January 10, 2011
Nonbanks and payments innovation: Because that's where the money is
In the past decade, nonbank companies have driven most payments innovations. For the most part, banks have left Silicon Valley startups and other third-party players to develop cool new payments gadgets and platforms that attract venture capital and YouTube views. While this dynamic and free market has allowed for great creativity, it has also meant that many of these new payments tools emerged outside the extensive system of regulations and consumer protections that exist in the banking industry.
This blog previously covered the lack of uniform regulation of money services businesses (MSBs), a significant gap given the expansion of financial services offered by MSBs like Western Union and MoneyGram in recent years. While providing a vital service for money transfer, MSBs may be vulnerable to money laundering and fraud schemes, as they lack the robust regulatory oversight that governs mainstream financial institutions. Through a series of industry partnerships, MSBs and other less-regulated nonbank payment companies are integrating with bank operations. For example, CashEdge, a relatively new alternative payment service provider, and MoneyGram recently announced one such partnership that could have implications for anti-fraud efforts.
Last year, MoneyGram paid $18 million to settle Federal Trade Commission (FTC) charges that the company had known about fraud on its system but did not work to address it, disregarding law enforcement warnings and willfully ignoring customer fraud complaints against agents. Consumers reported $84 million in losses between 2004 and 2008, but it is likely that many victims did not come forward, and the FTC claims that losses may actually have run into the hundreds of millions of dollars. Since the settlement, MoneyGram has invested heavily in anti-fraud measures, including enhanced agent training, improved communication with consumers, and greater partnership with law enforcement and the FTC. In response to questions from the Connecticut Watchdog, MoneyGram explained that these efforts have prevented $30 million in fraud this year and resulted in a 75 percent decrease in fraudulent transactions between the United States and Canada.
However, con artists continue to exploit Americans, evidenced by the recent Make-A-Wish scam. This scam has already defrauded victims of $20 million, with the thieves again using Western Union and MoneyGram to receive payments. Although these companies provide a valuable service to those sending money abroad to family and others, they are still vulnerable to threats from bad actors.
In light of this vulnerability, MoneyGram's announcement this past fall of a partnership with CashEdge to integrate with their POPmoney service bears scrutiny. POPmoney is a bank-initiated peer-to-peer payments service that went live late in 2009 and allows users to send friends and family money through text, e-mail, or online banking. The product has been very popular, with more than 100 banks adopting the service within six months of launch. The new partnership means that POPmoney users will be able to transfer money not just to other bank accounts, but also to any MoneyGram location around the world. These POPmoney-to-MoneyGram transactions will likely be fast and irreversible, using CashEdge’s convenience and MoneyGram's global presence. Furthermore, users will initiate all transactions via online or mobile banking, funding them directly from their primary bank account. Although MoneyGram launched enhanced anti-fraud technology last year for scanning risky transactions, these online transfers would bypass live agents whose training is one line of defense against fraud.
Although there may be considerable risks in integrating MSBs directly to a financial institution's online banking services, doing so could also be an opportunity to fight fraud in these channels. If banks' extensive experience in fraud detection and mitigation were applied to the money transfer business, it could significantly improve consumer safety and experience. If there are lessons to be learned here, they could be applied to a variety of similar partnerships across the industry, improving banks' access to innovation and enhancing the risk management capabilities of new payments products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 10, 2011 in banks and banking, innovation, money services business (MSB), risk management
May 24, 2010
Bank revenues and fraud detection: A marriage made in heaven?
Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.
The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.
Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.
The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant number of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.
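The checks described above (new account numbers, swings in entry count or dollar total, dual control) can be expressed as a screen run on each payroll file before it is released. This is an added example, not code from the post or from any bank or ACH operator; the thresholds, field names, reason codes, and sample batches are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    routing: str      # receiving bank routing number
    account: str      # receiving account number
    amount: Decimal   # credit amount in dollars


@dataclass
class Batch:
    entries: list
    approvers: set = field(default_factory=set)  # distinct users who released the file


@dataclass(frozen=True)
class Policy:
    # Illustrative thresholds (assumptions); the post only says "significant".
    max_new_payee_ratio: Decimal = Decimal("0.10")
    max_count_change: Decimal = Decimal("0.25")
    max_total_change: Decimal = Decimal("0.25")
    required_approvers: int = 2


def relative_change(new, old):
    """Absolute relative change of new versus old, or None without a baseline."""
    if old == 0:
        return None
    return abs(Decimal(new) - Decimal(old)) / Decimal(old)


def review_batch(batch, approved_payees, last_batch, policy=Policy()):
    """Return reasons to hold a payroll file; an empty list means release it."""
    if not batch.entries:
        return ["EMPTY: file contains no entries"]
    reasons = []

    # Positive-pay style check: payees should already be on the company's list.
    payees = {(e.routing, e.account) for e in batch.entries}
    new_payees = payees - approved_payees
    if Decimal(len(new_payees)) / len(payees) > policy.max_new_payee_ratio:
        reasons.append(f"NEW_PAYEES: {len(new_payees)} of {len(payees)} not on approved list")

    # Volume checks against the previous payroll file.
    count_change = relative_change(len(batch.entries), len(last_batch.entries))
    total_change = relative_change(sum(e.amount for e in batch.entries),
                                   sum(e.amount for e in last_batch.entries))
    if count_change is None or total_change is None:
        reasons.append("NO_BASELINE: no prior file to compare, review manually")
    else:
        if count_change > policy.max_count_change:
            reasons.append(f"COUNT_CHANGE: entry count moved {count_change:.0%}")
        if total_change > policy.max_total_change:
            reasons.append(f"TOTAL_CHANGE: dollar total moved {total_change:.0%}")

    # Dual control: two different people must release the file.
    if len(batch.approvers) < policy.required_approvers:
        reasons.append(f"DUAL_CONTROL: {len(batch.approvers)} of "
                       f"{policy.required_approvers} approvals")
    return reasons


# Constructed sample data: routing and account numbers are made up.
ROUTING = "000000001"
LAST_BATCH = Batch([Entry(ROUTING, f"1000{i:02d}", Decimal("1500.00")) for i in range(10)],
                   {"payroll_clerk", "controller"})
APPROVED_PAYEES = {(e.routing, e.account) for e in LAST_BATCH.entries}

# Normal cycle: one departure, one new hire, two approvers.
GOOD_BATCH = Batch(LAST_BATCH.entries[:9] + [Entry(ROUTING, "200001", Decimal("1500.00"))],
                   {"payroll_clerk", "controller"})

# File altered after an account takeover: four extra credits, one approver.
TAMPERED_BATCH = Batch(LAST_BATCH.entries + [Entry(ROUTING, f"9000{i:02d}", Decimal("9000.00"))
                                             for i in range(4)],
                       {"payroll_clerk"})

if __name__ == "__main__":
    for name, b in (("good", GOOD_BATCH), ("tampered", TAMPERED_BATCH)):
        print(name, review_batch(b, APPROVED_PAYEES, LAST_BATCH) or "release")
```

A held file would go to an out-of-band confirmation with the company rather than being silently rejected, since a legitimate hiring wave trips the same thresholds.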
Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud
Comments
Posted by: richard oliver | May 24, 2010 at 02:13 PM
The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.
It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.
Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.
Posted by: Rob | May 24, 2010 at 01:49 PM
December 14, 2009
Consumer preference for opt-in guides Fed rule on overdraft protection
A recent report by the Center for Responsible Lending found that more than 50 million Americans overdrew their checking account at least once over a 12-month period, with 27 million accountholders incurring five or more overdraft or nonsufficient funds (NSF) fees. The costs to consumers for overdrafts are significant, with many instances of fees exceeding the amount withdrawn. ATM and one-time debit card transactions have been a key driver behind the growth in the volume and cost of overdraft fees. Point-of-sale/debit overdraft transactions accounted for 41 percent of surveyed institutions' NSF transactions, according to an FDIC study. These POS/debit NSF transactions had a median dollar value of $20, while the median overdraft charge assessed by banks was $27.
To address high overdraft costs, last month the Federal Reserve Board issued a final rule amending Regulation E, which will provide greater consumer protection by limiting the fees financial institutions can charge consumers for paying overdrafts on ATM and most debit card transactions.
The new rule essentially eliminates a common practice by financial institutions of automatically enrolling consumers in overdraft services. In fact, the aforementioned FDIC study found that 75 percent of banks automatically enrolled customers in automated overdraft programs. Starting on July 1, 2010, financial institutions will have to provide a notice explaining their overdraft service and fees for ATM and one-time debit card transactions before the consumer can accept it. The rule includes a model form that institutions may use to satisfy the notice requirement.
Public comments and consumer testing help inform final revisions
The Board's final revisions to Regulation E were informed by comments received on its January 2009 Regulation E proposal and results of consumer testing. The Board received more than 20,700 comment letters (including 16,000 form letters) on its January 2009 proposal, the majority of which were submitted by individual consumers. In addition, the Board engaged a consultant to conduct consumer testing on a model disclosure notice that would effectively communicate information to consumers about how their overdrafts would be handled by the bank, what fees they could be potentially charged, and what choices they had related to overdrafts.
Consumer advocates, members of Congress, federal and state regulators, and the overwhelming majority of individual consumers who commented favored the opt-in provision because they felt that the harm to consumers from overdraft fees outweighed the benefits from permitting the payment of ATM and debit card overdrafts. In contrast, the majority of industry commenters contended that the opt-out approach was better because it provided consumers with the benefits of overdraft services with fewer disruptions to the consumer and bank operations.
In the end, the Board determined that an opt-in approach to permitting overdrafts was the best decision for consumers. This decision was based partly on the Board's consumer testing, which indicated that consumers would rather have transactions declined than incur fees for overdrafts.
Certain types of transactions not covered by the rule
Other types of transactions are not covered by the rule, including withdrawal by check, ACH, and recurring debit. The Board determined that with respect to checks, the payment of overdrafts may be preferable to having the check returned for NSF and paying the return fees charged by the bank and merchant. In addition, participants in the Board’s consumer testing generally indicated that they were more likely to pay important bills using checks, ACH, and recurring debits. Debit cards were primarily used on a one-time basis for discretionary purchases.
Opting in is not a requirement for other services
Consumers who do not accept an institution's overdraft service cannot be treated differently than those who opt in. For example, institutions are prohibited from declining payment of overdrafts of other types of transactions (e.g., checks and ACH) because the consumer did not opt in to that institution's overdraft service for ATM and one-time debit card transactions. The institutions are also required to provide those customers with the same account terms, conditions, and features that they provide to consumers who do elect to take the service.
Overdraft fee income for banks and credit unions rose 35 percent in the last two years. Although not a panacea, the Board's overdraft rules provide greater protection for consumers in navigating their personal finances. Ultimately, an informed consumer is the best consumer protection.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
December 14, 2009 in banks and banking
August 03, 2009
Accounting for ACH losses: What are the right numbers to crunch?
From talking with a number of industry players, it has become increasingly clear that there is both a healthy desire for ACH origination loss data to help understand risks and also business practices that limit the extent to which data to benchmark ACH losses are available in the first place. The challenge is to reconcile these two conflicting objectives.
Many banks today treat ACH origination as credit underwriting, particularly for business customers. Given this, one way banks may account for losses as a result of ACH origination is as credit losses against loan loss reserves or other similar accounts. This method is entirely appropriate as a risk management practice given the potential for losses the ACH originating bank may incur as a result of unauthorized debit items that are returned by the receiver through its bank. The originating bank, having already credited its customer’s account, may find itself unable to collect the returned item and thus may incur a loss.
NACHA does publish aggregate trend data on what is probably the best metric it has available—unauthorized returns as a percentage of all ACH debits in the network. While this is a good starting point, it is not a fully accurate picture of the actual losses banks may incur as a result of ACH origination (whether for debits or credits). While the trend of unauthorized debit returns is instructive, it does not explain the dollar losses to banks.
Further, while it is likely that most banks track or have the ability to track their losses from ACH origination, there is no standard regulatory or other financial reporting for banks to report ACH loss information. Such losses may be attributable to fraud or not, but the extent of these losses in terms of aggregate dollars and velocity is likely to be a more robust data point for analysis of ACH fraud and ACH origination risks than the data available today. Improved data on banks’ ACH loss experience would go a long way to explain the true extent of ACH origination risk within the network overall and may promote banks’ ability to benchmark their own losses in an effective way. It also would enable both the network and individual banks to better tailor their risk management efforts. Most importantly, having more data could help dispel any mistaken assumptions about how much financial loss banks are experiencing from operational and fraud risks in ACH origination activities.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
August 3, 2009 in ACH, banks and banking, fraud, risk
July 06, 2009
Remotely created checks: Distinguishing the good from the bad
There are no hard numbers to quantify that remotely created checks (RCCs) pose greater risks than other payment types. However, there are known instances of RCC fraud, the impact of which can be significant. So the depository banks liable for RCCs may want to keep a vigilant eye on the situation.
What are RCCs?
These are checks that are not created by the paying bank and do not include the account holder's signature. In lieu of an actual signature, the check's signature block typically contains the account holder's printed name or standard language indicating authorization. RCCs have been used for recurring transactions, such as insurance premium payments, for quite some time. This solution offers consumers an alternative to the hassle of manually writing out checks each month. More recently, RCCs have also been used in nonrecurring transactions, such as purchases or bill payments made over the telephone or Internet. Though a useful form of payment, RCCs introduce risk into the retail payments system.
What are the risks?
As stated above, RCCs do not require a signature for authorization. As a result, they are vulnerable to misuse by fraudsters who can, for example, use an RCC to debit a victim's account without receiving proper authorization or delivering the goods or services. The risk of fraudulent RCCs is amplified in one-time purchase scenarios where the merchant is relatively unknown to the customer.
To address the fraud risk of RCCs, in July 2006 the Federal Reserve modified the liability structure for this particular type of check. The liability for unauthorized RCCs shifted from the paying bank to the depositary bank, which must now warrant to the collecting and paying banks that the RCC presented has been properly authorized. The Federal Reserve's amendment provides economic incentive for the depositary bank to perform additional vigilance when accepting RCCs given the warranties they must make. Since the depositary bank maintains the relationship with the bank customer depositing the RCCs, it is in the best position to mitigate the fraud risk. The challenge is that banks cannot readily identify RCCs in an automated fashion through the existing MICR line format. Generally, review of incoming RCCs requires manual intervention.
How pervasive are they?
In light of this identification challenge, the Fed applied a modified definition of RCCs to a sample of check transactions in order to establish a reasonable estimation of the volume of RCCs. As a result, the Federal Reserve's 2007 Check Sample Study concluded that less than 1 percent (0.95) of the checks sampled were RCCs. It is unclear how accurate this result is when considering the regulatory definition, but it is probably fair to say that RCCs are only a very small portion of check volumes overall. Moreover, the analysis did not discern within that estimate the number of illegitimate RCCs. It is the cases of misuse that have prompted some to call for a ban of RCCs altogether. While there is anecdotal information and well-publicized cases (such as the 2008 Wachovia case) highlighting abuses committed using RCCs, there is a lack of concrete data reflecting the portion of RCCs that are fraudulent or returned for other reasons.
Conclusion
RCCs represent a relatively small subset of checks overall. However, applying the Check Sample Study methodology and results of the Federal Reserve's overall 2007 Payments Study, the number of RCCs in 2006 alone would still have represented approximately 286 million items.
We know that some portion of these RCCs represent fraudulent cases where the payment was never authorized. However, we also know that when fraud does occur, the consequences may be substantial in terms of adverse consumer impact. Therefore, despite the lack of complete data, it is unwise to allow RCCs and the known misuses to fall completely off the radar.
By Crystal D. Carroll, senior payments risk analyst of the Retail Payments Risk Forum at the Atlanta Fed
July 6, 2009 in banks and banking, checks, remotely created checks, risk
June 07, 2009
How much risk lurks in the shadows of daylight overdraft?
With the U.S. banking system in financial distress, the Fed provides payments services to a greater number of problem banks. So how much of an issue is the credit risk associated with retail payments today? As you know, financial institutions, much like the commercial and retail customers they serve, from time to time experience the need for overdraft credit—short-term loans to accommodate the management of incoming and outgoing funds. The Fed provides daylight overdraft protection to financial institutions that experience timing differences in ACH service offerings so that they can meet their cash flow obligations, in the same way a financial institution provides overdraft protection. The Fed, like any prudent lender, also maintains a responsibility to carefully manage the credit risk exposure from these provisions of credit. The need for the Fed to monitor ACH activity for overdraft exposure becomes critical when a financial institution's health is in question.
How does the Fed monitor the financial health of financial institutions?
It is important to remember that the Fed is also a bank regulator, and it works collaboratively with other bank regulators to monitor bank conditions. When a bank's financial condition deteriorates, the agencies communicate the institution's regulatory rating and other relevant information to the Fed in its U.S. payments oversight role. Wearing that hat, the Fed may choose to restrict lending in a number of ways, such as limiting access to daylight credit.
Real-time monitor
One tool that can be used to restrict daylight credit access is "real-time monitoring" (RTM), which is implemented through the Account Balance Monitoring System (ABMS). With RTM, the Fed can reject certain transactions from posting to an institution's account if that posting would cause the institution to exceed its daylight credit limits. Under RTM, any funds transfers from the account or ACH credit originations (which are required to be prefunded) that would cause an institution to exceed its daylight credit capacity would be rejected.
Interest on reserves and daylight overdrafts
One conundrum in this equation is that the need for overdrafts has diminished recently as banks began maintaining higher reserves, prompted by the Fed's decision to start paying interest on reserve balances. Before, banks were reluctant to hold too many reserves because they were a nonearning asset. Since the Fed didn't compensate banks for holding the reserves, banks could find more rewarding uses for their funds. With more reserves in the system, the need for intraday borrowing from the Fed has decreased. Whether that trend will continue as the economy improves and the financial condition of the banking sector stabilizes, thereby creating more lucrative uses for excess reserves, remains to be seen—but then maybe we won't have as many high-risk banks as the economy improves. Let's hope not.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
June 7, 2009 in ACH, banks and banking
April 14, 2009
Why aren’t we seeing fraud in remote deposit capture?
The growth in electronic payments and a distressed economy together have created an environment ripe for new payment fraud opportunities, according to the Association for Financial Professionals' 2009 Payments Fraud and Control Survey. But while the report notes that more than 70 percent of firms surveyed were the victims of attempted or actual fraud during 2008, no increase was reported in attempted fraud associated with the adoption of remote deposit capture (RDC) services. While nearly half of the respondents indicated that their organizations had offered services to customers to transmit check images using remote deposit, only 1 percent reported that they experienced payment fraud as a result.
Does nascence explain lack of reported fraud?
While RDC adoption has been rapid, it remains at an early stage in the technology adoption lifecycle. Anecdotal evidence suggests that some financial institutions and their customers have initiated service offerings judiciously to known business customers and thereby mitigated the inherent risk exposure from RDC. However, less sophisticated adopters may lack the operational systems and control processes to identify fraud when it happens or are otherwise not forthcoming in admitting when they are victimized. Time will tell if fraud trends emerge or become more transparent as RDC grows into a more mature service offering by financial institutions.
Risk management and regulatory oversight
We spoke with examiners in the Atlanta Fed and learned that they've had RDC on their radar for some time and have promoted sound risk management practices during bank examinations in advance of formalized interagency guidance. In January, the Federal Financial Institutions Examination Council (FFIEC) published its official guidance for banks' risk management of RDC services. This guidance provides a comprehensive summary of the risks inherent in this service and the necessary elements of an effective risk management program. As prescribed in the FFIEC guidance, the same disciplines that apply to the risk management of other bank products and services apply to RDC. First and foremost, it is critical to have proper due diligence in the selection and monitoring of third-party service providers to whom certain operational functions are outsourced, along with accurate and ongoing self-risk assessments of the financial institution's internal and external business environments.
Conclusion
No one can be sure why firms that offer RDC aren't experiencing fraud as they are with other payment services, particularly those that are check-related. It could be the way that information is captured and reported within an organization. One thing we know for sure is that RDC adoption is expected to continue to grow as businesses and consumers convert paper checks to more cost-effective electronic payments. Will fraudsters find vulnerabilities to exploit in the risk management efforts on behalf of product vendors, bank regulators, third-party servicers, and the financial institutions themselves? We would like to hear from you. Feel free to share your thoughts with us.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
April 14, 2009 in bank supervision, banks and banking, checks, risk
March 27, 2009
2008: A year of thought on retail payments risk and fraud
Looking back, 2008 saw an array of Federal Reserve Bank–sponsored conferences and events focused on retail payments risk and fraud issues, as well as a number of highly relevant papers. It's worth compiling and highlighting a few of those Federal Reserve efforts (at the risk of leaving some out!). I think all these developments reflect a renewed interest in public-private partnerships both in the Fed and in the industry, interest that will promote collaborative efforts to address common issues.
First, here are links to three conference summaries and related papers resulting from Reserve Bank–hosted events in 2008:
- April 2008 – Philadelphia Fed Payment Cards Center: "Maintaining a Safe Environment for Payment Cards: Examining Evolving Threats Posed by Fraud"
- June 2008 – Chicago Fed Payments Studies: "Payments Fraud: Perception Versus Reality"
- October 2008 – Atlanta Fed Retail Payments Risk Forum: "Retail Payments Risk and Fraud: Detection and Mitigation"
In addition to the results of these conferences, there were a number of papers published last year from Fed staff that I would also highlight to our readers on relevant issues:
- Braun, et al., "Understanding Risk Management in Emerging Retail Payments"
- Gerdes, "Recent Payment Trends in the United States"
- Jacob and Summers, "Assessing the landscape of payments fraud"
- Weiner, "The Federal Reserve's Role in Retail Payments: Adapting to a New Environment"
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
March 27, 2009 in banks and banking, risk
March 19, 2009
Can information sharing reduce fraud?
I was doing some research recently to see what I could find on the legal impediments to information sharing among law enforcement agencies and bank regulators when I ran across a report published by the U.S. Government Accountability Office (GAO) in March 2001 titled "Financial Services Regulators: Better Information Sharing Could Reduce Fraud." The paper identified some benefits as well as barriers to sharing information and proposed a recommendation for moving forward. While little has changed since the GAO first issued that report, there still remains much to be gained in addressing these issues.
One of the things we hear from the financial services industry, law enforcement, and bank regulators is that we need to collaborate by sharing information to better detect and mitigate fraud in retail payments. Most of the law enforcement representatives we talk to say that payments fraud is on the rise as global and domestic fraud rings alike are gaining access to consumer data for identity theft and financial transactions. According to these representatives, the bottom line is that fraudsters are talking to one another and sharing information over a number of channels including the Internet, chat rooms, and even within the prison system. With this information in mind, perhaps now is the time to rethink the way we share information to prevent and mitigate fraud and risk in retail payments.
Databases for sharing information are decentralized among separate bank regulators
Decentralization of information by bank regulators is one of the barriers noted in the GAO report. Because the systems and databases that maintain records on individuals and businesses, consumer complaints, and disciplinary actions are decentralized among the separate regulators within the banking industry, an investigation of a rogue actor realistically could involve separate inquiries of the different bank regulators.
Most information sharing is limited to public information
The GAO report also concluded that while financial regulators agreed about the benefits of sharing regulatory and criminal data, there were concerns about how to do that without creating confidentiality, liability, and privacy issues as well as the potential for inappropriate use of information. Regulators expressed concern about the potential for premature disclosure of information obtained through regulatory activities or criminal investigations.
Once they are final, formal enforcement actions taken against banks, as well as cease and desist orders and civil money penalties, are all public documents that identify individuals and entities responsible for criminal, civil, and otherwise unsafe and unsound banking practices. However, the lag time between the identification of the risky or fraudulent practice and issuance of the formal action can be considerable and does not make information available for other victims or potential targets.
Information sharing is still in separate silos at the institution level
One caveat to the potential benefits derived from an industry-wide information sharing mechanism is the fact that data are often isolated among disparate silos within a financial services company. Enterprise-wide risk management is often designed to aggregate information from separate lines of business, each often equipped with its own fraud prevention process and data collection. The successful business model going forward might enable the sharing of information across a bank's payment products and channels to prevent a fraudster from hitting the same institution multiple times.
Private industry efforts are emerging to collaborate
There are a number of private industry initiatives in play, such as third party–sponsored consortiums for financial institutions to share information among one another. These services are provided at a cost that some financial institution participants are unwilling or unable to bear. The cost for information serves as a barrier in this sense, potentially driving the fraudsters to the weaker links in the system that cannot afford to participate in the cost of building a data-sharing mechanism.
Conclusion
Financial modernization efforts have resulted in more electronic transactions of payments and information. While nontechnological means of fraudulently obtaining confidential consumer information remain prevalent (dumpster diving, etc.), the use of the Internet and chat rooms makes it increasingly easy for rogue actors to communicate and share information to perpetrate fraud. Social networks are growing in popularity as consumers are increasingly comfortable in sharing information over the Internet. This technologically inspired trend was not entirely envisioned when the laws and rules designed to protect rights to privacy were crafted. Changing the legal boundaries established among regulatory and law enforcement agencies may be necessary to enable truly effective detection and mitigation of fraud, but this practice can't happen overnight.
What steps can we take to break down the barriers to information sharing? How do we balance one party's "need to know" with another's need to safeguard sensitive information? How do we determine what data are most universally useful in our mutual efforts to predict and recognize fraudulent activity and identify the bad actors? We would like to hear from you, so please let us know your thoughts.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
March 19, 2009 in bank supervision, banks and banking, risk
February 23, 2009
Why should I work with you?
At some level, we're all selling something, even if it's just ourselves. Everyone has a reputation and a résumé to build. Information is power. We all have bosses to please, goals to meet. So when and how do these stars align such that we can work together?
Payments is a network industry with chicken-and-egg problems. It requires someone to step forward, perhaps to risk losses, in order to build networks of users and providers that enable a payments network to operate. Think of a simplistic credit card network—users need to know that merchants will accept it, banks need to know that they can make money to provide the lending that backs it, and merchants need to know that they'll be compensated with business in order to justify the costs.
The same dynamics apply to those who are minding the store when it comes to addressing risk and fraud in payments networks. Who's willing to step out (at some risk) to take on the tough challenge of pulling the variety of industry, regulatory, law enforcement, merchant, and consumer interests together? Where's the money to be made? Where's the competitive advantage?
In the best sense, law enforcement is imbued with an altruistic drive to do good by catching the bad guys, and bank supervision is all about ensuring a safe and sound banking system.
In the best sense, payment services providers seek to provide a safe and efficient environment for the exchange of value. But will any service provider risk exposure to reputational and other risks just because it's good for the payment system?
Payments is also an industry that offers opportunities to leverage positive "network effects": the more users a payment mechanism has, the more valuable it becomes for all as it grows more ubiquitous, commonly understood, and efficient. The same network dynamics should apply to those who are minding the store when it comes to retail payment systems risks.
All these interests and perspectives can align if we are realistic in our approach to interest alignment and continue to collectively look for opportunities of mutual benefit.
Where do you see alignment and opportunity?
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
February 23, 2009 in bank supervision, banks and banking, financial services, risk


Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.