Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

September 19, 2016


Mobile Banking and Payments—What's Changed?

This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey to financial institutions based in their respective districts. The purpose of the survey is to achieve better understanding of the status of mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.

The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.

First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:

  • Number of banks and credit unions offering mobile banking and payment services
  • Types of mobile services offered or planned
  • Mobile technology platforms supported
  • Features of mobile services offered or planned
  • Benefits and business drivers associated with mobile services
  • Consumer and business adoption/usage of mobile services
  • Barriers to providing mobile services
  • Future plans related to mobile payment services

If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 19, 2016 in banks and banking, financial services, mobile banking, payments

August 1, 2016


FFIEC Weighs In On Mobile Channel Risks

In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.

Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:

  • Mobile application development, maintenance, security, and attack threats
  • Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
  • Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication.
  • Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices

The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 1, 2016 in bank supervision, banks and banking, financial services, mobile banking, mobile payments, regulations, regulators, third-party service provider

Comments

Looking forward to welcoming David Lott to our upcoming Next Money Tampa Bay meetup.

David will be our keynote on Wednesday, Sept 21, 2016 6:00 ~ 8:00 PM

Tampa Bay Wave Venture Center
500 East Kennedy Boulevard 3rd FL
Tampa Florida 33602

All are welcome to attend. RSVP at

https://www.meetup.com/NextMoneyTPA/events/233171815/

Posted by: Bruce Burke | August 6, 2016 at 05:22 PM


July 11, 2016


Surviving the Emerging Payments Providers

Predictions abound that emerging companies will dominate the remittance and person-to-person (P2P) payments space and financial institutions will be relegated to being a bystander. While I am not sold on their eventual dominance, I do think that emerging companies are creating positive changes. These changes have included new business models for financial institutions and traditional remittance providers who are able to offer their existing and prospective customers new, efficient payment choices. And as recently released financial and transaction figures show, some traditional players embracing change are poised to remain in their leadership positions.

I recently saw a speaker who said that one particular emerging digital remittance provider is the largest digital remittance business in the United States. However, I think the honor of the largest digital remittance transfer provider goes to a long-term remittance incumbent, Western Union. Though payments volume data are not available, revenue data do provide us with some insight into the size of these providers. According to Western Union's 2015 annual report, its digital money transfer services generated $274 million in revenues in 2015. As a point of comparison, three emerging companies (Xoom, Worldremit, and TransferWise) had combined revenues of $230 million. Though Western Union's online service represents only 6.3 percent of its consumer-to-consumer revenues, the segment grew by 26 percent in 2015.

In June, Chase announced changes to its digital P2P solution that will allow Chase customers to send and receive money in real time through ClearXchange with customers of Bank of America, U.S. Bank, and several other financial institutions. Chase's digital P2P solution has been a feature on the Chase mobile application and online banking website for several years now and was used in 2015 to send $20 billion in P2P payments. As a point of reference, the wildly popular emerging mobile and online P2P provider, Venmo, reported $1 billion in transfers during the month of January, up 250 percent from the prior January. With the additional reach of ClearXchange participants, Chase customers will now be able to digitally send and receive payments to 65 percent of the digital banking population in the United States, placing it in a position to experience significant growth to its digital solution.

With both remittances and P2P payments, online and mobile channels are seizing share from traditional channels. Even though the in-person agent model in remittances and P2P payments via cash and checks will remain a viable solution for many consumers, today's growth is being driven by digital models.

No doubt emerging players are threatening traditional companies for remittance and P2P dollars. However, financial institutions and established money transmitters are evolving, and based on the numbers, remain valuable payments providers. Given this environment, financial institutions and traditional remittance providers that don't evolve to embrace the digital remittance and P2P economy are at serious risk of losing share. And the threat isn't just coming from emerging companies. In fact, you can call me a traditionalist, but I think evolving traditional financial institutions and remittance providers are positioning themselves to remain the dominant providers of P2P and remittance payments.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 11, 2016 in banks and banking, emerging payments, financial services

June 27, 2016


Between a Rock and a Hard Place?

Customer education encouraging safe payments practices has always been viewed by staff at the Retail Payments Risk Forum as a vital element in mitigating payments-related fraud. We have stressed this need time and time again in our posts as well as our numerous speaking engagements at payments-related conferences and events.

Financial institutions (FIs) have generally been identified as the group that should bear this responsibility as they own the account relationship, but with more intermediaries in the payments process, I think that others should also be involved. The advent of mobile banking and payments has introduced even more challenges since the financial institution doesn't get involved in the acquisition of the mobile device as that is normally handled by the mobile network sales representatives. My personal experience with these sales representatives is that once the device sale is done, they are more interested in selling me accessories or upgrading my data plan than they are teaching me about selecting and setting strong passwords or preventing malware and viruses from finding their way into my phone.

When I raise this issue with others, all too often I hear a pessimistic chorus that getting consumers to adopt strong security practices will always be a losing battle for FIs. They say that consumers will always choose convenience over security—that is, until they fall victim to fraud. And forget about any other player in the ecosystem taking on the education responsibility because if they have no liability for fraud losses, why direct funds to education when they could be deployed elsewhere?

The impact of fraud on a consumer's relationship with his or her financial institution has never been greater. We read every day about the increasing economic importance of the Gen Y or millennial segment. With an estimated 80 million people, they represent the largest segment of our country's bankable population. A late 2015 study by FICO on millennial banking habits revealed that 29 percent of respondents indicated that they would close all their accounts with a financial institution if one of those accounts experienced fraud. To make matters worse, one quarter of the survey participants indicated they would write a negative post on social media about their financial institution if they experienced a fraud incident.

So are financial institutions in a no-win situation? A ray of hope emerges from the same FICO study, which states that 41 percent of the millennials surveyed indicated that they recommended their FI to friends, colleagues, or family members after a positively handled fraud incident. Studies have consistently shown that payment security is a key concern of all customers, not just millennials. So although it may not seem fair that financial institutions have to shoulder most of the security education effort, the impact of not doing so could be significant. Perhaps it is time for a coordinated payments industry campaign to encourage consumers to adopt safer and more secure banking practices.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 27, 2016 in banks and banking, financial services, payments, risk

October 27, 2014


ISO 20022 in the United States: What, When, Why, and How?

At the October 2014 Sibos conference in Boston, there was considerable discussion about the International Organization for Standardization (ISO) 20022 standard, which many major non-U.S. financial markets began moving toward a few years ago. ISO 20022 is a public international standard for financial sector global business messaging that facilitates the processing and exchange of financial information worldwide.

In Canada, adoption drivers include the use of domestic messaging standards in proprietary ways that created inefficiencies and the need for enhanced remittance data to add straight-through processing and automated reconciliation, according to a Canadian speaker at the conference. A speaker from Australia explained how the new real-time payment system that country is building will use ISO 20022, and one of the drivers is the desire for rich data to enable automation.

The United States is behind in the adoption curve, which raises the question, why? Several Sibos sessions included discussion of a study commissioned by an industry stakeholder group and conducted by the advisory firm KPMG. (The stakeholder group—which consists of representatives from the New York Fed, the Clearing House Payments Company, NACHA–The Electronic Payments Association, and the Accredited Standards Committee X9—formed to evaluate the business case of U.S. adoption of the ISO 20022 standard.)

KPMG interviewed participants of markets already moving toward adoption and found that adoption was largely driven by both infrastructure change, as in the Australian example, and regulatory requirements. In addition, many U.S. firms, beyond the large financial institutions and corporations, lack in-depth knowledge about ISO 20022. Two additional barriers in the United States are (1) the exact costs of ISO 20022 implementation are difficult to pinpoint, in part because they vary by participant, and (2) the country has no industry mandate for adopting the standard.

In one conference session, a speaker categorized some of the strategic reasons the United States should move forward, framing them in terms of the risks of nonadoption. These reasons include:

  • Commercial reasons: The U.S. industry will have to bear the incremental costs of maintaining a payments system that does not integrate seamlessly with an emerging global standard.
  • Competitive reasons: Many countries are experiencing such benefits of the ISO standard as increased efficiencies and rich data content, but U.S. corporations and financial institutions will fall farther behind.
  • Policy reasons: The U.S. market will become increasingly idiosyncratic, with more payment transactions conducted in currencies other than the U.S. dollar.

Recommendations from the KPMG study include initiating adoption of the ISO 20022 standard in this country first for cross-border activity, starting with wires, and then ACH. The U.S. industry should then reassess domestic implementation.

Because communication is keenly important to overcoming the lack of knowledge of ISO 20022 in the U.S. market, the stakeholder group is currently focusing on educating affected groups about the key observations and findings of the KPMG study.

No particular timetable or course of action has been determined for U.S. adoption, which makes it the ideal time for industry input. What's your institution's perspective on the adoption of the ISO 20022 standard in the U.S. market?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 27, 2014 in financial services, payments, regulations

October 6, 2014


Starting Off on the Right Note with Mobile Enrollment

In Rodgers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 6, 2014 in authentication, financial services, mobile banking, mobile payments, payments systems

March 24, 2014


The Fraudsters Are Omni-Channel--and Omnipresent

"Omni-channel banking" is an in-vogue term for what bankers have known for quite some time: customers can access multiple channels to conduct their banking, have a preference for one over the others, and that preference to a large degree reflects their ages. Despite their primary preference, these consumers are likely to use multiple delivery channels, and when they do, they want a seamless experience when moving from one to another. The banking industry has struggled to successfully implement such an experience. Achieving this seamlessness is difficult because the industry has historically had a vertical organizational structure, in which each distribution channel has its own strategic plan and sometimes even an independent technology, which leads to differences among the channels. For example, if a customer were to check his or her account balance from an ATM or automated call center, the balance can be different from the balance they would get from a teller inside a branch.

Unfortunately, criminals have also adopted omni-channel usage, and at an even faster pace—they are not concerned with having a transparent or seamless experience. In fact, they seem to be more successful when there are disparate systems because that makes the detection of fraudulent activity more difficult. For example, we have seen criminal attacks move from in-branch armed robberies to ATM cash-out cyberheists. Why risk a physical confrontation and mandatory jail sentence when you can work anonymously and actually get a greater haul? We are also aware of cross-channel fraud activity within the electronic channels. In one case, e-mail phishing attacks led to a customer unwittingly disclosing online banking credentials (user ID and password) and then fraudulent payments or wires being initiated through the online channel. In a recent post, we talked about how criminals often target call centers. They use social engineering techniques to gain sufficient account information to fraudulently access accounts through a variety of channels.

A lesson from these incidents is that financial institutions must take a holistic view of fraudulent activity and not just a channel-specific view. For major losses, they have to perform forensics to determine the channel where the fraudulent effort began, not just the channel where the actual fraudulent transaction occurred. Only after such investigative work can the financial institution identify the weak points in its system and processes and take the necessary steps to fortify them to provide a higher level of protection against future attacks.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 24, 2014 in banks and banking, crime, cybercrime, financial services

July 1, 2013


The Cost of "Free"

Many retail-centric banks have found themselves in a fee-revenue dilemma as the impact of regulations regarding overdraft fees and debit card interchange revenue begins to be felt. After decades of providing "free" services to consumers, these banks are under significant customer pressure to continue this practice even as they roll out new products and services. But this pricing model poses financial risk. The operating expenses of the bank are increasing at the same time that the banks are receiving minimal—if any—incremental revenue.

