This week, we have a special guest blogger: Richard Oliver, an executive vice president with the Federal Reserve Bank of Atlanta. Oliver was a pioneer in electronic payments, working on a Fed system project with the U.S. Treasury to develop direct deposit. He was also instrumental in the Atlanta Fed becoming the second automated clearinghouse (ACH) operation in the United States. Since 1998 he has served as retail payments product manager for the Federal Reserve System. In this capacity, he has responsibility for managing the Fed's check and ACH businesses nationwide.

Richard OliverAs we look forward to a slow but steady emergence of the banking industry from the current financial firestorm, the question arises as to how investments in the payment system will fare. More specifically, will banks and other payment system players secure funding for initiatives critical to mitigating payment fraud and risk?

Experiences gained from previous economic crises have reshaped individual and corporate attitudes and practices. Certainly, the folks who experienced the Great Depression turned into a generation of savers, conservative spenders, and cautious borrowers. Recent discussions with payment leaders have given rise to the possibility that conservative spending habits may be with us for some time. These habits may be manifested in restricted, prioritized spending on payment initiatives in general and fraud and risk mitigation efforts more specifically.

Given the already narrowing margins in retail payment profits, coupled with enterprisewide scrutiny of expenses across business silos, it is likely that payment organizations will have to prioritize spending in ways not typical of the last decade of innovation and constant change. These limitations will create choices concerning which investments are mandatory and which are discretionary. Investments in initiatives directed at data security and fraud detection might take a back seat to investments in relieving the pent-up demand for maintenance and enhancements of core payment and settlement systems or investments in exciting new technology.

In an ideal world, focused and well-reasoned business case analysis would dictate the priority of spending. My personal experience, however, has revealed that investments in fraud reduction, data security, etc., face an uphill battle when competing for scarce dollars. This phenomenon stems from three major factors.

First, there is always a perception that risk/fraud expenditures are discretionary. It remains to be seen if the staggering cost of poor risk management that led to the financial crisis, coupled with the everyday visibility of fraud schemes, will help shed the discretionary label. Discretion, by the way, not only involves expenditures on new artificial intelligence software or high-tech encryption devices; it also involves more subtle decisions about the number of staff authorized to monitor systems, notify customers of breaches, and research problems. After all, the risks involved in past lending and investment practice that were at the heart of the financial crisis largely involved "payment" of obligations and not "payments."

Second, to do effective business case analysis, good data must be present. It is not at all clear whether banks and other payment providers have transparent and reliable systems in place to detect, measure, and categorize fraud in a way that allows its financial impacts to be estimated. Certainly, banks have historically been reluctant to share such data externally. Further, do banks have in place systems that can collect and allocate fraud management costs in such a way as to complete a meaningful cost-benefit analysis? Without good data, business case analysis becomes an art, not a science. Clearly, for bad actors fraud is their core business; there is no business case to explore and no budget committee to satisfy. In fact, their pursuits are recession proof.

Finally, investments are about the future, not the past. My personal experience in this area is that the past is a poor predictor of the future. In that light, how does an organization forecast likely trends in fraud losses? Is the past a good predictor of the future? Can recent trends such as the reduction of unauthorized activity in the ACH network reasonably be extrapolated, or will the fraudsters simply move to another payment channel where controls are weaker? More importantly, will new technology help bad actors commit fraud more easily or help banks do a better job of detecting and preventing fraud? Should the business case for the future depend on average industry trend data or should it protect against "the big one," the major incident that culminates in a $100 million–$200 million loss? Answers to these questions will ultimately separate the prepared from the unprepared.

Regardless of the answers to these perpetually difficult questions, most of which will stem from core experiences and individual philosophies, one thing is certain in the wake of our recent experience: Reputation is more important than ever. Positive reputations are difficult to build, hard to maintain, easy to lose, and even harder to reclaim. The value placed on reputation must be carefully considered by senior decision makers in setting the course for the future.