STUDY: LEGAL REQUIREMENTS FOR AN EXCHANGE OF FRAUD DATA AMONG CARD ISSUERS

Transcription

1 4 STUDY: LEGAL REQUIREMENTS FOR AN EXCHANGE OF FRAUD DATA AMONG CARD ISSUERS In 2003, the Observatory looked at the automatic fraud detection systems implemented by card issuers. This work showed that pooling data on fraudulent transactions could help make these systems more effective and thereby contribute to fighting fraud. In 2004, the Observatory therefore studied the legal requirements for such data exchanges and requested the opinion of the French data protection authority (CNIL). The results of this study are presented below, but these findings are not a sufficient foundation for undertaking an operational project. If payment card issuers decide to exchange fraud data, they will have to provide the CNIL with more information about the technical and operational procedures involved in order to comply with the provisions of the Data Processing and Freedom Act and, more particularly, to comply with Article 6 of the Act of 6 January 1978, as amended, with regard to questions about the legitimacy and relevance of collecting personal data. Purpose of the study Issuers use automatic fraud detection systems to identify abnormal transactions that are potentially attempted fraud. These systems provide real-time analysis of the authorisation requests received and post-processing analysis of transactions (see Box 13). The effectiveness of automatic fraud detection systems depends greatly on the system parameters and the issuers knowledge of proven cases of fraud. In the case of three-party cards, a single institution collects all of the information about fraud. On the other hand, in the case of four-party cards, the information is spread out between the different issuers. In order to enhance their knowledge of fraud and make their detection systems more effective, some issuers in four-party card payment systems have thus decided to exchange fraud data. The Observatory investigated the legal feasibility of extending this practice to all systems and authorising the pooling of fraud data, not just within a single card payment system, but between several different systems. This pooling of data does not entail setting up a joint database on fraudulent cards or transactions. It means sharing information about behaviour patterns that card issuers have identified as being typical of fraudsters. This information sharing is intended to help each issuer improve the parameters of its own fraud detection systems. The general criteria of the CNIL s assessment of the requirements and restrictions on card issuers pooling of behavioural data about fraud are presented in the rest of this study. Observatory for Payment Card Security 2004 Report 33

2 Box 13: Functional flows in a card payment system Card holder s bank Debit from account Settlement stage Credit to account Acceptor s bank Default management Clearing and settlement system Transmission of accounting data Debit from holder s Credit to acceptor s card account card account Transmission of accounting data Detection of abnormal transactions and identity theft Card issuing institution Authorisation requests and answers Acquiring institution Detection of technically invalid payment orders Card sent to holder Transaction stage Authorised transactions collected Card holder Card payment or withdrawal Acceptor (merchant, ATM) Detection of counterfeit cards The processing of a card payment can be broken down into two stages. The fight against fraud involves action in both stages. The transaction stage includes the initiation, validation and transmission of the payment order. The validation of a card payment requires the implementation of several functions, such as card holder authentication, proof of the card holder s consent for the transaction, checking the authenticity of the card and the transaction authorisation, which may be accomplished off-line (without consulting the card issuer) or on-line. Authorised payments are stored in the merchant s accepting terminal. They are then transmitted to the acquiring bank, which prepares them for the settlement stage. The settlement stage is where the payment is completed by the exchange and settlement of payment orders between the card holder s and the acceptor s financial intermediaries. These exchanges might be direct transactions between two financial intermediaries, if they both belong to the same institution or the same group. In most cases, however, card payments made in France are exchanged through the SIT (Système Interbancaire de Télécompensation) system, which calculates the issuers and acquirers net clearing balances. These net balances are then settled across central bank accounts through the TBF (Transfert Banque de France) RTGS system. The card issuer and the transaction acquirer do not necessary hold the card holder s and acceptor s accounts. In this case, further payment orders need to be generated to debit the card holder s account for the amount of the transactions made and to credit the acceptor s account for the amount of the transactions recorded by the point of sale. The purpose of pooling fraud data In 2003, the Observatory stressed the value of automatic systems that enable issuers to detect abnormal transactions, which back up the measures to protect them against counterfeit cards. These systems are even more important for Report Observatory for Payment Card Security

3 international transactions and remote payments, since payment security cannot always rely on the robustness of the payment medium 6. These systems are designed to protect card holders against fraudulent debits from their accounts and to protect merchants against unpaid transactions. The systems may generate alerts that do not necessarily lead to the automatic rejection of a payment or a withdrawal request. Other actions, such as a telephone call to the merchant s bank or the card holder s bank may complete the authorisation procedure, when there is a doubt about the validity of a transaction. According to the CNIL s assessment, such back office checks are likely to reduce the risk that fully automatic systems arbitrarily block payments to the detriment of card holders 7. Pooling fraud data is intended to enhance issuers knowledge of fraud through the sharing of information about typical fraud patterns (for example, transactions made in a very short period of time at points of sale that are far away from each other), and thus improve the relevance of parameters of automatic abnormal transaction detection systems. At the same time, improving the parameters of automatic fraud detection systems should lead to a reduction in the frequency of false alarms. On the other hand, the pooling of fraud data discussed in this study is not intended to automate authorisation refusals for payments and withdrawals, nor is it intended to prevent certain merchants or consumers from using card payment systems. The pooling of fraud data does not mean compiling a joint blacklist of deadbeats and suspicious merchants for all card payment systems. Types of data that could be exchanged Even though automatic fraud detection systems may vary from issuer to issuer and from card network to card network (expert systems, neural networks, behaviour pattern analysis), they all use the same data: authorisation request and transaction characteristics (amount, card number or card holder identification, acceptor identification, authorisation or refusal data); information in the clearing files (transaction amount, card holder s and acceptor s account numbers); descriptive information about the customers and merchants (card holder s habits, merchant s location, etc.) 6 In its 2003 Annual Report, the Observatory urged card issuers that were already in the process of migrating to EMV to continue their action as quickly as possible. Furthermore, the CNIL recommended on several occasions that the security of payment media take precedence over the implementation of databases to fight fraud. 7 The CNIL regularly receives complaints from individuals whose cheques have been wrongfully refused by scoring systems developed to ensure the security of cheque payments. Observatory for Payment Card Security 2004 Report 35

4 Box 14: Automatic fraud detection systems There are many different automatic fraud detection systems. They can be operated by several issuers or dedicated to the specific needs of an individual issuer. They include artificial intelligence systems (for example, neural networks), expert systems and behaviour pattern analysis systems. Neural network systems are computer programs that simulate the deductive thinking of the human brain. A training data set is used to configure the neural network so that, for a given input, the system returns a response that is based on the experience acquired in the training data set, or, potentially, from events occurring after the initial configuration of the network. The distinguishing characteristic of neural networks is the automatic configuration of the system in which the deduction rules are not set by a human operator. On the other hand, expert systems use a set of empirically defined rules. The choice of these rules determines the effectiveness of the system. An expert system analyses a given transaction or authorisation request inputs with regard to the set of rules and usually produces a final score that measures the probability of fraud. Systems that analyse behaviour patterns use not only transactions and authorisation requests as parameters, but also a series of payment orders. The analysis of the series can sometimes reveal discrepancies, such as a card seeming to be in several places at once, as cited in the example above. It is important to note that the pooled data could be made totally anonymous without affecting the proper configuration of automatic fraud detection systems. This means that it does not seem necessary to disclose the personal data relating to the fraudulent payments for the identification of some typical fraud patterns (such as a quick succession of transactions in places that are far apart). Under these circumstances, the data that could be pooled to good effect include among others: fraudulent transaction profiles (amount, place, date, card holder and merchant identifiers, type of store); card holder and merchant profiles (card use and acceptance habits); behaviour patterns that point to a high probability of fraud. The pooled data could concern proven cases of fraud and not abnormal transactions. Since French law does not define payment card fraud, issuers could rely on the definition given by the Observatory to determine whether data are eligible for pooling. Some of the data mentioned above may be personal and relate to a card holder or a merchant. Legal obstacles In conjunction with the CNIL, the Observatory identified a number of legal requirements applying to the sharing of fraud data by payment card issuers Report Observatory for Payment Card Security

5 To start with, the CNIL will not grant its authorisation for the processing of sensitive personal data until anonymisation techniques based on hashing have been implemented. This technique is used by the Paris transportation authority in its Navigo application to ensure a degree of anonymity with regard to passengers travel patterns, despite having to monitor the risk of technological fraud. This is also the case in healthcare applications that require anonymous statistical monitoring of certain individuals. In the same vein, fraud patterns could be defined by discerning similar fraudulent behaviour on the basis of this anonymous monitoring. Under these circumstances, the CNIL considers that pooling of fraud data is possible without its prior authorisation, as long as personal data are anonymised by hashing or a similar process. Box 15: Hashing Hashing is a process in which a stable and unique anonymous number is created for a given individual on the basis of directly and indirectly identifiable data. The key property of a hashing process is that it must be irreversible, which means that it must be impossible to work back from the anonymous number to find the identifiable data used to calculate the number. Because the anonymous number is stable and unique, it can be used to track an individual s behaviour over a certain period, without revealing their real identity. On the other hand, any project calling for the exchange of non-anonymised personal data must be submitted to prior authorisation from the CNIL, in accordance with Article 25-4 of the Data Processing and Freedom Act, which states that prior authorisation is required from the CNIL for the implementation of automated processing that is, because of its nature, scope or purpose, likely to exclude individuals from the benefits of a contract. The CNIL has identified three main legal obstacles to the sharing of non-anonymised personal data: the pooling of data in the banking sector, the risk of pooled data being used for unauthorised purposes and the risk of a database of offences being compiled. Box 16: Personal data According to the Data Processing and Freedom Act of 6 January 1978, as amended by the Act of 6 August 2004, personal data means any information about a named natural person or a person who can be identified directly or indirectly by reference to an identification number or one or more items specific to that person. All of the means available to or accessible to the person in charge of data processing or to any other person that could be used to identify a person must be considered to determine whether that person is identifiable. In the case of payment cards, such data can include the card number or any other information, even if it is strictly technical in nature, that could enable to link the holder to the card. Information pooling in the banking sector As banking is subject to the obligation of professional secrecy, the exchange or the pooling of personal data with third parties, even if they are other financial institutions, is a very critical issue. Observatory for Payment Card Security 2004 Report 37

6 According to the CNIL, breaches of banking secrecy must be exceptional and stated by law or regulation, both for the legal protection of professional secrecy and the legal protection of the privacy of the persons concerned. Credit institutions indeed collect a great deal of information, which is only given to them by virtue of their monopoly on the management of means of payment. Credit institutions must therefore comply with the rules on the confidentiality of customer information under the terms of Article 29 of the Act of 6 January 1978 and the specific rules applying to the financial sector. The CNIL does not know of any industry regulations that eliminate the obligation of professional secrecy between credit institutions 8. Consequently, the CNIL refers to the guidelines laid down by the Comité de la Réglementation Bancaire et Financière (CRBF) on the subject: a credit institution does not have the right to transmit personal data about its customers to third parties, even if the latter are affiliated companies. As there are no provisions for it in the legislation, sharing information with other companies outside of a group would require an exemption from banking secrecy, as defined in Article L of the Monetary and Financial Code. Such exemptions must be subject to the courts interpretation and subject to verification of the legitimacy of sharing certain information. Customer protection calls for a rigorous contract setting out the requirements for sharing information, the receivers of the shared information, the use made of the shared information and the purpose of the partnership. Such a contract is to be signed when the customers give their explicit consent to waive their bank of its professional secrecy obligation. The CNIL also took several closer looks at the scope of the option offered to customers to authorise the bank to disclose some of the information it holds to designated third parties. It appears that, subject to the courts interpretation, signing a special banking secrecy waiver clause in a card holder s agreement, does not prove beyond a doubt that the person has freely made an informed decision to give their consent, in view of the individual s weak bargaining power and the impossibility of exercising their right to oppose such a clause. Furthermore, the CNIL stresses the legal risks that issuers would incur if they were to rely on a customer s request to waive banking secrecy since each customer could revoke such a waiver unilaterally. 8 On the contrary, there is such legislation concerning the sharing of information within a group in order to fight money laundering. Some of the uncertainties were removed by the adoption of Act on Financial Security on 1 August Article L of the Monetary and Financial Code, as amended, now states that: Undertakings established in France that belong to a financial group or a mixed group that includes credit institutions or investment firms having their registered offices in a Member State of the European Community or in a State party to the Agreement on the European Economic Area or in a State where the agreements referred to in Article L apply shall be required, notwithstanding provisions to the contrary, to send to undertakings belonging to the same group having their registered office in one of these States: ( ) 2 Information necessary for organising the fight against money laundering and the financing of terrorism. The said information may not be disclosed to persons outside of the group, with the exception of the competent authorities of the States referred to in the first paragraph. ( ) The provisions of this Article shall not impede the application of Act of 6 January 1978 on dataprocessing, databases and freedom Report Observatory for Payment Card Security

