July 2012, The World Bank. Acknowledgements: The preparation of this paper was led by the Financial Inclusion Practice of the World Bank. Lead author is ...
Guideline 3. Effective oversight of retail payment systems by the central bank is crucial to balance cooperation and competition issues.
• Effective payment system oversight is the tool authorities have to address market and coordination failures and to achieve an appropriate balance between cooperation and competition in the National Payments System. In particular, the overseer plays the role of a central agent who is best placed to solve the coordination problems that typically plague multi-agent decision contexts: mobilizing efforts from individual participants, prompting them to act collectively when circumstances so require, and facilitating the development of private sector institutions equipped to deal with these problems.
• Central banks are the natural overseers of payment systems and should persuade themselves (or be persuaded) to play a central role, given their stake in confidence in money and in the functioning of commerce and the economy in general.
• Other authorities might have an important role, as well, due to multiple implications of retail markets (e.g., competition authorities, financial supervisors, Ministries of Finance, etc.). The central bank, as primary oversight authority, should ensure all public policy goals are aligned.
• The scope of the oversight function should extend over the totality of the payment arrangements to ensure that new instruments and players (such as non-bank financial institutions and non-financial service providers) are appropriately covered.
• There is a broad range of oversight instruments, ranging from regulations and incentives (including those on access and pricing) to moral suasion and policy dialogue, from antitrust enforcement to structural measures (e.g., government-owned service provision).
Guideline 4. Institutional mechanisms to promote cooperation and information sharing are essential.
• Policy-making is complex due to the institutional fragmentation of the relevant policy makers as well as the different, and sometimes overlapping, scope of their mandates.
• Sometimes authorities have already established cooperative arrangements, but normally with a narrow scope that has to be broadened; at other times these arrangements are nonexistent and need to be established.
• In particular, it is essential to develop a good cooperative framework between the overseer and the anti-trust agencies that rule against uncompetitive behavior.
Guideline V: Retail payments should be supported by appropriate governance and risk management practices.
Description Good governance arrangements provide incentives for an organization's top management to pursue the long-term interests of the organization, such as continued growth, increased coverage, profitability (where applicable), and overall viability.
Payment system operators and other infrastructure services providers should be subject to mechanisms of accountability and independent oversight, including independent audits, to ensure they are pursuing such long-term interests.
All economic activities face a variety of risks, and it is the role of management to determine whether the identified risks should be avoided, accepted, shared or transferred to third parties. Major risks in operating and using payment instruments and
• Systemic risks, arising from linkages between the various national payments system components and international payment systems.
• Legal risks (e.g. the legal framework not supporting some common practices, or inadequate or erroneous compliance with the applicable legal and regulatory framework).
• Settlement risks, arising from liquidity or credit risk problems of the participants.
• Business risks, arising from the general operation and administration of the various participants in the retail payment systems.
• Operational risks, i.e. issues related to the operational reliability of the various participants and infrastructures, including fraud, data theft, or the use of retail payments for unlawful activities such as money laundering or the financing of terrorism.
Management will need to establish internal controls to mitigate the risks it decides to accept.
Risks specific to payment cards Payment card infrastructures are for the most part globalized infrastructures and by far the most fraud-prone, but they also have the most advanced fraud risk management mechanisms. Counterfeit risk is a significant risk; however, technology to address it is available. Typically, a payment card transaction involves an exchange of information about the card being used for payment, read from the card's magnetic stripe or entered manually by the payer. This information is static throughout the life of the card. It can be compromised at the point of transaction, in transit, at any intermediary processing system, at the issuer's processing system, or by physically copying the card or extracting card information from the cardholder through social engineering attacks such as phishing and vishing. A card prepared using this compromised information is called a counterfeit card. A counterfeit card can be used successfully to complete a transaction if it manages to evade the risk detection systems at the various levels, for example:
• Physical inspection of the card to verify the presence of standard physical security features such as hologram stickers, issuer-specific information, name of the cardholder, etc.;
• Fraud detection at the acquirer, network operators and issuers, using advanced fraud detection software often based on neural networks; and
• Strong authentication mechanisms such as a PIN or two-factor authentication for Internet and offline transactions.78
In other cases the risk mitigation mechanism includes using a chip in the card to create dynamic data that varies from transaction to transaction, hence making compromised information unusable. Box 8 describes a recent initiative by the payment card industry to create a data security standard for payment cards.
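The contrast drawn above, between static stripe data that stays valid for the life of the card and chip-generated data that changes per transaction, is illustrated by the following toy model. It is an added example, not EMV and not any issuer's or card scheme's code; the card record, the per-card key and the issuer's counter check are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample card; the PAN is a well-known test number, not a real account.
CARD = {"pan": "4111111111111111", "expiry": "1225", "service_code": "201"}
CARD_KEY = b"constructed-per-card-issuer-key"  # assumed issuer-side secret

def static_track(card):
    """Magnetic-stripe style data: identical on every transaction."""
    return f"{card['pan']}={card['expiry']}{card['service_code']}"

def static_authorize(presented, card):
    """Static model: the issuer can only check that the presented data matches
    its record, so data captured once is accepted on every later presentment."""
    return presented == static_track(card)

def chip_cryptogram(key, pan, atc, amount, unpredictable):
    """Chip-style dynamic data: a MAC over the card's transaction counter (ATC)
    and the terminal's unpredictable number, so it differs every transaction."""
    msg = f"{pan}|{atc}|{amount}|{unpredictable}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, key):
        self.key = key
        self.last_atc = 0  # highest counter accepted so far

    def authorize(self, pan, atc, amount, unpredictable, cryptogram):
        if atc <= self.last_atc:  # counter reused: a replayed transaction
            return False
        expected = chip_cryptogram(self.key, pan, atc, amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):  # no card key, no valid MAC
            return False
        self.last_atc = atc
        return True

def demo():
    """Returns (static replay accepted, genuine chip txn accepted,
    chip replay accepted, chip forgery accepted)."""
    static_replay_ok = static_authorize(static_track(CARD), CARD)
    issuer = Issuer(CARD_KEY)
    nonce = secrets.token_hex(4)
    crypt = chip_cryptogram(CARD_KEY, CARD["pan"], 1, "20.00", nonce)
    genuine_ok = issuer.authorize(CARD["pan"], 1, "20.00", nonce, crypt)
    # Same observed (ATC, nonce, cryptogram) presented again: counter already used.
    replay_ok = issuer.authorize(CARD["pan"], 1, "20.00", nonce, crypt)
    # Fresh counter and nonce but the old cryptogram: cannot recompute without the key.
    forged_ok = issuer.authorize(CARD["pan"], 2, "20.00", secrets.token_hex(4), crypt)
    return static_replay_ok, genuine_ok, replay_ok, forged_ok
```

Running `demo()` returns `(True, True, False, False)`: the static check accepts copied data indefinitely, while the counter and MAC together reject both the replayed and the recomputed attempt.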
§ Box 10: The Payment Cards Industry Security Standards Council The Payment Card Industry (PCI) Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements—all created to mitigate data breaches and prevent payment cardholder data fraud.
The PCI Security Standards Council operates a number of programs to train, test, and certify organizations and individuals to assess and validate adherence to PCI Security Standards.
The Council's five founding global payment brands—American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.—have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.
Each founding member also recognizes the organizations and individuals certified by the PCI Security Standards Council.
All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.
Other industry stakeholders are encouraged to join the Council as Participating Organizations and review proposed additions or modifications to the standards.
The enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council.
§ The information in this Box has been adapted from the website of the PCI Security Standards Council: https://www.pcisecuritystandards.org/index.php
Identity theft is also a significant risk for payment cards. Data on the cardholder can be extracted and used either to redirect a replacement card or to apply for a fresh card, which can then be used to conduct fraudulent transactions.
Risks specific to EFT-based products EFT payment instructions can be delivered through a variety of channels: walk-in to a branch, phone, Internet, ATM, mobile phones, and kiosks. Except for walk-in to a branch, all other channels are non-face-to-face and hence are exposed to typical authentication, social engineering, and data security risks.
78 3D-Secure is an authentication protocol that enables multi-factor authentication for card payments where the acquirer and issuer are not the same institution.
Since the respective financial institution manages these channels, a range of risk mitigation measures can be deployed. However, where the payer or payee uses the Internet, the computing device is generally outside the control of the financial institution and can be exposed to standard Internet virus-, Trojan- and bot-based attacks. These attacks could harvest the authentication information used by the payer or payee and use it to generate fraudulent transactions. These risks are to a large extent mitigated by two-factor authentication, by requiring prior registration of beneficiaries (which could require stringent offline verification), by fraud detection systems that detect abnormal transaction patterns, and by providing customers with robust transaction alerts.
EFT transactions are also exposed to data entry errors, since the transaction initiator has to provide the beneficiary's account details (account number, name, branch, bank name, country, etc.) and the transaction amount. Any error in these could result in the transaction being misdirected. These risks are mitigated by: requiring prior registration of beneficiaries to reduce the potential for errors; reducing the number of data entries required by providing bank names, routing codes, etc. as standard drop-down lists; educating transaction initiators to exercise caution, and requiring confirmation before executing the transaction; providing a cooling-off period that allows the initiating institution to retract the transaction; and, finally, using robust fraud detection and transaction alert systems.
Risks specific to innovative payment schemes Innovative payment mechanisms are basically exposed to many of the same risks as payment cards and traditional EFT-based products, and probably have a heightened exposure to money laundering and terrorist financing risks. For example, the Financial Action Task Force (FATF) in its recent report identifies anonymity, high negotiability and utility of funds, as well as global access to cash, as some of the major factors that can add to the attractiveness of innovative payment schemes for money launderers.79 Anonymity can be reached either "directly", by making use of truly anonymous products (i.e., without any customer identification), or "indirectly", by abusing personalized products (i.e., circumventing verification measures by using fake or stolen identities, or using straw men or nominees).
Additionally, as many of the innovative mechanisms are operated by non-banking entities, their supervision might not be as rigorous. Moreover, these schemes might not have other protection measures such as deposit insurance or the operator's ability to access short-term funding to mitigate settlement risks. Figure 6, compiled from the responses to the Global Payment Systems Survey 2010 (see that survey's annex on retail payments innovations), shows the percentage of innovative products/product groups that were reported to have full protection of consumer funds.
Figure 6: Protection of Customer Funds in Innovative Payment Products (Source: GPSS 2010)
Possible Actions Ensure that infrastructure operators and payment service providers have appropriate governance structures and mechanisms. These mechanisms should provide for proper accountability of management and, where applicable, of board members, and should include independent audits or reviews. Moreover, governance arrangements should ensure appropriate identification and management of risks through a system of sound internal controls and risk management mechanisms.
In consultation with industry players, the central bank can develop risk management guidelines covering key areas. These may include data security and privacy standards, authentication standards, settlement risk, incident reporting, protection of IT and networking systems, data back-up, retention and business continuity procedures, disaster recovery planning, and anti-money laundering and combating the financing of terrorism (AML/CFT) procedures.80 Requiring industry players to demonstrate compliance through an independent assessment can enforce compliance with these standards and guidelines.
Fraud prevention is an area where collaboration among all industry players is particularly important. The central bank and industry players can jointly create mechanisms to exchange information about fraudulent incidents and best practices, and also develop a common repository of previous incidents to serve as a reference against which future transactions or new applications can be cross-checked to aid decision-making.
There are well-developed international standards for most of these aspects, especially in the data security, IT security, and authentication areas.
Guideline VI: Public authorities should exercise effective oversight over the retail payments market and consider direct interventions where appropriate.
Description In general terms, the payment system oversight function aims to ensure that the infrastructure and the market for payment services:
• Work smoothly, efficiently, and fairly for all participants and users;
• Pursue the level of technological and institutional development necessary to satisfy the payment needs of a growing and open economy; and
• Minimize the risk of transmitting shocks across the economy.
As discussed throughout this document, some of the key foundations for exercising oversight over retail payment systems include the existence of market failures (e.g. externalities, information asymmetries, and non-contestable markets, among others), coordination failures among stakeholders, and the existence of dominant positions due to, among other reasons, the "natural monopoly" feature of the infrastructures supporting retail payment services.