Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
May 20, 2019
Could Federal Privacy Law Happen in 2019?
Some payments people have suggested that this could be the year for mobile payments to take off. My take? Nah. I gave up on that thought several years ago, as I've made clear in some of my previous posts. I'm actually wondering if this will be the year that federal privacy legislation is enacted in the United States. The effects of the European Union's General Data Protection Regulation (GDPR) that took effect a year ago (see this Take on Payments post) are being felt in the United States and across the globe. The GDPR essentially has created a global standard for how companies should protect citizens' personal data and the rights of everyone to understand what data is being collected as well as how to opt out of this collection. While technically the GDPR applies only to EU citizens, even when traveling outside the European Union, most businesses have taken a cautious approach and are treating every transaction—financial or informational—that they process as something that could be covered under the GDPR.
A tangible impact of the GDPR in the United States is that the state of California has passed a data privacy law known as the California Consumer Privacy Act of 2018 (CCPA) that is partly patterned after the GDPR. The CCPA gives California residents five basic rights related to data privacy:
- The right to know what personal information a business has collected about them, where it was obtained, how it is being used, and whether it is being disclosed or sold to other parties and, if so, to whom it is being disclosed or sold
- The right to access that personal information free of charge up to two times within a 12-month period
- The right to opt out of allowing a business to sell their personal information to third parties
- The right to have a business delete their personal information, except for information that is required to effect a transaction or comply with other regulatory requirements.
- The right to receive equal service and pricing from a business, even if they have exercised their privacy rights under the CCPA.
According to the National Conference of State Legislatures (NCSL) 17 states have mandated that their governmental websites and access portals state privacy policies and procedures. Additionally, other states have privacy laws related to privacy, such as children's online privacy, the monitoring of employee email, and e-reader policies.
Take On Payments has previously discussed the numerous efforts to introduce federal legislation regarding privacy and data breach notification with little traction. So why do I think change is in the air? The growing trend of states implementing privacy legislation is putting pressure on Congress to take action in order to have a consistent national policy and process that businesses operating across state lines can understand and follow.
What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
-payments">Retail Payments Risk Forum at the Atlanta Fed
April 29, 2019
In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.
I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:
- The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
- The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
- In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.
I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).
When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.
What is your bank doing to educate the next gen of security ninjas?
April 22, 2019
The Prepaid Rule: All Jokes Aside
A payments compliance rule took effect this year on April Fools' Day, and it occurred to me that when a compliance deadline is approaching, you might not feel like joking around. The Prepaid Accounts Final Rule was issued a few years ago, in 2016, but after a number of postponements, its effective date is finally behind us.
The rule standardizes disclosures, error resolution procedures, consumer liability limits, and access to records. These changes are intended to provide comprehensive consumer protections for prepaid accounts under the Electronic Fund Transfer Act, or Regulation E. The rule is fairly comprehensive, but for the sake of brevity, I'm going to look at only a couple areas of the rule—those that stand out to me.
Consumers can now expect protections over their transaction accounts regardless of whether the account is offered directly by a traditional financial institution or by a third party, such as a fintech or merchant, as they make electronic payments (debit, prepaid, ACH). Also, fintech companies that allow consumers to store funds or are thinking about adding that ability may want to prepare themselves to be designated as prepaid services providers and therefore subject to the regulatory and licensing requirements that go along with that designation. To that point, I am not surprised to see several big names recently listed on the FinCen Money Service Business Registration as "Providers of prepaid access." (To see the list, scroll down the web page to the MSB registration form; on the MSB ACTIVITIES field, click the down arrow to open the dropdown list; select Provider of prepaid access and click the Submit button.)
Established prepaid issuers have long been preparing for the new prepaid rule despite the stops and starts of an effective date and the uncertainty about some of its key provisions. Because consumers open prepaid accounts in a variety of ways—from starting a new job to purchasing prepaid cards at a retail checkout lane—it can be difficult to accommodate the disclosure requirements, such as those for listing fees, that the prepaid rule prescribes. Most issuers have changed product packaging to accommodate the new disclosures. These changes required complicated logistics coordination for the prepaid supply chain to replace old, noncompliant inventory with new, compliant card packages. Some issuers are still grappling with how to list types of fees that may not apply to their particular account program.
Many issuers had already been providing some level of consumer protection from unauthorized transactions before the rule requirement took effect. Now there will be a standard expectation. Limited liability and error resolution benefits need apply only to customers who have successfully completed the identification and verification process, if there is one for their particular program. Regulation E's error resolution and limited liability requirements do not extend to prepaid accounts (other than payroll or government benefit accounts) that have not completed the verification process, one of the key revisions after the rule's initial issue.
The rule will change the way we categorize prepaid services. For instance, in the past, discussion around prepaid products focused on whether the product was open- or closed-loop, and whether it was reloadable or nonreloadable. While those characteristics still exist, they are not necessarily a determinant as to whether the rule applies to a particular product or not. There are clear exclusions for certain products like those that are marketed and labeled as gift cards, health care savings cards, or disaster relief cards. However, even if a product doesn't have "prepaid" on its label, it may still fall under Regulation E. Coverage extends to asset accounts that consumers can use to conduct transactions with multiple, unaffiliated merchants for goods or services, to pull cash from automated teller machines, or to make person-to-person transfers.
For both incumbents and those finding themselves new in prepaid, it has been no joke to prepare to comply with the new rule. Despite the extra burden, do you think we will look back on this milestone favorably in the future? I think the new prepaid rule will lead to strengthening trust and confidence in these products. The Consumer Financial Protection Bureau (CFPB) pledges to be vigilant in evaluating new rules. Moreover, the CFPB is required to submit a formal evaluation five years following a rule's effective date. The industry should be ready to help measure the rule's impact.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 15, 2019
For Customer Education, Map Out the Long Journey
Financially savvy consumers are good customers for financial services. They save for retirement and pay back loans. Those are among the findings of research looking into the effects of formal financial education. And, as readers of this blog already know, customer education is central to risk management.
Using data from the National Financial Capability Study, researchers at the University of Nebraska found that financial education encouraged positive behaviors in the long run, such as saving for retirement or setting up an emergency fund. For short-run behavior, which the researchers defined as tasks that "give continual feedback," the evidence was mixed. They hypothesized that, in the short run, people learn good behavior better from getting negative feedback like late fees.
A paper by researchers at the Federal Reserve Board looked at three states (including Georgia, Idaho, and Texas) that began requiring financial education in 2007. Students in school after the requirement was implemented had higher relative credit scores and lower relative loan delinquencies than young people in bordering states without financial education. The effects lasted for four years after high school graduation. Among the goals of the Georgia curriculum is one that says students should be able to "apply rational decision making to personal spending and saving choices" and "evaluate the costs and benefits of using credit." Through age 22, the researchers found that the students who studied personal finance were better off than peers who had not, as measured by relative credit scores and delinquency rates.
What this means: if I learn in middle school that cost should factor into college choice, perhaps I'll decide to take on less student loan debt when it's time to choose a college. If one of my college professors stresses the importance of saving for retirement, perhaps I'll be more likely to make sure I participate in my employer's 401(k) and qualify for its full match. If I receive regular reminders about phishing attacks, perhaps I would be less likely to reply to or open a link in a phishy email.
April is Financial Literacy Month. For parents, teachers, and financial institutions, it's encouraging to know that split-second timing is not necessarily critical to effective financial learning. Financial education need not be delivered at life's crossroads, but everyone should have an overview of the route before getting on the road.
Finally, let me share some tips:
- For parents of young children: Use these parent Q & A resources during story time. They are designed to help you talk about the importance of making careful decisions when saving versus spending and other personal finance topics related to their daily lives.
- For teachers: The Federal Reserve Bank of Atlanta offers professional development programs for teachers, designed to enhance classroom instruction of economics and personal finance, including a free webinar on April 16, "Personal Finance Basics: Classroom Resources."
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed