Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

May 18, 2015


A Presumption of Innocence

Presumption of innocence is a principle that goes all the way back to Roman law. This concept means that if reasonable doubt remains after the accuser presents his or her proof, then the accused must be acquitted. In the payments ecosystem, the guilty is defined as the party that the account holder or cardholder has not authorized to conduct a transaction on that account or card. According to the 2013 triennial Federal Reserve Payments Study, the estimated number of unauthorized ACH transactions in 2012 reached a total of $1.2 billion.

With dollar stakes so high, reaching a guilty verdict when fraud has been committed is important. What is the best due process to identify the guilty while ensuring the preservation of the rights of the accused?

In 2009, NACHA members passed a rule change requiring financial institutions (FI) to keep the percentage rate of unauthorized transaction returns below 1 percent per originating company. If an originating company reaches the unauthorized return threshold, NACHA will contact the originating FI to investigate and resolve any potential issues that can lead to rules violations and fines. Some of the reasons an ACH transaction can be returned unauthorized include the following: the entry amount is different than the amount that was authorized, the debit was processed earlier than authorized, the transaction was fraudulent, the transaction sender is unrecognized, the check conversion was done improperly, or a previous authorization has already been revoked. Unauthorized transactions can even be a result of the receiving party committing the fraud, by reporting the transaction as unauthorized but still in receipt of goods and services. The rule change set an expectation that FIs would monitor unauthorized returns received for each originating company name over a two-month period.

Monitoring for unauthorized activity unveils a number of payment issues, but there are more opportunities to identify the guilty. The ACH operator provides unauthorized return rate data, representing returns coded properly with NACHA’s unauthorized return reason codes (R05, R07, R10, R29 or R51). If a disputed transaction is improperly coded or returned with a different code, the transaction would not factor into current unauthorized return monitoring. Regulation E provides consumer protections that require FIs to provide error resolution beyond the NACHA return deadlines and therefore such disputed transactions will also fall outside unauthorized monitoring, unless the FI manually adjusts return counts. Additionally, unauthorized transactions are sometimes quickly returned under the codes for "insufficient funds, "invalid account" or "unable to locate an account." These codes should also be monitored in order to uncover guilty originators.

Effective September 18, 2015, a new NACHA rule will lower the unauthorized transaction return rate to half a percent. In addition two new thresholds will be introduced to monitor other return reason codes that can unveil guilty originators while improving overall network quality. Thresholds are meant to provide a red-flag approach to return monitoring. However, return rates over or near the threshold should trigger investigation and due process before a final verdict is rendered.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 18, 2015 in regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb08305c2e970d

Listed below are links to blogs that reference A Presumption of Innocence:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 11, 2015


The Hill Tackles Cybersecurity

In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.

Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.

National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.

Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.

The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.

Photo of David Lott By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 11, 2015 in collaboration, consumer protection, cybercrime, law enforcement, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb082c5f0e970d

Listed below are links to blogs that reference The Hill Tackles Cybersecurity:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2014


Top 10 Payments Events in 2014

As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.

#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.

#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.

#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.

#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.

#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.

#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.

#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.

#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.

#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.

And…drum roll, please!

#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.

How does this list compare to your Top 10?

All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!

Photo of Mary Kepler Photo of Doug King Photo of David Lott Photo of Julius Weyman



Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.


December 22, 2014 in chip-and-pin, cybercrime, data security, EMV, innovation, mobile payments, prepaid, regulations, third-party service provider | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c723d660970b

Listed below are links to blogs that reference Top 10 Payments Events in 2014:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 08, 2014


Under Pressure: The Fate of the Independent ATM Operators

The ATM industry in the United States is facing many challenges. For one, the interchange rates that networks pay to ATM owners have been halved over the last five years, transaction surcharges are topping off, and operating expenses are escalating. These financial strains may be hardest for the thousands of small business entrepreneurs in the United States who own and operate ATMs independent of those that belong to financial institutions (FIs). (Non-FI owners/operators are responsible for an estimated 65 percent of all U.S. ATMs.) For another, at least for the small-business independents, a changing landscape is placing pressure on the relationships the independent owners/operators have with their FIs.

