The ‘Third-Party Element’ in Mobile Fraud

The threat will come.

Bank of America Corp.’s Donna Turner, senior vice president, global fraud policy executive, repeated this phrase three times, like a mantra, during her presentation on mobile fraud at last month’s BAI Payments Connect conference. And all the other panelists agreed: mobile fraud is not yet a serious problem for the financial services industry, but it could become one soon as new players less sensitive to risk issues join the fray and fraudsters gravitate to the emerging channel.

“As you have a number of new nonbanks in the payments system, they’re creating new touch points and new vulnerabilities,” said Cindy Merritt, assistant director for the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta. “So we’re seeing a lot of risks starting to emerge that we don’t quite understand.”

“The threat will come as we enable the new form factors to give the bad guys access to trillions of dollars in assets,” Turner said.

The Third-Party Element

In her introduction to the March 9 panel discussion in Phoenix, Ariz., Merritt explained why fraud has been scarce in the mobile channel up to now. “Most of the services have been primarily mobile banking-centric, as opposed to mobile payments, and the risk profile for those services is very different,” she said.

“We’ve prevented fraud because we limited the capabilities,” Turner added later. “We’ve said, yeah, you can move money and you can pay bills, but you can’t add a new payee or do other things. We’ve controlled the risk at this early point.” She noted that, by and large, banks have simply transferred to the mobile phone the same functionalities and authentication/fraud prevention features that they developed for other channels. “Those tried-and-true methods continue to work in the mobile space today, as we all know, regardless of the form factor, regardless of the transaction type.”

Matt Calman, senior vice president, R&D executive at Bank of America, added that the Charlotte-based company employs a group of “ethical hackers,” known as the “Red Team,” which is tasked with finding weak spots in all the smart phones and applications being introduced for mobile banking and payments. “The good news is that nothing’s really emerged as being hack-able at this point,” Calman said. “All our work to date has shown that the software is safe and the devices are safe.”

The problem, the panelists said, lies in the near future as new players enter the mobile payments space and fraudsters begin to focus on the fast-growing mobile channel. “We’ve expanded the constituencies in the payments world,” Turner said. “We’ve added manufacturers to the constituency, we’ve added application developers to the constituency and we’ve added carriers.”

Historically, according to Turner, the payments business had been governed by a limited number of players who understood their specific levels of control, accountability and liability for product development. With the advent of mobile payments, “we’ve expanded our constituent base and our governance has not kept pace with that. We don’t have a holistic, end-to-end governance model for these three new and very important constituencies.”

Turner added that she personally spends a lot of time thinking about how to enable the new constituencies to come together in the mobile payments arena while building risk management governance to handle the emerging threats.

Merritt complimented the nonbanks for bringing “a lot of ingenuity and entrepreneurialship to the payments system.” Yet, she also said that this entrepreneurial spirit “is typically accompanied by risky behavior or, at the very least, a lack of skin in the proverbial game. The nonbanks are often thinly capitalized or not in a way our commercial banks are. And oftentimes, we don’t understand how they’re regulated; how many people understand who the primary regulator for Obopay is?”

Turner described this involvement by nonbanks as “the third-party element” in mobile payments. “Where our customers’ lines of credit or asset accounts provide the liquidity or the funding source and they’ve linked that funding source through a third-party element, how do we understand that risk?”

Turner also pointed out that banks can never “eradicate risk” entirely because that would likely mean eliminating customer access to new and promising technologies. She said her team’s job is to prevent as much fraud as possible while still providing a “seamless experience” for customers wanting to move or receive funds via mobile devices.

“As I often tell my teammates around the industry and around the bank, you can’t pilot for fraud,” Turner said. “You have to make intelligent assumptions and balance your risk tolerance but you can’t pilot for fraud.”

“Three years from now, when we’re at a point where we have a significant population of payments-enabled mobile devices and issuers and merchants are all working in the medium, then I think the mobile fraud issue will become a more significant part of the dialogue,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “Today, we’re still at the standpoint of understanding the functionality, the payment delivery aspect of mobile devices and how that’s going to evolve.”

Mr. Cline is managing editor with BAI Banking Strategies.