August 03, 2011
Fighting the rising tide of elder financial abuse
The successes and failures of law enforcement in fighting financial crime are big news here at the Retail Payments Risk Forum. Earlier this year, we highlighted the gains made in reducing identity theft in the United States. Unfortunately, one form of crime continues to grow despite law enforcement's best efforts: financial crimes targeting the elderly. Last month, MetLife released a report indicating that elder financial abuse is widespread and growing. The report estimated $2.9 billion in annual losses to victims. MetLife based these estimates on an analysis of news articles documenting crimes over two three-month periods in mid- and late 2010. Survey research conducted at Cornell confirms that this is a major problem in New York State, where an average of 42 out of 1,000 elders were the victims of financial abuse. Furthermore, the report determined that victims reported fewer than 3 percent of incidents to authorities. While the rate of abuse remains subject to debate, fighting this grim crime is an ongoing battle for law enforcement and consumers.
Resources
- Adult Protective Services—Directory of providers
- The National Center on Elder Abuse (NCEA)
- The National Committee for the Prevention of Elder Abuse (NCPEA)
Elder financial abuse encompasses a category of crimes including theft, confidence tricks, Medicare and Medicaid fraud, forgery, and coerced property transfers. AARP has broadly defined the crime as "the illegal or improper use of a vulnerable adult's funds or property for another person's profit or advantage." The abuse is often a betrayal of a trusted relationship, and the victims are left with emotional and psychological scars that leave them feeling even more vulnerable.
Older Americans at risk of telemarketing fraud
MetLife also conducted a literature review and victim interviews to determine why the elderly are particularly vulnerable to financial abuse. Factors include poor physical health and limited mobility, mental health weaknesses related to the onset of dementia or Alzheimer's, and social isolation. Those who are isolated may be particularly susceptible to manipulation by con artists, for example.
Older Americans disproportionately suffer from telemarketing fraud, a scam where the victim is tricked into agreeing to electronic payments for fraudulent transactions. The criminals on the other end of the line are completely shameless in their techniques to gain the victim's trust. Con artists have targeted victims by searching for surviving spouses in local obituary notices or by purchasing lists of contact information for those who have been previously victimized in similar attacks. Banks can also become entangled in this financial abuse if they are not vigilant. In 2008, Wachovia was forced to pay out $125 million to the victims of fraudulent telemarketing businesses.
Consumer education the best defense
Combating elder financial abuse requires educating potential victims about the risks. Part of Wachovia's settlement included funding for financial literacy programs aimed at seniors. However, it is clear from rising crime rates that education alone is not a cure-all. Regulators, law enforcement, and financial institutions must collaborate to create more effective preventative measures. As a starting point, MetLife has published some consumer tips for prevention, and I have consolidated the recommendations of several of the sources cited above:
- Review financial statements and bills for unauthorized transactions.
- Use direct deposit and online banking to prevent mail theft.
- Sign your own checks.
- Keep passwords and ATM/debit card PINs secret.
- Review important documents like wills and insurance policies annually.
- Do not send money to strangers contacting you over the phone or internet: if an offer sounds too good to be true, it probably is.
- Be aware that abusers may be charismatic individuals or even someone you trust.
- Do not be afraid or embarrassed to seek help if you've been the victim of financial abuse. The longer you wait, the worse the situation can become.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 3, 2011 in consumer fraud, consumer protection, crime
July 14, 2011
Where will biometric ID technologies fit in fight against fraud?
Biometric systems are designed to recognize individuals based on their unique biological and behavioral traits. Traits such as hand geometry; fingerprints; voice and vein recognition; and retina, iris, and facial scans are all personal characteristics that can authenticate someone's identity. Using biometrics to combat fraud is not novel. In addition, a California-based company introduced in 2008 a risk management solution that identifies fraudsters through the use of voice printing, which allows the company to compare a caller's voice against a database of known criminals before the company authorizes a credit card payment.
In a previous post, we discussed the concept of using biometric technology to combat ATM fraud. Since then, we learned of ATMs abroad that are equipped with voice-based biometric technology that determines user honesty and helps prevent consumer credit fraud. In this post, we revisit the issue of biometrics, touching briefly on new developments in the payments industry as well as on issues reported on by companies and researchers.
