About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

Take On Payments

April 15, 2019


For Customer Education, Map Out the Long Journey

Financially savvy consumers are good customers for financial services. They save for retirement and pay back loans. Those are among the findings of research looking into the effects of formal financial education. And, as readers of this blog already know, customer education is central to risk management.

Using data from the National Financial Capability Study, researchers at the University of Nebraska found that financial education encouraged positive behaviors in the long run, such as saving for retirement or setting up an emergency fund. For short-run behavior, which the researchers defined as tasks that "give continual feedback," the evidence was mixed. They hypothesized that, in the short run, people learn good behavior better from getting negative feedback like late fees.

A paper by researchers at the Federal Reserve Board looked at three states (including Georgia, Idaho, and Texas) that began requiring financial education in 2007. Students in school after the requirement was implemented had higher relative credit scores and lower relative loan delinquencies than young people in bordering states without financial education. The effects lasted for four years after high school graduation. Among the goals of the Georgia curriculum is one that says students should be able to "apply rational decision making to personal spending and saving choices" and "evaluate the costs and benefits of using credit." Through age 22, the researchers found that the students who studied personal finance were better off than peers who had not, as measured by relative credit scores and delinquency rates.

What this means: if I learn in middle school that cost should factor into college choice, perhaps I'll decide to take on less student loan debt when it's time to choose a college. If one of my college professors stresses the importance of saving for retirement, perhaps I'll be more likely to make sure I participate in my employer's 401(k) and qualify for its full match. If I receive regular reminders about phishing attacks, perhaps I would be less likely to reply to or open a link in a phishy email.

April is Financial Literacy Month. For parents, teachers, and financial institutions, it's encouraging to know that split-second timing is not necessarily critical to effective financial learning. Financial education need not be delivered at life's crossroads, but everyone should have an overview of the route before getting on the road.

Finally, let me share some tips:

  • For parents of young children: Use these parent Q & A resources during story time. They are designed to help you talk about the importance of making careful decisions when saving versus spending and other personal finance topics related to their daily lives.
  • For teachers: The Federal Reserve Bank of Atlanta offers professional development programs for teachers, designed to enhance classroom instruction of economics and personal finance, including a free webinar on April 16, "Personal Finance Basics: Classroom Resources."

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 15, 2019 in consumer protection, risk management

April 8, 2019


Insuring Against Cyber Loss

Over the last few months, my colleagues and I have had multiple speaking engagements and discussions with banking and payments professionals on the topic of business email compromise (BEC). Generally, these discussions lead to talk about a risk management strategy or approach for this large, and growing, type of scam. One way some companies and financial institutions are mitigating their risk of financial loss to BEC and other cyber-related events is through a cyber-risk insurance policy. In a recent conversation, someone told me their cyber-insurance carrier mandates that they get an outside firm to audit and assess their cybersecurity strategy and practices, or they risk losing coverage.

According to a recent Wall Street Journal article, some large insurers are even going a step further and collaborating with each other to offer their own assessments of cybersecurity products and services available to businesses. Their results, which they will make publicly available, will identify products and services they deem effective in reducing cybersecurity incidents and potentially qualify insured companies with improved policy terms and conditions if they use those products or services.

Cybersecurity vendors who would like their products and services to be assessed must apply by early May. They are not required to pay any fees for the evaluation. In light of the rising number of cyber-related events and increasing financial losses, along with the growing number of legal cases between companies and their insurance providers, this move by the insurance companies makes sense as a way for them to potentially reduce their exposure to cyber incidents. But it will be very interesting to see just how many cybersecurity vendors apply for participation in the program and how effective the insurers are at assessing the vendors' products and services. Moreover, for businesses, just using cybersecurity solutions helps them meet only part of the challenge. How they implement and maintain these solutions is critical to an effective cybersecurity approach.

Also of note in the Wall Street Journal article is a graph that depicts the percentage of a particular global insurance company's clients, by industry, that have purchased a stand-alone cyber-insurance policy. Financial institutions, at 27 percent, rank last. Perhaps they are more confident in their cybersecurity strategies than are other industries, or perhaps insurers have no attractive stand-alone policies for financial institutions.

The cyber threat today is serious. In fact, Federal Reserve Board chairman Jerome Powell in a recent CBS 60 Minutes interview, when asked about a possible cyberattack on the U.S. banking system, responded that "cyber risk is a major focus—perhaps the major focus in terms of big risks."

As the Risk Forum continues to also focus on and monitor cyber risks, we look forward to the public findings from the insurers' collaborative assessment of cybersecurity products and services and will be interested to see if, over time, more financial institutions obtain cyber-risk insurance policies. I suspect the cyber-insurance industry will evolve in the products they offer and will continue to grow as companies look to mitigate their risks in the event of a cyber event.

What are your thoughts on this collaborative effort by the insurers? How do you see the cyber-insurance industry evolving? And do you think more financial institutions (or perhaps your own) will acquire cyber-insurance policies?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 8, 2019 in banks and banking, cybercrime, cybersecurity

April 1, 2019


Contactless Cards: The Future King of Payments?

Just over two years ago, my colleague Doug King penned a post lamenting the lack of dual interface, or "contactless," chip payment cards in the United States. In addition to having the familiar embedded chip, a dual interface card contains a hidden antenna that allows the holder to tap the card on or wave it near the POS terminal. This is the same technology—near field communications (NFC)—that various pay wallets inside mobile devices use.

Doug is now doing his daily fitness runs with a bigger smile on his face as the indicators appear more and more promising that 2019 will be the year of the contactless card. Large issuers have been announcing plans to distribute dual interface cards either in mass reissues or as a cardholder's current card expires. Earlier this year, some of the global brand networks launched advertising campaigns to make customers aware of the convenience that contactless cards offer.

So why have U.S. issuers not moved on this idea before now? I think there have been several reasons. First, for the last several years, financial institutions have focused a lot of their resources on chip card migration. Contactless cards will create an additional expense for issuers and many of them wanted to let the market mature as it has done in a number of other countries. They were also concerned about the failure of contactless card programs that some of the large FIs introduced in the early 2000s—most merchants lacked terminals capable of handling the technology.

The EMV chip migration solved much of the merchant terminal acceptance problem as the vast majority of POS terminals upgraded to support EMV chips can also support contactless cards. (While a terminal may have the ability to support the technology, the merchant has to enable that support.) Visa claims that as of mid-2018, half of POS transactions in the United States were occurring at terminals that were contactless-enabled. Another factor favoring contactless transactions is the plan by major U.S. mass transit agencies to begin accepting contactless payment cards. According to the American Public Transportation Association's 2017 Ridership Report, there were 41 transit agencies in the United States with annual passenger trip volumes of over 20 million trips.

Given that consumer payments is largely a total sum environment, these developments have led me to ask myself and others what effect contactless cards will have on consumers' use of other payment forms—in particular, mobile payments. As my colleagues and I have written numerous times in this blog, mobile payments continue to struggle to obtain consumer adoption, despite earlier predictions that they would catch on quickly. There are some who believe that the convenience of ubiquity and fast transaction speed will favor the dual purpose card. Others think that the increased merchant acceptance of contactless will help push the mobile phone into becoming the primary payment form.

My personal perspective is that contactless cards will hinder the growth of in-person mobile payments. There are those who claim to leave their wallet at home and never their phone, and they will continue to be strong users of mobile payments. But the reality is that mobile payments are not accepted at all merchant locations, whereas payment cards are practically ubiquitous. While I am a frequent user of mobile payments, simply waving or tapping a card appeals to me. It's much more convenient than having to open the pay application on my phone, sign on, and then authorize the transaction.

Do you believe the adoption of contactless cards by consumers and merchants will be as successful as it was for EMV chip cards? And do you think that contactless cards will help or hinder the growth of mobile payments? Let us hear from you.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 1, 2019 in card networks, cards, emerging payments, EMV, innovation, mobile payments

March 25, 2019


Safeguarding Privacy and Ethics in AI

In a recent post I referred to the privacy and ethical guidelines that the nonprofit advocacy group EPIC (Electronic Privacy Information Center) is promoting. According to this group, these guidelines are based on existing regulatory and legal guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. Given the continued attention to advancements in machine learning and other computing technology advancements falling under the marketing term of “artificial intelligence” (AI), I thought it would be beneficial for our readers if we were to review these guidelines so the reader can assess their validity and completeness. The heading and the italicized text in these guidelines are EPIC’s specific wording; additional text is my commentary. It is important to point out that neither the Federal Reserve System nor the Board of Governors has endorsed these guidelines.

  1. Right to Transparency. All individuals have the right to know the basis of an AI decision that concerns them. This includes access to the factors, the logic, and techniques that produced the outcome. EPIC says the main elements of this principle can be found in the U.S. Privacy Act and a number of directives from the European Union. It is unlikely that the average person would be able to fully understand the complex computations generating a decision, but everyone still has the right to an explanation of and validation for the decision.
  2. Right to Human Determination. All individuals have the right to a final determination made by a person. This ensures that a person, not a machine, is ultimately accountable for a final decision.
  3. Identification Obligation. The institution responsible for an AI system must be made known to the public. There may be many different parties that contribute to an AI system, so it is important that anyone be able to determine which party has overall responsibility and accountability.
  4. Fairness Obligation. Institutions must ensure that AI systems do not reflect unfair bias or make impermissible discriminatory decisions. I understand the intent of this principle—any program developed by a person will have some level of inherent bias—but how is it determined that the level of bias has reached an “unfair” level, and who makes such a determination?
  5. Assessment and Accountability Obligation. An AI system should be deployed only after an adequate evaluation of its purpose and objectives, its benefits, as well as its risks. Institutions must be responsible for decisions made by an AI system. An AI system that presents significant risks, especially in the areas of public safety and cybersecurity, should be evaluated carefully before a deployment decision is made.
  6. Accuracy, Reliability, and Validity Obligations. Institutions must ensure the accuracy, reliability, and validity of decisions. This basic principle will be monitored by the institution as well as independent organizations.
  7. Data Quality Obligation. Institutions must establish data provenance, and assure quality and relevance for the data input into algorithms. As an extension of number 6, detailed documentation and secure retention of the data input help other parties replicate the decision-making process to validate the final decision.
  8. Public Safety Obligation. Institutions must assess the public safety risks that arise from the deployment of AI systems that direct or control physical devices, and implement safety controls. As more Internet-of-Things applications are deployed, this principle will increase in importance.
  9. Cybersecurity Obligation. Institutions must secure AI systems against cybersecurity threats. AI systems, especially those that could have a significant impact on public safety, are potential targets for criminals and terrorist groups and must be made secure.
  10. Prohibition on Secret Profiling. No institution shall establish or maintain a secret profiling system. This principle ensures that the institution will not establish or maintain a separate, clandestine profiling system to assure the possibility of independent accountability.
  11. Prohibition on Unitary Scoring. No national government shall establish or maintain a general-purpose score on its citizens or residents. The concern this principle addresses is that such a score could be used to establish predetermined outcomes across a number of activities. For example, in the private sector, a credit rating score can be a factor not only in credit decisions but also in other types of decisions, such as for vehicle, life, and medical insurance underwriting.
  12. Termination Obligation. An institution that has established an AI system has an affirmative obligation to terminate the system if human control of the system is no longer possible. I refer to this final principle as the “HAL principle” from 2001: A Space Odyssey, where the crew tries to shut down HAL (a Heuristically programmed ALgorithmic computer) after it starts making faulty decisions. A crew member finally succeeds in shutting HAL down only after it has killed all the other crew members. HAL is an extreme example, but the principle ensures that an AI system’s actions do not override or contradict the actions and decision of the people responsible for the system.

On February 11, 2019, the president signed an executive order promoting the United States as a leader in the use of AI. In addition to addressing technical standards and workforce training, the order called for the protection of “civil liberties, privacy, and American values” in the application of AI systems. As the development of AI systems increases pace, it seems important that an ethical framework be put in place. Do you think these are reasonable and realistic guidelines that should be adopted? Do you think some of them will hinder the pace of AI application development? Are any principles missing?

Let us know what you think.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 25, 2019 in emerging payments, fintech, innovation

March 18, 2019


The Patriots of the Payments Landscape

Last February, the New England Patriots and their future first-ballot Hall of Fame quarterback, Tom Brady, won their sixth Super Bowl title since 2002. Over this 17-year period, they have played for the National Football League title nine times. In college football, a similar scenario has emerged, with two teams (the University of Alabama and Clemson University) winning seven out of the last 10 collegiate football national titles. It is proving to be very difficult to upend the dominant players in this sport, and many football fans and pundits believe that such domination makes the overall sport less interesting (especially if your favorite team isn’t Alabama, Clemson, or the Patriots). They think it’s bad for the sport and argue it would be better to see more variety in championship teams. As I think about that perspective, my mind drifts to a payments conversation that I am often a part of in both business and social settings: Where are payments going to be in the next three to five years?

While it would be much "more entertaining" in my social settings to be able to discuss some great shift in payments on the horizon, the fact is that right now payments is in a place similar to football’s. Card-based payments are sitting on top of the non-cash-based payments world and will be difficult to dethrone anytime soon. According to the Federal Reserve Payments Study 2016 (the last report that provided annual estimates for both automated clearinghouse (ACH) and check payments), card payments, by number of transactions, made up 72 percent of noncash payments. Now the latest figures from the payments study’s 2018 Annual Supplement report reveal that there were 123.5 billion card transactions in 2017, a figure representing robust growth of 10.1 percent from 2016. The report also highlights that, during this 2016–17 period, the number of network ACH payment transactions grew at an accelerated pace of 5.7 percent while large-institution check payments declined in number of transactions at an accelerated pace of 4.8 percent. The Federal Reserve is currently conducting its triennial payments study, which will provide updated national estimates on all noncash payments for 2018.

In the future, we might be dipping cards more often, tapping contactless cards, or even tapping our phones more, but it’s hard to envision a new payment channel making much headway in the next three to five years. Cards just have too big of a share and are experiencing accelerating growth. Consumers are not only accustomed to using them, but they also find that cards work very efficiently for them. And just like the football fans and pundits who talk or write about the need for different champions in the football world, payments professionals and pundits are enamored with writing about and discussing how blockchain, distributed ledger technology, faster payments, or some other brave, new technology are going to be the next frontier in payments. And you know, they might be right one day, but it’s not going to happen anytime soon, certainly not before Mr. Brady finds his way into the Hall of Fame.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 18, 2019 in credit cards, debit cards, emerging payments, fintech, innovation

March 11, 2019


Payments Webinar Explores a Fintech Talent Gap

Developments in financial technology (fintech), as welcome as they may be, are pressuring one of our most valuable resources: our workforce. Not only are there not enough candidates experienced in new fintech, but also there is a growing gap between the skills employers want and the skills that employed professionals have.

As fast as fintech is moving, it is important not to be hasty when making talent development decisions. Now is the time to be strategic and intentional in evaluating the ways to bridge the fintech talent gap. Most new banking technologies, especially those that are payments related (whether they’re offered by a traditional financial institution or a non-bank entity), require a new approach to software and cybersecurity. With this in mind, a fundamental feature of workforce development is aligning education and training programs with real business needs.

In the next episode of our Talk About Payments (TAP) webinar series, our panel will explore the underlying emerging technologies that are essential core knowledge for the payments and fintech workforce. We will also explore initiatives that are under way to bridge the fintech talent gap. Our panel will include:

  • Jessica J. Washington, AAP, Payments Risk Expert, Federal Reserve Bank of Atlanta
  • James Senn, Founding Director, Georgia Fintech Academy
  • Allen Sautter, Information Security Officer, Federal Reserve Bank of Atlanta

We encourage financial institutions, merchants, fintechs, payments processors, law enforcement, academia, and other payments system stakeholders to participate. Participants will be able to submit questions during the webinar.

The webinar will take place on March 21, from 1 to 2 p.m. (ET). To participate in the webinar, you must register in advance (there is no charge). You can register here. Once you have registered, we will send you a confirmation email with the login and toll-free call-in information. You can direct questions concerning the webinar to David Lott at david.lott@atl.frb.org. We hope you will join us and be part of the discussion.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 11, 2019 in emerging payments, financial technology, fintech, payments innovation, skills gap, workforce development

March 4, 2019


The Importance of the Small

In Shakespeare's "A Midsummer Night's Dream," Helena said, "Though she be but little, she is fierce," in reference to the power of her romantic foe, Hermia. In today's pop culture, this quote can be found on T-shirts, coffee mugs, inspirational wall hangings, and social media memes touting women's power. But it has a broader meaning to me, one that says small voices are every bit as important as large ones.

In the payments industry, I think of the small voices as being the smaller financial institutions—which are crucial to the success of the Federal Reserve Payments Study, contributing a great deal to the study findings. The study, which estimates the number and value of noncash payments made by U.S. consumers and businesses as well as the data around payments fraud, is intended to inform policymakers, the industry, and the public about aggregate trends in the nation's payments system. Most recently, this work culminated in a benchmark report on U.S. payments fraud from 2012 to 2016.

One important component of the study is to collect data on checks, ACH, wire transfers, cards, cash withdrawals and deposits, third-party fraud, and related information from a nationally representative sample of commercial banks, savings institutions, and credit unions, from the largest to the smallest. So what exactly is meant by a "nationally representative sample"?

In a nutshell, for our estimates to be representative of national payment volumes, we have to account for all sources of volume. If we include only the largest institutions or leave out some segments, the estimates can be biased, either too large or too small. Even though much of payments volume is concentrated in the largest institutions, it is impossible to know how much so without having a good estimate for all segments of the banking population. Past surveys have shown that the segments can exhibit very different trends from study to study. For example, from 1995 to 2000, total checks at large commercial banks fell, while total checks at credit unions and savings institutions grew. (Read more about that in this report from the Federal Reserve Board of Governors.) Without the information from credit unions, the decline in checks would have appeared larger than it actually was.

Study participants are selected from among U.S. commercial banks, savings institutions, and credit unions. According to reports filed with the Federal Reserve in 2015, there were approximately 10,600 of these depository institutions (DI) in the United States that met the criteria (see the table). Using Call Report data filed with the Federal Reserve, a sample frame of slightly under 3,800 institutions was determined to be representative of the entire population of U.S. financial institutions. Each institution type is further grouped according to deposit size.

| Institution Type | Deposit Size (Maximum)* | No. of U.S. Institutions | No. Invited to Participate in Study |
|---|---|---|---|
| Commercial Banks | | 50 | 50 |
| | $10,900,000,000 | 264 | 264 |
| | $799,500,000 | 247 | 237 |
| | $388,000,000 | 337 | 237 |
| | $232,000,000 | 618 | 308 |
| | $139,754,000 | 872 | 289 |
| | $83,909,000 | 1,190 | 444 |
| | $41,980,000 | 1,382 | 356 |
| Subtotal | | 4,960 | 2,185 |
| Savings Institutions | | 25 | 24 |
| | $1,650,000,000 | 48 | 48 |
| | $497,000,000 | 102 | 102 |
| | $195,000,000 | 132 | 104 |
| | $100,500,000 | 155 | 116 |
| | $46,300,000 | 292 | 96 |
| Subtotal | | 754 | 490 |
| Credit Unions | | 25 | 25 |
| | $730,000,000 | 47 | 46 |
| | $365,000,000 | 137 | 126 |
| | $185,000,000 | 174 | 143 |
| | $105,500,000 | 240 | 147 |
| | $58,000,000 | 399 | 167 |
| | $26,680,000 | 690 | 201 |
| | $11,190,000 | 3,144 | 242 |
| Subtotal | | 4,856 | 1,097 |
| Total | | 10,570 | 3,772 |

*For commercial banks and savings institutions, this is the sum of public checkable deposits (or checking account balances) and money market deposit accounts. For credit unions, this reflects public checkable deposits only.

Source: Table adapted from Geoffrey Gerdes and Xuemei Liu. "Improving Response Quality with Planned Missing Data: An Application to a Survey of Banks," in The Econometrics of Complex Survey Data: Theory and Applications (Advances in Econometrics, volume 39), ed. Kim P. Huynh, David T. Jacho-Chavez, and Gautam Tripathi. Available April 1, 2019.

As the table shows, financial institutions in each category with the lowest maximum deposit size comprise approximately 46 percent of the total number of U.S. institutions. Of this group, consisting of more than 4,800 DIs, just under 700 were invited to participate in the study, or approximately 18 percent of the total sample.

Take, for example, credit unions with a maximum deposit size of $11.2 million. In 2016, there were approximately 3,100 institutions in this category, and 242 were invited to participate in the study to represent that segment. Similarly, 96 savings institutions with a maximum deposit size of $46.3 million were selected to represent the overall segment of just under 300 institutions.

Grouping institutions in this way improves the quality of results, as the institutions within each category share many similar characteristics. The smaller institutions have a unique voice and experience that the larger DIs cannot represent. To develop a true and accurate national picture of the payments landscape, it is important that all voices be heard.

I hope your takeaway from this post is that the contributions of all financial institutions—large and small—are important to the accuracy and representativeness of the data that the Federal Reserve Payment Study reports. And although study participants may sometimes think their institutions are small fish in a big pond, their survey contributions serve as the voice of their peers, and in the collective, that whisper becomes a mighty voice.

By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

March 4, 2019 in banks and banking, payments study

February 25, 2019


Fighting Discipline with Discipline

When I meet with law enforcement officers, they often describe the growing sophistication of criminal groups that commit large-scale fraud. Just like legitimate enterprises, these global organizations follow a disciplined process to reach their business goals. As a successful salesperson follows specific steps from prospecting to closing, successful criminal enterprises follow defined steps that improve their chances of successfully executing financial crimes.

Let's take a look at a disciplined, five-step process that criminals generally follow to successfully execute a business email compromise (BEC) attack. The process can also apply to other types of cybercrimes, such as account takeover.

  • Identify targets. Fraudsters scan specific industries to identify firms to attack. While firms handling real estate closings and trusts remain primary targets of BEC attempts, other businesses, across multiple industries, that have large-value accounts payable have increasingly become targets.
  • Gain access. Fraudsters attempt a variety of methods to gain entry to the business accounting or IT system. With BEC, the most common way in is to get an employee to open an email or click on a link containing malware that will result in the compromise of the employee's log-in credentials. Another method is to exploit a security gap in the company's IT access control system. Social engineering is also becoming more frequent.
  • Establish a foothold. Upon gaining access to the business records of the company, the fraudsters are likely to create hidden paths to enter and exit the company's systems without detection.
  • Conduct surveillance. More and more often, fraudsters take their time monitoring the activity and records of the company, sometimes for months. Doing so helps them better understand the company's controls related to authorizing large-dollar-value transactions and customer records maintenance. When they eventually conduct their misdeed, they stay within normal controls and therefore don't set off any additional oversight.
  • Steal and retreat. When the criminals have gained the necessary knowledge—by conducting their thorough, sometimes lengthy surveillance—they make a funds transfer request. In a BEC, this is generally an email from a senior official of the company to the finance department conveying some sense of urgency. In most cases, the request refers to a valid invoice or customer account number in an attempt to appear legitimate. Of course, the criminal controls the account that would receive the funds. If the request succeeds, the criminal may make additional funds transfer attempts. When they're done, they try to erase any evidence of their intrusion.

These sophisticated criminals achieve their results with discipline, but you can successfully stop BEC and similar attacks by relying on your own discipline in several areas. BEC is totally preventable if a business combines employee education and testing with meticulous authorization control processes, audit oversight, and IT security techniques. Instill this discipline and you won't be a victim.
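As an added illustration (not part of the original post, and not Atlanta Fed tooling), the authorization control described above can be sketched as a pre-release check on each emailed funds transfer request. The vendor master file, invoice ledger, dollar threshold, urgency keywords, and decision names are all assumptions constructed for this example.

```python
import re
from typing import NamedTuple

# Constructed sample data (not from the post): vendor master file and open invoices.
VENDOR_MASTER = {"V-1001": "ACCT-ON-FILE-A", "V-1002": "ACCT-ON-FILE-B"}
OPEN_INVOICES = {"INV-88213": ("V-1001", 184500.00), "INV-88214": ("V-1002", 1200.00)}

DUAL_APPROVAL_THRESHOLD = 50_000.00  # assumed policy value
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)

class TransferRequest(NamedTuple):
    requester: str
    invoice: str
    beneficiary_account: str
    amount: float
    message: str

def review(req):
    """Return (decision, reasons) for one emailed funds transfer request."""
    record = OPEN_INVOICES.get(req.invoice)
    if record is None:
        return "reject", ["invoice not found in accounts payable"]
    vendor, amount_due = record
    hold, escalate = [], []
    # A valid invoice number proves nothing: compare the payee with the record on file.
    if req.beneficiary_account != VENDOR_MASTER[vendor]:
        hold.append("beneficiary account differs from vendor master record")
    if abs(req.amount - amount_due) > 0.005:
        hold.append("amount differs from invoice")
    if URGENCY.search(req.message):
        escalate.append("urgency language in request")
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        escalate.append("large-value transfer")
    if hold:
        # Verify by calling the vendor at the number on file, never one from the email.
        return "hold_for_callback", hold + escalate
    if escalate:
        return "dual_approval", escalate
    return "release", []

# Constructed requests: the first follows the pattern in the post
# (senior official, urgency, valid invoice, unfamiliar receiving account).
BEC_STYLE = TransferRequest("cfo@example.com", "INV-88213", "ACCT-NEW-X", 184500.00,
                            "Need this wired today, it is urgent.")
ROUTINE = TransferRequest("ap@example.com", "INV-88214", "ACCT-ON-FILE-B", 1200.00,
                          "Scheduled payment per net-30 terms.")

if __name__ == "__main__":
    for r in (BEC_STYLE, ROUTINE):
        print(r.invoice, *review(r))
```

The check keys on the one thing the criminal cannot make match, the receiving account, so a request that cites a real invoice and stays within normal approval limits is still held.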

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 25, 2019 in cybercrime, cybersecurity

February 19, 2019


Acute Audit Appendicitis

My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.

But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:

  • Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
  • Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.

FIs and ACH payment processors must still conduct an annual audit of their compliance with the ACH rules, either internally or through an outsourced provider. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than just rely on the former Appendix Eight checklist.

The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.

These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.

Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 19, 2019 in ACH, banks and banking, payments

February 11, 2019


AI and Privacy: Achieving Coexistence

In a post early last year, I raised the issue of privacy rights in the use of big data. After attending the AI (artificial intelligence) Summit in New York City in December, I believe it is necessary to expand that call to the wider spectrum of technology that is under the banner of AI, including machine learning. There is no question that increased computing power, reduced costs, and improved developer skills have made machine learning programs more affordable and powerful. As discussed at the conference, the various facets of AI technology have reached far past financial services and fraud detection into numerous aspects of our life, including product marketing, health care, and public safety.

In May 2018, the White House announced the creation of the Select Committee on Artificial Intelligence. The main mission of the committee is "to improve the coordination of Federal efforts related to AI to ensure continued U.S. leadership in this field." It will operate under the National Science and Technology Committee and will have senior research and development officials from key governmental agencies. The White House's Office of Science and Technology Policy will oversee the committee.

Soon after, Congress established the National Security Commission on Artificial Intelligence in Title II, Section 238 of the 2019 John McCain National Defense Authorization Act. While the commission is independent, it operates within the executive branch. Composed of 15 members appointed by Congress and the Secretaries of Defense and Commerce—including representatives from Silicon Valley, academia, and NASA—the commission's aim is to "review advances in artificial intelligence, related machine learning developments, and associated technologies." It is also charged with looking at technologies that keep the United States competitive and considering the legal and ethical risks.

While the United States wants to retain its leadership position in AI, it cannot overlook AI's privacy and ethical implications. A national privacy advocacy group, EPIC (or the Electronic Privacy Information Center), has been lobbying hard to ensure that both the Select Committee on Artificial Intelligence and the National Security Commission on Artificial Intelligence obtain public input. EPIC has asked these groups to adopt the 12 Universal Guidelines for Artificial Intelligence released in October 2018 at the International Data Protection and Privacy Commissioners Conference in Brussels.

These guidelines, which I will discuss in more detail in a future post, are based on existing regulatory guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. They call out that any AI system with the potential to impact an individual's rights should have accountability and transparency and that humans should retain control over such systems.

As the strict privacy and data protection elements of the European Union's General Data Privacy Regulation take hold in Europe and spread to other parts of the world, I believe that privacy and ethical elements will gain a brighter spotlight and AI will be a major topic of discussion in 2019. What do you think?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2019 in consumer protection, emerging payments, fintech, innovation, privacy, regulations
