December 09, 2013
What Do Crayons and Virtual Currencies Have in Common?
Coloring with my young boys the other day, I was a bit amazed by the variety in colors. The days of a single blue crayon from my childhood have now expanded to at least 10 different shades of blue with names such as "Pacific blue" and "cerulean." I quickly learned that my regulation of the usage of crayons by the boys also varied by color. For example, the lone black crayon required ample regulation (and was quite challenging to enforce) to prevent an all-out toddler brawl. Because the blue crayons had such variety, they clearly required less regulation and were much easier to enforce.
Just as crayons come in a variety of colors and shades, virtual currencies have a variety of different attributes, including:
- Open or closed: Closed virtual currencies can be used only within a specific community. Open virtual currencies can be used anywhere the currency is accepted.
- Unidirectional or bidirectional: Unidirectional flow allows the currency to be obtained at a specific exchange rate using fiat currency. This currency cannot be exchanged back to the fiat currency. Bidirectional currencies are bought and sold according to exchange rates.
- Centralized or decentralized: A centralized currency has a central authority that issues the currency and operates the system. A decentralized currency does not have a single entity acting as a central issuer or clearing house.
- Asset backed or demand backed: An asset-backed currency is tied to an asset or assets held in reserve while a demand-backed currency has no tangible value other than the value established by its market.
- Machine-based or human-based: Monetary policy of machine-based currencies, or crypto-currencies, is set by the currency's protocol rules and enforced in software rather than by any person. A central authority establishes monetary policy for human-based currencies.
The regulation of my children's crayon usage differed depending on the particular crayon being used. In that case it was a matter of scarcity, so the analogy isn't perfect, but it will be just as imperative for the regulation of virtual currencies, and its enforcement, to differ according to the characteristics of each currency. A decentralized, demand-backed currency not only poses different risks than a centralized, asset-backed currency does; it may also involve a unique set of participants not found in other virtual currency schemes.
Most of the regulatory discussion currently taking place is focused squarely on a particular virtual currency. And while that one currency holds an enormous share of the virtual currency market, there are at least 50 other virtual currencies in the marketplace. If I had regulated the blue crayons in the same way as the black crayon, my children would likely have left their coloring books and moved on to the train table.
I fear that should regulations be developed based on a single virtual currency and then applied to the market at large, the regulations could drive away the innovators in the virtual currency space that may hold long-term promise if they promote a faster, more secure, and more efficient payment system.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 02, 2013
Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?
An excessive number of consumer complaints or returns and chargebacks—these are among several red flags that could indicate that a third-party payment processor is engaged in fraud. And who better to take notice of these red flags than financial institutions? That's the thinking of many regulators, including the Financial Crimes Enforcement Network (FinCEN) when it released its October 2012 advisory on risk associated with third-party payment processors. In that advisory, FinCEN stressed the importance of financial institutions performing due diligence and monitoring their third-party payment processors.
The role of financial institution as gatekeeper was a major topic at the Atlanta Fed's October 30 Executive Fraud Forum, where a panel of industry leaders discussed the evolving role of third-party payment processors in the retail payments space. Representatives from the U.S. Department of Justice's Consumer Protection Branch and the U.S. Secret Service, while they recognized the benefits of payment processors, highlighted case studies demonstrating the need for institutions to adjust their due diligence and monitoring to recognize the attendant risks. They also stressed the importance of collaboration between institutions and law enforcement agencies in protecting consumers and keeping fraudsters away from payment processing.
Judy Long, who is the executive vice president and chief operating officer at First Citizens National Bank, also noted the gatekeeping role that institutions have with regard to the payments networks. Because banks are highly regulated entities whose primary objective is safety and soundness, she noted, they are in the best position to be the underwriters of payment processors.
As part of her discussion, Long mentioned some important practices for financial institutions in managing payment processor relationships.
- Because the board of directors plays a critical role in determining the institution's risk tolerance by approving its policies and procedures, it must make itself knowledgeable about the risk factors involved with third-party payment processors.
- The institution should have as an integral part of its policies underwriting guidelines that set limits for customers.
- The institution must monitor customers by examining return rates and consumer complaints, providing ongoing customer calling programs, and not just knowing its customer but also its customers' customers.
- Agreements should clearly explain the terms and conditions for how the institution will conduct business with a customer. These agreements protect both the institution and its customers.
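The monitoring practice described above (return rates, consumer complaints, and knowing the customer's customers) is the kind of check an institution can run over its own ACH data. The following is an added example written for this page; it is not code from the Atlanta Fed, FinCEN or First Citizens National Bank. The ACH entries, complaint counts and limits are constructed assumptions: the 1.0 percent figure matches the NACHA unauthorized return rate threshold in force in 2013, while the overall return and complaint limits are illustrative institution-set numbers, not network rules.

```python
"""Return-rate and complaint monitoring for payment processor customers.

Added example for this post; it is not code from the Atlanta Fed, FinCEN or
First Citizens National Bank. The ACH entries, complaint counts and limits
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NACHA return reason codes in which the receiver disputes authorization
# (not an exhaustive list); administrative returns such as R01 (insufficient
# funds) or R02 (account closed) count toward the overall rate only.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}

# Limits are assumptions for this example. 1.0% matches the NACHA unauthorized
# return rate threshold in force in 2013; the other two are illustrative
# institution-set limits, not network rules.
UNAUTHORIZED_LIMIT = 0.01
RETURN_LIMIT = 0.15
COMPLAINTS_PER_1000_LIMIT = 5.0
MIN_ENTRIES = 100  # below this, rates are too noisy to compare against limits


@dataclass(frozen=True)
class Entry:
    originator: str        # processor sub-merchant or originator ID
    amount: float
    return_code: str = ""  # empty when the debit was not returned


def monitor(entries: List[Entry], complaints: Dict[str, int]) -> Dict[str, dict]:
    """Per-originator return statistics with a list of flags for review."""
    forwarded: Dict[str, int] = defaultdict(int)
    returned: Dict[str, int] = defaultdict(int)
    unauthorized: Dict[str, int] = defaultdict(int)
    for e in entries:
        forwarded[e.originator] += 1
        if e.return_code:
            returned[e.originator] += 1
            if e.return_code in UNAUTHORIZED_CODES:
                unauthorized[e.originator] += 1

    report: Dict[str, dict] = {}
    for orig, n in forwarded.items():
        stats = {
            "entries": n,
            "returns": returned[orig],
            "unauthorized": unauthorized[orig],
            "return_rate": returned[orig] / n,
            "unauthorized_rate": unauthorized[orig] / n,
            "complaints_per_1000": 1000.0 * complaints.get(orig, 0) / n,
            "flags": [],
        }
        if n < MIN_ENTRIES:
            # Surface thin history for a human look instead of silently passing it.
            stats["flags"].append("low_volume")
        else:
            if stats["unauthorized_rate"] >= UNAUTHORIZED_LIMIT:
                stats["flags"].append("unauthorized_rate")
            if stats["return_rate"] >= RETURN_LIMIT:
                stats["flags"].append("return_rate")
            if stats["complaints_per_1000"] >= COMPLAINTS_PER_1000_LIMIT:
                stats["flags"].append("complaints")
        report[orig] = stats
    return report


def flagged(report: Dict[str, dict]) -> List[str]:
    """Originators that need a look from the institution's risk staff."""
    return sorted(o for o, s in report.items() if s["flags"])


def build_sample() -> Tuple[List[Entry], Dict[str, int]]:
    """Constructed sample: three originators behind one processor account."""
    entries: List[Entry] = []

    def batch(orig: str, count: int, codes: List[str]) -> None:
        for i in range(count):
            entries.append(Entry(orig, 100.0 + i, codes[i] if i < len(codes) else ""))

    batch("proc-A", 200, ["R10"] + ["R01"] * 2)                     # healthy
    batch("proc-B", 150, ["R10"] * 4 + ["R01"] * 20 + ["R02"] * 6)  # over limits
    batch("proc-C", 40, ["R07"])                                     # too little history
    complaints = {"proc-A": 0, "proc-B": 2}
    return entries, complaints


if __name__ == "__main__":
    sample_entries, sample_complaints = build_sample()
    result = monitor(sample_entries, sample_complaints)
    for name in flagged(result):
        print(name, result[name]["flags"])
```

Separating unauthorized returns from administrative ones matters: a merchant with many R01 (insufficient funds) returns may simply have a risky customer base, while even a small share of R10 or R07 returns means consumers say they never agreed to the debit, which is the pattern FinCEN's advisory is concerned with. The low-volume flag keeps a new or tiny originator visible rather than letting it pass because its rates cannot yet be measured.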
For more details on this topic, watch this interview with Judy Long. You can also view the presentations from the Executive Fraud Forum on the event webpage.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 25, 2013
Maintaining a Strong Defense with Layered Security
A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.
This multilayered approach is just as effective in today's computer age. Financial institutions that haven't done so already should institute an equally layered online authentication process, one that requires an individual seeking access to an account to pass through multiple layers of authentication according to the risk level of the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a $50,000 wire transfer request, additional layers of authentication are appropriate and in keeping with the Federal Financial Institutions Examination Council's 2005 guidance on authentication in an internet banking environment and its 2011 supplement, which call for more robust controls as the risk level of the transaction increases.
Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payments Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individual tools on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave fairly low scores to each individual tool, they pointed out that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of such combinations would be higher.
As the table shows, only one of the tools had an average score above 5.
We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.
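The risk-tiered process described in this post (a password for a balance inquiry, more layers for a large wire) can be expressed as a small policy engine that decides, for each transaction, which layers a session must still clear. The following is an added example written for this page; it is not code from the Atlanta Fed or any institution. The transaction kinds, the $10,000 cutoff for the top tier, the factor names, and the anomaly signals are constructed assumptions chosen to illustrate the idea.

```python
"""Risk-tiered, layered authentication for an online banking transaction.

Added example for this post; it is not code from the Atlanta Fed or any
institution. The transaction kinds, risk thresholds, factor names and the
sample sessions are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Authentication layers a session can have completed (names are assumptions).
PASSWORD = "password"              # something the user knows
OTP = "otp"                        # one-time code from a hardware token or phone
CALLBACK = "out_of_band_callback"  # bank staff confirm by phone before release
DUAL_CONTROL = "dual_control"      # a second authorized user approves

# Factor sets required at each risk level. Each level adds a layer, and no
# single tool is trusted on its own once money leaves the account.
REQUIRED: Dict[int, FrozenSet[str]] = {
    0: frozenset({PASSWORD}),
    1: frozenset({PASSWORD, OTP}),
    2: frozenset({PASSWORD, OTP, CALLBACK}),
    3: frozenset({PASSWORD, OTP, CALLBACK, DUAL_CONTROL}),
}

LARGE_AMOUNT = 10_000.0  # assumed cutoff for the highest tier

# Base risk by transaction kind, before any context is considered.
BASE_LEVEL = {"balance": 0, "internal_transfer": 1, "ach": 2, "wire": 2}


@dataclass(frozen=True)
class Transaction:
    kind: str                # "balance", "internal_transfer", "ach" or "wire"
    amount: float = 0.0
    new_payee: bool = False  # payee not previously used by this customer


@dataclass(frozen=True)
class Session:
    factors: FrozenSet[str]    # layers already completed in this session
    device_known: bool         # device fingerprint/cookie matches a registered device
    geo_unusual: bool = False  # login location inconsistent with customer history


def risk_level(txn: Transaction, session: Session) -> int:
    """Score 0 (view only) to 3 (large money movement or anomalous context)."""
    if txn.kind not in BASE_LEVEL:
        raise ValueError(f"unknown transaction kind: {txn.kind}")
    level = BASE_LEVEL[txn.kind]
    if txn.kind in ("ach", "wire") and txn.amount >= LARGE_AMOUNT:
        level = 3
    # Anomaly signals raise the tier by one: a correct password presented from
    # an unknown device in an unusual place is exactly what harvested
    # credentials look like.
    if txn.new_payee or not session.device_known or session.geo_unusual:
        level = min(level + 1, 3)
    return level


def decide(txn: Transaction, session: Session) -> Tuple[str, FrozenSet[str]]:
    """Return ("allow", empty set) or ("step_up", factors still required)."""
    missing = REQUIRED[risk_level(txn, session)] - session.factors
    return ("allow", frozenset()) if not missing else ("step_up", missing)


if __name__ == "__main__":
    password_only = Session(frozenset({PASSWORD}), device_known=True)
    print("balance check, known device:", decide(Transaction("balance"), password_only))
    print("$50,000 wire, password only:", decide(Transaction("wire", 50_000), password_only))
    all_layers = Session(frozenset({PASSWORD, OTP, CALLBACK, DUAL_CONTROL}), device_known=True)
    print("$50,000 wire, all layers:", decide(Transaction("wire", 50_000), all_layers))
```

The point of the structure is that the required set grows with risk rather than being a fixed login ritual: the same customer with the same password is allowed to read a balance, is asked for a one-time code when the device is unfamiliar, and cannot release a large wire until a callback and a second approver have been recorded for that session.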
Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 18, 2013
Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud
The Retail Payments Risk Forum and the southeastern Regional Payments Associations (RPAs) cohosted an Executive Fraud Forum at the Atlanta Fed on October 30. Forum attendees engaged with speakers and panelists on such issues as the latest payments fraud trends, legislation and regulation, and best practices for financial institutions to mitigate risk in today's dynamic payments environment.
In one session, Federal Reserve Bank of Atlanta senior examiner Tony DaSilva discussed best practices to combat cybercrime. Cybercrime remains top of mind for financial institutions. Denial-of-service attacks, which overload an institution's systems so that customers cannot reach their account information, damage an institution's reputation and can also serve as a distraction while account takeover attempts are under way. In an account takeover, a fraudster uses malware to steal a customer's valid online credentials and then directs payments, often by wire or ACH, out of the customer's account. DaSilva suggests that financial institutions assume their systems are already infected and therefore monitor constantly and proactively for cybercrime.
DaSilva also highlighted the importance of an institution's board and management understanding the nature of current cyber threats, assigning adequate IT resources, and using industry tools to contend with cybercrime. He also emphasized the importance of following regulatory guidance.
A critical piece of regulatory guidance in this area is the Federal Financial Institutions Examination Council's (FFIEC) 2011 supplement to its 2005 guidance, Authentication in an Internet Banking Environment. The updated guidance recognizes the changing nature of cyber threats, including account takeovers, and emphasizes three areas of responsibility for institutions.
- Periodic risk assessments, at a minimum every 12 months, are important. In these assessments, institutions should consider the current threat landscape, changes in customers, and actual incidents, and then adjust customers' authentication controls accordingly.
- Layered security for high-risk Internet-based systems should at a minimum detect and respond to anomalies and have robust controls for the system administrators of business clients.
- Education should focus on making consumer and business customers aware of security steps, and should explain federal consumer protection provisions, the risk controls offered by the institution, and relevant institution contacts.
For more on this topic, view Tony DaSilva's video interview and presentation on the conference web page.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed