also that the organization have an annual security assessment validating its compliance. The assessment must be performed annually to ensure compliance with PCI DSS.
What about out-of-state business?
Businesses that transact with consumers from one of the states that have enacted these laws may be required to comply with the new state laws. For instance, the Nevada encryption law applies to businesses in the state of Nevada but may extend its reach to businesses outside the state if they have a strong enough presence in Nevada.
Laws assign liability to payments participants
Some state laws address liability among payments participants to ensure that the participant in the best position to prevent loss carries its share, if not all, of the costs associated with the loss and subsequent loss prevention efforts. Determining which participant is responsible has undergone changes in the states that have adopted enhanced payment card laws. The states of Washington, Nevada and Minnesota, for example, make merchants who are not compliant with PCI DSS liable to financial institutions for associated costs in instances of security breaches. Washington state holds a business or processor liable to a financial institution for costs related to a data breach even if the financial institution has suffered no loss. Under Washington state's new payment card law, a vendor may also be held liable to a financial institution for damages that occurred as a direct result of the vendor's negligence.
Since the loss of data can be an indicator that fraud is being perpetrated, these latest state laws look to ensure that businesses who hold such data do so in a manner that appropriately safeguards consumers' privacy. Data breach and loss containment are ongoing challenges for organizations that handle consumers' nonpublic personal information, including credit and debit card numbers. The new encryption and payment card laws may require organizations handling consumer payments information to fundamentally reexamine their corporate security compliance obligations and evaluate the technical resources required to comply with specific state standards.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud