Banks to Roll Out Real-Time Payments
Security Experts Highlight Fraud, Security Risks
All of clearXchange's member institutions, which include five of the six largest U.S. banks as well as several regional banking institutions, are expected to offer real-time payments to their customers, clearXchange says in a statement. The network, formed in 2011, enables banks to provide person-to-person, business-to-consumer and government-to-consumer payments.
The network is equally owned by Bank of America, Capital One, JPMorgan Chase and Wells Fargo. None of the banks that own the network responded to Information Security Media Group's request for comment.
Some security experts caution that faster payments create new security risks.
"Faster payments means faster fraud," says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "Many of the anti-fraud tools and processes used by banks today are either manual, or geared to the time delay inherent in current payment transactions."
Wills notes that today's slower payments processes give institutions more time to detect and react to possible fraud. And while faster payments have provided many efficiencies to customers in Mexico, Sweden, Singapore and the U.K., where they are already deployed, increased fraud risks are a real worry.
But Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite, says clearXchange's longstanding fraud-prevention measures appear to be stronger than those in place at most institutions, where fraud screening only occurs in a "day-2" batch environment.
"ClearXchange requires consumers to register and collects a lot of information about them, their online sessions, etc.," she says. "There are only a few banks on the network, and I am sure their fraud folks are connected as well, so they can work together to shut down fraud attempts quickly."
Infrastructure challenges, limitations of existing ACH rails, and the sheer volume of various payments transactions that are unique to the U.S. make the move to real-time payments challenging, says anti-money-laundering expert Mary Ann Miller, senior director and fraud executive advisor at security solutions provider NICE Actimize.
Still, the U.S. has to move toward faster payments, if it expects to keep up with the global market, Miller contends. "The U.S. is playing catch-up in some ways," Miller says.
For the past two years, the Federal Reserve has been gathering feedback about how real-time payments can be deployed in a secure way (see Fed's Payments Overhaul on Fast Track).
But Aite's Inscoe says clearXchange's real-time payments platform could be a great test case for the Fed to watch. "The Federal Reserve's project team could learn from clearXchange and use that knowledge as they make plans," she says. "Wells Fargo, one of clearXchange's owner banks, is part of the Fed's project team, so hopefully the knowledge will be shared."
The clearXchange platform for real-time payments isn't limited to member banks; it's available to banks that are not part of the network.
ClearXchange did not explain in its announcement how it is facilitating these real-time payments. But David Lott, a payments risk expert with the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, says that because the platform allows non-member institutions to exchange real-time payments with member institutions, some transactions are likely being run through the ACH network, rather than an entirely closed clearXchange rail.
"The overall issue with business payments is not so much the financial part of the transaction, but any accompanying information that needs to go with the transaction, such as the customer's account number at that business, purchase order or other payment control information," he says.
Authenticating and verifying all of that information before a payment is approved is a challenge, especially when transactions are being conducted via an open ACH rail, some security experts say.
To initiate payment, users only need an email address or mobile number. Funds are sent directly to a checking or savings account through either a closed clearXchange rail or via ACH.
"More than 100 million online banking customers already have access to the network through their bank's online banking platforms, and all others can access services through clearxchange.com," according to the network's June 15 statement.
Any innovations in payments increase fraud risk, says NICE Actimize's Miller.
"We know from other faster-payment launches globally that the fraudsters treat the online portal like a casino," she says. "Fraud attempts go up, account takeovers increase and cyber-attacks increase. Fraud follows speed and popularity. Simply launching faster payments without a carefully orchestrated fraud risk plan only turns back the clock to low limits and a poor customer experience."
And Ontrack Advisory's Wills says the manual tools banks use today to authenticate transactions won't be effective once real-time payments take effect.
"The use of strong authentication, real-time behavioral analytics, which consolidate a variety of data associated with the transaction across multiple service channels - such as enrollment, authentication, login, service-use, money movement, device identity, and others - will be key."