According to the True Cost of Fraud Study by LexisNexis, fraud as a percentage of revenues for merchants increased from 1.32 percent to 1.47 percent last year. “The annual cost of fraud at organizations is on the rise, and I’m sure with some of the data breaches we’ve seen recently, we’re going to see a pretty big uptick in the next year as well,” said Austin O’Brion, co-founder of identity verification technology firm Token of Trust.
Speaking at the latest meeting of AFP’s Treasury Advisory Group, O’Brion offered four ways corporate treasury and finance professionals can protect their customers’ data:
Avoid the “walled garden” approach. The typical approach to security is just building higher and higher walls around data over time. Someone is going to get into that system at some point in time; companies are being naïve if they think it won’t happen. You first have to accept that somebody will slip within your walls and gain the same access that employees would have within your organization. The key is making sure they can’t get sensitive data once they’re inside.
Anonymize data. Not all data needs to be human readable. O’Brion noted that he has observed so much personal information floating around various organizations he’s worked for, being passed between emails, etc. For example, if you have specific location information on a customer, there are programs that can scramble GPS coordinates to further anonymize them. “You don’t need to know their actual home address; maybe you just need to know they live in a certain neighborhood,” O’Brion said. “Those are things you can do to buffer yourselves and protect your customers.”
Encrypt data. It is essential to encrypt data at the level of the individual entry. Oftentimes, organizations encrypt data only at a system-wide level. But if every data entry has its own encryption key associated with it, that adds a layer of security: compromising one key exposes one entry rather than the whole store. However, this requires more processing cost. “Every time you encrypt something you have to decrypt it too—so you’re going to need more processing power to have mechanisms like that within your system,” O’Brion noted.
Discard data. What data is actually necessary to have in your system? Keep as little data as possible, because storing more data has become a liability. “We’ve learned from enough of these data breaches that as long as you’re holding [personally identifiable information (PII)], you become a target,” O’Brion said. “So if you can store as little of that information as possible, then that’s definitely the optimal route. So we’ll verify and then discard. If we’re looking at driver’s license or passport information—I don’t want to store that information. I just want to know, at one point in time, that we were able to verify that information.”
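The following is an added illustration, not code from the AFP article or from Token of Trust, of three of the practices listed above: coarsening location data so only the neighborhood is kept, deriving a separate encryption key for every stored entry, and recording that a document was verified without keeping the document itself. It uses only the Python standard library; the grid size, the record layout, the `check` callback standing in for an external verification service, and the in-memory master key are all assumptions made for the example (a real deployment would keep the master key in a KMS or HSM and use a vetted AEAD such as AES-GCM instead of the HMAC-based keystream used here).

```python
"""Added illustration (not the article's or Token of Trust's code) of
anonymize / encrypt-per-entry / verify-then-discard, standard library only.
Names, record layout and grid size are assumptions made for the example."""
import hashlib
import hmac
import math
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Tuple

# ---- 1. Anonymize: keep the neighborhood, drop the address ------------------
def coarsen_location(lat: float, lon: float, cell_deg: float = 0.01) -> Tuple[float, float]:
    """Snap a GPS fix to the south-west corner of a grid cell.

    At cell_deg=0.01 a cell is roughly 1 km on a side (assumption: coarse enough
    for "lives in this neighborhood"), so every address inside the cell yields
    the same stored value and the exact home location is never persisted.
    """
    return (round(math.floor(lat / cell_deg) * cell_deg, 6),
            round(math.floor(lon / cell_deg) * cell_deg, 6))

# ---- 2. Encrypt per entry: one key per record, derived from a master key ----
# Assumption: in practice the master key lives in a KMS/HSM, not in memory here.
MASTER_KEY = secrets.token_bytes(32)

def record_key(master: bytes, record_id: str) -> bytes:
    """Derive a distinct 256-bit key for each record (HMAC-based KDF).
    Leaking one record's key exposes that record only, not the whole table."""
    return hmac.new(master, b"record-key|" + record_id.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode. Used only so the example runs without a
    third-party library; a real system would use AES-GCM or ChaCha20-Poly1305."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one entry under its own key; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_entry(key: bytes, blob: bytes) -> bytes:
    """Reject a wrong key or a modified blob before touching the ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered entry")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- 3. Verify, then discard: persist the outcome, not the document --------
@dataclass(frozen=True)
class VerificationRecord:
    customer_id: str
    document_type: str      # e.g. "passport"; the number itself is not stored
    verified: bool
    verified_at: str        # ISO-8601 timestamp supplied by the caller
    document_ref: str       # keyed hash: lets you spot the same document reused

def verify_and_discard(customer_id: str, document_type: str, document_number: str,
                       check: Callable[[str], bool], ref_key: bytes,
                       verified_at: str) -> VerificationRecord:
    """Run the (assumed external) check and keep only what is needed later:
    that verification happened, when, and a keyed reference to the document."""
    result = check(document_number)
    ref = hmac.new(ref_key, document_number.encode(), hashlib.sha256).hexdigest()[:16]
    del document_number   # the raw number leaves scope here and is never written out
    return VerificationRecord(customer_id, document_type, result, verified_at, ref)

if __name__ == "__main__":
    # Constructed sample data for the demo.
    print(coarsen_location(40.7589, -73.9851))          # -> (40.75, -73.99)
    k = record_key(MASTER_KEY, "customer-42")
    blob = encrypt_entry(k, b"123 Example Street")
    print(decrypt_entry(k, blob))
    rec = verify_and_discard("customer-42", "passport", "P1234567",
                             lambda n: len(n) == 8, secrets.token_bytes(32),
                             "2024-01-01T00:00:00Z")
    print(rec)   # the passport number appears nowhere in the stored record
```

The `document_ref` field is a design choice rather than a requirement: a keyed hash under a key separate from the master key lets the organization notice the same document being presented again without retaining the number, and it can be dropped entirely if that capability is not needed.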
While companies may seek to discard personal data that they don’t need, the same cannot be said for banks. Treasury professionals have expressed frustration over being forced to provide PII to banks on many of their companies’ employees due to strict know-your-customer (KYC) requirements. Across the board, banks are gathering this information and retaining it for the foreseeable future, leaving treasury professionals vulnerable should a breach occur.
There has been talk of creating a centralized KYC repository that would store all of this data in one place. This is a popular idea among many treasury professionals because it would require them to give out their information just once, as opposed to multiple times for multiple banking partners. The downside is that it could just create one giant treasure trove for hackers.
“If we’re talking about building a repository that has all of the PII information in its raw form, then that’s a huge risk—it’s putting a giant target out there for any hacker out there to check it out,” O’Brion told AFP in an interview.
Again, it comes down to anonymizing and encrypting that data, and ultimately discarding what you don’t need. If such a repository was designed so that it doesn’t actually hold onto some of that critical information, it could be much less appealing for cybercriminals. But that would require regulators and banks to approach KYC information differently, only requiring what is absolutely necessary.
“We have to ask ourselves what information actually is important,” O’Brion said. “Sometimes, companies will take that easy path and just store every piece of information related to an individual and keep it all on file. But is that really necessary? When you think about it in terms of KYC and AML, it’s not.”