There are several reasons why you can’t rely on law and regulation, says Ed Adshead-Grant. Here’s where they fall short and what you should do about it.
Initiatives like open banking and faster payments have ushered in a whole new era in the world of business-to-business payments. The industry is now faster and more flexible than was ever thought possible. Unfortunately, these advances have come with significant risks. The faster payments move, the harder it is to protect them and the easier it is for cyber criminals to exploit vulnerabilities.
Consider this: It has become more and more difficult to tell the difference between real transactions and fraudulent ones, mostly because of the huge volume of transactions being processed. That’s scary to think about in this world of irrevocable payments.
The industry has responded to these increasing threats by doing what industries do—introducing regulations.
These are formal, enforceable security policies designed to prevent fraud and protect organizations and individuals. They sound like a good idea. Yet regulations are not always the panacea the industry would like them to be. As a whole, they fall short in three key areas, providing a false sense of security rather than any element of true protection.
1. They are too ambiguous
The biggest issue with regulations is that they are often wide open for interpretation, chock-full of ambiguity and consequently implemented in an inconsistent manner. Understanding them is a little like playing a complicated game designed by 5-year-olds. You’re never sure of where you stand until you make a mistake. The PSD2 regulations in Europe are a great example of this. They are well-intentioned and an incremental improvement on PSD1, but because there are so many ambiguities in how they can be implemented, they potentially lack the teeth to be really effective.
2. They lag behind what is really needed
Because it takes so long for regulatory bodies to write and agree to a common set of rules, they are nearly always out of date by the time they are made public.
Proposed requirements in the state of New York for multifactor authentication are a good example of this. They are a solid step in the right direction, but, overall, the regulations miss the mark because they fail to account for open banking, an industry trend that shines a light on a number of potential security threats.
SWIFT’s new Customer Service Programme (CSP) is another relevant example. As part of its 11 advisory provisions this year it calls for the use of end-of-day log-file reporting. While a good source of data, log files aren’t tremendously helpful because they only collect partial information about incidents, which limits investigators’ ability to be effective. They also only make organizations fully aware of fraudulent payments after they’ve been made. At that point it’s far too late. Bottom line? The level of mandated protection offered by the CSP can be limited and even ineffective by design.
Henry Ford was famous for saying “If I had asked people what they wanted, they would have said a faster horse.” At this stage of the game, the industry needs Teslas, not Clydesdales.
3. They lack broad perspective
The committees that create regulations are often made up of mostly financial-services professionals, with little representation from corporates, which are the major users of payments day after day. Creating rules in such a vacuum of vested interests can result in onerous rules that do not adequately represent the needs of everyone.
So if regulations aren’t always effective, what should companies do?
Regulations are a necessary tool in many market structures, and they need to be implemented where the alternatives are fines, prosecution, and even imprisonment. They just have to be kept in perspective.
Think of it this way: regulations are only designed to enforce minimum standards.
When put in that light, it’s obvious that simply adhering to industry mandates is not sufficient. Remember, it only takes one vulnerability for a hacker to be successful. You wouldn’t lock the doors of your car yet leave all of the windows open. So don’t leave the security of your payments at the mercy of the lowest level of controls you are required to have.
To be truly secure, organizations must go beyond what is required of them and focus on securing every payment that passes through their hands. The ultimate goal has to be stopping fraudulent payments before they happen, because once they’re gone, there’s little hope (and significant expense) in getting them back.
Thankfully, this is possible. It can be accomplished by finding a security solution that can monitor the usage of business applications on multiple fronts, internally at the organizational level (employees, contractors, and authorized users) as well as customers and any other online channels, including bank-to-bank networks such as SWIFT.
Look to achieve effective monitoring practices that take place at the application level (e.g., understanding if a certain behavior is atypical when reviewing payments, inquiries, screen lookups etc.), as well as at the network level (e.g., detecting anomalies with transaction traffic). By taking such measures, it will be far easier to identify activities that are likely fraudulent and then stop them before the real cost of financial losses kicks in.
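To make the two layers of monitoring above concrete, here is a small added example (not code from the article, nor from Bottomline Technologies) that scores a payment instruction before it is released. The application-level checks look for atypical behaviour against the submitting user's own history (a beneficiary they have never paid, an amount far above their baseline, submission outside business hours); the traffic-level check flags a burst of instructions in a short window. The payment fields, the sample history, the business-hours window and the thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Payment:
    """One outbound payment instruction. Field names are assumed for this example."""
    user: str
    beneficiary: str
    amount: float
    submitted: datetime


# Constructed history for one hypothetical accounts-payable user; not real data.
HISTORY: List[Payment] = [
    Payment("ap.clerk", "ACME-SUPPLIES", 1200.0, datetime(2024, 3, 4, 10, 15)),
    Payment("ap.clerk", "ACME-SUPPLIES", 1350.0, datetime(2024, 3, 11, 9, 40)),
    Payment("ap.clerk", "NORTH-LOGISTICS", 980.0, datetime(2024, 3, 12, 14, 5)),
    Payment("ap.clerk", "ACME-SUPPLIES", 1275.0, datetime(2024, 3, 18, 11, 20)),
    Payment("ap.clerk", "NORTH-LOGISTICS", 1010.0, datetime(2024, 3, 25, 15, 30)),
]


def score_payment(
    candidate: Payment,
    history: List[Payment],
    business_hours: Tuple[int, int] = (8, 18),  # assumed 08:00-18:00 window
    max_per_hour: int = 3,                      # assumed burst threshold
) -> Tuple[str, List[str]]:
    """Return ("release", []) or ("hold", reasons) for a payment not yet sent.

    The decision is made before release, which is the point the article makes:
    a fraudulent irrevocable payment is far cheaper to stop than to recover.
    """
    own = [p for p in history if p.user == candidate.user]
    reasons: List[str] = []

    # Application level: has this user ever paid this beneficiary before?
    if candidate.beneficiary not in {p.beneficiary for p in own}:
        reasons.append("new beneficiary for this user")

    # Application level: is the amount far outside the user's usual range?
    # Uses mean + 3 * stdev, with a floor of 5% of the mean so that a very
    # regular payer (near-zero stdev) is not flagged for trivial variation.
    if own:
        amounts = [p.amount for p in own]
        mu, sigma = mean(amounts), pstdev(amounts)
        if candidate.amount > mu + 3 * max(sigma, 0.05 * mu):
            reasons.append(f"amount {candidate.amount:.2f} far above baseline {mu:.2f}")

    # Application level: weekend or outside the assumed business-hours window.
    start, end = business_hours
    if candidate.submitted.weekday() >= 5 or not (start <= candidate.submitted.hour < end):
        reasons.append("submitted outside business hours")

    # Traffic level: too many instructions from this user in the last hour.
    window_start = candidate.submitted - timedelta(hours=1)
    recent = [p for p in own if window_start < p.submitted <= candidate.submitted]
    if len(recent) >= max_per_hour:
        reasons.append(f"{len(recent)} payments in the previous hour")

    return ("hold", reasons) if reasons else ("release", reasons)


if __name__ == "__main__":
    # Constructed candidates: one routine, one that trips several checks.
    routine = Payment("ap.clerk", "ACME-SUPPLIES", 1300.0, datetime(2024, 4, 1, 10, 0))
    suspect = Payment("ap.clerk", "OFFSHORE-HOLDINGS", 48500.0, datetime(2024, 4, 6, 2, 30))
    for p in (routine, suspect):
        decision, why = score_payment(p, HISTORY)
        print(f"{p.beneficiary:18} {p.amount:>10.2f} -> {decision} {why}")
```

The checks are deliberately simple so the structure is visible: each rule appends a human-readable reason, and any reason holds the payment for review rather than releasing it. A production deployment would maintain the per-user baseline incrementally instead of recomputing it per payment, and would feed the held-payment reasons into the investigator's queue so that the log record is complete at the moment of the decision, not reconstructed from end-of-day exports.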
Regulations are here to stay. If anything, I would expect them to become even more complicated. The industry will insist on it because regulations are a security blanket that gives people comfort that something is being done to keep the fox out of the henhouse.
Organizations should not rely on regulations as their sole protection, however. Meeting the minimum standards will not be enough to keep payments safe, and creative criminals will always up their game. To avoid the financial losses and reputational damage that occur as a result of fraud, it’s imperative that you go beyond the minimum.
—Ed Adshead-Grant is general manager of payments and cash management at Bottomline Technologies, Portsmouth, N.H.