75 BANKING PERSPECTIVES QUARTER 4 2018 therefore the number of potential targets for hackers. The token can be used in all of the merchant’s back-end systems and processes. Second, it removes reliance on encryption to protect data at rest. While encryption is an important information security tool, it is based on algorithms that a sophisticated hacker may be able to crack. Once the encryption has been cracked, the hacker would have access to the sensitive credit card numbers. Of course, the value of tokenization in the United States could extend well beyond card numbers, and the idea that tokenization should be considered in other contexts is gaining steam. For example, in a recent white paper issued by the Federal Reserve Bank of Boston, 2 the authors discuss the current state of tokenization and call on the industry to consider how this technology can be used to protect, among other things, demand deposit (i.e., bank) account numbers in payment systems such as ACH. While there is always a cost when enhancing security, the costs of enabling tokens may be outweighed by the fraud losses that tokens will prevent. Who will bear this cost may determine the speed with which tokenization is adopted, but it is hard to imagine that a customer of a bank would object to having the option of using a token to guard against the possibility that the customer’s bank account number is compromised in one of the many places where it is stored today. And bank customers ultimately may demand such protection. This might be especially true of small business account holders that do not benefit from the protections afforded consumers under laws such as the Electronic Fund Transfer Act (EFTA) or Truth in Lending, and that may not have the resources of larger organizations to prevent or limit the impact of an account compromise. TOKENIZATION AND PAYMENTS SUBJECT TO THE TRAVEL RULE While the use of tokens in a particular payment system is generally regarded as a technology and operations issue, the ability to implement tokenization of certain business payments and even certain consumer payments over funds transfer systems may hit an unexpected legal roadblock known colloquially as the travel rule. The travel rule is contained in regulations issued by the Financial Crimes Enforcement Network (FinCEN) pursuant to the Annunzio- Wylie Anti-Money Laundering Act of 1992, which amended the Bank Secrecy Act. 3 It requires financial institutions 4 involved in funds transfers to include certain information in their payment instructions in order to assist law enforcement investigations of money laundering and other crimes. 5 Importantly in the context of tokenization, the travel rule requires the payer’s financial institution to include in a payment instruction at the time it is sent to the next bank in the funds transfer chain, the name and, if the payment is ordered from an account, the account number of the originator. 6 Thus, by its terms, the travel rule does not permit the use of a token as a substitute for the originator’s account number. While the travel rule also requires the payer’s financial institution to include the name and address of the payee, the account number of the payee, and any other specific identifier of the payee, the obligation to include this information is tied to actual receipt of the information from the payer. 7 As a result, if the payer provides only the payee’s token as “the specific identifier of the payee,” then the payer’s bank satisfies this aspect of the travel rule by including the token in its payment instruction. 8 The travel rule has not been an issue in current tokenization efforts for cards because of the rule’s narrowly tailored scope. The rule applies to certain “transmittals of funds,” which, until recently, were limited to non-bank money transfers and wire payments (i.e., funds transfers) of $3,000 or more. 9 This is because the rule expressly excludes a number of payment types, namely consumer funds transfers governed by EFTA, and consumer and commercial funds transfers made through an automated clearinghouse, an automated teller machine, or a point-of-sale system. 10 In contrast, consumer and commercial payments sent over wire The compromise of millions of card numbers stored at large retailers and the ever-evolving and increasingly sophisticated nature of cybersecurity threats have forced payment system stakeholders to enhance the security of their systems.