On June 20 and 21, 2005, the Payment
Cards Center of the Federal Reserve
Bank of Philadelphia, in conjunction
with the Electronic Funds Transfer
Association (EFTA),
hosted a day-and-a-half forum, “Risky
Business: Managing Electronic Payments
in the
21st Century.” The Center and
EFTA invited participants from the
financial services and
processing sectors, law enforcement,
academia, and policymakers to explore
key topics
associated with the challenge of
effectively managing risk in a payments
environment that is increasingly
electronic. The meeting’s goal
was to identify areas of potential
risk and explore interindustry solutions.
Below is a summary of the keynote
address.
The views expressed here are those
of the author and do not necessarily
represent the views of the Federal
Reserve Bank of Philadelphia or the
Federal Reserve System.
Summary by:
Marilyn Bochicchio,
EFTA
Stanley Sienkiewicz, Federal
Reserve Bank of Philadelphia
Keynote Address – Risk: Another Word for Payments
Suzette Massie, President, Global
Payments Consulting, Carreker Corporation
Summary: The second day’s
session began with a broad overview
by Suzette Massie. Risk management
organized around payment silos is
not appropriate or effective in today’s
highly electronified and extremely
complex payments environment. Financial
institutions must strive to move
risk management to the enterprise
level, migrating payments and risk
management in tandem to achieve this
goal.
According to Massie, managing payments
risk was once a sideline of the payments
business.
Today, that has changed:
- Fraud occurrences and types are exploding
Examples include phishing, spoofing,
keystroke logging, account takeover,
identity theft, money laundering,
and customer data breaches.
- Regulation has mushroomed
New payment-based regulation has
come from a variety of legislation,
including the Bank Secrecy Act,
the Patriot Act, and Sarbanes-Oxley,
section 404.
- Spending is up
Financial institutions plan to
spend $1.8 billion on security
this year, a 12 percent increase
over last year.
- Competition is fierce
Competition for customers, new
products, and evolving services
never ends. Massie argued that,
in this environment, financial
institutions can scarcely make
decisions about the direction
their payments system will take
without considering enterprise
risk each step of the way.
Enterprise Payments and Enterprise Risk
She emphasized that payments are
now a critical part of the industry,
representing a $200 billion business
in the United States and $600 billion
globally, and contributing 8 percent
of operating income to the top 50
U.S. banks.
Traditionally, payments have operated
within a highly fragmented structure
within the banking environment, but
that is changing. “Many financial
institutions are now in the early
stages of reorganizing to focus on
payments, investing in image applications
and bringing together disciplines
to create a more robust operating
environment,” she said. “Looking
ahead, financial institutions will
create payment services tailored
to unique requirements of communities
of interest; conducting straight
through processing of multiple payment
types; automating and strategic sourcing
to increase value, quality, and cost;
embedding payment risk management
and authorization at the point of
presentment; and expanding products
and services to leverage customer-valued
information as an extension of transactions.”
She acknowledged that while all
financial institutions believe it
is important to break down payment
silos, only half have embedded or
are attempting to fully embed enterprise
risk in their risk initiatives. Citing
a study conducted by the Aite Group
of 10 of the top 50 banks, she noted
that 80 percent of antifraud units
report to a single manager and 90
percent do not centralize fraud detection
on a single platform. Yet, 90 percent
believe that centralized processing
is necessary.
Driving Factors
Massie suggested
that both legislation and regulation
are the key drivers that necessitate
the
move to an enterprise approach to
fighting fraud. On the national level,
provisions of the Patriot Act, Gramm-Leach-Bliley
Act, and the OCC Banking Circular
35 (disaster recovery) require financial
institutions to have a full view
of their payments from an enterprise
level. On the global level, financial
institutions are affected by the
Basel II Accord (risk-based capital
backing) and Sarbanes-Oxley 404 (disclosure
and certification). In past eras,
financial institutions addressed
fraud and risk on their own terms.
In today’s highly charged environment,
much of the choice that
financial institutions enjoyed has
been taken away; timelines for compliance
are no longer exclusively under the
control of financial institutions.
Another driver highlighted was the
growing risk of financial loss. Attempts
to defraud and losses
from fraud are increasing, as are
the types of fraud being perpetrated.
She warned that as the massive transformation
of payments continues (with financial
institutions on the leading edge),
larger risk gaps are exposed, creating
opportunities for fraudsters to fill
those gaps. Every loss or compromise
deepens customer distrust of the
system, damages reputations, and
risks crippling fines. In addition,
the publicity galvanizes legislators
and regulators, a situation that
compounds the loss of control and
creates greater uncertainty.
Critical Imperatives and Possibilities
Massie recommended that banks consider
multiple agendas with almost every
initiative they undertake. She suggested
that the critical items on each agenda
will frequently merge:
- Agenda one. How does
this initiative affect our ultimate
goal of merging our separate
payment silos into a single,
integrated payment business?
- Agenda two. What risk
control points does this initiative
affect, open up, or cross paths
with? How does it create new
risk that we need to manage?
To illustrate her point, she posed
a series of questions:
- What are the imperatives
and possibilities for financial
institutions as they seek to
manage their
migration to enterprise payments
and risk while improving customer
service and profitability? How
do financial institutions challenge
the growing perception that payments
are synonymous with risk?
- How does a financial institution protect revenue
as it manages the two agendas? If revenue can’t
be protected, how will it be
replaced? Will financial institutions
need to reinvent a product to
sustain the revenue stream?
- How does a financial
institution match the pace of
change between the two agendas
when they
overlap? What happens, for example,
with an image archive when you
add a new partner and start
exchanging image files? Or if
a financial institution converts
its checks to ACH, does it create
a new risk management control
point that checks ACH files for
stop payments?
In general she noted that “financial
institutions that undertake this
new way of looking at payments and
risk will raise many new questions,
the answers to which will be different
depending on the customer segments
they’re dealing with, the
particular strategy involved,
the payments infrastructure,
and the risk management approach
and technology.”
Tandem Migration
Massie asserted that the key is
to balance the tandem migration of
payments and fraud/risk considerations
to achieve the goal of a fully integrated
payment system. She suggested the
following tangible actions to achieve
this goal:
- Lay a scalable, sustainable enterprise foundation.
Leveraging existing infrastructure,
focus on a modular customer-centric
approach that supports
consistent access to all payment
channels.
- Lift business knowledge.
Where is the knowledge base within
the financial institution? What
are the dynamics of processing
transactions? Financial institutions
should integrate what they know
and do
best into the new process.
- Identify quick wins.
Where will changes have the greatest
impact? Financial institutions
should set priorities and target
quick wins to deliver maximum
value.
- Make sure it works for both risk and payments.
Again, using the example of converting
checks to ACH: What are the fraud-related
processes and
checkpoints that normally occur
in check payments that now need
to be seamlessly wound into
ACH payments? However, as Massie
explained, it can be more complicated.
For example, what
if a customer requests a wire
transfer but does so over the
website? It’s
critical that financial institutions
manage the wire risk as effectively
as the online risk (or vice versa)
and that they maintain consistency
across both channels. Otherwise,
they may be leaving a door open
for an enterprising crook, trained
to spot just such inconsistencies.
Or what if a financial institution’s
client elects to do corporate
capture at its own site? The
financial institution/client
contract probably still calls
for the financial institution
to verify signatures and large
item transactions, but now the
information isn’t
on the financial institution’s
system; it’s on the client’s.
What new risk control points
have been opened? How will the
financial institution ensure
that overall risk protection
is not diminished?
Conclusion
Massie concluded
her remarks by advising that “in the process
of balancing the migration of enterprise
payments and enterprise risk, only
the fittest will survive. And
to be the fittest requires careful,
planned management of the payments
and risk marathons as in-step partners
in the race. The process is challenging,
but it is an unprecedented opportunity
to reinvent and rebuild.”
View the complete summary of Risky
Business: Managing Electronic Payments
in the 21st Century.