Biometrics gain trust
Summarizing a poll it took of credit card users, Unisys reported in 2010 that consumers are becoming comfortable with the use of biometrics. In fact, according to the report, about two-thirds of the respondents indicated a preference for fingerprint biometrics over the use of photo verification, PINs, and signatures. A 2009 Gallup survey revealed that 58 percent of survey respondents would use biometrics to verify their identities, and a staggering 93 percent preferred fingerprints as their biometric of choice.
Searching for a secure biometric storage process
Biometric data on portable devices such as cards can last anywhere from six to 12 years. Technology such as Precise Biometrics' Match-on-Card allows cards to be activated with a fingerprint or iris scan instead of a PIN. All biometric information is stored on the card, so the matching of the biometric data takes place on the card.
This type of technology sends a biometric template to the card processor, which is matched to a reference biometric template stored on the card itself. The card protects personal identity information as it is transmitted across a contactless interface using radio frequency technology. Other companies have introduced similar products retaining all the biometric data on the portable device, which can lessen user anxiety since their biometric data is stored in a device the users control. However, user control over biometric data does not necessarily lessen the potential risk for lost, stolen, or damaged credentials.
Recommended considerations for biometric recognition technologies
According to a report by the National Research Council, "no single trait has been identified as stable and distinctive across all groups," so we cannot rely solely on voice printing, for example, or on fingerprints to guarantee security. The report also points out that biometric systems contain numerous "sources of uncertainty" that "need to be considered in system design and operation." For example, biometric characteristics often vary over an individual's lifetime due to a number of factors, including age or disease, and the systems may not capture or account for this variability. Other, more technical, issues may also create variability in these systems, including sensor calibration and data degradation. Even security breaches themselves add variability. As another "source of uncertainty," the report points to the fact that biometric systems may not be "designed and evaluated relative to their specific intended purposes," so they fail to account for factors such as the competence of the systems' users.
A final note
While there is no such thing as an impregnable security system, using multiple forms of credentials and identification components can strengthen most security systems. If biometrics is one of those layers, careful consideration should be given to measuring the merits and risks relative to other authentication technologies, such as PINs and signatures, as well as ensuring that the biometric that is selected functions as intended. Like any other authentication form factor, any biometric identification technology used should undergo a thorough threat assessment to determine its vulnerabilities and its potential for mitigating attacks. Biometrics may or may not become the panacea to authentication, but ensuring that users trust the entire biometric system is integral to its successful implementation and adoption in the fight against payments fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 14, 2011 in biometrics, consumer fraud, consumer protection
August 16, 2010
States tackle information security with a focus on payments fraud
In response to increased data breaches like the Heartland Payment System incident, some states have passed laws requiring businesses to comply with the Payment Card Industry Data Security Standard (PCI DSS), while others have passed laws with enhanced privacy and encryption requirements for organizations that handle consumers' credit and debit card numbers. But can state laws be changed quickly enough to keep pace with the creative approaches of individuals who commit fraud?
According to Javelin Strategy & Research's 2010 Data Breach Prevention and Response study, approximately 26 percent of U.S. consumers received data breach notifications in 2009. The study also found that one in four consumers had their credit or debit card replaced in 2009 due to security concerns. Additionally, data collected by the Identity Theft Resource Center shows that though the number of breaches may rise and fall, overall, the number of data breaches has doubled since 2007.
Source: http://idtheftcenter.org
*Adjusted Heartland number from 30 million to 130 million as per alleged breaches in Justice Department documentation.
Enhanced state encryption and payment card laws
States such as Massachusetts, Arizona, and Nevada have enacted encryption laws, while other states such as Washington and Minnesota have enacted payment card laws. However, to date, only Nevada and Washington have enacted a combination of both encryption and payment card laws.
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain personal financial data about its residents. Massachusetts' new encryption law is said to add teeth to a key requirement that many security breach notification laws lack by specifically delineating the security requirements that organizations must adopt to ensure their security measures are "reasonable" and "adequate." Some of those specifications include securing user authentication protocols, encrypting all personal information that travels across public networks and wirelessly, monitoring systems for unauthorized use or access, and updating security systems.
States that have adopted both enhanced encryption and payment card laws go a step further, requiring not only compliance with PCI DSS but also that the organization have an annual security assessment validating its compliance. The assessment must be performed annually to ensure compliance with PCI DSS.
What about out-of-state business?
Businesses that transact with consumers from one of the states that have enacted these laws may be required to comply with the new state laws. For instance, the Nevada encryption law applies to businesses in the state of Nevada but may extend its reach to businesses outside the state if they have a strong enough presence in Nevada.
Laws assign liability to payments participants
Some state laws address liability among payments participants to ensure that the participant in the best position to prevent loss carries its share, if not all, of the costs associated with the loss and subsequent loss prevention efforts. Determining which participant is responsible has undergone changes in the states that have adopted enhanced payment card laws. The states of Washington, Nevada and Minnesota, for example, make merchants who are not compliant with PCI DSS liable to financial institutions for associated costs in instances of security breaches. Washington state holds a business or processor liable to a financial institution for costs related to a data breach even if the financial institution has suffered no loss. Under Washington state's new payment card law, a vendor may also be held liable to a financial institution for damages that occurred as a direct result of the vendor's negligence.
Conclusion
Since the loss of data can be an indicator that fraud is being perpetrated, these latest state laws look to ensure that businesses who hold such data do so in a manner that appropriately safeguards consumers' privacy. Data breach and loss containment are ongoing challenges for organizations that handle consumers' nonpublic personal information, including credit and debit card numbers. The new encryption and payment card laws may require organizations handling consumer payments information to fundamentally reexamine their corporate security compliance obligations and evaluate the technical resources required to comply with specific state standards.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 16, 2010 in consumer fraud, consumer protection, fraud, law enforcement
August 09, 2010
Shopping at the Fraud Mall: Fictional fantasy or harsh reality?
One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.
Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.
In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit who travels frequently and pays off monthly. At the back of the store I located the bank account number case, priced from $2 to $1,000, with the top-of-the-line offering belonging to a high-balance account holder with several electronic withdrawals and a home banking service with a bank that has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.
Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.
I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conficker, were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.
Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.
Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.
The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."
Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud, and protecting our assets, our people, and our reputations is going to take more time and effort than ever before.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk
August 02, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations also help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk
July 19, 2010
Soccer balls and payment cards: A push for global standards
I am generally not a soccer fan but over the past few weeks I found myself curiously engaged in that nationalistic spectacle called the World Cup. Despite my general disinterest in low-scoring games and Oscar-quality performances by slightly injured players, I got caught up in the intensity of play and extraordinary skill levels displayed by these world class athletes. Then one day a debate erupted regarding standards. Apparently, soccer balls are not standardized and the one being used seemed hard and "skitterish." How bizarre!
Of course, my thoughts immediately turned to a more consequential global-standards issue taking place in the payments card world—the debate about the United States' reliance on the magnetic-stripe card standard as opposed to the chip-and-pin standard being adopted throughout the world, including in neighboring Canada.
Chip-and-pin technology has been deployed in Europe over the last decade as a means of reducing fraud by using the enhanced capabilities of a computer chip embedded in the plastic card to store and manage customer authentication data. Its success has been widely documented in recent fraud studies. This standard has been implemented using a specification called EMV, an acronym of Eurocard, MasterCard, and VISA, the original founders of the standard. In fact, EMV is now a corporation whose ownership has been expanded to include JCB (a Japanese card company) and American Express. So, what's the big deal? We survived the soccer ball dispute, so can't we survive the fact that the United States is not on board with the emerging global payments card standard? The answer may be a resounding "No!"
Various reports from payments research firms such as AITE have suggested that as many as 10 million U.S. travelers experienced difficulties with incompatible card technologies when traveling abroad during the past year. I learned some time ago that the least expensive and most secure way to acquire cash overseas is from an ATM machine. I now foresee a time when I will have to ask a European hotel concierge for the location of an American ATM (one capable of reading mag stripes), only to find out the nearest one is two miles away.
So why doesn't the United States adopt the emerging global standard? While there are many technological and political issues in play, the bottom line is that the overall cost of deployment to the U.S. payments system as a whole, and to merchants specifically, is a staggering number made even more daunting by the current state of the economy and available investment dollars. The Smartcard Alliance estimates that as many as six million merchant terminal devices may need to be replaced or upgraded to embrace chip-and-pin technology, with the bulk of the cost falling on the shoulders of merchants. Consequently, we are left to assume that we are likely to have to travel a long and winding road to migrate to the emerging global standard.
