Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

November 23, 2015

Bitcoin's Bright Side

My kids' anticipation for the holiday season is at an all-time high because of the upcoming release of the new Star Wars movie. They are fans of Yoda, Chewbacca, and Luke, but are obsessed with the "Dark Side" and its band of characters, most notably Darth Vader. There is something about the mystery of the "dark side" that draws people in. Perhaps that is one reason that so much of the media coverage and discussion of Bitcoin has been focused on its being the preferred payment instrument for criminal enterprises.

Because the Bitcoin protocol does allow for a level of anonymity that is attractive to criminals, the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Act compliance risks are heightened for transactions with bitcoin. Over the past several years, companies have emerged within the Bitcoin ecosystem seeking to make it more accessible to obtain and easier to use for legitimate payments. But how do they manage the BSA/AML compliance risks?

To minimize these risks, companies in the Bitcoin ecosystem are adopting policies, practices, and procedures that leverage the transparency but also minimize risks associated with the level of anonymity Bitcoin offers. These practices are intended to make Bitcoin a safer payment system, while also enhancing the ability of financial institutions, which might otherwise be cautious about the BSA/AML risks, to bank Bitcoin-related companies successfully.

The Retail Payments Risk Forum took a deep dive into the types of companies entering the Bitcoin ecosystem, assessing the regulatory landscape and identifying measures that these companies can take to fulfill regulatory obligations and minimize BSA/AML regulatory compliance risks. Among one of the measures identified in a paper available on the Atlanta Fed's website, Bitcoin-related companies should have a BSA/AML compliance program in place that is led by a dedicated compliance officer with support from a staff of professionals.

Just as in the Star Wars movies, which depict the ongoing struggle between the good guys—the Rebels—and the Dark Side, Bitcoin will continue to have a tug of war between the good forces and the bad. While the criminal element will continue to force attention to the risks of Bitcoin, it will be up to the new entrants into the Bitcoin ecosystem to mitigate these risks if Bitcoin is to enter the mainstream. Details on managing BSA/AML risks associated with Bitcoin can be found in the paper.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 23, 2015 in regulations, regulators | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 2, 2015

Will NACHA's Same-Day ACH Rules Change Be an Exception-Only Service, At Least in the Short Term?

In May 2015, the 40-plus voting members of NACHA contingently approved mandating the acceptance of domestic same-day ACH payments by receiving banks. The voting members approved a three-phase development lasting 18 months. The first phase, starting in September 2016, is limited to credit pushes, followed one year later by debit pulls in the second phase. All payments are subject to a $25,000 maximum. By the final phase in March 2018, receiving banks will be required to make credit payments available to the receiving account holder by 5 p.m. local time to the receiving bank. Funds availability in the earlier phases is by the receiving bank's end-of-processing day. The service offers both a morning and afternoon processing window. A same-day return-only service is offered at the end of the business day. Lastly, originating banks are obligated to pay a 5.2 cent fee for every payment to recover costs to receiving banks.

Last month, the Federal Reserve Board of Governors removed the contingent part of the above approval by allowing the participation of FedACH, which serves as an ACH operator on behalf of the Reserve Banks. Approval followed a review of comments submitted by the public, of which a preponderance of the responses was favorable to FedACH participating in the service.

This was not the first time NACHA tried to mandate same-day ACH. Back in August 2012, a ballot initiative to mandate acceptance failed to receive a supermajority required for passage. Failure was due to a variety of reasons, and it was difficult to discern one overriding reason.

I think that most observers would agree that the earlier rollout of the Fed's proprietary opt-in, same-day service in August 2010 and April 2013 set the groundwork for mandating same-day.

As with any collaborative organization like NACHA, compromises were needed to garner sufficient votes for passage. The compromises included:

  • Same-day payment eligibility rules change due to a multi-phase development cycle requiring one-and-half years to complete from start to finish.
  • Providing certainty to the receiver that funds availability will be expedited on the day of settlement as part of the final phase, rather than earlier, which only requires posting by the receiving bank's end-of-processing day. The bank's end-of-processing day can be as late as the morning of the following business day.
  • Delaying a debit service by one year after the rollout of the phase one credit service will, to the potential surprise of the payment originator, delay settlement of debits one business day later than would occur for credits.
  • Any payment amount over $25,000 will settle one business day later than the payment originator may have expected if the payment originator is not aware of the payment cap.

