April 2015 Newsletters
Apple Pay hit the ground running after its launch. Thousands of institutions are already signed up with more waiting in the queue. Financial institutions are adopting new technology more quickly to keep up with customer demand and maintain a competitive edge in the market.
But with new products comes new risk.
Reports of fraud in Apple Pay have been creeping up over the last few weeks. There have been reports claiming fraud of up to 6 percent of overall use. That number is a bit suspect, but there is no doubt that some fraud is being perpetrated through the new system. And there is no shortage of pointing fingers. Banks are blaming Apple, who points the finger right back.
Asking who’s to blame for the actual fraud really misses the point. The fact is that ultimate liability falls back on the bank. If there is an unauthorized transaction, the customer collects against the financial institution, not Apple.
The onus is on the banks to protect themselves. Banks must be mindful to manage their risk. To that end, risk management and compliance must be ahead of the technology curve. Risk management and compliance must adapt as fast as, if not faster than, the pace of technology to avoid pitfalls. Unfortunately, this part of the equation often gets pushed aside in the name of progress.
In the case of Apple Pay, banks did not want to be left out of the launch of a product billed as a payment revolution. Many banks simply signed on the dotted line without asking too many questions. They were told that the payments are secure and they have nothing to worry about. What they should have asked is “how do I protect my bank?”
The vulnerability in Apple Pay lies in the very characteristic that makes it popular: its simplicity. All a user has to do to add a credit card to Apple Pay is to snap a picture. That’s it. Opening a tab at your local bar? All that bartender needs to do is snap a picture and they now have your card on file.
Sure, there was potential for the same fraud as before. That same bartender could snap a picture and they have your card number, security code and expiration date. The difference is timing. Prior to Apple Pay, the thief would have to order something online or create a clone. An online retailer often requires more information verifying your identity and, because of shipping, often takes days to complete the transaction. Clone cards require another level of sophistication – you need a machine to create a cloned credit card. Apple Pay removes those barriers. Take a picture, and you can use that card via Apple Pay down the street, right away. Well, unless the bank has systems to prevent that from happening.
The key is “verification.” This is where the bank comes in. Before the card is allowed to be used on Apple Pay, the bank should have a verification process. This can be done via text, email, phone or some other way to verify that the phone being used to process the transaction is actually held by the cardholder.
Some financial institutions already have a similar system for other products. In online and mobile banking, for example, many financial institutions require a six-digit code, sent via text or email, to be entered before logging into online banking from an unknown computer. These are the same types of risk management and security procedures the bank should consider before rolling out this product to its customer base.
By Jennifer Kirby, Compliance Specialist, Compliance Alliance
CFPB issued a final interpretive rule on April 15, 2015, to help lenders comply with the homeownership counseling list requirements. Along with new guidance, the interpretive rule restates prior guidance the CFPB issued back in 2013.
Lenders are required to provide federally related mortgage loan applicants with a written list of certified homeownership counselors located in the loan applicant’s area. The CFPB issued an interpretive rule in 2013 that specified that lenders have two options for obtaining the list:
- Generate the list from the Bureau’s website, or
- Generate the list within the lender’s own systems using the same HUD data that the Bureau uses on HUD-approved counseling agencies, in accordance with the Bureau’s data instructions.
The new final interpretive rule includes additional guidance about: how to generate the homeownership counseling lists for applicants abroad; use of an applicant’s mailing address to generate the list; permissible geolocation tools; combining the counseling list with other disclosures; and high-cost mortgage counseling qualifications and lender participation in such counseling.
What you need to know:
- When an applicant’s current address does not include a five-digit ZIP code (e.g., the current address is out of the country), the lender can use the ZIP code of the property securing the mortgage to generate the list.
- When an applicant’s current and mailing addresses are different, the lender can use the mailing address instead of the current address to generate the list. Furthermore, the mailing address can be used to generate the list when the applicant’s current address does not include a five-digit ZIP code (e.g., the current address is out of the country).
- Lenders are not required to use the same geolocation system as the CFPB, as long as the results are generated in accordance with the CFPB’s data instructions.
- In addition to disclosures required under Regulation X and Z, the homeownership counseling list may be combined with other mortgage disclosures that are not required pursuant to Regulation X and Z.
- Housing counselors that are approved by HUD to offer homeownership counseling are also qualified to provide the counseling required for high-cost mortgages under Regulation Z.
- Housing counselors can provide advice on buying a home, credit issues and foreclosures.
- Consumers should receive a list of counselors shortly after they apply for a mortgage loan to help ensure the consumers ultimately make the best decision.
- Lenders cannot insist on participating or listening in on a counseling call or session if such behavior results in a consumer’s selection of a particular counselor. However, counselors are allowed to request that a lender participate in a call or session.