Who's to Stand in for Mom?

About

Take On Payments, a blog sponsored by the Payments Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

Disclaimer

Subscribe by E-mail

Subscribe by RSS

Who's to Stand in for Mom?

You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.

Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.

To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?

Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:

The concept of CDD begins with verifying the customer's identity….
The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
CDD policies, procedures, and processes are critical to the bank because they can aid in:

Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
Adher(ing) to safe and sound banking practices….
Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.

The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

Take On Payments

About

Who's to Stand in for Mom?

Take On Payments Search

Recent Posts

Categories