Given these compromises, what do you think financial institutions can do to accelerate broader adoption of same-day?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 2, 2015 in ACH, regulations, regulators | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 21, 2015

Mimicking Mother Nature

A few months ago, we had a large colony of bats take up residence in our house. With the issue now resolved, and with everything we had to do to get rid of them, I realize how the whole experience was similar to the tactics of fraudsters and the challenges faced by their victims in taking preventive, detective and corrective action.

We learned of the initial intrusion purely by accident. Previously, we have never had any sign of vermin being able to gain entry, so I thought we had a solid defense. My wife had noticed a small amount of droppings on the back porch but we thought they were from squirrels. Imagine my shock when my adult son informed me we had been invaded by bats. He had discovered them one morning following an overnight stay. Departing for an early tee time, he noticed a swarm of bats flying into a soffit vent crevice. Incredulous, I waited for dusk only to see for myself a constant stream of small brown bats exiting the soffit crevice.

My wife went a little bat crazy as she imagined hoards bats swooping down to carry off one of our grandkids. Actually, she was more concerned about the real threat of respiratory disease from their droppings as well as the potential for rabies. We began to do some research, and I soon learned that bats are a protected species, so they cannot be disturbed unless they are posing an immediate health threat. They weren’t, since they were not in our living space. But the problem intensified, which I realized one evening when I saw an even larger colony emerging from our chimney.

We began contacting companies that specialize in wildlife removal. We found a wide variety of suggested courses of action and prices. We selected one company based on its reputation, process, guaranteed results, and pricing. The company’s first step was to inspect the entire house to identify any other potential points of entry and to seal them. We notified our neighbors so they could be on the lookout to make sure the bats didn’t settle inside their houses. The next step was to install one-way excluders that would permit the bats to leave but not get back in. This seemed to be working well until a group of the bats somehow got word they were being evicted. Trying to find another way into the house, they navigated an interior wall and became trapped. Without water, they soon died and a putrid smell began to emerge. After cutting several holes in the wall, the technicians were able to locate the source and remove the carcasses. After a couple of weeks, the excluders were removed and the entry points sealed so we thought the problem was resolved.

Imagine our further surprise when we returned from vacation and found about 50 dead bats in our unfinished basement. It seems a group had remained and found a chase route from the attic to the basement seeking water. With the disposal of those bats, the problem seems to have finally been resolved. As fall approaches and bats migrate to warmer climates, the threat diminishes, but I can assure you we will be on the alert next spring.

So how does this relate to the payments fraud environment? Some similarities:

  • We thought we had a strong defense perimeter and were safe, but the bats found a way inside given they require an opening of only three-eighths of an inch.
  • While our discovery came shortly after their initial entry, it was only by sheer luck. We could have acted earlier if we had not ignored the early warning sign of their droppings.
  • We thought we had identified the sole location of the problem, but they then migrated to a second entry point.
  • Regulations limited the potential range of actions we could take to deal with the issue.
  • We shared information about the situation with our neighbors so they could be on the alert.
  • We analyzed several different options for dealing with the issue and preventing its recurrence.
  • Despite what we thought was a successful process, other issues arose and required action before there was a final resolution.

This experience with Mother Nature has provided us a learning opportunity and we are better informed and on the alert for future such events.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 21, 2015 in fraud, regulations, risk, risk management | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 24, 2015

Payroll Cards at Interstate Speed

State lines happen fast in New England, which is where I call home. In this part of the country, it's not uncommon for people living in one state to commute for employment to a neighboring state. One could pay property tax enjoying the motto "Live free or die" (New Hampshire) while paying income tax to the Bay State (Massachusetts). Employees may not take much notice of state employment law, but employers almost certainly do. I'm thinking that minimum wage, tax rates, and corporation law would be key factors for an employer to consider, but do payroll card laws also fit into the evaluation?

Payroll cards are prepaid cards onto which an employer loads wages. They offer an alternative to paychecks or direct deposits, and are subject to a different sort of regulation. Outside of a federal law prohibiting an employer from mandating the exclusive use of a payroll card, states are generally free to develop their own legislation governing payroll cards. In Maine, for example, employers can offer payroll cards if they give their employees free access to full pay. Connecticut goes one step further, requiring employers to provide certain disclosures and prohibiting overdrafts and certain fees. Massachusetts does not have any law for or against payroll cards. Somewhere in the middle is Vermont, which allows payroll cards with certain disclosures as long as employees receive three free transactions monthly. Proposed New York legislation would go so far as to require employees to sign a written consent form—printed with a large, 12-point font—to be retained for six years following the cessation of the employment relationship.

And that's only in my home of New England. Out of 50 possibilities, I've mentioned only fragments of only five state laws. Outside of this area, payroll-card-related legislation is being introduced or pending in 12 states.

Regulation E has covered payroll cards since 2006. Regulation E includes (i) protection to employees so they do not have to receive wages via electronic funds transfers with a particular institution; (ii) access to statements, balances, and transaction histories; (iii) clear and conspicuous disclosures; and (iv) error resolution and limited liability. In January 2016, we expect the final version of the Consumer Financial Protection Bureau's Rule on Prepaid to be published.

Because payroll cards are already covered under Regulation E, only two significant issues are applicable in the pending rule. First, credit and overdraft services, while not prohibited, will be subject to compulsory use provisions and Regulation Z's definitions of credit and periodic statement requirements. Second, disclosures will carry a bold print warning, "You do not have to accept this payroll card. Ask your employer about other ways to get your wages."

What federal regulation doesn't touch is the type and amount of fees assessed on payroll cards. Regulation E provides only that fees are disclosed. Certain industry stakeholders such as National Branded Prepaid Card Association, Consumer Action, MasterCard, and the Center for Financial Services Innovation have worked to develop industry standards. Simply speaking, most agree that cardholders should have access to full wages each pay period without cost and that they should be able to perform basic functions without incurring unreasonable fees.

Best practices give the industry the ability to fill gaps and stay nimble to changing technology, fraud schemes, and consumer needs. The CFPB even says in their proposed rules, "Employees may not always be aware of the ways in which they may receive their wages, because States may have differing and evolving requirements." Does state-by-state regulation ultimately fill the gaps needed, especially in a system that crosses state lines so often?

And in case you didn't know it, National Payroll Card Week starts September 7, a day that also happens to be Labor Day.

Photo of Jessica J. Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 24, 2015 in prepaid, regulations, regulators | Permalink


Studies by the Federal Reserve and others show the least expensive and most convenient method for a LMI employee to receive their pay is a payroll card. As noted in this article it is also the most regulated. Why so much attention is given to payroll cards when 80% of employees are direct deposit and faced with exorbitant bank fees for overdrafts and minimum balance is mind boggling. The premise that if it is offered by the employer it must be bad for the worker is painting an entire population with the same prejudicial brush

Posted by: Carl Morris | August 25, 2015 at 11:45 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 18, 2015

A Presumption of Innocence

Presumption of innocence is a principle that goes all the way back to Roman law. This concept means that if reasonable doubt remains after the accuser presents his or her proof, then the accused must be acquitted. In the payments ecosystem, the guilty is defined as the party that the account holder or cardholder has not authorized to conduct a transaction on that account or card. According to the 2013 triennial Federal Reserve Payments Study, the estimated number of unauthorized ACH transactions in 2012 reached a total of $1.2 billion.

With dollar stakes so high, reaching a guilty verdict when fraud has been committed is important. What is the best due process to identify the guilty while ensuring the preservation of the rights of the accused?

In 2009, NACHA members passed a rule change requiring financial institutions (FI) to keep the percentage rate of unauthorized transaction returns below 1 percent per originating company. If an originating company reaches the unauthorized return threshold, NACHA will contact the originating FI to investigate and resolve any potential issues that can lead to rules violations and fines. Some of the reasons an ACH transaction can be returned unauthorized include the following: the entry amount is different than the amount that was authorized, the debit was processed earlier than authorized, the transaction was fraudulent, the transaction sender is unrecognized, the check conversion was done improperly, or a previous authorization has already been revoked. Unauthorized transactions can even be a result of the receiving party committing the fraud, by reporting the transaction as unauthorized but still in receipt of goods and services. The rule change set an expectation that FIs would monitor unauthorized returns received for each originating company name over a two-month period.

Monitoring for unauthorized activity unveils a number of payment issues, but there are more opportunities to identify the guilty. The ACH operator provides unauthorized return rate data, representing returns coded properly with NACHA’s unauthorized return reason codes (R05, R07, R10, R29 or R51). If a disputed transaction is improperly coded or returned with a different code, the transaction would not factor into current unauthorized return monitoring. Regulation E provides consumer protections that require FIs to provide error resolution beyond the NACHA return deadlines and therefore such disputed transactions will also fall outside unauthorized monitoring, unless the FI manually adjusts return counts. Additionally, unauthorized transactions are sometimes quickly returned under the codes for "insufficient funds, "invalid account" or "unable to locate an account." These codes should also be monitored in order to uncover guilty originators.

