The ABA's View on Cybersecurity Legislation, Payments
Banks and Mobile Payments
To help mitigate online fraud, the financial industry is pushing for oversight of .bank, just one of many new top-level domains being pitched to the Internet Corporation for Assigned Names and Numbers (ICANN).
For its part, the American Bankers Association, along with the Financial Services Roundtable, has filed an application for oversight of the .bank domain. Doug Johnson, who oversees risk management policy for the ABA, says the ABA and the Roundtable believe if .bank is approved, it should be managed by an unbiased entity or entities with financial-services expertise.
"One of the things which we developed as part of that [DNS application] process was a set of 31 security standards, which we recommended to ICANN," Johnson says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Johnson says those recommendations also call for any other financial top-level domain to adopt the same 31 security standards, which include higher levels of authentication at the domain level.
"Not only do we have higher levels of security, we control who can operate a .bank, as opposed to essentially anybody who can [today] operate a .com," Johnson says.
Johnson says the .bank domain-naming initiative would also give customers greater confidence that the site they're doing business with is legitimate. "That could lend itself toward a higher degree of confidence and security in the overall environment," he says.
During this second half of a two-part interview about emerging financial fraud threats and technology investments, Johnson discusses:
- How regulators and legislators are addressing mobile risks;
- The role banks and credit unions can and should play in mobile payments; and
- Other areas that banking institutions are watching closely, such as the .bank domain-naming initiative.
Johnson currently leads the ABA's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.
Mobile Banking and Payments
TRACY KITTEN: What about the state of mobile banking and mobile payments security? What services are institutions offering and how are they ensuring security?
DOUG JOHNSON: I think that payments are going to be interesting. In the near future, there's going to be increasing pressure for institutions to ensure that they're properly involved in the payments space as it relates to mobile or otherwise. Banks have always been central to the payment system. Even if we weren't central to it from the standpoint of the consumer, we would still be the backbone of that system because behind every payment is some level of the bank accounts if it's not a loaded card. And so the financial institution will always have a central role of some sort within payments, and we desire to continue that.
I think the state of security is such that banks have a tendency to be what I would call "fast followers" as opposed to "early adopters," and I think that's wise because you can have some level of experimentation and I think that to the extent that we learn from that experience before we go "willy-nilly," that's an important component. But I think also other providers of payment services have learned that the most effective payment services are those that have financial services as partners, and financial services are the ones that are going to be building and more mindful about the payment security as part of that component, so I think to the extent that payment processes are built and financial institutions are central to them, the security will be actually baked in the cake. How you ensure it is to continue to adapt to it, and I think that goes back to the risk assessment.
KITTEN: Beyond phishing and malware, what other fraud threats are top of mind among the institutions that you work with?
JOHNSON: I think with some of the larger financial institutions particularly, it's related to both fraud threats and cybersecurity generally because there's a lot of legislative dust in the air - shall we say - associated with cybersecurity-proposed legislation, and a lot of discussion about what portions of the financial services sector should be identified as critical to the financial services infrastructure, and portions of payments obviously are very much among those.
So I think that's top of mind to a lot of large financial institutions: how, as government attempts to build that infrastructure, it relates to our existing infrastructure. What role does the Department of Homeland Security have in terms of protecting the critical infrastructure in concert with our standard financial services regulatory agencies, which we're accustomed to dealing with and that know our industry? How do we have that relationship go forward in a productive fashion?
Now from the community bank standpoint, I think that it's really back to the knitting to some degree, because in some cases it's conventional check fraud and the electronification of checks and the speed with which checks are going through the system, based upon that electronification, that creates some potential fraud and potential losses for those institutions as we essentially go towards same-day clearing. That kind of environment from a community bank standpoint is something they really have their eye on because at the end of the day, particularly for the community bank, check fraud losses - and that would include losses where a check becomes electronic - are still sometimes two to three times greater than what losses might be incurred at the financial institution for a more conventional electronic fraud.
KITTEN: I also wanted to ask about the domain-naming initiative that we've been talking about quite a bit in the industry. What can you tell us about the .bank domain-naming initiative and do you see it helping to curb online fraud?
JOHNSON: I do. As you know, the American Bankers Association in concert with the Financial Services Roundtable filed an application for the .bank top-level domain and we're hopeful that we do get approved to operate that domain on the industry's behalf. One of the things which we developed as part of that process was a set of 31 security standards, which we recommended to ICANN, who is essentially the approver of applications.
We also recommended that any other financial domain contain those standards, and one standard that's within that particular set of recommendations is higher levels of authentication at the domain level. So baked into a .bank domain is going to be a much more difficult ability for fraudsters to phish, saying that they're within the .bank domain, because not only do we have higher levels of security, we control who can operate a .bank as opposed to essentially anybody who can operate a .com. So I think to the extent that a bank customer receives a communication from an institution or goes to a site which has a .bank domain associated with it, they can have a much higher level of expectation that this is not a fraudulent site. So I think that could lend toward a higher degree of confidence and security in the overall environment.
KITTEN: One thing I would like to ask on that note relates to the FBI's takedown of some of these fraudulent sites that were selling credit card information, and I'm wondering if perhaps the .bank domain-naming system might have helped in some of those cases.
JOHNSON: Exactly, to the extent that you've got an environment where a customer is either duped because they believe that's their bank site or determines not to use the service because they're unsure as to whether or not it's the bank site. To the extent that it will be difficult to spoof a .bank site, there can be that higher level of confidence. That doesn't mean that there aren't a tremendous number of other externalities outside of .bank, but there's still going to be a challenge for the domain space generally, but I think to the extent that we narrow and build a community of financial institutions operating in .bank that have higher levels of security, it can to some degree counteract what you just discussed.
KITTEN: Before we close, I wanted to ask what the ABA is doing to help financial institutions fight fraud, and what other risk management issues do you see as being top concerns?
JOHNSON: In terms of what ABA's core business is, I think that our ability to really serve the entire industry is extremely important. We have working groups and discussion groups and committees of large financial institutions as well as small institutions, community-based institutions, and in some cases both in the same committees. I think it's through that active conversation about what the big banks are seeing as it relates to fraud, which ultimately would end up in the community bank as well, because it might show up in the large financial institution first.
I think one of the core things that ABA does that I'm very proud of is really providing the mechanism for that sharing and I think that's particularly true of our area here at ABA, the risk management policy area, where we're responsible for really making sure that the information chain exists and that the community banks are aware of the threats that others are seeing, so that's central.
And of course, partnering with organizations like the FS-ISAC and being very supportive of ensuring that financial institutions have the ability to directly link to the ISAC and get that threat information I think is another core piece of what we do as well. I think that also, to the extent that we see new threats such as corporate account takeover, now that's not new but I think it's an example of something which once we saw it starting to occur we started to build tools in concert with the ISAC in terms of giving both the customer as well as the bank the kinds of resources to help them protect themselves and give them some recommendations in terms of what's effective and what's not effective and asking institutions themselves what they found as effective. I think providing that mechanism to do that and then pushing out the information so the entire community can work and benefit from it is really core to what we do.
Risk Management Issues
There are always new risks, and in terms of what risk management issues are top concerns, one of the things that I found very interesting is we were discussing a survey of that group that was talking about enterprise risk management. This group is comprised of a wide cross section of community banks from about a half a billion, maybe less than a half a billion, to about six billion. There was hesitancy among institutions to say that they had an enterprise risk management program in place, but if you talk to them about it they actually to some degree did. But there was some lack of really looking across the enterprise from the standpoint of how the key risk indicators are related to that institution. How are they devised? Are they consistently devised? How are they presented to the board? Are they reported to the board?
I think that one of the things that all institutions struggle with is that whole process. How do we build an organization that on an enterprise-wide basis understands what the key risks are and has great measurement of those risks, whether or not they be a risk in the electronic environment or otherwise. My advice is no matter what size your institution is, really take that temperature of what the key risk issues are across the entire institution and have some mechanism to report those on an enterprise basis. You don't have to call it enterprise risk management, but you can essentially do the same thing regardless of what size institution you are and that's the conclusion really that the group came to yesterday that was having that conversation.
KITTEN: Why would they be hesitant to call it enterprise-wide?
JOHNSON: Well, it's the "E" word. I think that some institutions, when they think of ERM [enterprise risk management], they think big bank and they think there are certain things that come with that that are very big bank-centric, and so I think it's mostly just semantics frankly. I think that any size institution can build a culture to really have that kind of enterprise risk management approach, regardless of what you call it.