As part of our Payments Spotlight podcast series, we recently sat down with Will Roberds to discuss the economic theory behind payments risk and data security. Roberds is a research economist and senior policy adviser at the Federal Reserve Bank of Atlanta. His research spans a range of payments topics, and we discussed two recent papers on risk management in emerging payments and the causes of data breaches.
The externalities of personal data collection
According to Roberds, personal data collection creates some externalities in the normal course of enabling consumer payments. Briefly, an externality is an unintended side effect of a transaction imposed on those who are not party to the transaction. An example of a positive externality is when your neighbors plant a rose garden for their own benefit, but you also benefit because you enjoy the fragrance of the flowers whenever you walk by their yard.
Resources
- Understanding risk management in emerging retail payments; Michele Braun, James McAndrews, William Roberds, and Richard Sullivan; September 2008
- Data breaches and identity theft; William Roberds and Stacey Schreft; September 2008
Roberds said that banks and other service providers create a negative externality whenever they verify payer identities by collecting personal data. He warned that "as more and more of that data is assembled and it becomes more and more extensive, it becomes a riper target for theft by talented individuals who are able to access that data, use that data to construct pseudo-identities that allow them to illegitimately purchase goods and services, and thereby impose costs on everyone else who's working within the credit system."
Roberds explained that excessive data collection is continuing to happen "because there are so many entities out there in the economy right now collecting this data, it's difficult for them to coordinate on the right level of personal data collection and to make the right decision about how much data and how much security effort should be expended to preserve the privacy of that data."
Security as a weakest-link public good
The security of payments data often functions as a weakest-link public good. Roberds noted that "a lot of times the level of security is not related to the total amount of effort or cost that's put forth in protecting and keeping that data secure. Instead, it follows a weakest link, or lowest-point rule, meaning that the data is only as secure as the weakest place within the system that's using it in terms of its security and its ability to be breached by hackers and other malefactors." Total security, therefore, depends on those players who have the least to lose in the event of a data breach, or who are the least savvy in implementing security. Oftentimes, emerging payments companies have both less risk management experience and less to lose than more established players.
A self-policed marketplace, for now
Economic theory illustrates how excessive data collection and insufficient risk mitigation can result from mismatched incentives. Nevertheless, the U.S. payments industry has been fairly effective at managing these risks with market mechanisms. Pricing is one tool. Riskier payments are often more expensive. For example, part of the reason credit cards cost more for merchants to accept than debit cards is that credit cards have higher fraud incidence. Insurance is another tool for managing risk. Card issuers guarantee that merchants will be paid when they accept a card, thereby increasing issuers' incentives to decrease the credit risk of their cardholders.
The industry also manages risk through self-regulation. Card network rules, for example, ensure that merchants follow certain standards or risk losing the right to accept cards. Private contracts may require that participants meet industry standards like PCI-DSS or face increased liability for losses.
Sometimes the market may not be able to ensure cooperation. In such cases, there may be a role for regulatory intervention. Well-designed regulations can support industry efforts to coordinate risk management and enforce standards. Recent attempts to implement a national data breach law are one example. Rich Oliver, executive VP at the Atlanta Fed and director of the Retail Payments Risk Forum, has previously suggested in this space that there may also be a public policy role in prompting the U.S. payments industry to move to the global EMV standard. Despite the generally robust market response to risks in the payments industry, government intervention is appropriate when the market fails. In those cases, regulators and industry should cooperate to ensure that policy minimizes unintended consequences while supporting innovation and efficiency.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed