Analysis: CFPB's Faster Payment GuidelinesRegulator's Recommendations Raise Questions, Concerns
The Consumer Financial Protection Bureau, one of the five regulatory agencies in the Federal Financial Institutions Examination Council, has released consumer protection recommendations - including security steps - that banking institutions should consider as they develop solutions for faster payment systems.
See Also: Taking Advantage of EMV 3DS
One security expert questions if the CFPB's recommendations will have much impact, while another says this could be a first step toward more regulations for banks and credit unions. And a third contends that some of the recommendations, if mandated, would do more harm than good, because they could establish contradictory regulatory examination requirements for banking institutions.
The CFPB's recommendations highlight consumer privacy and data security concerns that should be addressed as the private sector works to conform to faster payments initiatives outlined by the Federal Reserve System and NACHA - The Electronic Payments Association earlier this year.
The CFPB calls out nine principles that it says banking institutions should consider to ensure faster payments systems are transparent, accessible, safe and efficient for consumers.
- Consumer Control Over Payments - Faster payments should align with what consumers have authorized and should include rules for limiting the time period for which payment authorization is valid.
- Data and Privacy - Consumers should be informed about how their data is being transferred through any new payment system, including what data is being transferred, who has access to it, how the data can be used and potential risks.
- Fraud and Error Resolution Protections - System architecture for faster payments should ensure that information is created and recorded to facilitate post-transaction evaluation and provide consumers with mandated regulatory protections.
- Transparency - Faster payments should include real-time access to information about the status of transactions.
- Cost - Any fees associated with faster payments should be disclosed in a way that allows consumers to compare the costs of using different payments options.
- Access - Any new faster payments system should be broadly accessible to consumers.
- Funds Availability - Faster payments should decrease consumer risk of overdraft and declined transactions due to insufficient funds.
- Security and Payment Credential Value - New payments systems should have built-in protections to detect and limit errors, unauthorized transactions and fraud.
- Strong Accountability Mechanisms that Effectively Curtail System Misuse - Systems operators should be accountable for the risks, harm and costs they introduce to payment systems, and therefore should be incentivized to prevent and correct fraudulent, unauthorized or otherwise erroneous transactions for consumers.
The CFPB's recommendations likely won't carry much weight on their own, contends Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation.
"Nothing's been communicated as yet about how compliance will be monitored, proven and enforced," Wills says. "It's hard to see how they'll move the needle in terms of actually protecting consumers against cyberthreats."
On the other hand, Al Pascual, director of fraud and security at Javelin Strategy & Research, says banks and credit unions should be bracing for some of these recommendations to soon become regulatory mandates.
"This recent statement is similar to those seen from other financial regulators, such as the FDIC on third-party vendors or the OCC on cybersecurity risks, which in turn eventually became part of the FFIEC dogma," Pascual says. "In the next few years, financial institutions and other players in the payments space should expect this statement to transition from position to enforcement, especially if the development and adoption of faster payments accelerates."
More Harm than Good?
Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite, contends that some of the new recommendations, if mandated, would do more harm than good.
"While consumers absolutely deserve protection, a financial services regulator with a single focus can be very disruptive," she says. "In this uncertain global economy, all regulators should be examining banks with many perspectives in mind, particularly safety and soundness. ... But a couple of these guidelines really illustrate the single-minded focus of the CFPB, and the lack of a big picture view."
In reviewing the recommendations, Inscoe calls out two principles of particular concern for banking institutions - allowing consumer control over payment authorization, and accountability for fraud.
"Allowing consumers to revoke authorization of a near real-time payment, as suggested in the first guideline, would only serve to make the payment system unreliable," she says. "One tenet of faster payments should be guaranteed funds; otherwise, recipients will have little confidence in the payment system. Consumers shouldn't choose to use faster payments unless they are certain they want to actually make the payment."
And suggesting that new payments systems providers be accountable for implementing mechanisms that reduce fraud seems "naÃ¯ve," Inscoe contends.
"With the card networks in particular, we have seen little to no accountability for merchants, universities, governmental agencies or other entities that use poor security mechanisms and allow data breaches to occur," she says. "Card issuers bear the brunt of these losses and the associated operating costs in their fraud and customer service departments. ... For the CFPB to think any payment network can change that scenario seems naÃ¯ve. All this translates to higher fraud losses for financial institutions, hence, the need for all financial services regulators to be cognizant of safety and soundness issues, not solely focused on what is good for the consumer at all costs."
Source of Confusion
The CFPB's regulatory role has been a source of confusion for banks and credit unions, Inscoe says.
On July 21, the CFPB will celebrate its four-year anniversary as an FFIEC regulatory agency (see CFPB: What is New Regulator's Role?). The bureau oversees depository institutions with more than $10 billion in assets and has authority over non-banking entities, such as mortgage companies, payday lenders and private education lenders.
But the CFPB's actions and supervision relate only to accountability and oversight of the consumer financial marketplace, which has made FFIEC-related banking examinations challenging, Inscoe says.
"Clearly, the CFPB considers themselves to be a regulator on the same par as the OCC, FDIC, etc.," Inscoe says. They conduct exams in financial institutions and act like any other regulator. This is confusing for financial institutions, which are caught in the middle and must answer to multiple 'masters' from a regulatory perspective."
The CFPB did not respond to Information Security Media Group's request for comment about why the recommendations were issued.