ID theft legislation: A juggling act between protection and privacy
he electronic transactions industry is struggling to preserve the integrity of the payments system and build consumer confidence. Meanwhile, identity theft is spurring legislative mandates to protect consumer information.
These were the interlocking concerns of a forum hosted by the Federal Deposit Insurance Corp. June 23, 2006. Moderator Carla Balakgie, Executive Director of the Electronic Transactions Association, noted that consumer-protection legislation often begins in California and "makes its way across the country." At least 30 states now have security-breach notification requirements.
"New Hampshire was the 31st to enact it," said Maurine Padden, Senior Vice President for Government Relations at the California Bankers Association. "In addition, Congress is considering it." California requires encryption of personal data and its access code, she said. Breaches of personal data mandate a duty to notify the consumer, which applies to any business entity, qualified partner, merchant or data warehouser using that information. "If I'm a business, I have to be cognizant that some states trigger duty-to-notify [statutes] when likely, potential or actual harm-being-present applies," Padden said.
The variation among state laws is the reason Congress is contemplating a federal standard. "The question becomes whether federal legislation will also include 'potential for harm.' Many would like to see that provision," she said.
California voters are likely to see a proposition on the November ballot that would increase criminal penalties for the crime of identity theft. "Law enforcement officers are hampered by the fact we don't have felony status for identity theft crimes," Padden said.
Legislation is "always a juggling act between consumer protection and customer convenience," Balakgie said. Illustrating that point, Padden noted that the state of California has made numerous attempts over the past decade to require biometric identifiers as authenticating factors in banking, but the concept has met resistance from consumers.
Putting the engine into 'neural'
Laws increasing enforcement powers should be welcome news to the card Associations; yet the best safeguards are self-imposed. "We're concerned about PIN fraud," said Sally Graham, Visa U.S.A. Vice President for Risk & Back Office Processing Products Fraud Risk Solutions. "Fraud in the debit card area has been growing because of PIN compromises."
While issuers have always taken care to apply Visa's neural networks to the use of their credit cards, many were lax with verification on their debit card transactions. Today, "we see debit issuers implementing neural networks and fraud detection controls," she said.
Card issuers have always stemmed fraud by issuing new plastic as soon as consumers report misuse or theft of their cards. "Now, that is becoming a challenge because the customer may be involved in two, three or four compromises," Graham said. "It becomes difficult to reissue those cards." Instead, the issuers are being vigilant at monitoring for fraud coming from specific compromises.
Visa provides issuers with information about a compromise including the type, such as card not present, PIN or other vulnerability. "We allow our members to make decisions based on specific compromises," she said. "The future of fraud detection is looking at the profitability [of] fraud strategies," because of the costs associated with losing customers and investigating potential fraud.
Clearing the way for check fraud?
Fraud within the automated clearing house (ACH) world has always been low and is declining because banks are adding security services, such as allowing consumers to put blocks on ACH access to their accounts, according to Dave Kurrasch, Contractor and Manager for BankServ.
However, "now that you can access the ACH network at the POS, and I'll extend that to Check 21, the industry is a lot more concerned about check fraud being [imported] to the ACH world." ACH institutions are worried that people will try to deposit checks twice: electronically and in person at the bank. "More check guarantee services will kick in" at the POS, he predicted.
Duty to due diligence
Federal Trade Commission attorney Allison Brown with the Division of Financial Practices warned that payment processors must be vigilant in performing due diligence on merchants. She cited a case the Securities and Exchange Commission brought early this year against a pair of sister companies, which told their processor they would send out postcards inviting consumers to call, but instead were involved in outbound telemarketing of a Ponzi scheme.
"Payment processing needs ongoing monitoring," Brown said. "Dig deeper and visit the merchant in person." The fraud might have been revealed if the processor had asked to see the postcards, which were nonexistent.
In the case of another fraudulent merchant, the FTC is suing the payment processor that served as the link from an overseas merchant to the U.S. banking system.
Fraudulent operators can make use of payment processors as the direct link in an illegal scheme, for which there should be red flags, Brown said. Failing to perform due diligence can lead to complicity.
"Debiting a consumer's checking account while knowing or consciously avoiding knowing that they lack authorization to do so is an unfair practice," she said. "[I]f you're just looking the other way at these red flags right there in front of you, [it doesn't mitigate the responsibility of knowing] that these transactions shouldn't ... be getting into the banking system."
When law enforcement gets involved, merchants can learn some basics for detecting fraud. Attendee Key Budge, Detective with the Los Angeles County Sheriff's Department, noted that a big box retailer it trained is thwarting up to $15,000 a month in fraudulent charges.
A key factor in the training is the use of countertop ultraviolet-light units that display hidden bankcard logos, which only valid cards carry.
"It seems as if no [merchants] know about the UV features," he said. Budge is also a distributor for merchant UV-light-emitting equipment from Ready 2 Protect.
For banks, the most important aspect of fighting fraud is collaboration among banks and law enforcement to share information about fraud trends, Padden said.
"Awareness, willingness [to collaborate] and due diligence are the solutions to many problems," Balakgie added.
|