With the submission period for faster payment solution proposals having recently come to a close, the Federal Reserve’s Faster Payments Task Force will soon face the onerous task of reviewing the proposals. Part of that review will include security. By their very nature, these systems process payments in near or actual real-time, and are irrevocable. The task force must consider how financial institutions can protect themselves and their customers against fraud in these new time frames.
The Faster Payments Task Force began accepting faster payment solution proposals from the private sector on April 1. The proposals will be analyzed using 36 effectiveness criteria identified by the task force. The task force will also identify strategic issues deemed important to the successful development of faster payments in the United States and consider potential industry actions required to advance implementation and adoption. The conclusions will be published in a final report in early 2017.
The Faster Payments Task Force and Secure Payments Task Force will coordinate to review the security of the solutions proposals. This particular evaluation will likely focus on the service’s core infrastructure; that is, the system connecting the banks to each other. Security concerns will focus on protecting the core system, providing transaction integrity and preventing misuse. While customer security will be a major consideration for the overall service, the responsibility of protecting customers is more likely to fall to individual financial institutions.
The primary challenge with a faster payment solution is detecting and preventing fraud. In the current payments processing environment, financial institutions have sufficient time to investigate transactions and dispute them before they clear. However, in some real-time payment systems, the transactions are literally cleared in real time – significantly reducing the amount of time that banks have to look for and respond to fraud.
To further complicate matters, payments completed via a faster payment solution are irrevocable. This means that the bank must perform real-time fraud checks upfront and be confident in a payment before sending it. As a result, banks will have to review their branch, online and mobile banking processes, looking at security in all areas in order to prevent increased losses.
Financial institutions will also need to upgrade their anti-fraud systems to those that can monitor transactions and act on them in real time. Because faster payments will likely be available across multiple channels (including IVR, online, mobile and kiosk), the systems must also be able to monitor all channels for patterns of fraud or anomalous activity. The transaction speed gives fraudsters more chances to move money around, take over genuine accounts and then transfer money between mule accounts before cashing out. Being able to correlate activities across multiple transactions and accounts will be key to finding this activity.
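The cross-account, cross-channel correlation described above can be shown in miniature. The following is an added illustration, not code from the article or from any payment scheme: a small streaming detector that keeps, for each account, the credits it received inside a short window together with the chain of accounts and channels those funds have already passed through. When an account sends on most of what it just received, the outgoing payment extends that chain, and a chain of two or more hops is flagged. The 30-minute window, 80% forward ratio and two-hop threshold are assumptions chosen for the example, and the sample payments are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Payment:
    ts: datetime
    src: str        # sending account
    dst: str        # receiving account
    amount: float
    channel: str    # online, mobile, ivr, kiosk, branch ...


class MuleChainDetector:
    """Flags money that hops through several accounts within a short window.

    For every account we keep the credits it received inside `window`, together
    with the chain of accounts (and channels) those funds already travelled.
    When an account sends on at least `forward_ratio` of what it just received,
    the outgoing payment extends that chain; a chain of `min_hops` or more hops
    raises an alert. Thresholds are illustrative assumptions, not scheme rules.
    """

    def __init__(self, window=timedelta(minutes=30), forward_ratio=0.8, min_hops=2):
        self.window = window
        self.forward_ratio = forward_ratio
        self.min_hops = min_hops
        # account -> deque of (ts, amount, account_chain, channel_chain)
        self.inbound = defaultdict(deque)

    def _expire(self, acct, now):
        q = self.inbound[acct]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, p):
        """Process one payment (in arrival order); return an alert dict or None."""
        self._expire(p.src, p.ts)
        recent = self.inbound[p.src]
        received = sum(amt for _, amt, _, _ in recent)
        if recent and p.amount >= self.forward_ratio * received:
            # Sender passes on most of what it just received: extend the
            # longest chain that fed it, whatever channel is used now.
            _, _, accts, chans = max(recent, key=lambda r: len(r[2]))
            accts, chans = accts + (p.dst,), chans + (p.channel,)
        else:
            # No recent inbound funds (or only a small part moves on):
            # this payment starts a fresh chain.
            accts, chans = (p.src, p.dst), (p.channel,)
        self.inbound[p.dst].append((p.ts, p.amount, accts, chans))
        hops = len(accts) - 1
        if hops >= self.min_hops:
            return {"ts": p.ts, "amount": p.amount, "hops": hops,
                    "accounts": accts, "channels": chans}
        return None


def run(payments):
    """Feed payments through a fresh detector in timestamp order; return alerts."""
    det = MuleChainDetector()
    alerts = []
    for p in sorted(payments, key=lambda x: x.ts):
        alert = det.observe(p)
        if alert:
            alerts.append(alert)
    return alerts


def _t(hhmm):
    # Constructed timestamps on one day; the date is arbitrary.
    return datetime.fromisoformat(f"2016-05-02T{hhmm}:00")


# Constructed sample traffic: one layering chain across three channels,
# plus ordinary payments that must not trip the detector.
SAMPLE = [
    Payment(_t("09:00"), "victim-A", "mule-B", 4000.0, "online"),
    Payment(_t("09:04"), "mule-B", "mule-C", 3900.0, "mobile"),
    Payment(_t("09:09"), "mule-C", "cashout-D", 3850.0, "ivr"),
    Payment(_t("09:20"), "payroll-H", "employee-I", 2500.0, "online"),
    Payment(_t("09:25"), "employee-I", "landlord-J", 900.0, "mobile"),  # under 80% forwarded
    Payment(_t("09:30"), "customer-E", "shop-F", 120.0, "kiosk"),
    Payment(_t("10:15"), "shop-F", "supplier-G", 90.0, "online"),       # window has expired
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a["ts"].time(), " -> ".join(a["accounts"]), "via", "/".join(a["channels"]),
              f"hops={a['hops']} amount={a['amount']:.2f}")
```

Run stand-alone, the block reports the two payments that extend the chain from `victim-A` through the mule accounts and notes that the hops arrived over three different channels; the payroll-to-rent payment and the stale shop payment stay silent because the forward ratio and the window filter them. In a real deployment the decision would be made before the payment is released, which is exactly the constraint the irrevocability of faster payments imposes.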
Additionally, access points to each channel should be further secured and provide non-repudiation. This will help reduce the risk that financial institutions have to take the hit for a transaction that can’t be reclaimed and that the customer says they didn’t make.
As financial institutions seek to secure real-time payments, customer convenience will also become a concern. Real-time payments create opportunities for more advanced use cases. For example, a customer can add funds to a prepaid phone and be debited for airtime in a matter of seconds. Customers will become annoyed if their transactions are stopped, and yet there is greater impact if the bank doesn’t stop real fraud.
U.S. task forces are likely to look to the UK for guidance on how to handle these challenges. UK banks were concerned that their backend systems wouldn’t be able to handle the updates. To address this, they introduced a rule allowing banks up to two hours after a transaction to post it to the customer’s actual account. They also imposed a £100,000 limit per transaction, which was increased last year to £250,000.
UK banks also came up with a workaround to address concerns regarding the irrevocable nature of transactions. In some cases, a bank can request (offline) that a transaction be recovered back to the sending bank. Receiving banks aren’t obligated to return these, but because fraud is a mutual concern, they tend to cooperate through this process.
The U.S. may also consider having rules in place to help users if they key in the wrong account details and inadvertently send money to the wrong destination account. In the past, this money has been difficult to get back. But in January 2016, payment services firm Faster Payments and Bacs Direct Credit announced that payments sent in error would be refunded within 20 working days when there was no dispute that the money was sent in error.
U.S. task forces are also likely to look into creating a Security Code of Conduct, such as that defined for the UK’s Faster Payments Service. The Security Code of Conduct would outline the controls member banks must implement on their own payments systems and gateways, along with guidance and rules for protecting customers. Such a code would be key to ensuring that banks implement sufficient controls while ensuring that the user experience is consistent across different institutions.
About the author: Paul Wilson
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.