Payments Security: Public and Private Regulation Federal Reserve Bank of Kansas City

Similar documents
Thank you very much for inviting me to respond to a really interesting

Internet Banking Authentication Guidance is Out

ID Fraud & Law Reform

Industry Update & New Rules. Stephanie Schrickel, AAP Director, emarketing EastPay. All Rights Reserved 1 EASTPAY

Identifying Key Risk Indicator

General Discussion The Economics of Retail Payments Security

Know Your Customer & Know Your Customer s Customers (KYCC) BITS ACH Fraud Risk Subgroup Presented by George Thomas November 19, 2008

THIRD PARTY PAYMENT PROVIDERS

(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data;

Understanding & Managing Third Party Relationships in the ACH Network. PAYMENTS 2008 May 18, 2008 Las Vegas, NV

TERMINAL CONTROL MEASURES

Data Security in the Evolving Payments Ecosystem

Selecting a Secure and Compliant Prepaid Reloadable Card Program

Top Ten Fraud Risks That Impact Your Financial Institution. Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC.

Oligopoly. Oligopoly is a market structure in which the number of sellers is small.

Who s next after TalkTalk?

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

A Cautionary Tale Plus Cross-Channel Risk

IT04 UO ACH Security Policy

Credit, Debit, or ACH: Consequences & Liabilities A Comparison of the Differences in Consumer Liabilities

Fraud Protection, You and Your Bank

Helping to protect your business and your customers in the event of a data breach

Credit vs. Debit: The Network Perspective

Incentives for Communications Security Nico van Eijk. Berkman/IViR Rondtable, 18 April 2014

Payments Fraud: It's Not Fun & Games

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Capital Policy and Safeguards Statement for Merchant Acquirer Limited Purpose Banks

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

Target Security Breach

MAINE DATA BREACH STUDY Pursuant to Resolve 2007, Chapter 152

Sustainable Compliance: A System for Ongoing Audit Readiness

ACH Welcome Kit. Rev. 10/2014. Member FDIC Page 1 of 8

MEMO/09/143. General What are interchange fees? Brussels, 1 st April 2009

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Direct Business & Direct Business Plus Internet Banking

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

The FACT Act: An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies

Payment Card Industry Data Security Standards

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

CYBER LIABILITY AND PRIVACY CRISIS MANAGEMENT EXPENSE APPLICATION

This presentation was originally given by:

U.S. Mobile Payments Landscape NCSL Legislative Summit 2013

ACH Internal Control Questionnaire

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

what your business needs to do about the new HIPAA rules

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Third-Party Senders Risks and Best Practices

credit card Conditions of Use

2015 NACHA Rules, Same Day ACH and Regulation E Changes

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

STANDARD SERIES GLI-18: Promotional Systems in Casinos. Version: 2.1

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

360 Federal Credit Union Reloadable Prepaid Card Terms and Conditions

Intelligent Vendor Risk Management

GDPR & Service Providers ( Cloud Focus )

Application Security in the Software Development Lifecycle

Reloadable Visa Debit Card. These are your Reloadable Visa Debit Card Terms and Conditions.

Don t be tomorrow s headline: Protect and secure payment information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

51ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, 2014

FUTURE PLANS OF BROADBAND SERVICE PROVIDERS. Ganson Lewela Head of Regulatory Airtel Networks Kenya Ltd. CTO Forum 14 th 16 th Sep 2015

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

OVERVIEW OF MOBILE PAYMENT LANDSCAPE

OVERVIEW OF MOBILE PAYMENT LANDSCAPE Marianne Crowe Federal Reserve Bank of Boston NEACH September 10, 2014

Third Party Risk Management Basics. Webinar. 26 February 2015

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Cloud Computing: Legal Risks and Best Practices

The Economics of Retail Payments Security

Managing your community bank s ACH and demand draft risk By George F. Thomas

New Challenges in Card Optimization: Security, Payments, Receivables

T s And C s. On 28 May 2015, Kiwibank will be changing its Credit Card Terms and Conditions. View the new Credit Card Terms and Conditions here

Insights into Potential RDC Litigation Legal Issues and Reasonable Commercial Standards

Franchise Data Compromise Trends and Cardholder. December, 2010

Dartmouth College Merchant Credit Card Policy for Processors

DRAFT. Six Recommendations to MasterCard and Visa to Improve Credit and Debit Cardholder Security. Presented by

Risk Management of Outsourced Technology Services. November 28, 2000

Claim notification form (PL1)

Whitepaper. Best Practices for Securing Your Backup Data. BOSaNOVA Phone: Web:

Key Topics in Mobile Payments. Marianne Crowe Federal Reserve Bank of Boston m-enabling Summit June 10, 2014

Payment Card Industry Data Security Standards

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data security: A growing liability threat

Better Late Than Never: NDRC Publishes Full Decisions on Zhejiang Car Insurance Cartel Case Analysis of NDRC s Antitrust Law Enforcement Approach

May 14, Statement for the Record. On behalf of the. American Bankers Association. Consumer Bankers Association

NACHA and the ACH Network: What You May Not Know

Visa Student Card Terms and Conditions. These are your Student Card Terms and Conditions.

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

Payment Card Industry Data Security Standards

Executive Fraud Forum October 30, 2013

Did security go out the door with your mobile workforce? Help protect your data and brand, and maintain compliance from the outside

White Paper on Dodd Frank Section 1073 Cross-border Remittance Transfers (Version 3.0, September 2013)

Brown Smith Wallace, LLC

360 Degrees: Regulating Payday Lending from All Angles By Christopher Dye, Senior Compliance Counsel, Harland Financial Solutions

7. You agree to grant MCB a security interest in all your property in our possession to secure payment of your obligations under this Addendum.

A comparison of the Risk Equalization systems and the policy context of 5 European countries

Transcription:

Payments Security: Public and Private Regulation Federal Reserve Bank of Kansas City Prof. Adam J. Levitin Georgetown University Law Center June 25, 2015

Game Theory Assumptions Knowledge assumption Parties know outcome values Causative assumption Game outcomes drive choice Bilateral game assumption Only 2 parties involved in game No spillover effects Binary choice assumption Choice is cooperate or not No other alternatives 1

Knowledge Assumption Game theory assumes players know outcome values. Static model, but dynamic world in which outcomes change. Immediate costs vs. unclear benefit. 2

Causative Assumption Game theory assumes that players act based on expected game outcomes. Usually this is expressed as a rationality assumption. But security is not a stand-alone product. Part of a bundle of features in a payment system. FIs, Merchants, and Consumers choose rationally, but based on total bundle of features. There isn t a security game. 3

Bilateral Game Assumption Game theory usually models 2-player games. Multi-player models are harder to model. Stable Nash equilibrium is guaranteed possible if no coalitions But payments security is often a multi-player game. Game theory does not model third-party externalities (spillover costs/benefits to nonplayers). E.g., data breach at merchant 1 results in fraud losses for merchant 2, 3, & 4 and at banks X, Y, and Z. 4

Binary Choice Assumption Game theory often assumes a binary choice: cooperate or not. But real life is not binary choice. Alternative to cooperating in game 1 is to cooperate in game 2, 3, 4, etc. Much harder to model universe with multiple simultaneous games (additivity problem). 5

Implications of Game Theoretic Limits Knowledge assumption Need for data Causative assumption Need for competitive markets to achieve efficient outcome. Bilateral game assumption Need for fair markets (no uncompensated spillover effects) Binary choice assumption Need for competitive markets to achieve efficient outcome. 6

Key Payments Security Policy Goals 1. Data Helps achieve efficient outcomes. Facilitates primary actors choices Facilitates secondary risk markets 2. Competitive markets Ensures payments security rules are set based on security outcomes, not other considerations, like growth. 3. Fairness Prevent or mitigate negative spillover effects. 7

