May 07, 2012
Regulating mobile: Distinguishing the payment from the channel
The handset is just a device, not a payment
Policymakers and regulators are just beginning to discuss the regulatory environment for mobile banking and payments in the United States. The added dialogue to existing industry conversations can lead to mixed messages about where regulatory and policy action may be needed. Recently we've heard from industry and regulatory agencies that the payments industry should carefully consider introducing new regulations and supervisory guidance.
The mobile handset is "just a device, not a payment," noted Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Duncan, who spoke at the workshop "Paper, Plastic...or Mobile," hosted by the Federal Trade Commission, also said that regulation should be no more stringent than that of the underlying payment. In essence, the laws, regulations, and rule sets associated with a payment type—be it a credit card, debit card, or online payment—should follow that payment through the mobile channel for clearing and settlement. I offered similar conclusions in a previous Portals and Rails post on dispelling myths in mobile payments, adding that "while new networks...may emerge in the future, at present, the payment network systems remain the same."
Fragmented framework on an expanded landscape
One problem the payments industry faces as technology enables new intermediary payment methods (they all start off as something we already use: cash, checks, or cards) is that the legal and regulatory framework includes different consumer protections, disclosure requirements, and error resolution provisions depending on the payment type. While all these payments are used in an Internet environment—whether the Internet is accessed by phone or a traditional PC—the addition of the mobile channel and its telecom partners has seemingly created a tipping point for confusion and speculation. Many of the issues raised about consumer protection for prepaid cards, for example, exist now and have nothing to do with a consumer's ability to use a prepaid account with a mobile device.
Can existing regulatory infrastructure handle new mobile payment business models?
The United States has a more complicated banking system than most countries. National laws, for example, govern national banks, which are preempted from state law. State-chartered banks and nondepository money service businesses (like payday lenders and money transmitters), on the other hand, are responsible for complying with the laws of every state in which they do business. These laws are different from state to state, and sometimes even conflict.
Industry players in each of these separate chartering authorities are stepping into the mobile channel as a way to expand their footprint. While telecoms and technology firms are entering into partnerships with banks to establish new business models in the delivery of mobile payments, so far they're sticking to their knitting and leaving the clearing and settlement, and the extension of credit, to the financial services industry. As long as banks remain the payment issuers in these still nascent business models, caution in rethinking the regulatory infrastructure is probably a good idea as well.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 7, 2012 in innovation, mobile banking, mobile payments, regulators
March 19, 2012
Balancing payments risk management and regulation with innovation
Government must be careful not to overreact to, or stifle, new innovations that can greatly benefit the consumer and the American economy. Government should take advantage of marketplace solutions to issues where appropriate. To do this, and at the same time to be in a position to act appropriately, it is important for government to maintain expertise in electronic money and payments development, and to consider carefully major questions presented by these developments. (Excerpt from 1996 paper prepared by the Department of Treasury on emerging electronic money and banking innovations.)
This quote appeared in a presentation given last week by John Carlson, executive vice president at BITS, a nonprofit group that fosters communication around technology issues that affect the financial services industry. John used this quote to demonstrate that, even in 1996, the Treasury Department recognized the need to not over-regulate at a time when financial institutions were beginning to experiment with Internet banking.
In the presentation "Hardening Payments for the Next Generation," which he gave at the BAI Payments Connect conference, John stressed that we still have to exercise care as financial institutions continue to innovate. The industry must still consider how it will balance the benefits of innovation in payments with the need to manage changing risks and ensure that regulators keep up with the changes. John warned that, despite the myriad of new threats, the temptation to overreact to these with regulation and legislation may stifle payment innovations. He emphasized that, instead, payment stakeholders must collaborate and share information.
Following are a few other noteworthy points from the presentation.
Rise in fraud and security issues in payments
John noted that as more nonbanks enter the marketplace and new innovative alternative products are introduced, payments fraud is evolving alongside. We need to keep looking at emerging payment issues involved with EMV-enabled payments, for example, as well as mobile payments, cloud computing, and payments conducted via social media. At the same time that these products are entering the marketplace, fraud is evolving in new and unexpected ways. And as global crime rings increasingly engage in cross-border activities, for example, a rise in cyber-security threats will likely continue.
We are also seeing some conflicting trends in consumer trust of security issues, according to John. While many consumers respond conservatively in surveys on payments security, for example, consumers generally are becoming increasingly willing to share personal information with "friends" in social media sites like Facebook and LinkedIn. And while consumers are gradually warming up to alternative payments in the mobile channel, most fail to employ general protections such as mobile device password locks.
A challenging regulatory environment
John mentioned that U.S. financial institutions are subject to independent regulatory oversight by a host of federal and state agencies, but the regulatory environment for nonbanks is not well understood. This lack of clarity around the nonbanks results in unclear liability for financial institutions and their customers alike. Consumers are likely to go to financial institutions for error resolution because of trust and familiarity, even when the risk and liability belong to the nonbank partner.
Third-party risk will continue to be a significant concern going forward, said John, as banks recognize the economic benefits they can get from outsourcing. As a result, regulators will focus on banks' vendor management programs to ensure that banks exercise comprehensive due diligence when they engage with vendors, and that they continue to provide oversight of the vendor throughout the duration of the relationship.
John noted that while there is a great deal of discussion on regulation of the emerging mobile channel, it is likely that such regulatory guidance will be embedded in vendor oversight guidance, of which there have been many iterations over the years.
Trust is a necessary element of a successful payment system
John concluded his presentation by saying that "trust is central to everything we do." Financial institutions and other stakeholders with access to payment data and personally identifiable information have a growing responsibility to protect that data as the risk grows for network and device compromise. With more personal information exposed via social media, we will need to consider incentives for stakeholders to safeguard information by banks and other competitors in the payments space. Furthermore, those nonbank competitors and outsourcing partners need to be held to similar business practice standards for security and safety and soundness.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
March 19, 2012 in innovation, regulators
February 21, 2012
Security in the mobile wallet: Is it good enough yet?
For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.
But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.
Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.
A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:
"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."
It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to roll out in 2012.
Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics' recent study found that financial services applications had the largest percentage of apps that passed their security tests.
Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are meeting the terms of third-party agreements with respect to application and device security.
Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems
September 12, 2011
Retail Payments Risk Forum publishes discussion paper on peer-to-peer payments
Peer-to-peer (P2P) payment products are some of the most innovative developments from the payments industry in the past decade. Consumers have never had so many payment choices. Alongside a host of recent entrants like PayPal and CashEdge, longstanding industry players like Fiserv, Visa, and MasterCard all offer P2P products. Additionally, three major banks have announced a collaborative P2P initiative called ClearXchange.
Despite this range of innovative offerings, however, the industry lacks a standard understanding of how the various P2P payments in the market work. Further, consumers and businesses are also confused by the many options, and a lack of familiarity may be a source of the inertia that keeps consumers relying on cash and checks for most P2P payments.
The Retail Payments Risk Forum recently published a working paper on P2P payments as a resource for regulators, consumers, and the payments industry in general. The paper offers a framework to organize a discussion of P2P payments and evaluate the associated risks. This framework should help bankers and regulators better manage the risk exposure of different P2P products currently in the market. The framework categorizes transactions by counterparties, access channel, funds load and receipt instruments, and settlement network. Any P2P payment can be mapped across this lifecycle into categories that are mutually exclusive and comprehensively exhaustive.
Consumers send P2P payments by first initiating the transaction through an access channel. Traditionally limited to face-to-face, mail, or bank branches, today you can send payments at a kiosk, online, or even with your mobile phone. The payment funds are loaded and received through an instrument like cash, a bank account, credit card, or prepaid balance. In the background, the funds clear and settle over traditional networks, including ACH, wire, and card networks.
The paper goes on to detail specific P2P payments with case studies indicating how a provider fits across the payment lifecycle. Two of the covered providers have been mentioned in this blog before: Western Union and CashEdge's PopMoney.
In a Western Union P2P transaction, both counterparties are consumers. The sender can initiate a payment at an agent location, a kiosk, or online, or by using their mobile phone in some limited markets. The sender can fund the transaction using cash or a credit, debit, or prepaid card. Senders can also use their account and routing numbers to fund transactions made online or by mobile. Western Union has been proactive in expanding the access channels and funding instruments available to remittances senders. The transaction clears by ACH in countries where the network is available, and by wire in other geographies. Finally, the recipient can receive the funds as cash, or can direct them to their bank account using account and routing numbers.
Consumers can use CashEdge's Popmoney to send a payment to another consumer or to a small business, and can access the service through online or mobile banking. The payment is funded from the sender's bank account using the account and routing number, and the recipient receives funds into their bank account the same way. CashEdge recently partnered with MoneyGram, an international money transmitter, and some recipients may be able to pick up their payment in cash at MoneyGram agents around the globe. Transactions are usually settled via ACH, although recent partnerships with EFT networks enable card network settlement as a speedier option in some cases.
The working paper concludes by discussing some of the risks of P2P payments. P2P payments may seem new and unprecedented from the industry and media buzz surrounding them, but, as described above, most P2P payments actually rely on traditional networks and banking channels. Therefore, the risks posed by P2P payments are not original, but rather map to the risks of the underlying payment type. The risk profile of each P2P product must be evaluated across its specific use case, access channel, and settlement network. A one-size-fits-all risk management plan cannot work for such a diverse market. Finally, in evaluating the risk of P2P payments, consumers, banks, and third parties should make comparisons to the status quo of cash and check transactions. Many times new products will offer benefits in terms of efficiency and innovation that may outweigh their greater risk, and in some cases the risk of new products may be lower than that of the status quo.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2011 in innovation, P2P, payments
January 10, 2011
Nonbanks and payments innovation: Because that's where the money is
In the past decade, nonbank companies have driven most payments innovations. For the most part, banks have left Silicon Valley startups and other third-party players to develop cool new payments gadgets and platforms that attract venture capital and YouTube views. While this dynamic and free market has allowed for great creativity, it has also meant that many of these new payments tools emerged outside the extensive system of regulations and consumer protections that exist in the banking industry.
This blog previously covered the lack of uniform regulation of the money services business (MSBs), a significant gap given the expansion of financial services offered by MSBs like Western Union and MoneyGram in recent years. While providing a vital service for money transfer, MSBs may be vulnerable to money laundering and fraud schemes, as they lack the robust regulatory oversight that governs mainstream financial institutions. Through a series of industry partnerships, MSBs and other less-regulated nonbank payment companies are integrating with bank operations. For example, CashEdge, a relatively new alternative payment service provider, and MoneyGram recently announced one such partnership that could have implications for anti-fraud efforts.
Last year, MoneyGram paid $18 million in a Federal Trade Commission (FTC) settlement that charged the company had known about fraud on their system but did not work to address it, disregarding law enforcement warnings and willfully ignoring customer fraud complaints against agents. Consumers reported $84 million in losses between 2004 and 2008, but it is likely that many victims did not come forward, and the FTC claims that losses may actually have run into the hundreds of millions of dollars. Since the settlement, MoneyGram has invested heavily in anti-fraud measures, including enhanced agent training, improved communication with consumers, and greater partnership with law enforcement and the FTC. In response to questions from the Connecticut Watchdog, MoneyGram explained that these efforts have prevented $30 million in fraud this year and resulted in a 75 percent decrease in fraudulent transactions between the United States and Canada.
