Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
October 25, 2021
Should We Throw in the Towel When It Comes to Data Breach Prevention?
Cybersecurity Awareness Month, observed in October, reminds us of a post we ran two years ago. We're rerunning it today because it is just as relevant now as it was then, and perhaps even more important. This year's Data Breach Investigations Report, for example, found that 85 percent of breaches involved a human element. As the Risk Forum has often said, the human element is the weakest link when it comes to cybersecurity. So the closing question posed by my colleague, the author of that post, is as imperative today as ever, now that organizations accept that human-caused breaches are inevitable: "What approach has your organization taken to adopting threat prevention and response preparedness?"
We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.
In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?
According to Verizon's 2019 Data Breach Investigations Report, small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.
Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.
October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.
While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?
October 18, 2021
They're Here! Guides to Fintech Partnerships
Over the past few years, the Risk Forum has coordinated with other areas of the Atlanta Fed, including the Supervision, Regulation, and Credit Division, to support one of the Bank's high-priority initiatives: promoting safer payments innovation. A major component of our work is reaching out to and working with community banks, financial technology firms, or fintechs, and industry stakeholders.
We continue to hear that community banks face challenges in finding the right service partners and knowing how to navigate the regulatory environment as they develop new financial innovations. At the same time, fintechs are ready for partnerships but not always certain how to work within the regulations nor how to work with multiple regulators, each with its own approach. That's why we were excited to hear about two publications recently released by regulators that will help support these partnerships between community banks and fintechs.
The first publication, Community Bank Access to Innovation through Partnerships, provides some highlights of fintech partnerships, including the benefits and risks. It describes two conditions for banks to focus on: first, establish trust and alignment with fintech partners, and second, build a long-term culture committed to innovation.
The second guide, Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks, was cowritten by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. This guide, not required by the regulatory agencies, can be helpful for community banks looking to partner with a fintech company. (This is not to be confused with the proposed joint agency guidance on third-party risk management that Doug King wrote about in August.)
Since fintech companies vary significantly in operations and maturity, this guide stresses that banks should take a risk-based approach. The level of due diligence a bank does when considering working with a fintech company should be commensurate with the nature and criticality of the activities the fintech will perform for the bank. The areas for the banks to use in their evaluation are discussed in a consistent layout of "considerations, sources, and examples." The guide suggests some nontraditional data sources, which can be very helpful, within the six recommended areas of due diligence, which are as follows:
- Business experience and qualifications: Determine if the mission and strategic plan line up with the bank's values, review the board of directors, and check for outstanding consumer complaints and business failures.
- Financial conditions: If audited financial statements are not available, consider the fintech's access to funding, earnings, net cash flow, and client base.
- Legal and regulatory: Ensure compliance with all applicable laws and regulations, including consumer protection laws; review charter and license information; periodically review contracts for compliance with the agreed-upon terms; check pending lawsuits.
- Risk management and controls: Review processes and risk management policies, such as key risk and performance indicators. Employing an audit function may help with assessment. Consider onsite evaluations to observe the operations-and-controls environment.
- Information security: Review technology policies and assessments, and review procedures for deploying and patching hardware or software. Consider risks and controls over consumer data.
- Operational resilience: Review business continuity plans and third parties the company relies on for recovery operations. Know where the major data centers reside. Check the availability of other service providers for contingency planning.
Both publications contain fundamental concepts for an institution of any size or even for those fintechs vying for a bank partnership.
October 12, 2021
Scams and Student Loan Forbearance
If you are a millennial like me, sitting on a mountain of student loan debt, chances are you've received at least one call or letter a month with offers to suspend your student loan payments as part of the administrative forbearance set by the Coronavirus Aid, Relief, and Economic Security—or CARES—Act. In fact, I recently received a letter stating that I was "prequalified" to have my federal student loans forgiven in exchange for an upfront fee. Of course, not all of the unsolicited letters and calls are scams, but if you're asked to pay a fee to have your student loans canceled, it's a safe bet that the offer is a scam tactic.
Although student loan forgiveness scams have been around for some time, fraudsters claiming to be affiliated with the Department of Education are exploiting the current economic uncertainty by creating confusion around how borrowers can qualify for the administrative forbearance program. Some fake companies will offer to work with borrowers to negotiate a lower repayment plan for free and then request that they send their payments directly to the company rather than to the lender. Furthermore, scammers may ask for personally identifiable information or the borrower's Federal Student Aid (FSA) login credentials in hopes of stealing the borrower's identity or money. In a time when unemployment is high and many are financially vulnerable, people are likely more willing to take risks if it means obtaining some desperately needed financial relief—and fraudsters are well aware of this.
So what should you do if you are contacted by a company offering student loan debt relief? The FSA recommends you look out for these red flags before you respond:
- They require you to pay upfront or monthly fees.
- They promise immediate and total loan forgiveness or cancellation.
- They ask for your FSA ID username and password.
- They ask you to sign and submit a third-party authorization form or a power of attorney.
- They claim that their offer is limited and encourage you to act immediately.
- Their communications contain spelling and grammatical errors.
The FSA also lists some examples of common phrases that scammers use in their communications:
- "Act immediately to qualify for student loan forgiveness before the program is discontinued."
- "You are now eligible to receive benefits from a recent law that has passed regarding federal student loans, including total forgiveness in some circumstances. Federal student loan programs may change. Please call within 30 days of receiving this notice."
- "Your student loans may qualify for complete discharge. Enrollments are first come, first served."
- "Student alerts: Your student loan is flagged for forgiveness pending verification. Call now!"
Although the latest extension of the administrative forbearance into early next year may be a huge relief for many borrowers, it unfortunately also means that scammers have more time to exploit the situation. I encourage you to read an FSA article that contains other helpful information on how to identify and report a student loan scam.
October 4, 2021
Webinar on Preventing Elder Financial Exploitation
Every day, nearly 10,000 adults in the United States turn 65, and every year, elder financial exploitation results in ever greater losses. In 2020, people over the age of 60 sustained more than $1 billion of losses due to fraud, an increase of $300 million over the previous year, according to the FBI's Internet Crime Complaint Center, known as the IC3. (Some estimates put the losses much higher.)
Payments-related problems are often red flags that alert bankers that fraud could be occurring. Overdraft fees due to bounced checks, unusual ATM withdrawals, utility payments for multiple properties, or payment card transactions that aren't a pattern within the customer's normal payment history are just a few examples that can be explored to protect against elder financial exploitation.
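As an added illustration of the indicators just listed, the following Python screens a review window of transactions against the same customer's own history. It is not code from this post or from any bank or regulator; the customer, the transaction records, the rule names and the thresholds (three standard deviations above the customer's usual ATM withdrawal, a utility payee address not seen before, a card merchant category absent from the history) are all constructed for the example.

```python
# Added illustration of the payments red flags described in the post
# (overdrafts, out-of-pattern ATM withdrawals, utility payments for several
# properties, card activity outside the customer's normal history).
# Names, thresholds and all transaction records are constructed for this
# example; they are not the Atlanta Fed's or any bank's actual rules.
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    day: date
    kind: str                 # "atm", "card", "check" or "utility"
    amount: float             # debit amount in dollars
    detail: str               # merchant category, payee or service address
    overdraft: bool = False   # True if the item overdrew the account


# Constructed history for one hypothetical customer: the "normal pattern".
BASELINE = [
    Txn(date(2021, 7, 2), "atm", 100.0, "branch"),
    Txn(date(2021, 7, 9), "atm", 120.0, "branch"),
    Txn(date(2021, 7, 16), "atm", 100.0, "branch"),
    Txn(date(2021, 7, 23), "atm", 80.0, "branch"),
    Txn(date(2021, 7, 30), "atm", 100.0, "branch"),
    Txn(date(2021, 8, 6), "atm", 100.0, "branch"),
    Txn(date(2021, 7, 5), "card", 64.10, "grocery"),
    Txn(date(2021, 7, 19), "card", 22.50, "pharmacy"),
    Txn(date(2021, 8, 2), "card", 71.30, "grocery"),
    Txn(date(2021, 7, 10), "utility", 95.00, "12 Elm St"),
    Txn(date(2021, 8, 10), "utility", 97.00, "12 Elm St"),
    Txn(date(2021, 7, 28), "check", 400.00, "landscaper"),
]

# Constructed review window containing one instance of each indicator.
RECENT = [
    Txn(date(2021, 9, 3), "atm", 120.0, "branch"),
    Txn(date(2021, 9, 8), "atm", 500.0, "branch"),
    Txn(date(2021, 9, 10), "utility", 96.00, "12 Elm St"),
    Txn(date(2021, 9, 12), "utility", 140.00, "48 Oak Ave"),
    Txn(date(2021, 9, 14), "card", 66.00, "grocery"),
    Txn(date(2021, 9, 15), "card", 450.00, "gift_cards"),
    Txn(date(2021, 9, 20), "check", 400.00, "landscaper", overdraft=True),
]


def flag_transactions(baseline, recent, z=3.0):
    """Return (rule, txn) pairs for items in `recent` that break the pattern
    established by `baseline`. Each rule maps to one indicator in the post."""
    flags = []

    # Rule 1: overdraft fees / bounced checks.
    flags += [("overdraft", t) for t in recent if t.overdraft]

    # Rule 2: ATM withdrawals far above this customer's own baseline.
    # Threshold is mean + z standard deviations; if the history has no
    # variance at all, fall back to double the usual amount.
    atm = [t.amount for t in baseline if t.kind == "atm"]
    if atm:
        mu, sigma = mean(atm), pstdev(atm)
        limit = mu + z * sigma if sigma > 0 else 2 * mu
        flags += [("unusual_atm_withdrawal", t) for t in recent
                  if t.kind == "atm" and t.amount > limit]

    # Rule 3: utility payments for a service address not seen before,
    # i.e. the customer is now paying for more than one property.
    known_addr = {t.detail for t in baseline if t.kind == "utility"}
    flags += [("utility_new_address", t) for t in recent
              if t.kind == "utility" and t.detail not in known_addr]

    # Rule 4: card spending in a merchant category absent from the history.
    known_cat = {t.detail for t in baseline if t.kind == "card"}
    flags += [("card_new_category", t) for t in recent
              if t.kind == "card" and t.detail not in known_cat]
    return flags


def review(baseline=BASELINE, recent=RECENT):
    """Summarise the flags as {rule: number of transactions hit}."""
    counts = {}
    for rule, _ in flag_transactions(baseline, recent):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, t in flag_transactions(BASELINE, RECENT):
        print(f"{t.day} {rule:<24} {t.kind:<8} ${t.amount:>8.2f} {t.detail}")
```

The point of the design is that every rule is relative to the individual customer rather than to a fixed dollar figure: a $500 withdrawal is unremarkable for some customers and a sharp break for this one, and a second service address is only meaningful because the history shows a single property. Flags are review prompts for a banker, not conclusions.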
The recent public spotlight on conservatorships—consider Britney Spears, Nichelle Nichols, who played Lieutenant Uhura in Star Trek, and the 2020 Golden Globe-winning movie I Care A Lot—has identified an until recently little-known form of potential financial exploitation. Approximately 1.3 million adults, representing $50 billion in assets, are in some form of a conservatorship today according to the most recent statistics from 2016. This number includes those who are younger and have disabilities or other issues that may require oversight, but the majority are elders.
As the population continues to age, what risks need to be exposed to protect the elderly from financial exploitation? What are the differences among guardianship, power of attorney, and conservatorship? Are women more at risk for exploitation than men? What can financial institutions do to identify their elderly customers and protect them?
Join us on October 21 for the next session of our Talk About Payments (TAP) webinar series, when two experts in elder financial abuse prevention provide insights into these and other questions. Scarlett Heinbuch, a payments risk expert at the Atlanta Fed, will lead the discussion with Naomi R. Cahn, director of the Family Law Center at the University of Virginia School of Law, and Ronald C. Long, head of aging client services for Wells Fargo.
The webinar takes place on October 21 from 1 p.m. to 2 p.m. (ET). To participate in the free webinar, you must register in advance. Register on the event page or go to the TAP webinar page, where you can also view previous webinars. Once you have registered, we will send you a confirmation email with login information.
We look forward to a lively discussion on these little-known topics. Bring your questions!