Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
August 16, 2021
Consumer Banking and Dental Woes
I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advance notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive order issued on July 9 aims to make this process a lot less painful for consumers.
The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:
Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.
At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIs as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."
The United States lags behind the UK and the European Union (EU), which both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulations. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.
In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.
Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?
Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.
August 9, 2021
Bank Regulatory Agencies Release New Joint Guidance
Risks stemming from financial institutions' relationships with third-party service providers have been a continuous topic at the Risk Forum during my 10-plus-year tenure. As a quick refresher, third parties are entities that provide products or services to financial institutions (FIs) or on behalf of FIs, and often will have access to an FI's privileged systems. Given the significant growth in the fintech sector and subsequent growing relationships with FIs, understanding the also-growing risks associated with third parties has become critical for many FIs. Traditionally, the three federal bank regulatory agencies (the Federal Deposit Insurance Corp, or FDIC; the Office of the Comptroller of the Currency, or the OCC; and the Federal Reserve) separately issued guidance related to managing third-party risks.
Early in July, these agencies broke from tradition and released joint guidance related to managing third-party risks. This guidance will be open for public comments for 60 days once it is published in the Federal Register.
While the joint agency guidance is not very different, FIs and their third-party providers should welcome it as it is likely to remove any nuances and differences they faced from the separate guidance. After my first extremely fast pass of the lengthy document, it doesn't appear to include major changes but is truly an amalgamation of the previous guidance from these agencies. What is new is that the guidance encourages FIs to collaborate with one another to share information when they can and also share their risk management responsibilities related to regulatory compliance. What is not new is that FIs remain accountable for any risks arising from their third-party agreements.
Managing third-party risks can be a significant burden for FIs depending on the number of such relationships they have and on the depth and breadth of their regulatory and compliance department. No matter the burden, and with the growth in third-party relationships, risk management of third parties is a constant necessity to protect the integrity of the financial system. I encourage any FI or other entity that will be affected by this joint guidance to review it and let their voices be heard during the public comment period.
July 20, 2020
Innovation with an Eye on Safety: Let Your Voice Be Heard!
Balancing safety and innovation in banking and payments is critical. The Federal Reserve Bank of Atlanta recognizes this and so has been focusing its efforts on a safer payments innovation strategic initiative. In fact, the Atlanta Fed's 2019 annual report highlights this initiative, which includes meeting with fintech entrepreneurs and bankers to share information. Earlier this year, the Atlanta Fed hosted the Federal Reserve System's first "innovation office hours" to talk with entrepreneurs and bankers on topics such as payments security, regulation, and financial inclusion. Of primary concern to many of the participants of these office hours was regulatory compliance and clarity.
In June, the Office of the Comptroller of the Currency (OCC) issued an advance notice of proposed rulemaking on digital activities and other banking issues related to digital technology or innovation. The notice encourages all OCC-supervised institutions—national banks, federal savings associations, and federal branches and agencies of foreign banks—to respond. If you are among these, take this opportunity to let your voice be heard.
It's our job and the job of the OCC and other regulatory agencies to ensure the safety and soundness of banks and the payments system. But we also recognize that innovation is important when it comes to delivering services to consumers and businesses, and we know we are living in a changing technological environment that is bringing in entrants from outside traditional banking. So that the payments system can achieve balance in safety and innovation, it is critical that the regulatory agencies have an ongoing dialogue with those affected by laws, rules, and regulations.
Some of the topics the OCC is requesting comment on include:
- How is distributed technology used or potentially used in activities related to banking?
- What are the issues that are unique to smaller institutions regarding the use and implementation of innovative products, services, or processes that the OCC should consider?
- What are the new payment technologies and processes that the OCC should be aware of and the potential implications of these technologies and processes for the banking industry?
Input from those affected by existing and new rules and regulations will help us create an environment where financial institutions can harness new technologies in a way that makes them competitive yet safe. Do your part to help create a regulatory environment that promotes safety and allows innovation to flourish. Reply to the OCC by the August 3 deadline.
January 27, 2020
Mobile Banking Nearing Ubiquity
In June 2019, eight Federal Reserve districts,[1] led by the Federal Reserve Bank of Boston's Payment Strategies Group, surveyed financial institutions (FIs) based in their respective districts about their current and planned mobile banking and mobile payment service offerings. The survey defined mobile banking as the use of a mobile phone to connect to a financial institution to access bank or credit account information (including to view balances), transfer funds between accounts, pay bills, set up account alerts, locate ATMs, deposit checks, and more. The term mobile payments described the use of a mobile phone to pay at the point of sale, remotely for a retail item (or items) using near field communication or a quick response code, or via mobile app or web for digital content, goods, or services (such as transit, parking, or ticketing).
You can find the full 2019 Mobile Financial Services Survey report, including the survey questionnaire, on the Boston Fed website. This collaborative survey effort previously took place in 2014 and 2016.
The survey found that 96 percent of the respondents currently offered or planned to offer mobile banking services. (As expected, most of the respondents who indicated they had no plans to offer mobile banking—18 of the 23—were the smallest FIs [those with assets under $50 million].) Support for mobile payment services had increased significantly since the 2016 survey, going from 24 percent to 43 percent in 2019, with an additional 26 percent planning to support mobile payments within two years.
Especially interesting to me were the responses to a new survey question regarding FIs' plans to issue contactless payment cards. Many of the largest FIs began issuing contactless cards in 2019. The survey found that while only 5 percent of respondents were issuing contactless cards, 21 percent plan to do so within two years and an additional 18 percent plan to issue them in the next two to five years. As the chart shows, although nearly two-thirds of the smallest FIs indicated no plans to offer a contactless card, a relatively high percentage (43%) of the larger FIs also indicated no plans to do so. I am curious to see how these plan responses change, if at all, in future surveys.
A total of 504 financial institutions responded—337 banks and 167 credit unions (CUs)—which represented 6 percent of all banks and 3 percent of all CUs in the United States. It is important to note that none of the top 100 banks by asset size and only four of the top 100 CUs by asset size are included in the survey. Almost half of the responding CUs have assets under $100 million. The distribution of survey respondents (displayed in the chart below) helps us better understand the development of mobile financial services in the mid- and small-sized FIs.
The Boston Fed's Payment Strategies Group will present a webinar on the full survey report later this year. We will be sure to keep Take On Payments readers apprised of those plans. In the meantime, if you have any questions regarding the survey or the results, please be sure to contact me.
[1] Atlanta, Boston, Cleveland, Kansas City, Minneapolis, Philadelphia, Richmond, and San Francisco