bank adoption of zelle, venmo and other p2p payment apps...

Bank Adoption of Zelle, Venmo and

Other P2P Payment Apps: Regulatory

and Operational Issues, Risk Mitigation

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

WEDNESDAY, APRIL 17, 2019

Presenting a live 90-minute webinar with interactive Q&A

Sachin Devand, Managing Director, Goldman Sachs, New York

Stephanie R. Hager, Attorney, Stevens & Lee, Reading, Pa.

Frank A. Mayer, III, Chair, Financial Services Regulatory and Enforcement Group,Stevens & Lee, Valley Forge

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-866-570-7602 and enter your PIN when prompted. Otherwise, please

send us a chat or e-mail [email protected] immediately so we can address

the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your

participation in this webinar by completing and submitting the Attendance

Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email

that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926

ext. 2.

FOR LIVE EVENT ONLY

Program Materials

If you have not printed the conference materials for this program, please

complete the following steps:

• Click on the ^ symbol next to “Conference Materials” in the middle of the left-

hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a

PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Frank A. Mayer, III

Chair, Financial Services Regulatory and Enforcement Group Stevens & Lee

[email protected]

Stephanie R. Hager

AttorneyStevens & [email protected]

Sachin Devand

Managing DirectorMarcus by Goldman [email protected]

Bank Adoption of Zelle,

Venmo and Other P2P Payment Apps

STEVENS & LEE/GRIFFIN

Today’s Speakers

6

Frank MayerChair, Financial Services Regulatory and

Enforcement Group, Stevens & Lee

Advises and defends financial services organizations, foreign banking

organizations, U.S.-insured depository institutions, non-bank credit providers,

mortgage loan product platforms, payment systems and related participants,

directors, special board committees and officers in relation to supervisory and

enforcement matters and mergers and acquisitions.

Stephanie HagerAttorney, Corporate Finance and Capital

Markets Group, Stevens & Lee

Represents financial institutions and other public companies in a wide range of corporate matters, including capital formation, mergers

and acquisitions, corporate governance, reporting requirements under the Securities

Exchange Act of 1934, and financial institution regulatory matters.

Sachin DevandManaging Director, Goldman Sachs

Sachin is global head of Application Development for Digital Finance Technology. He oversees the

development and execution of the firm’s loan and deposits platforms while helping to expand the

Consumer & Commercial Banking Division’s business strategy. Sachin is a member of the Digital Finance Operating Council. Prior to joining the firm, Sachin

was co-founder, president and chief technology officer of AHAlife, an online marketplace for luxury

products that began publicly trading in 2015. Earlier in his career, Sachin held a variety of roles, including vice

president of Platform Products at 33Across, Vice President of Advertising Services at LucidMedia and

Director of Engineering at Entrieva.


Agenda

• Insights on the Fintech Ecosystem

• The Rise of P2P Payment Applications

• Regulatory Issues and Operational Concerns

• Bank adoption of mobile payment systems

• Recent enforcement actions

• Managing Mobile Payment Risks

• Q & A

7


The Fintech Ecosystem

• Insights from the industry

• Sachin Devand, Managing DirectorMarcus by Goldman Sachs

8


Fintech Industry Segments

• Payments technologies

• Marketplace lending and alternative finance

• Digital wealth management

• Other categories

9


The Rise of P2P Payment Applications

• PayPal/Venmo1

• In FY 2018, total P2P volume was $139 billion, up 49% from prior year. Includes $62 billion in payments processed by Venmo during FY 2018

• Zelle 2

• In FY 2018, processed $119 billion in payments on 433 million transactions, up from $75 billion on 247 million transactions for prior year

10

Source: 1 PayPal, Inc. Form 8-K filed 1/30/19; 2Zelle Press Release dated 1/24/2019


Background: U.S. Payments System

• Four “core” payment systems

• Credit card networks

• Debit card networks

• ACH

• Wire transfer

• In addition, nonbank payment processers, payment service providers and money transmitters help drive speed, security, efficiency

• “Emerging” payment systems

• Mobile payments and mobile wallets

• Peer-to-peer transfers

• Mobile banking

• Remote deposit capture

• Virtual currencies

11


What are Mobile Payments?

