Payments in the Digital Era: Who Bears the Risks of High-Speed Transactions?
Today’s financial technology allows consumers to make transactions in the blink of an eye on their mobile devices. What should banks and payment intermediaries do to slow down financial criminals?
The ability to perform financial transactions on our computers and mobile devices is so seamless these days that we take it for granted. And that’s just the way the technology is designed to work — we don’t have to give a thought to the complex ecosystem that puts our accounts at our fingertips.
Behind the scenes, though, this remarkable functionality relies on sophisticated digital payment intermediaries that are disrupting traditional banking. Some act akin to digital messengers, stepping between customer and bank solely to facilitate payments on established banking networks. Others provide a suite of online services, like stored-value accounts and credit and direct payments processing, in effect becoming digital banks themselves.
Whatever the service, consumers find the simplified account-opening procedures, fast transactions, low fees and reduced friction for cross-border or cross-currency transactions highly appealing. Recent surveys indicate that more than 75 percent of us have used a digital payment service at least once, sometimes indirectly when we purchase goods online.
By 2023, payments via mobile devices alone are expected to exceed USD$2 trillion globally.
For all the speed and convenience these upstarts bring to the game, however, they have also stirred up new risks in the financial system. Consider the fact that incumbent banks traditionally perform financial vetting of their direct customers and their payments and transactions. Within the new digital landscape, intermediaries sit between the bank and the end client, which can leave banks in the dark and vulnerable to customer malfeasance.
Financial regulators are aware of the myriad disruptions and are working to refresh the existing rules stemming from traditional banking with the aim of allocating and managing all potential risks.
What does this new landscape look like for incumbents, upstarts and regulators, and how is it expected to evolve in the coming years? What actions should incumbents and upstarts take now?
Balancing Innovation, Inclusion and Risk
As financial regulators observe activity through new channels, they often adjust rules to encourage — or discourage — certain activities and re-allocate risk in the system accordingly. Mobile and tech-enabled payments are no exception.
Revised oversight strategies must respond to three key aspects of the digital payments era:
- Reduced information: Initial account setup and subsequent transactions happen exclusively online, making identity verification more difficult.
- Faster transaction speeds: Near-instantaneous transactions raise financial system stability concerns while reducing time to perform precautionary checks. This poses a challenge to existing anti-money laundering (AML) and counter-financing of terrorism (CFT) programs.
- Novice participants: While low market barriers foster innovation, they also leave inexperienced service providers responsible for mitigating financial crime risks.
Regulators in different jurisdictions have started to address these risks in stages. By doing so, they are also working to protect consumer benefits such as increased financial access and choice. Ultimately, these measures can ensure system-wide financial stability and a fair playing field for both challengers and incumbents.
The Regulatory Trend
Early response to the rise of digital payment intermediaries focused on credit risk, interoperability and transparency. Regulators that have identified mobile and online offerings of traditional banking services have often extended existing regulations to the new domain.
The Hong Kong Monetary Authority (HKMA), for instance, established capital and licensing requirements in 2016 for stored value facilities (e.g., digital wallet providers) that are similar to those applied to banks. Other measures by regulators have attempted to standardize and illuminate the linkage when new digital providers are facilitating payments among traditional banks.
Four years ago, the People’s Bank of China created NetsUnion, a centralized online payment clearinghouse, and required all third-party digital payment intermediaries to connect to the system.
This move greatly improved regulatory transparency in China — which has the world’s largest digital payments market — by transitioning from an opaque network of hundreds of separate, bilateral-payment intermediary-to-bank connections to a centralized system where all parties face the clearinghouse.
More recently, regulators have upped their focus on financial crime and cybersecurity risks in digital payments. Singapore, for one, recently passed legislation that ranks the intermediaries by risk level and then assigns tiered capital requirements and corresponding AML and cybersecurity responsibilities. Australia’s financial crimes regulator, AUSTRAC, made news when it recently ordered independent investigations of online payment providers Afterpay and PayPal.
