Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 22, 2012
Ignorance Is No Excuse--Or Is It?
Last time I got a speeding ticket (just for the record, it's been a very long time), the officer didn't care that I didn't realize the speed limit was only 35 mph. As he told me, ignorance of the law is no excuse for breaking the law. Contrast that with consumer payments protections. Consumers can practice unsafe computing and expose their account information, yet regulations still protect them if an unauthorized payment is made using the information the consumer revealed. Although an unauthorized payment is transacted by someone else, the consumer, through his or her own behavior, may be aiding and abetting the lawbreaker.
As we study different payment types and channels here at the Retail Payments Risk Forum, a consistent theme has emerged: consumer behavior plays a significant role in payments issues, and consumer education is the antidote. Although the consumer may be protected from financial consequences even when they engage in unsafe online behavior, it is in everyone's best interest, including the consumer's, if the consumer is armed with enough information to behave safely and responsibly.
Take card payments and the conversion under way to EMV standards. As the cards are converted to a chip and reissued to consumers, the consumer will need to understand where and how the card can be used. Education will be critical if the chip implementation also includes the use of PINs. A recent analysis by DataGenetics shows that nearly 27 percent of PINs can easily be guessed by attempting 20 simple combinations such as "1234" or "0000." PINs can be an effective authentication method, if only the consumer is thoughtful in choosing a hard-to-guess PIN.
Consider ACH payments and the dreaded account takeover. The information used to perpetrate an account takeover is sometimes gained through malware that enables key logging. The malware is installed on the consumer's computer most likely because of the consumer's unsafe computing practices, such as clicking on unfamiliar links and opening attachments sent by suspicious or unknown sources.
The same is true for the emerging mobile channel, essentially a handheld computer with security considerations similar to the online channel. The September 2012 GAO report on Mobile Device Security concludes, "Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. These vulnerabilities can be the result of inadequate technical controls, but they can also result from the poor security practices of consumers." The report recognizes that many education and awareness efforts, both public and private, have occurred or are underway, but it remains unclear whether those efforts have raised consumer security awareness or had any beneficial effect on the security of the mobile device.
Diagnosing is the easy part...
While it's easy to recognize that consumer behavior is a problem in electronic payments, the solution of providing consumer education is elusive. As it turns out, financial institutions are in a good position to provide education. For one thing, consumers tend to trust their financial institutions, with their financial information and with their privacy. From a practical standpoint, financial institutions are commonly the connection point between the consumer and these payment types. However, the traditional connection point of the branch is evolving to the online and mobile channels.
So what can financial institutions do to better educate consumers in the new digital and mobile environment? They already devote significant resources to providing education, but the effectiveness of these efforts can be questioned as the incidences of fraud appear to be rising. Are there best practices for consumer education in the non-face-to-face environment that financial institutions should employ to positively impact fraud?
By Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Ignorance Is No Excuse--Or Is It?:
- Consumer Prepaid Protections May Be Catching Up with Prepaid Use
- Virtual Currency Environment Still Fluid after Latest Rulings
- ISO 20022 in the United States: What, When, Why, and How?
- Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?
- Mobile Biometrics: Ready or Not, Here They Come
- Starting Off on the Right Note with Mobile Enrollment
- Let's Talk Token, Part II: Distinguishing Attributes
- New ACH Return Rate Threshold on the Horizon
- Let’s Talk Token: Authenticating Payments
- Seeking a Successful Biometric Solution
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud