Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

November 17, 2014


Consumer Prepaid Protections May Be Catching Up with Prepaid Use

On November 13, the Consumer Financial Protection Bureau (CFPB) issued its much-anticipated notice of proposed rulemaking of consumer protections for the prepaid market. This proposed rule covers multiple facets related to the prepaid industry, including disclosure requirements, fraud protection, access to account information, and the provisioning of credit via overdraft. Today's blog will provide a brief, high-level summary of this rule.

What is and isn't covered under this rule?
This rule redefines a "prepaid account" under Regulation E (Reg E). Prepaid products include cards, codes, and other devices capable of being loaded with funds that are not currently covered by Reg E and are usable at multiple, unaffiliated merchants and ATMs, and for person-to-person transfers. Gift cards, and certain related cards, are excluded.

Disclosure requirements
The rule requires that card issuers use two forms to disclose fees. The short form discloses four types of fees: monthly account fees, cash reload fees, ATM transaction fees, and purchase transaction fees. The rule proposes the use of a model form that establishes a safe harbor for compliance to the short-form requirement. The long form describes all of the potential account fees and the conditions under which these fees are assessed, as well as the fees that short form includes. Both disclosures must be made available to the consumer before the opening of an account.

Fraud protection
The rule modifies Reg E to require that issuers adopt error resolution procedures and limited liability for prepaid accounts. Reg E coverage limits a prepaid consumer's liability for unauthorized transfers to $50, assuming that the consumer gives timely notice to the financial institution and the card has been registered. Further, financial institutions would be required to resolve certain errors to prepaid consumer accounts.

Access to account information
The rule also modifies Reg E to require that financial institutions provide prepaid account holders with free access to periodic statements or that they make available to the consumer the account balance and at least 18 months of account transaction history. These periodic statements and transaction histories must include a summary of monthly and annual fees in addition to a listing of all deposits and debits.

Overdraft protection
The rule allows for issuers of prepaid accounts to offer overdraft services and other credit features. However, issuers that offer these services or features for a fee are subject to Regulation Z (Reg Z) credit card rules and disclosure requirements which, among other things, requires them to evaluate whether consumers can repay their debt. The issuer is required to obtain a consumer's consent before adding these services to accounts and must provide consumers with a periodic statement of the credit and provide at least 21 days to repay the debt. Should a product offer overdraft or other credit features, it must be disclosed in the disclosures of the short and long forms.

The CFPB is seeking public comment for a 90-day period, beginning with its publication in the Federal Register.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


November 17, 2014 in consumer protection, prepaid, regulations | Permalink | Comments (0) | TrackBack (0)

November 10, 2014


Virtual Currency Environment Still Fluid after Latest Rulings

The end of October was filled with multiple news-grabbing headlines reflecting the growing fears of Ebola, the exciting seven-game World Series, and the release of the first-ever college football playoff rankings. The launch of ApplePay also saw its fair share of headlines, but one piece of payments-related news might have flown a bit under the radar. On October 27, the United States Department of Treasury's Financial Crime Enforcement Network (FinCEN) issued two virtual currency administrative rulings stemming from its March 2013 guidance on regulations to persons administering, exchanging, or using virtual currencies.

The first administrative ruling involves a virtual currency trading platform that matches its customers' buy-and-sell orders for currencies. The company requesting this ruling stated that they operated the trading platform only and were not involved with money transmissions between it and any counterparty. FinCEN determined that money transmission does, in fact, occur between the platform operator and both the buyer and seller. Consequently, FinCEN said that this company and other virtual currency trading platform operators should be considered "exchangers" or "operators" and required to register as money transmitters subject to Bank Secrecy Act (BSA) requirements.

The second administrative ruling involves a company that enables virtual currency payments to merchants. This company receives payment in fiat currency from the buyer (or consumer) but transfers an equivalent amount of virtual currency to the seller (or merchant) using its own inventory of virtual currency to pay the merchant. This particular company asserted that it wasn"t an "exchanger" since it wasn't converting fiat currency to virtual currency because it was using its own reserve of virtual currency to pay merchants. However, FinCEN determined that this company, and similar companies, is a money transmitter because it accepts fiat currency from one party and transmits virtual currency to another party.

These two rulings confirm that if a virtual currency-related company's services allow for the movement of funds between two parties, that company will be viewed as a money transmitter and will be subject to BSA requirements as a registered money transmitter. As financial institutions consider business relationships with these types of companies, they should make sure that these companies are registered as money transmitters and have BSA programs in place.

The virtual currency regulatory environment continues to be fluid. For example, in his recent comments at the Money 2020 Conference, Benjamin Lawsky, superintendent of the New York Department of Financial Services, suggested that his office will soon be releasing its second draft of a proposed framework for virtual currency business operating in New York. Portals and Rails will continue to monitor this regulatory environment at the state and federal level.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 10, 2014 in currency, mobile banking, mobile payments, transmitters | Permalink | Comments (0) | TrackBack (0)

October 27, 2014


ISO 20022 in the United States: What, When, Why, and How?

At the October 2014 Sibos conference in Boston, there was considerable discussion about the International Organization for Standardization (ISO) 20022 standard, which many major non-U.S. financial markets began moving toward a few years ago. ISO 20022 is a public international standard for financial sector global business messaging that facilitates the processing and exchange of financial information worldwide.

In Canada, adoption drivers include the use of domestic messaging standards in proprietary ways that created inefficiencies and the need for enhanced remittance data to add straight-through processing and automated reconciliation, according to a Canadian speaker at the conference. A speaker from Australia explained how the new real-time payment system that country is building will use ISO 20022, and one of the drivers is the desire for rich data to enable automation.

The United States is behind in the adoption curve, which raises the question, why? Several Sibos sessions included discussion of a study commissioned by an industry stakeholder group and conducted by the advisory firm KPMG. (The stakeholder group—which consists of representatives from the New York Fed, the Clearing House Payments Company, NACHA–The Electronic Payments Association, and the Accredited Standards Committee X9—formed to evaluate the business case of U.S. adoption of the ISO 20022 standard.)

KPMG interviewed participants of markets already moving toward adoption and found that adoption was largely driven by both infrastructure change, as in the Australian example, and regulatory requirements. In addition, many U.S. firms, beyond the large financial institutions and corporations, lack in-depth knowledge about ISO 20022. Two additional barriers in the United States are (1) the exact costs of ISO 20022 implementation are difficult to pinpoint, in part because they vary by participant, and (2) the country has no industry mandate for adopting the standard.

In one conference session, a speaker categorized some of the strategic reasons the United States should move forward, framing them in terms of the risks of nonadoption. These reasons include:

  • Commercial reasons: The U.S. industry will have to bear the incremental costs of maintaining a payments system that does not integrate seamlessly with an emerging global standard.
  • Competitive reasons: Many countries are experiencing such benefits of the ISO standard as increased efficiencies and rich data content, but U.S. corporations and financial institutions will fall farther behind.
  • Policy reasons: The U.S. market will become increasingly idiosyncratic, with more payment transactions conducted in currencies other than the U.S. dollar.

Recommendations from the KPMG study include initiating adoption of the ISO 20022 standard in this country first for cross-border activity, starting with wires, and then ACH. The U.S. industry should then reassess domestic implementation.

Because communication is keenly important to overcoming the lack of knowledge of ISO 20022 in the U.S. market, the stakeholder group is currently focusing on educating affected groups about the key observations and findings of the KPMG study.

No particular timetable or course of action has been determined for U.S. adoption, which makes it the ideal time for industry input. What's your institution's perspective on the adoption of the ISO 20022 standard in the U.S. market?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 27, 2014 in financial services, payments, regulations | Permalink | Comments (0) | TrackBack (0)

October 20, 2014


Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 20, 2014 in cards, data security, EMV | Permalink | Comments (0) | TrackBack (0)

Google Search



Recent Posts


November 2014


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Archives


Categories


Powered by TypePad