The Consumer Financial Protection Bureau (CFPB) plans to use its tools to prevent consumer harm, but it won’t hesitate to use its enforcement powers, the Bureau’s Director, Kathleen Kraninger, said in a speech to the Bipartisan Policy Center on April 17, 2019.

Kraninger’s tenure began with a listening tour, aimed at gathering input from a variety of stakeholders, including the Innovative Payments Association, about the Bureau’s operations and the state of consumer financial services. According to the Director, she identified four themes that emerged from these conversations.

“The CFPB’s mission and the agency itself are critical to our economy and are not going away,” she said.

Additionally, Kraninger reiterated her commitment to ensuring a level playing field for providers, to holding bad actors accountable, and to taking care of the people using financial services.

“All stakeholders expressed a strong interest in protecting consumers, though they differ on the best way to accomplish that mutual interest,” Kraninger said.

For Kraninger, the best approach for protecting consumers starts with preventing them from having problems in the first place, and then stepping in when necessary. She identified four tools for making this method work.

“Those tools include education, regulation, supervision, and enforcement, each of which serves an important component in the Bureau’s execution of its mission,” Kraninger said.

Educating consumers was the first tool in preventing harm, because it enables individuals to make better choices and avoid potentially dangerous products, she said.

“Let me be clear, however, the ultimate goal for the Bureau is not to produce booklets and great content on our website,” Kraninger said. “The goal is to move the needle on the number of Americans in this country who can cover a financial shock, like a $400 emergency.”

To that end, the Director said she wants to leverage the already substantial investment in financial education across the country and create a strategy that involves providers, educators and other stakeholders to help improve the finances of American consumers. She pointed to the Bureau’s recently launched “Start Small, Save Up” program as a starting point for this larger initiative.

Moving on from education, Kraninger said regulation was another area where the Bureau could help prevent problems and foster innovation at the same time. By ensuring that rules are keeping up with the times, the Bureau can help protect consumers while enabling them to access to good products.

She gave the Fair Debt Collection Practices Act as an example, which was first put into place in 1977. The advances in communications technology since that time require updates to the rules, according to the Director. The Bureau is planning to propose clarifying rules on this matter in the near future.

Although rules will be reviewed and updated, that doesn’t mean there will be scores of new regulations for the industry, according to Kraninger.

“I take seriously our responsibility under the law to reduce unwarranted regulatory burden and to consider the impact of rulemaking on regulated entities and consumers,” she said.

Along with regulation comes supervision. Kraninger believes that regular exams for financial services providers can be part of the preventative approach to consumer protection by catching lapses in compliance and internal controls before they become larger problems.

“Heading trouble off at the pass may not grab big headlines, but it will prevent a lot of headaches for the consumers we serve,” she said.

Of course, not all trouble can be headed off, and Kraninger says the Bureau is ready for that.

“Let me state emphatically my view that enforcement is an essential tool Congress gave the Bureau – particularly because education, rulemaking, and supervision will not prevent every violation,” she said. “There will always be bad actors who don’t comply with the law.”

Enforcement actions take time while the Bureau is building a case, and this process often entails cooperation with other agencies—including state regulators and attorneys general. Conducting enforcement thoughtfully and well is a critical component to the Bureau’s mission, she said.

“I hope that our emphasis on prevention will mean that we need our enforcement tool less often,” Kraninger said. “But when we do discover violations, enforcement is essential to hold wrongdoers to account, make things right for consumers, and deter future violations.”

Despite the current political atmosphere, the Director struck a bipartisan note and said that the common goal of protecting individual Americans should drive the Bureau’s mission and actions.

“I worked under Secretary [Norman] Mineta, a former Democratic congressman and Clinton commerce secretary, who served as President Bush’s Secretary of Transportation. He liked to say there are no Democratic roads or Republican highways,” Kraninger said. “While being mindful of the political environment and considerations, we focused on developing and promoting the right policies for the American people. We also engaged in robust and transparent discourse on what those right policies were – both internally and externally with the many stakeholders who cared about those policies. I have adopted that model in my career and am bringing that to my leadership of the CFPB.”

Cyber security expert and author Brian Krebs had a cold dose of reality for financial services companies at the Power of Prepaid Conference.

“It’s easy to think everything, everyone, everywhere gets hacked – I think that’s a good summation of reality,” Krebs said in his keynote talk on April 10. Accepting this reality, he added, is the first step toward improving both personal and corporate security.

“If you accept the fact that companies get breached on a daily basis, then you can do security [better],” he said.

Throughout his talk, Krebs offered ideas and suggestions for how businesses can cope in such a world. The first step is for them to start working together.

An advantage hackers have over cyber security teams is their collaboration through online forums.

“If you need help in the underground there are lots of people there,” Krebs said.

Companies can combat this by sharing information and letting others know when they have faced attacks. An open dialogue not only helps others ward off attacks but also encourages reciprocity.

Once cyber security teams recognize what is happening out in the wild, they can figure out where their weaknesses lie and work to shore up their defenses, which aren’t purely technical.

