Digital payments: managing risks in high-speed transactions
June 2021 | TALKINGPOINT | BANKING & FINANCE
Financier Worldwide Magazine
June 2021 Issue
FW discusses digital payments and managing risks in high-speed transactions with Kristina Sanger, Kevin Dalvi and Jennifer Lucas at EY.
FW: Could you provide an overview of recent key trends in the digital payments ecosystem? How would you characterise the shift toward high-speed transactions, and the extent of their proliferation?
Lucas: The emergence and growth of digital payments players over the past 12 to 36 months have been staggering. Real-time payments, spurred by government sponsorship in some countries and adoption of innovative services in others, have moved forward to become more mainstream. In the US, we are seeing digital payment adoption across many use cases, such as buy now, pay later, contactless payments, and card not present, among others. It is apparent that global economies are moving past traditional-based economies, as digital expansion of front-end and back-end capabilities continues to accelerate.
Dalvi: The emerging shift toward digital payments is underscored by utility as users, and their networks, shift toward the digital model. The increased global adoption rate is not only driving new entrants and technology innovation into this space, but also forcing traditional financial institutions (FIs) to consider offering digital payments to address soaring customer demand. Heightened awareness and public discourse are fuelling this growth with emerging technologies, such as biometric authentication, mobile points of sale, smart speaker payments, and social media payments becoming embedded in everyday life.
Sanger: We expect that the trend of large global FIs offering digital payment services will continue to become more common as a mechanism for value transfer globally, given the access it provides to financial services for underserved communities. We are also starting to see many non-traditional organisations emerging as players in this space and disrupting traditional payment models, by creating their own payment capabilities or partnering with existing money service businesses (MSBs).
FW: Drilling down, how would you characterise the impact of the coronavirus (COVID-19) pandemic on accelerating digital payment trends?
Lucas: The volume of digital payments volumes has soared since the onset of the coronavirus (COVID-19) pandemic, generating as much as 10 years of growth in just four months. The trend has been spread across business-to-consumer, business-to-business and peer-to-peer spaces, and much of it appears poised to stick. The payments world is transitioning to digital-first and there is no turning back. Since the beginning of the COVID-19 pandemic, we have seen an acceleration of digital payments as contactless transactions skyrocket. Quick response becomes more prevalent as ‘touchless’ commerce becomes a necessity and manual back-office payables and receivables become more challenging in a work from home environment. While payment providers historically have focused on systems resiliency, the need for operational resiliency has become equally important.
Sanger: Payment providers are seizing on adoption rates as an impetus to accelerate digital projects, but significant challenges and risks remain. The move to digital requires stronger security, advanced authentication and better transaction decisioning. From a regulatory perspective, while COVID-19 has certainly changed the format of exams – all virtual – it has not dampened regulator interest in policymaking or enforcement around Bank Secrecy Act (BSA), anti-money laundering (AML) or Office of Foreign Assets Control (OFAC) sanctions. Regulators have been active through providing risk summaries and requests for comment and if anything, the COVID-19 pandemic and the remote nature of exams have reinforced the importance of communication with examination teams.
Dalvi: The COVID-19 pandemic has changed the way we live in many ways. It has certainly expedited the transition to the gig economy. The fate of the gig economy, where freelancers are connected with customers using digital platforms, seemed uncertain prior to the spread of COVID-19. While global electronic commerce and mobile delivery predated COVID-19, such conveniences moved from consumer habits to necessities. Practical use cases for rapid, borderless payments began to emerge as the world descended into lockdown. The pandemic led to the booming popularity of instant global commerce that is becoming somewhat reliant on digital payments. This phenomenon can be simultaneously viewed either as temporary or as a harbinger of a future world that necessitates the wider acceptance of digital payments.
“Going forward, expect to see greater adoption of machine learning and artificial intelligence both for authentication and in risk management models.”
FW: What kinds of risks are attached to digital payments processes, including high-speed transactions? How have these risks evolved in recent months?
Sanger: The money laundering and terrorist financing risks associated with digital payments vary greatly depending on the customers served, specific products and services offered, and geographic access available through the product. On the lower end of the risk spectrum, a low value, domestic automated clearing house (ACH) network payment between two US-based retail customers would typically be considered at lower risk of money laundering and terrorist financing because of the ability to ascertain customer identity and ‘follow the money’. On the higher end of the risk spectrum, digital asset transactions potentially allow for obfuscation of beneficial ownership, high velocity and a lack of geographic boundaries, particularly with the use of anonymising services.
Lucas: As payments become digital and real-time, fraud is on the rise, centred most notably on higher volumes of ‘card not present’ transactions and scams in the P2P arena. At the same time, providers with unsophisticated fraud prevention strategies were forced to adapt to changes in customer behaviours, such as buying 10 bottles of hand sanitiser at 3am. Going forward, expect to see greater adoption of machine learning and artificial intelligence both for authentication and in risk management models and the development of risk and analytical tools that can leverage big data in new and innovative ways.
Dalvi: While risks have evolved, the fundamentals remain very similar to traditional payment services. Credit risk remains when a party cannot provide the necessary funds for a settlement to take place. Liquidity risk remains where there is an inability to settle an obligation. Systemic risk has taken on a new form as the newly established networks and upstream and downstream dependencies evolve across these new platforms. We have certainly seen financial crimes and fraud risk face new challenges. Evolution of the techniques used by criminals means that compliance and risk professionals must continue to evolve in their use of innovative technology to identify and mitigate fraud and money laundering risk.
FW: How are regulators addressing digital payments in their oversight of the banking and finance industry?
Sanger: Regulatory expectation and oversight are evolving quickly with the changes to traditional payment overall – particularly in high value payments, real time payments, cryptocurrency and new product development. Payment processors, including peer-to-peer services, meet the definition of a ‘financial institution’ as MSBs and are therefore considered within scope of the requirements shared by the Financial Crimes Enforcement Network (FinCEN) and other regulatory agencies, and subject to BSA/AML regulatory requirements. In January 2021, Congress enacted the National Defense Authorization Act (NDAA), further reinforcing its commitment to BSA/AML compliance. As it relates to digital asset payments, while the impact of this legislation is far from settled, the Act expanded the definitions within the BSA to incorporate digital payments into the BSA framework.
Dalvi: Globally, the Financial Action Task Force (FATF) has been active since 2014 in identifying the risks associated with digital assets. Most recently, in March 2021, draft FATF guidance has prompted concerns from industry players related to the expanded definition of virtual asset service provider (VASP), the FATF’s statements related to the risks associated with peer-to-peer transactions and additional requirements related to the FATF Travel Rule, which requires VASPs to collect and share identifying information about counterparties in transfers of $1000 or more. Financial industry regulators are focused on the risks associated with the wider adoption of digital asset payments and have increased efforts to evolve oversight capabilities.
Lucas: We expect to see the continued emergence of multi-agency examinations in payments. These examinations will be looking for end to end ownership of particular payment activities and risk, focusing on third-party risk management, resiliency, cyber and other vectors of risk that can affect payments. Regulators are also looking closely at emerging neo-banks that are being established for the underbanked. As more cash is taken out of society, the pressure will increase to provide services to those who do not have bank accounts. Regulators will continue to focus on this area and the risks it poses.
“Financial industry regulators are focused on the risks associated with the wider adoption of digital asset payments and have increased efforts to evolve oversight capabilities.”
FW: How important is for companies and payment intermediaries to view compliance with anti-money laundering (AML) and combatting the financing of terrorism (CFT) regulations as more than a standard, check-the-box risk mitigation exercise?
Sanger: AML compliance goes beyond a check-the-box exercise for payment processors and is fundamental to business growth and sustainability. Failures in this area can result in regulators preventing licensure and limiting business activities. Beyond the threat of regulatory action, many FinTechs and VASPs are in a period of rapid growth, and sound compliance and risk management practices are fundamental in building and maintaining customer trust and investor interest. With a complex global regulatory landscape that is rapidly changing, it is critical that FIs invest in taking these regulatory obligations seriously. It is important to embed risk appetite and AML obligations into business expansion plans and the offering strategy.
Lucas: The cost of an ineffective AML programme or regulatory findings has the potential for significant business repercussions, including increased regulatory scrutiny, negative financial impacts and amplified reputational risks. These all have the ability to not only cap business growth but also put an FI out of business.
Dalvi: It is imperative that digital payments industry participants embrace the spirit of AML and combatting the financing of terrorism (CFT) regulations, as this asset class is more susceptible to criminal abuse. Crimes such as child exploitation, human trafficking and elder abuse continue to plague our societies and are made possible through the misuse of our financial system. Business leaders must view AML/CFT compliance as a foundation for sustainable growth. Aside from the potential for regulatory action, criminal misconduct facilitated by indifference from payment providers can serve to delegitimise innovative payment products.
FW: In what ways can technology assist with managing risks in high-speed transactions? What advice would you offer to companies on assessing the solutions on offer?
Lucas: Real-time payments driven by technology means fraud checks, authentication, authorisations and data analysis cannot happen later – they have to happen in the moment. So, technology is completely integral to payment orchestration. We are also seeing application programming interface (API) connectivity between a bank and its customers proliferating, enabling payments to happen in a constant stream rather than in a bulk file format. One of the major benefits of real-time payments is the data – making information available about the payment, in real-time, to both the sender and receiver, is extremely valuable in providing certainty, so it is incredibly important to have digital channels and alert notifications in place. As this money moves in real-time, there is no batch processing – the technology throughput and ability to make decisions in real-time, whether it is a risk decision, limit decision or authorisation decision, will continue to be accelerated.
Sanger: Innovative, customer centric and frictionless technology is at the cornerstone of all successful payment processors. Customers expect a user-friendly experience not burdened by compliance requirements which has led to the use of new technologies to collect and verify identity. Compliance professionals must have some level of technology fluency in order to continuously evolve their programme to keep pace with the rapidly evolving nature of the payments business. FinTechs are not burdened by many of the issues facing traditional FIs, such as legacy systems, infrastructure built through acquisition and legacy customer interfaces.