Along with the rise of digital payments comes new channels associated with the risk of financial crime. This environment has grown so large so quickly and become so systematically important that it cannot be ignored. As regulators tailor their rules to this new reality, banks and payment intermediaries are growing more aware that their relationships — and responsibilities — are as deeply intertwined as the payments architecture itself.
Banks are familiar with financial crime risks and with the expectations of their financial regulators. In traditional transactions, banks are responsible for customer due diligence, risk analysis, ongoing transaction monitoring, etc. In short, they need to know who their customer is, how they obtain funds, the purpose of their transactions, and whom they are transacting with. The riskier the bank deems a customer’s activities, the closer it should monitor them.
When a digital payment intermediary gets involved, these responsibilities can shift — but they do not disappear. Sometimes regulators assign responsibility to the payment intermediary. In other cases, the onus remains on the bank. More frequently the responsibilities are loosely (and often ambiguously) split among the two financial service providers, especially when the digital payments company offers bank-like services to its customers.
In these cases, banks are right to be concerned about residual risk, such as the financial crime risk passed on when it executes transactions on behalf of the payment intermediary, because regulators will ultimately hold the bank responsible if a breach occurs. Banks will logically push for increased transparency into potential risk exposure from the intermediaries’ underlying customer and related transactions and the intermediaries’ internal compliance efforts.
For that reason, intermediaries need to have sound compliance. Payment intermediaries with inadequate financial crimes detection and mitigation measures in place will struggle to find or maintain key connections to the established payments architecture that traditional banks provide.
Notwithstanding the new era, banks and payment intermediaries are under pressure to improve. Already, regulators and counterparties are forcing them to implement new measures and design an efficient compliance solution to mitigate the risk of financial crimes. The key areas they are focusing on include:
- Risk-based: Service providers must fully understand their customer bases — be they consumers or businesses for payment intermediaries, or the payment intermediaries themselves for banks. They must also identify the key risks and align resources accordingly (or decide not to serve customers deemed too risky).
- Tech-enabled: Fast and flexible (cross-border, multi-currency, etc.) transactions are central to the value proposition of the digital payment intermediaries. Embracing cost-effective reg-tech solutions and moving away from analogue risk mitigation measures will be the only way to satisfy customers, regulators and counterparties.
- Practitioner-designed: Compliance policy must respond to, and integrate with, the daily flow of the business. Practitioners familiar with both the regulatory landscape and the routines of frontline personnel are best placed to adapt a tech-enabled solution to the business’s needs.
- Forward-looking: Making targeted investments to stay ahead of financial crimes is good business. It sends a strong signal to current and potential counterparties that the company is dedicated to mitigating risks, solidifying critical relationships and opening doors for new ones.
The evolving interface between banks and payment intermediaries is fraught with uncertainty and risk. Viewed from another perspective, however, the situation holds great potential.
There is much to be gained on both sides from treating the effort as more than a standard, check-the-box risk mitigation exercise. Banks have hard-won risk management experience to bring to the table, while payment intermediaries have a data-based understanding of their customers’ activities and preferences. The continued growth of digital payments and complementary expertise of the upstarts
If they succeed, consumers will be giving a thumbs-up for years to come.
1: Statistics on digital payment usage/volumes: https://www.statista.com/outlook/296/100/digital-payments/worldwide#market-revenue
2: FATF guidance for money value transfer services: http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf
3: FATF guidance for correspondent banking: http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-Correspondent-Banking-Services.pdf
4: BIS report on correspondent banking: https://www.bis.org/cpmi/publ/d147.pdf
5: BIS report on big tech/PIs: https://www.bis.org/publ/arpdf/ar2019e3.htm
6: HKMA governor speech: https://www.hkma.gov.hk/eng/news-and-media/speeches/2019/11/20191106-1/
7: Singapore Payment Services Act (2019): https://sso.agc.gov.sg/Acts-Supp/2-2019/Published/20190220?DocDate=20190220
8: AUSTRAC’s increased focus on payment intermediaries: https://www.afr.com/companies/financial-services/austrac-targets-paypal-on-transaction-reporting-concerns-20190924-p52u9r
© Copyright 2020. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
Senior Managing Director