• Mobile payments transactions • Mobile wallets

• Stores payment card information on the mobile device and allows payments to be made using a mobile device• Uses traditional retail payment channels such as ACH, EFT, and

debit/credit card networks to process the payments

• P2P payment applications• Use recipient’s email, mobile phone number or other identifier

to initiate payment from mobile device• Uses traditional retail payment channels such as ACH, EFT, and

debit/credit card networks to process the payments

12


Mobile Payments by Bank-provided Zelle

• Established by consortium of major banks and operated by a bank-owned technology services company

• Customer access to Zelle through two methods

• Zelle Network

• Accessed through bank’s mobile banking app and website

• Current participants include 229 financial institutions

• 77% regional and community banks or credit unions with assets less than or equal to $1 billion

• Standalone Zelle application

• Bank account to Bank account13


Zelle Partners

14

• Provide simplified implementation of Zelle services • Zelle partners include CO-OP Financial Services, FIS, Jack

Henry & Associates, Inc.

• Fiserv

• In addition to Fiserv's own P2P service, Popmoney, Fiserv partners to offer a turnkey implementation of Zelle

• Simplifies bank implementation of Zelle by providing interface, risk management, alerting, settlement and other services


Regulatory Environment: Mobile Payment Transactions

• No federal law or regulation governs mobile payments specifically, so existing laws apply to the extent existing payment systems are used

• Several factors determine the laws applying to mobile payments, including

• Whether P2P processor is a bank entity or nonbank money transmitter (affecting regulatory agency jurisdiction)

• Mobile payment providers’ relationship to depository institutions

• Underlying funding sources used to make a mobile payment (e.g. Reg. E - debit cards; Reg. Z – credit cards)

15

16

Source: GAO-17-361

STEVENS & LEE

Table 3: Federal and State Regulators and Agencies with Oversight Responsibilities Related to Financial Services offered by Financial Technology Firms (Cont’d)

17

Source: GAO-17-361

STEVENS & LEE


Agency Jurisdiction: Bank or Nonbank Entity

• Banks and credit unions that provide money transmission services are subject to oversight by

• Federal Deposit Insurance Corporation (FDIC)

• Federal Reserve System (FRS)

• National Credit Union Association (NCUA)

• Office of the Comptroller of the Currency (OCC)

• Consumer Financial Protection Bureau (CFPB)

• Nonbank P2P services are "nonbank money transmitters" subject to oversight by

• Financial Crimes Enforcement Network (FinCEN)

• Office of Foreign Assets and Control (OFAC)

• Federal Trade Commission (FTC)

• CFPB

• State banking regulators

18

19

Source: GAO-17-361

STEVENS & LEE

Table 2: Examples of Federal Laws and Regulations Relevant to Mobile Payment Transactions (cont’d)

20

Source: GAO-17-361

STEVENS & LEE


Laws and Regulations: Bank Services Company Act

• Relationship with Depository Institution

• Gives FDIC, OCC, and FRS authority to examine a federally insured bank’s third-party service providers to see what risks they impose

• FFIEC Examination Handbook encourages financial institutions to effectively assess, manage, and monitor risk with respect to third-party mobile financial service providers

• The Federal Deposit Insurance Act authorizes the federal banking agencies to take enforcement actions against “institution affiliated parties” which may include third-party service providers

• Zelle

• Bank vendor and similar arrangements

21


Laws and Regulations: Electronic Fund Transfer Act (Regulation E)

• Protects consumers who use electronic fund transfer services

• Applies to mobile payment transactions when the underlying payment is made to or from a consumer’s account via an electronic fund transfer (e.g. debit card)

• Provides certain consumer rights regarding the electronic transfer of funds to and from consumers’ bank accounts

