InfoBytes Blog
Credit union to pay $558,000 in cyber fraud case
On January 12, the U.S. District Court for the Eastern District of Virginia ruled that a credit union (defendant) is responsible for $558,000 in compensatory damages for processing a payment order that was allegedly induced through fraud by the beneficiary, but later rescinded its decision to award punitive damages. According to the initial opinion and order, in October 2018, the plaintiff received a “spoofed” email from an unknown third party claiming to be one of the plaintiff’s suppliers. The email instructed the plaintiff to change its banking remittance information for the supplier. However, unknown to the plaintiff, the new banking information contained in the email belonged to an individual who had opened a personal account with the defendant months prior. The order stated that from October to November in 2018, the plaintiff made four payments to the individual’s account held by the defendant, identifying the supplier as the beneficiary. The plaintiff sued alleging that the defendant failed to “comport with basic security standards that resulted in the unlawful diversion of funds.” According to the opinion and order, the court found that Virginia Commercial Code required the defendant to reject the deposits if it knew there was a discrepancy between the intended beneficiary and the account receiving the deposit. The court further wrote that the defendant did not have a duty to “proactively” discover a discrepancy, but found that “the evidence at trial illustrated that [the defendant] did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If [the defendant] had exercised due diligence, the misdescription would have been discovered during the first [] transfer.” Additionally, the court stated the defendant did have “actual knowledge” of the fraud because “the transfers generated real-time warnings that the name of the intended beneficiary [] did not match the name of the owner of the account receiving the [deposits].” The court awarded the plaintiff $558,000 in compensatory damages and $200,000 in punitive damages. However, the court rescinded the punitive damage award stating that the plaintiff has not provided sufficient evidence to support punitive damages.
FTC orders card company to let merchants use other debit networks
On December 23, the FTC ordered a payment card company to stop blocking merchants from using competing debit payment networks. According to an agency investigation, the company allegedly violated provisions of the Durbin Amendment, which requires “banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction,” and “bars payment card networks from inhibiting merchants from using other networks.” The FTC claimed that the company’s policy requires the use of a token when a cardholder loads a company-branded debit card into an ewallet. Ewallets are used to make online and in-app transactions, the FTC explained, adding that because competing networks cannot access the company’s token vault, merchants are dependent on the company to convert the token to process ewallet transactions using company-branded debit cards. Moreover, since the company allegedly did not provide conversion services to competing networks for remote ewallet debit transactions, the FTC asserted that it is impossible for merchants to route their ewallet transactions on other payment networks.
Under the terms of the proposed order, the company will be required to (i) provide other payment networks with customer account information in order to process ecommerce debit payments, and prohibit any efforts that may prevent other networks from serving as token service providers; (ii) provide notice to affected persons; (iii) provide 60 days’ advance written notice to the FTC before launching any pilot programs or new debit products that would require merchants to route electronic debit transactions only to the company; (iv) file regular compliance reports with the FTC; and (v) notify the FTC of any events that may affect compliance with the order.
Fed finalizes updates to policy on payment system risk
On December 2, the Federal Reserve Board finalized clarifying and technical updates to its Policy on Payment System Risk (PSR). The changes, which are adopted largely as proposed in May 2021 (covered by InfoBytes here), expand depository institutions’ eligibility to request collateralized intraday credit from the Federal Reserve Banks (FRBs), and ease the process for submitting such requests. The final updates also clarify eligibility standards for accessing uncollateralized intraday credit; modify the PSR policy to support the launch of the FedNow instant-payments platform, which is scheduled for mid-year 2023 (covered by InfoBytes here); and simplify and incorporate the related Overnight Overdrafts policy into the PSR policy. Updates related to FedNow and the Overnight Overdrafts policy will take effect once the FRBs start processing live transactions for FedNow. The remaining updates are effective 60 days following publication in the Federal Register.
CFPB seeks additional public input on big tech payment platforms
On October 31, the CFPB announced it will reopen the public comment period for 30 days on a 2021 notice and request for comment related to the Bureau’s inquiry into big tech payment platforms. In October 2021, the Bureau issued orders to six large U.S. technology companies seeking information and data on their payment system business practices to inform the agency as to how these companies use personal payments data and manage data access to users (covered by InfoBytes here). The Bureau is inviting additional comments to broaden its understanding of the risks consumers face and potential policy solutions on topics related to, among other things, “companies’ acceptable use policies and their use of fines, liquidated damages provisions, and other penalties.” A notice will be published in the Federal Register with additional details on the public comment period in the coming days.
FDIC’s Gruenberg discusses the prudential regulation of crypto assets
On October 20, FDIC acting Chairman Martin J. Gruenberg spoke before the Brookings Institution on the prudential regulation of crypto-assets. In his remarks, Gruenberg first discussed banking, innovation, and crypto-assets, which he defined as “private sector digital assets that depend primarily on the use of cryptography and distributed ledger or similar technologies.” He stated that innovation “can be a double-edged sword,” before noting that subprime mortgages, subprime mortgage-backed securities, collateralized debt obligations and credit default swaps were considered financial innovations before they were “at the center of the Global Financial Crisis of 2008.” Gruenberg further discussed that such innovations resulted in catastrophic failure because, among other things, consumers and industry participants did not fully understand their risks, which were downplayed and intentionally ignored. He then provided an overview of the FDIC’s approach to engaging with banks as they consider crypto-asset related activities, and the potential benefits, risks, and policy questions related to the possibility that a stablecoin could be developed that would allow for reliable, real-time consumer and business payments. He stated that “[f]rom the perspective of a banking regulator, before banks engage in crypto-asset related activities, it is important to ensure that: (a) the specific activity is permissible under applicable law and regulation; (b) the activity can be engaged in a safe and sound manner; (c) the bank has put in place appropriate measures and controls to identify and manage the novel risks associated with those activities; and (d) the bank can ensure compliance with all relevant laws, including those related to anti-money laundering/countering the financing of terrorism, and consumer protection.”
Gruenberg pointed to an April financial institution letter from the FDIC (covered by InfoBytes here), which requested banks to notify the agency if they engage in crypto asset-related activities. He added that as the FDIC and other federal banking agencies develop a better understanding of the risks associated with crypto-asset activities, “we expect to provide broader industry guidance on an interagency basis.” Regarding crypto-assets and the current role of stablecoins, Gruenberg noted that payment stablecoins could be significantly safer than available stablecoins if they were subject to prudential regulation, including issuing payment stablecoins through a bank subsidiary. He cautioned that disclosure and consumer protection issues should be “carefully” considered, especially if custodial wallets are allowed outside of the banking system as a means for holding and conducting transactions. Specifically, he said that “payment stablecoin and any associated hosted or custodial wallets should be designed in a manner that eliminates—not creates—barriers for low- and moderate-income households to benefit from a real-time payment system.” Gruenberg added that if a payment stablecoin system is developed, it should complement the Federal Reserve's forthcoming FedNow service—a faster payments network that is on track to launch between May and July of next year—and the potential future development of a U.S. central bank digital currency. In conclusion, Gruenberg stated that although federal banking agencies have significant authority to address the safety, soundness and financial stability risks associated with crypto assets, there are “clear limits to our authority, especially in certain areas of consumer protection as well as the provision of wallets and other related services by non-bank entities.”
FRBs to adopt new Fedwire format in 2025
On October 24, the Federal Reserve Board published a notice in the Federal Register announcing that the International Organization for Standardization’s (ISO) 20022 message format for the Fedwire Funds Service will be adopted on a single day, March 10, 2025. The Fedwire Funds Service is a real-time gross settlement system owned and operated by the Federal Reserve Banks that enables businesses and financial institutions to quickly and securely transfer funds using either balances held at the Reserve Banks or intraday credit provided by the Reserve Banks. A single-day implementation strategy is preferable to a three-phased implementation approach, the Fed said, explaining it is both simpler and more efficient and is likely to reduce users’ overall costs related to software development, testing, and training. The Fed also announced a revised testing strategy and backout strategy, as well as other details concerning ISO 20022’s implementation.
FSB releases G20 roadmap for enhancing cross-border payments
On October 10, the Financial Stability Board (FSB) published its priorities for the next phase of work under the G20 Roadmap for Enhancing Cross-Border Payments. According to the FSB, the plan includes steps to strengthen external engagement during the next phase of the group’s work. The FSB noted three priorities for the payment program’s next phase, which include: (i) payment system interoperability and extension; (ii) legal, regulatory and supervisory frameworks; and (iii) cross-border data exchange and message standards. The FSB further noted that it will coordinate work to develop further details of the actions that will take place to follow through with the plan, including discussions with industry participants. The updated roadmap will be provided during the first G20 Finance Ministers and Central Bank Governors meeting in 2023.
OFAC issues guidance on instant payment systems sanctions compliance
On September 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published Sanctions Compliance Guidance for Instant Payment Systems, which emphasizes the importance of taking a risk-based approach to managing sanctions risks in the context of new payment technologies, such as instant payment systems, and highlights considerations relevant to managing those risks. According to OFAC, the guidance “encourages developers of instant payment systems to incorporate sanctions compliance considerations and features as they develop these systems.” The guidance, among other things, describes: (i) risk factors and considerations for instant payment systems; (ii) domestic vs. cross-border payment system; (iii) availability of emerging sanctions compliance technologies and solutions; (iv) nature and value of payment; and (v) OFAC engagement and resources.
Fed’s FedNow instant-payments platform to launch mid-2023
On August 29, the Federal Reserve Board announced that its FedNow service will launch mid-year 2023, targeting May to July as the production rollout window for the anticipated instant-payments platform. The FedNow pilot program is scheduled to enter technical testing in September with more than 120 organizations taking part. As covered by a Buckley Special Alert, in May, the Fed issued a final rule for its FedNow service that offers more clarity on how the platform will work. According to the Fed, the FedNow service will be accessible to financial institutions of any size to help expand the reach of instant payments to communities nationwide. FedNow pilot program participants “will complete a certification process to ensure operational and messaging readiness and then move into production once the service is launched,” the Fed said, noting that as the pilot program moves into the testing phase, it will engage non-pilot financial institutions and service providers interested in being early adopters.
“Just as the Federal Reserve has made a substantial commitment to our new instant payment infrastructure, we are calling on industry stakeholders to do the same,” Fed Vice Chair Lael Brainard said during a speech at the FedNow Early Adopter Workshop. “The shift to real-time payment infrastructure requires a focused effort, but the shift is inevitable. The time is now for all key stakeholders—financial institutions, core service providers, software companies, and application developers—to devote the resources necessary to support instant payments.”
Special Alert: New Fed guidelines clarify, but do not transform, master account and payment services access
The Federal Reserve Board recently issued final guidelines for the Reserve Banks to use in reviewing requests from a range of financial services providers for access to Federal Reserve master accounts and payment services. Master account and Federal Reserve services allow institutions to transfer money to other master accountholders directly and hold funds in the Federal Reserve System, while others must go through third parties — which can add cost, delay, and further complication to transactions.
The final guidelines are substantially similar to those proposed in 2021 and a supplement issued earlier this year. They make the application process more transparent by describing the risk factors that a Reserve Bank should take into consideration and by applying a three-tier approach regarding the intensity of a Reserve Bank’s review. However, the guidelines do not broaden the categories of entities that are eligible to apply in the first place, do not establish application processing timelines, and do not provide a clear path forward for entities that lack federal bank supervision, including novel charter types.