I recently attended and spoke at the National ATM Council's (NAC) annual conference. NAC is a nonprofit national trade association that represents the business interests of these non-FI ATM owners and operators. During the conference, I spoke with many of the attendees to learn more about the key drivers and concerns of their business. The biggest concern many owners/operators expressed is their sponsoring FI will classify them as a high-risk business and terminate their banking relationship. (Many FIs are in the process of "de-risking" their portfolios.) FIs may mistakenly classify these operators as money service businesses (MSB), since they dispense cash, even though state regulators do not consider them as such. Two factors are contributing to this confusion: guidance from the FFIEC's examiner manual that cautions financial institutions that criminals can use ATMs to launder funds, and an organizational structure that has sub-ISOs (that is, independent sales organizations), which can make ownership of all the ATMs unclear.

In actuality, the ability of ATM operators to launder money through an ATM is quite restricted beyond the initial funds placed in the terminal. The processors and networks, which are totally independent from the owners, generate financial reports that show the amount of funds that an ATM dispenses in any given period. So if the reports show an ATM paid out $5,000 in a month, the ATM owner can only justify resupplying the ATM with $5,000, plus a little reserve. In other words, controls maintained by independent parties clearly document the funds flowing through the ATM. Additionally, the non-FI sponsorships are dominated by four highly regarded financial institutions with strict AML/BSA programs that validate the initial funding of the ATM and monitor ongoing activity.

My advice to the group to try to avoid having their business relationship questioned or, worse, terminated, was to work proactively with the financial institution providing their settlement service and cash supply needs. Make sure their account officers understand how their businesses operate and know the controls that are in place to make money laundering unlikely to happen. And if you work for an FI that works with non-FI ATM owners/operators, don’t be surprised if they come calling on you.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


December 8, 2014 in ATM fraud, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0a446b6970c

Listed below are links to blogs that reference Under Pressure: The Fate of the Independent ATM Operators:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 17, 2014


Consumer Prepaid Protections May Be Catching Up with Prepaid Use

On November 13, the Consumer Financial Protection Bureau (CFPB) issued its much-anticipated notice of proposed rulemaking of consumer protections for the prepaid market. This proposed rule covers multiple facets related to the prepaid industry, including disclosure requirements, fraud protection, access to account information, and the provisioning of credit via overdraft. Today's blog will provide a brief, high-level summary of this rule.

What is and isn't covered under this rule?
This rule redefines a "prepaid account" under Regulation E (Reg E). Prepaid products include cards, codes, and other devices capable of being loaded with funds that are not currently covered by Reg E and are usable at multiple, unaffiliated merchants and ATMs, and for person-to-person transfers. Gift cards, and certain related cards, are excluded.

Disclosure requirements
The rule requires that card issuers use two forms to disclose fees. The short form discloses four types of fees: monthly account fees, cash reload fees, ATM transaction fees, and purchase transaction fees. The rule proposes the use of a model form that establishes a safe harbor for compliance to the short-form requirement. The long form describes all of the potential account fees and the conditions under which these fees are assessed, as well as the fees that short form includes. Both disclosures must be made available to the consumer before the opening of an account.

Fraud protection
The rule modifies Reg E to require that issuers adopt error resolution procedures and limited liability for prepaid accounts. Reg E coverage limits a prepaid consumer's liability for unauthorized transfers to $50, assuming that the consumer gives timely notice to the financial institution and the card has been registered. Further, financial institutions would be required to resolve certain errors to prepaid consumer accounts.

Access to account information
The rule also modifies Reg E to require that financial institutions provide prepaid account holders with free access to periodic statements or that they make available to the consumer the account balance and at least 18 months of account transaction history. These periodic statements and transaction histories must include a summary of monthly and annual fees in addition to a listing of all deposits and debits.

Overdraft protection
The rule allows for issuers of prepaid accounts to offer overdraft services and other credit features. However, issuers that offer these services or features for a fee are subject to Regulation Z (Reg Z) credit card rules and disclosure requirements which, among other things, requires them to evaluate whether consumers can repay their debt. The issuer is required to obtain a consumer's consent before adding these services to accounts and must provide consumers with a periodic statement of the credit and provide at least 21 days to repay the debt. Should a product offer overdraft or other credit features, it must be disclosed in the disclosures of the short and long forms.