• Requires disclosure of terms and conditions of electronic transfers, limits consumer liability for unauthorized transfers, and establishes procedures for preauthorizing transfers and error resolution procedures

22


Recent Developments: CFPB’s Final Prepaid Accounts Rule Amends Reg. E, Reg. Z

• Prior law created ambiguity for certain P2P transactions• Reg. E may not apply to transactions made through mobile

payment app account balance

• Consumer liability may not be limited for unauthorized transactions funded through the mobile payment app account balance

• Final Prepaid Accounts Rule, effective April 1, 2019• Extends Reg. E coverage to prepaid accounts

• Includes "digital wallets" and any account whose primary function is to conduct person-to-person transfers

23


Laws and Regulations: Gramm-Leach-Bliley Act (Regulation P)

• Protects consumers against financial institutions’ use of nonpublic personal information

• Applies when a financial institution handles information of a “consumer” or “customer”

• Limits when a financial institution may disclose “nonpublic personal information” to nonaffiliated third parties

• Requires financial institutions to notify their customers about their information-sharing practices and to tell consumers of their right to “opt out”

• Applies to nonbank money transmitters (FTC enforces)

24


Other Federal Laws/Regulations

• Consumer Protection

• UDAAP

• Prohibits unfair, deceptive, or abusive acts or practices

• CFPB

• Section 5(a) of the Federal Trade Commission Act (UDAP)

• Protects consumers from unfair or deceptive trade practices

• FTC

25


Bank Secrecy Act Requirements for Nonbank Money Transmitters

• FinCEN• Requires nonbank money transmitters to

• Register with the agency

• File transaction reports

• Implement anti-money laundering programs

• OFAC• Requires nonbank money transmitters to ensure that the

transactions they process do not involve a party on the “specially designated nationals,” or SDNs list and are not in violation of OFAC regulations

26


State Money Transmitter Laws for Nonbank Money Transmitters

• Default regulatory regime for nonbank money transmitters

• 49 states, D.C., Puerto Rico and U.S. Virgin Islands have laws regulating money transmission

• State definitions of “money transmission” vary

• State licensing requirements - State banking regulators

• State consumer protection laws – State attorneys general

27


Risks Presented by P2P Payment Methods

28

• Misplaced or stolen devices

• Unauthorized access to the mobile wallet or user credentials resulting in unauthorized payments and funds transfers and/or fraudulent purchases

• Data Security

• Fraud

• Zelle vs. Nonbank money transmitters• Differences in account features (e.g. ability to cancel

payment transactions)

• Regulatory risk


Allocation of Liability for Fraud

• Payment Card Network Rules and ACH Rules• Credit card networks (Visa, MasterCard, American

Express, and Discover), debit card/ATM networks (e.g. New York Currency Exchange and STAR) and ACH operator National Automated Clearing House Association (NACHA) operate via network operating rules and procedures and contractual agreements

• NACHA Rules• ACH debit fraud: originating bank has liability for any fraud

that may occur in transaction, loss usually shifted contractually to merchant/biller

29


Allocation of Liability for Fraud (cont’d)

• Customer liability for fraudulent ACH transfers governed by two independent frameworks • Consumer accounts: EFTA (Reg. E)

• Consumer not liable for unauthorized transactions if consumer files a dispute within 60 days

• Business accounts: Article 4A of the UCC

• UCC §4A-202 shifts the risk of loss to the customer if the bank can show • (1) commercially reasonable security procedure was in place, and

• (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction

30


Allocation of Liability for Fraud (cont’d)

• UCC §4A-202 – factors affecting “commercial reasonability” of security procedure

• Customer instructions expressed to the bank

• Bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued

• Alternative security procedures offered to the customer

• Security procedures in general use by similarly situated banks and customers

31


Enforcement Actions against Venmo

In 2016, the FTC brought charges against PayPal/Venmofollowing consumer reports of fraud and inadequate security

32


Enforcement Actions against Venmo (cont’d)

