About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

February 5, 2018


Elements of an Ethical Data Policy

In my last post, I introduced the issue of ethical considerations around data collection and analytics. I asked if, along with the significant expansion of technical capabilities over the last five years, there had been a corresponding increase in awareness and advancement of the ethical issues of big data, such as privacy, confidentiality, transparency, protection, and ownership. In this post, I focus on the disclosures provided to users and suggest some elements concerning ethics to include in them.

The complexities of ethics policies

As I've researched the topic of big data, I've come to realize that developing a universal ethics policy will be difficult because of the diversity of data that's collected and the many uses for this data—in the areas of finance, marketing, medicine, law enforcement, social science, and politics, to name just a few.

Privacy and data usage policies are often disclosed to users signing up for particular applications, products, or services. My experience has been that the details about the data being collected are hidden in the customer agreement. Normally, the agreement offers no "opt-out" of any specific elements, so users must either decline the service altogether or begrudgingly accept the conditions wholesale.

But what about the databases that are part of public records? Often these public records are created without any direct communication with the affected individuals. Did you know that in most states, property records at the county level are available online to anyone? You can look up property ownership by name or address and find out the sales history of the property, including prices, square footage, number of bedrooms and baths, often a floor plan, and even the name of the mortgage company—all useful information for performing a pricing analysis for comparable properties, but also useful for a criminal to combine with other socially engineered information for an account takeover or new-account fraud attempt. Doesn't it seem reasonable that I should receive a notification or be able to document when someone makes such an inquiry on my own property record?

Addressing issues in the disclosure

Often, particularly with financial instruments and medical information, those collecting data must comply with regulations that require specific disclosures and ways to handle the data. The following elements together can serve as a good benchmark in the development of an ethical data policy disclosure:

  • Type of data collected and usage. What type of data are being collected and how will that data be used? Will the data be retained at the individual level or aggregated, thereby preventing identification of individuals? Can the data be sold to third parties?
  • Accuracy. Can an individual review the data and submit corrections?
  • Protection. Are people notified how their data will be protected, at least in general terms, from unauthorized access? Are they told how they will be notified if there is a breach?
  • Public versus private system. Is it a private system that usually restricts access, or a public system that usually allows broad access?
  • Open versus closed. Is it a closed system, which prevents sharing, or is it open? If it's open, how will the information will be shared, at what level, and with whom? An example of an open system is one that collects information for a governmental background check and potentially shares that information with other governmental or law enforcement agencies.
  • Optional versus mandatory. Can individuals decline participation in the data collection, or decline specific elements? Or is the individual required to participate such that refusal results in some sort of punitive action?
  • Fixed versus indefinite duration. Will the captured data be deleted or destroyed on a timetable or in response to an event—for example, two years after an account is closed? Or will it be retained indefinitely?
  • Data ownership. Do individuals own and control their own data? Biometric data stored on a mobile phone, for example, are not also stored on a central storage site. On the other hand, institutions may retain ownership. Few programs are under user ownership, although legal rights governing how the data can be used may be made by agreement.

What elements have I missed? Do you have anything to suggest?

In my next post, I will discuss appropriate guiding principles in those circumstance when individuals have no direct interaction with the collection effort.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 5, 2018 in consumer protection, innovation, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 29, 2018


Big Data, Big Dilemma

Five years ago, I authored a post discussing the advantages and pitfalls of "big data." Since then, data analytics has come to the forefront of computer science, with data analyst being among the most sought-after talents across many industries. One of my nephews, a month out of college (graduating with honors with a dual degree in computer science and statistics) was hired by a rail transportation carrier to work on freight movement efficiency using data analytics—with a starting salary of more than $100,000.

Big data, machine learning, deep learning, artificial intelligence—these are terms we constantly see and hear in technology articles, webinars, and conferences. Some of this usage is marketing hype, but clearly the significant increases in computing power at lower costs have empowered a continued expansion in data analytical capability across a wide range of businesses including consumer products and marketing, financial services, and health care. But along with this expansion of technical capability, has there been a corresponding heightened awareness of the ethical issues of big data? Have we fully considered issues such as privacy, confidentiality, transparency, and ownership?

