Making Electronic Money Safer in the Digital Age 
Imagine you go to pay for your morning coffee and your stored-value card returns an error message, or the wallet in the payments app on your phone isn’t opening because the company providing the payment service has gone bankrupt. Worse, what if you live in a rural area and the e-money service provided through your mobile phone was the only access you have to the financial system? Or your government now relies on the e-money system to transfer benefits or collect taxes on a large scale?
With the growing importance of e-money issuers, a comprehensive, robust framework for regulation and safeguarding customer funds is critical.
Digital forms of money—including central bank digital currencies, privately issued stable coins, and e-money—continue to evolve and find new ways to become more integral in people’s day-to-day lives. In essence e-money is a digital representation of fiat currency guaranteed by its issuer. Customers exchange regular money into e-money, which they can use to make payments through an app on their cellphone to individuals and businesses alike with ease and immediate effect. Compared to other recently developed forms of digital money, such as stablecoins, e-money has been around for some time and its customer base continues to rapidly increase. Unlike most privately issued stablecoins, e-money operates in a regulated framework.
For regulators and supervisors charged with protecting consumers and ensuring a level playing field for all financial intermediaries, keeping pace with new developments can be challenging. Regulators and supervisors need to consider how to best protect customers from the failure of (potentially systemic) e-money issuers, including preventing the loss of their funds.
A new IMF staff paper considers these and other scenarios that may put consumers and—potentially—entire e-money systems at risk. We examine how regulatory practices are evolving on a country-by-country basis and put forward a set of policy recommendations on regulating e-money issuers and safeguarding their customers’ funds.
E-money offers payment solutions for the unbanked
We can think of e-money as an electronic store of monetary value on a prepaid card or an electronic device, often a mobile phone, that may be widely used for making payments. The stored value also represents an enforceable claim against the e-money issuer, by which its customers can demand at any time to be repaid the funds they used to purchase e-money.
E-money is already a vital part of daily life for billions of people, especially in many developing countries, where many lack access to the banking system. As shown in the chart below, a high percentage of the population across a number of East African countries now use e-money, making it important from a macro-financial perspective. It is estimated, for instance, that two-thirds of the combined adult population of Kenya (where M-PESA has reached a high degree of market penetration), Rwanda, Tanzania, and Uganda use e‑money regularly. Many of these people do not have bank accounts or other access to the formal financial system, so they store significant shares of their disposable funds in e‑money wallets and access them using mobile phones or computers.
Protecting financial systems and consumers alike
With the growing importance of e-money issuers, a comprehensive, robust framework for regulation and safeguarding customer funds is critical. Issuers should be subject to proportionate prudential regulatory requirements. For example, they should establish operational risk governance and management systems to identify and limit risks. They should also be prohibited from retail lending. And, in order to protect consumers who may be less sophisticated than bank customers, rules should be put in place governing how issuers disclose fees, protect consumer data, and handle complaints.
One of the most important regulatory measures identified in our paper is that in order to protect customers’ money, all e-money issuers need to implement mechanisms to safekeep and segregate those funds. Issuers need to maintain a secure pool of liquid funds that is equivalent to the amounts of customers’ balances, and which is kept separate from the issuer’s own funds. This is a fundamental safeguard against misuse of the funds and should allow, in principle, for recovery of those funds in the event of bankruptcy of an issuer.
Keeping the customers’ funds segregated, however, does not resolve all the problems if a potentially systemic issuer were to fail. In the absence of specific bankruptcy rules, segregation by itself does not ensure that the customers would get quick access to their funds, and this discontinuity may create severe problems if the issuer plays a potentially systemic role in the payments system and in day-to-day transactions of the country.
Potentially systemic, potentially problematic
Regulators and supervisors may need to significantly strengthen prudential oversight and user-protection arrangements, depending on the business model and size of the e-money system. In countries with a potentially systemic e-money issuer or sector, the protection in place should seek to preserve customers’ funds and ensure continuity of critical payment services.
While some countries have sought to extend deposit insurance to e-money, further efforts may be needed to operationalize such protection and ensure that it would work effectively in practice. In particular, customers should not lose access to their funds and, therefore, services should be restorable or replaceable quickly, preferably within hours. But putting e‑money deposit insurance into practice remains untested so far—at least in practical terms. The costs and benefits of extending deposit insurance coverage effectively to e-money should be carefully considered.
As with many issues in the fintech sphere, best practices are still taking shape, making policy decisions challenging. However, the pandemic has only increased the importance of prudent e-money frameworks, as the number of online transactions and e-money’s growth has accelerated. For regulators and supervisors, the time for action is now.
For the average person, the most valuable information may be knowing how to identify and avoid the most current financial scams. Nearly everyone I know has either been targeted or has become a victim of one of these scams, and I am betting many people who lost money are too embarrassed to admit it publicly. (Literally in the middle of writing this post, I received another scam call.)
One scam that you may not have heard of is the ACAT Transfer scam. A thief will obtain enough of your personal information to open a new E*Trade brokerage account, and then they will request an ACAT transfer of the entire contents of your existing brokerage account (ex. Fidelity) to that new fake E*Trade account which they control. At this point, they can quickly liquidate the account and send the money elsewhere. The key here is that they just need to be able to open an empty, new brokerage account in your name plus find your Fidelity account numbers from a statement. They don’t need your Fidelity username and password (or pass two-factor authentication).
Even more importantly, you won’t notice unless you log into your account. Opening a new E*Trade or other brokerage account will not trigger a credit alert or most identity protection services. Many brokers (see below) will process an outgoing ACAT transfer without confirming with you or even notifying you in any way. If you don’t look at your statements closely, it may be months or longer before you notice.
You can read about the experiences of multiple victims in this Reddit thread. Here’s a partial quote in case the thread is deleted.
Lost around 150k worth of stock from my fidelity brokerage account to an online scam (ACATS Transfer)
My husband has a fidelity brokerage account and last month all his shares were transferred out of his account. Upon calling the customer care, we were told that his stocks were transferred by him to an account with eTrade.
We communicated that we don’t have any e-trade account and the transfer was not initiated by us. We were shocked that no notification/intimation was sent to us before completing the transfer and no authorization was required!!
It looks like a fake account was created in his name with eTrade which initiated an account transfer. He did not receive any request/emails/text from Fidelity that the stocks are being moved. The etrade account has been frozen but the stocks are already sold and proceeds are transferred to another account.
The good news is that the original poster was eventually able to get back their funds, although it must have been a very stressful two months. It is not clear if Fidelity reimbursed them out of their own pockets or were able to reverse the transactions.
We were able to recover the stocks after waiting and following up for 2 months. Fidelity reps were able able to help us.
The discussion pointed out the potential usefulness of a relatively unique Fidelity feature called Money Transfer Lockdown (Fidelity login required). Here is a summary of the features and how to activate it per Fidelity:
Money Transfer Lockdown, an additional security measure Fidelity provides to its customers, may affect or disallow certain types of transactions. In order to transfer between two of your Fidelity accounts (In your example brokerage and CMA) when Money Transfer Lockdown is enabled, you will need to temporarily disable the feature prior to making the transaction. Once you have successfully made the transfer, you can enable the lockdown again by logging in into your Fidelity.com account anytime and visit “Security Center” from your “Profile” page.
Protected Transactions:
- Outbound money transfers
- Transfers between Fidelity accounts
- Transfer of shares and assets to other institutions
- Individual withdrawals (previously scheduled EFT transfers from an account might still be processed)
Unaffected Transactions:
- Deposits or transfers into a Fidelity account
- Checkwriting and direct debits
- Debit/ATM transactions
- Trading
- Scheduled Required Minimum Distribution (RMD) or Personal Automatic Withdrawal plan
- BillPay
A member of the Bogleheads forum helpfully tested out this service by attempting various transfers out of their “locked” Fidelity account. The Money Transfer Lockdown service did successfully block a legitimate ACAT transfer request from another brokerage. However, ACH pulls went through for those accounts that have routing and account numbers like a traditional bank account. Here are their brief conclusions:
Fidelity’s account lockdown blocks fraudulent ACATS pulls. It is an excellent, differential feature that Schwab and Vanguard don’t have. However, it has some limitations and vulnerabilities. It provides no extra security against fraudulent push of assets and doesn’t block fraudulent ACH pulls. To deal with ACH limitations, using CMA as an intermediary account from brokerage to the external world may be prudent.
As a result, I have taken to using the Money Transfer Lockdown service on all available account types (doesn’t work on 401k accounts, for example). It’s a little extra hassle, but definitely worth the added peace of mind. I hope that Vanguard and other brokers will add a similar feature to make it harder to perform an ACAT transfer without notice. I also believe that Fidelity would do a much better job of working to restore my assets than any other broker, especially the smaller brokers.
Now, if someone gains full access to your Fidelity account (username + password + 2FA), they can simply turn off the Lockdown feature. However, every time I do that I get both a text and an e-mail, so hopefully that will provide early enough notice to block any fraudulent transfers, or at least make the clawback faster. In addition, I feel that most people need to make sure they have a difficult PIN number on their phone, as login security is quickly coming down to having your phone as a type of physical “key”.
The quiet nature of ACAT transfer is what makes this scam possible! They are taking advantage of standard industry practice that is a weak point in financial security. The scammers all know this. We need to change this process to increase security. First, I’ve never had a brokerage account opening trigger any credit alert or identity theft monitoring service. Second, I recently transferred a significant amount of assets to Fidelity from Public using ACAT, and Public did not send me a single email, text, or phone call. My Public account was simply zero one day. I did legitimately request this transfer, but what if I didn’t?!?
No comments:
Post a Comment