Fed Addresses the Faster Payments Identity Crisis
A Federal Reserve task force has issued criteria for its faster payments initiative, part of a long journey to build a framework to securely and efficiently accommodate the near real-time processing for digital commerce.
It's also an opportunity to achieve long overdue fixes to security and identity verification on the Internet, according to Stephen Lange Ranzini, president and CEO of University Bank & University Bancorp, and a member of the steering committee for the Federal Reserve Secure Payments Task Force.
"Using passwords and usernames to secure anything is ludicrous," Ranzini said, adding the identity security protocols of the new faster payments system could be usable beyond the scope of the banking industry.
People in technology and security industries have called for a federated identity system for years as a way to replace the myriad passwords that have become a staple of Internet life, but the initiatives never gained much traction. The Federal Reserve's faster payments task force, which on Tuesday released broad criteria—including for authentication and security—provides a new opportunity because it stems from the collaboration of a large number of stakeholders in different industries, according to Ranzini.
The efficiency and security necessary to achieve near real-time processing for digital transactions could also help build broad-based identity systems based on mobile technology, he said.
"The problem right now on the Web is it's using highly insecure methods to put locks on the front door," he said.
Strong authentication is crucial in 'faster payments' as the payer has to log in to push the payment out, rather than the merchant pulling the funds based on customer credentials, said Zil Bareisis, a senior analyst at Celent's banking group.
"Knowing the identity of the payer and understanding what they are entitled to is a key factor in managing the safety of such a system," Bareisis said.
The document the task force released on Tuesday does not directly call for passwords to be replaced, nor does it endorse any specific technology or call for any direct measure to secure payments or hasten transaction processing. Rather, it sets up categories to address ubiquity, efficiency, safety and security, speed, legal and governance. Each of these categories includes additional guidance.
For example, ubiquity entails enabling any entity to initiate payments with any other entity, with a straightforward user experience and cross-border functionality. Efficiency refers to the capability to add other features to a payment product and to adapt to current and future payment format standards. Safety refers to a risk framework, settlement approach, end-to-end data protection and robust authentication. The criteria also detail how fast settlement should work and call for prompt visibility and transparent legal rules and governance.
End-to-end encryption and tokenization do not in and of themselves eliminate the need for usernames and passwords, but strong enrollment and authentication could, said Julie Conroy, a research director at Aite Group.
"A transition away from usernames and passwords is long overdue across the payment ecosystem, since its value as a security mechanism disappeared long ago," she said.
Data breaches have compromised hundreds of millions of passwords and other credentials, which consumers tend to overuse, Conroy said. "Given that part of the vision for faster payments is immediate availability of funds, the confidence that the initiator of the transaction is authorized to do so is essential for the system to work."
While encryption and tokenization would protect the data within the faster payments system, they would not do away with identity theft altogether, since there are other points of exposure, Conroy said. "Herein lies one of the big challenges: How do you perform strong enrollment in a customer-friendly manner in an age when the majority of personal identifying information is already in the hands of criminals?"
The task force will receive proposals to build or power the entire faster payments system, or parts of it. These proposals will be weighed to see how they match the criteria or fall short. The process is wide open—the final result could be to assign the work to a private company, a group of companies or a Fed-directed effort, Ranzini said.
The task force has 320 members from a variety of participants in the payments and financial services industries. Members include representatives from Wells Fargo and U.S. Bank, which are among the operators of ClearXchange, an initiative designed to enable real-time transfers between bank customers. Other members include Dwolla, which provides a venue for real-time digital payments, and Ripple, a company that enables transactions across digital and fiat currencies.
It additionally includes organizations and associations that are actively developing their own faster payment initiatives, such as Swift and a collaboration between Vocalink and the Clearing House. The Fed's system is not expected to compete with these other initiatives.
The development and assessment of proposals is expected to be completed by November, with review and publication scheduled for March 2017. "We can declare one a winner, or there could be multiple winners or there could be multiple proposals, all of which are flawed," Ranzini said.