P2P Payments: What You Need to Know

Early-Adopters Discuss Security Considerations Behind New Trend
U.S. banking institutions are quickly adopting the new, simple payment solution called "Person-to-Person" (P2P) for customers to send money to family and friends via email or text message. At the top of the list for reasons to deploy this new mobile payments solution: Customer convenience.

But at a time when fraudsters prey upon electronic transactions, what are P2P's unique security concerns?

For insights on P2P, we spoke to two institutions that have deployed the service, as well as a P2P solution provider.

The Business Case: Convenience

Already, according to industry estimates, more than 500 U.S. banks and credit unions are offering some form of P2P services.

Count among this group Boeing Employees Credit Union (BECU), the largest credit union ($8.6 billion in assets) in Washington state, which launched P2P to its 600,000 members starting March 20. "It was the ease of use for our members that convinced us," says Howie Wu, Vice President of Virtual Banking. "Members want to transact with their friends and family, and it's easy to do so without the financial data, routing. P2P makes it much simpler to send money."

Convenience and value were also the deciding factors behind First Hawaiian Bank's move to offer P2P to its customers, says Jaylene Tsukayama, Vice President and Manager, Home Banking Department, at the $13.4 billion Honolulu-based bank. "With P2P, our customers have more ways to send money to other individuals through their secure login with the bank," says Tsukayama.

The P2P service BECU and First Hawaiian use is called Popmoney, a CashEdge product. It is an email and mobile person-to-person payments service that allows customers to send money directly from their online or mobile banking service by using the recipient's email, mobile number or bank account information.

Both banking leaders say the business case to add the payment service boiled down to the ability to offer more remote banking and online banking services. Popmoney's use of mobile phone numbers and email addresses to send payments "increases our customer's reach, thereby providing more convenience and value to customers," says Tsukayama.

An added plus: increased security for both the sender and the recipient by not having to share financial account information in order to do the transaction. Instead, the transactions are run through the institutions' ACH networks.

Wu says he is pleased with results so far. Since the March 20 launch, there are more than 2,000 members enrolled in the service, and they are moving about $200,000 per day through P2P. The target audience is comprised of the tech-savvy, younger members -- "those who live and breathe on their mobile device," Wu says.

But What About Security?

Both BECU and First Hawaiian did lengthy due diligence checks before deciding to add the P2P service, performing security assessments of the new payment solution.

At First Hawaiian, customers must log into the secure FHB Online banking service in order to access the P2P function. "We are leveraging all of the security of our online banking service (and in some cases more) to secure a customer's P2P request," says Tsukayama.

The risk management issues that First Hawaiian evaluated when deciding on the service included the need to ensure that customer payment requests would be initiated and sent securely. The bank also had to ensure that there were adequate safeguards around the retrieval of the payment to ensure the payment was delivered or received by the intended payee.

Regulatory inquiries into the new payment solution haven't happened at First Hawaiian yet. "The service is fairly new, so we have not yet had a regulatory review since implementing the service," Tsukayama says.

At BECU, the challenges of security that had to be addressed were, in Wu's opinion, pretty straightforward. Because the credit union's online channel changes are made at least once a quarter, the only thing that had to be settled before the launch was the amount of risk the credit union wanted to take. "The biggest security consideration we had to decide was the amount of money that a member can send in a one-time transaction, and set daily and monthly limits for each member," Wu says.

The chances of a fraudster hijacking a member's account or creating a fake account to send or receive transactions were considered, and Wu says transaction limitations and monitoring of new accounts during a new account's 90-day demo period help stop that from happening. "Once the account has been proven, and the member is shown to be reliable, we loosen the restrictions," he says.

One added security feature of BECU's P2P service includes "out of wallet" type of security questions. "These are answers that a fraudster won't have access to, off of a person's credit report, in the form of multiple choice questions," Wu says.

The Vendor's View

Advancing in the payments evolution, core banking service provider FIS partnered with PayPal, the online payment company, to offer a P2P solution for FIS' banking clients. The solution was launched last fall, says Jeff Lewis, President of FIS ePayment Solutions. The partnership with PayPal brings 60 million registered users -- many of them merchants -- to FIS' banking clients.

FIS' strategy to offer a P2P payment solution centers on the banks' internet portal -- a different kind of model than what PayPal is used to, Lewis says. Risk management due diligence was done by both companies, and FIS asked PayPal to change and "blend" its risk management "so the banks didn't have to do things differently in the back office."

FIS' P2P solution is fully integrated into the online bill pay solution it already offers, and has all of the checks and screening required by OFAC. All of the governors and throttles are already built into the system, and it gives the bank real control over how P2P transactions happen, Lewis notes. Add to this the fraud analytics engine FIS has, he says, and banks can know that the transactions are being fully monitored. One type of fraud the engine looks for is account takeover, where a customer's banking credentials have been taken via a trojan or a keylogger. The transactions made by a fraudster look completely different than a regular bill pay or P2P transaction, says Lewis, and the fraud analytic engine picks up on that difference.

The information that the engine uses to detect fraud comes from the consumers themselves -- how old they are, what kind of transaction it is. This kind of data is put through the fraud analytic engine. Doubling the fraud detection on P2P payments, PayPal on its end has an algorithm that looks for fraudulent transactions.

Where is the evolution of P2P and mobile payments headed? Lewis sees P2P converging on the online banking page of many institutions. Customers are ready for it, he says. "In the next 12 to 18 months we see this space changing dramatically," Lewis says. A recent survey conducted by FIS shows that 48 percent of consumers have interest in using P2P if it is offered by their financial institution.

"Gen X and Gen Y'ers don't have a land line; they're as comfortable on their (cell) phone as they are on their PC," Lewis says. Their idea of payments is that they should just be able to send money -- "They don't even think of writing a check," Lewis says. FIS' strategy extends to the baby boomer generation, who need it for a different reason, to manage money for their aging parents or their college-age kids.

P2P Advice: Getting Started

BECU's Wu offers two pieces of advice for other institutions looking to add this type of payment offering: "Make sure you have a good business case and that your customers want it." Then, Wu says, figure out the security requirements, so you know how to manage P2P without reducing its value to your customers.

First Hawaiian's Tsukayama says that while the intuitive thought is P2P would be a service most utilized by the younger generation, the bank is seeing utilization by more mature customers, too. She points to a perfect example -- parents who are sending money to their college-aged children on the mainland. "The service is convenient for the parents since it's accessible via their online service, and the delivery is convenient for their children via email or mobile phone," she says.

Some quick tips from the P2P pioneers:

  • Make a solid business case to add the service;

  • Gauge your customers' desire for P2P;

  • Do your due diligence in choosing a P2P service provider;

  • Set transaction levels for one-time, daily and monthly amounts for new users;

  • Make sure to have fraud monitoring and transaction throttles in place;

  • Add additional "out of wallet" security features to prevent account takeover fraud;

  • Market the service to everyone, including business customers.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