I recently participated in a conference that had a session comprised of a panel of four MBA students. The goal of the session was for the audience of bankers to better understand the driving forces for financial service decisions by the Gen Y, or millennial, customer. (I wrote a bit about this panel in a previous post.) One eye-opening statement universally shared by the panel was the expectation that mobile banking and mobile banking services be provided free of charge. When asked for a justification, they believe that by using the mobile channel they "saved" the bank money over writing a check or going into a branch office. When further questioned as to how the bank was going to pay for the development and operating expenses of such new products and services, their response was essentially that they believe the bank earns sufficient revenue from its lending operations, including credit cards and installment and mortgage loans. I am sure that many other consumer segment groups have this attitude as well.

After Regulation II capped debit card interchange fees for banks with assets exceeding $10 billion, some banks announced they would begin charging a monthly debit card fee. Consumer and media response was so negative that banks withdrew the proposed fee changes. Subsequently, many banks changed their checking account service fee waiver conditions by raising minimum balance requirements, requiring other account relationships (to provide additional revenue support), or eliminating some previously bundled services. The Bankrate 2012 Checking Survey found that only 39 percent of banks were offering free checking without a minimum balance requirement or maintenance fee. This percentage is down from 45 percent in 2011 and 76 percent in 2009. Credit unions have not followed suit—the number of them offering free checking is holding fairly steady at around 72 percent.

Is there anything banks can do to shift consumers' expectations and ease some of the financial risk associated with controlling operating expense levels? We would like to hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 1, 2013 in financial services, mobile banking, regulations

November 21, 2011


Remote deposit capture: If you expand it, will fraud come?

It has been nearly two years since Portals and Rails focused on remote deposit capture (RDC). In just this short period, the RDC market has grown significantly and changed rapidly. This growth and change has led to approximately 13 percent of checks being deposited as images at the bank of first deposit, according to the 2010 Federal Reserve Payments Study. In addition, financial institutions and banks, which initially offered RDC capabilities primarily to their commercial customers, are now broadening these services to include their retail customers. Even the hardware used for RDC is evolving from desktop scanners to mobile phones. Despite this growth and evolution, RDC fraud has been minimal, much as my colleague, Cindy Merritt, discussed in an April 2009 post.

According to a new Celent report, the commercial RDC market is nearing maturity, with an estimated 75 percent of U.S. banks and 50 percent of U.S. financial institutions offering at least one RDC service. Given this mature commercial market, any future growth of RDC services should be expected via retail consumers. This growth will come from the adoption of retail RDC services by banks and financial institutions as well as the expansion of the service into new payment products—most notably, prepaid cards. As RDC usage expands to more retail consumers and additional payment products, we have to wonder if fraud associated with it will rise or continue to be held under control.

[Figure: Lowest Client Growth Rate in Six Years]

Current risk assessment

According to the 2011 Payments Fraud and Control Survey from the Association of Financial Professionals, only 1 percent of surveyed organizations responded that someone had used their electronic check conversion service to commit fraud. This figure is unchanged from the 2009 survey.

A similar assessment of RDC fraud recently emerged from the Financial Crimes Enforcement Network (FinCEN). FinCEN analysts identified 1,017 Suspicious Activity Report (SAR) filings related to RDC that banks and credit unions filed between January 1, 2005, and July 31, 2011. More than half of these reports were filed after the start of 2010. These 1,017 RDC-related SARs account for only about 0.1 percent of all bank-filed, check-fraud-related SARs. FinCEN found no real differences between the RDC channel and more traditional check depositing channels when it came to fraud schemes (for example, check kiting and counterfeit or altered checks).

[Figure: Annual RDC SAR Filings]

Will the low level of fraud be sustainable as the service grows?

To date, banks and other financial institutions have successfully managed risks for commercial RDC services. Whether by restricting the use of the service to only its most vetted commercial clients or limiting the value of allowable remote deposits, banks have implemented risk controls to effectively minimize their risk and fraud exposure associated with RDC.

