I was doing some research recently to see what I could find on the legal impediments to information sharing among law enforcement agencies and bank regulators when I ran across a report published by the U.S. Government Accountability Office (GAO) in March 2001 titled "Financial Services Regulators: Better Information Sharing Could Reduce Fraud." The paper identified some benefits as well as barriers to sharing information and proposed a recommendation for moving forward. While little has changed since the GAO first issued that report, there still remains much to be gained in addressing these issues.

One of the things we hear from the financial services industry, law enforcement, and bank regulators is that we need to collaborate by sharing information to better detect and mitigate fraud in retail payments. Most of the law enforcement representatives we talk to say that payments fraud is on the rise as global and domestic fraud rings alike are gaining access to consumer data for identity theft and financial transactions. According to these representatives, the bottom line is that fraudsters are talking to one another and sharing information over a number of channels including the Internet, chat rooms, and even within the prison system. With this information in mind, perhaps now is the time to rethink the way we share information to prevent and mitigate fraud and risk in retail payments.

Databases for sharing information are decentralized among separate bank regulators
Decentralization of information by bank regulators is one of the barriers noted in the GAO report. Because the systems and databases that maintain records on individuals and businesses, consumer complaints, and disciplinary actions are decentralized among the separate regulators within the banking industry, an investigation of a rogue actor realistically could involve separate inquiries of the different bank regulators.

Most information sharing is limited to public information
The GAO report also concluded that while financial regulators agreed about the benefits of sharing regulatory and criminal data, there were concerns about how to do that without creating confidentiality, liability, and privacy issues as well as the potential for inappropriate use of information. Regulators expressed concern about the potential for premature disclosure of information obtained through regulatory activities or criminal investigations.

Once they are final, formal enforcement actions taken against banks, as well as cease and desist orders and civil money penalties, are all public documents that identify individuals and entities responsible for criminal, civil, and otherwise unsafe and unsound banking practices. However, the lag time between the identification of the risky or fraudulent practice and issuance of the formal action can be considerable and does not make information available for other victims or potential targets.

Information sharing is still in separate silos at the institution level
One caveat to the potential benefits derived from an industry-wide information sharing mechanism is the fact that data are often isolated among disparate silos within a financial services company. Enterprise-wide risk management is often designed to aggregate information from separate lines of business, each often equipped with its own fraud prevention process and data collection. The successful business model going forward might enable the sharing of information across a bank's payment products and channels to prevent a fraudster from hitting the same institution multiple times.

Private industry efforts are emerging to collaborate
There are a number of private industry initiatives in play, such as third party–sponsored consortiums for financial institutions to share information among one another. These services are provided at a cost that some financial institution participants are unwilling or unable to bear. The cost for information serves as a barrier in this sense, potentially driving the fraudsters to the weaker links in the system that cannot afford to participate in the cost of building a data-sharing mechanism.

Conclusion
Financial modernization efforts have resulted in more electronic transactions of payments and information. While nontechnological means of fraudulently obtaning confidential consumer information remain prevalent (dumpster diving, etc), the use of the Internet and chat rooms makes it increasingly easy for rogue actors to communicate and share information to perpetrate fraud. Social networks are growing in popularity as consumers are increasingly comfortable in sharing information over the Internet. This technologically inspired trend was not entirely envisioned when the laws and rules designed to protect rights to privacy were crafted. Changing the legal boundaries established among regulatory and law enforcement agencies may be necessary to enable truly effective detection and mitigation of fraud, but this practice can't happen overnight.

What steps can we take to break down the barriers to information sharing? How do we balance one party's "need to know" with another's need to safeguard sensitive information? How do we determine what data are most universally useful in our mutual efforts to predict and recognize fraudulent activity and identify the bad actors? We would like to hear from you, so please let us know your thoughts.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed