Bank Adoption of Zelle, Venmo and
Other P2P Payment Apps: Regulatory
and Operational Issues, Risk Mitigation
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, APRIL 17, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Sachin Devand, Managing Director, Goldman Sachs, New York
Stephanie R. Hager, Attorney, Stevens & Lee, Reading, Pa.
Frank A. Mayer, III, Chair, Financial Services Regulatory and Enforcement Group, Stevens & Lee, Valley Forge
STEVENS & LEE/GRIFFIN
Today’s Speakers
Frank Mayer, Chair, Financial Services Regulatory and Enforcement Group, Stevens & Lee
Advises and defends financial services organizations, foreign banking
organizations, U.S.-insured depository institutions, non-bank credit providers,
mortgage loan product platforms, payment systems and related participants,
directors, special board committees and officers in relation to supervisory and
enforcement matters and mergers and acquisitions.
Stephanie Hager, Attorney, Corporate Finance and Capital Markets Group, Stevens & Lee
Represents financial institutions and other public companies in a wide range of corporate matters, including capital formation, mergers
and acquisitions, corporate governance, reporting requirements under the Securities
Exchange Act of 1934, and financial institution regulatory matters.
Sachin Devand, Managing Director, Goldman Sachs
Sachin is global head of Application Development for Digital Finance Technology. He oversees the
development and execution of the firm’s loan and deposits platforms while helping to expand the
Consumer & Commercial Banking Division’s business strategy. Sachin is a member of the Digital Finance Operating Council. Prior to joining the firm, Sachin
was co-founder, president and chief technology officer of AHAlife, an online marketplace for luxury
products that began publicly trading in 2015. Earlier in his career, Sachin held a variety of roles, including vice
president of Platform Products at 33Across, Vice President of Advertising Services at LucidMedia and
Director of Engineering at Entrieva.
Agenda
• Insights on the Fintech Ecosystem
• The Rise of P2P Payment Applications
• Regulatory Issues and Operational Concerns
• Bank adoption of mobile payment systems
• Recent enforcement actions
• Managing Mobile Payment Risks
• Q & A
The Fintech Ecosystem
• Insights from the industry
• Sachin Devand, Managing Director, Marcus by Goldman Sachs
Fintech Industry Segments
• Payments technologies
• Marketplace lending and alternative finance
• Digital wealth management
• Other categories
The Rise of P2P Payment Applications
• PayPal/Venmo [1]
• In FY 2018, total P2P volume was $139 billion, up 49% from prior year. Includes $62 billion in payments processed by Venmo during FY 2018
• Zelle [2]
• In FY 2018, processed $119 billion in payments on 433 million transactions, up from $75 billion on 247 million transactions for prior year
Source: [1] PayPal, Inc. Form 8-K filed 1/30/19; [2] Zelle Press Release dated 1/24/2019
Background: U.S. Payments System
• Four “core” payment systems
• Credit card networks
• Debit card networks
• ACH
• Wire transfer
• In addition, nonbank payment processors, payment service providers and money transmitters help drive speed, security and efficiency
• “Emerging” payment systems
• Mobile payments and mobile wallets
• Peer-to-peer transfers
• Mobile banking
• Remote deposit capture
• Virtual currencies
What are Mobile Payments?
• Mobile payments transactions
• Mobile wallets
• Stores payment card information on the mobile device and allows payments to be made using a mobile device
• Uses traditional retail payment channels such as ACH, EFT, and debit/credit card networks to process the payments
• P2P payment applications
• Use recipient’s email, mobile phone number or other identifier to initiate payment from mobile device
• Uses traditional retail payment channels such as ACH, EFT, and debit/credit card networks to process the payments
Mobile Payments by Bank-provided Zelle
• Established by consortium of major banks and operated by a bank-owned technology services company
• Customer access to Zelle through two methods
• Zelle Network
• Accessed through bank’s mobile banking app and website
• Current participants include 229 financial institutions
• 77% regional and community banks or credit unions with assets less than or equal to $1 billion
• Standalone Zelle application
• Bank account to bank account
Zelle Partners
• Provide simplified implementation of Zelle services
• Zelle partners include CO-OP Financial Services, FIS, Jack Henry & Associates, Inc.
• Fiserv
• In addition to Fiserv's own P2P service, Popmoney, Fiserv partners to offer a turnkey implementation of Zelle
• Simplifies bank implementation of Zelle by providing interface, risk management, alerting, settlement and other services
Regulatory Environment: Mobile Payment Transactions
• No federal law or regulation governs mobile payments specifically, so existing laws apply to the extent existing payment systems are used
• Several factors determine the laws applying to mobile payments, including
• Whether P2P processor is a bank entity or nonbank money transmitter (affecting regulatory agency jurisdiction)
• Mobile payment providers’ relationship to depository institutions
• Underlying funding sources used to make a mobile payment (e.g. Reg. E - debit cards; Reg. Z – credit cards)
Source: GAO-17-361
Table 3: Federal and State Regulators and Agencies with Oversight Responsibilities Related to Financial Services offered by Financial Technology Firms (Cont’d)
Source: GAO-17-361
Agency Jurisdiction: Bank or Nonbank Entity
• Banks and credit unions that provide money transmission services are subject to oversight by
• Federal Deposit Insurance Corporation (FDIC)
• Federal Reserve System (FRS)
• National Credit Union Association (NCUA)
• Office of the Comptroller of the Currency (OCC)
• Consumer Financial Protection Bureau (CFPB)
• Nonbank P2P services are "nonbank money transmitters" subject to oversight by
• Financial Crimes Enforcement Network (FinCEN)
• Office of Foreign Assets and Control (OFAC)
• Federal Trade Commission (FTC)
• CFPB
• State banking regulators
Source: GAO-17-361
Table 2: Examples of Federal Laws and Regulations Relevant to Mobile Payment Transactions (cont’d)
Source: GAO-17-361
Laws and Regulations: Bank Services Company Act
• Relationship with Depository Institution
• Gives FDIC, OCC, and FRS authority to examine a federally insured bank’s third-party service providers to see what risks they impose
• FFIEC Examination Handbook encourages financial institutions to effectively assess, manage, and monitor risk with respect to third-party mobile financial service providers
• The Federal Deposit Insurance Act authorizes the federal banking agencies to take enforcement actions against “institution affiliated parties” which may include third-party service providers
• Zelle
• Bank vendor and similar arrangements
Laws and Regulations: Electronic Fund Transfer Act (Regulation E)
• Protects consumers who use electronic fund transfer services
• Applies to mobile payment transactions when the underlying payment is made to or from a consumer’s account via an electronic fund transfer (e.g. debit card)
• Provides certain consumer rights regarding the electronic transfer of funds to and from consumers’ bank accounts
• Requires disclosure of terms and conditions of electronic transfers, limits consumer liability for unauthorized transfers, and establishes procedures for preauthorizing transfers and error resolution procedures
Recent Developments: CFPB’s Final Prepaid Accounts Rule Amends Reg. E, Reg. Z
• Prior law created ambiguity for certain P2P transactions
• Reg. E may not apply to transactions made through mobile payment app account balance
• Consumer liability may not be limited for unauthorized transactions funded through the mobile payment app account balance
• Final Prepaid Accounts Rule, effective April 1, 2019
• Extends Reg. E coverage to prepaid accounts
• Includes "digital wallets" and any account whose primary function is to conduct person-to-person transfers
Laws and Regulations: Gramm-Leach-Bliley Act (Regulation P)
• Protects consumers against financial institutions’ use of nonpublic personal information
• Applies when a financial institution handles information of a “consumer” or “customer”
• Limits when a financial institution may disclose “nonpublic personal information” to nonaffiliated third parties
• Requires financial institutions to notify their customers about their information-sharing practices and to tell consumers of their right to “opt out”
• Applies to nonbank money transmitters (FTC enforces)
Other Federal Laws/Regulations
• Consumer Protection
• UDAAP
• Prohibits unfair, deceptive, or abusive acts or practices
• CFPB
• Section 5(a) of the Federal Trade Commission Act (UDAP)
• Protects consumers from unfair or deceptive trade practices
• FTC
Bank Secrecy Act Requirements for Nonbank Money Transmitters
• FinCEN
• Requires nonbank money transmitters to
• Register with the agency
• File transaction reports
• Implement anti-money laundering programs
• OFAC
• Requires nonbank money transmitters to ensure that the transactions they process do not involve a party on the “specially designated nationals,” or SDNs, list and are not in violation of OFAC regulations
State Money Transmitter Laws for Nonbank Money Transmitters
• Default regulatory regime for nonbank money transmitters
• 49 states, D.C., Puerto Rico and U.S. Virgin Islands have laws regulating money transmission
• State definitions of “money transmission” vary
• State licensing requirements - State banking regulators
• State consumer protection laws – State attorneys general
Risks Presented by P2P Payment Methods
• Misplaced or stolen devices
• Unauthorized access to the mobile wallet or user credentials resulting in unauthorized payments and funds transfers and/or fraudulent purchases
• Data Security
• Fraud
• Zelle vs. Nonbank money transmitters
• Differences in account features (e.g. ability to cancel payment transactions)
• Regulatory risk
Allocation of Liability for Fraud
• Payment Card Network Rules and ACH Rules
• Credit card networks (Visa, MasterCard, American Express, and Discover), debit card/ATM networks (e.g. New York Currency Exchange and STAR) and ACH operator National Automated Clearing House Association (NACHA) operate via network operating rules and procedures and contractual agreements
• NACHA Rules
• ACH debit fraud: originating bank has liability for any fraud that may occur in transaction, loss usually shifted contractually to merchant/biller
Allocation of Liability for Fraud (cont’d)
• Customer liability for fraudulent ACH transfers governed by two independent frameworks
• Consumer accounts: EFTA (Reg. E)
• Consumer not liable for unauthorized transactions if consumer files a dispute within 60 days
• Business accounts: Article 4A of the UCC
• UCC §4A-202 shifts the risk of loss to the customer if the bank can show
• (1) commercially reasonable security procedure was in place, and
• (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction
Allocation of Liability for Fraud (cont’d)
• UCC §4A-202 – factors affecting “commercial reasonability” of security procedure
• Customer instructions expressed to the bank
• Bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
• Alternative security procedures offered to the customer
• Security procedures in general use by similarly situated banks and customers
Enforcement Actions against Venmo
In 2016, the FTC brought charges against PayPal/Venmo following consumer reports of fraud and inadequate security
Enforcement Actions against Venmo (cont’d)
• FTC allegations included
• Disclosure failures amounting to deceptive acts or practices under FTC Act (15 U.S.C. § 45(a))
• When transferred funds would be available
• Privacy
• Security
• Represented that consumers’ financial information was secured with “bank grade security systems” when it was not
• Failure to comply with GLBA requirements
• Failure to provide clear and conspicuous privacy notice (Privacy Rule, 16 C.F.R. § 313.9; Reg. P, 12 C.F.R. § 1016.4(a))
• Violation of the Safeguards Rule (16 C.F.R. § 314.4)
Issue: Misrepresentations regarding timing of availability of funds
• Despite claims that incoming funds were available for transfer to external bank accounts, Venmo waited until funds transfer request to review transaction, resulting in substantial delays or reversal of transaction
Issue: Privacy misrepresentations regarding “Transaction Sharing Setting” override of user selection
Issue: Privacy notice not clear and conspicuous
• Despite having a visible privacy notice, FTC determined the gray tone and font of the notice was too difficult to read
Enforcement Actions against Venmo (cont’d)
• FTC Settlement Agreement, February 27, 2018
• Requirements relating to various audit and disclosure matters
• State public enforcement actions against Venmo
• 2014 California Commissioner of Business Oversight
• 2016 Texas Attorney General
Bank Adoption of P2P Payment Systems
• Benefits of Bank Partnerships
• Banks remain competitive by meeting the needs of their customers, and mobile payment firms benefit from banks’ experience with regulatory compliance
• Policies and procedures should be in place around risk management and customer support
• Integrated messaging
Managing Mobile Payment Risks
• FFIEC Information Technology Examination Handbook Appendix E: Mobile Financial Services
• Identify risks associated with MFS, particularly
• Strategic risks
• Operational risks
• Regulatory risks
• Reputation risks
Operational Risk Mitigation
• Management controls should include
• Risk management;
• Transaction monitoring and geolocation tools;
• Fraud prevention, detection, and response programs;
• Additional controls (e.g., stronger authentication and encryption);
• Authentication and authorization processes (e.g., processes to enroll customers and devices in the mobile channel);
• Application development and distribution controls (e.g., process for approving and submitting mobile application code to distribution partners);
• Application security controls (including strategy to deactivate older application versions);
• Contracts and agreements;
• Customer awareness processes; and
• Logging and monitoring processes
Mobile Payments Risk Mitigation
• Mitigating controls in mobile payments should include discussions between bank and its mobile payments provider to identify and minimize potential risk factors
• Bank management should work with mobile-payments platform developers to encourage the use of the following:
• Traffic filtering to help prevent or minimize denial-of-service attacks
• Trusted platform modules
• Secure telecommunications protocols
• Tokenization to limit the transmission of account information
• Encryption to minimize the opportunity for the interception of traffic
• Anti-malware software
• Authentication controls of both the user and application
• Encryption of personal information stored on the mobile device
Vendor Management
• Critical to ensuring safety and soundness of mobile payments
• Banks should develop policies to minimize risk of data breach and fraud and ensure third party adherence to policies for protection of sensitive financial information
DISCUSSION