Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB).  And here’s why:  They focus on things that impact my day-to-day life (and yours as well).

I started tracking what the CFPB was doing about five months ago by accident.  Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update.  Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought).  Compelled a bit by the update I started poking around the CFPB website.  For the first few months of this year it seemed to have potential but was little more than brochure-ware.  But last month that all changed.

The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist.  Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to.  Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives.  They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected.  For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things).  And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data.  Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency.  And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right.  So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see.  That was the first points on the board for the CFPB.

The second set of points were scored almost on the same day.  I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“.  Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest.  The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense.  Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society.  Seniors tend to be  more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option.  And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament.  So for me having this content available was quite the relief.  I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source.  And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).

Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around.  It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population.  Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it.  To those who have had a hand in defining its charter and organizing its content, great job!   Now repay my kind words by going out and getting me some juicy enforcement stories to write about.

Ready? Here we go……

1) Credit card numbers

2) Social security numbers

3) Bank account information

I’m betting most of you came up with the following answers:

1) PCI

2) PII

3) ?

I’ve been fascinated for a few years now as a regulatory compliance professional about how little attention one of the most significant risks remaining in the digital world receives anywhere in my industry. Everyone has gone absolutely nuts when it comes to credit card numbers. There’s a significant groundswell around personally identifiable information as is evidenced based on the growing number of state laws being passed to oversee such things. But try and find anything in the pipeline seeking to protect your bank account information in the public domain and there’s “ “ (aka crickets).

Earlier this month we celebrated a milestone event in our family and a fair number of gifts we received were presented in the form of personal checks. I had in my hands full name and addresses, bank routing details and individual account numbers from dozens of people at my disposal to do with as I pleased. And while I was honorable and simply deposited them (for some of my friends I apparently did so a little too quickly) the potential for fraud was huge. Consider that of the nearly two dozen companies I conduct business with each month (e.g. mortgage, car loans, utilities, etc), more than two-thirds accept online checks in lieu of credit cards. If you’ve never paid via an online ACH payment or check, all you need to do is provide the bank routing number (got it right there on the check), the individual bank account (got that too) and on occasion the name of the institution (but again, you have that right there in front of you). Really when you boil it down to bare essentials, it’s somewhat the equivalent of giving someone your credit card information on a piece of paper that than gets circulated through multiple touch points before it is completely processed.

It’s insane, it’s unnecessary and most of all it’s unacceptable, and I’m betting it’s the next big information security flashpoint in the banking industry.

One of my colleagues considers checks to be archaic and thinks they should be eliminated altogether. Another suggested that they should be protected exactly the same way credit card numbers are being handled these days courtesy of the PCI standard. I was thinking of something a little simpler to start with. Why don’t they simply eliminate printing the routing and account details and rely exclusively on barcode technology as a Phase 1 sort of exercise? It’s an embedded technology and while far from tamper-proof it would certainly eliminate the biggest exposure currently in existence. I’d like to think that my money is a little harder to access than by my simply writing a check to a local service company and having someone in their office copy down the details and use them to make an unauthorized purchase. It’s not likely they’d have a barcode reader and so that would be the first logical step to take.

But whatever steps the industry takes to remedy this problem, one thing’s certain: Something has to be done. At this point in the evolution of identify theft and online fraud, it’s not as if the oversight bodies can claim ignorance. They know that the criminal element continually pursues the lowest hanging fruit, and right here and now the exposure provided courtesy of the printed bank check is just about dragging on the ground.

It’s time for the industry to change and hopefully before this reaches epic proportions. Because if bank customers become afraid or reluctant to use personal checks as a method of payment, it’s going to become a huge problem for commerce in general. Considering where our economy is at the moment, I doubt we can easily withstand such an event.

]]> http://itknowledgeexchange.techtarget.com/regulatory-compliance/bank-checks-the-final-frontier/feed/ 0