This observation is not in itself calamitous since past roads to worldwide standards are littered with the relics of failure (remember the push to implement the metric system?), but the stakes here are considerably higher in two important ways. First, we may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world. That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers. The second issue is that chip-and-pin technology is a critical element in progressing toward an even more secure and visionary goal—the deployment of mobile phone-based payments capabilities using a chip embedded in the phone. Industry conference agendas are crowded with sessions describing the way a smartphone can be waved near or tapped against a merchant terminal device using radio wave-based near-field communications (NFC) technology to capture the customer's payment credentials. Chips embedded in the phone, coupled with applications loaded on the phone from card-issuing banks, will create the effect of a "mobile wallet" that promises to be more convenient and, yes, more secure than what we use today.
So what should we do about this mess of the United States being out of step with respect to payments card technology? I would suggest that this issue could eventually reach the public policy level. Perhaps it is time for policymakers to consider whether migrating to an increasingly adopted world standard is in our best national interest. After all, we just mandated a move to digital television. While this change facilitated my ability to watch the World Cup in high definition, it cannot possibly be of the same importance as this brewing card issue. If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
July 19, 2010 in consumer fraud, mobile payments, risk, telecom
May 17, 2010
New Payments Spotlight podcast on mobile payments and banking
Play podcast: Mobile Payments and Banking (MP3 7:58)
Hardly a day goes by without an announcement or press release about a new mobile payments application. Although U.S. consumers have not readily embraced mobile banking and payments services, we must consider legal and regulatory questions if an eventual uptick in consumer adoption is to occur. For example, what are the implications of mobile financial services on consumer protection laws? What are the risks to the consumer, if any, when telecoms and other private companies are involved in payments clearing and settlement?
We explored these issues in our interview with Mark Budnitz, a law professor at Georgia State University's college of law and a member of the Retail Payments Risk Forum's Advisory Group. Budnitz lectures widely on payments systems before groups such as the American Bar Association and specializes in consumer protection with a special interest in electronic payments systems. This interview is our latest installment in the Payments Spotlight series, which features recorded interviews with experts in the payments industry on relevant risk and fraud issues.
Among the topics discussed in the podcast is the increased interest in mobile financial services in the United States. Recent consumer demand for access to smart phone applications that simplify everyday activities has prompted financial institutions to explore offering mobile financial services. Banks and nonbanks are entering this emerging ecosystem. Software developers, phone manufacturers, telecoms, and others are all looking for ways to participate in the mobile payments and banking value chain.
Consumer protection is a consideration with adoption of mobile payments
Budnitz also expressed his concerns about the implications of mobile payments and banking for consumer protection laws. One example he provided was the potential confusion consumers may face when trying to resolve billing disputes. He noted that the Electronic Funds Transfer Act (EFTA) typically covers error resolution for consumer electronic funds transfers involving a financial institution, but it is not always clear what law applies when a telecom or private company is involved in payments processing.
For now, Budnitz said, consumer protection laws generally regulate the consumer-card issuer and the consumer-merchant relationships but not the multiple relationships among consumers, telecoms, nonbank private companies, and others that are potentially present in the mobile payments world. This omission presents a valid consumer concern and explains both consumers' hesitancy to fully adopt mobile banking and payments and how that hesitancy has affected the pace of growth in the United States.
Privacy and security concerns take center stage with consumers
Another concern raised about mobile banking and payments is the potential for privacy and security risks. As Budnitz described, "Mobile financial services offer companies new avenues for invading privacy." These companies are able to collect data about consumers that they can sell to other companies.
Surveys have shown that security concerns are a major factor inhibiting consumer acceptance of mobile banking. For example, a 2008 Javelin Strategy & Research study on mobile banking security found that 47 percent of consumers surveyed did not use mobile banking because of security concerns. Furthermore, the survey found that consumers' top fear is having hackers steal sensitive banking data (73 percent) despite available mobile encryption and authentication tools.