In 2014, the Executive Office of the President issued a report on big data privacy issues. The report was prefaced with a letter that included this caution:

Big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace. Americans' relationship with data should expand, not diminish, their opportunities and potential.

(The report was updated in May 2016.)

In the European Union, the 2016 General Data Protection Regulation was adopted (enforceable after 2018); it provides for citizens of the European Union (EU) to have significant control over their personal data as well as to control the exportation of that data outside of the EU. Although numerous bills have been proposed in the U.S. Congress for cybersecurity, including around data collection and protection (see Doug King’s 2015 post), nothing has been passed to date despite the continuing announcements of data breaches. We have to go all the way back to the Privacy Act of 1974 for federal privacy legislation (other than constitutional rights) and that act only dealt with the collection and usage of data on individuals by federal agencies.

In a future blog post, I will give my perspective on what I believe to be the critical elements in developing a data collection and usage policy that addresses ethical issues in both overt and covert programs. In the interim, I would like to hear from you as to your perspective on this topic.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 29, 2018 in consumer protection, innovation, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 4, 2017


What Will the Fintech Regulatory Environment Look Like in 2018?

As we prepare to put a bow on 2017 and begin to look forward to 2018, I can’t help but observe that fintech was one of the bigger topics in the banking and payments communities this year. (Be sure to sign up for our December 14 Talk About Payments webinar to see if fintech made our top 10 newsworthy list for 2017.) Many industry observers would likely agree that it will continue to garner a lot of attention in the upcoming year, as financial institutions (FI) will continue to partner with fintech companies to deliver client-friendly solutions.

No doubt, fintech solutions are making our daily lives easier, whether they are helping us deposit a check with our mobile phones or activating fund transfers with a voice command in a mobile banking application. But at what cost to consumers? To date, the direct costs, such as fees, have been minimal. However, are there hidden costs such as the loss of data privacy that could potentially have negative consequences for not only consumers but also FIs? And what, from a regulatory perspective, is being done to mitigate these potential negative consequences?

Early in the year, there was a splash in the regulatory environment for fintechs. The Office of the Comptroller of the Currency (OCC) began offering limited-purpose bank charters to fintech companies. This charter became the subject of heated debates and discussions—and even lawsuits, by the Conference of State Bank Supervisors and the New York Department of Financial Services. To date, the OCC has not formally begun accepting applications for this charter.

So where will the fintech regulatory environment take us in 2018?

Will it continue to be up to the FIs to perform due diligence on fintech companies, much as they do for third-party service providers? Will regulatory agencies offer FIs additional guidance or due diligence frameworks for fintechs, over and above what they do for traditional third-party service providers? Will one of the regulatory agencies decide that the role of fintech companies in financial services is becoming so important that the companies should be subject to examinations like financial institutions get? Finally, will U.S. regulatory agencies create sandboxes to allow fintechs and FIs to launch products on a limited scale, such as has taken place in the United Kingdom and Australia?

The Risk Forum will continue to closely monitor the fintech industry in 2018. We would enjoy hearing from our readers about how they see the regulatory environment for fintechs evolving.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

December 4, 2017 in banks and banking, financial services, innovation, mobile banking, regulations, regulators, third-party service provider | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 18, 2017


The Rising Cost of Remittances to Mexico Bucks a Trend

From time to time, I like to look back at previous Risk Forum activities and see what payment topics we've covered and consider whether we should revisit any. In September 2012, the Risk Forum hosted the Symposium on 1073: Exploring the Final Remittance Transfer Rule and Path Forward. Seeing that almost five years have passed since that event, I decided I'd take another, deeper look to better understand some of the effects that Section 1073 of the Dodd-Frank Act has had on remittances since then. I wrote about some of my findings in a paper.

As a result of my deeper look, I found an industry that has been rife with change since the implementation of Section 1073 rules, from both a regulatory and technology perspective. Emerging companies have entered the landscape, new digital products have appeared, and several traditional financial institutions have exited the remittance industry. In the midst of this change, consumers' average cost to send remittances has declined.

Conversely, the cost to send remittances within the largest corridor, United States–Mexico, is rising. The rising cost is not attributable to the direct remittance fee paid to an agent or digital provider but rather to the exchange rate margin, which is the exchange rate markup applied to the consumer's remittance over the interbank exchange rate. As remittances become more digitalized and the role of in-person agents diminishes, I expect the exchange rate margin portion of the total cost of remittance to continue to grow.

Even though the average cost of sending remittances to Mexico is on the rise, I found that consumers have access to a number of low-cost options. The spread between the highest-cost remittance options and the lowest-cost options is significant.

Figure-11

With greater transparency than ever before in the remittance industry, consumers now have the ability to find and use low-cost remittance options across a wide variety of provider types and product options. To read more about the cost and availability of remittances from the United States to Mexico and beyond in a post-1073-rule world, you can find the paper here.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

September 18, 2017 in payments risk, regulations, regulators, remittances, Section 1073, transmitters | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 30, 2017


Pssst…Have You Heard about PSD2?

No, I'm not talking about the latest next-generation video gaming console. I am referring to the revised Directive on Payment Services (PSD2) that the European Parliament adopted in October 2015 and that will serve as the legal foundation for a single market for European Union (EU) payments. The original PSD was adopted in 2007 but, according to official statements, the Parliament found that an update was necessary to incorporate new types of payment services, improve consumer protection, strengthen payment transaction security, and increase competitiveness with an expected result of lower consumer fees in the payments processing market. PSD2 applies only to digital payments and must be in force in all EU countries by January 13, 2018.

The directive and subsequent implementation rules that the European Banking Authority* is developing make a number of major changes in the European banking landscape, including:

  • Opens up the regulated financial services system to merchants and processors who might initiate payments on their consumer customer's behalf as well as data aggregator firms. In particular, PSD2 will apply to any financial institutions already operating within the scope of the PSD but will also apply to third parties such as operators of e-commerce marketplaces, gift card and loyalty plans, bill payment service providers, public communication networks, account access services, mobile wallets, and those who receive payment by direct debit.
  • Requires financial institutions, upon the request of their customers, to allow these approved nonbank, third parties significant, but not unlimited, access to the customer's account and transaction data through APIs (application program interfaces). Many financial institutions see having to turn over customer data to potential competitors as a significant threat to the retention of their customer's business as well as concerns with data security.
  • Sets out two-factor customer authentication as an absolute minimum, with additional security such as one-time passwords required for higher-value transactions. The card issuer must actively authenticate all transactions above 10 euros. Critics of these provisions point out that the criminals will have fixed transaction amounts and authentication methodology information to modify their attacks.
  • Supplementing card interchange limits imposed in December 2015, prevents merchants from adding surcharges to payment card transactions. Under the original directive, each country established rules regarding surcharging on card payments. It has been a common practice of European merchants to levy a surcharge on payment card transactions to offset the interchange fee paid to issuers.

While such a comprehensive single package of regulations is unlikely to occur in the United States, various flavors of these items have been and continue to be discussed. Do you favor such types of regulation here in the United States? I suspect the answer depends on your role in the payments ecosystem. I am interested in hearing from you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed



_______________________________________

* Final rules are expected to be published in January 2017.


January 30, 2017 in emerging payments, mobile payments, payments, payments risk, payments systems, regulations, regulators, risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 9, 2017


The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Office position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMS, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Photo of Mary Kepler
Mary Kepler
Photo of Julius Weyman
Julius Weyman
Photo of Doug King
Doug King
Photo of David Lott
Dave Lott
Photo of Jessica Trundley</span>
</div>
Jessica Washington
Photo of Steven Cordray
Steven Cordray

 

January 9, 2017 in ACH, ATM fraud, cards, chip-and-pin, cybercrime, debit cards, emerging payments, EMV, fraud, mobile banking, mobile payments, P2P, prepaid, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 1, 2016


FFIEC Weighs In On Mobile Channel Risks

In late April, the Federal Financial Institutions Examination Council (FFIEC) released new guidance regarding mobile banking and mobile payments risk management strategies. Titled "Appendix E: Mobile Financial Services," the document becomes part of the FFIEC's Information Technology Examination Handbook. While the handbook is for examiners to use to "determine the inherent risk and adequacy of controls at an institution or third party providing MFS" (for mobile financial services), it can also be a useful tool for financial institutions to better understand the expectations that examiners will have when conducting an exam of an institution's MFS offering.