However, con artists continue to exploit Americans, evidenced by the recent Make-A-Wish scam. This scam has already defrauded victims of $20 million, with the thieves again using Western Union and MoneyGram to receive payments. Although these companies provide a valuable service to those sending money abroad to family and others, they are still vulnerable to threats from bad actors.
In light of this vulnerability, MoneyGram's announcement this past fall of a partnership with CashEdge to integrate with their POPmoney service bears scrutiny. POPmoney is a bank-initiated peer-to-peer payments service that went live late in 2009 and allows users to send friends and family money through text, e-mail, or online banking. The product has been very popular, with more than 100 banks adopting the service within six months of launch. The new partnership means that POPmoney users will be able to transfer money not just to other bank accounts, but also to any MoneyGram location around the world. These POPmoney-to-MoneyGram transactions will likely be fast and irreversible, using CashEdge’s convenience and MoneyGram's global presence. Furthermore, users will initiate all transactions via online or mobile banking, funding them directly from their primary bank account. Although MoneyGram launched enhanced anti-fraud technology last year for scanning risky transactions, these online transfers would bypass live agents whose training is one line of defense against fraud.
Although there may be considerable risks in integrating MSBs directly to a financial institution's online banking services, doing so could also be an opportunity to fight fraud in these channels. If banks' extensive experience in fraud detection and mitigation were applied to the money transfer business, it could significantly improve consumer safety and experience. If there are lessons to be learned here, they could be applied to a variety of similar partnerships across the industry, improving banks' access to innovation and enhancing the risk management capabilities of new payments products.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 10, 2011 in banks and banking, innovation, money services business (MSB), risk management
December 20, 2010
You better watch out! ...Santa goes cyber
Happy holidays from the Retail Payments Risk Forum!
As this world has drifted away from traditional written communication to a fully electronic communications process, we see that Santa Claus has finally moved into the 21st century. On a network news show this week, we saw that there are still plenty of letters being written to Santa in the conventional way, but data from the industry consultant Javelin Gifts shows that only 26 percent of all Christmas lists are in paper form. Most kids now want to communicate with Jolly Ol' Saint Nick electronically. The benefits appear to be extraordinary for both the wide-eyed children and the man himself, not to mention the beleaguered elves that can now use automated list sorting tools, name and address directories, and list matching to ensure the elimination of duplicate orders. A new feature labels each entry with a GPS locator that cuts down tremendously on useless flying around, thereby dramatically improving the overall "bales-of-hay-per-mile-flown" reindeer efficiency measure.
Santa's new website unveiled
Recently, we explored Santa's new site, where you can choose a variety of options, including the usual descriptions and pictures of Santa's house, Mrs. Claus, all the important workshops, the latest Elf of the Month, and live video of the reindeer in their stables. The main tab Christmas Lists is, of course, the place for all boys and girls to go to enter their wish lists, following a brief application process (name, address, age, chimney/no chimney, naughty/nice, etc.) and the usual OFAC—Office of Foreign Assets Control—screening to ensure that those kids requesting bomb-making material are not terrorists. Recent attempts to hack the site have revealed that Santa's firewalls are pretty darn good, ensuring that there are no last-minute denial-of-service attacks from the Grinch or other such hooligans intent on spoiling Christmas for the rest of us. The site also appears to have pretty strong SPAM filters to counteract the recent attempts of high end retailers trying to get Santa to provide only their brand of products.
Two other tabs are prominently shown. First, there is a live chat room where the customer can chat with specialist elves to get expert opinions on some of the hottest toys, including the current backlogs in production. Second, a tab called Value-Added Services encourages the customer to take advantage of things like gift wrapping, special notes from Santa, gift recall lists, and roof/chimney repair services. The fees associated with such services help keep the site maintained and contribute to the necessary overtime pay that inevitably piles up the last week before Christmas. One of the more interesting services is a data privacy service that provides for a Christmas list to be encrypted, thereby preventing prying eyes from seeing what they are getting under the tree. Of course, this also helps Santa stay out of legal trouble and avoid cumbersome government-mandated data breach reporting.
Wrestling with Christmas Criminals
Recently, the North Pole has had to address a growing number of account takeover concerns about Ukrainian hackers posing as children who might try to compromise the website on Christmas Eve, changing the addresses associated with some of the more attractive gift lists. The most effective malware to date rode in on a piece of spam entitled "Cookies and Canes" that the jolly old elf couldn't resist opening. My understanding is that Santa has fixed this problem by moving his site to a separate computer from his personal e-mail laptop.
Before logging off, we clicked on another tab called Flight Tracker that allows concerned parents to track the progress of their children's deliveries on Christmas Eve. This can be particularly helpful if Santa gets to your house at, oh, say 5:00 a.m. and you need to barricade the hallway to forestall the progress of some particularly geeked-up kids who wake up way too early and want to check out the tree.
And to all a good night!
Upon reflection, we were really impressed with Santa's new website, but disappointed that he had to implement so many fraud detection and prevention tools. However, there seem to be even more features to come. A news line scrolling across the bottom of the page promised upgrades next year to text messaging and Facebook for those kids who just don't have the time to send e-mail.
While the point of all this may seem to be to let you know that no one, including Kris Kringle himself, is exempt from fraud in the electronic world, it really is just a way to give our staff a week off from serious blogging and to wish all our dedicated readers a very Merry Christmas and Happy Holidays! See you next year!
By Rich Oliver, Cindy Merritt, and Ana Cavazos-Wright
December 20, 2010 in consumer protection, innovation
December 06, 2010
Tough decisions: Fighting fraud in a free market
Over the past two years, despite a stagnant economy, the U.S. payments system has harvested the benefits of a free market: the generation of hundreds of innovative ideas. Mobile payment pilots, P2P offerings, remote banking services, small merchant credit card approval tools, and at-home remote deposit capture services for checks are only a sampling of the new ideas, many of which came from nonbank participants. Inevitably, this type of innovation and competition will result in more choices at more reasonable prices for American consumers and businesses.
This extraordinary explosion of payments system creativity stems not only from the benefits of free market capitalism, but also from the historical fact that our payments system enjoys substantially less oversight than other advanced economies. While we have a considerable array of consumer protection regulations in place in the United States, we do not have any specific government body charged with determining and enforcing overall payments policies and practices. Unlike much of Asia, Europe, the Far East, and Australia, there are no competition authorities, payments councils, commissions, or boards that set policy across payments channels. The Federal Reserve does not play as strong a role in governing payments as do the European Central Bank, the Bank of Japan, or the Reserve Bank of Australia. Congress has passed no comprehensive payments law such as the Payments Services Directive in Europe or the Payments Services Act in Japan. Predictably, then, we see the type of lively and innovative payments market in place in the United States today.
The downside of freedom
But, in the words of that great college football guru, Lee Corso, "Not so fast, my friends!" With the freedom to innovate also comes the freedom to do bad things. Said differently, there exists an inconsistent appreciation or concern for the necessary integrity of payments products and services. Entrepreneurs are not given the responsibility to ensure that their ideas can pass muster in the public policy arena. Their first concern is the marketability of their glitzy new product, not its protection against intrusion or susceptibility to fraud. While we can argue that banks by their very nature are more steeped in the tradition of focusing on integrity and security as key elements in payments services, the same is probably not as true for the large number of new nonbank players entering the payments world. Certainly, some such companies, particularly those run by experienced financial services professionals, do get the message, but many do not. We can assume that as less secure products and services are deployed, bad things will happen and lessons will be learned that bring about a reformation. In the meantime, many consumers and businesses may be seriously impaired.
The likely result of such experiences, however, may be the further engagement of Congress—and, ultimately, government—to devise remedies for the failings of a highly innovative payments system. Over time, we have seen some of this in the form of targeted legislation intended to fix problems or rein in abuses. Payments-related controls are embedded in the Expedited Funds Availability Act (EFAA), the Patriot Act, the CARD (Credit Card Accountability Responsibility and Disclosure) Act, and the recent Financial Reform Act. But none of the past legislative efforts have been comprehensive. The EFAA focused on checks, the Patriot Act on cross-border payments, the CARD Act on credit cards, and the Durbin Amendment to the Financial Reform Act on debit cards. The specific rules and controls for operating our various payments systems are resident in the requirements of the card companies, the NACHA rules for ACH, and Fed and ECCHO (Electronic Check Clearing House Organization) rules for check image exchange. In essence, the integrity of our payments system relies as much on vigorous self-policing as it does on law making. In fact, one could argue that law making is the predictable successor to bad self-policing.
The challenge to self-police
So the challenge for the payments industry, in an era of explosive technological development and worldwide connectivity, is to become much more focused on the issues associated with protecting the integrity of the payments system. Such attention needs to encompass a wide range of concerns, including data privacy, fraud mitigation, and financial stability. We cannot continue to build solutions that allow customer accounts to be taken over, identities to be stolen, and terrorist financing and money laundering to prosper. If we do, then we can be certain that Congress will move to clamp down, either on a piecemeal basis or more comprehensively, following models in place elsewhere. Ultimately, it is up to the industry as a whole, through its individual parts and representative groups, to get serious about its deficiencies within and across silos. In difficult financial times, it is hard to contemplate spending more on protecting the payments system when so many other priorities call. But our ability to preserve the potential benefits of widespread innovation may depend on it. If we fail to spend on remedies now, we will inevitably spend on them later and probably with less efficiency in reaction to legislation and regulation.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
December 6, 2010 in innovation, payments systems, risk management | Permalink
February 16, 2010
Haitian crisis: Are mobile payment discussions an unexpected consequence?
The earthquake in Haiti caused massive destruction that ultimately leveled the capital city of Port-au-Prince and resulted in the deaths of thousands of people. As charitable assistance has poured in from around the world, an unexpected revelation has come to light with respect to the potential for mobile phone–enabled payments. Within a matter of days, wireless network operators facilitated millions of dollars in donations, demonstrating how quickly people all over the world could assemble to adopt a single payment method for a specific purpose. Through the use of text messaging, or SMS (short message service), via the mobile phone, consumers could send payments to a variety of charitable organizations providing aid to Haiti.
Convenience of text messaging can drive adoption
I heard someone say recently that "convenience is like a drug for consumers." This convenience is possibly why texting is outpacing e-mail messaging as a mainstream form of communication—the ubiquity of mobile phones makes texting increasingly easier, cheaper, more convenient, and perhaps a natural vehicle for sending payment instructions. According to research released by Nielsen Mobile, the typical U.S. consumer sends and receives more SMS text messages than telephone calls. Mobile SMS is already widely used in developing countries to facilitate mobile money transfers for domestic person-to-person payments and cross-border remittances.
What if something goes wrong?
In many developing countries, mobile money transfer payments are transmitted via SMS without a bank partner to facilitate clearing and settlement. As described in an earlier post, Safaricom's M-pesa service provides mobile phone–enabled payments through text message instructions, with cash-out needs accommodated by agents, typically a village store or wireless retailer. But many of the payments are peer-to-peer in nature and funded by topping up the consumer's mobile phone bill. In the Haiti example, customers also could fund the payment by adding the value of the donation to their phone bills or by debiting a bank account.
Of course, the legal and regulatory environments in the United States differ markedly from developing markets like Kenya, where the M-pesa mobile payments service has grown so rapidly. The risk environments also differ significantly. In Kenya, a consumer faces less risk of loss in a mobile-enabled payment environment than the cash-based system that prevailed only a few years ago. U.S. consumers have many choices in payments and enjoy legal protections if service providers fail to consummate the payment transaction.
So what happens if the $20 donation instruction you sent to Haiti appears as a $200 or even a $2,000 charge on your bill? What if there is a disagreement about the error between you and your wireless carrier? What else could go wrong?
Protection for consumers
One of the growing challenges created by payment innovations is the creation of new laws and rule sets, which provide different protections depending on the payment type. This challenge is further complicated as payments converge and assume different formats along the supply chain. For example, a payment initiated via a credit card on a mobile device is subject to error resolution procedures and consumer protection standards established by the card networks. Similarly, Regulation E covers electronic transactions initiated from a bank deposit account. But if you disagree with a charge to your phone bill for a payment, it is questionable whether the error resolution provisions of Regulation E would even apply. As telecom firms become more important participants in retail payments, what laws and rule sets can consumers look to for protection when things go awry?
Of course, these issues are highly hypothetical but also very possible. Telecom firms and mobile payment service providers are filling new roles in mobile payments, forcing business models that we know today into a new paradigm. Perhaps the crisis in Haiti will serve as a catalyst for proactive thinking on risk issues so that all industry participants can work together to build a safe and trusted mobile sector of commerce.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 16, 2010 in collaboration, emerging payments, innovation, mobile network operator (MNO), mobile payments, telecom | Permalink
December 28, 2009
Mobile money transfers: Benign P2P or hawala money?
Informal value transfer systems (IVTS) such as traditional trade and barter have existed since the beginning of time and still serve legitimate purposes today. While informal payments may provide benefits such as improved reliability and convenience to users over formal systems, they may also create regulatory and risk management challenges. Person-to-person (P2P) payments via the mobile phone, also known as mobile money transfers (MMT), represent an innovation with the potential for use in informal channels as nonbanks, many of which are start-up firms, extend services in a cross-border environment.
IVTS were defined by Nikos Passas to describe "any network or mechanism that can be used to transfer funds or value from place to place either without leaving a formal paper trail of the entire transaction or without going through regulated financial institutions." One of those systems is hawala, which has its origins in classical Islamic law and is mentioned in texts of Islamic jurisprudence as early as the eighth century. Hawala drew interest from the U.S. government after 9/11 because payments are exchanged on the honor system without a paper trail. With this arrangement, it could be difficult to determine if a transfer of funds was for legitimate purposes.
In addition to hawala, Passas identified other important IVTS to include gift and money transfer services via Internet sites, Internet-based payments and transfers, and stored value cards, such as prepaid telephone cards, to name a few. IVTS systems and mechanisms range from basic and traditional exchanges to modern and sophisticated ones.
Passas' initial work predated the recent developments in the mobile payments channel and certainly came before the growth in mobile enabled P2P and the use of prepaid airtime for remittances, as described in an earlier edition of Portals and Rails. When P2P payments are conducted by mobile carriers in a bank-agnostic ecosystem, do they potentially represent a more sophisticated, modern-day informal payment system?
MMT: The fastest-growing mobile payment
P2P payments represent possibly the fastest form of financial transaction enabled by mobile phones, driven by the steady growth in remittance markets, the ubiquity of cell phones themselves, and the desirability for an electronic P2P payment alternative in developed countries like the United States. Research firm Gartner recently identified mobile money transfer as the first of the top 10 consumer mobile applications in 2012, made possible by developments in smart handsets like the iPhone. Separately, ABI research predicts that almost three times as many consumers worldwide will use mobile phones to conduct P2P payments than those who will use them to conduct mobile banking functions by the end of 2011.
Formal versus informal
GSMA (Global System Mobile Association), the alliance of mobile network operators, launched the Mobile Money Transfer Programme initiative to promote the mobile channel and formalize international remittances. With low barriers to entry, roaming capacity, and a growing unbanked market in developed countries, start-up firms may offer informal MMT services, including international and domestic P2P in cross-border markets to expand their customer reach and network opportunities. While informal payment systems can provide means for legal transactions, the lack of transparency could potentially provide bad actors the opportunity for money laundering and other financial crimes.
