Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
September 23, 2019
Designing Disclosures to Be Read
Have you ever wondered if consumers actually look at disclosures for payment services? And if they do look at them, how much time do you think they spend reading them? If the average adult reads around 250 words per minute and a disclosure page contains 1,000 words—likely a low estimate—then a consumer would spend four minutes on the page before clicking accept or reject. I am confident that a more realistic estimate of time consumers spend on these pages falls far short of the time required to read the legally required consumer protection information. How many of us just click on the "I Accept" button without reading the disclosure? Maybe it's time to come up with a better way to disclose.
I believe that disclosures are one of the more dreaded elements in designing, launching, and managing financial services. If you haven't experienced the dread first hand, you can find evidence of it in the countless comment letters submitted by payments stakeholders and posted to the Federal Register when a proposed rule could affect disclosure terms. The work and expense of delivering disclosures at precisely the time required by law are completely wasted when consumers fail to read them.
The goal of disclosures is to educate consumers on a product's terms and conditions, to define their responsibilities, and to ultimately protect them from financial harm or surprises. With this information, consumers can make informed decisions. We should hope consumers comprehend and retain the critical information provided.
Opportunities exist to present important consumer protection information in ways that are far more easily digestible than a thousand-word disclosure in a four-point font. For instance, a gamification model could ask the consumer direct questions related to fees in pop-up windows with animated visual representations of the scenarios. You can brainstorm to come up with messages, jotting down quick ideas—for example, "You chose instant transfer, the fee is $1, Accept or Decline." Or, "Help us monitor your transactions daily, instant transfers will be $0, Accept or Decline." A large font and short words can quickly articulate the key points and big risks. Moreover, building the disclosure logic into the technology better protects the consumer.
Here's some good news—you now have the support of the Consumer Financial Protection Bureau (CFPB) to test your innovative solutions in making disclosures likelier to achieve their aim. The CFPB's Office of Innovation recently issued new policies to encourage innovation. For example, the office instituted a trial disclosure program and has committed to granting or denying applications for these trials within 60 days of submission. Accepted applicants will have up to two years to test their disclosures. They will also have access to state and global regulators through the CFPB's affiliation with the Federal Financial Institutions Examination Council, the Global Financial Innovation Network, and the newly formed American Consumer Financial Innovation Network.
Applicants and disclosures need not be company- or product-specific, although that is an option. Service providers, trade associations, consumer groups, or other third parties may also use the trial application program. Group applications could help spread trial disclosure development costs such that smaller entities would be able to afford to participate in the program. Such intention has been evidenced in the CFPB's Office of Innovation's first "No-Action Letter," issued to more than 1,600 HUD housing counseling agencies, stating that it will not take enforcement action with agencies that enter into "certain fee-for-service arrangements with lenders for pre-purchase housing counseling services."
Have you considered redesigning a payment product or service disclosure that consumers will be likelier to read? Apply to test it , and good luck!
May 20, 2019
Could Federal Privacy Law Happen in 2019?
Some payments people have suggested that this could be the year for mobile payments to take off. My take? Nah. I gave up on that thought several years ago, as I've made clear in some of my previous posts. I'm actually wondering if this will be the year that federal privacy legislation is enacted in the United States. The effects of the European Union's General Data Protection Regulation (GDPR) that took effect a year ago (see this Take on Payments post) are being felt in the United States and across the globe. The GDPR essentially has created a global standard for how companies should protect citizens' personal data and the rights of everyone to understand what data is being collected as well as how to opt out of this collection. While technically the GDPR applies only to EU citizens, even when traveling outside the European Union, most businesses have taken a cautious approach and are treating every transaction—financial or informational—that they process as something that could be covered under the GDPR.
A tangible impact of the GDPR in the United States is that the state of California has passed a data privacy law known as the California Consumer Privacy Act of 2018 (CCPA) that is partly patterned after the GDPR. The CCPA gives California residents five basic rights related to data privacy:
- The right to know what personal information a business has collected about them, where it was obtained, how it is being used, and whether it is being disclosed or sold to other parties and, if so, to whom it is being disclosed or sold
- The right to access that personal information free of charge up to two times within a 12-month period
- The right to opt out of allowing a business to sell their personal information to third parties
- The right to have a business delete their personal information, except for information that is required to effect a transaction or comply with other regulatory requirements.
- The right to receive equal service and pricing from a business, even if they have exercised their privacy rights under the CCPA.
According to the National Conference of State Legislatures (NCSL) 17 states have mandated that their governmental websites and access portals state privacy policies and procedures. Additionally, other states have privacy laws related to privacy, such as children's online privacy, the monitoring of employee email, and e-reader policies.
Take On Payments has previously discussed the numerous efforts to introduce federal legislation regarding privacy and data breach notification with little traction. So why do I think change is in the air? The growing trend of states implementing privacy legislation is putting pressure on Congress to take action in order to have a consistent national policy and process that businesses operating across state lines can understand and follow.
What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
-payments">Retail Payments Risk Forum at the Atlanta Fed
April 22, 2019
The Prepaid Rule: All Jokes Aside
A payments compliance rule took effect this year on April Fools' Day, and it occurred to me that when a compliance deadline is approaching, you might not feel like joking around. The Prepaid Accounts Final Rule was issued a few years ago, in 2016, but after a number of postponements, its effective date is finally behind us.
The rule standardizes disclosures, error resolution procedures, consumer liability limits, and access to records. These changes are intended to provide comprehensive consumer protections for prepaid accounts under the Electronic Fund Transfer Act, or Regulation E. The rule is fairly comprehensive, but for the sake of brevity, I'm going to look at only a couple areas of the rule—those that stand out to me.
Consumers can now expect protections over their transaction accounts regardless of whether the account is offered directly by a traditional financial institution or by a third party, such as a fintech or merchant, as they make electronic payments (debit, prepaid, ACH). Also, fintech companies that allow consumers to store funds or are thinking about adding that ability may want to prepare themselves to be designated as prepaid services providers and therefore subject to the regulatory and licensing requirements that go along with that designation. To that point, I am not surprised to see several big names recently listed on the FinCen Money Service Business Registration as "Providers of prepaid access." (To see the list, scroll down the web page to the MSB registration form; on the MSB ACTIVITIES field, click the down arrow to open the dropdown list; select Provider of prepaid access and click the Submit button.)
Established prepaid issuers have long been preparing for the new prepaid rule despite the stops and starts of an effective date and the uncertainty about some of its key provisions. Because consumers open prepaid accounts in a variety of ways—from starting a new job to purchasing prepaid cards at a retail checkout lane—it can be difficult to accommodate the disclosure requirements, such as those for listing fees, that the prepaid rule prescribes. Most issuers have changed product packaging to accommodate the new disclosures. These changes required complicated logistics coordination for the prepaid supply chain to replace old, noncompliant inventory with new, compliant card packages. Some issuers are still grappling with how to list types of fees that may not apply to their particular account program.
Many issuers had already been providing some level of consumer protection from unauthorized transactions before the rule requirement took effect. Now there will be a standard expectation. Limited liability and error resolution benefits need apply only to customers who have successfully completed the identification and verification process, if there is one for their particular program. Regulation E's error resolution and limited liability requirements do not extend to prepaid accounts (other than payroll or government benefit accounts) that have not completed the verification process, one of the key revisions after the rule's initial issue.
The rule will change the way we categorize prepaid services. For instance, in the past, discussion around prepaid products focused on whether the product was open- or closed-loop, and whether it was reloadable or nonreloadable. While those characteristics still exist, they are not necessarily a determinant as to whether the rule applies to a particular product or not. There are clear exclusions for certain products like those that are marketed and labeled as gift cards, health care savings cards, or disaster relief cards. However, even if a product doesn't have "prepaid" on its label, it may still fall under Regulation E. Coverage extends to asset accounts that consumers can use to conduct transactions with multiple, unaffiliated merchants for goods or services, to pull cash from automated teller machines, or to make person-to-person transfers.
For both incumbents and those finding themselves new in prepaid, it has been no joke to prepare to comply with the new rule. Despite the extra burden, do you think we will look back on this milestone favorably in the future? I think the new prepaid rule will lead to strengthening trust and confidence in these products. The Consumer Financial Protection Bureau (CFPB) pledges to be vigilant in evaluating new rules. Moreover, the CFPB is required to submit a formal evaluation five years following a rule's effective date. The industry should be ready to help measure the rule's impact.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 11, 2019
AI and Privacy: Achieving Coexistence
In a post early last year, I raised the issue of privacy rights in the use of big data. After attending the AI (artificial intelligence) Summit in New York City in December, I believe it is necessary to expand that call to the wider spectrum of technology that is under the banner of AI, including machine learning. There is no question that increased computing power, reduced costs, and improved developer skills have made machine learning programs more affordable and powerful. As discussed at the conference, the various facets of AI technology have reached far past financial services and fraud detection into numerous aspects of our life, including product marketing, health care, and public safety.
In May 2018, the White House announced the creation of the Select Committee on Artificial Intelligence. The main mission of the committee is "to improve the coordination of Federal efforts related to AI to ensure continued U.S. leadership in this field." It will operate under the National Science and Technology Committee and will have senior research and development officials from key governmental agencies. The White House's Office of Science and Technology Policy will oversee the committee.
Soon after, Congress established the National Security Commission on Artificial Intelligence in Title II, Section 238 of the 2019 John McCain National Defense Authorization Act. While the commission is independent, it operates within the executive branch. Composed of 15 members appointed by Congress and the Secretaries of Defense and Commerce—including representatives from Silicon Valley, academia, and NASA—the commission's aim is to "review advances in artificial intelligence, related machine learning developments, and associated technologies." It is also charged with looking at technologies that keep the United States competitive and considering the legal and ethical risks.
While the United States wants to retain its leadership position in AI, it cannot overlook AI's privacy and ethical implications. A national privacy advocacy group, EPIC (or the Electronic Privacy Information Center), has been lobbying hard to ensure that both the Select Committee on Artificial Intelligence and the National Security Commission on Artificial Intelligence obtain public input. EPIC has asked these groups to adopt the 12 Universal Guidelines for Artificial Intelligence released in October 2018 at the International Data Protection and Privacy Commissioners Conference in Brussels.
These guidelines, which I will discuss in more detail in a future post, are based on existing regulatory guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. They call out that any AI system with the potential to impact an individual's rights should have accountability and transparency and that humans should retain control over such systems.
As the strict privacy and data protection elements of the European Union's General Data Privacy Regulation take hold in Europe and spread to other parts of the world, I believe that privacy and ethical elements will gain a brighter spotlight and AI will be a major topic of discussion in 2019. What do you think?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- mobile payments
- money laundering
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- thirdparty service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud