Last Monday the Federal Reserve released a little-noticed 58-page report entitled “Strategies for Improving the U.S. Payment System.” The study outlines the Fed’s proposal to address concerns about the risks posed by the currently fragmented U.S. payments system. This system presently depends upon a combination of banks and thrifts, credit card companies, retailers and businesses, third-party providers of technology and related services, and securities firms and related exchanges. Part of the system is based upon paper checks, coin, and currency; but increasingly, payments are becoming more and more dependent upon both private and public internet-based technologies. And more innovative systems are on the way, like Apple Pay, which relies upon cellphones and other devices. There are even a growing number of totally electronic systems of private currency, like (Bitcoin).
The Federal Reserve itself operates a large wholesale payments system, – Fedwire, which is a real-time, gross settlement system with more than 9K participants, an automated clearinghouse for both domestic and cross-border payments. Plus, there is a parallel system, Fedwire Securities Service, that provides safekeeping, transfer, and settlement services for securities issued by the Treasury, other government agencies and GSEs, and selected international organizations. Then there are quasi payment systems (such as the airline ticket system) that cross books and make payments and at the same time interface with the more standard systems.
Given the inter-linkages and the reach of these payment systems into the fabric of our economy, ensuring their integrity against cyber threats is as important as ensuring the safety and integrity of our power grid, including nuclear facilities. One might argue that they may be even more critical. Certainly, their complex linkages dwarf the kinds of interconnectedness that plagued financial institutions during the financial crisis; and they are arguably significantly more important than the financial stability and systemic risks concerns that are the purview of the Financial Stability Oversight Council created by Dodd-Frank. Realistically, an attack from outside agents on this infrastructure is more likely, at this point, than the threat of a nuclear attack. Such an attack could be accomplished virtually anonymously from remote locations, and there would be no viable way for the U.S. to retaliate, making our current nuclear deterrent strategy ineffective.
For all the reasons noted above, the Fed’s proposal and its objectives are laudable and much needed, especially given the recent experience with hackers of Target (NYSE:TGT), JPMorgan Chase & Co. (XETRA:JPM) and Home Depot (NYSE:HD). These are just a few notable examples among many other such incidents. However, there is an important consideration that has been left out of the Fed strategy, one that is critical to ensuring that our payments systems are truly safe and stable.
Right now, the legal structure governing these systems is configured so that the crimes that are perpetuated against them can be treated as either a local or a federal issue, depending upon where the criminal activity originates and the nature of the offense. At the federal level, the Computer Fraud and Abuse Act (CFAA) [18 U.S.C. Section 1030], the National Information Infrastructure Protection Act, and the Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C. Section 1028(a)(7) are the principal statutes governing computer and Internet crimes. Hence there are a variety of state and federal investigative and enforcement agencies that can become involved, often with overlapping jurisdictions. The focus of much of their activity is on consumer protection and privacy. The FBI and Secret Service have the main federal responsibilities in this area, but the US Immigration and Customs Enforcement (ICE); the Postal Inspection Service; and the Bureau of Alcohol, Tobacco, Firearms and Explosives are also involved. But these agencies are not principally involved in sophisticated payments systems operation and structure, and the Secret Service’s involvement is largely a historical accident: the Secret Service was originally charged with investigating crimes related to the Treasury, primarily counterfeiting. We all know that the Secret Service’s prime responsibility is to protect the president and other dignitaries; and the other agencies named above also have a broad range of missions far removed from the critical responsibility of addressing and preventing financial crimes and protecting payment systems.
Our payment systems are national systems engaged in interstate and international commerce. For this reason, the laws, regulations, enforcement, and protection related to those payment systems should be organized at the federal level and lodged with the agency that is charged with maintaining and ensuring the safety of the payments system. So what we need is a complete and thorough overhaul of the laws governing payments, eliminating differences in the treatment of electronic debit and credit transactions and promulgating instead a single set of federal laws governing the payments systems structure and crimes related to it. This agency’s responsibilities would include policing, promulgating regulations and enforcing them, and providing support to consumers with regard to identity theft.
The agency best positioned to handle this responsibility, given its deep involvement and its understanding of retail and wholesale payments systems, is in fact the Federal Reserve, perhaps in concert with the Consumer Financial Protection Board that is legally part of the Federal Reserve and funded by the Fed. The current investigative and enforcement activities of the Secret Service, the FBI, and other responsible agencies should be transferred to the Federal Reserve, which presently has examiners and other personnel involved in examining and inspecting financial institutions at the center of the payments system. These are personnel who also have deep understanding of how these systems operate.
The Federal Reserve System already has a national footprint, with multiple offices across the country that could be used to carry out these responsibilities, a function far more critical than their current focus on economic education and the gathering of economic information, as their role in check processing has essentially disappeared. This reassignment would complement the Fed’s current responsibilities with regard to systemic risk.
Without a comprehensive review and a more coherent and unified approach to overseeing and safeguarding payments systems and addressing cyber-terrorism, the Fed’s proposed initiatives, which are presently focused mainly on cooperation and volunteer participation by the affected industry components, are likely to be ineffective and/or too little too late.
Bob Eisenbeis, Vice Chairman & Chief Monetary Economist.