7 The risks of pooled data being used for unauthorised purposes The implementation of automated data processing routines to improve recognition of payment card fraud patterns is legitimate, but the personal data used for this legitimate purpose could be used for other unauthorised purposes, which might be considered as an offence under Article L of the criminal code that carries a penalty of up to 5 years in prison and a fine of EUR 300,000. The CNIL has noted many occasions where the pooling of fraud data in a business sector can lead to misuse and create individual situations that are very harmful for the persons concerned. In a recent report 9, the CNIL recounted that the pooling of blacklists by business undertakings or certain industry bodies has become increasingly common. The CNIL reminded the managers of all of these lists of the requirements imposed by the Act of 6 January 1978, especially with regard to security and confidentiality. It drew their attention to violations of the principle of proportionality defined by the provisions of Article 5 c of the Council of Europe Convention of 28 January Risk management processing does have social and economic value, but it creates a risk that the persons concerned will be excluded and this risk needs to be monitored very strictly. The CNIL s remarks with regard to blacklists do not apply to the pooling of behavioural data relating to payment card fraud, since the pooled data is not used to create a joint database that centralises fraud data. However, the CNIL told the Observatory about its concerns with regard to the technical possibility that the information gathered to improve statistical tools for fraud analysis could be used to create joint blacklists for bankers with contents that could eventually cover more than just payment fraud. The issue of a database of offences Article 9.1 of the Act of 6 January 1978, as amended, states that automated processing of personal data with regard to offences can only be implemented by the courts, public authorities and corporations managing public services which act within their legal powers. The Constitutional Council s decision of 29 July 2004 repealed one of the provisions (Article 9.3), which gave a private corporation, acting on behalf of other corporations that feel that they have been the victims or are likely to be the victims of criminal acts, the right to gather data relating to offences, sentences or detention orders. The Constitutional Council stated that the repealed 9 «Les listes noires», le fichage des «mauvais payeurs» et des «fraudeurs» au regard de la protection des données personnelles, report adopted at the plenary meeting of 27 March See also Listes noires : suite, in the CNIL s 23rd Activity Report, p Appearing in such databases is also likely to harm the reputation of the persons concerned. Causing such harm is prohibited by the provisions of Article of the Criminal Code, which makes it a crime for anyone who receives personal information when it is being recorded, filed, transmitted or otherwised processed, which, if it was disclosed, would harm the reputation of the person concerned or violate his or her privacy, to disclose this information to a third party who is not entitled to receive it without the authorisation of the person concerned. Observatory for Payment Card Security 2004 Report 39

8 provision was too sweeping and too vague about the safeguards surrounding this type of data processing, which is for example implemented to fight fraud. Under these circumstances, issuers are strictly prohibited, barring any legislative provisions to the contrary 11, from creating joint databases that could contain information about offences 12. Conclusion The Observatory s work, in conjunction with the CNIL, led to the conclusion that the pooling of data on fraudulent behaviour patterns could be done for a legitimate purpose. The practical procedures for the implementation of such data sharing must, however, be compatible with the provisions of the Data Processing and Freedom Act and they must not violate the privacy of the persons concerned. Under these circumstances, the CNIL considers that the anonymisation of personal data would give card issuers the right to implement the pooling of fraud data without its prior authorisation, in accordance with the Act of 6 January 1978, as amended. On the other hand, an application for prior authorisation would be required before implementing any project involving the pooling of non-anonymised personal data, and any data processing system for fraud detection that generates alerts and refuses payments, because of the legal obstacles to the pooling of data in the banking sector, the risk of pooled data being used for unauthorised purposes and the risk of a database of offences being compiled. 11 As is the case, for example, for the fight against the financing of terrorism and money laundering. 12 The Monetary and Financial Code covers various criminal offences relating to payment cards. Article L of the Monetary and Financial Code makes it a criminal offence to conterfeit or forge payment and withdrawal cards, or to use or attempt to use counterfeit or forged cards or to accept payments made using such cards. Furthermore, the Everyday Security Act makes it a criminal offence to manufacture, acquire, hold or provide equipment, data and software that can be used to counterfeit or forge a payment card Report Observatory for Payment Card Security