Payment fraud remains the fastest-growing threat to financial institutions and their customers. The new request for information (RFI) from the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) presents a meaningful chance for the industry to shape how we respond, together.
Specifically, it invites commenters to provide input on the following lines of inquiry:
- What actions could increase collaboration among stakeholders to address payments fraud?
- What types of collaboration, including standard setting, could be most effective in addressing payments fraud? What are some of the biggest obstacles to these types of collaboration?
- Which organizations outside of the payments or banking industry might provide additional insights related to payments fraud and be effective collaborators in detecting, preventing, and mitigating payments fraud?
- Could increased collaboration among Federal and State agencies help detect, prevent, and mitigate payments fraud? If so, how?
The RFI also makes the case for improvements to fraud education and awareness and invites commenters to consider providing input on these additional lines of inquiry:
- In general, what types of payments fraud education are most effective, and why? Would different audiences (for example, industry and consumers) benefit from different types of payments fraud education?
- Would additional education informing consumers and businesses about safe payment practices be helpful to reduce payments fraud and promote access to safe, secure payment options?
I am an enthusiastic supporter of this effort and appreciate the thoughtful manner in which the RFI lays out and articulates the topics that bound the scope of input. I have written about how a market’s response to financial crime crises can shape the duration and severity of that crisis. This influence is especially true in circumstances, such as now, when financial criminals are highly organized with a global operational footprint that enables them to quickly and easily shift their focus from one market to another.
In the fight against payments fraud, markets in Australia, Canada, Singapore, and the U.K. have benefited from smaller, less complex market structures compared to those in the U.S. These countries’ responses to the fraud and scam crisis demonstrate their ability to mobilize cooperation and collaboration efforts. These markets have a substantive head start in their mobilization, but this RFI is precisely the kind of opportunity that could accelerate and amplify mobilization in the U.S. market.
What to Consider Before Crafting a Response
Below, I share with you some thoughts to consider when crafting your responses to these RFI questions.
Q: What actions could increase collaboration among stakeholders to address payments fraud?
This question enables us to consider several models that other nations have used to address payment fraud.
The first comes from the U.K., where the Payment Systems Regulator and Financial Conduct Authority jointly hosted a hackathon program, which brought together solution providers, regulators, and practitioners. The program enabled them to collaborate and compete on generating innovative information-sharing approaches for FIs. Information sharing gives FIs access to valuable insights from one another without violating existing and emerging data privacy restrictions under PSD2 and PSD3, respectively. In the U.S., the FRS’s Payments Improvement Program is well-positioned to lead a similar effort and has an exceptional pool of talent to draw upon.
Another model comes from Singapore, with similar efforts in Brazil and Australia. Like the U.K.’s hackathon collaboration, these efforts also focus on overcoming information-sharing constraints through direct sponsorship of an information-sharing program by a regulatory authority (Singapore), or a similar program sanctioned by regulatory authorities (Australia and Brazil). Such efforts underscore the importance of overcoming or circumventing constraints on information sharing as a crucial means of automating and facilitating real-time or near-real-time fraud detection.
If these models fail to appeal to U.S. regulatory authorities for whatever reason, then perhaps a third model is worth consideration. Regulatory authorities in the U.S. could, based on input from this RFI, convene an industry-wide working group to produce guidance that clearly defines the boundaries between what is and what is not allowed in terms of information sharing as defined by the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. Importantly, this guidance should also include similarly clear guidance on what is and what is not allowed under safe harbor provisions such as those under section 314(b) of the USA PATRIOT Act.
Q: What types of collaboration, including standard setting, could be most effective in addressing payments fraud? What are some of the biggest obstacles to these types of collaboration?
Here, again, there are lessons to draw from other markets, but some common sense also applies in considering a response to this line of inquiry.
If most fraud executives can agree on one thing, it is that there is a profound lack of standardization in how the industry measures fraud. In times defined by the absence of crisis, particularly those that do not pose a systemic threat to the trust relationship, this lack of standardization is tolerable. However, our present crisis is one in which the trust relationship is being influenced by those who would make the case that FIs are failing to protect their customers adequately. It’s more important than ever to be able to speak confidently and with empirical, data-driven language in defense of all that the industry is and is not doing to protect its customers. FIs can only do so if they all agree to adopt a common measurement standard.
I would like to say that this could happen in the absence of a mandate. Yet, I must admit that the most efficient means of getting the industry to adopt such a standard would be for regulatory authorities to mandate it into existence.
Q: Which organizations outside of the payments or banking industry might provide additional insights related to payments fraud and be effective collaborators in detecting, preventing, and mitigating payments fraud?
This one’s a whopper. I could go on for pages, but I will do my best to summarize it by pointing to Australia’s model. Australia’s admittedly ambitious model would place some form of liability on companies whose platforms, networks, services, or systems were used in the commission of fraud, even if it was far “upstream” from the theft event that ultimately takes place under the watch of an FI. How this liability will be adjudicated and enforced has yet to be detailed, and the devil is certainly in the details.
Such processes of adjudication and enforcement would (even in Australia) require regulatory authorities to develop protocols that span the entire ecosystem of industries—those with jurisdiction over not just the banking sector, but also the telecommunications industry, the tech industry, and even retail and commercial entities. This ecosystem-wide approach to resolving disputes may sound daunting, but it’s worth pointing out that the card networks have been operating such a system for over 50 years. While the chargeback system is far from perfect and has its fair share of critics, it’s also true that it functions in a manner that has preserved trust in the networks for what might qualify as an eternity in technological time.
Q: Could increased collaboration among Federal and State agencies help detect, prevent, and mitigate payments fraud? If so, how?
My short answer to this question is “maybe.” My long answer would be something closer to “this question misses the mark.” I think a better question is, “Could increasing the budget of state and federal law enforcement agencies and directing them to allocate increased budgets directly to creating and expanding resources dedicated to pursuing cyber fraud criminal cases help detect, prevent, and mitigate payments fraud?”
Granted, U.S. regulatory authorities are not exactly well-positioned to sponsor the kinds of legislation that could bring about this kind of outcome. The question should then become, “What authority can/should be established that can bear the responsibility of championing and orchestrating collaboration among multiple industries, governmental agencies, and legislators in the interest of producing tangible outcomes that will help contain, control, and ultimately reduce fraudulent activity?”
Any effort to improve collaboration must also address the reality that enforcement teams need adequate funding, specialized talent, and clarity on how to share intelligence across jurisdictions and sectors.
Conclusion
Other markets have taken steps to define such authorities and started down the difficult path of addressing the crisis. It’s time that the U.S. market began mobilizing similar efforts, lest we become the last watering hole for the burgeoning ranks of global criminal syndicates preying on the public. This RFI is a crucial opportunity for the industry to share what works and what is still needed. I encourage everyone with frontline insights to participate and help shape a coordinated approach that matches the scale of today’s organized financial crime. Reach out to us at Datos Insights if you’d like to discuss this important opportunity to more meaningfully shape efforts to combat payment fraud and financial crime.