I paid little attention when news broke on the April 1 announcement by the marketing services firm Epsilon that a subset of their clients' data—e-mail addresses and names—was compromised. However, my interest in the story grew as I began receiving numerous e-mails from various financial institutions and merchants letting me know that my name and e-mail address, which I voluntarily supplied to them at some time, were part of the compromise. Unbeknownst to me, these companies had provided my data to Epsilon for marketing services.
Perhaps if I had taken the time to read the service agreements and privacy notices from these companies, I would have been more aware that my data might be shared with a third party. But in today's digital and mobile world that's all about speed and convenience, does anyone really take the time to read these privacy notices before submitting personal information? And I have to think that for most people, the e-mails and snail mail about changes to privacy policies that seem to come on a monthly basis from various companies quickly find their way unread into the trash. Do current bank-enabled P2P offerings present data compromise risks for customers and are banks offering other P2P alternatives that offer convenience without the potential risks?
The current bank-enabled P2P environment
The Epsilon data compromise comes on the heels of my recent experience with two different bank-enabled P2P products that caught me by surprise with the amount of personally identifiable information (PII) required for a transaction. In one experience, all I had to do was enter the recipient's e-mail address. But when the recipient received notice of the payment, she had to enter her name, address, telephone number, e-mail address, and bank routing and account numbers as well as agree to the terms of service and privacy policy of the institution in order to receive the funds.
In the other experience, I was required to enter the recipient's PII before actually initiating the payment. For this provider, depending on the type of transfer being conducted, I might also have had to include a passport/driver license number or a Social Security number. Because my recipient banked with a different institution than I do, she had to authenticate the account by entering her online banking username or Social Security number and password and finally agree to the terms of the service and privacy policy of the institution.
In light of the Epsilon data compromise, it seems only fair for consumers to be fearful about the amount of personal (and highly sensitive) information they hand over to financial institutions to complete a P2P transaction. These institutions could potentially share this data with third parties that provide P2P services for banks or with companies that provide marketing services—such as Epsilon. Once a consumer provides information to the bank, he or she does not necessarily know how much of the data is shared and with whom it is shared. This person is left in the dark about who actually has access to PII and the corresponding privacy and security policies of those companies.
Are today's bank-enabled P2P services solid replacements for cash and checks?
Based on my two recent experiences with these bank-enabled P2P solutions, their value—even ignoring the cost of the service—appears to be small for one-time, small-dollar payments between individuals. The idea of bank-enabled P2P payments may be cool and trendy. However, the amount of information the sender’s bank requires about the receiver to complete the transaction not only is time-consuming to enter but also presents risk issues that outweigh any perceived benefits, especially for the recipient.
Perhaps banks are realizing the challenges behind P2P services for small value, one-time payments given the recent proliferation of banks offering an alternative to traditional check depositing, remote deposit image capture (RDIC), which is potentially simpler and less risky for the consumer than banks' current P2P offerings.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed