Retail Payments Risk Forum
Portals and Rails

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally. These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud | Permalink


February 04, 2013

The Promises and Pitfalls of Big Data

In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.

A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.

Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the wide usage of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.
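The profile-based risk rating described above, as an added Python illustration that is not from the post or any issuer's system; the transaction history, customer-set parameters, scoring weights and thresholds are all constructed for the example, and the last function shows the false-denial trade-off the paragraph mentions by counting errors at two thresholds.

```python
# Profile-based card transaction risk rating, as sketched in the post above.
# All data, weights and thresholds here are constructed for the illustration;
# they are not any issuer's actual model.
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

@dataclass(frozen=True)
class Txn:
    amount: float           # purchase amount in the cardholder's currency
    merchant_category: str  # e.g. "grocery", "fuel"
    country: str            # country code of the merchant

@dataclass(frozen=True)
class CustomerParams:
    """Limits the cardholder has personally established (optional)."""
    max_amount: Optional[float] = None
    allowed_countries: Optional[frozenset] = None

@dataclass(frozen=True)
class Profile:
    mean_amount: float
    std_amount: float
    categories: frozenset
    countries: frozenset

@dataclass(frozen=True)
class Decision:
    action: str  # "approve" or "deny"
    reason: str
    score: int

def build_profile(history: list[Txn]) -> Profile:
    """Summarise the cardholder's purchase history into a profile."""
    amounts = [t.amount for t in history]
    return Profile(mean(amounts), pstdev(amounts) or 1.0,  # 1.0 guards flat histories
                   frozenset(t.merchant_category for t in history),
                   frozenset(t.country for t in history))

def risk_score(txn: Txn, profile: Profile) -> int:
    """Score 0-100: how far the transaction falls outside the profile."""
    score = 0
    z = (txn.amount - profile.mean_amount) / profile.std_amount
    if z > 3:
        score += 50  # amount far above the cardholder's norm
    elif z > 2:
        score += 25
    if txn.merchant_category not in profile.categories:
        score += 20  # never shopped this kind of merchant before
    if txn.country not in profile.countries:
        score += 40  # never transacted in this country before
    return min(score, 100)

def decide(txn: Txn, profile: Profile, params: CustomerParams,
           deny_threshold: int = 60) -> Decision:
    """Rate the transaction at authorisation time and approve or deny it."""
    score = risk_score(txn, profile)
    # Customer-established parameters are hard limits, checked before the score.
    if params.max_amount is not None and txn.amount > params.max_amount:
        return Decision("deny", "exceeds customer-set amount limit", score)
    if params.allowed_countries is not None and txn.country not in params.allowed_countries:
        return Decision("deny", "outside customer-set country list", score)
    if score >= deny_threshold:
        return Decision("deny", f"risk score {score} >= {deny_threshold}", score)
    return Decision("approve", "within profile", score)

def count_errors(labelled: list[tuple[Txn, bool]], profile: Profile,
                 params: CustomerParams, deny_threshold: int) -> tuple[int, int]:
    """Return (false denials, missed fraud) at a threshold: lowering it catches
    more fraud but denies more genuine purchases, the trade-off the post notes."""
    false_denials = missed_fraud = 0
    for txn, is_fraud in labelled:
        denied = decide(txn, profile, params, deny_threshold).action == "deny"
        if denied and not is_fraud:
            false_denials += 1
        if not denied and is_fraud:
            missed_fraud += 1
    return false_denials, missed_fraud

# Constructed history: modest everyday spending, all domestic.
HISTORY = [
    Txn(42.10, "grocery", "US"), Txn(18.75, "fuel", "US"),
    Txn(63.40, "restaurant", "US"), Txn(27.30, "pharmacy", "US"),
    Txn(55.00, "grocery", "US"), Txn(31.90, "fuel", "US"),
    Txn(48.25, "restaurant", "US"), Txn(22.60, "pharmacy", "US"),
    Txn(70.15, "grocery", "US"), Txn(36.80, "fuel", "US"),
]
PROFILE = build_profile(HISTORY)
PARAMS = CustomerParams(max_amount=500.0)  # cardholder capped single purchases

# Constructed evaluation set: (transaction, is_fraud).
LABELLED = [
    (Txn(95.00, "restaurant", "CA"), False),  # genuine purchase while travelling
    (Txn(88.00, "grocery", "US"), False),
    (Txn(150.00, "restaurant", "US"), False),
    (Txn(1250.00, "electronics", "BR"), True),
    (Txn(400.00, "electronics", "US"), True),
]
```

Running `count_errors(LABELLED, PROFILE, PARAMS, t)` for t = 60 and t = 95 shows the trade-off: the lower threshold catches both constructed frauds but falsely denies the genuine travel purchase, while the higher one approves the traveller and misses the $400 fraud.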

While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?

In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.

Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.

February 4, 2013 in cards, consumer protection, privacy | Permalink


January 07, 2013

Boston Fed on mobile phone technology: "Smarter than we thought"

When it comes to mobile payments security, will the most secure solution win out, or will convenience rule the day? Mobile payment services are coming to market, however slowly, and as they do, security in supporting technology platforms is a critical consideration for merchants and consumers. In fact, many consumer surveys, such as this one released by the Federal Reserve Board, have reported that U.S. consumers consider security to be an important factor when deciding if they will use a mobile device to access financial information or engage in a payment service. Because security is a major contributor to the success and ultimate broad adoption of mobile payments, Boston Fed researchers examined how the primary technologies supporting mobile payments at the merchant point-of-sale address payments security. These technologies include near-field communication (or NFC) and cloud solutions.

This post looks at some of the high points of a paper written by the Boston Fed researchers about their analysis. The paper, published November 2012 and titled "Mobile phone technology: 'Smarter than we thought,'" discusses the unique characteristics of each technology and why security practices will vary accordingly.

NFC mobile payment options vary in security and convenience
The three primary approaches to NFC mobile payments all involve storing payment credentials in an encrypted smart card chip within the mobile phone. This chip, also known as the "secure element," may reside in the subscriber identity module (SIM) card, it may reside in the micro secure digital (SD)—or memory—card, or it may be hardwired into the actual device. Each of these approaches has benefits and disadvantages with respect to convenience and security.

For example, the SIM card's storage capability provides an additional layer of security. The wireless carrier can manage the SIM card remotely to prevent unauthorized access if the phone is lost or stolen or if the SIM card is removed. In other words, the mobile network operator controls access to the SIM card, which, depending on your perspective, may also be a drawback.

The memory card is also portable and communicates with apps to enable mobile payments. This method can be speedy to deploy. As a result, several U.S. banks, card networks, and transit authorities have piloted solutions using memory cards. However, these cards typically support only a single application or payment account, so they may not be the best long-term solution. Furthermore, their portability presents security concerns because there is no lock or PIN to prevent removal of the card from the phone and then subsequent unauthorized access to the payment information stored within it.

The third approach has the chip soldered into the hardware, making it relatively tamper-proof. Although it is less costly than the other NFC options, it provides no portability feature. So despite the stronger security features, this lack of portability makes this approach inconvenient because consumers cannot easily transfer payment credentials and applications when they switch phones.

Mobile payments in the cloud: A new security paradigm
While industry stakeholders were discussing the security options of NFC technology deployments, new alternatives emerged that rely on cloud computing. In cloud-based payment business models, the consumer's payment credentials are stored remotely on a server—which a merchant or payment services provider manages—as opposed to on the phone's hardware. Cloud-based services are less costly to deploy than NFC-based services. In addition, because they are hardware-agnostic, they are essentially portable and convenient for the consumer. In some ways, cloud-based payments can be more secure than in-phone solutions, since the consumer's payment credentials are not stored in the mobile phone and are not potentially exposed during transactions. However, it is still necessary to take steps to secure the remote storage of payment credentials and other important data. And, as the paper notes:

There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: 1) payments data is not transmitted via SMS [short message service, or instant messaging] or email because these platforms are not encrypted; and 2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network.

Data privacy remains a critical concern
Cloud providers have a responsibility to protect consumer data. They must comply with privacy laws and obtain explicit permission before sharing data or mining it for other monetization opportunities. Ultimately, cloud providers must make sure that the underlying payment services are secure and resilient.

When it comes to new mobile payment methods in the cloud, how will we make sure that cloud service providers are fulfilling these responsibilities? This new paradigm requires new processes for vendor management, especially for banks in mobile payments. Banks will need to be able to demonstrate to regulators that they have conducted a comprehensive risk assessment on service offerings and done third-party due diligence at the onset of an outsourced relationship. Regulators must provide ongoing oversight for financial stability and fulfillment of contractual responsibility.

Complex business models likely will use combinations of technology
As the paper notes, it is likely that we will see hybrid models that use both NFC and the cloud for managing different pieces of information associated with a payments transaction. As we noted in a previous post, there are benefits and challenges to both NFC and cloud technologies. Numerous complex variables are at play when it comes to their security environments. As these technologies are likely to coexist, it will be important to understand the underlying security features as new mobile payment solutions come to market in the future.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

January 7, 2013 in consumer protection, mobile banking, payments | Permalink


December 17, 2012

The Fraud Triangle

The "Rule of 3" is a principle that suggests when things come in threes, they are inherently funnier, more satisfying, or more effective. (I talked about the Rule of 3 in a recent post in which I described my search for the right payment product.) There's even a Latin phrase that generally describes this concept: omne trium perfectum, which means "everything that comes in threes is perfect," or "every set of three is complete."

This rule may apply even to occupational fraud. Long recognized as a predictor of fraudulent actions in the workplace, the Fraud Triangle suggests that three factors must be present for fraud to occur: opportunity, perceived pressure or motivation, and rationalization. But what happens when one of the three members of the trifecta is removed? Will it topple over like a three-legged stool that loses a leg? Will the chance of fraud be decreased?

The Fraud Triangle theory, first described by Donald Cressey in the 1950s, is based on interviews with 200 incarcerated embezzlers, including executives. Not surprisingly, the researchers found that the majority of these embezzlers had committed fraud for financial gain. But what they didn't expect was that most often the perpetrators had no intent to commit the crime.

In workplace fraud, there is the opportunity—say an employer doesn't follow necessary workplace controls and makes one trusted employee singly responsible for all the cash in the business. Then there is the financial trigger, or motivation—the employee experiences a sudden illness, is living beyond his or her means, experiences a loss of spousal income, or has an addiction.

Next, there is the rationalization. Say the employee feels job pressure because of too-high performance standards or unattainable goals, or maybe the employee simply wants to exact revenge on the employer for a missed promotion or reassignment. And voila! You have the Fraud Triangle. The employee has access to cash, needs cash in his or her personal life, and is angry at the employer anyway, so might feel somewhat justified in taking the money.

These situations can occur any time there are weak or missing controls, fast growth in a business, or just lax management, and they usually increase in times of downsizing and layoffs. The crime tends to start small. It may even at first be a true accident. But when it goes undetected, the amounts grow, as does the confidence of the fraudster.

According to the Fraud Triangle theory, then, opportunity, motivation, and rationalization combine to lead to fraud. As an employer, by taking away the opportunity, you can prevent fraud. Make sure you have the proper controls in place in your workplace, even if your workplace is your home, because you hire outside help.

You can protect yourself from fraud as a consumer, too. Make sure you have balance alerts on your accounts, use strong passwords, and undertake other prudent financial account management practices. Let's all keep our holidays safe and secure.

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

December 17, 2012 in consumer protection, workplace fraud | Permalink


December 03, 2012

CFPB Modifies Remittance Disclosure and Error Resolution Rules

According to its congressional mandate, the Consumer Financial Protection Bureau's (CFPB) primary focus is to advocate for consumers when dealing with financial companies. Champions of the CFPB see it as part of the "checks and balances" regulatory environment of all things financial. One of the CFPB's primary activities since being created in mid-2010 has been to work to create disclosures to assist consumers in better understanding their costs, rights, and responsibilities when entering into various financial transactions or agreements. The Dodd-Frank Act, which created the CFPB, also added a new section to the Electronic Funds Transfer Act (EFTA) implemented through Regulation E. The addition requires the CFPB to develop disclosure and error resolution requirements for remittances being sent outside the United States.

In February 2012, the CFPB published rule 1073 dealing with the prepayment disclosure of the total costs of consumer-originated remittances. The rule also imposed liability for errors on the remittance transfer provider (RTP) even if the consumer was the one that provided an incorrect account number or routing information. The rule was originally scheduled to become effective February 7, 2013. More details about the rule can be found in previous Portals and Rails blogs. (Under Categories on the right side of this post, select remittances to get a full listing.)

Responding to input from financial institutions, other governmental regulatory agencies, and the remittance industry groups, the CFPB announced on November 27, 2012, that it plans to issue a proposal to refine specific provisions of the rule and will propose an extension of the effective date until 90 days after the bureau finalizes the proposal. Following are the proposed key changes:

  • One of the key requirements of the rule is that the RTP must disclose the exchange rate and all fees and taxes charged for the remittance so the sender can see the net amount received by the recipient. The CFPB received a number of comments indicating that it would be extremely difficult for RTPs to create and maintain an accurate database of national and local taxes as well as other fees imposed by the disbursement facility. In response, the CFPB's proposal will provide additional flexibility by permitting RTPs to base disclosures on published bank fee schedules and only for taxes levied at the national level.

  • Originally, the rule placed the liability on the RTP for transmittal errors resulting in nondelivery or late delivery resulting from incorrect account numbers. However, the CFPB plans to release the RTP from this responsibility if the RTP can demonstrate that the consumer provided incorrect information. The RTP must still make a good faith effort to recover the funds.

The CFPB will be publishing its proposed modifications in December and will be seeking public comment before issuing a final rule sometime in the spring. While these modifications are termed "limited" by the CFPB, remittance providers must be breathing a measured sigh of relief, especially regarding the shift in liability from consumer-created errors. It will be interesting to monitor the impact of these regulations to determine if there has been any constriction in the number of countries served due to the additional requirements.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 3, 2012 in consumer protection, remittances | Permalink


June 25, 2012

An interview with a risk expert: The costs of complying with Dodd-Frank 1073

This week's post features an interview with Devon Marsh, senior vice president and treasury management risk manager at Wells Fargo Bank, N.A. We asked Devon for his thoughts on recent amendments to Regulation E as a result of Section 1073 of the Dodd-Frank Act.

P&R: Devon, what is the interest of Dodd-Frank 1073 to a risk manager?

Devon Marsh: I'm interested for a couple of reasons. First, it imposes a compliance obligation—and a steep one. The second reason I'm interested, and the reason that concerns me more than our ability to comply, is that this rule poses risk to consumers and financial institutions.

P&R: How can a rule aimed at consumer protection pose a risk to consumers?

Marsh: There is a risk that familiar services may become harder to find if some remittance providers such as banks can no longer afford the new compliance costs imposed by 1073. Remittance services are vital to some consumers, and they are at risk of having fewer providers from which to choose.

P&R: The new rule is designed to improve consumer protections in remittance transfers. What are some of the specific challenges that remittance providers will face?

Marsh: The new rule requires very detailed disclosures with a lot more information, so that consumers on both sides of the remittance transaction can better understand how fees reduce the payment transfer. The problem that arises is that remittance providers may not know the exact amount of all the fees. For example, they may not know the tax rates on a given day in a small municipality in another country. In certain countries, tax rates change depending on the day or the total volume of remittances over a period of time. You can't disclose what you can't possibly know.

The new error resolution process defined by the rule is another example where providers will be challenged to comply. In the new rule, remittance providers are responsible not only for their own mistakes, but for errors committed by consumers. If a consumer happens to enter the wrong beneficiary account number, for example, the remittance provider must cover any loss associated with the transaction, even though the consumer error was out of its control.

Because remittance providers are now responsible for consumer error, the rule may create the risk of intentional fraud, whereby a criminal could send a remittance to an accomplice who collects the money. Then the person sending the funds could claim that the funds never reached the intended beneficiary, saying they provided the wrong account number. In such a situation, it would be exceedingly difficult for a remittance provider to prove that an error did not take place, and even more difficult to recover funds.

If fraud losses increase for remittances, the price of remittances will increase. The risk of fraud loss, added to the cost of compliance on the front end, may prove too great for some providers to bear, so they may exit the business. Consequently, consumers could have fewer options for sending remittances, and higher costs for the service due to fraud losses.

P&R: What can remittance providers do to address the challenges in this rule?

Marsh: Given the tight time frame, it looks like remittance providers can't do much to change the rule. Hopefully, more dialogue with regulators and policymakers can influence understanding and lead to new industry perspectives on how remittance providers will deal with compliance challenges imposed by 1073. If not, the consumer may have fewer choices and higher prices than they have today.

June 25, 2012 in consumer protection, regulators | Permalink


June 04, 2012

The new consumer protection agency looks at prepaid cards

The prepaid card industry has grown faster than many expected it to in recent years. The industry has a wide range of customers today, including not only the underbanked market but also many other market segments. In fact, in a public hearing on May 23, 2012, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray noted that while many consumers "actually have a bank account, they often use nonbank products to meet their financial needs," including the relatively new prepaid card. As this product has grown in acceptance, consumer advocacy groups have voiced concerns about the potential lack of consumer protections and the need for regulatory clarity for prepaid product providers. In response to these concerns, the CFPB announced its plan to launch a rulemaking initiative to promote safety and transparency in the prepaid market.

Why legal protections differ
While payment law critics cite the fragmented legal landscape for retail payment methods, the differences lie in the underlying mechanics. In the simplest of terms, retail payments can be segmented into three basic genres: "paying now" through a deduction in your account balance at a financial institution through either a check or debit card; "paying later" by using a credit card, which involves a loan from the payment service provider to cover the cost of the purchase in the transaction; and "paying before," by prefunding an account by the consumer for use at a later time.

These inherent funding differences lend themselves to different laws, regulations, and rule sets, since the timing and liability for maintaining the safety of the funds in each case differs. Consumer lending protection laws, for example, have relevance only for credit payment products. The emergence of new prepaid products and nonbanks participating in new business models, along with the sometimes questionable pricing schemes and fees, points to the need for industry dialogue on what new regulatory governance is needed in prepaid services today.

Growth in prepaid
The Federal Reserve’s last triennial payment study revealed that prepaid cards, particularly the general-purpose reloadable (GPR) variety, were the fastest growing retail payment in recent years, even though they represent a relatively small piece of the overall pie of preferred retail payment types. GPR cards allow the consumer—or another party, like an employer—to add funds to the card. This reloadable feature makes the product functional and convenient, and allows consumers who traditionally relied on cash to participate in the electronic economy.

Recent growth in prepaid cards

Increased e-commerce is in turn leading to the use of prepaid in the mobile environment. Payment providers have been experimenting in recent years with bridge technologies such as prepaid card stickers using contactless technology. The sticker is put on the mobile handset, and is intended to influence consumer payment behavior by offering consumers the opportunity to tap their mobile phones at the merchant’s point of sale. As a result, the advanced notice of rulemaking notes that a prepaid "card" may also take the form of other access devices, such as key fobs, or even a cell phone application that accesses a prepaid financial account.

What the CFPB is offering consumers
When it comes to prepaid cards, the public hearing made it clear that the CFPB wants to make sure, first and foremost, that consumers’ funds are safe, especially because not all prepaid accounts are structured so that they are protected by deposit insurance. The agency also wants to make sure that consumers have access to clearly written disclosures on card terms and fees before they even open a prepaid account. In the hearing, the CFPB also discussed a proposal to extend Regulation E protections to include GPR cards specifically. Furthermore, the CFPB also launched "Ask CFPB: Prepaid Cards" on its website to provide consumers with information about prepaid cards in a question-and-answer format.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

June 4, 2012 in consumer protection, payments, prepaid | Permalink


January 09, 2012

Is what you see what you get? Proposed pricing disclosures for electronic remittances

In previous posts, we've talked about the state of regulatory reform for remittance payments. Other posts have looked at the evolving landscape for money transmitters—or remittance transfer providers (RTP), as the new Consumer Financial Protection Bureau (CFPB) refers to them.

This week's post speaks directly to a proposed consumer protection requirement that RTPs in the United States may have to comply with when they send electronic remittances to recipients in foreign countries. Specifically, the proposed rule would require RTPs to disclose clear and complete information about cross-border money transfer services, including all fees, the exchange rate, and the amount of currency the recipient will actually receive once the fees and exchange rate have been applied.

This sounds reasonable. Under the new rule, consumers would be able to determine the total price, and therefore would know the net proceeds available to the recipient. The rule would also establish error resolution rights for remittance senders, defining standards for the resolution process and procedures for cancelling transactions and refunding fees.

However, variables outside the RTP's control can complicate remittance transfer pricing. Many RTPs have reported that the new requirements threaten to drive consumers to less formal and sometimes illicit money transmitters.

Below, we summarize some of the issues that the CFPB must consider as it crafts the final rule provisions. At issue is whether the agency will effectively achieve its mission of improving transparency for consumers without also bringing about the unintended consequences of onerous regulatory compliance costs for RTPs or undesired process formality for unbanked and possibly less sophisticated consumers.

Why would remittance costs vary?
The following table shows how pricing can change depending on how RTPs combine the fees and foreign exchange costs.

Many commenters on the proposed rule contend that RTPs cannot always control the transaction from start to finish, so compliance with such a requirement could become very complicated. They argue that the sending RTP may not know the exact amount of taxes, fees, and other charges that intermediary firms and governments impose. The lack of such information would also complicate the error resolution process. Nearly all commenters suggested that the rule be modified to allow RTPs to estimate costs based on information available at the time of the transaction.
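As an added illustration (it is not the post's table, nor the CFPB's or any provider's pricing code, and every amount, rate and fee in it is made up), the Python below computes the four items the proposed rule would have an RTP disclose: fees, the exchange rate applied, the amount the recipient actually receives, and the total cost to the sender. Three constructed quotes for the same $300 transfer show how a "$5 fee" at mid-market, a "$5 fee" with a 3 percent spread on the rate, and a "no fee" quote with a 5 percent spread can rank very differently once everything is combined. The third quote also models the case commenters raised: a downstream agent charge the sending RTP knows only as a range, which forces the recipient amount and total cost to be disclosed as estimates.

```python
# Constructed example for this post: not the CFPB's, nor any remittance
# transfer provider's, pricing code. Amounts, rates and fees are made up.
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


def money(x: Decimal, places: str = "0.01") -> Decimal:
    """Round the way a printed disclosure would (half up, to cents/centavos)."""
    return x.quantize(Decimal(places), rounding=ROUND_HALF_UP)


@dataclass(frozen=True)
class Quote:
    """One way an RTP can price a transfer of `send_amount` USD."""
    label: str
    send_amount: Decimal        # principal the sender wants to send, USD
    fixed_fee: Decimal          # flat transfer fee, USD
    pct_fee: Decimal            # percentage fee on the principal (0.01 = 1%)
    mid_market_rate: Decimal    # reference rate, destination units per USD
    fx_margin: Decimal          # spread the RTP keeps (0.03 = 3% below mid-market)
    fees_on_top: bool           # True: fees added to what the sender pays;
                                # False: fees deducted from the principal
    intermediary_fee: tuple[Decimal, Decimal]  # (low, high) deducted downstream, in
                                # destination currency; low == high when known exactly


def disclose(q: Quote) -> dict:
    """Return the items the proposed rule names: fees, rate, amount received, total cost."""
    fees_usd = q.fixed_fee + q.pct_fee * q.send_amount
    applied_rate = q.mid_market_rate * (Decimal(1) - q.fx_margin)
    if q.fees_on_top:
        sender_pays, base = q.send_amount + fees_usd, q.send_amount
    else:
        sender_pays, base = q.send_amount, q.send_amount - fees_usd
    converted = base * applied_rate        # arrives before downstream deductions
    fx_cost_usd = base * q.fx_margin       # the spread, expressed in the sender's currency
    low, high = q.intermediary_fee
    # Unknown downstream charges turn the figures into a range: the estimate
    # that commenters asked the rule to permit.
    received = (converted - high, converted - low)
    total_cost = (fees_usd + fx_cost_usd + low / q.mid_market_rate,
                  fees_usd + fx_cost_usd + high / q.mid_market_rate)
    return {
        "label": q.label,
        "sender_pays_usd": money(sender_pays),
        "fees_usd": money(fees_usd),
        "exchange_rate": money(applied_rate, "0.0001"),
        "recipient_gets": tuple(money(v) for v in received),
        "total_cost_usd": tuple(money(v) for v in total_cost),
        "is_estimate": low != high,
    }


def rank_by_total_cost(quotes: list[Quote]) -> list[str]:
    """Order quotes by worst-case total cost to the sender, cheapest first."""
    return [d["label"] for d in sorted((disclose(q) for q in quotes),
                                        key=lambda d: d["total_cost_usd"][1])]


D = Decimal
# Three constructed ways to price a $300 transfer against a 13.00 reference rate.
QUOTES = [
    # A: $5 flat fee, rate at mid-market, fee added on top, no downstream charge.
    Quote("A", D("300"), D("5"), D("0"), D("13.00"), D("0"), True, (D("0"), D("0"))),
    # B: same $5 headline fee, but a 3% spread hidden in the rate.
    Quote("B", D("300"), D("5"), D("0"), D("13.00"), D("0.03"), True, (D("0"), D("0"))),
    # C: advertised as "no fee": 5% spread, plus an agent deduction the sending
    #    RTP can only estimate at 20 to 50 units of destination currency.
    Quote("C", D("300"), D("0"), D("0"), D("13.00"), D("0.05"), False, (D("20"), D("50"))),
]

if __name__ == "__main__":
    for q in QUOTES:
        d = disclose(q)
        lo, hi = d["recipient_gets"]
        amount = f"{lo}" if not d["is_estimate"] else f"estimated {lo} to {hi}"
        print(f"{d['label']}: sender pays {d['sender_pays_usd']} USD, fees {d['fees_usd']}, "
              f"rate {d['exchange_rate']}, recipient gets {amount}, "
              f"total cost {d['total_cost_usd'][0]} to {d['total_cost_usd'][1]} USD")
    print("cheapest to most expensive:", rank_by_total_cost(QUOTES))
```

Run as a script it prints one disclosure line per quote. The headline fee ranks C ("no fee") ahead of A and B, but the total cost ranks A, then B, then C, which is the gap between "what you see" and "what you get" that the rule is meant to close. Quote C is also the one that cannot be disclosed as a single number at the time of the transaction, because the agent deduction is only known as a range.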

Disclosures may not be enough to do the job
The CFPB aptly notes that disclosures alone may be insufficient for improving transparency and customer awareness. Consumers often rely on shortcuts and opt for convenience when making decisions, and they often do not make the most advantageous financial choices. Additionally, many consumers need some extra help to understand disclosures, however well designed and articulated. The CFPB therefore recommends augmenting disclosure practices with customer education and outreach campaigns.

There is yet another issue to consider. As we've noted in previous posts, technology is helping create new business models for money transmitters and opening new channels for delivering remittance services. As a result, RTPs will need to adapt their disclosure practices to multiple channels as remittance transfers continue to evolve into new and innovative products and services. As the new regulator responsible for ensuring that nonbank RTPs provide adequate consumer protections, the CFPB must likewise assume an adaptive posture in the highly dynamic remittance service market.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

January 9, 2012 in consumer protection, remittances, transmitters | Permalink


October 03, 2011

Cyberspace trust: Proving you're not a dog

A very real discomfort underlies the classic joke: "On the Internet, nobody knows you're a dog." How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate's Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you're reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

The most recent installment of the Payments Spotlight podcast series features Jeremy Grant, leader of the U.S. Department of Commerce's National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is a White House initiative that works collaboratively with the private and public sectors to improve the security of online transactions, in part by solving the problem of weak and inconvenient passwords.

"The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009," Grant explains. The goals of the new cyberspace policy include "the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties." A critical first step, says Grant, is addressing the fact that "passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online." (A May 2011 Payments Spotlight podcast addressed the weakness of single-factor authentication, such as logging in with just a password.)

Although the government is coordinating the NSTIC effort, the program is designed as a private-public partnership. Grant says it is not the government's role "to figure this out for the rest of the world, but to convene different private sector stakeholders, [including] tech firms, banks, healthcare firms, security firms, advocacy groups in the privacy and consumer communities, and other interested individuals." A major goal of NSTIC is to foster collaboration. He says, "We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. Government will convene and we'll be an early adopter, but we are not going to actually lead this." Some private businesses are already excited about NSTIC. Michael Barrett, Chief Information Security Officer at PayPal, has voiced his support: "[We] will be offering more services to our customers over the coming months that directly support the NSTIC, which we expect will result in many new benefits to both our customers and the Internet overall."

So when can we expect to see NSTIC implemented? Currently the National Program Office is laying the groundwork for pilots, which can be expected sometime next year. In terms of resources, Grant notes that "for fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs." The funds have not yet been appropriated, so budget wrangling may still change those numbers. Those pilots will be just the first step in architecting a more secure Internet identity infrastructure. If NSTIC achieves its vision, we can be confident that no fraudsters—or dogs—lurk behind our friends' Facebook profiles and e-mail addresses!

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 3, 2011 in collaboration, consumer protection, cybercrime | Permalink


August 15, 2011

Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud

It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of Pac-Man (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.

Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.

Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.

Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.

Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.

Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement its new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.

Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.

Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.

By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management | Permalink
