Security of Payment Systems
Though most countries have laws in place to regulate different components of the payments system, no country has yet addressed payment systems issues comprehensively. Payment systems legislation should identify, license, and regulate any directly related payment system entities, such as money transmitters and ISPs. It should require such entities to operate in a safe and sound manner so as to protect the integrity and reliability of the system. It should require the timely and accurate reporting of all security incidents, including all electronically related money losses. Finally, it should require all payment system entities to adhere to a documented security program and should encourage some form of shared risk protection.

In particular, money transmitters and ISPs that provide services to the financial sector should be required by regulation or legislation to assume liability for their services. Sharing risk is a proven model in the financial services arena, and there is as yet no evidence that this would increase the basic service cost. In fact, only when service entities are required to report losses or suspected losses can sufficient information be garnered to improve pricing for e-security performance bonds and e-commerce liability insurance.

Because there is no comprehensive law regulating payment systems, and because regulation and oversight are not standardized, many money transmitters introduce significant risk into the payments system. Typically, they are undercapitalized, use little or no risk-management analysis, and are extremely susceptible to bankruptcy and failure. With the escalation of Internet-related commercial activities and the requisite need to provide ubiquitous payment system conduits, money transmitters are increasing the disintermediation of the traditional payments systems and have a higher profile in the eyes of law enforcement.