The Federal Reserve will carefully scrutinize the security components of proposals it's receiving this month for technologies that can be used to enable faster payments in the United States. That's because a key issue in moving to faster payments is mitigating the greater risk of fraud.
Next year, the Fed will issue a report designed to help the financial services industry identify what technology gaps still need to be filled to make faster payments a reality. That report will stop short of endorsing any particular technical approach. But the Fed plans to publish all the technology proposals it receives (see Will the Fed Support a Cryptocurrency?).
"Faster payments opens up all kinds of opportunities for fraudulent payments that must be addressed upfront, instead of trying to bake security back in after deployment," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner.
The proposals for how to achieve faster payments, Litan says, "should be very clear on the principles that must be followed to ensure strong security and fraud prevention. The proposals should stay away from prescribing technical solutions, since they will become outdated very quickly, as we have seen with other regulatory guidance in these and other technology areas."
The Next Steps
Last week, the Fed announced that it had hired the consultancy McKinsey & Company to help review the technology proposals, which are being accepted until April 30.
The consultancy will work with steering committee members from the Fed's Faster Payments Task Force to assess and review the submissions. Proposals can only be submitted by businesses that are among the 331 members that make up the task force.
Whatever technologies ultimately are used to support faster payments must support banks' abilities to detect and limit fraud, says Paul Wilson, product manager at security firm Easy Solutions, which is a member of the task force.
"In the existing environment, the financial institutions have a relatively large amount of time to investigate transactions and dispute them before they are fully cleared," he says. "In some real-time payments systems, the transactions are cleared in real time and irrevocable once complete."
The irrevocable nature of faster payments will be a primary concern addressed during the review and assessment of solution proposals, Wilson says.
"By reducing the processing time, the time to look for and act on fraud is hugely reduced," he says. "Systems will be required that can both monitor transactions and take action on them, all in real time. The faster payments are likely to be available across multiple channels (interactive voice response, online, mobile, kiosk), and so all of the monitoring will need to cover all channels and look for patterns of fraud or deviations from a customer's usual behavior."
Real-time transactions can't be reviewed for fraudulent activity after the fact, Wilson notes. "Each channel should provide non-repudiation, so that financial institutions do not end up taking the hit for a transaction that can't be reclaimed, but which the customer says he didn't make," he says.
Faster Payments' Impact on Banks
Once payments move to a real-time environment, banks and credit unions will have to perform real-time fraud checks before payments are submitted, Wilson says. And that's going to be a big change for most U.S. banking institutions, which are used to having days to review transactions for possible fraud, he adds.
"This will be the system connecting the banks to each other, and so security concerns will be around protecting the core system, providing integrity of transactions and preventing misuse," Wilson says. "The element regarding protection of end-customers is more likely to fall to the financial institutions themselves."
Wilson says the task force is likely to establish a security code of conduct similar to the code defined by the United Kingdom's Faster Payments Service, a banking initiative to reduce payment times between different banks' customer accounts from days to hours.
"Banks would be required to follow this code," he explains. "This code would outline the controls they have to implement on their own payments systems and gateways, along with giving guidance and rules that the financial institutions must follow to protect their end-customers. Such a code would be key in ensuring that the banks put sufficient controls in place, whilst also ensuring that the user experience is kept similar across different institutions."