Nonbanks, like telecom firms and others, are rapidly entering the financial services arena, creating an uncertain regulatory environment as laws and regulations vary from country to country. Will mobile P2P innovation permit service offerings that are characterized as informal payments with the potential for misconduct? Will violators of money-laundering laws go undetected as stored-value mechanisms move from the plastic card to the mobile device? These questions will no doubt be the focus for regulators in many markets going forward as they attempt to understand both the operational and regulatory risks money transfer services have the potential to introduce.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
December 28, 2009 in emerging payments, innovation, mobile payments, remittances, risk, telecom | Permalink
December 07, 2009
If nonbanks drive payment innovation, will banks pay for the risk management?
Nonbanks are driving significant investment in the retail payments space today, a healthy signal to the economy that contrasts starkly to some other economic sectors, and a sign that innovation in payments businesses and technologies is alive and well. This continuing and dynamic evolution is changing the retail payments landscape in new and unexpected ways, such that all industry stakeholders will need to consider risk issues in a new light as well.
What does this spell for the role of financial institutions as retail payments service providers going forward? More importantly, how will industry stakeholders ensure integrity in retail payments systems more generally?
Venture capital and M&A activity for nonbanks
The venture capital community has demonstrated a continued interest in payment technology start-up companies, particularly in the mobile information technology market. Investment banking firm Updata Advisors recently published research reporting that out of the 16 deals the firm tracked in the third quarter of 2009 in the financial technology sector, six fell into the payments subsector. Updata also reports that it believes that new payment technology providers "with their roots in social networking technology will be prime candidates for future acquisitions by larger merchants that do not want to spend on their own R&D."
The migration from traditional to smart phones is helping drive these trends, with a number of venture capital funds investing in start-ups involved in developing smart phone applications (apps). Consider the $150 million BlackberryPartners Fund launched in 2008 by RIM, RBS, and Thomson Reuters to focus on mobile phone apps and services. Mpower Mobile, a firm that provides person-to-person (P2P) services and remittances, recently announced it had received a second round of investment to fund further technology developments such as debit and credit card functionality for mobile phones.
On the M&A front, Mint, a two-year-old, privately held personal finance service, agreed to be acquired by Intuit for $170 million in September 2009. Mint derived its revenue by directing subscribers to online financial products and services from participating institutions. Just this week, American Express announced it would acquire Revolution Money, a recently established alternative payment network, for $300 million.
Economic volatility may hinder banks' investment in payment technology
While tech firm investment in alternative payments is active and highly publicized, the same cannot be said of the banking sector. Established banks saddled with legacy payment system investments have had to balance new technology investment with existing costs while competing with de novo financial institutions.
While new bank charters flourished at the economic peak years of 2005 and 2006, the following years witnessed the largest rash of bank failures in decades. According to the FDIC report of failed banks, more than 100 institutions have been closed in 2009 alone. The turmoil in the financial services sector suggests that prospects for significant bank investments in payment-related technology may be hindered for some time. This effect was described with regard to payments risk management investments in an earlier Portals and Rails post.
Will risk controls take a back seat to innovation?
The take-away from these environmentals is that nonbanks continue to drive technology investment opportunities, which in turn lead to the development of alternative forms of retail payments. The current economic environment may impede participation on behalf of the banking industry, where risk management and regulatory compliance are much more commonplace.
Within the telecom industry, by contrast, there are consortia worldwide discussing how to manage risk in mobile payments in a cross-border environment as bank-agnostic start-up firms provide new mobile remittance and money transfer services. If financial institutions are not part of that conversation on the front end, how will they address risk management and compliance issues with security and identity theft or money laundering? How will the solutions that arise from discussions on risk outside of financial institutions be implemented in a banking environment, and who will assume that responsibility?
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
December 7, 2009 in innovation, mobile payments | Permalink

