Mitigating Data Risk at AMEX

American Express and Data Theft Risk

Scenario

In March 2016, American Express admitted that customer data was stolen from the company in 2013 in a letter to the California Attorney General (Condliffe, 2016). As a credit card company, AMEX works with a large number of merchants, and the data breach came on the merchant end and that the affected customers were notified as soon as was possible. However, this incident provides a learning experience, and the key problem now is how Amex can learn from this experience going forward with respect to how it handles such third-party data breaches in the future. This one particular incident is not the problem, but it highlights a broad category of problems -- credit card fraud and cybercrime -- that cost the industry billions of dollars every year. Managing this better than competitors will be a boon to consumer confidence in the American Express brand and can be a source for both financial and marketplace competitive advantage going forward.

Analysis

American Express competes in the credit card business, wherein it provides consumer credit, and works with retailers who recognize its credit cards to facilitate merchandise purchases. Amex has seen its total revenue decline in 2015 in the face of a competitive industry, and this in turn has reduced the company's profits as well (American Express Form 10K). Despite these struggles, the company cited its many strengths in its annual report, namely higher transaction volumes, industry-leading credit quality, a growing loan portfolio and strong operating expense controls. Another strength of Amex is that it has just recently surpassed MasterCard for the #2 position in the credit card industry, according to SEC filing data (Papadimitrou, 2016)

Working against these strengths are a number of weaknesses that the company faces in its operations. First, it is highly dependent on the U.S. dollar, and a stronger dollar supressed revenues from overseas customers, which were worth less when translated back to USD for financial reporting purposes -- Amex has high translation risk. The company is vulnerable to data breaches, as the core case identifies, in particular where vendors, merchants, and other third-party partners are concerned. While Amex can control its own cybercrime risk, it has very limited ability to control cybercrime risk at third parties that also have access to Amex customer data. Amex remains, however, a distant second behind Visa in market share, and ranks third in terms of global acceptance behind Visa and MasterCard, both of which have a much broader global network (Papadimitrou, 2016).

Working with a reasonably strong financial base and market position, Amex can improve its reputation among consumers by strengthening its credit card fraud prevention. This opportunity represents an improved way of handling such cases of data theft and other fraud. Credit card cybercrime costs the industry billions, but if American Express can develop superior security techniques, it can avoid the attention of thieves, who typically look for weaknesses in security that they can exploit. It is worth noting, however, that while there is significant opportunity to improve upon fraud prevention techniques, fraud remains a threat because the rapid pace of technological development allows criminals to often stay one step ahead of those engaged in cybersecurity (Barker, D'Amato & Sheridon, 2008).

Research shows that reducing opportunities to commit cybercrime is critical to achieving a reduction in such crime. Large credit card frauds in particular tend to be sophisticated crimes, and there are often organized crime links. In particular, criminals who steal the data must then sell that data in order to monetize their theft. The organizations that buy the data are usually the ones that actually commit the frauds. Thus, in order to defend against cybercrimes, it is important to deny the hackers access to data in the first place. Typically, proactive approaches are recommended by cybersecurity experts (Prabowo, 2011).

Alternatives

There are a couple of different alternatives that can be explored. One is to pursue remedies with the other major credit card companies (Visa, MasterCard, Discover). The advantages of pooling resources are that more resources can be put into the effort, and that efforts are not duplicated, leading to more efficient use of the resources that are applied to this problem. If the industry as a whole becomes difficult to scam, then criminals may turn their attention to other industries entirely. Conversely, if the four companies work independently on solutions, there may be enough gaps in the solutions for criminals to exploit, and the companies will forever be playing catch-up as criminals respond quickly to new opportunities for fraud. The downside of this alternative is that if the companies work together, there is no opportunity for Amex to gain competitive advantage from the approach. Competitive advantage is specifically gained by outperforming the competition in specific areas. If Amex can go from being a company that receives negative publicity for security breaches to a company known for having few such breaches, that could make Amex a more attractive option for consumers. By working independently, there is greater risk of incomplete defenses, but greater upside if the company can outperform its competitors in cybercrime risk management.

The second alternative is to deal with the issue at the merchant level. . This means more carefully vetting merchants for their cybersecurity procedures. The advantages of this are that Amex can become a more exclusive card in a sense, offering a level of security that the other companies cannot offer. Amex already has lower distribution, and does not compete strictly on its distribution the way that Visa and MasterCard do, so the downside risk is lower than it would be for the other two major companies. Thus, Amex could gain competitive advantage by being the company whose vendors are certified to be trustworthy.

The disadvantage of this approach is that it is expensive. Verifying security protocols at each merchant would be a time-consuming, costly endeavor, and one that given the rapid changes in technology would have to be updated annually. This alternative may ultimately cost Amex more money than fraud does, to implement it in a meaningful way. Further, there are some risks associated with reducing the number of merchants that accept Amex cards, and raising barriers to merchants accepting these cards constrains Amex's revenue growth going forward in a way that increased usage by customers may not offset.

Recommendation

It is recommended that Amex works with its competitors to strengthen security throughout the industry. The credit card industry is targeted by criminals because it is an easy mark, and can be taken for billions. If the industry players work together on fraud prevention and data security, the pooling of resources, and efficient use of those resources, can make the credit card industry more secure overall. Further, these companies duplicate merchants -- most merchants take all four major cards -- so providing a simple, uniform set of security protocols for all merchants across the industry would make it easier for merchants to implement data security. This recommendation still leaves room for competitive advantage -- how the company handles incidents of fraud is an area where it can outperform its competitors. For example, Amex dealt with the California data breach quickly with affected customers, and moving quickly when incidents do occur, while maintaining a high level of communication with both customers and law enforcement, can be an area where if Amex outperforms, it will gain greater acceptance among customers. A recent poll by Gallup showed that cybercrime is the number one crime fear among Americans (Riffkin, 2014). Showing leadership in terms of reducing risk to consumers will go a long way to winning more customers and more transactions for Amex.