One of the more interesting elements added late in the game to the Durbin amendment was the language added around card-related fraud costs. This has led to much speculation about what this might mean for various anti-fraud technologies (e.g., EMV in the US, a mandate for 3-D Secure for online ecommerce, etc.) as the Fed considers whether and how to get into this new arena of regulatory activity.
Earlier today, a colleague drew my attention back to a paper by Richard J. Sullivan of the Federal Reserve Bank of Kansas City that was published in a recent edition of the bank’s quarterly Economic Review. His concluding paragraph caught my eye:
“To guard against excessive fraud losses and to ensure confidence in card payments, policymakers need to monitor developments in card payment security. First, will card payment security continue to evolve without the benefit of industry-wide statistics on the level and sources of fraud losses? These statistics would help to determine whether the in- dustry continues to tolerate a relatively high rate of fraud. Second, will the card payment industry move toward more coordination of security efforts? Such coordinated efforts have been successful in the Automated Clearing House system, another electronic payment system that has grown rapidly in recent years (Braun and others). If not, policymakers might consider a more active role to help the payments industry over- come barriers to effective coordination of security development.”
Let’s parse what he said. It’s clear that there still aren’t yet industry-wide statistics on “the level and sources of fraud losses.” Various estimates are made by various industry pundits – but the actual data as reported within the industry isn’t available.
There has been some movement within the industry toward more coordination of security efforts as Sullivan calls it – but almost of that activity has exclusively in the arena of PCI-DSS.
So, the open question remains: what exactly should policy makers at the Fed do with respect to card payment fraud in the US? Is Fed intervention required to impose new requirements that wouldn’t otherwise be adopted by individual stakeholders acting alone? See my earlier post from just over a year ago about “Broken Windows and Card Payments Fraud“.
What do you think?