Here are several samples of my work for PaymentsCompliance:
U.S. Financial Sector Embraces Open APIs For Payments Revolution
5TH JUL 2017 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
U.S. financial firms are embracing the prospect of industry-wide application programming interfaces (APIs) to facilitate third-party access, dismissing fears around the security of consumer data.
The Consumer Financial Protection Bureau is currently investigating whether banks should be required to develop open APIs that would allow fintechs an easier path to consumer data.
Some industry stakeholders expressed concern about the possible reforms, arguing that third parties may have little ability or willingness to protect that data.
But Zach Perret, co-founder and chief executive of Plaid, a San Francisco-based technology platform that enables applications to connect with users’ bank accounts, said consumers already use APIs all the time — perhaps without even realizing it.
“I would say when you pull out your mobile phone and open your favorite bank’s application, just by opening that application you started a series of hundreds if not thousands of APIs,” Perret said at an American Bankers Association (ABA) conference in Washington, D.C. last week.
“To log in to check your balance your mobile device is requesting that data from bank servers.”
APIs are not new, having been developed 15 to 20 years ago to enable different systems to talk to each other.
“We are really excited about something that has been around for a long time,” added Christopher McClinton, senior vice president of the ABA.
In their early days, APIs were largely internally-focused and non-standardized, meaning they were inaccessible to the outside world and that substantial customization work was needed to link to them.
But today, with the emergence of open APIs, their role and importance have escalated to a whole new level, especially when it comes to the financial sector, Perret said.
For financial institutions, it is an opportunity to take advantage of the fintech industry, which has been delivering a constant flow of new technologies — especially for banks to meet their customers’ financial needs more effectively.
“We are never going to be fast enough, we are never going to be smart enough to do it all ourselves,” said Steven Van Wyk, chief information officer with PNC Bank in Pittsburgh, Pennsylvania.
“So, we use our open API platform to encourage people to rethink how banking is done.”
Van Wyk explained that PNC looks at its API network like an iPhone: Apple did not create the bulk of the applications on the phone, but created the platform that allows others to invent on top of it.
“Now you have an iPhone that is customized to how you want to use it,” said Van Wyk. “Why can’t a bank do the same thing? We want to expose a platform for a lot of others to create apps that interface with the bank’s app … and it becomes a personal way to bank.”
Jeff Deppen, chief information officer at Orrstown Bank, said APIs currently give smaller banks a way of competing with much larger rivals.
He said Orrstown, which has 22 branches in Pennsylvania and Maryland, has around $1.45bn in assets, whereas PNC posted assets of nearly $370bn in December.
For larger banks, Van Wyk said there are further opportunities in the real-time business-to-business payments sector.
“We see the corporate side as a tremendous opportunity,” he said.
In Europe, where authorities have mandated through the revised Payment Services Directive (PSD2) that financial institutions must offer open interfaces to third parties, fears are still being raised that data protection could be weakened as a result.
But for Perret, APIs as a technology are not inherently risky.
“It’s important to know that the concept of an open API is a little bit of a misnomer,” Perret said.
“No API source is open … they need to go through a compliance process. They are relatively restrictive, not open APIs.”
Van Wyk agreed, adding that banks will have to “adopt some critical standards” to ensure third-party access remains secure.
Oliver Jenkyn, a group executive with Visa’s North American operations, was in no doubt about the transformative potential of open APIs.
“I truly believe that more is going to change over the next two years than the last 20 years,” he said.
“Decisions we are making right now will shape the industry. The impact of technology on our industry is greater than any other industry out there.
“It’s our challenge to make sure payments is flexible enough to make sure we meet wherever it is going to go.”
Global Cyber-Warfare ‘Placing Financial Firms At Risk’
4TH JUL 2017 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
A counter-terrorism expert in the United States has said that the rise of state-sponsored hacking, malware and online espionage has created a new battleground for cyberattackers — with the financial sector at its center.
Reid Sawyer, a senior vice president at multinational insurance and risk consultancy JLT, told an industry conference that financial institutions and payments firms must urgently improve their cyber-defences or risk becoming pawns in wider global conflicts.
“What we are seeing now is private warfare,” Sawyer, a counter-terrorism specialist and former soldier, told the American Bankers Association’s inaugural Payments Forum in Washington, D.C.