Effective September 18, 2015, a new NACHA rule will lower the unauthorized transaction return rate to half a percent. In addition two new thresholds will be introduced to monitor other return reason codes that can unveil guilty originators while improving overall network quality. Thresholds are meant to provide a red-flag approach to return monitoring. However, return rates over or near the threshold should trigger investigation and due process before a final verdict is rendered.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 18, 2015 in regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference A Presumption of Innocence:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 11, 2015

The Hill Tackles Cybersecurity

In a post last month, Take on Payments highlighted recent cybersecurity-related executive orders. Cybersecurity has been a hot item inside the Beltway in 2015, and the activity hasn't been limited to the executive office. Beginning on April 22, the House passed two separate cybersecurity bills. And now all eyes are on the Senate, as it looks like a vote on its own cybersecurity bill is set to take place later in May. Today's Take On Payments post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.

Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information (PII). The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments. To further promote and protect individual privacy, it requires that the Department of Justice (DOJ) periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity. Finally, this bill directs the Cyber Threat Intelligence Integration Center (CTIIC), under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.

National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is to also encourage information sharing of cyber related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security (DHS) to do so. In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cybersecurity and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its non-federal representatives. As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS performs an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.

Cybersecurity Information Sharing Act (CISA) of 2015 (S. 754)
The Senate's version of cybersecurity legislation is a companion bill to the two recently passed House bills and combines tenets of both of them. It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. The DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.

The goal of information sharing featured in these bills is the hope both government and private sector would benefit. As evidenced by the participation of a significant number of financial institutions (FIs) with the Financial Services Information Sharing and Analysis Center, many FIs are seeing value to sharing cybersecurity information within their own sectors. Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement. Whether or not these bills accomplish the goals of creating a private environment to safely share cybersecurity information and risks, I think the payments industry and other private industries would benefit from sharing information among themselves and with government and law enforcement agencies.

Photo of David Lott By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 11, 2015 in collaboration, consumer protection, cybercrime, law enforcement, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference The Hill Tackles Cybersecurity:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 22, 2014

Top 10 Payments Events in 2014

As the year draws to a close, the Portals and Rails team would like to share its own "Top 10" list of major payments-related events and issues that took place in the United States this year.

#10: Proposed prepaid rule. After a long wait, the Consumer Financial Protection Bureau issued its proposed rules on general reloadable prepaid cards in November. While the major players in the prepaid card industry had already adopted most of the practices included in the proposed rule, the proposal allowing overdrafts and credit extensions is likely to generate differing perspectives during the comment period before a final rule is adopted in 2015.

#9: Regulation II. The U.S. Circuit Court of Appeals for the District of Columbia upheld the Federal Reserve Bank's rules regarding interchange fees and network routing rules, reversing a 2013 decision. Notice of appeal on the interchange fee portion of the ruling has been given, but resolution of the network routing rules has cleared the way for the development of applications supporting routing on chip cards.

#8: Payment trends. The detailed Federal Reserve Bank's triennial payments study results were released in July 2014, continuing the Fed's 15-year history of conducting this comprehensive payments research. Cash usage continued to decline but remained the most-used form of payment in terms of transaction volume.

#7: Card-not-present (CNP) fraud. With the growing issuance of chip cards and the experience of other countries post-EMV migration—with substantial amounts of fraud moving to the online commerce environment—the payments industry continues to search for improved security solutions for CNP fraud that minimize customer friction and abandonment.

#6: Faster payments. Continuing a process it began in the fall of 2013 at the release of a consultative white paper, the Federal Reserve Bank held town halls and stakeholder meetings throughout the year in preparation of the release of its proposed roadmap towards improving the payment system.

#5: Virtual currencies. Every conference we attended had sessions or tracks focused on virtual currencies like Bitcoin. While there was some advancement in the acceptance of Bitcoin by major retailers, the number of consumers using the currency did not rise significantly.

#4: Mobile payments. The entry of Apple with its powerful brand identity into the mobile payments arena with Apple Pay has energized the mobile payments industry and brought improved payment security through tokenization and biometrics closer to the mainstream. (Apple Pay's impact on mobile payment transaction volume will likely be negligible for a couple of years.) Additionally, the use of host card emulation, or HCE, as an alternative contactless communications technology provides another option for mobile wallet development.

#3: EMV migration. The frequency and magnitude of the data breaches this year have spurred financial institutions and merchants alike into speeding up their support of EMV chip cards in advance of the October 2015 liability shift.

#2: Third-party processors. Regulators and law enforcement escalated the attention they were giving to the relationships of financial institutions with third-party processors because of increased concerns about deceitful business practices as well as money laundering.

And…drum roll, please!

#1: Data breaches. The waves of data breaches that started in late 2013 continued to grow throughout 2014 as more and more retailers revealed that their transaction and customer data had been compromised. The size and frequency of the data breaches provided renewed impetus to improve the security of our payments system through chip card migration and the implementation of tokenization.

How does this list compare to your Top 10?

All of us at the Retail Payments Risk Forum wish our Portals and Rails readers Happy Holidays and a prosperous and fraud-free 2015!

Photo of Mary Kepler Photo of Doug King Photo of David Lott Photo of Julius Weyman

Mary Kepler, vice president; Doug King, payments risk specialist; Dave Lott, payments risk expert; and Julius Weyman, vice president—all of the Atlanta Fed's Retail Payments Risk Forum.

December 22, 2014 in chip-and-pin, cybercrime, data security, EMV, innovation, mobile payments, prepaid, regulations, third-party service provider | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Top 10 Payments Events in 2014:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 8, 2014

Under Pressure: The Fate of the Independent ATM Operators

The ATM industry in the United States is facing many challenges. For one, the interchange rates that networks pay to ATM owners have been halved over the last five years, transaction surcharges are topping off, and operating expenses are escalating. These financial strains may be hardest for the thousands of small business entrepreneurs in the United States who own and operate ATMs independent of those that belong to financial institutions (FIs). (Non-FI owners/operators are responsible for an estimated 65 percent of all U.S. ATMs.) For another, at least for the small-business independents, a changing landscape is placing pressure on the relationships the independent owners/operators have with their FIs.

I recently attended and spoke at the National ATM Council's (NAC) annual conference. NAC is a nonprofit national trade association that represents the business interests of these non-FI ATM owners and operators. During the conference, I spoke with many of the attendees to learn more about the key drivers and concerns of their business. The biggest concern many owners/operators expressed is their sponsoring FI will classify them as a high-risk business and terminate their banking relationship. (Many FIs are in the process of "de-risking" their portfolios.) FIs may mistakenly classify these operators as money service businesses (MSB), since they dispense cash, even though state regulators do not consider them as such. Two factors are contributing to this confusion: guidance from the FFIEC's examiner manual that cautions financial institutions that criminals can use ATMs to launder funds, and an organizational structure that has sub-ISOs (that is, independent sales organizations), which can make ownership of all the ATMs unclear.

In actuality, the ability of ATM operators to launder money through an ATM is quite restricted beyond the initial funds placed in the terminal. The processors and networks, which are totally independent from the owners, generate financial reports that show the amount of funds that an ATM dispenses in any given period. So if the reports show an ATM paid out $5,000 in a month, the ATM owner can only justify resupplying the ATM with $5,000, plus a little reserve. In other words, controls maintained by independent parties clearly document the funds flowing through the ATM. Additionally, the non-FI sponsorships are dominated by four highly regarded financial institutions with strict AML/BSA programs that validate the initial funding of the ATM and monitor ongoing activity.

My advice to the group to try to avoid having their business relationship questioned or, worse, terminated, was to work proactively with the financial institution providing their settlement service and cash supply needs. Make sure their account officers understand how their businesses operate and know the controls that are in place to make money laundering unlikely to happen. And if you work for an FI that works with non-FI ATM owners/operators, don’t be surprised if they come calling on you.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 8, 2014 in ATM fraud, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Under Pressure: The Fate of the Independent ATM Operators:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 17, 2014

Consumer Prepaid Protections May Be Catching Up with Prepaid Use

On November 13, the Consumer Financial Protection Bureau (CFPB) issued its much-anticipated notice of proposed rulemaking of consumer protections for the prepaid market. This proposed rule covers multiple facets related to the prepaid industry, including disclosure requirements, fraud protection, access to account information, and the provisioning of credit via overdraft. Today's blog will provide a brief, high-level summary of this rule.

What is and isn't covered under this rule?
This rule redefines a "prepaid account" under Regulation E (Reg E). Prepaid products include cards, codes, and other devices capable of being loaded with funds that are not currently covered by Reg E and are usable at multiple, unaffiliated merchants and ATMs, and for person-to-person transfers. Gift cards, and certain related cards, are excluded.

Disclosure requirements
The rule requires that card issuers use two forms to disclose fees. The short form discloses four types of fees: monthly account fees, cash reload fees, ATM transaction fees, and purchase transaction fees. The rule proposes the use of a model form that establishes a safe harbor for compliance to the short-form requirement. The long form describes all of the potential account fees and the conditions under which these fees are assessed, as well as the fees that short form includes. Both disclosures must be made available to the consumer before the opening of an account.

Fraud protection
The rule modifies Reg E to require that issuers adopt error resolution procedures and limited liability for prepaid accounts. Reg E coverage limits a prepaid consumer's liability for unauthorized transfers to $50, assuming that the consumer gives timely notice to the financial institution and the card has been registered. Further, financial institutions would be required to resolve certain errors to prepaid consumer accounts.

Access to account information
The rule also modifies Reg E to require that financial institutions provide prepaid account holders with free access to periodic statements or that they make available to the consumer the account balance and at least 18 months of account transaction history. These periodic statements and transaction histories must include a summary of monthly and annual fees in addition to a listing of all deposits and debits.

Overdraft protection
The rule allows for issuers of prepaid accounts to offer overdraft services and other credit features. However, issuers that offer these services or features for a fee are subject to Regulation Z (Reg Z) credit card rules and disclosure requirements which, among other things, requires them to evaluate whether consumers can repay their debt. The issuer is required to obtain a consumer's consent before adding these services to accounts and must provide consumers with a periodic statement of the credit and provide at least 21 days to repay the debt. Should a product offer overdraft or other credit features, it must be disclosed in the disclosures of the short and long forms.

The CFPB is seeking public comment for a 90-day period, beginning with its publication in the Federal Register.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 17, 2014 in consumer protection, prepaid, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Consumer Prepaid Protections May Be Catching Up with Prepaid Use:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 27, 2014

ISO 20022 in the United States: What, When, Why, and How?

At the October 2014 Sibos conference in Boston, there was considerable discussion about the International Organization for Standardization (ISO) 20022 standard, which many major non-U.S. financial markets began moving toward a few years ago. ISO 20022 is a public international standard for financial sector global business messaging that facilitates the processing and exchange of financial information worldwide.

In Canada, adoption drivers include the use of domestic messaging standards in proprietary ways that created inefficiencies and the need for enhanced remittance data to add straight-through processing and automated reconciliation, according to a Canadian speaker at the conference. A speaker from Australia explained how the new real-time payment system that country is building will use ISO 20022, and one of the drivers is the desire for rich data to enable automation.

The United States is behind in the adoption curve, which raises the question, why? Several Sibos sessions included discussion of a study commissioned by an industry stakeholder group and conducted by the advisory firm KPMG. (The stakeholder group—which consists of representatives from the New York Fed, the Clearing House Payments Company, NACHA–The Electronic Payments Association, and the Accredited Standards Committee X9—formed to evaluate the business case of U.S. adoption of the ISO 20022 standard.)

KPMG interviewed participants of markets already moving toward adoption and found that adoption was largely driven by both infrastructure change, as in the Australian example, and regulatory requirements. In addition, many U.S. firms, beyond the large financial institutions and corporations, lack in-depth knowledge about ISO 20022. Two additional barriers in the United States are (1) the exact costs of ISO 20022 implementation are difficult to pinpoint, in part because they vary by participant, and (2) the country has no industry mandate for adopting the standard.

In one conference session, a speaker categorized some of the strategic reasons the United States should move forward, framing them in terms of the risks of nonadoption. These reasons include:

  • Commercial reasons: The U.S. industry will have to bear the incremental costs of maintaining a payments system that does not integrate seamlessly with an emerging global standard.
  • Competitive reasons: Many countries are experiencing such benefits of the ISO standard as increased efficiencies and rich data content, but U.S. corporations and financial institutions will fall farther behind.
  • Policy reasons: The U.S. market will become increasingly idiosyncratic, with more payment transactions conducted in currencies other than the U.S. dollar.

Recommendations from the KPMG study include initiating adoption of the ISO 20022 standard in this country first for cross-border activity, starting with wires, and then ACH. The U.S. industry should then reassess domestic implementation.

Because communication is keenly important to overcoming the lack of knowledge of ISO 20022 in the U.S. market, the stakeholder group is currently focusing on educating affected groups about the key observations and findings of the KPMG study.

No particular timetable or course of action has been determined for U.S. adoption, which makes it the ideal time for industry input. What's your institution's perspective on the adoption of the ISO 20022 standard in the U.S. market?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 27, 2014 in financial services, payments, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference ISO 20022 in the United States: What, When, Why, and How?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

November 2015

Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          



Powered by TypePad