Economy Matters

February 16, 2023

Editor's note: The opinions expressed in this article are intended for informational purposes and are not formal opinions of, nor binding on, the Federal Reserve Bank of Atlanta or the Federal Reserve Board of Governors.

The Atlanta Fed's Americas Center and Payments Inclusion teams partnered with the Southeast Chapter of the Brazilian-American Chamber of Commerce in May 2022 to cohost a webinar, "The Risks and Rewards of Real-Time Payments: TheBrazilian Experience."

Atlanta Fed Supervision and Regulation Division senior vice president Doris Quiros discussed some of the supervisory risk considerations that can arise with instant payments, and a panel discussion explored lessons the United States can learn from Brazil's experience with implementing instant payments. While several months have passed, many of the supervisory risk considerations are still top of mind and very relevant as financial institutions work to ready themselves for a more ubiquitous instant payments environment. This article recaps those supervisory risk considerations and offers additional resources.

Supervision and Regulation function of the Federal Reserve System ensures the safety and soundness of certain financial institutions in the United States and their compliance with federal banking regulations. For this reason, supervisory teams are discerning how real-time or instant payments, such as The Clearing House's RTP® network and the Federal Reserve's FedNowSM Service (launching this year), will adjust the risk profile of individual financial institutions and the greater US payments system.

The current instant payments market, valued at approximately $16 billion, will expand by a 33 percent compound annual growth rate to a market value of $277 billion by the end of 2032, according to estimates in a recent study¹.

Because these payments are irrevocable and reduce credit risk in the transaction due to their instantaneous settlement, instant payments differ from traditional payments. Financial institutions should develop a holistic strategy around instant payment offerings that considers the changes needed to their operating systems and risk management practices to manage instant payments in compliance with existing regulations.

Three key risk management components financial institutions should consider when preparing for instant payment offerings are liquidity risk management, third-party risk management, and fraud and compliance risk management.

Liquidity risk management

Instant payments are processed and settled individually and continuously. This means that instant payment network participants or their correspondents must maintain adequate balances to settle transactions at any time. Federal Reserve discount window operating hours remain unchanged, so participating financial institutions will be unable to access any funds after hours, if the need were to arise from an instant payment issue. (See below for information on securing credit through the discount window.) Furthermore, payments activity may shift from existing deferred net settlement systems depending on customer volume and preference, which may affect a bank's supply and demand of liquidity throughout the day.

Financial institutions planning to participate in or provide settlement services for instant payments will also need a strategy to maintain liquidity that fits within their risk appetite. Some ways firms could manage liquidity include:

• Leveraging available intraday credit in accordance with the Federal Reserve Policy on Payment System Risk
• Securing additional credit through the discount window during normal operating hours² to support after-hours liquidity needs
• Accessing private-sector liquidity markets
• Adjusting balance sheets to accommodate more highly liquid assets
• Taking advantage of liquidity management tools that instant payment network providers offer, such as FedNow Service liquidity management transfers

Financial institutions also may need to reconsider existing manual controls for clearing and settling payments after business hours and determine if automated solutions are necessary. Closely monitoring inflows and outflows after adoption can help financial institutions forecast volume and timing of intraday liquidity needs, while scenario analysis could help them prepare for more extreme events and implement measures to ensure adequate liquidity in rare "tail events," which may result in severe, adverse financial consequences.

Third-party risk management

Third-party service providers participate in many different stages of the payments processing flow and have been integral in helping financial institutions deliver instant and real-time payment services to customers. These providers facilitate payments by offering technologies such as point-of-sale equipment and application programming interface software, connecting payment system participants and integrating transaction processing into existing platforms. More than 70 percent of payments are processed by companies in Atlanta and around Georgia, earning Atlanta the nickname "Transaction Alley."³

The significance of the service provider system in facilitating payments makes third-party risk management a top risk consideration for supervisors, as third-party risk permeates the entire financial institution and intersects with other payment system risks, most notably liquidity, cyber, compliance, and operational risks.⁴ Importantly, supervised institutions remain accountable for any risks introduced by the use of third parties and cannot outsource the risk to service providers. Financial institutions are expected to have appropriate governance over third-party risk management and to have robust internal controls to ensure that they appropriately measure, monitor, and mitigate those risks throughout the organization.

When engaging third parties to implement and operate instant payment services, financial institutions should continue to appropriately vet vendors through a robust third-party risk management program that will identify and escalate risks to a financial institution's decision-makers. An institution's reliance on a third party should align with its outsourcing strategy and risk appetite. The financial institution should perform initial and periodic risk assessments as well as ongoing risk identification and management, which includes concentration risk. Financial institutions should ensure that they report risks thoroughly and accurately to appropriate governance bodies. This reporting should include appropriate metrics and key risk indicators that would allow a firm to assess the risks that any new or existing third parties who support instant payment services might introduce.

Fraud and compliance risk

The speed, finality, and around-the-clock operation of instant payments pose unique challenges to combatting fraud. Consequently, financial institutions should develop a holistic strategy for detecting and preventing fraud while maintaining compliance with the applicable regulations covering payment services and consumer protections. This strategy can start with close coordination among key stakeholders—including client services, payment operations, treasury management, fraud monitoring, and legal and compliance teams—to educate front-, middle-, and back-office personnel on requirements for implementing a payment service and ensuring that go-to-market strategies are aligned with the financial institution's risk appetite and that messaging is consistent with consumer laws.

Operationally, financial institutions should consider whether existing preventive and detective fraud and anti-money-laundering (AML) controls are appropriate for instant payments for both account origination and transaction monitoring. Many of today's fraud alert models rely on machine learning algorithms that require robust historical data to accurately detect patterns. However, historical data relationships may not persist when introducing a new type of payment offering, because customer use of the service may diverge from traditional payment systems. Financial institutions will likely need to iteratively tune and test internal fraud alert models to expected and actual customer activity within instant payment networks so they can better identify type I and type II errors.⁵

Furthermore, many firms have established AML processes that require some level of manually screening transactions to identify suspicious activity. Staff augmentation or system revisions may be necessary to ensure that AML reviews, Office of Foreign Assets Control screening, and customer due diligence practices remain compliant with the Bank Secrecy Act. The legal framework that would apply to the use of instant payment networks is also an important consideration. Instant and real-time payments are governed by existing payment system regulations such as the Electronic Fund Transfer Act and its implementing regulation, Regulation E, and Article 4A of the Uniform Commercial Code, but many services should also comply with dedicated operating rules. Certain regulations also likely require adjustments to accommodate instant payment services. For example, in May 2022, the Federal Reserve finalized a rule under Regulation J, Subpart C, which went into effect October 1, 2022⁶ , that governs funds transfers over the FedNow Service.

The instant or real-time payments market is a promising innovation to the financial sector. With prudent risk management from the many stakeholders involved in the payments, clearing, and settlement processes, it has the potential to greatly benefit the economy and consumers.

¹ S.N. Jha. Global Real-Time Payments Market Outlook (2022-2032).

² Institutions who want access to the discount window for funding must establish appropriate legal agreements and collateral for pledging. The Atlanta Fed has produced a short flyer to help banks establish credit lines at the discount window.

³ Don Campbell, Sarvady, G. Georgia's Fintech Ecosystem: Strong andGrowing Stronger. Technology Association of Georgia 2021 Report.

⁴ Board of Governors of the Federal Reserve System, "Guidance on Managing Outsourcing Risk," February 26, 2021, and "Guide for CommunityBanking Organizations Conducting Due Diligence on Financial TechnologyCompanies," August 27, 2021. (Financial institutions less than $10 billion) provide supervisory expectations for third-party risk management.

⁵ In statistics, a type I error is a false-positive conclusion, while a type II error is a false-negative conclusion. In relation to fraud, a type I error is when a fraud event is detected but no fraud is present, while a type II error is a missed fraud event.

⁶ Board of Governors of the Federal Reserve System. "Federal ReserveBoard finalizes rule that governs funds transfers over the Federal ReserveBanks' FedNow Service." May 19, 2022.