The CFPB is seeking public comment for a 90-day period, beginning with its publication in the Federal Register.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


November 17, 2014 in consumer protection, prepaid, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07ad028f970d

Listed below are links to blogs that reference Consumer Prepaid Protections May Be Catching Up with Prepaid Use:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 27, 2014


ISO 20022 in the United States: What, When, Why, and How?

At the October 2014 Sibos conference in Boston, there was considerable discussion about the International Organization for Standardization (ISO) 20022 standard, which many major non-U.S. financial markets began moving toward a few years ago. ISO 20022 is a public international standard for financial sector global business messaging that facilitates the processing and exchange of financial information worldwide.

In Canada, adoption drivers include the use of domestic messaging standards in proprietary ways that created inefficiencies and the need for enhanced remittance data to add straight-through processing and automated reconciliation, according to a Canadian speaker at the conference. A speaker from Australia explained how the new real-time payment system that country is building will use ISO 20022, and one of the drivers is the desire for rich data to enable automation.

The United States is behind in the adoption curve, which raises the question, why? Several Sibos sessions included discussion of a study commissioned by an industry stakeholder group and conducted by the advisory firm KPMG. (The stakeholder group—which consists of representatives from the New York Fed, the Clearing House Payments Company, NACHA–The Electronic Payments Association, and the Accredited Standards Committee X9—formed to evaluate the business case of U.S. adoption of the ISO 20022 standard.)

KPMG interviewed participants of markets already moving toward adoption and found that adoption was largely driven by both infrastructure change, as in the Australian example, and regulatory requirements. In addition, many U.S. firms, beyond the large financial institutions and corporations, lack in-depth knowledge about ISO 20022. Two additional barriers in the United States are (1) the exact costs of ISO 20022 implementation are difficult to pinpoint, in part because they vary by participant, and (2) the country has no industry mandate for adopting the standard.

In one conference session, a speaker categorized some of the strategic reasons the United States should move forward, framing them in terms of the risks of nonadoption. These reasons include:

  • Commercial reasons: The U.S. industry will have to bear the incremental costs of maintaining a payments system that does not integrate seamlessly with an emerging global standard.
  • Competitive reasons: Many countries are experiencing such benefits of the ISO standard as increased efficiencies and rich data content, but U.S. corporations and financial institutions will fall farther behind.
  • Policy reasons: The U.S. market will become increasingly idiosyncratic, with more payment transactions conducted in currencies other than the U.S. dollar.

Recommendations from the KPMG study include initiating adoption of the ISO 20022 standard in this country first for cross-border activity, starting with wires, and then ACH. The U.S. industry should then reassess domestic implementation.

Because communication is keenly important to overcoming the lack of knowledge of ISO 20022 in the U.S. market, the stakeholder group is currently focusing on educating affected groups about the key observations and findings of the KPMG study.

No particular timetable or course of action has been determined for U.S. adoption, which makes it the ideal time for industry input. What's your institution's perspective on the adoption of the ISO 20022 standard in the U.S. market?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 27, 2014 in financial services, payments, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d0855662970c

Listed below are links to blogs that reference ISO 20022 in the United States: What, When, Why, and How?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 22, 2014


New ACH Return Rate Threshold on the Horizon

In a December 2013 post, we asked the question, Is it the right time for lower ACH return rate thresholds? We can now say that the answer is "Yes." The voting membership of NACHA-The Electronic Payments Association recently approved a NACHA Operating Rule amendment that will reduce the unauthorized debit return rate threshold.

The process of returning payment transactions is a pain point for the receiving financial institutions that incur the costs of exception processing, which includes handling customer service inquiries and the returns. Unauthorized transactions are also a pain point for customers who have experienced such postings to their accounts. For the financial institution originating transactions on behalf of businesses and third-party customers, ongoing and proactive monitoring of return rates can help them quickly identify potential problems and determine if those problems have been addressed.

