Posts Tagged ‘identity theft’
Tower Group are right – US financial services firms have lost the battle to protect the personal information of customers
This is a sufficiently provocative headline that I can hardly ignore.
US financial services firms have lost the battle to protect the personal information of customers and must now assume that all their clients’ data has been, or will be, compromised, according to TowerGroup.
First of all, I agree with the headline. The battle is largely lost; I would go further and hesitantly admit what few bankers will: that control over customers’ information never really existed. Why do I say that?
Consider how banks have evolved: one account type at a time, one service at a time. Each of those was managed by a disparate computer system, and as new products were added, new systems were added. This problem has only been magnified by bank consolidations, which added even more disparate systems.
The result is that Joe Customer has ‘files’ located within different systems, each with his own address and personal information. In fact he is often Joe C. Customer, or J.T. Customer in those other systems. Government regulation that forestalled the use of Social Insurance/National Insurance numbers as identifiers also forestalled any common macro identifier for Joe. The result is that the bank is not sure whether Joe is the same person in each system or not. Similar addresses are a clue but hardly definitive. I will have more to write on this later.
Let’s return to the Tower piece in Finextra:
Meanwhile, companies should assume that traditional account information such as name, address, date of birth and account balance are useless as authentication factors. Instead they should consider using knowledge-based authentication and one-time passwords delivered via SMS.
Relevance to Bankwatch:
In other words, the very information that banks neither fully control nor understand in the context of customer identification is the same information that can no longer be relied on. The conundrum is that it is the only information that banks have in place to rely upon. This is hardly a recipe for success or customer loyalty, and it is small wonder that customers accept and promote the use of disaggregated financial services, spreading themselves between institutions as their own personal risk mitigation strategy.
Banks are very focussed on transaction security, using chip cards, two-factor authentication and the like, but this does nothing for information security. The bank that can crack this nut by offering complete information security, such that Joe in our example can feel confident about his financial information not being compromised, might just give itself a leadership edge.
President Kohn of the Kansas City Fed speaks at the ECB/De Nederlandsche Bank conference in Frankfurt. He argues for greater control by the Fed over the payments system. While his outline of the problems makes sense, those problems also describe the failure of the current system and the lack of foresight in the existing controls, and it’s unclear that the proposed solution will have any impact other than exacerbating them. The problems he describes are real and, more importantly, consumer facing. They are also, imho, problems that large banks could address given their scale and the opportunity for customer loyalty. I am thinking of BofA and Wells specifically, but that is for another post.
The Future of Retail Banking and Payments – President Thomas H. Hoenig
In light of the trend toward greater industry concentration and the existence of important payments system externalities, the Federal Reserve should play a larger and more active role in electronic retail payments if it wants to promote the efficiency and integrity of the payments system.
There are two broad categories of problems that he identifies with the payments networks:
- lack of competitiveness: In 2007 81% of the payments volume went over three networks, compared to 46% just a few years earlier. In addition, the number of networks is down from 43 to 14.
- integrity of the system(s): He sees a single point of failure and the prominence of non-banks as issues of concern. The variety of systems introduces externalities that undermine the entire system. His example is the continued use of mag stripe and the security implications of not shifting to chip cards as the rest of the world has done.
On that last point I would add that holding on to the mag stripe is influencing the rest of the world, with counterproductive results. For example, in Canada banks are issuing cards with both stripe and chip, which makes no sense. So long as the stripe exists, the flaws associated with the stripe exist. But the sheer size of the American market pressures the issuers to continue with the stripe for the foreseeable future.
Then he makes this statement:
Historically, the Federal Reserve’s role in both checks and ACH reflects a preference to operate within the market rather than as a pure regulator. We are well aware that industries can – and do – quickly develop methods to exploit any regulatory loopholes and avoid the intended outcome. By competing with the private sector on a level playing field, the Federal Reserve can encourage efficiency and integrity from an “on the ground” position.
That statement reads to me as rationalisation of inaction and continuation of the status quo. His conclusion is that the best form of regulation and solution to the aforementioned problems is to compete with the other networks.
Thus, in my view, the Federal Reserve’s future role in retail payments should be built around its current position in ACH. For example, in its operator role, the Federal Reserve could augment its ACH products and services, with the aim of enhancing competition and safety within the ACH industry.
… … …
Finally, the Federal Reserve could enhance competition in payment card markets by positioning ACH services as an alternative to debit card payment networks.
It certainly is a strategy, and we can debate whether government ought to be engaged in payments systems directly, as regulators, or not at all. All I know is that consumers (and banks) will suffer from the real problems he identified at the outset, and it’s not at all clear that the Fed’s 14th network will address those problems at all. This reads as a recipe for disaster in American payments. For example, the very issue he outlined of underinvestment in security and integrity will only be accentuated as the other 13 networks work to compete with the Fed and protect profits. Expect continued data leakages, network outages, and identity theft.