Dalvi: Unlike cash payments, digital payments are backed by an electronic audit trail and, in some cases, as seen with digital asset payments on the blockchain, an immutable ledger that is publicly visible. As a result, advanced forensic software can identify illicit actors that transact digitally, and alert the involved FIs. Furthermore, the development of capabilities to detect electronic account access using malicious internet protocol addresses, such as Tor exit nodes, can help manage fraud incidents. Companies operating in the digital payments space should direct significant investment toward advanced analytical capabilities to properly manage risk. Failure to implement the available technology solutions can result in significant monetary losses and external scrutiny.
“Innovative, customer centric and frictionless technology is at the cornerstone of all successful payment processors.”
FW: What steps should companies take when designing and implementing an efficient solution to mitigate the risk of financial crime arising from high-speed digital payments? What are some of the typical challenges they need to overcome during this process?
Sanger: The foundation of a successful financial crimes compliance programme is a meaningful risk assessment that articulates the unique risks facing the business, defines the control environment and, most importantly, guides the business to areas of focus, aligning the firm’s activities with its risk appetite and identifying control gaps. Many payment processors in today’s environment are challenged with building and sustaining a compliance programme that can flex to large surges in customer demand, while managing cost. Business spend is typically focused on growth in these organisations and compliance must be accretive to this strategy, focusing on managing risk while promoting a positive customer experience.
Lucas: There needs to be a balance between frictionless, enjoyable customer experiences, and ensuring that compliance obligations are met. With the move to digital payments, customers expect an experience that includes fast onboarding to use the platform and payments that can be made immediately. These should be business priorities, but compliance obligations cannot be an afterthought. Finding that balance will be key going forward.
Dalvi: A key challenge for payment processors is managing risk for cross-border transactions that function as high-speed digital payments. Monitoring processes should prioritise efforts to adequately review, assess and detect any suspicious behaviour associated with these payments, moving away from traditional, rule-based scenarios. This is where some of the advanced technologies geared toward digital payment monitoring can make a difference and combat financial crime-related behaviour.
FW: How do you predict the digital payments landscape will unfold in the years ahead? Are companies sufficiently prepared to mitigate risk in a cashless society, or does more need to be done?
Dalvi: This truly feels like just the start of the digital payments landscape. Just as the internet revolutionised the world as we know it, the digital payments space looks to revolutionise finance. As it stands, almost every FI is currently having a conversation and mobilising on the topic, and every day FIs take a step toward further digitalising their payments ecosystems. In the years ahead, these products and services will be as embedded in society as physical cash is now. For example, we expect to see biometric authentication, a larger shift to both centralised and decentralised digital currencies, and contactless payments become commonplace. Companies are rapidly revamping their risk assessments to understand the risks associated with operating in this space and preparing to become a player. Just as fast as companies are looking to operate, we expect the same discipline to be followed when establishing a sound risk and compliance programme.
Sanger: Beyond the activity of digitally native firms, the expansion of traditional FIs, first into digital payment services and now into digital assets, demonstrates the shift that is happening toward a cashless society. One of the most significant challenges for risk and compliance professionals in this new world is the ability to attract and retain staff with an appreciation of the unique risks associated with the new products being offered, including digital assets. The ability to keep pace with product innovation is fundamental to the design of appropriate controls, technology enablers and a risk management programme that will sustain an evolving regulatory environment and business strategy.
Lucas: More needs to be done and will be done as more and more companies embrace fully digital and faster payments. From accounts payable and receivable to processes and communications in between, the years ahead will be critical in moving to a digital payment ecosystem. We expect that future innovation will drive future adoption, and we are excited to see what is to come.
Kristina Sanger is a lead principal supporting financial crimes compliance efforts across traditional and digital topics. Her work is focused on BSA/AML regulatory response, process improvement and the delivery of innovative solutions, leading to better business outcomes and increased regulatory compliance. She has worked closely with many of the industry’s largest banks, insurance providers, broker-dealers, FinTech and digital asset firms in the design and improvement of their BSA/AML and sanctions compliance programmes. She can be contacted on +1 (714) 258 6690 or by email: kristina.sanger@ey.com.
Kevin Dalvi leads EY Americas West region financial crime technology practice. He is experienced in designing innovative technology solutions for BSA/AML, know your customer, fraud, transaction monitoring, risk assessments, sanctions screening, financial investigations, unit transformations and other global regulatory compliance topics. He has a diverse technology and financial services background, helping build leading-edge solutions for many of the world’s largest companies, including banking and capital market, FinTech and digital asset clients. He can be contacted on +1 (415) 894 8595 or by email: kevin.dalvi@ey.com.
Jennifer Lucas leads EY Americas payments consulting services. She is an industry veteran, blazing her trail through the emerging payments space. She is a driven innovator and visionary strategist in this space, holding several patents and authoring frequent thought leadership. She is passionate about the future of payments and a globally connected ecosystem. She can be contacted on +1 (704) 444 9821 or by email: jennifer.m.lucas@ey.com.
© Financier Worldwide