“States are no longer seeing state-to-state warfare as a legitimate target,” he said. “It is the economy that is being targeted.”
Sawyer cited Iran’s response to Stuxnet — a computer worm identified in 2010 that was used to destroy centrifuges inside the country’s Natanz uranium enrichment site. The cyberattack plan also targeted Iran’s air defenses, communications systems and key parts of its power grid.
“Iran’s response wasn’t against the Pentagon,” Sawyer said. “It was against 50 financial institutions in the United States.
“Data integrity is the payments industry’s greatest risk.”
The problem is not restricted to the U.S.; last month’s “brute force” cyberattack on UK parliamentarians was widely thought to be linked to a hostile government — with many pointing the finger at Russia.
The previous month, sophisticated ransomware known as “WannaCry” spread across thousands of institutions in more than 150 countries.
The attackers demanded payment in Bitcoin in exchange for restoring access to files, prompting warnings to the payments sector that money laundering activity was expected to spike in the aftermath.
“The geography is irrelevant these days,” said Sawyer.
“Doesn’t matter if it’s coming from Russia, Ukraine or China, or from a criminal organization in the United States. Geography is irrelevant, which also means no vertical is safe.”
He added that cyber-espionage — both state-based and from criminal actors — is developing as a new battleground on the international stage.
Today, Sawyer said bad actors are not only scanning the internet to find open portals to exploit, but are looking at social media profiles belonging to company employees.
He suggested that the majority of incidents originate with willing or unwilling employees within corporations.
“They are going in and identifying who that unsatisfied employee is,” Sawyer said. “They are targeting them, saying the information you have can be monetized — no different from when we used to run sources. You look for the disaffected.”
He said they build up those employees’ sense of importance, sometimes offer a financial reward, and ultimately include them within their network.
The key to a breach, Sawyer said, is that when employees are approached they are told they do not have to do anything except click on a link.
Sawyer bemoaned the lack of protective action from the financial sector.
“We don’t get that this is a business risk,” Sawyer said, citing an EY survey that found 68 percent of executives believe they would not change their IT spending if the supplier was breached.
Yahoo suffered two breaches in 2013 and 2014, with some 1.5bn accounts compromised. The company said the stolen user data included names, email addresses and passwords, but not financial information.
He suggested criminals are using that data to mine for information they can re-use, potentially to access financial information.
“You know what is common among all my passwords, especially in the financial industry, is the three questions,” he said. “What’s my favorite dog? What was my first car? What’s my favorite winter activity?”
Sawyer said those questions were common among the stolen data, so now someone has the ability to apply machine learning or early artificial intelligence to harvest all those security questions and answers.
“Think about what they can do with that,” he said. “We need to understand how data is being used against these firms.”
Ex-MoneyGram Compliance Officer Settles Money Laundering Case
5TH MAY 2017 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
A former MoneyGram compliance officer has agreed to pay a $250,000 fine and refrain from performing similar functions for three years, settling a civil action accusing him of failing to ensure compliance with anti-money laundering (AML) laws.
The U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) and the U.S. Attorney’s Office for the Southern District of New York had initially sought to collect a $1m fine and bar Thomas Haider from working in the financial industry.
Haider was sued on December 18, 2014 for failing to ensure the money transfer company had an effective AML program, in what was a first-of-its-kind lawsuit by regulators.
Haider worked as chief compliance officer at Dallas-based MoneyGram from 2003 to 2008; in its 50-page complaint, FinCEN said Haider failed to comply with the U.S. Bank Secrecy Act (BSA) during that time.
“FinCEN relies on compliance professionals from every corner of the financial industry,” said acting FinCEN director Jamal El-Hindi. “FinCEN and our law enforcement partners need their judgment and their skills to effectively fight money laundering, fraud, and terrorist financing.”
In a two-page statement released yesterday, El-Hindi said compliance officers occupy “unique positions of trust in our financial system”.
He added that the agency has repeatedly said that when FinCEN takes action against an individual, “the record will clearly reflect the basis for that action.”
As chief compliance officer from 2003 until he left MoneyGram in 2008, Haider supervised MoneyGram’s fraud and anti-money laundering compliance departments.
MoneyGram uses a global network of agents and outlets, and Haider was accused of failing to ensure the company had a policy to discipline agents suspected of being involved in fraud or to terminate high-risk agents and outlets.
FinCEN also claimed Haider did not ensure that MoneyGram filed reports alerting the U.S. government to suspicious transactions, according to the complaint.
Haider allegedly had the authority to terminate or otherwise discipline agents and outlets due to “compliance concerns” and allegedly could decline to approve new agents or outlets.
“By failing to terminate MoneyGram outlets that presented a high risk for fraud and to take other actions clearly required of him, Haider allowed criminals to use MoneyGram to defraud innocent consumers,” acting U.S. Attorney Joon H. Kim said on Thursday.
MoneyGram has a network of 350,000 places where customers can send and receive money. These include stores, post offices and banks in 200 countries.
In 2009, after Haider had left MoneyGram, the Federal Trade Commission filed a complaint against MoneyGram alleging that, between 2004 and 2008, agents in the United States and Canada aided fraudulent telemarketers in a scam that cost U.S. consumers millions of dollars.
In 2012, MoneyGram paid a $100m fine and entered into a deferred prosecution agreement with federal agencies and law enforcement on charges of aiding and abetting wire fraud and willfully failing to implement an effective AML program.
Despite the company’s settlement, the U.S. District Court for the District of Minnesota in January 2016 denied Haider’s motion to dismiss the federal government’s complaint seeking to hold him liable for BSA violations.
Haider disputed that FinCEN had the authority to hold him individually liable for company failings.
Among other things, the court:
- Affirmed that a compliance officer responsible for the development and oversight of an AML program may be held liable for the Bank Secrecy Act violations of his or her employer.
- Reserved judgment as to whether the proposal to bar Haider from service to any U.S. financial institution was a punitive sanction subject to the statute of limitations or a prophylactic measure that was not so limited.
In the meantime, China’s Ant Financial, an affiliate of online shopping company Alibaba Group, is expected to sign a $3.5bn loan to help fund its purchase of MoneyGram, Reuters reported.
MoneyGram is the world’s second-largest money transfer business, behind Western Union.
Ant Financial has offered to pay $1.2bn more for the company than Euronet Worldwide, according to Reuters.
After Euronet offered to buy MoneyGram in March, Ant Financial increased its offer by 36 percent.
Nevada Bill Would Block Taxes On Blockchain Transactions
12TH APR 2017 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
A senator in Nevada has told PaymentsCompliance it is crucial to the state’s economic viability that it positions itself as a “safe space for entrepreneurs” developing companies that utilize blockchain technology.
To begin to create a supportive environment, Republican Senator Ben Kieckhefer filed a bill that would prevent local authorities from imposing fees or taxes on the use of blockchain technology.
Nevada Senate Bill 398 is concerned with creating a legal foundation for blockchain contracts and records.
“As blockchain is growing and evolving … I want companies to know that Nevada has a legal structure that ensures transactions conducted over a blockchain will be recognized by our courts,” Kieckhefer said.
Hopefully, the senator said, it will encourage more companies to do business in Nevada.
Kieckhefer said one of the companies he was working with was Filament, which is a Reno-based blockchain company.
“It isn’t often that a new technology comes along that completely changes the way we interact with each other,” Filament chief executive Allison Clift-Jennings wrote in a letter supporting SB 398 to the Senate Judiciary Committee.
“It happened with the advent of the internet and later with the smartphone revolution,” Clift-Jennings said. “The blockchain is a new technology that’s just as important.”
Clift-Jennings said that blockchain technology has the “ability to reduce fraud and bring new trust to existing interactions.”
Under Kieckhefer’s proposal, the use of blockchain technology or licensure would not be taxed by local government in Nevada.
But nothing in the bill “prohibits a local governmental entity from using a blockchain or smart contract in the performance of its powers or duties.”
A similar bill was signed on March 31 by Republican Arizona Governor Doug Ducey that would enshrine signatures recorded on a blockchain and smart contracts — self-executing pieces of code — under state law.
Specifically, House Bill 2417 aimed to make those types of records “considered to be in an electronic format and to be an electronic record.”