How to Achieve Payment Security Policy Goals? Three major approaches are currently used. Private ordering (contract) Hard regulation (rulemaking) Soft regulation (nudges & policing) Different approaches appear in different contexts. Security rules Fraud loss prevention/mitigation rules Fraud loss allocation rules 8

Soft Public Ordering Convening/coordination role Government as neutral convener (FPTF, SPTF, MPIW) Data collection Enables empirical research Enables secondary and insurance markets Definitional and standard-setting function Regulatory guidance Formally non-binding regulatory instruction But functionally followed Antitrust enforcement Case specific, but improves private ordering overall Provision of public options that frame competition. Fed s role as operator for ACH and check clearing 9

Security Rules Set by private contract only. Single-system rules (network rules) Collaborative standards (e.g., PCI) But AML, national security, and reputational concerns lurk. Soft regulatory pressures 10

Fraud Loss Prevention & Mitigation Rules LP&M rules are set by command & control public law. State data breach notification laws. LP&M rules also function as a type of loss allocation rule, in that they impose costly duties on certain parties. Unclear if costs outweigh losses averted. If costs > losses averted, then LP&M rules function as a penalty. 11

Fraud Loss Allocation Rules Fraud loss allocation rules shape incentives for adopting security rules. Fraud loss allocation rules are set in part by private contract and in part by public law. Private ordering (contract) Network rules for credit, debit, ACH Bilateral checking rule arrangements Public law ( hard regulation) Checking system (UCC Art. 4) Consumer liability rules for all systems 12

Consumer Unauthorized Transaction Liability Rules Consumer liability rules combine public law and private ordering. Public law TILA/Reg Z; EFTA/Reg E; UCC Article 4 Private ordering Various network rules (incl. zero liability policies) Consumer liability rules are inconsistent across systems. Some systems have capped strict liability or contributory negligence liability. Generally, however, consumers have little or no liability for unauthorized transactions. Protects players with the least market power. 13

Inconsistent Consumer Liability Rules System Law Consumer Liability for Unauthorized Transaction Credit TILA/Reg Z Strict liability, but capped at $50. Debit ACH EFTA/Reg E EFTA/Reg E + NACHA Rules Strict liability, but capped at $50, unless consumer was negligent, then $500 or unlimited. No consumer liability. Checks UCC Art. 4 No liability unless negligent. Cash Common law Unlimited liability.

Unintended Consequences of Hard Regulation Often, faster payments = less secure payments e.g., single-factor authentication; unencrypted data. Some merchants want faster payments to increase sales. Consumers are willing to use less secure payment methods because they do not usually bear fraud losses. Full costs of faster, less secure payments are not internalized by merchants who use them. Security lapse at one merchant can cause losses for other merchants and banks. Conditions consumers to expect faster/easier payments; harder for slower systems to compete. 15

Imperfect Solutions Solution 1: Increase consumer unauthorized transaction liability for less-safe systems. Incentivizes consumers to demand safety. But works only if consumers end up actually liable. Not worthwhile for small dollar transactions Network zero liability policies force subsidization of consumers by banks & merchants. Doesn t fully internalize spillovers. Politically difficult. Solution 2: Minimum mandatory standards across systems. E.g., mandatory two-factor authentication or encryption. Prevents uncompensated externalities. Cf. minimum product safety or environmental regulations. But what should these standards be? How detailed? And who should set them? 16

Private vs. Public Tradeoffs Private Ordering Public Ordering Responsive? More Less Expertise? More Less Accounts for Externalities? Transparent & Open Process? No Less Potentially More Other Influences? Market power Politics 17

Payment Security Policy Agenda Data Collection Need data collection in standardized forms Enables market discipline in primary markets Facilitates secondary risk markets (insurance, derivatives, securitization) Enables better policy making Antitrust Socially optimal security choices require competitive markets. But natural monopoly problem because of network effects Mobile ecosystem exacerbates competition problems. Antitrust enforcement is an imperfect policy tool. Reduce Externalities Mandatory liability rules to incentivize care and reduce spillovers? Minimum mandatory standards to reduce spillover effects? Risks of intended consequences. 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information