Retail Payments Risk Forum

Portals and Rails

October 22, 2012

Ignorance Is No Excuse--Or Is It?

Last time I got a speeding ticket (just for the record, it's been a very long time), the officer didn't care that I didn't realize the speed limit was only 35 mph. As he told me, ignorance of the law is no excuse for breaking the law. Contrast that with consumer payments protections. Consumers can practice unsafe computing and expose their account information, yet regulations still protect them if an unauthorized payment is made using the information the consumer revealed. Although an unauthorized payment is transacted by someone else, the consumer, through his or her own behavior, may be aiding and abetting the lawbreaker.

As we study different payment types and channels here at the Retail Payments Risk Forum, a consistent theme has emerged: consumer behavior plays a significant role in payments issues, and consumer education is the antidote. Although the consumer may be protected from financial consequences even when they engage in unsafe online behavior, it is in everyone's best interest, including the consumer's, if the consumer is armed with enough information to behave safely and responsibly.

Take card payments and the conversion under way to EMV standards. As the cards are converted to a chip and reissued to consumers, the consumer will need to understand where and how the card can be used. Education will be critical if the chip implementation also includes the use of PINs. A recent analysis by DataGenetics shows that nearly 27 percent of PINs can easily be guessed by attempting 20 simple combinations such as "1234" or "0000." PINs can be an effective authentication method, if only the consumer is thoughtful in choosing a hard-to-guess PIN.
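The paragraph above argues that a PIN is only as strong as the consumer's choice of digits. As an added illustration (not from the original post or from the DataGenetics analysis), the following check rejects the structurally guessable PINs the paragraph describes, such as "1234" and "0000". The rules it applies (identical digits, ascending or descending runs, a repeated digit pair, a four-digit value that reads as a recent year) are this example's own assumptions about what "easy to guess" means, not a reproduction of the DataGenetics ranking.

```python
# Added example: a PIN-policy check for an issuer or card-activation flow.
# The weakness rules below are assumptions of this example, not the
# DataGenetics list; they generalise the two PINs quoted in the post.
import re


def _is_repeated_digit(pin: str) -> bool:
    # "0000", "7777"
    return len(set(pin)) == 1


def _is_sequential(pin: str) -> bool:
    # "1234", "9876": every step between neighbouring digits is +1 or every step is -1
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated_pair(pin: str) -> bool:
    # "1212", "6969"
    return len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2)


def _looks_like_year(pin: str) -> bool:
    # Assumed rule: a four-digit PIN in this range is often a birth or anniversary year
    return len(pin) == 4 and 1900 <= int(pin) <= 2030


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a PIN is considered guessable; an empty list means it is acceptable."""
    if not re.fullmatch(r"\d{4,12}", pin):
        return ["must be 4 to 12 digits"]
    reasons = []
    if _is_repeated_digit(pin):
        reasons.append("all digits identical")
    if _is_sequential(pin):
        reasons.append("ascending or descending sequence")
    if _is_repeated_pair(pin):
        reasons.append("repeated two-digit pair")
    if _looks_like_year(pin):
        reasons.append("reads as a year")
    return reasons


def is_acceptable_pin(pin: str) -> bool:
    """True when none of the weakness rules fire."""
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    # Constructed sample PINs
    for candidate in ["1234", "0000", "1987", "1212", "7392"]:
        print(candidate, pin_weaknesses(candidate) or "acceptable")
```

A check like this belongs at the point where the consumer selects or changes the PIN; it does not replace a lockout counter at the terminal, which is what actually bounds how many of the "20 simple combinations" an attacker gets to try.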

Consider ACH payments and the dreaded account takeover. The information used to perpetrate an account takeover is sometimes gained through malware that enables key logging. The malware is installed on the consumer's computer most likely because of the consumer's unsafe computing practices, such as clicking on unfamiliar links and opening attachments sent by suspicious or unknown sources.

The same is true for the emerging mobile channel, essentially a handheld computer with security considerations similar to the online channel. The September 2012 GAO report on Mobile Device Security concludes, "Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. These vulnerabilities can be the result of inadequate technical controls, but they can also result from the poor security practices of consumers." The report recognizes that many education and awareness efforts, both public and private, have occurred or are underway, but it remains unclear whether those efforts have raised consumer security awareness or had any beneficial effect on the security of the mobile device.

Diagnosing is the easy part...
While it's easy to recognize that consumer behavior is a problem in electronic payments, the solution of providing consumer education is elusive. As it turns out, financial institutions are in a good position to provide education. For one thing, consumers tend to trust their financial institutions, with their financial information and with their privacy. From a practical standpoint, financial institutions are commonly the connection point between the consumer and these payment types. However, the traditional connection point of the branch is evolving to the online and mobile channels.

So what can financial institutions do to better educate consumers in the new digital and mobile environment? They already devote significant resources to providing education, but the effectiveness of these efforts can be questioned as the incidence of fraud appears to be rising. Are there best practices for consumer education in the non-face-to-face environment that financial institutions should employ to positively impact fraud?

By Mary Kepler, vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

October 22, 2012 in cybercrime, data security, identity theft, mobile banking | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee45b228f970d

Listed below are links to blogs that reference Ignorance Is No Excuse--Or Is It?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 04, 2012

Pointing to the Future: Biometrics Crucial for Data Protection

Experts are escalating their call for aggressive measures to improve customer authentication as phishers, malware authors, and other criminals develop increasingly complex schemes to gain access to personal credentials. As we discussed in a previous post, the use of biometrics is gaining more attention as technological advances are bringing low-cost, high-quality solutions. In a recent paper ("The Case for Replacing Passwords with Biometrics"), authors Markus Jakobsson and Sebastien Taveau assert that biometric methods such as fingerprinting methods could address a large part of the looming cyber fraud problem.

Matching fingerprints to protection
Fingerprints as a means of identification have actually been used for more than 150 years. However, Jakobsson and Taveau note that lower technology costs may allow fingerprint authentication to become a mainstream risk mitigation solution, in concert with other backup authentication methods. (The Federal Financial Institutions Examination Council's 2011 Supplement to Authentication in an Internet Banking Environment reports that layered security controls go a long way to protecting consumer credentials and high-risk transactions from cyber threats.) According to Jakobsson and Taveau, the convergence of methods used by cybercriminals is driving fraud into the mobile arena, with an increased incidence of dual platform attacks targeting both PCs and mobile handsets. The authors describe how fingerprint authentication can improve authentication effectiveness and enable better risk management.

As more and more data are stored in personal clouds—remote data servers that store digital content for consumers—the security paradigm becomes more critical. Jakobsson and Taveau describe cases whereby fingerprints could effectively serve as a "key" to consumer information. Just authenticating users by asking who they are and what they know—in other words, prompting for name and password—is inadequate in such "remote" data storage environments. Essentially, "the cloud is a storage area with a door, the handset or other device is the lock and the fingerprint is the key."

The authors also describe the challenge of "BYOD"—that is, "bring your own device" to work. Many companies today permit employees to use their own devices. The use of multiple passwords and other protocols can create confusion that can tempt employees to circumvent authentication protocols designed for their protection. As we noted in a June post, one out of every 11 wallets contains easily discovered PINs. The use of the biometric tool of fingerprinting permits a simple authentication method that can be used across applications and devices, with greater assurance that the account or device owner and the device are in the same physical space.

I can't put my finger on it
Despite the promise of fingerprinting as an effective biometric risk management system, a number of concerns remain, according to the authors. Device sharing can be a problem when the device is secured with a biometric unique to a single user. An issue of a more violent nature is the potential of a criminal stealing someone's finger to facilitate a transaction. Jakobsson and Taveau aptly remark, "It is much better to have one's password stolen!"

In the final analysis, the authors note that the benefits of biometric authentication methods outweigh their deployment challenges. Furthermore, their authentication architecture using a "biometrically unlocked password manager" could provide significant protection against phishing and malware attacks—the primary tools of cybercrime. As the incidence of data breaches and account takeovers continues to rise, the argument for more secure authentication methods will continue as well.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

September 4, 2012 in biometrics, data security, identity theft | Permalink



November 14, 2011

Evidence for PCI’s effectiveness in the fight against fraud

Despite the PCI Council's best efforts and laudable goals, the effectiveness of its data security standard, PCI DSS, is frequently questioned. This standard is sometimes disparaged as expensive and ineffective. One critic has even decried the standard as a "false god." Such criticisms have stuck in part because it is difficult to know how many breaches would have occurred if it weren't for the PCI standard, and supporters have essentially been left to argue a counterfactual. The PCI Council has long maintained that no organization that has been breached has been found to have been compliant at the time of the breach, but the claim has never been fully validated.

Contrary to the claims of PCI DSS critics, however, Verizon has collected some data that support the value of PCI. The Verizon 2011 Payment Card Industry Compliance Report provides evidence that PCI compliance is effective at preventing breaches, and that the most compliant organizations are the least likely to be breached. The Verizon report provides a detailed analysis of compliance and breach threats across their client portfolio. The report reviews the cases of annual audit clients to assess compliance across the 12 PCI DSS requirements. The report also lays out the authors' retroactive assessment of the compliance of organizations that used the firm's forensic services after they suffered a breach.

The report ends up offering two very different perspectives: that of organizations proactively pursuing PCI compliance and that of organizations reacting to a breach that may not have previously emphasized compliance. The study sample consists of more than 100 reports from primarily American and European companies, and is the second year that this study was published (see the 2010 report here.)

Figure 3: Distribution of testing procedures met at IROC

At first glance, the report's findings seem discouraging because only 21 percent of organizations are found to be fully compliant at the beginning of the audit. However, the researchers assessed each organization's compliance across each requirement, and found that a further 37 percent were compliant across 90 to 99 percent of requirements.

Verizon conducted these assessments to help clients identify gaps and prepare them for their annual audit process. Once Verizon issued their Initial Reports of Compliance, the organizations then worked to fill all gaps and achieve full compliance. Of course, achieving full compliance is not a simple task. Full PCI compliance is extremely complex and requires ongoing testing and updates, and many organizations succumb to complacency and fatigue between audits. They may not respond to changing circumstances, and in fact the researchers found that compliance levels sometimes deteriorated over the course of the year.

Table 3: Percent of organizations meeting PCI DSS requirements

The complexity of achieving full compliance is one reason the PCI Council released the Prioritized Approach to compliance in 2009. These guidelines are intended to help firms with limited resources tackle the most effective security requirements first. Unfortunately, the researchers found no evidence that organizations had implemented this prioritization, which raises the concern that companies are not taking a strategic approach to the compliance process.

In the second half of the Verizon report, the researchers tried to tease out how breached companies are attacked and what characteristics made them most vulnerable. They found that breached companies were less likely to meet individual PCI requirements, and scored overall worse than nonbreached clients by a 50 percent margin on average. Additionally, every threat action identified by the forensic team could have been prevented with full PCI compliance.

Jen Mack, the director of Verizon's PCI Services, believes that the Verizon report shows that PCI is effective. She says, "It's clear the standards provide protection for card data if organizations implement them correctly and maintain them throughout the year." Verizon's report does provide strong evidence that PCI DSS is an effective tool for preventing breaches and combating fraud. Since data breaches are repeatedly recognized as a major threat to the payments industry, it is critical to leverage tools like PCI DSS. How can the PCI Council encourage increased compliance among merchants and other organizations? Will increased recognition of the standard's effectiveness lead to greater adoption?

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 14, 2011 in data security, fraud, payments risk | Permalink


Comments

At a time when consumer trust of financial institutions is at an all time low, companies that deal with consumer information should be taking a proactive approach to their security. The protection of consumer data is of utmost importance and the reputation of their brand hangs in the balance. Conducting audits internally or hiring a third party to do so on a regular basis to ensure companies are meeting PCI standards will help them stay vigilant about their security and regain their customers' trust.

Posted by: Cassie Fulton | December 06, 2011 at 05:10 PM

Whether PCI is effective in reducing fraud or not is not the issue. The question is whether it is COST EFFECTIVE. More specifically: Could a different approach achieve the same or better results, at lower cost?
Many experts consider PCI to be too expensive and difficult to implement for what it has achieved--and much less effective than could be accomplished using a more practical "risk based" approach.
The PCI program was poorly planned and is poorly managed, and has been co-opted by the QSA industry, which generates immense revenues from the ever-expanding scope and complexity.
The card brands do not seem to care about the expense, however, as the vast majority of the cost for PCI must be borne by the merchants.
The fact that "no organization has been found to have been compliant at the time of a breach" only underscores the problem, and speaks to the fruitlessness of merchants' efforts toward PCI compliance.

Posted by: Security Sam | November 16, 2011 at 04:37 PM

The fight against fraud is not an easy one and the fact that the number of breaches has been decreasing lately is down to the hard work from various parties, including the PCI Security Standards Council.
PCI DSS reassures consumers that cyber crime is taken seriously by the whole industry and that their card details will not be compromised.

Posted by: PayPoint.net Merchant Services | November 15, 2011 at 09:26 AM


January 31, 2011

Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens

Play podcast (MP3 7:23) | Transcript

Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.

Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.

Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.

Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.

Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.

Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating this malware include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may already have in place some low-tech tools to help prevent these takeovers: exposure limits, origination calendars, and prenotifications all provide added security layers.
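Three of the controls named above (dual control over payment file initiation, exposure limits, and origination calendars) can be expressed as a single release check on an outbound ACH batch. The following is an added example written for this page, not code from the podcast, from NACHA, or from Sandy Spring Bank; the data shapes, the customer profile, the threshold values and the sample batches are all constructed for illustration.

```python
# Added example: a release check for an ACH origination batch that enforces
# dual control, a daily exposure limit and an origination calendar.
# All names, shapes and thresholds below are assumptions of this example.
from dataclasses import dataclass
from datetime import date


@dataclass
class AchBatch:
    customer: str
    initiated_by: str          # user who built the payment file
    approved_by: list[str]     # users who approved its release
    total_amount: int          # in cents
    effective_date: date


@dataclass
class CustomerProfile:
    daily_exposure_limit: int  # in cents
    origination_days: set[int] # weekdays the customer is expected to originate on (0 = Monday)
    released_today: int = 0    # cents already released for this customer today


def release_check(batch: AchBatch, profile: CustomerProfile) -> list[str]:
    """Return the list of control failures; an empty list means the batch may be released."""
    failures = []

    # Dual control: the file must be approved by someone other than the person who built it.
    other_approvers = {user for user in batch.approved_by if user != batch.initiated_by}
    if not other_approvers:
        failures.append("dual control: needs an approver other than the initiator")

    # Exposure limit: what has already gone out today plus this batch must stay within the limit.
    if profile.released_today + batch.total_amount > profile.daily_exposure_limit:
        failures.append("exposure limit: batch would exceed the customer's daily limit")

    # Origination calendar: a file on a day the customer never originates is held for review.
    if batch.effective_date.weekday() not in profile.origination_days:
        failures.append("origination calendar: customer does not originate on this weekday")

    return failures


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: one batch that passes all three controls and one that fails all three."""
    profile = CustomerProfile(daily_exposure_limit=50_000_00, origination_days={0, 2, 4})
    good = AchBatch("acme-corp", "alice", ["bob"], 10_000_00, date(2011, 1, 31))    # a Monday
    bad = AchBatch("acme-corp", "alice", ["alice"], 60_000_00, date(2011, 1, 30))   # a Sunday, self-approved, over limit
    return release_check(good, profile), release_check(bad, profile)


if __name__ == "__main__":
    for result in demo():
        print(result or "release permitted")
```

In practice a failed check should hold the batch for an out-of-band confirmation with the customer rather than silently reject it, since a legitimate but unusual payroll run looks the same to these rules as a fraudulent one; the value of the check is that it forces that second contact before money leaves the bank.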

Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and their corporate customers to defend against cyber attacks.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud | Permalink



October 12, 2010

New study examines the effectiveness of U.S. payments security

As everyday citizens, we are all responsible for understanding the threat of identity theft and its potential to facilitate payments fraud. The proliferation of identity theft is not solely a by-product of the high-tech world in which we live; it has been around from time immemorial. In the pre-Internet era, identity theft and payments fraud were more commonly committed by a "familiar"—a family member or someone with access to the victim's home, office, or mailbox. This type of white-collar crime still exists today, of course, and its success rate, measured in terms of the number of fraud attempts that result in a monetary loss, remains high. But today's identity theft schemes are more complex and involve larger-scale data breaches, so they pose a more significant threat to the retail payments industry and demand stronger security management techniques.

This evolution has created the need for more sophisticated compliance initiatives to keep identity and payment information secure. Retailers are on the first line of defense, in many respects, since they are the receivers and keepers of payment card data used to facilitate purchases at the point of sale.

So, along those lines, how is the retail industry faring? A new study from Verizon—released Oct. 4—reports on how well the U.S. retail sector keeps payment card data secure.

PCI security compliance: A first line of defense
There is an industry-organized defense procedure, or set of procedures, created to guard against large-scale thefts of payment card data. This procedure is called the Payment Card Industry Data Security Standard, or PCI-DSS for short. The Verizon report notes a high correlation between an organization's PCI compliance and its resistance to data breaches.

Most large retail enterprises in the United States claim compliance with PCI-DSS, and they have their operational systems periodically audited to ensure continued compliance. Although many of the largest retailers are compliant—with some, like Heartland, even working now to go above and beyond the minimum requirements—the Verizon study reveals just how far U.S. retailers are from full PCI-DSS compliance.

The following table summarizes the findings of the Verizon report for PCI compliance rates.

Percent of organizations meeting PCI compliance requirements
Meeting the challenge—and going above and beyond
The study concludes that complying with PCI is a complex challenge for many retailers, but the outlook is good—the retail sector is heading in the right direction. On average, it reports, organizations meet 81 percent of the procedures required by PCI, and 75 percent of organizations meet at least 70 percent of the testing procedures required.

Some industry experts even contend that PCI-DSS compliance in and of itself is not enough, which is why Heartland Payment Systems—one of the largest U.S. card processors, which suffered a serious data breach in 2009—is raising the bar and requiring its merchants to use additional security measures for data encryption. All data messages must be encrypted when in transit and when at rest in temporary storage along the way. For now, organizations responsible for storing and transmitting this data will continue to be challenged with the responsibility for safeguarding their data from breaches that facilitate identity theft and payment fraud.

By guest blogger Dan Littman, Economist, Federal Reserve Bank of Cleveland

October 12, 2010 in data security, fraud, payments, payments risk | Permalink



September 20, 2010

Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2)


Last week, in Part 1, we took a conceptual look at the issue of balancing financial privacy interests with catching criminals. This week we look closer at the subject, with an eye on the legal landscape of financial privacy laws and law enforcement's ability to access financial records under the existing laws.

The legal battle between law enforcement and personal privacy in the United States is as old as privacy law itself, and maintaining a balance between the two has for years required continuous maintenance of financial privacy laws. One of the most recent changes occurred in 2001, with the introduction of the Patriot Act. While the Patriot Act gives law enforcement agencies easier access to financial information so they can intercept terrorist financing and prevent money laundering, the Patriot Act has also been used routinely to combat nonterrorist criminals.

But have we struck the right balance yet? Or are stronger financial privacy parameters needed to tip the scales in favor of either the consumer or law enforcement?

The financial privacy law landscape prior to the Patriot Act
Historically, customers have expected their bank records to be held in confidence, relying largely on their right to financial privacy based on their contractual agreement with the bank. But in 1970, the Bank Secrecy Act (BSA) became law, and turned that expectation upside down. The BSA began requiring financial institutions to maintain certain records on their customers and authorized the Secretary of the Treasury to require financial institutions to report certain financial transactions. That same year, the Fair Credit Reporting Act (FCRA) was passed, whose goal was to safeguard consumer financial information by limiting the availability of consumer credit reports only for specific "permissible purposes."

In 1978, the Right to Financial Privacy Act was passed, which generally precluded the disclosure of a consumer's individual financial records to a government authority without the customer's consent, absent a subpoena or other judicial order. In 1999, Title V of the Gramm-Leach Bliley Act addressed several additional issues relating to the protection of nonpublic personal information maintained by financial institutions. Since their enactment, each of these statutes has undergone several amendments, mostly in response to the competing interests between a consumer's right to financial privacy and law enforcement's legitimate need to access consumers' financial records.

The Patriot Act: enhanced law enforcement access to customers' financial records
The Patriot Act allows law enforcement to develop a strategy for catching the bad guys by virtue of significant changes in the regulatory scheme of financial privacy, including new "Know Your Customer" rules, and allowing the sharing of information between law enforcement and financial institutions. Specifically, section 314(a) of the Patriot Act allows law enforcement agencies to gather financial data about a person being investigated.

Under section 314(a), a federal law enforcement agency investigating either terrorist activity or money laundering may request that FinCEN (the U.S. Department of the Treasury's Financial Crimes Enforcement Network) provide certain financial information from a financial institution or group of financial institutions. FinCEN then turns to the financial institutions and asks them to search their records to determine whether they maintain or have maintained accounts for, or conducted transactions with, the individual or entity specified by the law enforcement agency.

If a financial institution has a record of dealing with the subject of the inquiry, it must report back to FinCEN, which in turn shares the collected financial information with the law enforcement agency. Financial institutions may not disclose that FinCEN or the requesting agency made such an information request. No search warrant or subpoena is required.

Section 314(a): Beyond terrorist financing and money laundering
According to FinCEN, investigations incorporating section 314(a) requests have included a Hawala operation, cigarette smuggling, arms trafficking, investment fraud, and an international criminal network. Anonymity stifles the ability of law enforcement to combat criminal activity. Consequently, one of the biggest challenges confronting law enforcement officials is connecting the dots when trying to catch the bad guys. However, given the delicate and often strained balance between the privacy laws and law enforcement’s need to access financial records, can a sacrifice in financial privacy result in a balancing benefit in more effective law enforcement, or does law enforcement have adequate tools today to intercept criminal activity?

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 20, 2010 in data security, privacy | Permalink



September 13, 2010

Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2)

Many, many years ago, when I was an elementary school student, I experienced the excitement of that now-defunct practice called "recess." This outdoor break in the school day allowed students to blow off steam, get some exercise, and learn social playground skills. It also allowed weary teachers to have a break from us. One of my favorite things on the playground was the "teeter-totter," the simple, two-person balancing board affixed to a fulcrum. The boredom of just going up and down was interrupted by doing so with force and speed or by surprising one's partner by jumping off, thereby causing the other party to descend rapidly, sometimes causing his/her bottom to hit the ground before the feet. More challenging, however, was the concept of the two riders trying to position themselves so that the teeter-totter would actually balance itself in a way that both parties would be suspended off the ground. Great fun!

Balancing data privacy rights
Strangely, this activity bears a strong resemblance to what we find ourselves doing in the payments system today as we try to balance a consumer's right to data privacy with a service provider's responsibility to protect a customer from financial loss. Achieving this balance has become a time-consuming and expensive activity for the payments industry and for law enforcement agencies charged with catching bad guys after they breach protected files.

The responsibilities inherent in providing data privacy protection are complicated because data privacy laws today are set largely at the state level. Consequently, some variance exists in due diligence. Companies whose customers span multiple states struggle to deal with different requirements and remedial actions should a data breach occur. Frequently, a company adopts procedures that comply with the most rigid of the laws, in essence satisfying the "greatest common denominator," the effect of which is to gravitate toward a de facto national standard in federal laws on data privacy.

Responsibilities in managing data breaches
No fewer than 24 federal laws exist today that attempt to protect the privacy of some aspect of our personal and business lives. However, there is no overarching federal legislation in place that specifically addresses financial data privacy. Such bills have been drafted, but they are logjammed in Congress behind more pressing matters. At the state level, virtually all states have some form of financial data privacy legislation on the books. For the most part, the banking industry has looked at the construct and verbiage of the 2002 California law as the standard of care for all. In essence, the law requires a company to report any breach in which a customer's name is compromised in combination with a Social Security number, a driver's license number, or any bank account information, including debit and credit card numbers. More recently, in March, Massachusetts adopted a seemingly more stringent law that speaks less to the need for post-breach remedial action and more to the prevention of breaches in the first place. In this way, data privacy legislation seems to be converging with the "commercially reasonable" data security requirements of Article 4A of the Uniform Commercial Code.

Ultimately, trouble arises when organizations are forced to guess what standards are commercially reasonable. Trouble also arises when companies attempt to minimize exposure by extending the definition of protected data to include non-personal information, such as company names and other identifiers resident in payment transaction records. While courts will have to sort out the first issue, the practice of businesses adopting self-imposed, expanded data protection standards is another matter.

The problem here is twofold. First, excess caution will inevitably lead to higher costs that have to be recovered elsewhere in a bank's profitability formula. Frequently, this occurs through the institution of some form of account. Second, over-interpretation of laws creates barriers to effective industry controls and processes for detecting and mitigating fraud, as well as making the regulatory and law enforcement aspects of fraud mitigation more cumbersome and expensive. Where, then, is the balance point on this teeter-totter of financial privacy?

Where do we go from here?
Unfortunately, the answer may ultimately lie in creating some umbrella national legislation that tries to strike the right balance. Such legislation must allow for a cadre of "trusted parties" who bear the responsibility for protecting data as the price for collecting it, so as to reduce financial crimes. As a consumer, I certainly don't want anyone misusing my personal information, but I also want those who do so to get caught and pay the price. It is only then that the cycle of improvement can take place: more forceful enforcement, more prison terms, fewer bad guys in the market, less privacy invasion, fewer sleepless nights. Inevitably, the balance point on a teeter-totter is reached only when one party pushes off first, and that may be the regulators and law enforcement.

By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

September 13, 2010 in data security, privacy


Entry title: Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2)


March 29, 2010

Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models

The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.

A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.

In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?

With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the banking payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternatively, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.

If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.

Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arise in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

March 29, 2010 in authentication, data security, fraud, mobile banking, mobile payments, risk

