March 15, 2010
Global challenge: Catching crooks while protecting privacy
As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.
Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.
Tangled web
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimens that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, no less globally. The global version of this dilemma gained center stage on February 2010 when the folks at the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programs (TFTP). These programs were established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury law enforcement agencies to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for banking transactions. Privacy laws and liabilities were cited as the major stumbling block in this reversal of form from previous agreements. Efforts by SWIFT to implement new technology to separate their databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching criminals that make today's global payments world a bit of the wild, wild West.
For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established there have been great successes. Internet corporate takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated to the benefit of numerous domestic corporations and consumers.
Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 15, 2010 in Cybercrime, Fraud, Internet, Law enforcement, Payments risk, Regulation | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01310f823141970c
Listed below are links to blogs that reference Global challenge: Catching crooks while protecting privacy:
Comments
January 25, 2010
Connecting the dots needed to reduce payment risks
Some say baseball is not only America's Game, but also a metaphor for life in America. As a lifelong fan I have noticed that each year a couple of rookie players explode onto the scene in April, putting up terrific numbers and establishing themselves as the sport's next great icons. Usually by mid-May they have disappeared from the league leader boards as their numbers fall precipitously. Why? Because the league knows very little about the players' strengths and weaknesses in April, but as time wears on, pitchers make adjustments to exploit the rookies' weaknesses. Don Sutton, an announcer for the Atlanta Braves, says that baseball is a game of continuous adjustments. The rookie wunderkinds will only be successful over the long run if they are able to make the adjustments necessary to counter the pitchers' new approach.
In today's payments world, rookie fraudsters are having significant success penetrating corporate payroll and accounting systems using Trojan horse and key-logging software to insert bogus payments into the company's disbursement streams without the company realizing until it is much too late. So called "money mules," hired by the kingpin fraudster, receive the "stolen" funds in new accounts and immediately wire them to faraway places after taking their promised cut. Such schemes have been much discussed in the payments industry press over the past few months.
My wife's sister is the bookkeeper for a small firm, and in that role she is responsible for most of the company's disbursements, including payroll. Over a glass of eggnog or some acceptable substitute, I told her about these schemes and she listened, wide-eyed. We discussed the controls that were in place in the company that could detect and prevent them from becoming a victim, and I began to realize the problem we face as an industry in addressing such new threats. Like the rookie baseball player, we must begin to adopt a mentality of constantly adjusting to the ploys of the fraudsters to ensure our future success. For example, a company could add a new step to their disbursement process that would check payroll totals for reasonableness in terms of numbers and dollars, scan preliminary logs of payees, names or accounts, etc., before pressing the transmit button. The challenge is to figure out how to share threat information broadly enough to reach the point of common sense protection. There can be no remedy if there is no awareness.
A number of organizations are working on education and communications efforts within their industries, but the best protection is always a first-line defense at the point of greatest vulnerability—the corporate originator of payments. While we in banking view the depth and breadth of our industry as daunting, it is trivial compared to the universe of American business, from large mega-corporations who can invest millions in protection to small entrepreneurs engaged in realizing their lifelong dreams, totally oblivious to the dangers of the brave new world. What, then, can we do to address this seemingly impossible challenge?
The answer would seem to lie in harnessing the amazing technology present in the world today, the same technology being used by the bad guys. Just as nuclear technology can be used to pursue both good and bad objectives, so can e-mail systems, social networking, twittering, and other yet-to-be-discovered advents of the new century. My sense is that the problem lies in discerning how to connect the dots. In other words, how can we as a society create a massive web of "community of interest" associations that allows information to reach the eyes and ears of all (or most) of those who need to hear it?
From my background as a math major, I know that the shortest distance between two points is a straight line (actually, I think you can get this from high school geometry). Noting that every company needs a bank, my sense is that the straight line for this effort runs directly from the central industry sources of fraud knowledge, to the banking community, to a bank's business customer base. Simultaneously, another connection at the top of the chain runs from industry sources to other parties in the regulatory and law enforcement businesses.
Over the past few months, we at the Retail Payments Risk Forum have become aware of and frequently engaged with several organizations who are interested in and trying to enhance the current communications and education process. For example, a new interagency fraud working group, co-chaired by the Department of Justice and the Federal Reserve Board, has been created to share information between bank and nonbank regulators and the law enforcement community. An effort to construct an educational toolkit for banks to use to report fraudulent activity is being developed under the auspices of BITS. In an ideal world, we would all work together to harvest the unique capabilities of each of the many efforts under way and try to coordinate them in such a way as to minimize duplication, maximize knowledge, ensure accuracy, and expedite wide distribution of information. In the months ahead, the Forum will be trying to work across many interested parties to see if there is a model for accomplishing this goal that could be deployed to the benefit of all possible victims in the "fraud value chain."
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
January 25, 2010 in Corporate Internet fraud, Fraud, Fraud awareness, Internet fraud education, Money mules, Payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0128770e3999970c
Listed below are links to blogs that reference Connecting the dots needed to reduce payment risks:
