May 07, 2012
Regulating mobile: Distinguishing the payment from the channel
The handset is just a device, not a payment
Policymakers and regulators are just beginning to discuss the regulatory environment for mobile banking and payments in the United States. The added dialogue to existing industry conversations can lead to mixed messages about where regulatory and policy action may be needed. Recently we've heard from industry and regulatory agencies that the payments industry should carefully consider introducing new regulations and supervisory guidance.
The mobile handset is "just a device, not a payment," noted Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Duncan, who spoke at the workshop "Paper, Plastic...or Mobile," hosted by the Federal Trade Commission, also said that regulation should be no more stringent than that of the underlying payment. In essence, the laws, regulations, and rule sets associated with a payment type—be it a credit card, debit card, or online payment—should follow that payment through the mobile channel for clearing and settlement. I offered similar conclusions in a previous Portals and Rails post on dispelling myths in mobile payments, adding that "while new networks...may emerge in the future, at present, the payment network systems remain the same."
Fragmented framework on an expanded landscape
One problem the payments industry faces as technology enables new intermediary payment methods (they all start off as something we already use: cash, checks, or cards) is that the legal and regulatory framework includes different consumer protections, disclosure requirements, and error resolution provisions depending on the payment type. While all these payments are used in an Internet environment—whether the Internet is accessed by phone or a traditional PC—the addition of the mobile channel and its telecom partners has seemingly created a tipping point for confusion and speculation. Many of the issues raised about consumer protection for prepaid cards, for example, exist now and have nothing to do with a consumer's ability to use a prepaid account with a mobile device.
Can existing regulatory infrastructure handle new mobile payment business models?
The United States has a more complicated banking system than most countries. National laws, for example, govern national banks, which are preempted from state law. State-chartered banks and nondepository money service businesses (like payday lenders and money transmitters), on the other hand, are responsible for complying with the laws of every state in which they do business. These laws are different from state to state, and sometimes even conflict.
Industry players in each of these separate chartering authorities are stepping into the mobile channel as a way to expand their footprint. While telecoms and technology firms are entering into partnerships with banks to establish new business models in the delivery of mobile payments, so far they're sticking to their knitting and leaving the clearing and settlement, and the extension of credit, to the financial services industry. As long as banks remain the payment issuers in these still nascent business models, caution in rethinking the regulatory infrastructure is probably a good idea as well.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 7, 2012 in innovation, mobile banking, mobile payments, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168eb46b266970c
Listed below are links to blogs that reference Regulating mobile: Distinguishing the payment from the channel:
Comments
March 19, 2012
Balancing payments risk management and regulation with innovation
Government must be careful not to overreact to, or stifle, new innovations that can greatly benefit the consumer and the American economy. Government should take advantage of marketplace solutions to issues where appropriate. To do this, and at the same time to be in a position to act appropriately, it is important for government to maintain expertise in electronic money and payments development, and to consider carefully major questions presented by these developments. (Excerpt from 1996 paper prepared by the Department of Treasury on emerging electronic money and banking innovations.)
This quote appeared in a presentation given last week by John Carlson, executive vice president at BITS, a nonprofit group that fosters communication around technology issues that affect the financial services industry. John used this quote to demonstrate that, even in 1996, the Treasury Department recognized the need to not over-regulate at a time when financial institutions were beginning to experiment with Internet banking.
In the presentation "Hardening Payments for the Next Generation," which he gave at the BAI Payments Connect conference, John stressed that we still have to exercise care as financial institutions continue to innovate. The industry must still consider how it will balance the benefits of innovation in payments with the need to manage changing risks and ensure that regulators keep up with the changes. John warned that, despite the myriad of new threats, the temptation to overreact to these with regulation and legislation may stifle payment innovations. He emphasized that, instead, payment stakeholders must collaborate and share information.
Following are a few other noteworthy points from the presentation.
Rise in fraud and security issues in payments
John noted that as more nonbanks enter the marketplace and new innovative alternative products are introduced, payments fraud is evolving alongside. We need to keep looking at emerging payment issues involved with EMV-enabled payments, for example, as well as mobile payments, cloud computing, and payments conducted via social media. At the same time that these products are entering the marketplace, fraud is evolving in new and unexpected ways. And as global crime rings increasingly engage in cross-border activities, for example, a rise in cyber-security threats will likely continue.
We are also seeing some conflicting trends in consumer trust of security issues, according to John. While many consumers respond conservatively in surveys on payments security, for example, consumers generally are becoming increasingly willing to share personal information with "friends" in social media sites like Facebook and LinkedIn. And while consumers are gradually warming up to alternative payments in the mobile channel, most fail to employ general protections such as mobile device password locks.
A challenging regulatory environment
John mentioned that U.S. financial institutions are subject to independent regulatory oversight by a host of federal and state agencies, but the regulatory environment for nonbanks is not well understood. This lack of clarity around the nonbanks results in unclear liability for financial institutions and their customers alike. Consumers are likely to go to financial institutions for error resolution because of trust and familiarity, even when the risk and liability belong to the nonbank partner.
Third-party risk will continue to be a significant concern going forward, said John, as banks recognize the economic benefits they can get from outsourcing. As a result, regulators will focus on banks' vendor management programs to ensure that banks exercise comprehensive due diligence when they engage with vendors, and that they continue to provide oversight of the vendor throughout the duration of the relationship.
John noted that while there is a great deal of discussion on regulation of the emerging mobile channel, it is likely that such regulatory guidance will be embedded in vendor oversight guidance, of which there have been many iterations over the years.
Trust is necessary element of a successful payment system
John's presentation concluded in saying that "trust is central to everything we do." Financial institutions and other stakeholders with access to payment data and personally identifiable information have a growing responsibility to protect that data as the risk grows for network and device compromise. With more personal information exposed via social media, we will need to consider incentives for stakeholders to safeguard information by banks and other competitors in the payments space. Furthermore, those nonbank competitors and outsourcing partners need to be held to similar business practice standards for security and safety and soundness.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
March 19, 2012 in innovation, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168e8feaacf970c
Listed below are links to blogs that reference Balancing payments risk management and regulation with innovation:
Comments
December 12, 2011
Retail Payments Risk Forum conference explores the role of government
In light of the many legislative and regulatory changes affecting the payments industry that are already underway, how and when does government intervene in today's highly dynamic marketplace? To answer this question and more, a mix of regulators, legal professionals, and law enforcement representatives participated in the Risk Forum's fifth annual signature conference, "The Role of Government in Payments Risk and Fraud," held November 17–18 at the Atlanta Fed.
Marie Gooding, first vice president of the Atlanta Fed kicked off the event with some opening remarks. Next up was Louise Roseman , director of reserve bank operations and payment systems at the Fed's Board of Governors, with the conference's keynote address. Roseman offered some historical perspective on the relevance of government in the nation's payments systems. The conference continued with five key sessions relating to the governance of risk and fraud in retail payments. We present the highlights of each session in this post. You can get the presentation materials on the Atlanta Fed website.
Changes in regulatory oversight and self-governance crucial
Government oversight of the nation's retail payment system is delivered through different models at the federal and state levels. Complicating matters further, regulatory oversight depends on whether the payment service provider is a bank or a nonbank third party. As the payments environment grows more complex with new nonbank entrants in the payment system and many new alternative payment alternatives, it will be challenging for traditional governance to fully understand the emerging risks Alongside regulatory oversight, self-governance in the form of compliance programs, rules, and standards can contribute to effective alternative models. This panel also explored the role and scope of the new Consumer Financial Protection Bureau and how it plans to fulfill its newly established mission.
Law enforcement challenges
Panelists discussed the importance of collaboration among law enforcement agencies as payment crimes become more sophisticated and proliferate across global geographies. Cross-border financial transactions will demand collaboration among international and domestic law enforcement organizations, as well as among the industry participants themselves and their respective regulators. The panel addressed the growing need for law enforcement to collaborate with regulators who have fragmented state-level authority and are not required to exercise prudential supervision.
The need for better fraud data
Panelists discussed the growing incidence of payment crimes, noting that the United States' efforts to address payments risk and fraud may be hindered by a lack of supporting data on the costs of prevention and the losses incurred. The United States is virtually the only country that does not keep comprehensive data on such losses and costs. The panel discussed how the industry could benefit from complete quantitative information. Armed with such information, the industry could more effectively allocate resources to payment mechanisms and channels posing the most significant risks. This knowledge will become increasingly necessary as payment providers and businesses plan future investments in payment fraud risk management programs.
Changes in the U.S. regulatory environment
2011 witnessed significant regulatory efforts such as the CARD Act, overdraft legislation, the Durbin amendment, and the effects of these initiatives on the behaviors of such stakeholders as the merchants, banks, and even consumers. Panelists engaged in a comprehensive discussion on the current state of these initiatives and what to expect. The audience participated in the dialogue on noteworthy issues such as payment authentication methods and fraud management systems resulting from the industry's response to the Durbin amendment, and the response from Congress to marketplace changes such as new bank fees.
Payment laws and regulations in a dynamic payment environment
Panelists in this session explored how a complex matrix of federal and state laws for retail payments in the United States poses challenges as the industry migrates to alternative payment mechanisms. At issue is the lack of a common playing field for banks and nonbanks regarding legal compliance and safety and soundness. Also at issue is the inapplicability of some laws and regulations to specific payment methods. While many panelists agreed that it is desirable to harmonize efforts under Dodd Frank, they noted that small changes in some payment systems can create significant complications in others. Finally, the panelists discussed the current need for commercially reasonable security methods to limit a financial institution's liability within the current legal and regulatory framework.
Conclusion
This event provides the Retail Payments Risk Forum with critical business intelligence from participants to drive our thought leadership and strategic planning as we move forward into 2012. Look forward to further discussion on these topics as our team explores these evolving issues, and as always, we invite your dialogue in the conversation.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
December 12, 2011 in regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01675eaaddf0970b
Listed below are links to blogs that reference Retail Payments Risk Forum conference explores the role of government:
Comments
October 24, 2011
Keeping pace as money transmitters proliferate
As the United States migrates from paper-based retail payments to electronically enabled methods, we are witnessing a proliferation of entrepreneurial and innovative nonbank stakeholders entering the retail payments market. As my colleague discussed in a previous post, these nonbanks provide a variety of services that banks can use to create more efficient payment systems. But the fast pace of technological change and the ease with which these new companies can enter the retail payments arena may also be translating into new risk vulnerabilities for the nation's retail payments systems.
There are many different types of nonbanks in U.S. payments systems today, including technology developers, aggregators, agents, third-party service providers, and money service businesses (MSB) and transmitters. As technology enables more nimble and innovative payments, the role of MSBs and, in particular, money transmitters is growing more important.
Am I an MSB?
According to this table from the Financial Crimes Enforcement Network (FinCEN), certain products or service offerings may dictate the capacities in which a business might fit the definition of an MSB. Note that money transmitters represent a specific type of MSB that engages primarily in funds transfer services.
The innovations that PayPal introduced illustrate the value that transmitters add to the payment system through the provision of nimble service offerings that respond to consumer payment needs. Over time, PayPal has evolved into a mainstream payment service provider and household name, and has demonstrated a commitment to risk management and regulatory compliance across all the jurisdictions in which it operates. But PayPal's commitment contrasts with the overall state of the industry of MSBs, whose efforts are not completely transparent. MSBs and transmitters today operate in a fragmented regulatory environment determined by the specific governing laws, licensing requirements, and permissible business activities of each U.S. state.
As money transmitters become more prevalent players in our nation's payment system, is it time to reassess their regulatory environment and consider the potential benefits of a national supervisory framework?
Transmitters and the U.S. regulatory structure
Money transmitters are required to register with FinCEN and to comply with federal laws for anti-money-laundering and counterterrorist-financing provisions of the Bank Secrecy Act. In addition, 48 states require the licensing of money transmitters before they can do business. For money transmitters that operate in more than one state and across state lines, differences in state legal requirements create challenges to developing effective enterprise-wide compliance and risk-management programs. Furthermore, monitoring changes in various state legal regimes can be extremely complicated, not to mention costly.
Ironically, state regulatory authorities governing money transmitter businesses are generally budget-strapped in today's economically distressed environment, and lack the financial resources for taking action against all but the most egregious of bad actors. Unlike the prudential regulatory governance employed by the agencies of the Federal Financial Institutions Examination Council for the nation's mainstream financial institutions, regulatory response for the oversight of money transmitters is prompted instead by complaints to state authorities, or by the filing of suspicious activity reports to FinCEN.
Future regulatory considerations
There are many risks to consider in this nascent segment of the retail payments industry. With the ease of entry into the market for money transmitters and the potential lack of funding in some states for comprehensive regulatory oversight, some startups may circumvent licensing and capital requirements by merely opening for business, undetected by state authorities. FinCEN has issued advisories requesting that financial institutions that discover such businesses file suspicious activity reports (SARs) as a means of mitigating unlicensed and potentially illegal activity. Unfortunately, as technology supports more sophisticated advancements in electronic payments as well as new alliances between carriers and money transmitters, regulatory efforts will become increasingly difficult.
The newly established Consumer Financial Protection Bureau is empowered to exercise enforcement authority for improper conduct on behalf of money transmitters, but the task is daunting, considering the disproportionate state-by-state regulatory framework currently in place. Is it time to consider a more consistent, national approach to the legal and regulatory oversight of money transmitters? And, considering the onerous compliance costs that the current environment imposes, would money transmitters in fact welcome a more consistent, uniform environment?
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
October 24, 2011 in money services business (MSB), payments risk, payments systems, regulators, transmitters | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0162fbe1f446970d
Listed below are links to blogs that reference Keeping pace as money transmitters proliferate:
Comments
Posted by:
twitter.com/dgwbirch |
October 29, 2011 at 04:58 AM
September 26, 2011
I can’t use my prepaid card for that now?
The focus of the Portals and Rails blog is usually related to fraud or operational risks to the payments system. Today's blog will take a look into a different type of risk, the risk of reduced functionality for general purpose reloadable (GPR) prepaid cards. An interesting development with GPR prepaid cards has risen out of the recent Regulation II (Reg II) ruling. Considering that 1.3 billion general purpose prepaid card transactions were conducted in 2009, according to the 2010 Federal Reserve Payments Study, changes affecting GPR prepaid cards could affect many people.
Reg II, which was instituted in response to the statute commonly referred to as the Durbin Amendment, has an unintended consequence. Consumers risk losing some payment functionality with prepaid cards, including the ability to have funds auto-drafted via ACH from GPR prepaid cards. The risks of unintended consequences such as this one has not gone unnoticed by the Federal Reserve Board. In fact, during the June 29 Open Board Meeting, Governor Duke expressed her concern on this topic and would eventually like the Board to "undertake a study to quantify the overall effect of this rule on consumers."
With the Reg II interchange cap set to go into effect on October 1, many institutions are implementing new checking account fees and debit card fees that will undoubtedly make checking accounts and debit cards costlier for consumers. However, outside of eliminating or reducing rewards, institutions will offer consumers the same benefits and functionality for debit cards as they did before Reg II. It does not appear that the same can be said for the functionality and convenience of GPR prepaid cards.
To be exempt from the interchange cap, a GPR prepaid card must be the only means for a consumer to access the funds on that card or the card issuer must qualify for the small-issuer exemption (assets of less than $10 billion). If the consumer can access funds on a GPR prepaid card issued by a large issuer (assets of $10B or more) with a check, ACH, wire, or other account transfer method, then the card is viewed as a "deposit account" and therefore not exempt from the Reg II interchange cap. It was critical that the regulation include this language concerning GPR prepaid cards to prevent the widespread evasion of the interchange cap by issuers labeling traditional debit cards and their underlying deposit accounts as prepaid cards.
Conceivably, a GPR prepaid card issuer could be exempt from the Reg II interchange cap by eliminating payment functionality beyond the purchasing function of the prepaid card. Under this scenario, consumers would no longer be able to use their GPR prepaid cards to auto-draft funds via ACH from the card to pay recurring bills, such as utility bills.
According to recent comments by the CEO of Green Dot, the largest GPR prepaid card program manager, "all Green Dot managed programs, including our Walmart MoneyCard program, will be exempt from interchange restrictions under the Durbin interchange amendment and therefore, our programs will not be subject to lower interchange." A recent article in the American Banker noted that Green Dot would need to either remove features of its cards or switch bank issuers (neither of Green Dot's current issuers can qualify as small) for its cards to be exempt from the interchange cap.
Implications for GPR prepaid card users
With Green Dot cards set to be exempt from the Reg II interchange cap, many GPR prepaid card users should prepare for the loss of the direct debit functionality of their cards. And with the loss of this payment option, prepaid card users that currently use their cards' direct debit functionality to pay bills will now be more at risk of making late payments and having to pay the accompanying late fees. Furthermore, because many recurring billers, including utility companies, often charge a fee for card-based payments, GPR prepaid card users can expect to pay a service fee for paying some of these bills. To avoid these service fees for card-based payments, GPR prepaid card users may be forced to make cash payments in person, which can be both inconvenient for the consumer and costly for the biller.
A final thought
Perhaps the most surprising information from the Green Dot announcement is the fact that the WalMart Money Card will also be exempt from the interchange cap. With merchants being some of the biggest proponents of the Reg II interchange cap, it's interesting to learn that a merchant cobranded prepaid card will be stripped of a feature that provides consumers with a free, safe, and convenient way to pay bills all in the name of earning the higher interchange and presumably maintaining low costs for consumers. Given the utility of GPR prepaid cards for the un- and underbanked population, will removing electronic payment functionality from the cards further disenfranchise these consumers from banks? Or would increasing consumers' cost for the product to maintain its current functionality lead this segment away from electronic payments and back to cash?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 26, 2011 in payments, prepaid, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015391e1f729970b
Listed below are links to blogs that reference I can’t use my prepaid card for that now?:
Comments
Although article focuses on loss of direct ACH debit from prepaid cards, these same programs are also eliminating their web billpay offerings -- this is probably an even bigger customer impact as web billpay usage exceeds that of direct debit.
Posted by:
dave fortney |
October 03, 2011 at 10:25 AM
How absurd that a piece of legislation intended to curb debit interchange earnings for banks is singling out transactions that do not generate any interchange (ACH, checks).
Under-banked people encouraged by the government to receive their tax refunds into prepaid cards will be delighted to learn that they can no longer pay their bills conveniently with the money received...
There are plenty of non-evil large banks that will think twice before offering prepaid cards as an entry product, if the cards loose a large part of their usefulness.
Posted by:
Patrice Peyret |
September 27, 2011 at 09:02 PM
September 19, 2011
The prepaid market: Growth and sophistication mean more risk
FinCEN has released its final rule on prepaid products, and a key feature expands the Bank Secrecy Act (BSA) compliance obligations to include providers and sellers of certain types of prepaid access devices. In March, we discussed FinCEN's proposed rule on prepaid products. The rule was drafted with the intent to address potential money laundering risks in prepaid access devices.
The final rule, released July 29, also replaces the term "stored value" with "prepaid access." The purpose of changing the nomenclature was to cast a broader net by covering not only prepaid access devices like cards, but also emerging prepaid access devices such as key fobs and mobile phones. The new definition is broad enough to cover any type of device that can serve as a portal to funds that have been paid for in advance and are retrievable and transferable.
Prepaid access devices are available in a wide variety of formats. Some types of prepaid access devices come in the typical card format, while others can exist in virtual form, such as an electronic serial number.
Growth of prepaid access
There is good reason for FinCEN's interest in prepaid products. Growth in consumer adoption and increased government activity (payout of government benefits, including unemployment and social security, among others) have accelerated the acceptance rate of prepaid products in recent years. Mercator Advisory Group predicts in its
Seventh Annual Prepaid Market Forecast that the total dollars loaded onto prepaid cards may climb to $672 billion by 2013.
The Office of the Comptroller of the Currency (OCC) has also responded to the growth and sophistication of the prepaid market by releasing guidance to national banks that offer prepaid products with advanced functionality. The guidance advises national banks to develop comprehensive risk management policies and procedures to guard against potential fraud. The OCC expressed that prepaid products offering features such as international funds transfers, card-to-card transfers, and Internet transfers can potentially expose banks to a variety of risks that may not be in line with the banks' business strategies or risk appetites.
Newly regulated entities: Sellers and providers of prepaid access
Providers of prepaid access are now required to comply with the Bank Secrecy Act's regulations related to Money Services Business (MSB). Some of those requirements entail maintaining adequate anti-money laundering programs. The type of BSA program will depend on the risk appetite, size, customer base, and geography of the sellers and providers.
Under the new rule, prepaid access providers must retain transaction-specific records generated in the ordinary course of business for five years. The records collected must be easily accessible upon request from FinCEN or other law enforcement. Both providers and sellers of prepaid access are subject to Suspicious Activity Reporting (SAR) and Currency Transaction Reporting (CTR), but only providers are required to register with FinCEN once every two years.
Prepaid products exempted
For the first time, closed loop prepaid products are regulated if more than $2,000 can be loaded on the device on a given day. FinCEN acknowledged that although closed loop prepaid access is generally considered an unattractive, inefficient, and unlikely means of moving large sums of illicit money, law enforcement cautioned FinCEN that closed loop prepaid access in large dollar amounts can be vulnerable to criminal enterprises intending to launder funds. This partial exemption for closed loop prepaid access addresses law enforcement's money laundering concerns regarding a limited segment of closed loop prepaid access market, while still exempting the retail sale of closed loop prepaid of $2,000 or less.
Also regulated for the first time is low-value ($1,000 or less/day) open loop prepaid access, if it can be used internationally, transferred between or among other persons (P2P), or reloaded by a nonbank. The restrictions placed on the open loop prepaid access are based on the device's functionality and not on what it can be used to purchase.
Exempt from most of the new rule are prepaid access devices that FinCEN determined posed a decreased risk of money laundering, terrorist financing, and other criminal activities. Those devices include prepaid access to funds for payroll, government benefits, and incentives, so long as the funds cannot be used internationally, do not have P2P capabilities, and cannot be reloaded by a nonbank.
The rule's effective date is September 27, 2011. However, compliance for registration of MSBs does not take effect until January 29, 2012.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 19, 2011 in payments, prepaid, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e8bac9807970d
Listed below are links to blogs that reference The prepaid market: Growth and sophistication mean more risk:
Comments
August 15, 2011
Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud
It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.
Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.
Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.
Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.
Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.
Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.
Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.
Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0154348a930e970c
Listed below are links to blogs that reference Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud:
Comments
August 01, 2011
Regulation E expected to add new consumer protections for remittance transfers
One of the many changes required by the Dodd-Frank Wall Street Reform and Consumer Protection Act is an update to Regulation E to reflect new protections for consumers who make remittance transfers to recipients in foreign countries. A remittance transfer is a transaction in which a consumer sends funds to someone in another country. The proposed rule is expected to help carry out the Dodd-Frank Act's overall intent to improve accountability and transparency in the financial system through new disclosures, notices, and error resolution procedures for remittance transfers. Recently, the Federal Reserve Board (the Board) formally announced its request for public comment on the proposed rule and model disclosures.
According to some initial comments on the proposed rule, some industry participants believe that the added requirements could increase costs and add unnecessary burdens to a system that is, as they view it, already functioning properly. Others expect that the proposed changes will reduce errors and even, in some instances, improve the speed for remittance transfers because of enhanced communications between the sending and receiving agents.
Will these changes to Reg E stifle progress in the remittance industry or help it become more consumer-friendly? And will these changes enable a thriving business environment for transfer providers—rather than stifling market growth—while preserving consumer protections?
Prevalence of remittance transfers
Remittance transfers are typically consumer-to-consumer payments of low monetary value. The World Bank estimates that a total of $440 billion in remittances was sent worldwide in 2010, of which $325 billion went to developing countries. The World Bank further estimates that the United States had the highest volume of remittances in 2009, totaling $48.3 billion.
New disclosures, notices, receipts, and error resolution procedures
Some of the proposed disclosure requirements call for remittance transfer providers to disclose to the sender, before the sender pays any money, the remittance value in the currency of the recipient's country, all fees charged in connection with the remittance transfer, and the exchange rate that will be used (to the nearest 1/100 point). Then, after sending the payment, the provider must provide the sender a series of other disclosures on the receipt. Separate notices are required for transfer providers that offer Internet-initiated remittance transfers.
Additionally, remittance transfer service providers may be required to prominently display notices describing a model remittance transfer in every storefront location that the provider owns or controls. The proposal also adds new error resolution procedures for remittance transfers. Under the proposal, the deadline for a consumer to report an error is 180 days from the promised delivery date. This notice may be oral or written, but it must contain the amount of the transfer shown in the foreign currency amount, as indicated in the receipt.
Testing existing disclosures, notices, and error resolution procedures
Prior to releasing these proposals, the Board consulted with a research group to help determine whether these requirements would help the consumer price shop remittance services or understand their fee structure. Overall, the resulting study found that most participants (remittance senders) were satisfied with their experiences.
The study, when determining what information participants received from remittance transfer service providers during an in-person transaction, found that participants infrequently received written information before they completed the transaction. However, the participants indicated they could get needed information by asking an agent. In contrast, they almost always received some form of written information after the transaction, including the exchange rate, fees, amount of money sent, and so on.
Study participants were also asked to share their experiences with dealing with errors or problems during a remittance transaction. Most reported having had problems with at least one service provider, but almost all reported that their problems were resolved expeditiously. The most common error they reported was the misspelling of the recipient's name.
Conclusion
Remittance transfers are an increasingly important source of income for households in lower-income countries. Yet, given the results of the study on the current state of remittance transfers, it is difficult to know whether the Dodd-Frank's remittance provisions will increase efficiency in the remittance industry while preserving consumer protections. What is clear, though, is that the proposed amendments to Reg. E will establish standardized disclosures and notices, thereby creating more transparency in the remittance industry so that a consumer can confidently price shop providers while fully understanding fee structures and services. Although the Board has initiated these proposals, the Consumer Financial Protection Bureau assumed responsibility over this new regulation on July 21, 2011.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 1, 2011 in consumer protection, P2P, regulators, remittances | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01539058e21e970b
Listed below are links to blogs that reference Regulation E expected to add new consumer protections for remittance transfers:
Comments
June 20, 2011
Is a national data breach notification law on the horizon?
Extensive privacy regulations exist that provide a framework for promoting identity theft prevention, data security, use of data limitations, requirements for data destruction, notice, user content, and accountability. Some of these laws are the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Gramm-Leach Bliley Act, among others. Each of these financial privacy laws has been amended several times since their enactment, but none have standardized data breach notification rules.
On the state level, some legislatures have tackled data breaches by stepping up privacy and encryption requirements for organizations that handle credit and debit card data. According to the National Conference of State Legislatures, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have passed laws that require some form of notification when security breaches involving personal information occur. Most of the state laws have common themes, yet several differences exist among them, making it difficult, costly, and burdensome to develop a consistent and effective security incident response plan.
A push for national data breach laws
In 2009, there were two federal data security laws pending that cleared the U.S. Senate Judiciary Committee. One even cleared the U.S. House of Representatives. However, neither became law. One was the Personal Data Privacy and Security Act of 2009 (Data Privacy Act), and the other was the Data Breach Notification Act. The Data Privacy Act sought to mitigate identity theft, ensure privacy, and require that breached individuals be notified. The Data Breach Notification Act also imposed notification requirements but provided a safe harbor whereby organizations were not required to report the breach if a risk assessment determined the incident would not harm consumers.
Other efforts were seen when the Federal Trade Commission (FTC) and the U.S. Department of Commerce (DoC) both released reports within days of each other with recommendations for protecting consumer privacy online. The FTC's report came out on December 2, 2010, and the DoC's report came out on December 16. The DoC report focuses on national consistency surrounding security breach notification rules. The DoC recommends the implementation of a "[f]ederal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities."
Seeking exemption from the FTC and DoC recommendations
Not everyone is on board with the DoC and FTC recommendations. On January 31, 2011, the Securities Industry and Financial Markets Association (SIFMA), a consortium of financial firms, sent a letter to the FTC and DoC asking that their recommendations on privacy exclude industries—including the financial services industry—already subject to sector-specific regulations. SIFMA's letter expressed the view that existing national privacy laws like the Fair Credit Reporting Act, the Gramm-Leach Bliley Act, and the Electronic Communications Privacy Act are sufficiently addressing the management of consumers' personal data.
SIFMA did express support of the introduction of a uniform national breach notification law that would preempt state laws, but only by requiring that consumers be notified of a breach when there is a significant risk of identity theft. SIFMA pointed out that "requiring notification if there is no significant risk of identity theft could have the unanticipated effect of overwhelming consumers with notices that might cause confusion and likely desensitize them to future notices."
Finding common ground
The deadline for comments to the FTC report closed February 18, 2011. Both the FTC and DoC are expected to issue final reports and guidance this year. The coincident timing of the FTC's and DoC's reports seems to have renewed focus on online privacy and what best practices should be used to address perceived shortcomings.
Perhaps the FTC and DoC recommendations can shed some light on whether the need for a national data breach notification law is warranted or whether the existing national and state-level laws sufficiently address the management of consumers' personal data. For now, it appears that most industry watchdogs believe that consumers and businesses alike could benefit from a national standard for security breach obligations, mainly because the differences in form and substance between states make it increasingly complicated for effectively reporting data breaches to the public and present undue costs to business and burden streamline industry compliance.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
June 20, 2011 in consumer protection, cybercrime, identity theft, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e89435696970d
Listed below are links to blogs that reference Is a national data breach notification law on the horizon?:
Comments
June 06, 2011
Who does what in fighting payments crimes? Explaining the acronyms and roles of agencies
My grandmother always enjoyed a good laugh. I fondly remember her laughter as we listened to Abbott and Costello's comedy sketch "Who's on First?" multiple times during every visit to her home. I must admit that at times I can feel like Costello when discussing the many different organizations (and their related acronyms) that play a role in regulatory and legal oversight of financial-related crimes. Though not necessarily as funny as Abbott and Costello's sketch, the multitude of organizations and their related acronyms in the United States and the roles they play as they relate to financial-related crimes are enough to make even Costello think that St. Louis's lineup is a breeze to follow. In an effort to allay some of this confusion, let's examine several organizations involved in the fight against financial and payments-related crimes.
Financial Crimes Enforcement Network (FinCEN)
FinCEN was established in 1990 by the U.S. Department of the Treasury. FinCEN is responsible for issuing and administering rules and regulations governing the reporting of currency and foreign transactions as defined in Title II of the Bank Secrecy Act. Title III of the USA Patriot Act gives FinCEN additional responsibilities that include developing rules and regulations related to due diligence and surveillance of suspected terrorists and those engaging in criminal activities.
FinCEN works with law enforcement and regulatory agencies to deter and detect terrorist financing, money laundering, and other financial criminal activity through the sharing of data collected from institutions, as prescribed by the Bank Secrecy Act and the USA Patriot Act. Though FinCEN develops regulations that financial institutions must follow, the agency does not have any oversight powers, so it has to rely on other regulatory/supervisory organizations to ensure that financial institutions comply with their rules and regulations.
Financial institution regulators/supervisors
The Federal Financial Institutions Examination Council (FFIEC) was established to prescribe uniform principles, standards, and report forms for the examination of financial institutions. The organization or agency that regulates a particular financial institution depends on the type of institution. The FFIEC attempts to ensure uniformity in the supervision and regulation of financial institutions, regardless of the supervising agency.
The Office of the Comptroller of the Currency (OCC) is responsible for supervising national banks. State-chartered banks are under the supervision of a state regulatory agency. If they are members of the Federal Reserve System, they also receive supervisory oversight from the supervision and regulation arm of the Federal Reserve, typically rotating examination cycles with the state regulatory authority where they are chartered. The Federal Reserve is also the regulator for financial holding companies, with supervisory oversight for all organizations and their activities within the holding company.
The Federal Deposit Insurance Corporation (FDIC) participates in regulatory oversight for state-chartered banks that do not join the Federal Reserve System to lessen the burden on state agencies. Most importantly, the FDIC engages in reviews of both state and national banks should their troubled condition present a threat to the deposit insurance fund.
Credit unions are supervised by the National Credit Union Administration (NCUA). Before merging with the OCC, the Office of Thrift Supervision (OTS) supervised the U.S. thrift industry. Under this merger, the OTS will be phased out by July 2011. The Federal Reserve Board will then take over the supervisory role of thrift holding companies, and the OCC will supervise all federal thrifts.
In their supervisory roles, these agencies ensure that financial institutions have Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programs in place as prescribed by FinCEN and that financial institutions comply with other rules and regulations established by FinCEN and other bodies, such as state and national governments.
Law enforcement organizations
Though the United States Secret Service is best known for protecting the president, it is also responsible for investigating financial crimes that include counterfeiting of cash and U.S. treasury securities, access device fraud, financial institution fraud, identity theft, and computer fraud. The Secret Service often works side-by-side with the Federal Bureau of Investigation (FBI), which investigates Internet fraud, identity theft, and money laundering, among many other crimes types. In investigating and detecting financial crimes, these agencies rely heavily on data from FinCEN obtained from the financial institutions' filings of suspicious activity reports. While both the Secret Service and FBI tend to focus on larger, high-profile crimes, local and state law enforcement agencies also play a critical role in leading the investigation of similar but smaller financial crimes as well as assisting the national organizations on larger crimes.
The role of the Retail Payments Risk Forum
In this web of organizations, guidelines, rules, and regulations, the Retail Payments Risk Forum (the Risk Forum) seeks to facilitate collaboration among participants in the payments industry. The Risk Forum has been successful in filling a critical and neutral role in bringing together members from the Federal Reserve System, bank regulatory agencies, rule-enacting agencies, law enforcement, and the payments industry for dialogue and information sharing. Furthermore, members of the Risk Forum are actively engaged in providing "boots on the ground" surveillance on service developments and emerging risk issues in retail payments systems.
As new payments risks take root and new organizations such as the Consumer Financial Protection Bureau (CFPB) emerge, it is imperative that these parties continue to engage with each other to effectively combat the growing threat of risk and fraud in the U.S. payments system.
This table summarizes the roles of the agencies.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 6, 2011 in payments, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015432d17fd8970c
Listed below are links to blogs that reference Who does what in fighting payments crimes? Explaining the acronyms and roles of agencies:
You are right to ask the question Cindy. A national framework that works to separate payments and other banking businesses ought to be a straightforward first step toward a more efficient payment sector. Innovation in the "money transmitter" segment should be decoupled from the areas of systemic risk (eg, credit creation).