Will Faster Payments Mean Faster Fraud?Summit Speakers Weigh Benefits, Adverse Effects of Faster Payments in U.S.
Will the advent of faster payments in the U.S. open new doors for fraud? That's been a question on the minds of many fraud and security experts in the wake of recent attacks that compromised global transactions processed through the interbank messaging platform known as SWIFT (see Report: Bangladesh Probes 2013 Bank Hack via SWIFT).
See Also: The Business Email Compromise Handbook
At Information Security Media Group's recent Boston Fraud and Breach Prevention Summit, the long-term security of faster payments in the U.S. was questioned, raising the issue: Is the U.S. ready?
"Interchange will play a bigger role than security. It always comes back to the money."
Marianne Crowe, vice president of payment strategies at the Federal Reserve Bank of Boston, says business continuity and security are priorities for the Fed, which is now reviewing more than 20 proposals from the private sector for technologies that could facilitate faster payments in the U.S., where the payments system is much more diverse and complex than in other nations.
Crowe contends that to ensure global payments interoperability, faster payments are a necessity. The U.S. will soon be at a competitive disadvantage if it does not enable faster payments, she argues.
But Richard Parry, an independent consultant who formerly led consumer risk management at JPMorgan Chase, says he's not optimistic about a U.S. shift to faster payments, especially given the ongoing legal and legislative wrangling surrounding payments among banks and merchants. "It will become an interchange issue," Parry argued during a panel discussion with Crowe at our summit. "It always comes back to money, not security."
Parry says the most fundamental risk to payments is poor identity management. And it's a legitimate concern. After all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.
And in a real-time or near-real-time environment, once the money is gone, it's gone.
Several heists of SWIFT payments have proven how easy it is for fraudsters to exploit the lax identity management practices used to authenticate and verify bank-to-bank transactions.
Barriers to Faster Payments
Unlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S. As a result, banking institutions will have to completely rethink how they authenticate and verify payments to move to speedier payments, and that hinges on good identity management, Parry points out.
What's more, Parry believes tensions between banks and retailers over interchange fees will overshadow security in the migration to faster payments, just as they have with EMV.
"EMV chip and PIN versus chip and signature in the U.S. became an interchange issue, rather than a security issue," he said during the panel. "I see faster payments going in the same direction. I think interchange will play a bigger role than security."
Money Over Security
Merchants have argued that U.S. issuers and the card brands, namely Visa and MasterCard, opted to move forward with chip and signature rather than chip and PIN because they did not want to give merchants the same interchange advantages with credit payments that they now reap with debit payments.
Credit transactions are routed through the card brands' networks - Visa, MasterCard, etc. - and the per-transaction interchange rates charged to merchants are non-negotiable. Interchange rates are set by the card brands based on complicated stipulations that remain a mystery to most merchants and issuers.
Debit payments are different. Merchants can decide which networks they want to use to route debit payments, and they have far more options than they do for credit. By law, merchants are given a choice to route their debit transactions through the network that charges them the lowest interchange fees.
Because the U.S. is set up for debit PIN, the belief is that moving to a PIN option for credit payments could give merchants the same routing options. The card brands, which are owned by the banks, didn't want to give up revenue options, so they axed EMV chip-and-PIN deployment in the U.S., merchants claim.
So, in spite of the fact that chip and PIN is more secure than chip and signature - because the additional authentication layer of a PIN is far superior to that of a signature - the U.S. moved forward with EMV without making overall security the No. 1 priority, Parry argues. Had security, not money, been the focus, then the U.S. would be adopting chip and PIN today, just like the rest of the world.
Interchange: Not an Issue for the Fed
Crowe declined to touch the interchange issue. "Cost is not the No. 1 worry for the Fed when it comes to faster payments," she noted during the summit. The top concern, she says, is "a faster process that is still secure for business."
"Faster payments does not mean real-time," she was quick to add. "And we have two separate task forces that are reviewing the ongoing security of payments in the U.S. as well as a move toward faster payments. The Secure Payments Task Force's goals differ from the goals of the Faster Payments Task Force. And the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. going forward. Faster payments will be part of that, but not all."
The four areas include identity management, information sharing, data protection, and law and regulation coordination, Crowe says.
It's clear that the Fed is reviewing security concerns surrounding faster payments in the U.S.; but are they doing enough?
Will faster payments become an interchange issue? And, if so, what more should the Fed be doing to ensure security remains a top priority? Please share your comments below.