Trust in the safety, security, and integrity of the faster payments system is important for encouraging service providers and solution operators to participate in the system, and for end users to adopt faster payments. All payment systems, whether faster or not, are subject to a wide array of security threats and other risks that are ongoing and constantly changing. Addressing these risks in an effective way encompasses several elements. Strong security is essential to protect data and transaction legitimacy, and minimize and contain data breaches, cyber-attacks, and other threats. In addition, effective processes, practices, and controls within and across solutions are integral to minimizing and mitigating fraudulent and erroneous transactions. In the event that fraudulent and/or erroneous transactions occur, it is also critical to have effective dispute resolution processes and end-user protections to safeguard against financial and other losses. Finally, effective management of settlement risk is necessary for minimizing potential losses due to one or more service provider(s) being unable to meet their settlement obligations.
The task force believes that the industry must take advantage of this period of transition. Before new faster payments solutions are broadly adopted, the industry should embrace a security-first mentality. While it will never be possible to completely thwart ever-evolving payment security threats, implementation of these new, faster payments solutions presents a once-in-a-generation opportunity for all participants (solution operators, service providers, financial institutions, government agencies, businesses, and consumers) to embrace the latest best practices and security features in a comprehensive, holistic manner. (See Box B, “Examples of Improved Security Practices,” in the Final Report Part Two.)
The fact that faster payments transactions are expected to settle rapidly and irrevocably creates a number of challenges for participants in the faster payments system, regardless of whether payments stay within a single solution or cross solutions. Payer and payee service providers, solution operators and processors must exchange payment information in real time. This means accurate identification of payers and their accounts must occur during a short vetting window, making it challenging for payers’ service providers to recognize identity theft, account fraud, and account takeover. Robust techniques for data protection, authentication, enrollment, and payment identity management (e.g., end-to-end encryption, tokenization, behavioral biometrics, and device fingerprinting) can and should be leveraged to protect data and stop fraud before it happens. Effective rules and standards can help encourage proper use of these security and fraud prevention techniques.
Prevention, detection, and mitigation of fraud and security risks are also topics of interest to the Secure Payments Task Force (SPTF), a collaborative industry effort working to address payment security challenges broadly and advising this task force on faster payments-related security issues. The SPTF has a work group focused on enhancing industry information sharing for mitigating payment risk and fraud (Information Sharing Work Group). One of the key challenges they have recognized is that specific segments and trade associations within the industry collect and publish fraud information to their respective members; however, without a standardized set of requirements for defining, collecting, and formatting fraud data, the industry will continue to be challenged to accurately measure and benchmark fraud data and metrics across industry segments and payment types. To address this gap, collaboration is occurring with professional information sharing groups, trade groups, and government agencies.
It is also noteworthy that the SPTF is undertaking additional public-private collaborations beyond the Information Sharing Work Group (see Appendix 2), but these efforts have focused on addressing the challenges of existing payment systems. The task force believes supporting analogous work streams for faster payments is critical to ensure the safety and security of the emerging faster payments system.
In addition to real-time information exchange, the ability to flag exceptions quickly will be necessary to ensure trust in the integrity of the faster payments system. Payment exception processing, already an enormous task, could become more difficult for e-commerce retailers, billers, government entities, processors, and financial institutions. To meet these real-time requirements, many participants will need to upgrade their technological capabilities as well as their operational and managerial controls. For example, to comply with legal obligations, U.S. depository institutions must monitor transactions for suspected fraud or other transaction activity that meets suspicious activity reporting requirements under the Bank Secrecy Act (BSA) and screen for Office of Foreign Assets Control (OFAC)-restricted transactions. As faster payments volumes grow, increased processing and settlement speed will undoubtedly add stress to safety and security screening systems. For business end users and their payment service providers, supply chain risks could increase if business processes such as risk-scoring models and enterprise resource planning systems do not adapt to a faster payments environment.
Another risk with faster payments arises from the combination of real-time funds availability and irrevocability of the payment. This provides certainty to the payees of faster payments that the funds are available for use and will not be revoked at a later date. It also means that fraudulent or erroneous transactions cannot be revoked. However, irrevocability is not the same as indisputability: end users will want to be able to dispute unauthorized and erroneous payments. To this end, consideration needs to be given to the design of payer authorization processes and strong fraud/error resolution processes. Poorly designed authorization processes can result in confusion and user errors, which could in turn lead to unauthorized payments and customer dissatisfaction. Furthermore, complex or opaque resolution processes will add to end-user frustration and create a breakdown in trust. As such, it is critically important for faster payments solutions to have clear rules and effective processes for handling disputed payments depending on whether those payments are authorized by the payer (e.g., victim-assisted fraud) or unauthorized (e.g., lost, stolen, counterfeit, account takeovers, or in some cases debit-pull arrangements that were not explicitly agreed to by the payer). In addition, guarantees and/or indemnities that protect end users from unexpected losses due to error or fraud may be necessary. To the extent that solutions allow for the possibility of insufficient funds or account overdrafts, the penalties should be clearly and explicitly communicated to end users in order to minimize inconvenience and unexpected costs.
Some of these challenges are more complex when payments cross solutions. A faster payments solution operator and its participating service providers will not want to participate in payment arrangements with other solutions that do not have strong and compatible dispute resolution processes. They also will not want to expose their network to other solutions if they do not have confidence in the security and integrity of the other solutions’ network(s). A weak link in an interoperating network of multiple solutions compromises the security and integrity of all service providers in that network. Accurate assessments of security vulnerabilities are challenging given that solution operators and service providers may be unwilling to share details about their security measures. As a result, risk-averse solution operators and service providers may opt out of participating altogether. Furthermore, solutions based on digital currencies may face a particularly high hurdle in gaining the confidence of other, more traditional solution operators and service providers as well as end users, given that the regulatory requirements and end-user protections for digital currencies are not yet well defined.
The weak link concern is also applicable to settlement. Specifically, lack of trust in other service providers’ ability to fulfill their settlement obligations can be a deterrent to participation in payment arrangements across faster payments solutions. Within a given solution, operators employ a variety of tools to assess and manage the credit and liquidity risks associated with settlement, and some service providers incorporate pre-funding as a tool to manage these risks. However, when payments cross solutions, it could be more difficult to manage settlement risk. Key considerations in managing this risk include: how solution operators and service providers will be able to determine whether other solution operators and service providers are financially sound and able to fulfill their obligations; which risk mitigation measures are appropriate, such as pre-funding and capital requirements; and how solution operators should handle another operator or a provider having insufficient funds to meet financial obligations. For more information on settlement considerations, see Box C, “Settlement Considerations for Faster Payments Solutions,” in the Final Report Part Two.