Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

July 18, 2022

Policy Updates Help Independent ATM Operators and Cash Users

Like many people, I take cash for granted. It's available when I need it, I can buy just about anything with it, and I can use it to pay anyone, anywhere. For me, the easiest way to get cash is at an ATM, and I take these machines for granted, too. They're everywhere: at all types of retail stores and shops, mall kiosks, standalone places all down the street, and banks.

Some recent Take On Payments posts focused on the importance of cash in times of crisis and the needs of people who are cash reliant and those who live in rural areas. In this latter post, we referred to a barrier some independent ATM deployers, or IADs, have faced. The barrier was rooted in banks sometimes closing existing IAD accounts or not allowing IADs to bank with them in the first place. This post picks up that thread, this time with some good news for the industry.

But first, what would make some banks reluctant to do business with IADs? Banks must comply with the Federal Financial Institutions Examination Council's (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) rules. A previous edition of the BSA/AML Examination Manual used language indicating that ATM operators could be a fraud and money-laundering risk. But without a bank account, IADs can't operate. A sudden closure of an account causes business disruption at best, ultimate failure at worst. This was a real problem for the IAD providers who found themselves without an account and the people in communities that rely on cash but don't have access to a nearby ATM.

Late last year, thanks to efforts from ATM industry groups, the FFIEC, in consultation with the Financial Crimes Enforcement Network, recognized the efficiency of the controls that are in place for ATM transaction settlement and cash replenishment. Accordingly, the FFIEC revised the section in its manual on "Independent Automated Teller Machine (ATM) Owners or Operators" in a way that should help banks view ATM operator accounts more positively. It states that:

  • financial institutions are "neither prohibited nor discouraged from providing banking services to independent ATM owner or operator customers..."
  • an operator that maintains a separate cash settlement account with the bank for its ATMs presents a lower risk of money laundering, terrorist financing, or other illicit financial activity "because the bank knows the source of funds and can compare the volume of cash usage to EFT settlements to identify suspicious activity."

With access to cash remaining an important financial need nationwide and with a change in language that could help some IADs be more successful in running their businesses, perhaps more independent operators will contribute to serving populations nationwide. What do you think?

February 7, 2022

Data Privacy Legislation: Stuck on Pause?

How did you celebrate National Data Privacy Day on January 26? Oh, that celebration didn't make it onto your social calendar? Almost three years ago, I asked on this blog whether a federal privacy law would be passed in 2019. The short answer is no. Nor did a data privacy law pass in 2020 or 2021, despite numerous attempts by sponsors of both political parties. Some of the proposed bills provided comprehensive consumer protections for a business's use of personally identifiable information (PII). Others targeted specific elements of data privacy, such as requirements for businesses to protect data they collect or to notify customers in the event of a data breach.

It was thought that the European Union's passage of the General Data Privacy Regulation, or GDPR, which took effect in 2018, would spur federal activity in the United States. That same year, the state of California passed its comprehensive privacy law, the California Consumer Privacy Act. Some expected that Congress would head off state initiatives by passing federal laws to provide a consistent set of rights and responsibilities for all stakeholders. In the 117th US Congress, 30 data privacy/protection bills have been introduced, 12 in the House of Representatives and 18 in the Senate. Primary points of political disagreement have centered around preemption of state law and a private citizen's right to bring action against the offender rather than the enforcing governmental agency. No bill including either of these provisions has received bipartisan support. Social media platforms and their use of personal data have come under congressional scrutiny on several occasions over the last year with no formal action resulting from those hearings.

With little movement on the federal front, two states—Virginia and Colorado—followed California's lead in passing a comprehensive data privacy/protection law in 2021. Mississippi and Vermont recently introduced comprehensive data privacy legislation. Many other states have introduced some form of data privacy legislation addressing specific types of data such as healthcare or specific classes of people such as minors. The International Association of Privacy Protection provides an excellent source for tracking federal and state privacy legislation and news about data privacy issues.

We will continue to monitor developments on this important issue. In the meantime, place a candle in your choice of dessert, change your password, and have a belated celebration of National Data Privacy Day.

August 16, 2021

Consumer Banking and Dental Woes

I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advance notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive order issued on July 9 aims to make this process a lot less painful for consumers.

The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:

Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.

At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIs as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."

The United States lags behind the UK and the European Union (EU), who both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulation. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.

In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.

Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?

Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.

August 9, 2021

Bank Regulatory Agencies Release New Joint Guidance

Risks stemming from financial institutions' relationships with third-party service providers have been a continuous topic at the Risk Forum during my 10-plus-years' tenure. As a quick refresher, third parties are entities that provide products or services to financial institutions (FIs) or on behalf of FIs, and often will have access to an FI's privileged systems. Given the significant growth in the fintech sector and subsequent growing relationships with FIs, understanding the also-growing risks associated with third parties has become critical for many FIs. Traditionally, the three federal bank regulatory agencies—the Federal Deposit Insurance Corp, or FDIC; the Office of the Comptroller of the Currency, or the OCC; and the Federal Reserve—separately issued guidance related to managing third-party risks.

Early in July, these agencies broke from tradition and released joint guidance related to managing third-party risks. This guidance will be open for public comments for 60 days once it is published in the Federal Register.

While the joint agency guidance is not very different, FIs and their third-party providers should welcome it as it is likely to remove any nuances and differences they faced from the separate guidance. After my first extremely fast pass of the lengthy document, it doesn't appear to include major changes but is truly an amalgamation of the previous guidance from these agencies. What is new is the guidance encourages FIs to collaborate with one another to share information when they can and also share their risk management responsibilities related to regulatory compliance. What is not new is that FIs remain accountable for any risks arising from their third-party agreements.

Managing third-party risks can be a significant burden for FIs depending on the number of such relationships they have and on the depth and breadth of their regulatory and compliance department. No matter the burden, and with the growth in third-party relationships, risk management of third parties is a constant necessity to protect the integrity of the financial system. I encourage any FI or other entity that will be affected by this joint guidance to review it and let their voices be heard during the public comment period.