Addressing gaps in regulatory and legal infrastructure for mobile commerce
As with most innovation, there is a potential that the legal and regulatory infrastructure will lag behind the development of new mobile banking products and services. Budnitz suggested that the federal regulatory agencies should work cooperatively to anticipate new developments and quickly respond. One way they could respond to a problem is with regulation or interagency guidance. However, he cautioned that the agencies must strike the delicate balance of making regulation that is not so specific that it stifles innovation and not so vague that it is easily misunderstood by consumers and businesses.
Consumer adoption of mobile payments in the United States will partly hinge on addressing the lingering concerns that consumers have about data privacy and security. Budnitz contends that having strong consumer laws in place benefits both consumers and the mobile financial services industry. Consumers who have greater confidence in the system will more readily embrace mobile payments, thereby building the demand needed to make it an attractive business investment.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
May 17, 2010 in consumer fraud, consumer protection, mobile payments
January 11, 2010
Mitigating unauthorized access to consumer accounts
New privacy rule: More clarity, less legalese
Keeping personal information private is increasingly difficult in today's environment, and as the shift toward paperless payments increases, new challenges emerge. All payment systems rely on some level of information sharing to be efficient, but they need to do so in a way that mitigates unauthorized access and fraud. Financial institutions continuously find themselves striking a balance between customers' increased demand for security, accessibility, and simplicity in their banking relationships and consumer protection laws and regulations.
Since the Gramm-Leach-Bliley Act's (GLBA) implementation in 1999, financial institutions have wrestled with how best to convey to their customers how personal information is collected and shared. GLBA requires each financial institution to provide an annual notice of its privacy policies and practices to consumers with whom it transacts business. This privacy notice should adequately describe how a financial institution will handle the disclosure of nonpublic personal information to affiliate companies and unrelated parties. While the intent of the notice was to improve transparency in the way nonpublic information is handled, consumers have complained that privacy notices are too lengthy, confusing, and packed with legalese. Partly in response to such concerns, in October 2006, the Financial Services Regulatory Relief Act amended the GLBA privacy rules to require that federal agencies develop model privacy notice forms and rules.
Federal regulators issue final model privacy notice form
On Nov. 17, 2009, the Fed's Board of Governors, along with the other banking regulators, released their final model privacy notice form to make it easier for consumers to understand how financial institutions gather, distribute, and protect their personal information. The form is not mandatory, but financial institutions that use the form will be provided a legal safe harbor from disclosure requirements under the privacy rules. Financial institutions may use other types of notices in addition to the model form as long as they comply with the privacy rules. Privacy advocates see this action as a step forward in consumer rights efforts. The new rule and notice form may be well received by the industry as new payment innovations introduce alternative ways to transport and use financial data, creating challenges for complying with privacy laws and regulation.
Data integrity and privacy
The preservation of consumer privacy encourages widespread participation in payments systems, a necessary element for an effective network. However, the exact degree of a consumer's desire for privacy protection is increasingly difficult to determine with emerging payments. This concept was articulated in research published by the New York Fed on emerging payments, which stated in part that "maintaining privacy is tricky because, by nature, it runs counter to the payment function: every type of payment requires the exchange of some information, which under the wrong circumstances can be subject to misuse." One example of misuse is identity theft, which can occur as a result of data breaches.
In 2008, the Federal Trade Commission (FTC) reported that approximately 9.33 million people experienced some type of identity theft crime and spent an average of $1,200 out-of-pocket to repair the damage. For the ninth year in a row, the FTC’s annual report on identity theft complaint data revealed that identity theft topped the list of complaints received in 2008. Events such as the 2008 data breach at payment processor Heartland Payment Systems, where information on more than 100 million payment cards was stolen through the use of malicious software, highlight the vulnerability of consumers' financial information.
In a study conducted by Javelin Strategy & Research, 19 percent of data breach victims also became victims of some type of consumer fraud within 12 months of the data breach occurring. Of the 19 percent, nearly 2 percent of the fraud victims reported that the fraud was a direct result of the data breach. These low numbers probably suggest a general lack of public understanding of the relationship between unauthorized data access and payments fraud.
Losses reduced when consumer engaged
Perhaps the new privacy rule and model notice form will promote better communication to consumers on how nonpublic information is shared by financial institutions. These efforts will continue to be important as more nonbank entities participate in alternative payments going forward.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 11, 2010 in consumer fraud

