Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

February 7, 2022

Data Privacy Legislation: Stuck on Pause?

How did you celebrate National Data Privacy Day on January 26? Oh, that celebration didn't make it onto your social calendar? Almost three years ago, I asked on this blog whether a federal privacy law would be passed in 2019. The short answer is no. Nor did a data privacy law pass in 2020 or 2021, despite numerous attempts by sponsors of both political parties. Some of the proposed bills provided comprehensive consumer protections for a business's use of personally identifiable information (PII). Others targeted specific elements of data privacy, such as requirements for businesses to protect data they collect or to notify customers in the event of a data breach.

It was thought that the European Union's passage of the General Data Privacy Regulation, or GDPR, which took effect in 2018, would spur federal activity in the United States. That same year, the state of California passed its comprehensive privacy law, the California Consumer Privacy Act. Some expected that Congress would head off state initiatives by passing federal laws to provide a consistent set of rights and responsibilities for all stakeholders. In the 117th US Congress, 30 data privacy/protection bills have been introduced, 12 in the House of Representatives and 18 in the Senate. Primary points of political disagreement have centered around preemption of state law and a private citizen's right to bring action against the offender rather than the enforcing governmental agency. No bill including either of these provisions has received bipartisan support. Social media platforms and their use of personal data have come under congressional scrutiny on several occasions over the last year with no formal action resulting from those hearings.

With little movement on the federal front, two states—Virginia and Colorado—followed California's lead in passing a comprehensive data privacy/protection law in 2021. Mississippi and Vermont recently introduced comprehensive data privacy legislation. Many other states have introduced some form of data privacy legislation addressing specific types of data such as healthcare or specific classes of people such as minors. The International Association of Privacy Protection provides an excellent source for tracking federal and state privacy legislation and news about data privacy issues.

We will continue to monitor developments on this important issue. In the meantime, place a candle in your choice of dessert, change your password, and have a belated celebration of National Data Privacy Day.

August 16, 2021

Consumer Banking and Dental Woes

I have been unhappy with my personal banking relationship for some time. Most of my dissatisfaction stems from the fact that my debit card doesn't work outside the state where I live due to what I view as onerous risk controls the institution has implemented, such as requiring customers to provide advance notice of interstate travel. But I've resisted changing banks because—let's face it—establishing a new banking relationship is about as unpleasant as having to undergo a root canal. I'd have to change direct deposits, electronic debits, and online bill pay; get a new online banking app; and, broadly, establish a new history and customer relationship. An executive order issued on July 9 aims to make this process a lot less painful for consumers.

The Executive Order on Promoting Competition in the American Economy contains several dozen proposed initiatives across numerous federal agencies, but the intended outcome that stood out to me most was:

Make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor.

At the heart of this initiative is the concept of open banking, defined by the Boston Fed report Modernizing US Financial Services with Open Banking and APIs as "a system that offers businesses and customers a range of products and services based on open flows of data." In October 2020, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking to standardize how consumers access their financial data or obtain a record of consumer-authorized third parties with access to their financial data. The July 9 executive order seeks to build on this consumer access "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions."

The United States lags behind the UK and the European Union (EU), who both legislated consumers' right to data portability in 2018 under their respective General Data Protection Regulation. In the United States, only California, with its Consumer Privacy Act, has legislated consumer data portability.

In the UK, data portability is supported by a set of software standards, employed by participating organizations, that includes specifications for common secure APIs (application programming interfaces) as part of the country's overall Open Banking Standards. The EU's Revised Directive on Payment Services, known as the PSD2, established in 2019 an open banking framework that allows authorized third-party providers to access a consumer's account information using APIs that are provided upon request by the sending financial institution. US standards are a necessary, but as yet undefined, component to achieving data portability, whether through industry cooperation and collaboration or through regulatory mandates.

Recently, my colleague Doug King blogged about upcoming suggested regulatory guidance in the United States on third-party risks. What are the potential cybersecurity risks for organizations if their open banking APIs were to somehow be compromised? What might this mean for other organizations that use the same APIs? Does open banking create additional risks to consumers' data and privacy?

Given the time needed to enact new consumer regulations, I will likely have to endure my personal banking woes for a while longer until I can easily and painlessly change banks. Meanwhile, it's time for a trip to the dentist.

August 9, 2021

Bank Regulatory Agencies Release New Joint Guidance

Risks stemming from financial institutions' relationships with third-party service providers have been a continuous topic at the Risk Forum during my 10-plus-years' tenure. As a quick refresher, third parties are entities that provide products or services to financial institutions (FIs) or on behalf of FIs, and often will have access to an FI's privileged systems. Given the significant growth in the fintech sector and subsequent growing relationships with FIs, understanding the also-growing risks associated with third parties has become critical for many FIs. Traditionally, the three federal bank regulatory agencies (the Federal Deposit Insurance Corp, or FDIC; the Office of the Comptroller of the Currency, or the OCC; and the Federal Reserve) separately issued guidance related to managing third-party risks.

Early in July, these agencies broke from tradition and released joint guidance related to managing third-party risks. This guidance will be open for public comments for 60 days once it is published in the Federal Register.

While the joint agency guidance is not very different, FIs and their third-party providers should welcome it as it is likely to remove any nuances and differences they faced from the separate guidance. After my first extremely fast pass of the lengthy document, it doesn't appear to include major changes but is truly an amalgamation of the previous guidance from these agencies. What is new is that the guidance encourages FIs to collaborate with one another to share information when they can and also share their risk management responsibilities related to regulatory compliance. What is not new is that FIs remain accountable for any risks arising from their third-party agreements.

Managing third-party risks can be a significant burden for FIs depending on the number of such relationships they have and on the depth and breadth of their regulatory and compliance department. No matter the burden, and with the growth in third-party relationships, risk management of third parties is a constant necessity to protect the integrity of the financial system. I encourage any FI or other entity that will be affected by this joint guidance to review it and let their voices be heard during the public comment period.

July 20, 2020

Innovation with an Eye on Safety: Let Your Voice Be Heard!

Balancing safety and innovation in banking and payments is critical. The Federal Reserve Bank of Atlanta recognizes this and so has been focusing its efforts on a safer payments innovation strategic initiative. In fact, the Atlanta Fed's 2019 annual report highlights this initiative, which includes meeting with fintech entrepreneurs and bankers to share information. Earlier this year, the Atlanta Fed hosted the Federal Reserve System's first "innovation office hours" to talk with entrepreneurs and bankers on topics such as payments security, regulation, and financial inclusion. Of primary concern to many of the participants of these office hours was regulatory compliance and clarity.

In June, the Office of the Comptroller of the Currency (OCC) issued an advance notice of proposed rulemaking on digital activities and other banking issues related to digital technology or innovation. The notice encourages all OCC-supervised institutions—national banks, federal savings associations, and federal branches and agencies of foreign banks—to respond. If you are among these, take this opportunity to let your voice be heard.

It's our job and the job of the OCC and other regulatory agencies to ensure the safety and soundness of banks and the payments system. But we also recognize that innovation is important when it comes to delivering services to consumers and businesses, and we know we are living in a changing technological environment that is bringing in entrants from outside traditional banking. So that the payments system can achieve balance in safety and innovation, it is critical that the regulatory agencies have an ongoing dialogue with those affected by laws, rules, and regulations.

Some of the topics the OCC is requesting comment on include:

  • How is distributed technology used or potentially used in activities related to banking?
  • What are the issues that are unique to smaller institutions regarding the use and implementation of innovative products, services, or processes that the OCC should consider?
  • What are the new payment technologies and processes that the OCC should be aware of and the potential implications of these technologies and processes for the banking industry?

Input from those affected by existing and new rules and regulations will help us create an environment where financial institutions can harness new technologies in a way that makes them competitive yet safe. Do your part to help create a regulatory environment that promotes safety and allows innovation to flourish. Reply to the OCC by the August 3 deadline.