The Arizona law was also similar to a measure passed in Vermont last year that would make blockchain data admissible in court.
The bill also focused on data that would be a “factor or record” tied to a blockchain.
“Blockchain technology has certainly gained traction among Nevada’s entrepreneurs,” Kieckhefer said.
Kieckhefer’s four-page bill states that a local government is prohibited from “(1) imposing a tax or fee on the use of blockchain; (2) requiring a certificate, license or permit to use a blockchain; and (3) imposing any other requirement relating to the use of a blockchain.”
The bill would also prohibit the exclusion of blockchain records in “proceedings,” noting in Section 11 that “if a law requires a record to be in writing, submission of a blockchain which electronically contains the record satisfies the law.”
“A smart contract, record or signature may not be denied legal effect or enforceability solely because blockchain was used to create, store or verify the smart contract, record or signature,” the bill said.
“In a [legal] proceeding, evidence of a smart contract, record or signature must not be excluded solely because a blockchain was used to create, store, or verify the smart contract, record or signature.”
But with less than half of the 120-day session left in Nevada, lawmakers have limited time to approve what is a wide-ranging piece of legislation that deals with relatively new technology.
If the bill dies in the 2017 Nevada legislature, Kieckhefer would have to wait until February 2019 to file another measure.
“While I’m not sure any specific problems will be created if we don’t pass this legislation, I believe Nevada could miss out on a significant opportunity to become a destination state for entrepreneurs and businesses working in this area,” the senator said.
U.S. Legalized Marijuana Industry Struggling To Bank Its Billions
14TH MAR 2017 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
Payments start-ups in the U.S. have said the rift between federal and state regulations means banks are unwilling to process transactions linked to legalized marijuana businesses.
Despite a flurry of state laws making it legal for retailers to supply marijuana, industry insiders believe a federal-level ban on the drug means the vast majority of transactions — worth billions of dollars — are being made in cash.
Financial institutions, fearful of being on the receiving end of stinging enforcement actions by federal authorities, will often refuse transactions or deny account services to businesses involved in the industry.
“Banks are very risk averse, especially when it comes to dealing with marijuana businesses,” said Adam Healy, the chief information security officer at digital wallet provider Tokken.
“How can we de-risk these transactions?”
Tokken, along with other start-ups such as Kind Financial and PayQwick, have created online systems that help dispensaries and banks record and monitor transactions, with the goal of moving transactions away from cash.
“Really, how we see it in terms of law enforcement, is that we don’t want to operate in the shadows,” Healy told PaymentsCompliance.
“We really see it as an advantage to provide stability for the industry.
“We are talking about billions of dollars in transactions.”
Industry analysts GreenWave Advisors and the Arcview Group estimated the cannabis industry in the U.S. last year reached $6.5bn and $6.7bn respectively.
Both research groups estimate the industry will surpass $20bn by 2020.
But, with few exceptions, marijuana customers pay with cash, leaving retailers to pay their employees, taxes, landlords and suppliers with stacks of possibly questionable and hard-to-trace cash.
“Consumers and retailers don’t want to deal with the cash issue,” Healy said. “Local governments don’t want that volume of cash on the street due to public safety concerns.”
He added that if it was easier to bank marijuana-related businesses it would also mean billions of dollars in liquidity for smaller, community banks and millions in tax revenue for local and state governments.
That means the business can not only accept card transactions from consumers but also use its balance like any other mainstream company with a business banking account, paying suppliers, employees and taxes.
Tokken was founded in February last year by a former federal banking regulator, and says it helps law enforcement authorities by recording all transactions indelibly using distributed ledger technology.
All transactions are also “geofenced”, meaning the company can prove customers are making purchases where they say they are.
PayQwick, which has also targeted the legalized marijuana sector, has taken a slightly different approach.
Registered federally as a money services business, the firm is a licensed money transmitter in Washington and is overseen by the state’s Department of Financial Institutions.
It is also supervised in Oregon by the state’s Division of Finance and Corporate Securities, and intends to expand into Colorado, Nevada, and other states that adopt seed-to-sale traceability systems.
Marijuana customers, retailers and producers are able to use PayQwick’s app, website and prepaid card to make purchases or transfer money between each other.
The system allows for a customer to sign up for an account online and link it to their bank account and transfer funds to PayQwick, which sends the customer a physical card.
When the card is swiped the funds are transferred from the consumer’s PayQwick account to that of the retailer, which can then transfer it to their bank account.
It vows to minimise the risk of exposure to illicit activity by taking on the regulatory compliance role itself, ensuring customer due diligence requirements are met and anti-money laundering rules are being adhered to.
Data Protection In A ‘Post-Dwolla’ World: Industry Told To Up Standards
20TH SEP 2016 | WRITTEN BY: CHRIS SIEROTY IN WASHINGTON, D.C.
U.S. financial institutions that are well prepared for a cyber-attack could save millions of dollars if a breach occurs, legal experts have said, in an increasingly hostile regulatory environment.
Courtney Stout, an attorney at Davis Wright Tremaine law firm, told last week’s Emerging Payment Systems event in Washington, D.C. that the average cost of identifying a data breach in fewer than 100 days is $5.8m, compared with $8m for firms that act more slowly.
To contain a breach in less than 30 days will cost on average $5.2m, compared with $8.8m when containment takes longer than 30 days, she added.
“Things that you can do to prepare your employees can save your company money,” Stout said.
“Data breaches can be prevented if you have all of the right people.”
The $100,000 fine imposed on online payment platform Dwolla by consumer protection authorities in March, despite there being no allegation that a data breach actually occurred, has been seen as a landmark case by cybersecurity experts.
The Consumer Financial Protection Bureau (CFPB) said Dwolla had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and so was liable for a financial penalty — the first it had ever issued on security grounds.
“We don’t know what started the Dwolla investigation,” Stout added. “It was one of the first cases that didn’t stem from a data breach.”
For New York lawyer Jessica Sklute, special counsel at Schulte Roth & Zabel, payments providers and other financial firms should ensure they are meeting requirements set out in the Gramm-Leach-Bliley Act (GLBA).
“GLBA is the primary U.S. law that governs privacy,” said Sklute.
“It’s meant to regulate financial institutions, but broadly covers many businesses.”
The act generally requires that financial institutions inform their customers annually on how they share customers’ non-public personal information.
If the institution shares this information with unaffiliated third parties in ways other than specified by statute, Sklute warned that the institution must notify customers of their right to opt out of sharing, and inform them how to do so.
The federal law consists of three sections:
- The financial privacy rule, which regulates the collection and disclosure of private financial information.
- The safeguards rule, which stipulates that financial institutions must implement security programs to protect such information.
- The pretexting provisions, which prohibit the practice of accessing private information using false pretences.
The GLBA, particularly the safeguards rule, has been used by the CFPB and the Federal Trade Commission (FTC) to investigate and fine companies that violate standards when it comes to cybersecurity and data privacy.
Sklute said the FTC has settled more than 50 data security cases over the years under the GLBA.
She said that some of the best examples were cases involving Eli Lilly, Snapchat, and Wyndham Worldwide.
“The CFPB has been very aggressive,” said attorney Barrie VanBrackle, a partner with Orrick, Herrington & Sutcliffe.
“It takes a company down and a lot of others with it.”
For Sklute, the CFPB’s case against Dwolla using the safeguard provision of the GLBA means companies need to be careful of the promises they make about protecting customers from data breaches and other cybersecurity threats.
Among Sklute’s suggestions were maintaining communications between the legal and marketing teams, accurately reflecting policies and practices of the business, and avoiding consumer promises that are not legally or technically accurate.
Stout agreed, but focused her comments on how companies can mitigate the risk from a data incident.
She reminded event attendees it is not a matter of if, but when, a company deals with a data breach.
Among the factors that can decrease a financial firm’s exposure is creating an incident response team and training its employees.
What a business cannot control, Stout said, is the size and type of incident.
“Size is going to be one of the very few elements of a breach that are out of your control,” she said.
About PaymentsCompliance – We are a large and experienced team of payments professionals, journalists, lawyers and researchers who analyse the legal and regulatory changes affecting the global and emerging payments communities.
We provide actionable intelligence to stakeholders throughout the ecosystem in a concise and comprehensive format that allows our clients to make informed business decisions, uncover opportunities and reduce legal fees.