Whether the legacy payments players like it or not, the case is strong for much greater intervention by the Fed in improving payments.
With July’s release of Part Two of the Faster Payments Task Force Final Report, which speculated that near real-time payments could/should be on the payments scene by 2020, the industry appeared to settle back to figure out where the beef is. But then, with September’s response to the report from the Federal Reserve, additional options for moving forward have emerged, and are already in motion.
Now it seems that the Fed’s trump card for keeping things moving is to establish a clear case for making near-term improvements in payment security—in advance of getting speedier payments.
The growing national concern about security in payments and financial services—magnified greatly by the Equifax breach disclosed this summer—is providing a critical and useful second wind to the Fed’s efforts to push for faster payments to support the digital-transactions world.
The Fed’s response to the now-retired Faster Payments Task Force (FPTF) and its final report provides some options and clues for how the Fed can move the payments system to higher ground—even if the biggest legacy participants continue to demonstrate no meaningful motivation to do so themselves.
Logical Next Step
Everyone knows the bulk of U.S. payments fraud comes from payment cards, namely signature-based credit and debit cards. EMV, while coming late to the United States, will help address some counterfeit fraud. But the pervasive threat remains largely unaddressed because most card-account credentials remain in the clear—even from the chip—and mag-stripe mode is nearly always on the back of the chip card. Tokenization might help, but end-to-end encryption is the growing consensus choice to solve the problem.
Remarkably, banks and network brands in the U.S. are largely silent on or are opposed to embracing encryption (or digital IDs, for that matter). After all, that will cost money. Instead, they seem more concerned about protecting themselves from critiques of their payment modes that might impact the various interchange and PIN-suppression lawsuits currently in play.
Some of this disdain for acknowledging the crippled state of card-payment security surfaced in the Fed task force proceedings, as banks and network brands worked in concert to steer discussions away from the need for any external (i.e., regulatory) interventions—especially by the Fed.
As a result, the deliverables coming out of the Fed task forces, one on security and one on faster payments, only hint at the source of most of these problems. Moreover, the actual data on card fraud is ferociously protected from the public eye by the legacy providers, as is fraud data from ACH and wires.
So, the logical next step for the Fed—if the brands and card issuers won’t provide or share their data—is to conduct a comprehensive study to definitively assess how serious the fraud problem really is in this country vs. the rest of the world, and work out what solutions might begin to address the problem.
Lo and behold, the Fed’s response in September proclaims that such a study is in the offing.
A second logical step is to define the problem areas that are known (for example, ATM skimming, e-commerce friendly fraud, account takeover), and consider what can and should be done about them—as well as with what priority. That dimension also appears to be an important part of the new study. It will likely build on the Secure Payments Task Force’s (SPTF’s) efforts to identify a significant number of security concerns that exist in various payment streams.
Trusting ‘Faster’
Identifying payment-system gaps and opportunities was part of a Fed consultation paper in 2013 and of the January 2015 paper that launched the task forces. The SPTF was initiated coincidentally with the FPTF in June of 2015, and enlisted 180 members.
During the two years since, SPTF workgroups have considered and debated key topics such as payments-identify management, data protection, fraud-information sharing, assessment of industry standards available or needed for new security approaches, and what laws and regulations might have to be updated, changed, or created to accommodate the new approaches.
A key SPTF premise was that moving payments faster would naturally introduce new risk-management challenges: the faster the funds moved, the quicker they could be in the hands of thieves and hackers—if the existing physical-world (i.e., paper, cards, etc.) risk-management processes that required and were dependent upon latency periods couldn’t be re-engineered for near real-time.
That meant that real-time security had to be in place before real-time networks could be entrusted to safeguard digital payments.
That’s a major reason that 11 of the 36 effectiveness criteria by which the FPTF’s 16 faster-payments system proposers were measured (“Sweet 16,” September) dealt with security and safety. As with proposer responses on governance (e.g., “it would be left up to existing processes”), in general, these proposals discussed security at a very high level (e.g., “it would use encryption”).
Both governance and security will need in-depth development—and standardized, auditable implementation—before users of the new payment systems could be expected to trust “faster.”
Meanwhile, FPTF has launched a follow-on process with two dozen mostly legacy payments-system representatives (termed the Interim Collaboration Work Group, or “iCWG”) to begin working on more detailed implementation requirements for governance as well as rules and standards, among other aspects (e.g., a master directory) of faster payments recommended by the task force in its final report.
The iCWG is expected to conduct its work over the next 12 months—constituting a permanent CWG about the time the security study is finished.
Fire-Fighting
The security challenge, however, is far bigger and broader than figuring out how to make real-time payments safe. Existing payment streams are badly in need of improvements, too. The Fed’s overall charter to “ensure the integrity and efficiency of the payment systems”—granted to it in 1990—provides it with wide purview to reduce risks.
That means fixing what’s dangerous (for example, account credentials moving in the clear, poor controls for user access to networks) and what’s broken, or about to be broken (such as 30-year-old versions of ISO 8583, 40-year-old electronic check-transfer formats, 20-year-old point-of-sale terminals still in the field, etc.).
On its own, the industry’s efforts with respect to security issues like these has largely consisted of fire-fighting on data breaches and struggling with PCI requirements. Neither effort has been very successful, as data-breach volumes keep rising, despite immense investments in protecting account credentials in the clear.
Adoption of the Payment Card Industry data-security specifications—ever a moving target—remains elusive for both merchants and financial institutions (which produce numerically more breaches than retail merchants, according to Verizon Business, a leading Qualified Security Assessor).
PCI, which has come at an estimated cost in excess of $30 billion just for merchants since 2004, has at least broadened its purview from protecting payment card credentials at rest to trying to protect them in transit. But the PCI Council acknowledges that tokenization and encryption offer the additional protection needed in the future.
EMV deployment has cost an estimated $15 billion and counting—again mostly paid by merchants. But these transaction streams continue to expose most account credentials to compromise, and the protocol does nothing for e-commerce, and little for mobile-payment, security.
That’s billions that the industry could use right now to update the crumbling payments infrastructure and provide the much-needed digital-identity proofing and management. These are steps that many other developed countries are already implementing—mostly with the help of central banks and regulatory authorities that do have a legal mandate to regulate payments.
To create an effective critique of payment-security problems and derive solutions that actually work, the Fed could enlist truly collaborative (and experienced) experts to help them figure out what’s fixable in a realistic time and with a real return on investment. It could assess the relative impacts on all participants in the payments ecosystem to get a fair and balanced distribution of effort required and costs.
It could also set standards for security performance that create both a minimum level needed (over time) and foster sufficient interoperability so that competitive market forces can drive the prescribed ubiquitous availability, usage, and efficiency.
The Fed’s September response appears to suggest it is considering just such measures, and that it has no intention of stopping now in its effort to foster a vastly improved payment system.
The Australian Example
The Fed can look to other countries for both inspiration and methodology. The Reserve Bank of Australia (RBA, the central bank), for example, held several consultations with the industry over the years from 1996 to 2012. Among the findings were that banks were clinging to 30-to-40-year-old payment infrastructures, were not meeting user needs, and were failing to innovate—opening the door to providers such as PayPal.
The first consultation, in 1996-97, provided the foundation for giving the RBA a legal mandate to regulate payments—including the economics. The RBA found a need to intervene three times in that part of the market: lowering credit card interchange and enabling merchant surcharges (2003), lowering debit card interchange (2006), and lowering rewards card interchange (2016). But it largely used its bully pulpit to move that country’s payment system forward in many other respects, including faster payments.
After considerable nudging by the RBA, the Big Four banks in 2006 agreed to try to build their own real-time network—concluding that the only option that was worse than that was the RBA building one themselves.
Termed MAMBO (Me and My Bank Online), the project fell apart by 2009, and was mothballed for good in 2011. Consequently, another industry consultation on needs for innovation that began in 2010 concluded a year later that broader industry participation in the design, creation, and governance of a new faster-payments network was needed.
That second effort, eventually termed the New Payments Platform (NPP), came about in late 2014 and is going live by the end of this year, as soon as member banks are ready.
NPP offers end-to-end encryption at the network level, leaving originating and receiving FIs to handle security at their endpoints. No data is revealed within the network, and identification of parties is the responsibility of the banks. Business applications (payments use cases) are developed on top of the network as “overlay services”—leaving the choice of using them up to participants.
It’s all very reasonable. But the banks are nonetheless dickering over what the “interchange” fee should be for essentially risk-free bill payments, which constitute the first use case for NPP.
Collaboration is fostered by ingenious governance decisions. For example, the four big banks each have a board seat on NPP, but the 150 smaller FIs have four board seats of their own, and they must work together if they want to get anything passed (or blocked) by the board, which requires a 2/3 vote, or eight votes out of the dozen board seats.
The RBA sits on that board, owns shares, and is subject to capital calls—shoulder-to-shoulder with the banks. And while significant differences exist between the Australian and U.S. markets, payments are still pretty much payments, and the system down under has proven to be far safer and much less expensive than in the U.S., and yet still more than adequately remunerative to bank providers.
Getting Serious About Security
Such participation by a regulator—no matter how enlightened—in fostering innovative payment services seems to be anathema to most big banks and the network brands here. They argue that free-market forces should prevail.
But the reality is that real-time networks are not likely to be supported by U.S. banks for customers until 2020—perhaps at the earliest. In the meantime, rampant fraud, persistent data breaches, and escalating cyber-attacks pound away at the payments system and the economy overall.
As the massive Equifax hack has demonstrated, the credit card industry finds itself in a virtual war not just against merchants, but consumers as well—with no real security fixes in sight.
Yet the Fed is almost certainly going to be providing core support services for faster payments anyway, as the response to the FPTF Final Report described. Examples include the real-time settlement system (already in process), most likely a national directory of payment addresses (to support email and mobile-phone payments), facilitation for expedited business-to-business payments, and integration services for multiple faster payments networks.
So what’s the issue with it becoming a default operator for banks and users that are not well-served by marketplace offerings?
After all, the Fed processes half the ACH payments and most domestic wire transfers with its offerings to smaller banks, credit unions, and users today as part of its historic charter. Why not add default services for digital payments?
And with offerings from NACHA, The Clearing House and Fidelity National Information Services, Early Warning Services, Fiserv, and several others on the way, some objective, neutral operator that integrates the multiple offerings to ensure access for all users will be both necessary and inevitable.
Such logic aside, the ultimate case for Fed participation is the need to get started on vetting technology and developing standards for real-time security now. We can’t afford the risk that when these aspiring providers go to market three to four years from now, a consistent level of effective security will not be ready.
The Fed’s response notes that it will monitor the industry’s progress to both faster and safer payments, and will be prepared to invite itself into broader participation if the U.S. payments industry falls short.
As in other countries, legacy payments providers have not been able to achieve that themselves without some help from their central banks, finance ministries, or industry payments councils. There is no reason to expect a different outcome in the U.S. The Fed is clearly on a sustaining course to provide that help, and as faster payments enters a new stage of its evolution, the doors are finally now opening to get serious about payments security.
Steve Mott is principal at BetterBuyDesign, a Stamford, Conn.-based payments consultancy.