Risks in Payment Systems
Eric Bonnell, SVP FLOD Risk Management, Atlantic Union Bank
Money movement is an integral part of banking. Customers rely on safe and sound processes for getting money into their accounts, purchasing goods and services, paying their debts, making sure their children have lunch money, giving gifts, and squirreling away funds for retirement. Payment systems are key to maintaining a safe and effective supply chain for businesses and consumers.
How can a financial service company provide safe and sound money movement? Like any other effort, it takes people, processes, and technology. Understanding the risks around payment systems means knowing your people, processes, and technology. What is important to customers and service providers? Where can processes go wrong? What technology supports a secure and efficient workflow to move money from one person/place to another?
Each payment and money movement type has its own benefits and idiosyncrasies. For example, person-to-person (P2P) payment systems, such as Zelle®, move money quickly and personally, making it convenient to provide money to family, friends, and small businesses. However, when used to move money in large amounts or to people we do not know that well, the process is prone to fraud, and it may be difficult to recover funds. Wires and ACH have more checks and balances, which can make them less convenient but more reliable for transactions with people and businesses that are less familiar to us. Debit and credit cards are prone to personal information compromise if not well-managed but are also convenient to use, especially through vehicles such as Apple Pay, Google Pay, or PayPal, which use expensive technology to keep things secure.
General Payment Risk
When researching money movement systems, there are some general risks to address. For more information, see my earlier article, "Safeguarding Against Payment Fraud through Strategic Perspectives": https://data-security.enterprisesecuritymag.com/cxoinsight/safeguarding-against-payment-fraud-through-strategic-perspectives-nid-2962-cid-15.html
Each of these risks will have its own nuances, especially from a regulatory perspective. Work with your Legal, Regulatory, and Risk partners to assess these in more detail as you develop and update them, and on regular review cycles:
- Fraud Risk Mitigation: Securing the transfer of money from one place to another over different channels is important to protect the customer’s confidential information and funds, as well as transaction integrity, the loss of which can lead to fraud loss. Fraud security controls start with validating and safeguarding customer identity information, employing strong transaction authentication, and leveraging effective fraud detection and prevention systems.
- Customer-Facing Risk Mitigation: Customers need to be aware of how different payment systems operate and what their expectations should be. This is accomplished with payment contracts and notices, along with ongoing customer awareness campaigns that address the types of cybersecurity threats and fraud and explain how to protect against them. Customers should understand the best payment channel to use for different types of transactions, including the dangers of sending Person-to-Person (P2P) payments to unknown individuals or in larger amounts. Having effective monitoring and dispute resolution processes to make customers whole when fraud occurs is not only good customer service but also prevents complaints that might imply unfair practices.
- Operational Risk Mitigation: Having a strong resiliency program is key to being prepared when systems and processes fail. Payment systems should be considered critical functions of financial institutions, which implies that plans to sustain and recover operations when errors and failures occur must be comprehensive, current, and thoroughly tested throughout the lifecycle of transaction initiation, assessment, and processing. It is imperative that plans and testing extend to all key third- and fourth-party people, processes, and technology that support payment transaction processing.
- Legal and Regulatory Risk Mitigation: Failure of any of the above controls may result in regulatory failures and may, in some circumstances, lead to the threat of legal action from irate customers. Regulatory discrepancies may lead to higher levels of scrutiny by your examiners. This is especially threatening if the financial institution’s practices are found to be, potentially or actually, unfair, deceptive, or abusive acts or practices (UDAAP). The financial institution should acquire insurance to cover any negative legal and operational events that might occur, including the costs of crisis mitigation, formal external and customer communications, and reputational impact mitigation.
Conclusion
Safe and sound payment transaction execution is unmistakably critical to customers, consumers, merchants, vendors, suppliers, and financial institutions. Different types of transactions are best processed through specific money movement channels. Each channel has distinctive risks due to the nature of how it operates. Regardless of the payment channel, the issues that can be experienced are related to:
- lack of validation and ongoing maintenance of customer information
- failure to protect sensitive customer, teammate, and company information from unauthorized access and/or acquisition
- inability to implement and operate strong authentication practices to validate transacting customers and recipients of payment transactions
- lack of customer awareness of how different payment systems operate, which are best to use for their situation, how to protect themselves against fraudulent activity, and how to formally dispute potential fraud
- failure to plan for and practice steps to sustain and recover from anticipated and likely operational system and process errors and/or outages, especially with third- and fourth-party partners
- inability to address customer complaints and fraud disputes to their satisfaction within the expectations set by contracts and terms
- failure to address lessons learned from errors, outages, complaints, and disputes to correct any existing problems and drive continual improvements
Additionally, it is recommended to have a strong insurance program that will consider potential impacts and cover the costs of crisis mitigation.