FDIC on Mobile Payments Risks
Regulator Defines Risks in Emerging Payments Technologies
As mobile payments continue to grow, financial institutions need to evolve their management of third-party service providers, says the Federal Deposit Insurance Corp.'s Rob Drozdowski.
The FDIC recently issued a resource dedicated to mobile payments in a late-2012 issue of Supervisory Insights. The resource, which aims to help card-issuing institutions and acquirers better understand the complexities of this emerging landscape, highlights the growth of technology companies and partnerships as an area institutions need to watch.
"Many of these companies appear to be more entrepreneurially oriented start-ups that may not have had experience in providing services for a federally insured bank in the past," says Drozdowski, a senior technology specialist within the Technology Supervision Branch of the FDIC's Division of Risk Management.
"Since FDIC-supervised banks tend to be smaller and more community-oriented in nature, our banks are much more likely to leverage third-party partnerships to offer new products and services than to develop them themselves," he says during an interview with Information Security Media Group [transcript below].
Matt Homer, a policy analyst within the Supervisory Policy Branch of the FDIC's Division of Depositor and Consumer Protection, also says growth in mobile payments marketplace means banks need to conduct due-diligence and establish provisions to govern vendor relationships.
"The way transactions are initiated is constantly evolving, and it often involves, as we discussed, non-bank technology service providers that are relatively new to the marketplace," Drozdowski says. "We believe that management of third-party technology service provider relationships is going to evolve as a key part of banks' overall mobile payments risk management strategy."
During this interview, Drozdowski and Homer discuss:
- What defines a mobile payment and the technology that facilitates it;
- The role banking institutions must play to ensure mobile providers and servicers comply with industry mandates, such as the Payment Card Industry Data Security Standard;
- Consumer privacy considerations impacting mobile transactions.
Drozdowski is a senior technology specialist within the Technology Supervision Branch of the Federal Deposit Insurance Corp.'s Division of Risk Management, where he supports the supervisory activities in the area of retail payments, privacy and technology service providers.
Homer is a policy analyst within the Supervisory Policy Branch of the FDIC's Division of Depositor and Consumer Protection, where he monitors and analyzes a number of policy topics, including mobile financial services, student lending, and other regulatory and consumer finance issues.
TRACY KITTEN: What are your roles with the FDIC are and how they touch mobile payments?
ROB DROZDOWSKI: I work in the Division of Risk Management Supervision and the Technology Supervision Branch where we focus on operations, payments, technology and third-party management risk. In addition, the area I work in is responsible for the policies and oversight of the FDIC's technology service provider program that includes many of the companies our banks are partnering with to provide mobile payment services to their customers.
MATT HOMER: I work on the policy staff, a Division of Depositor and Consumer Protection. In this role, my work touches mobile payments in two ways. The first is from a consumer protection and consumer compliance perspective, as we're interested in implications of mobile payments for consumers and also interested in ensuring these products comply with applicable consumer regulations. The second way I work on mobile payment issues is through the FDIC chairman's Advisory Committee on Economic Inclusion, which is interested in mobile financial services for its potential to draw the un-banked and under-banked into the banking system.
Mobile Payments Best Practices
KITTEN: Why did the FDIC think the time was right to issue a list of definitions and best practices for mobile payments?
HOMER: First, we wanted to point out that the article does not necessarily reflect any official views of the FDIC and instead only represents the views of the authors who wrote it. That said, as authors, we thought it would be useful to develop an overview of the mobile payments landscape that describes the current regulatory framework and identifies risks associated with this technology.
We thought this would be useful for several reasons. Mobile phone adoption continues to increase, and, as more and more people have mobile phones, they're increasingly using them to perform more sophisticated functions such as mobile payments.
At conferences and through other interactions with industry, we've heard a lot of questions about this space and have noticed that, although certain aspects of mobile payments have received considerable attention, less focus has been given to regulatory and risk considerations. With these factors in mind, we hope this article helps address some of those gaps by documenting the current lay of the land regarding mobile payments and how existing regulations apply to this technology.
DROZDOWSKI: We also recognized that there were a lot of new technology companies and partnerships emerging in the mobile payments marketplace, and many of these companies appear to be more entrepreneurially oriented start-ups that may not have had experience in providing services for a federally insured bank in the past. Since FDIC-supervised banks tend to be smaller and more community-oriented in nature, our banks are much more likely to leverage third-party partnerships to offer new products and services than to develop them themselves.
KITTEN: What can you tell us about some of the unique challenges that this summary of mobile payments raises about mobile payments?
DROZDOWSKI: I think it's important to recognize a few key observations about the mechanics of mobile payment technologies in the current marketplace. Based on our review, it clearly appears unlikely that any one technology for originating mobile payments will become dominant in the marketplace in the near-term. Rather, there's going to be a number of innovative technology solutions including NFC, bar codes, proximity and other technologies that will exist concurrently in the marketplace for at least the near-term. Regardless of the technology used to initiate mobile payment in the U.S. marketplace, almost all the solutions rely on established retail payment channels. ACH, credit/debit cards, networks, pre-paid programs and EFT networks are all fundamental to mobile payment. Since existing retail payment channels provide principal rails for mobile payments, banks will continue to play a key role in facilitating mobile payments.
HOMER: There are a couple of other potential challenges that arise from mobile payments. One of those is the unique set of stakeholders and regulations that may apply to a given product. For example, a product may have multiple stakeholders and third parties that implicate a number of different regulators. A product may also have multiple features or funding sources that implicate a number of different regulations and this creates a situation of which extra attention needs to be given to compliance. Another potential challenge involves applying a set of legacy regulations to a new type of technology.
KITTEN: How similar would you say that this particular summary about mobile payments is to other best practices that regulators have issued?
HOMER: That's a good question. Our understanding is this article is really unique in that it's focused exclusively on mobile payments, and although there are existing regulations and guidance out there that still apply, this is really unique in that it is tailored specifically for that context.
DROZDOWSKI: While no new federal regulations have been issued governing mobile payments, existing guidance, regulations and policies relate directly to mobile payments, most notably things like the Gramm-Leach-Bliley Act information security requirements that outline expectations for safeguarding customer information, and guidance related to authentication and third-party risk management.
Fraud, Security Concerns
KITTEN: What are some of the greatest concerns from an issuing and acquiring perspective?
DROZDOWSKI: One of our key takeaways from our review of the current mobile payments marketplace is that the fundamentals of payments risk management should remain constant for most banks, and they're getting involved. Transactions are going to continue to be received and sent, whether it's on the issuing or the acquiring side, through existing retail payments channels, at least in the U.S. marketplace right now.
However, the way transactions are initiated is constantly evolving and it often involves, as we discussed, non-bank technology service providers that are relatively new to the marketplace. Therefore, we believe that management of third-party technology service provider relationships is going to evolve as a key part of banks' overall mobile payments risk management strategy.
HOMER: From a consumer's perspective, studies and surveys show that consumers are concerned about privacy and security when it comes to mobile payments. Financial institutions will want to consider these factors as they seek to increase user-adoption of these technologies.
Emerging Payments: Bank Preparations
KITTEN: How would each of you say banking institutions are preparing for some of these emerging payments, such as the mobile wallet?
HOMER: Banking institutions seem to be waiting to see which products will emerge as dominant in the mobile wallet marketplace. From our perspective, we hope that as banks get involved in this space, they will pay close attention to the regulations and issues that are important to consumers, such as privacy and security. The other issue that we raise in the article, specifically regarding third-parties, we also hope that they'll conduct proper due-diligence in choosing vendors and establish appropriate contract provisions governing vendor relationships, and also conduct ongoing monitoring of vendor compliance.
KITTEN: What recommendations would you say regulators have to offer where the security of these cards that have been essentially loaded to mobile devices is concerned?
DROZDOWSKI: I think that the existing regulatory framework governing information security currently applies in this situation as well. Things like the Gramm-Leach-Bliley Information Security Program or authentication guidance are all key parts of what we should expect to see in applications that are offered on the mobile device for consumers.
KITTEN: This particular article that's related to mobile payments actually describes an array of different mobile payments options. Can you explain how some of those options differ?
HOMER: In the article, we identify a number of different technologies and several different uses of those technologies. For example, mobile payments can be used to make point-of-sale payments or facilitate person-to-person payments, but in either case mobile payments are facilitated by the increasing popularity of smart phones and the availability of point-of-sale terminals that are equipped to process transactions, and also near-field communications.
DROZDOWSKI: The only thing I'd add to that, Matt, is that the existing payment rails for actually moving the funds are still the traditional retail payment rails that exist in the marketplace - ACH, checks in some cases, credit/debit cards and pre-paid. They remain the fundamental rails for moving money, even in mobile.
KITTEN: When we look at some of the threats that are posed by these emerging payments landscapes, what would you say are some of the top risks that institutions need to consider?
DROZDOWSKI: While we didn't make any specific observations about how payments models will impact the banks' ability to leverage transaction data to identify anomalous behavior, detect fraud and provide customized content and product offers, it's an important point to recognize that the data that institutions get for conducting payments are key to many of the risk management processes. We don't provide recommendations in this area, but we believe that this is a factor that banks can consider and evolve in evaluating new payment product solutions.
KITTEN: What about compliance when it comes to consumer privacy laws and mandates, such as the PCI Data Security Standard? What recommendations are regulators offering there?
DROZDOWSKI: The Payment Card Industry Data Security Standard is a great example of industry coming together to establish a self-governance model to protect and preserve the integrity of the payments systems, and while the FDIC does not necessarily enforce PCI standards, we recognize that they've set forth a benchmark for managing payments in a safe and sound manner.
HOMER: In the article, we point out that although there are currently no federal laws or regulations that specifically govern mobile payments, the existing payment method, such as ACH or EFT, the laws and regulations that apply to that method will also apply to the mobile payment. Our article focuses on those federal laws and regulations with applicability to mobile payments. We also recognize there are other applicable standards or sub-national laws that are important to consider, too.
KITTEN: Do you anticipate any future guidance being issued by banking regulators that relates specifically to mobile?
HOMER: We're not aware of any current plans to issue formal guidance in this space. However, at the FDIC we continue to monitor the marketplace and we want to continue having a dialogue with relevant stakeholders as we have been having with folks in the industry.