The advent of mobile and online banking, so-called “alternative” payment applications and the rapid increase of nonbanks in the retail payments environment have clearly revolutionized the payments system, but those changes have raised a key question: Does the rapid disaggregation of the payments value chain have to spell gloom and doom from a fraud-and-security perspective? Or, to the contrary, could new players provide new tools to make the payments environment substantially safer and more convenient? The answer, and the subject of the recent BITS Payments Risk Forum, is “it depends.”
Today, the number of non-bank participants in the retail payments ecosystem is exploding and few, if any, of the real-time credit and debit networks that provide key infrastructure are bank-owned. Indeed, the proliferation of innovative payments products and of companies in customer interfaces and client support looks like the Burgess Shale, that natural laboratory of experimental life forms in the Cambrian Age more than 500 million years ago. In his book Wonderful Life: The Burgess Shale and the Nature of History, paleontologist Steven Jay Gould describes fauna with six or eight limbs or wings, five or seven eyes, and other characteristics we’d call abnormalities today because they proved to be developments that didn’t survive in the long run. These life forms are abundant in the Burgess Shale, much like failed schemes in parts of the payments value chain that will someday litter the history of payments.
The pessimists among us cringe at the sheer number of new actors in today’s payments space, many with little initial exposure to the complexities of security and fraud. Cynics look at current regulatory structures and worry that no agency has a broad understanding of the exploding world of mobile payments functionality and the ability to bring an increasingly divergent set of players to the table. And consumer smartphone security practices (or the lack thereof) concern everyone.
Consider Commonwealth Bank of Australia’s recent criticism of Google Wallet’s deployment as premature because the Android phones’ secure module chip is not enabled, exposing users to unnecessary risk. In its 2012 Identity Fraud Report, Javelin Strategy & Research found a one-third higher incidence of fraud among smartphone users than in the general public. It suggested that poor user security practices, for example, a smartphone owner not enabling password protection (almost two-thirds do not) or saving log-on credentials on the device, are partially responsible for the differential.
Finally, on June 29, Stephanie Martin, associate general counsel for the Federal Reserve Board, testified before the House Subcommittee on Financial Institutions and Consumer Credit that current payments laws “may not be well-tailored to address the full range of mobile payment services in the marketplace.” She spoke about the grey areas of non-bank payments regulation in mobile and stated her view that no single entity today is equipped to be the primary mobile regulator.
There is another side to this story, however. Innovation in the customer identification space continues, even if it’s not foolproof. The Pay With Square app, live and usable today by both iPhone and Android users, automatically loads both a photograph and the name of a purchaser to a merchant terminal when that customer approaches and presents their purchase to the cashier at a retailer equipped for the service. The cashier looks at the customer and asks for their name, and because payment card information has been pre-loaded into the consumer’s application, the customer leaves the shop without having to produce either their wallet or their phone.
Every smartphone has the inherent capability (if not the permission) to transmit location information to the issuer for scoring purposes whenever a transaction is submitted from a mobile wallet for approval. That data, as well as device ID information, are two additional elements which can improve scoring algorithms to the detriment of fraudsters.
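To make concrete how location and device ID can feed an issuer’s scoring, here is a small rule-based risk scorer that layers the two signals the paragraph above names: whether the submitting device has been seen for this customer before, and whether the distance travelled since the customer’s last known transaction is physically plausible in the elapsed time. This is an added illustration written for this page, not code from the authors, BITS, or any issuer or network; the customer history, the point weights, the 900 km/h travel ceiling and the approve/step-up/decline thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Transaction:
    customer_id: str
    device_id: str
    lat: float
    lon: float
    ts: float  # Unix seconds when the mobile wallet submitted the authorization


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


# Constructed history, standing in for the issuer's customer profile store:
# known device IDs plus (lat, lon, timestamp) of the last approved transaction.
HISTORY = {
    "cust-001": {
        "devices": {"dev-A"},
        "last": (40.7128, -74.0060, 1_700_000_000.0),  # New York, constructed
    },
}

# Assumed weights and thresholds; a real engine would tune these from outcome data.
UNKNOWN_DEVICE_POINTS = 40
IMPLAUSIBLE_TRAVEL_POINTS = 50
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster than this is not travel
STEP_UP_AT = 30            # 30..69 -> ask for stronger front-end authentication
DECLINE_AT = 70            # 70+    -> decline


def score_transaction(txn: Transaction, history: dict = HISTORY) -> dict:
    """Return a risk score, the reasons behind it, and a coarse decision."""
    score = 0
    reasons = []
    profile = history.get(txn.customer_id)
    if profile is None:
        # No baseline to compare against: let the rest of the stack decide.
        return {"score": 0, "reasons": ["no history for customer"], "decision": "approve"}

    # Signal 1: device ID never seen for this customer.
    if txn.device_id not in profile["devices"]:
        score += UNKNOWN_DEVICE_POINTS
        reasons.append(f"unknown device {txn.device_id}")

    # Signal 2: impossible travel since the last known location.
    last_lat, last_lon, last_ts = profile["last"]
    elapsed_h = (txn.ts - last_ts) / 3600.0
    if elapsed_h > 0:
        distance_km = haversine_km(last_lat, last_lon, txn.lat, txn.lon)
        speed_kmh = distance_km / elapsed_h
        if speed_kmh > MAX_PLAUSIBLE_KMH:
            score += IMPLAUSIBLE_TRAVEL_POINTS
            reasons.append(
                f"implausible travel: {distance_km:.0f} km in {elapsed_h:.2f} h"
            )
    else:
        # Out-of-order or skewed timestamp: record it, but do not compute a speed.
        reasons.append("timestamp not after last known transaction; velocity check skipped")

    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "approve"
    return {"score": score, "reasons": reasons, "decision": decision}


if __name__ == "__main__":
    # Constructed sample: known device, same city, one hour later.
    print(score_transaction(Transaction("cust-001", "dev-A", 40.75, -73.99, 1_700_003_600.0)))
    # Constructed sample: new device in London one hour after a New York purchase.
    print(score_transaction(Transaction("cust-001", "dev-Z", 51.5074, -0.1278, 1_700_003_600.0)))
```

The scorer is deliberately a pure function over a history snapshot so that it can be replayed against past authorizations; writing the approved transaction back to the profile is left to the caller. A “step_up” outcome is where the front-end authentication discussed below fits, rather than an outright decline.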
Mobile devices may soon function as reliable biometric authentication devices, helping to provide stronger front-end customer identification to complement improved back-end analytics. Apple’s recent purchase of AuthenTec is just the latest indicator that better customer authentication is on the way. No matter how good the industry’s back-end anomaly detection engines become, basic principles of layered security tell us we’ll need increasingly reliable means to authenticate customers at the front end of any payments transaction. We likely have at least part of the solution in our hands.
Achieving the enhanced fraud and security capability that lies just over the horizon may not be so easy. For example, telecommunication laws limit the ability of mobile carriers to share or use security data (e.g., Customer Proprietary Network Information or CPNI/location data) without a customer’s express consent. And even if that data could be shared, financial institutions (FIs) must assess their own ability to use that information in a payments silo- and channel-agnostic process to best mitigate fraud. In many FIs, that ability is limited for now.
Some of the largest established payments providers have launched digital wallets designed to move payments to the cloud, a step that many believe has the potential to substantially reduce risk. Yet, standards may not yet be adequate to provide comfort that cloud-based payments applications will be uniformly secure as attacks on this emerging infrastructure increase over time. The FFIEC’s July 10 statement on outsourced cloud computing proved unusual in that industry commentators suggested immediately that it fell short of “providing useful insights about how banks and credit unions must address privacy and security risks.”
As we were rightly reminded in the recent House hearings, regulators generally try to strike a balance in rapidly evolving technology environments between anticipating and trying to correct every possible issue and giving industry enough room to innovate and develop products that can provide materially increased value to customers. That’s a tough chore to accomplish in normal circumstances, but the convergence of telecommunications and payments ecosystems comes at a time when regulatory roles are not clearly defined and some areas of consumer exposure are acknowledged.
Amid this mix of both clear potential to enhance fraud mitigation and payments security and considerable friction against such progress, we believe that it’s time for FIs, mobile carriers, regulators, networks, and new entrants to the payments space to step up their game and focus more effectively on cooperating to enhance security in the payments ecosystem to everyone’s benefit. That requires:
FIs, mobile carriers, payments networks, and regulators setting standards and removing any regulatory barriers to transmit security data for use exclusively to better protect all participants in the ecosystem;
FIs developing the uniform capacity to effectively use that new data;
Improving fraud systems to enable real-time anomaly detection across all payment channels and rails;
Continuing to develop and deploy better front-end device and customer authentication techniques;
FIs, smartphone manufacturers, application developers and others better anticipating customer smartphone security practices and developing tools and techniques to isolate payment applications from the consequences of that behavior;
Launching consumer education programs to help users fully understand available mobile security tools and the consequences of ignoring them.
We think it’s going to be increasingly difficult for any one set of industry players to improve the payments risk environment alone. Today’s complex retail payments industry requires more effective collaboration and regulatory encouragement to shape the environment everyone wants to see. The time has come for us all to make the commitment to do so with better organization across both business and regulatory divides and with far greater effectiveness.
Ms. Place and Mr. Roboff are senior consultants at The Santa Fe Group where they focus on payments strategy, payments risk, and technology innovation. Ms. Place is also CEO at DigitalThinking.com. Mr. Roboff is also a senior consultant at BITS, the technology division of the Financial Services Roundtable. Ms. Place can be reached at [email protected] and Mr. Roboff at [email protected].