The NACHA Operating Rule amendment will reduce the threshold for returns of unauthorized debit entries from 1 percent to 0.5 percent, effective September 18, 2015. An originating depository financial institution will be subject to possible reporting and fines if they have an originator or third-party sender whose return rate for unauthorized debits exceeds the current threshold.

As NACHA states in its information on the new rule, this 0.5 percent threshold is more than 16 times higher than the average network return rate of 0.03 percent for unauthorized debit entries in 2013. This new threshold will continue to emphasize the importance of institutions focusing on high return rates and working with their customers to bring any excessive rates down. The amendment also establishes a review process for when returns for "administrative" or "overall return" reasons exceed certain levels. For administrative returns, this will be 3 percent, and for overall returns, it will be 15 percent. Administrative returns include debits returned for reasons such as closed account, invalid account number structure, or the account number not corresponding to an existing account. Overall returns for ACH debits include unauthorized and administrative reasons, as well as others such as insufficient funds and stop payments.

Unlike the unauthorized return threshold, breaching return rate levels for administrative and overall return reasons will not result in an automatic requirement to reduce the return rate or undergo a rules enforcement proceeding. Instead, exceeding these return rates will lead to a process to determine if the origination practices of a given originator or third-party sender need to be modified to achieve lower exception levels.

The timeframe for implementing this rule allows originating financial institutions to look carefully at their current return monitoring processes and determine whether customers are near these return rates and to put into place practices that would address problem areas. Will this new rule affect your due diligence processes? Does your current monitoring already show that your customers' return rates are lower than the new thresholds?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 22, 2014 in ACH, debit cards, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c6dede57970b

Listed below are links to blogs that reference New ACH Return Rate Threshold on the Horizon:

Comments

What is the current NACHA guideline "threshold of returns for insufficient funds", the percentage?

Posted by: Bob Lewis | March 11, 2015 at 01:58 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 16, 2014


Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dd9fb1b970d

Listed below are links to blogs that reference Banking on the Financial Institutions as Gatekeepers:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2014


Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dc5354c970d

Listed below are links to blogs that reference Choking on the Cost of Risk Management:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 12, 2014


The Art of Balancing Innovation and Regulation

Several factors have converged in recent years to add complexity to the regulatory oversight of retail payments. These elements include new regulation and oversight along with technology advances that have created new payment types. The challenge for regulators in an environment with an abundance of innovation is to align that innovation with appropriate regulation to ensure consumer protection, data security, and fraud mitigation, and to retain consumer confidence in payments.

The 2008 financial crisis led to an increased focus within the regulatory framework on retail payment risk factors. One new regulation was the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). Dodd-Frank led to many changes—including the creation of a regulatory agency, the Consumer Financial Protection Bureau (CFPB), to focus exclusively on consumer protection. Since the CFPB was created, two of the payments types it has identified as deserving of its oversight are remittances and prepaid cards.

At the same time, evolving technology continues to change the nature of how consumers make payments—moving from the physical to the virtual—and has increased consumers' expectations for speed, control, information, and transparency. Options available for consumers to make payments and for businesses and financial institutions to participate in offering payment services have multiplied as Internet and mobile evolved, cloud-based solutions progressed, and virtual currencies expanded.

Technological advances have led to a retail payments system that is more transparent than ever before, in which all types of entities, from start-up companies to financial institutions, are able to innovate. Nonbank entities are flourishing in retail payments, challenging the historic role of financial institutions as primary payment participants by offering payments products and services in an ever-more complex payments landscape.

While some participants complain that there is too much regulation of payments practices, others call for more or different regulation when problems arise. Still others call for change because they believe the playing field is not level for all participants. Sometimes regulation can be a catalyst for innovation by legitimizing a payments practice after clarifying requirements for all participants. Whatever your perspective, it is a complex undertaking to attain the delicate balance between innovation and oversight.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 12, 2014 in innovation, mobile payments, regulations, regulators | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dc1c139970d

Listed below are links to blogs that reference The Art of Balancing Innovation and Regulation :

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


June 2015


Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        

Archives


Categories


Powered by TypePad