Banks and financial institutions are now beginning to cast the RDC net into their retail channels. Ally Bank offers its retail customers RDC through the traditional scanner and computer model, while USAA, J.P. Morgan Chase, PNC Bank, and U.S. Bank all now offer mobile RDC for retail consumers. Bank of America is targeting a second-quarter 2012 launch for its retail mobile RDC service. With banks and financial institutions expanding this service to a retail customer base that often undergoes less stringent due diligence than do their commercial customers, is the potential for fraud increasing?

The general-purpose reloadable (GPR) prepaid card market offers a significant growth opportunity for mobile RDC. With this service, GPR prepaid cardholders—many of whom are unbanked—would be able to load funds directly onto their prepaid cards without having to walk into a store, in the same way the service now allows banking customers to deposit checks into their direct deposit accounts.

According to a recent paybefore.com article, several third-party service providers have the risk-management software to enable mobile RDC for the prepaid industry. Interestingly, these third-party software providers will accept the risk of the mobile RDC transactions, taking the responsibility from the prepaid program manager or issuer. However, the inherent dearth of information about GPR prepaid users compared to retail and, especially, commercial banking customers makes RDC services more vulnerable to fraud with this group. In fact, prepaid card users may be unbanked because they have a poor, or no, credit history or they lack appropriate identification and credentials to open a banking account.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 21, 2011 in banks and banking, financial services, mobile banking


October 11, 2011


High-impact events in a warming world: Business continuity planning for retail payments

Which will be the first to reopen after a major disaster: your financial institution or the local Waffle House? In some cases, you may be able to order your hash browns smothered, covered, peppered, and chunked before electricity is restored to your usual ATM. The breakfast chain invested heavily in crisis management planning following Hurricane Katrina, and today is recognized as one of the most responsive American companies to disasters. Whether the move was more about building goodwill and trust among customers or about profitability, the underlying operational risk management principles Waffle House employed apply equally to financial institutions and third-party payment processors.

Appropriate operational risk management for any organization includes business continuity planning for even unlikely disasters. In fact, this year's extreme weather highlights the need to prepare for even low-probability but high-impact events. In February, unprecedented snowfall blanketed Chicago. Record numbers of tornadoes ravaged the Southeast this April. Floodwaters swelled the Mississippi River to a new high in May. Just last month, historic flooding menaced the Northeast. Such disastrous weather leads not only to evacuations, grounded flights, and missed school days, but also could affect the ability of banks to maintain retail payment systems. Tellers may not be able to make it into branches to accept deposits and process withdrawals. Flooding can damage ATMs and the cash and checks they contain. Tornadoes may wreck back office processing centers or knock out the electricity and network connectivity critical for clearing and settling transactions on time.

Evidence indicates that global warming is causing an increase in extreme weather. Apart from being frightening, greater volatility in the weather requires a different approach to business continuity risk assessments. And this instability makes it difficult or impossible to determine the actual likelihood of a disruption. As part of a lessons-learned debriefing from Hurricane Katrina, the Federal Financial Institutions Examination Council emphasized that preparing for just this kind of disaster is critical. The agency's advice is to focus on potential outcome, not probability, in assessing business continuity plans:

The impact rather than the source of the threat should guide the development of disaster recovery and business continuity plans.... However, every threat that could pose a high adverse impact generally warrants further consideration regardless of its probability of occurrence.

The Bank for International Settlements has recognized the importance of business continuity planning for the financial services industry, so in 2006, it came out with seven high-level principles that can serve to direct financial institution and payment processor risk management efforts. These principles underline the importance of explicitly considering and preparing for major disruptions and acknowledge that such disruptions are occurring with increasing frequency. They also advise clear and regular communication with affected parties internal and external to the affected business, and note that ultimate responsibility for operational risk rests with senior management and the board of directors of the organization. Once implemented, plans should also be periodically tested and refined as necessary.

In a world that isn't always predictable, strong business continuity plans hinge on making sure businesses are ready for the unexpected. The mission-critical nature of retail payments should challenge financial institutions to be at least as prepared as the local diner.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

October 11, 2011 in banks and banking, financial services, payments systems, risk management
