With Real-Time Payments from The Clearing House rapidly gaining traction among banks and FedNow set to launch next July, one might believe that adoption of instant payments among network participants and users will be smooth sailing. However, recent regulatory actions illustrate some of the challenges that banks and fintechs face in implementing instant payments:
- OFAC recently released Sanctions Compliance Guidance for Instant Payment Systems, highlighting sanctions risk factors and considerations for instant payment systems. While the guidance acknowledges that domestic instant payment systems generally pose a lower risk of sanctions exposure than instant payment systems that permit cross-border transactions, there is currently no OFAC guidance for instant payment systems that expressly allows participants to rely on the recipient bank for compliance with OFAC sanctions programs, even for domestic payments. For international instant payments (which are not yet supported by RTP or FedNow, but are enabled by Visa and Mastercard), it seems likely that sending banks will need to rely on the payment system to perform due diligence on all participants in advance in order for payments to settle in real time.
- OFAC also recently brought a number of enforcement actions against fintechs and payment processors, based in part on their failure to use geolocation tools to identify whether recipients of reward payments were located in sanctioned jurisdictions. These actions highlight the compliance challenges facing U.S. banks and fintechs originating outbound international payments. While there are clear know-your-customer (KYC) obligations applicable to their customers that necessitate the collection, verification, and screening of sender information under anti-money laundering laws, the same KYC obligations are generally not applicable to non-customer recipients. Recent OFAC enforcement actions show that OFAC expects payment platform providers to also screen the information that is available to them on recipients, which in many cases may only include email, IP addresses, and device geolocation information.
- Recently, the Consumer Financial Protection Bureau (CFPB) and some Democratic senators appear determined to expand the scope of Regulation E to protect consumers who are defrauded into initiating a payment from their account to a fraudster or mule account. Under current CFPB FAQs, only electronic fund transfers initiated by a third party from a consumer's account without the consumer's authorization (including if the authorization was fraudulently obtained) are subject to Regulation E error resolution requirements. While at first glance this may seem like a logical expansion of the error resolution requirement to include both transactions initiated by a defrauded consumer as well as those initiated by the fraudster, there is good reason why credit "push" transactions initiated by the accountholder are currently excluded:
- Under the current scope of Regulation E, banks and other account-holding institutions or service providers are responsible for properly authenticating the sender. If an accountholder's credentials are compromised and the bank allows a fraudster to initiate a payment from the compromised account, this may indicate a gap in the bank's customer authentication procedures. In this situation it is fair that the bank be required to resolve the error and assume liability beyond the consumer's liability limits. Contrast this to a situation where the accountholder is tricked into making a payment to a fraudster and authenticates access to their account to initiate the payment. The bank has no visibility into why the payment was initiated and can only manage its risk by investigating the circumstances surrounding each payment, which is an unsustainable burden when millions of transactions are initiated daily. The other alternative to investigating transactions would be for the bank to accept the risk of fraudulent transactions, which will likely result in significant losses for instant payments as these are generally irreversible and unrecoverable due to the funds becoming available to the recipient instantly. Credit transactions generally clear and settle in real time, and the funds can be made available to the recipient instantly, provided that settlement is final. Any reversal rights or delay in clearing or settlement due to the need to investigate a transaction may in turn cause funds not to be available to the recipient in real time, which would undermine the entire purpose of instant payments. Consumers already enjoy significant protections with respect to debit/pull transactions (such as card payments) from their accounts, including extensive and extended return/chargeback rights and timeframes. Regulators should bear in mind the distinguishing characteristics of credit payments (faster clearing, instant availability, fewer sender protections) compared to debit payments (slower clearing, delayed availability, more sender protections) and their respective ideal uses and benefits to accountholders before further expanding the scope of Regulation E.
- Banks already face significant complexity in managing error resolution requirements, particularly with respect to intermediated transfers, as this recent TCH white paper demonstrates. With banks facing unprecedented difficulties in hiring and retaining compliance and risk management staff, any further expansion of investigation and reporting requirements is likely to result in a reduction in payment processing capacity.
The factors described above have the potential to significantly reduce the speed and ubiquity of faster payment networks, particularly with respect to international payments. We are confident that they can be overcome through collaboration among participants, regulators, and payment systems, but resulting policy should reflect an appropriate balancing of risks and incentives for the parties concerned. We will continue to monitor industry and regulatory developments and to report on any significant developments.