AUSTIN, Texas — For credit unions and banks, payments innovations like Apple Pay and Bitcoin tend to be a double-edged sword. Such groundbreaking technology will almost necessarily be accompanied by security and compliance vulnerabilities.
This conundrum was a recurring theme at the 2015 Retail Banking conference in Austin on Tuesday. A panel on Apple Pay delved into recent revelation about fraudsters using stolen credit-card data to set up accounts with the tech giant's mobile wallet.
At a separate panel, attendees weighed the advantages of developing relationships with cryptocurrency firms against regulators' concerns about how the anonymity of some digital currencies could further money laundering and other criminal activities.
Apple Pay is vulnerable to fraud for the same reason it's attractive to customers, according to Steve Mott, principal of payments consultancy BetterBuyDesign: "It's easy to do."
"That's the beauty of it and the tragedy of it," Mott said. While he lauded Apple for introducing tokenization to mainstream mobile payments, he said the company had rushed rollout of the service to the detriment of banks' and issuers' security defenses.
"They effectively stampeded the industry, banks and merchants to get it out as fast as possible," he said.
The issue at the heart of the Apple Pay fraud lies in the way that many partnering financial institutions verify customers' identities when they upload their cards to the mobile wallet. Banks frequently ask for authentication information such as the last four digits of customers' Social Security numbers.
The problem with this kind of static data is that hackers can easily steal the answers to such questions, Mott said. He pointed out that hackers were able to access as many as 80 million customer records containing Social Security numbers, birthdays and employment information in the breach disclosed by health insurer Anthem in February.
"The moral of the story is, if you try to make payments too easy, you're going to have real tradeoff in making them secure and scalable," he said.
CUs and banks should be also aware that payments security problems typically arise from a confluence of factors, according to Neff Hudson, assistant vice president for emerging channels at USAA, which supports Apple Pay.
"The fact that Apple Pay came along after the credit card breach is what created the vulnerability," he said, referring to recent breaches of major retailers including Target and Home Depot. "But [if] we think long-term, it's still potentially the most secure payment method ever invented."
Further out on the edge: Wells Fargo has concluded there's too much compliance risk involved in banking cryptocurrency businesses, according to Lester Joseph, manager of its global financial crimes intelligence group. The San Francisco-based company conducted what Joseph called a rigorous study of cryptocurrencies last year.
"We determined that at this point, we would not be in a position to bank any Bitcoin businesses or Bitcoin exchangers because there's a certain lack of transparency in Bitcoin currency as far as determining who the payments are coming from and where they're going to," Joseph said. "Without being able to identify parties on either end of the transactions, we're not able to do effective sanctions or [anti-money laundering] screening."
While Bitcoin users are pseudonymous (unless they opt to link their addresses to their identities), its public transaction ledger provides a trail that authorities can potentially use to track down criminal suspects. Some cryptocurrency businesses have taken additional steps to address regulatory concerns about sanctions, terrorist financing and AML rules.
Companies such as Bitcoin wallet provider Coinbase have registered as money-service businesses, obtained money transmitter licenses and developed compliance programs intended to root out suspicious patterns of activity. A number of startups have taken a risk-based approach to AML rules: the larger the transaction, the more scrutiny they apply to it.
But none of this is enough to soothe compliance jitters, according to Joseph.
"With respect to OFAC sanctions screening, there's zero tolerance — it doesn't matter if it's a quarter or a million dollars," Joseph said, referring to the rules enforced by the Treasury Department's Office of Foreign Assets Control.
He did, however, express interest in learning more about the cryptocurrency technologies offered by firms including Ripple Labs.
In fact, small but bold financial institutions like the Weir, Kansas-based CBW Bank are already embracing the use of cryptocurrency technology for cross-border payments. CBW is using the distributed ledger technology developed by Ripple Labs to establish direct, bilateral relationships with foreign banks, according to the bank's chairman and chief technology officer Suresh Ramamurthi.
Ramamurthi said he was well aware that "anything you do that's new" involving cryptocurrency technology will be highly scrutinized by regulators — all the more so when the institution in question is "a little bank in Kansas."
"I'll probably have to document everything in triplicate and notarize it personally with my blood before we go live," he said.
But the reality of regulatory scrutiny shouldn't deter banks from exploring new payments technology that can help them send money around the world more efficiently, Ramamurthi said.
"You assume regulations are a constraint," he said. "You set up an equation under a constraint like you do in algebra and get on with life. We don't fight them."