• FTC allegations included• Disclosure failures amounting to deceptive acts or practices

under FTC Act (15 U.S.C. § 45(a))• When transferred funds would be available• Privacy• Security

• Represented that consumers’ financial information was secured with “bank grade security systems” when it was not

• Failure to comply with GLBA requirements • Failure to provide clear and conspicuous privacy notice (Privacy

Rule, 16 C.F.R. § 313.9; Reg. P, 12 C.F.R. § 1016.4(a))• Violation of the Safeguards Rule (16 C.F.R. § 314.4)

33

Issue: Misrepresentations regarding timing of availability of funds

• Despite claims that incoming funds were available for transfer to external bank accounts, Venmo waited until funds transfer request to review transaction, resulting in substantial delays or reversal of transaction

STEVENS & LEE

34

Issue: Privacy misrepresentations regarding “Transaction Sharing Setting” override of user selection

35

Issue: Privacy notice not clear and conspicuous

• Despite having a visible privacy notice, FTC determined the gray tone and font of the notice was too difficult to read

36


Enforcement Actions against Venmo (cont’d)

• FTC Settlement Agreement, February 27, 2018

• Requirements relating to various audit and disclosure matters

• State public enforcement actions against Venmo

• 2014 California Commissioner of Business Oversight

• 2016 Texas Attorney General

37


Bank Adoption of P2P Payment Systems

• Benefits of Bank Partnerships

• Banks remain competitive by meeting the needs of their customers, and mobile payment firms benefit from banks’ experience with regulatory compliance

• Policies and procedures should be in place around risk management and customer support

• Integrated messaging

38


Managing Mobile Payment Risks

• FFIEC Information Technology Examination Handbook Appendix E: Mobile Financial Services

• Identify risks associated with MFS, particularly

• Strategic risks

• Operational risks

• Regulatory risks

• Reputation risks

39


Operational Risk Mitigation

• Management controls should include

• Risk management;

• Transaction monitoring and geolocation tools;

• Fraud prevention, detection, and response programs;

• Additional controls (e.g., stronger authentication and encryption);

• Authentication and authorization processes (e.g., processes to enroll customers and devices in the mobile channel);

• Application development and distribution controls (e.g., process for approving and submitting mobile application code to distribution partners);

• Application security controls (including strategy to deactivate older application versions);

• Contracts and agreements;

• Customer awareness processes; and

• Logging and monitoring processes

40


Mobile Payments Risk Mitigation

• Mitigating controls in mobile payments should include discussions between bank and its mobile payments provider to identify and minimize potential risk factors

• Bank management should work with mobile-payments platform developers to encourage the use of the following:• Traffic filtering to help prevent or minimize denial-of-service attacks• Trusted platform modules• Secure telecommunications protocols • Tokenization to limit the transmission of account information• Encryption to minimize the opportunity for the interception of traffic• Anti-malware software• Authentication controls of both the user and application• Encryption of personal information stored on the mobile device

41


Vendor Management

• Critical to ensuring safety and soundness of mobile payments

• Banks should develop policies to minimize risk of data breach and fraud and ensure third party adherence to policies for protection of sensitive financial information

42

DISCUSSION

This presentation consists only of general information based on the knowledge and experience of Stevens & Lee professionals. By making this presentation, Stevens & Lee is not providing legal, business, financial or other professional advice or service. This presentation should not be used as a basis for any decision you might make or action you might take that would affect your business or personal circumstances. Do not make any such decision or take any such action without consulting your own legal or other appropriate professional advisor. Stevens & Lee and its affiliates and related entities shall not be responsible for any loss or damage sustained by any person who acts in reliance on this presentation.

Stevens & Lee expressly disclaims any liability related to the use of this presentation or its contents.

The views expressed in this presentation are not necessarily those of Stevens & Lee.

2019 Stevens & Lee. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Stevens & Lee. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of law.

bank adoption of zelle, venmo and other p2p payment apps...

Documents