“People are the most important and most dangerous assets in organizations,” Krebs said.

People don’t change passwords and click on phishing e-mails, but also secure systems and respond to incidents. Training employees and hiring cybersecurity staff are steps that can reduce a company’s risk. Krebs encouraged companies to implement two-factor authentication for customers and employees, noting that system administrators in particular should be held to high authentication standards.

“You can’t secure what you don’t know you have,’ Krebs explained. Identifying the connections and overlaps between physical and cyber security is essential. Businesses should also map out their servers, domains and IP addresses to understand their own vulnerabilities. Response plans also need to be prepared and drilled.

One area where the prepaid industry can have an advantage is managing third-party risk. Krebs said this was “the biggest elephant in the room” no one wanted to talk about, but if a company has a handle on this, they have a handle on security. Prepaid issuers have had regulatory guidance since 2011 from the Office of the Comptroller of the Currency that includes a provision saying banks’ third-party contracts should include: “procedures in the event of service disruption or security breaches that pose a material risk to the bank.”

Of course, guidance needs to be followed with action. An earlier panel at the conference highlighted managing third-party risk. Liz Nutting, senior vice president of strategic partnerships and network relations at Axos bank, said that banks need to do risk assessments at least yearly and more often if risks are high.

Risks need to be reevaluated when a third-party does something like making a major software change, added Alicia Reid, associate general counsel at FSV Payments Systems.

Perhaps the most surprising advice Krebs offered attendees was to encourage people to “hack their companies.” Finding weaknesses is ultimately the best way to manage them. He said companies can hack themselves by trying things like testing common passwords to break into accounts from the outside.

“If you want to know how vulnerable you are, just start hacking your own people,” he said.

The final advice Krebs offered was for everyone to make sure they did not fall prey to thinking that they know more than they do.

“All of us win – personally and professionally – when we challenge our assumptions about security,” Krebs said.

Financial services companies that want to prevent hackers from breaking into their portfolios need to develop intelligence and counter intelligence, according to speakers at the

2019 Power of Prepaid Conference.

Financial services companies can learn from the ancient Chinese strategist Sun Tzu, who wrote that generals needed to know their enemies and know their own armies in order to be victorious, Bob Gourley, the cofounder of OODA LLC and a former naval intelligence officer, said. He described how espionage has gone from cloak and dagger to breach and hacker, and that this has bled over into the world of financial services.

He had three primary recommendations for companies planning to fight fraud.

1. Companies need to know their adversaries look for their weaknesses. While hackers will likely surprise a company, studying them can yield good information about their weaknesses.
2. Companies need to know themselves: what is their most important data and their abilities to fight fraud. Gourley also said the companies need to test themselves to learn how well their defenses work.
3. Companies need to raise their defenses by designing systems for defense and containment and planning for backups in case they do get hacked.

Doing intelligence work like this is one part of the puzzle for companies. The other part is counter-intelligence. Steve Lenderman, who works in the Global Security organization for ADP, recommended that companies begin doing counter intelligence on what is happening in the realm of fraud.

He said companies can gain a lot by starting with online searches of the most common schemes to see how they are executing. He recommended that people look at common scams such as romance scams and work at home scams where people use social engineering to connive people to send them money.

Financial service providers should also pay attention to purchase patterns to spot nefarious activity such as human trafficking. For example, a pattern of use that shows using Uber to get to the same hotel frequently followed by transfers of money off a card might be indicative of human trafficking.

Another area of counter intelligence would be to search for portfolio BINs on the dark web. He recommended that people either out source this work or make sure they can do it in a way isolated from their primary systems to avoid risking exposure.

Companies have options when it comes to fighting fraud, but it is a constantly changing fight. So they must continually update themselves both through intelligence on themselves and their defenses and counter intelligence on what is happening on the dark side.

In a divided Congress, one area that might lend itself to bipartisan is financial services, Congressman French Hill (R-AR) said in a speech at the Innovative Payments Association’s Power of prepaid Conference in Washington DC on Tuesday.

He said that in the House Financial Services Committee there is consensus between Chairwoman Maxine Waters (D-CA) and Ranking Member Patrick McHenry (R-NC) that fintech should be a priority for the Committee. He recommended that the attendees read the Department of Treasury’s Fintech report, which was released last you. You can find a summary and a link to the full report here.

Mr. Hill said that as incumbents and fintechs reshape the payments landscape, Congress needs to focus on a number of issues including

• Data aggregation and consumer use of third-party apps;
• Data privacy and breach notification;
• Developing a faster payments system.

The United States needs to develop a solution for real time settlement in order to remain competitive in financial services, he said.

Mr. Hill said that Congress plans to invite the federal regulatory agencies to the hill to learn about their approaches. He suggested there is a need to streamline compliance, and he invited the industry to give feedback to Congress.

All of this work needs to aim towards a singular end, he said.

“The ultimate beneficiary of this should be the American consumer,” Mr. Hill said.