Consistent with examiners' focus on third-party relationships for the last several years, the document points out that MFS often involves engagement with third parties and that the responsibilities of the parties in those relationships must be clearly documented and their compliance closely managed. Other key areas the document reviews include:

  • Mobile application development, maintenance, security, and attack threats
  • Enrollment controls to authenticate the customer's identity and the payment credentials they are adding to a mobile wallet
  • Authentication and authorization, emphasizing that financial institutions should not use mobile payment applications that rely on single-factor methods of authentication.
  • Customer education efforts to support the adoption of strong security practices in the usage of their mobile devices

The document also identifies and reviews strategic, operational, compliance, and reputation risk issues for the various elements of a financial institution's MFS offering. The final section of the document outlines an examiner's work plan for reviewing an MFS program with seven key objectives. I believe that it would be time well spent for the institution's MFS team to assume the role of examiner and use the work plan as a checklist to help effectively identify and manage the risks associated with an MFS program.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 1, 2016 in bank supervision, banks and banking, financial services, mobile banking, mobile payments, regulations, regulators, third-party service provider | Permalink

Comments

Looking forward to welcoming David Lott to our upcoming Next Money Tampa Bay meetup.

David will be our keynote on Wednesday, Sept 21, 2016 6:00 ~ 8:00 PM

Tampa Bay Wave Venture Center
500 East Kennedy Boulevard 3rd FL
Tampa Florida 33602

All are welcome to attend RSVP at

https://www.meetup.com/NextMoneyTPA/events/233171815/

Posted by: Bruce Burke | August 6, 2016 at 05:22 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 11, 2016


Prisoner Release Cards: How to Protect the Interests of Recently Released Inmates?

I recently watched a late-night comedian criticize prison reentry programs in the United States. The segment focused on the resources—or lack thereof—that are provided to released inmates. One of these resources, I have recently learned, is increasingly a prepaid card.

Upon imprisonment, inmates are given a trust account to hold money that they receive for prison work and from family and friends. When they are released, they may also receive start-up funds to help with the reentry process. According to the Federal Bureau of Prison's Inmate and Custody Management Policy, "an inmate being released to the community will have suitable clothing, transportation to inmate's release destination, and some funds to use until he or she begins to receive income. Based on the inmate's need and financial resources, a discretionary gratuity up to the amount permitted by statute may be granted." While the policy expands the details of what constitutes suitable clothing and the method of transportation, there is no mention of how to disburse funds to the released individuals.

Enter prison-release prepaid cards. Many state and federal prison systems enter into contracts with prepaid card providers pursuant to a public bidding process to provide prison release funds through a prepaid card as an alternative to cash or checks. This shift in disbursement methods may be attributable to concerns about cash controls in the prison setting and the high check-cashing fees some inmates who lack traditional bank accounts incur, to name a couple of possibilities. Regardless of the disbursement method that the correctional agency chooses, this vulnerable population depends on every last penny.

Some people maintain that account fees are too high on these prepaid cards and that agreements with cardholders contain forced arbitration clauses. Could the correctional agency negotiate better terms on behalf of the released prisoner? Or could the inmate possibly be given options for the trust fund distribution—cash, check, prepaid card, or even a Paypal account?

A late-night comedian may have the ability to isolate one slice of the problem with prison release programs, but our regulations shouldn't piece together a solution to an overarching issue. Likewise, there are challenges with creating blanket regulations for a product category like prepaid cards that contains many different products meeting a wide variety of distinct needs, each with unique characteristics and different users. Isn't the goal is to provide released prisoners the freedom to use money that belongs to them, as for any other citizen?

Photo of Jessica J. Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 11, 2016 in prepaid, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 23, 2015


Bitcoin's Bright Side

My kids' anticipation for the holiday season is at an all-time high because of the upcoming release of the new Star Wars movie. They are fans of Yoda, Chewbacca, and Luke, but are obsessed with the "Dark Side" and its band of characters, most notably Darth Vader. There is something about the mystery of the "dark side" that draws people in. Perhaps that is one reason that so much of the media coverage and discussion of Bitcoin has been focused on its being the preferred payment instrument for criminal enterprises.

Because the Bitcoin protocol does allow for a level of anonymity that is attractive to criminals, the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Act compliance risks are heightened for transactions with bitcoin. Over the past several years, companies have emerged within the Bitcoin ecosystem seeking to make it more accessible to obtain and easier to use for legitimate payments. But how do they manage the BSA/AML compliance risks?

To minimize these risks, companies in the Bitcoin ecosystem are adopting policies, practices, and procedures that leverage the transparency but also minimize risks associated with the level of anonymity Bitcoin offers. These practices are intended to make Bitcoin a safer payment system, while also enhancing the ability of financial institutions, which might otherwise be cautious about the BSA/AML risks, to bank Bitcoin-related companies successfully.

The Retail Payments Risk Forum took a deep dive into the types of companies entering the Bitcoin ecosystem, assessing the regulatory landscape and identifying measures that these companies can take to fulfill regulatory obligations and minimize BSA/AML regulatory compliance risks. Among one of the measures identified in a paper available on the Atlanta Fed's website, Bitcoin-related companies should have a BSA/AML compliance program in place that is led by a dedicated compliance officer with support from a staff of professionals.

Just as in the Star Wars movies, which depict the ongoing struggle between the good guys—the Rebels—and the Dark Side, Bitcoin will continue to have a tug of war between the good forces and the bad. While the criminal element will continue to force attention to the risks of Bitcoin, it will be up to the new entrants into the Bitcoin ecosystem to mitigate these risks if Bitcoin is to enter the mainstream. Details on managing BSA/AML risks associated with Bitcoin can be found in the paper.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 23, 2015 in regulations, regulators | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 2, 2015


Will NACHA's Same-Day ACH Rules Change Be an Exception-Only Service, At Least in the Short Term?

In May 2015, the 40-plus voting members of NACHA contingently approved mandating the acceptance of domestic same-day ACH payments by receiving banks. The voting members approved a three-phase development lasting 18 months. The first phase, starting in September 2016, is limited to credit pushes, followed one year later by debit pulls in the second phase. All payments are subject to a $25,000 maximum. By the final phase in March 2018, receiving banks will be required to make credit payments available to the receiving account holder by 5 p.m. local time to the receiving bank. Funds availability in the earlier phases is by the receiving bank's end-of-processing day. The service offers both a morning and afternoon processing window. A same-day return-only service is offered at the end of the business day. Lastly, originating banks are obligated to pay a 5.2 cent fee for every payment to recover costs to receiving banks.

Last month, the Federal Reserve Board of Governors removed the contingent part of the above approval by allowing the participation of FedACH, which serves as an ACH operator on behalf of the Reserve Banks. Approval followed a review of comments submitted by the public, of which a preponderance of the responses was favorable to FedACH participating in the service.

This was not the first time NACHA tried to mandate same-day ACH. Back in August 2012, a ballot initiative to mandate acceptance failed to receive a supermajority required for passage. Failure was due to a variety of reasons, and it was difficult to discern one overriding reason.

I think that most observers would agree that the earlier rollout of the Fed's proprietary opt-in, same-day service in August 2010 and April 2013 set the groundwork for mandating same-day.

As with any collaborative organization like NACHA, compromises were needed to garner sufficient votes for passage. The compromises included:

  • Same-day payment eligibility rules change due to a multi-phase development cycle requiring one-and-half years to complete from start to finish.
  • Providing certainty to the receiver that funds availability will be expedited on the day of settlement as part of the final phase, rather than earlier, which only requires posting by the receiving bank's end-of-processing day. The bank's end-of-processing day can be as late as the morning of the following business day.
  • Delaying a debit service by one year after the rollout of the phase one credit service will, to the potential surprise of the payment originator, delay settlement of debits one business day later than would occur for credits.
  • Any payment amount over $25,000 will settle one business day later than the payment originator may have expected if the payment originator is not aware of the payment cap.

Given these compromises, what do you think financial institutions can do to accelerate broader adoption of same-day?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 2, 2015 in ACH, regulations, regulators | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad