Retail Payments Risk Forum

Portals and Rails

January 09, 2012

Is what you see what you get? Proposed pricing disclosures for electronic remittances

In previous posts, we've talked about the state of regulatory reform for remittance payments. Other posts have looked at the evolving landscape for money transmitters—or remittance transfer providers (RTP), as the new Consumer Financial Protection Bureau (CFPB) refers to them.

This week's post speaks directly to a proposed consumer protection requirement that RTPs in the United States may have to comply with when they send electronic remittances to recipients in foreign countries. Specifically, the proposed rule would require RTPs to disclose clear and complete information about cross-border money transfer services, including all fees, the exchange rate, and the amount of currency the recipient will actually receive once the fees and exchange rate have been applied.

This sounds reasonable. Under the new rule, consumers would be able to determine the total price, and therefore would know the net proceeds available to the recipient. The rule would also establish error resolution rights for remittance senders, defining standards for the resolution process and procedures for cancelling transactions and refunding fees.

However, variables outside the RTP's control can complicate remittance transfer pricing. Many RTPs have reported that the new requirements threaten to drive consumers to less formal and sometimes illicit money transmitters.

Below, we summarize some of the issues that the CFPB must consider as it crafts the final rule provisions. At issue is whether the agency will effectively achieve its mission of improving transparency for consumers without also bringing about the unintended consequences of onerous regulatory compliance costs for RTPs or undesired process formality for unbanked and possibly less sophisticated consumers.

Why would remittance costs vary?
The following table shows how pricing can change depending on how RTPs combine the fees and foreign exchange costs.

Many commenters on the proposed rule contend that RTPs cannot always control the transaction from start to finish, so compliance with such a requirement could become very complicated. They argue that the sending RTP may not know the exact amount of taxes, fees, and other charges that intermediary firms and governments impose. The lack of such information would also complicate the error resolution process. Nearly all commenters suggested that the rule be modified to allow RTPs to estimate costs based on information available at the time of the transaction.

Disclosures may not be enough to do the job
The CFPB aptly notes that disclosures alone may be insufficient in the effort to improve transparency and customer awareness. Consumers often rely on shortcuts and opt for convenience when making decisions, and they frequently do not make the most advantageous financial choices. Additionally, many consumers need extra help to understand disclosures, however well designed and articulated. The CFPB therefore also recommends augmenting disclosure practices with customer education and outreach campaigns.

There is yet another issue to consider. As we've noted in previous posts, technology is helping create new business models for money transmitters and opening new channels for delivering remittance services. As a result, RTPs will need to modify their disclosure practices for multiple channels as remittance transfers continue to evolve into new and innovative products and services. As the regulator now responsible for ensuring that nonbank RTPs provide adequate consumer protections, the CFPB must also assume an adaptive posture in this highly dynamic market.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

January 9, 2012 in consumer protection, remittances, transmitters


October 03, 2011

Cyberspace trust: Proving you're not a dog

A very real discomfort underlies the classic joke: "On the Internet, nobody knows you're a dog." How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate's Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you're reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

The most recent installment of the Payments Spotlight podcast series features Jeremy Grant, leader of the U.S. Department of Commerce's National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is a White House initiative that works collaboratively with the private and public sectors to improve the security of online transactions and to solve the problem of weak and inconvenient passwords.

"The genesis of it was President Obama's cyberspace policy review that was conducted shortly after he took office in 2009," Grant explains. The goals of the new cyberspace policy include "the creation of an identity management vision and strategy that the country could implement that would focus both on the securities aspects of the topic, as well as be dedicated to preserving or enhancing privacy and civil liberties." A critical first step, says Grant, is addressing the fact that "passwords are fundamentally broken and insecure, and simply don't cut it these days as a way to identify and authenticate online." (A May 2011 Payments Spotlight podcast addressed the weakness of single-factor authentication, such as logging in with just a password.)

Although the government is coordinating the NSTIC effort, the program is designed as a private-public partnership. Grant says it is not the government's role "to figure this out for the rest of the world, but to convene different private sector stakeholders, [including] tech firms, banks, healthcare firms, security firms, advocacy groups in the privacy and consumer communities, and other interested individuals." A major goal of NSTIC is to foster collaboration. He says, "We really want to have an open and participatory process where all different stakeholders can come together and collaborate and work out practical solutions to some of the challenges that the NSTIC lays out. Government will convene and we'll be an early adopter, but we are not going to actually lead this." Some private businesses are already excited about NSTIC. Michael Barrett, Chief Information Security Officer at PayPal, has voiced his support: "[We] will be offering more services to our customers over the coming months that directly support the NSTIC, which we expect will result in many new benefits to both our customers and the Internet overall."

So when can we expect to see NSTIC implemented? Currently the National Program Office is laying the groundwork for pilots, which can be expected sometime next year. In terms of resources, Grant notes that "for fiscal year 2012, the White House has proposed $24.5 million for NSTIC, including $17.5 million that would go towards pilot programs." The funds have not yet been appropriated, so budget wrangling may still change those numbers. Those pilots will be just the first step in architecting a more secure Internet identity infrastructure. If NSTIC achieves its vision, we can be confident that no fraudsters—or dogs—lurk behind our friends' Facebook profiles and e-mail addresses!

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 3, 2011 in collaboration, consumer protection, cybercrime


August 15, 2011

Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud

It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.

Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.

Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.

Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.

Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.

Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.

Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.

Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.

By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management


August 03, 2011

Fighting the rising tide of elder financial abuse

The successes and failures of law enforcement in fighting financial crime are big news here at the Retail Payments Risk Forum. Earlier this year, we highlighted the gains made in reducing identity theft in the United States. Unfortunately, one form of crime continues to grow despite law enforcement's best efforts: financial crimes targeting the elderly. Last month, MetLife released a report indicating that elder financial abuse is widespread and growing. The report estimated $2.9 billion in annual losses to victims. MetLife based these estimates on an analysis of news articles documenting crimes over two three-month periods in mid- and late 2010. Survey research conducted at Cornell confirms that this is a major problem in New York State, where an average of 42 out of 1,000 elders were the victims of financial abuse. Furthermore, the report determined that victims reported fewer than 3 percent of incidents to authorities. While the rate of abuse remains subject to debate, fighting this grim crime is an ongoing battle for law enforcement and consumers.

Elder financial abuse encompasses a category of crimes including theft, confidence tricks, Medicare and Medicaid fraud, forgery, and coerced property transfers. AARP has broadly defined the crime as "the illegal or improper use of a vulnerable adult's funds or property for another person's profit or advantage." The abuse is often a betrayal of a trusted relationship, and the victims are left with emotional and psychological scars that leave them feeling even more vulnerable.

Older Americans at risk of telemarketing fraud
MetLife also conducted a literature review and victim interviews to determine why the elderly are particularly vulnerable to financial abuse. Factors include poor physical health and limited mobility, mental health weaknesses related to the onset of dementia or Alzheimer's, and social isolation. Those who are isolated may be particularly susceptible to manipulation by con artists, for example.

Older Americans disproportionately suffer from telemarketing fraud, a scam where the victim is tricked into agreeing to electronic payments for fraudulent transactions. The criminals on the other end of the line are completely shameless in their techniques to gain the victim's trust. Con artists have targeted victims by searching for surviving spouses in local obituary notices or by purchasing lists of contact information for those who have been previously victimized in similar attacks. Banks can also become entangled in this financial abuse if they are not vigilant. In 2008, Wachovia was forced to pay out $125 million to the victims of fraudulent telemarketing businesses.

Consumer education the best defense
Combating elder financial abuse requires educating potential victims about the risks. Part of Wachovia's settlement included funding for financial literacy programs aimed at seniors. However, it is clear from rising crime rates that education alone is not a cure-all. Regulators, law enforcement, and financial institutions must collaborate to create more effective preventative measures. As a starting point, MetLife has published some consumer tips for prevention, and I have consolidated the recommendations of several of the sources cited above:

  • Review financial statements and bills for unauthorized transactions.
  • Use direct deposit and online banking to prevent mail theft.
  • Sign your own checks.
  • Keep passwords and ATM/debit card PINs secret.
  • Review important documents like wills and insurance policies annually.
  • Do not send money to strangers contacting you over the phone or internet: if an offer sounds too good to be true, it probably is.
  • Be aware that abusers may be charismatic individuals or even someone you trust.
  • Do not be afraid or embarrassed to seek help if you've been the victim of financial abuse. The longer you wait, the worse the situation can become.


By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 3, 2011 in consumer fraud, consumer protection, crime


August 01, 2011

Regulation E expected to add new consumer protections for remittance transfers

One of the many changes required by the Dodd-Frank Wall Street Reform and Consumer Protection Act is an update to Regulation E to reflect new protections for consumers who make remittance transfers to recipients in foreign countries. A remittance transfer is a transaction in which a consumer sends funds to someone in another country. The proposed rule is expected to help carry out the Dodd-Frank Act's overall intent to improve accountability and transparency in the financial system through new disclosures, notices, and error resolution procedures for remittance transfers. Recently, the Federal Reserve Board (the Board) formally announced its request for public comment on the proposed rule and model disclosures.

According to some initial comments on the proposed rule, some industry participants believe that the added requirements could increase costs and add unnecessary burdens to a system that is, as they view it, already functioning properly. Others expect that the proposed changes will reduce errors and even, in some instances, improve the speed for remittance transfers because of enhanced communications between the sending and receiving agents.

Will these changes to Reg E stifle progress in the remittance industry or help it become more consumer-friendly? And will these changes enable a thriving business environment for transfer providers—rather than stifling market growth—while preserving consumer protections?

Prevalence of remittance transfers
Remittance transfers are typically consumer-to-consumer payments of low monetary value. The World Bank estimates that a total of $440 billion in remittances was sent worldwide in 2010, of which $325 billion went to developing countries. The World Bank further estimates that the United States had the highest volume of remittances in 2009, totaling $48.3 billion.

New disclosures, notices, receipts, and error resolution procedures
Some of the proposed disclosure requirements call for remittance transfer providers to disclose to the sender, before the sender pays any money, the remittance value in the currency of the recipient's country, all fees charged in connection with the remittance transfer, and the exchange rate that will be used (to the nearest 1/100 point). Then, after sending the payment, the provider must provide the sender a series of other disclosures on the receipt. Separate notices are required for transfer providers that offer Internet-initiated remittance transfers.

Additionally, remittance transfer providers may be required to prominently display notices describing a model remittance transfer in every storefront location that the provider owns or controls. The proposal also adds new error resolution procedures for remittance transfers. Under the proposal, a consumer has 180 days from the promised delivery date to report an error. The notice may be oral or written, but it must state the amount of the transfer in the foreign currency, as indicated on the receipt.

Testing existing disclosures, notices, and error resolution procedures
Prior to releasing these proposals, the Board consulted with a research group to help determine whether these requirements would help the consumer price shop remittance services or understand their fee structure. Overall, the resulting study found that most participants (remittance senders) were satisfied with their experiences.

The study, when determining what information participants received from remittance transfer service providers during an in-person transaction, found that participants infrequently received written information before they completed the transaction. However, the participants indicated they could get needed information by asking an agent. In contrast, they almost always received some form of written information after the transaction, including the exchange rate, fees, amount of money sent, and so on.

Study participants were also asked to share their experiences with dealing with errors or problems during a remittance transaction. Most reported having had problems with at least one service provider, but almost all reported that their problems were resolved expeditiously. The most common error they reported was the misspelling of the recipient's name.

Conclusion
Remittance transfers are an increasingly important source of income for households in lower-income countries. Yet, given the results of the study on the current state of remittance transfers, it is difficult to know whether the Dodd-Frank Act's remittance provisions will increase efficiency in the remittance industry while preserving consumer protections. What is clear, though, is that the proposed amendments to Reg E will establish standardized disclosures and notices, thereby creating more transparency in the remittance industry so that a consumer can confidently price shop providers while fully understanding fee structures and services. Although the Board initiated these proposals, the Consumer Financial Protection Bureau assumed responsibility for this new regulation on July 21, 2011.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 1, 2011 in consumer protection, P2P, regulators, remittances


July 25, 2011

Is the final Durbin Amendment rule an impetus for EMV in the United States?

On June 29, the Federal Reserve Board released its much-anticipated final rule, Regulation II, to the Durbin Amendment. The Board's final rule significantly differs from its interim rule on this amendment, resulting in ample commentary from the payments industry, financial institutions, and the merchant community.

However, there has been little commentary provided about the potential impact the final rule may have on encouraging the migration of debit cards away from mag stripe to the EMV standard. Upon closer examination of the Board's lengthy final rule, it appears that issuers might have the ability to recoup a portion of EMV-related costs should they opt to migrate away from magnetic-stripe technology in the years ahead.

Initially, the Board limited allowable costs for the calculation of the interchange fee cap of $0.12 to include only variable costs associated with the authorization, clearance, and settlement (ACS) of transactions. In setting the final interchange cap base component at $0.21, the Board broadened its definition of allowable costs and included costs incurred to effect a debit transaction such as network connectivity and processing fees. The Board also included fixed costs, such as hardware and software costs, in developing its final interchange cap.

In addition to the $0.21 base component of the interchange cap, the Board included an ad valorem component of 5 basis points of the transaction value to reflect a portion of issuers' fraud losses. Finally, the final rule allows for a fraud-prevention adjustment of $0.01 per transaction, conditioned upon the issuer adopting effective fraud-prevention policies and procedures. These interchange fees become effective on October 1, 2011.

The final rule requires that the Board collect cost data from debit card issuers biennially. Presumably, the Board can make any necessary adjustments to the base component, the ad valorem component, and the fraud-prevention adjustment based on issuers' biennial reports of incurred costs.

What impact will the Board's final rule have on the future of EMV?
If the Board makes future adjustments to the interchange standard components based on the survey of costs every two years, language within the Board's final rule suggests that issuers may be able to recoup some, but not all, costs associated with an EMV migration. Given the Board's addition of fixed costs as allowable costs, hardware and software costs incurred by issuers to migrate to EMV might be included in future adjustments to the base component of the interchange cap. While the research and development (R&D) costs are not included in the base interchange standard, the rule states "the cost of research and development of new authentication methods would be considered in the fraud-prevention adjustment." Should issuers adopt EMV, R&D costs incurred are allowable under the fraud prevention adjustment standard. Finally, the final rule clearly excludes the cost of card production and delivery—a requirement for migration to EMV—as an allowable cost.

The impact of the Durbin Amendment on movement toward EMV remains open to debate. Is the potential for future debit card interchange rate increases enough to motivate issuers to finally migrate to the EMV standard? Do the current interchange cap and exclusion of some EMV-related costs from the interchange standard hinder a future move toward EMV? I am optimistic that future potential adjustments to the components of the interchange standard under the final rule's expanded set of allowable costs—along with the consideration of R&D costs as part of the fraud adjustment component—will have a positive impact on migration to EMV.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 25, 2011 in bank supervision, consumer protection, EMV


July 14, 2011

Where will biometric ID technologies fit in fight against fraud?

Biometric systems are designed to recognize individuals based on their unique biological and behavioral traits. Traits such as hand geometry, fingerprints, voice and vein patterns, and retina, iris, and facial scans are all personal characteristics that can authenticate someone's identity. Using biometrics to combat fraud is not novel. For example, in 2008 a California-based company introduced a risk management solution that identifies fraudsters through voice printing, which lets the company compare a caller's voice against a database of known criminals before it authorizes a credit card payment.

In a previous post, we discussed the concept of using biometric technology to combat ATM fraud. Since then, we have learned of ATMs abroad equipped with voice-based biometric technology that assesses user honesty and helps prevent consumer credit fraud. In this post, we revisit the issue of biometrics, touching briefly on new developments in the payments industry as well as on issues reported by companies and researchers.

Biometrics gain trust
Summarizing a poll it took of credit card users, Unisys reported in 2010 that consumers are becoming comfortable with the use of biometrics. In fact, according to the report, about two-thirds of the respondents indicated a preference for fingerprint biometrics over the use of photo verification, PINs, and signatures. A 2009 Gallup survey revealed that 58 percent of survey respondents would use biometrics to verify their identities, and a staggering 93 percent preferred fingerprints as their biometric of choice.

[Chart: Which of the following biometrics would you prefer to use to verify your identity?]

Searching for a secure biometric storage process
Biometric data stored on portable devices such as cards can remain in service anywhere from six to 12 years. Technology such as Precise Biometrics' Match-on-Card allows a card to be activated with a fingerprint or iris scan instead of a PIN. All of the biometric information is stored on the card, so the matching of the biometric data takes place on the card as well.

With this approach, the reader sends a freshly captured biometric template to the card's processor, which compares it against the reference template stored on the card itself. The card protects the personal identity information as it crosses the contactless, radio-frequency interface. Other companies have introduced similar products that keep all of the biometric data on the portable device, which can lessen user anxiety because the biometric data stays in a device the user controls. User control over biometric data does not, however, lessen the risk of lost, stolen, or damaged credentials.

Recommended considerations for biometric recognition technologies
According to a report by the National Research Council, "no single trait has been identified as stable and distinctive across all groups," so we cannot rely solely on voice printing, for example, or on fingerprints to guarantee security. The report also points out that biometric systems contain numerous "sources of uncertainty" that "need to be considered in system design and operation." For example, biometric characteristics often vary over an individual's lifetime because of age, disease, and other factors, and the systems may not capture or account for this variability. Other, more technical issues, including sensor calibration and data degradation, also introduce variability, and security breaches themselves add still more. As another "source of uncertainty," the report points to the fact that biometric systems may not be "designed and evaluated relative to their specific intended purposes," so they fail to account for factors such as the competence of the systems' users.
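To make the match-on-card flow described above and the NRC's "sources of uncertainty" concrete, here is an added Python sketch. It is not Precise Biometrics' or any other vendor's code and is not part of the original post. It assumes a template is a 256-bit code compared by Hamming distance, a 30 percent mismatch threshold, and a three-try lockout; all three are illustrative choices, as is the constructed enrollment data. The reference template is held as private state of the card object, the reader only ever receives an accept or reject, a noisy re-capture of the enrolled trait still matches, an unrelated template does not, and an over-tight threshold turns the genuine user away.

```python
"""Match-on-card sketch: the reference template stays on the card and only an
accept/reject decision (and a try counter) ever crosses the reader interface.

Added illustration, not a vendor's product code. The 256-bit template,
Hamming-distance comparison, 30% threshold and three-try lockout are all
assumptions chosen so the behaviour is easy to see.
"""
import random

TEMPLATE_BITS = 256


def make_template(rng: random.Random) -> int:
    """Constructed stand-in for a feature extractor: a random 256-bit code."""
    return rng.getrandbits(TEMPLATE_BITS)


def resample(template: int, flip_fraction: float, rng: random.Random) -> int:
    """Simulate a fresh capture of the same trait by flipping a fixed fraction
    of bits; this models sensor noise, ageing and other intra-subject
    variation, which is why matching is a threshold test, not an equality test."""
    flips = round(flip_fraction * TEMPLATE_BITS)
    noisy = template
    for bit in rng.sample(range(TEMPLATE_BITS), flips):
        noisy ^= 1 << bit
    return noisy


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


class MatchOnCard:
    """Model of the card side. The reference template is private state with
    no accessor (a modelling convention here; on a real card the secure
    element enforces it), and each failed match consumes one try."""

    def __init__(self, reference: int, threshold: float = 0.30, max_tries: int = 3):
        self.__reference = reference   # never leaves the card
        self.threshold = threshold     # max fraction of differing bits accepted
        self.max_tries = max_tries
        self.tries_left = max_tries

    @property
    def blocked(self) -> bool:
        return self.tries_left <= 0

    def verify(self, probe: int) -> bool:
        """Card-side comparison; the caller learns only accept or reject."""
        if self.blocked:
            return False
        fraction = hamming_distance(self.__reference, probe) / TEMPLATE_BITS
        if fraction <= self.threshold:
            self.tries_left = self.max_tries
            return True
        self.tries_left -= 1
        return False


def demo(seed: int = 7) -> dict:
    """Run the scenarios discussed in the post and return the outcomes."""
    rng = random.Random(seed)
    enrolled = make_template(rng)            # captured at enrollment
    card = MatchOnCard(enrolled)

    genuine = resample(enrolled, 0.05, rng)  # same person, 5% of bits differ
    impostor = make_template(rng)            # unrelated person, ~50% differ
    outcome = {
        "genuine_accepted": card.verify(genuine),
        "impostor_rejected": not card.verify(impostor),
    }

    # A threshold that ignores natural variability rejects the real user:
    # the NRC's "sources of uncertainty" show up as false rejects.
    strict = MatchOnCard(enrolled, threshold=0.01)
    outcome["strict_false_reject"] = not strict.verify(genuine)

    # Repeated failures block the card, like a PIN try counter, which bounds
    # brute-force probing across the contactless interface.
    for _ in range(strict.max_tries):
        strict.verify(impostor)
    outcome["blocked_after_failures"] = strict.blocked
    return outcome


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The threshold is where the design trade-off lives: raise it and more impostors slip through, lower it and the legitimate cardholder is turned away as their trait drifts with age or sensor conditions, which is the variability the NRC report warns about. The try counter is what keeps the card from becoming an oracle that an attacker can query indefinitely over the contactless interface.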

A final note
While there is no such thing as an impregnable security system, using multiple forms of credentials and identification components can strengthen most security systems. If biometrics is one of those layers, careful consideration should be given to weighing its merits and risks against other authentication technologies, such as PINs and signatures, and to ensuring that the biometric selected functions as intended. Like any other authentication form factor, a biometric identification technology should undergo a thorough threat assessment to determine its vulnerabilities and its potential for mitigating attacks. Biometrics may or may not become the panacea for authentication, but ensuring that users trust the entire biometric system is integral to its successful implementation and adoption in the fight against payments fraud.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 14, 2011 in biometrics, consumer fraud, consumer protection | Permalink


June 27, 2011

What are you signing away with a signature instead of a PIN on card transactions?

Recent years have witnessed the commercial banking industry making some surprising risk management decisions. For instance, many financial institutions encourage their customers to choose the credit/signature option of their debit cards rather than the PIN debit option. But the signature option is more vulnerable to fraud, and so is ultimately more costly to the industry. Signature debit transactions, moreover, are processed through the credit card networks, so the banks earn the higher interchange fee that comes with credit transactions rather than the lower fee on PIN debit transactions.

The point of this discussion is not to look at the anticipated effect of the Durbin amendment on interchange practices, but instead to focus on the moral hazard these practices present in the context of our nation's retail payment systems. The reason that signature debit carries a higher interchange fee is that it is less secure than PIN debit. In a recent study by the Federal Reserve Bank of Minneapolis, financial institutions reported that fraud attempts against signature debit eclipse those against other payment types. The report also says that debit cards, along with checks, are the payment types most often attacked by fraud schemes and, as a result, sustain the highest losses.

Chart: Payment types with the highest number of fraud attempts, by percent of respondents
Source: 2010 Payments Fraud Survey: Summary of Results, Federal Reserve Bank of Minneapolis

The study also found, however, that most financial institutions and other organizations report actual fraud losses of less than 1 percent of their annual revenues. That figure helps explain the risk-versus-return rationale behind these decisions.

As the incidence of payment card fraud in general is on the rise, it is time to take a proactive view of the risk management practices for debit card programs. While persuading customers to run debit card payments over the credit card networks may be more profitable in the short run, the industry may see an increase in fraud and risk in the retail payments system as a result.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

June 27, 2011 in consumer protection, fraud, interchange, risk | Permalink


June 20, 2011

Is a national data breach notification law on the horizon?

Extensive privacy regulations already provide a framework for identity theft prevention, data security, limitations on the use of data, requirements for data destruction, notice, user consent, and accountability. Among these laws are the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Gramm-Leach-Bliley Act. Each of these financial privacy laws has been amended several times since its enactment, but none has established standardized data breach notification rules.

At the state level, some legislatures have tackled data breaches by stepping up privacy and encryption requirements for organizations that handle credit and debit card data. According to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed laws that require some form of notification when security breaches involving personal information occur. Most of the state laws share common themes, yet several differences exist among them, making it difficult, costly, and burdensome for an organization operating across states to develop a consistent and effective security incident response plan.

A push for national data breach laws
In 2009, two federal data security bills cleared the U.S. Senate Judiciary Committee, and one also cleared the U.S. House of Representatives, but neither became law. One was the Personal Data Privacy and Security Act of 2009 (Data Privacy Act), and the other was the Data Breach Notification Act. The Data Privacy Act sought to mitigate identity theft, ensure privacy, and require that affected individuals be notified. The Data Breach Notification Act also imposed notification requirements but provided a safe harbor under which organizations would not have to report a breach if a risk assessment determined the incident would not harm consumers.

In another effort, the Federal Trade Commission (FTC) and the U.S. Department of Commerce (DoC) released reports within days of each other with recommendations for protecting consumer privacy online. The FTC's report came out on December 2, 2010, and the DoC's on December 16. The DoC report focuses on national consistency in security breach notification rules, recommending a "[f]ederal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities."

Seeking exemption from the FTC and DoC recommendations
Not everyone is on board with the DoC and FTC recommendations. On January 31, 2011, the Securities Industry and Financial Markets Association (SIFMA), a trade association of financial firms, sent a letter to the FTC and DoC asking that their privacy recommendations exclude industries, including financial services, that are already subject to sector-specific regulation. SIFMA's letter expressed the view that existing national privacy laws such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Electronic Communications Privacy Act already adequately govern the management of consumers' personal data.

SIFMA did express support of the introduction of a uniform national breach notification law that would preempt state laws, but only by requiring that consumers be notified of a breach when there is a significant risk of identity theft. SIFMA pointed out that "requiring notification if there is no significant risk of identity theft could have the unanticipated effect of overwhelming consumers with notices that might cause confusion and likely desensitize them to future notices."

Finding common ground
The comment period for the FTC report closed on February 18, 2011. Both the FTC and DoC are expected to issue final reports and guidance this year. The coincident timing of the two reports seems to have renewed focus on online privacy and on what best practices should be used to address perceived shortcomings.

Perhaps the FTC and DoC recommendations can shed some light on whether a national data breach notification law is warranted or whether the existing national and state-level laws sufficiently address the management of consumers' personal data. For now, it appears that most industry watchdogs believe that consumers and businesses alike could benefit from a national standard for security breach obligations, mainly because the differences in form and substance among the state laws make it increasingly complicated to report data breaches to the public effectively and impose undue costs on businesses trying to streamline their compliance.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

June 20, 2011 in consumer protection, cybercrime, identity theft, regulators | Permalink


December 20, 2010

You better watch out! ...Santa goes cyber

Happy holidays from the Retail Payments Risk Forum!

As the world has drifted away from traditional written communication to a fully electronic communications process, we see that Santa Claus has finally moved into the 21st century. On a network news show this week, we saw that there are still plenty of letters being written to Santa in the conventional way, but data from the industry consultant Javelin Gifts shows that only 26 percent of all Christmas lists are in paper form. Most kids now want to communicate with Jolly Ol' Saint Nick electronically. The benefits appear to be extraordinary for both the wide-eyed children and the man himself, not to mention the beleaguered elves, who can now use automated list sorting tools, name and address directories, and list matching to ensure the elimination of duplicate orders. A new feature labels each entry with a GPS locator that cuts down tremendously on useless flying around, thereby dramatically improving the overall "bales-of-hay-per-mile-flown" reindeer efficiency measure.

Santa's new website unveiled
Recently, we explored Santa's new site, where you can choose from a variety of options, including the usual descriptions and pictures of Santa's house, Mrs. Claus, all the important workshops, the latest Elf of the Month, and live video of the reindeer in their stables. The main tab, Christmas Lists, is of course the place for all boys and girls to enter their wish lists, following a brief application process (name, address, age, chimney/no chimney, naughty/nice, etc.) and the usual OFAC (Office of Foreign Assets Control) screening to ensure that those kids requesting bomb-making material are not terrorists. Recent attempts to hack the site have revealed that Santa's firewalls are pretty darn good, ensuring that there are no last-minute denial-of-service attacks from the Grinch or other such hooligans intent on spoiling Christmas for the rest of us. The site also appears to have pretty strong spam filters to counteract the recent attempts of high-end retailers to get Santa to provide only their brand of products.

Two other tabs are prominently shown. First, there is a live chat room where the customer can chat with specialist elves to get expert opinions on some of the hottest toys, including the current backlogs in production. Second, a tab called Value-Added Services encourages the customer to take advantage of things like gift wrapping, special notes from Santa, gift recall lists, and roof/chimney repair services. The fees associated with such services help keep the site maintained and contribute to the necessary overtime pay that inevitably piles up the last week before Christmas. One of the more interesting services is a data privacy service that provides for a Christmas list to be encrypted, thereby preventing prying eyes from seeing what they are getting under the tree. Of course, this also helps Santa stay out of legal trouble and avoid cumbersome government-mandated data breach reporting.

Wrestling with Christmas Criminals
Recently, the North Pole has had to address a growing number of account takeover concerns about Ukrainian hackers posing as children who might try to compromise the website on Christmas Eve, changing the addresses associated with some of the more attractive gift lists. The most effective malware to date rode in on a piece of spam entitled "Cookies and Canes" that the jolly old elf couldn't resist opening. My understanding is that Santa has fixed this problem by moving his site to a separate computer from his personal e-mail laptop.

Before logging off, we clicked on another tab called Flight Tracker that allows concerned parents to track the progress of their children's deliveries on Christmas Eve. This can be particularly helpful if Santa gets to your house at, oh, say 5:00 a.m. and you need to barricade the hallway to forestall the progress of some particularly geeked-up kids who wake up way too early and want to check out the tree.

And to all a good night!
Upon reflection, we were really impressed with Santa's new website, but disappointed that he had to implement so many fraud detection and prevention tools. However, there seem to be even more features to come. A news line scrolling across the bottom of the page promised upgrades next year to text messaging and Facebook for those kids who just don't have the time to send e-mail.

While the point of all this may seem to be to let you know that no one, including Kris Kringle himself, is exempt from fraud in the electronic world, it really is just a way to give our staff a week off from serious blogging and to wish all our dedicated readers a very Merry Christmas and Happy Holidays! See you next year!

By Rich Oliver, Cindy Merritt, and Ana Cavazos-Wright

December 20, 2010 in consumer protection, innovation | Permalink
