Are Consumer Payments the CFPB’s Next Battleground in Fintech?
January 23, 2024
By: Tyler Brown
Big Tech, fintech, and the banking industry are locked in a dispute over rules for consumer digital payments and what the Consumer Financial Protection Bureau (CFPB) can or should do about them. In December, the CFPB released a proposed rule “to define a market for general-use consumer payment applications,” including digital wallet and peer-to-peer (P2P) apps. In theory, it would clarify the CFPB’s supervisory authority over Big Tech and fintech based on language in the Dodd-Frank Act.
The proposed rule appears friendly to the banking industry, purporting to make technology companies and fintechs “play by the same rules as banks and credit unions.” To no one’s surprise, the fintech and technology industries have accused the CFPB of ill-considered rulemaking and regulatory overreach.
In January, the banking, technology, and fintech industries responded to the proposed rule with official comments. Based on the responses, the American Bankers Association and the CFPB are on one side, and the technology and fintech industries (represented by the Computer and Communications Industry Association and the Financial Technology Association) are on the other.
“The CFPB’s ability to monitor for emerging risks is critical as new product offerings blur the traditional lines of banking and commerce […the rule] can help level the playing field between nonbanks and depository institutions, which the CFPB regularly supervises and which also provide general-use digital consumer payment applications.”
“We recommend that the CFPB evaluate its supervision to ensure that the requirements for nonbanks to meet their consumer protection obligations are examined and enforced consistently with the examination and enforcement practices applied to banks without changing the requirements of those banks.”
“The Proposed Rule […] fails to focus on a specific market, fails to identify specific consumer harms in that market, and fails to adequately address the costs and benefits of its attempt to combine disparate markets.”
The CFPB’s stated concern is to ensure “markets for consumer financial products and services that are fair, transparent, and competitive.” It says it wants to make sure that Big Tech doesn’t get in the way of open banking or “the development of open ecosystems for payments.” The agency also implies that its consumer protection mandate extends to the collection, use, and retention of consumers’ financial data by apps that are used in consumer payments. In its research on digital wallets published several years ago, the CFPB notes that one way digital wallet providers monetize their products is by using the data generated by each consumer’s activity to inform product development or marketing.
Meanwhile, the banking industry stakes its position on regulatory “fairness,” or the idea that the technology and fintech industries should fall under the same scrutiny as traditional institutions, while those industries say that the CFPB’s proposed rule is broad, vague, and fails to address a real problem. Both arguments have merit: Fintech and Big Tech for the most part don’t have the same compliance burden as banks — but, to the Financial Technology Association’s point, in search of unproven consumer harm, the CFPB may be trying to define a market that’s too broad to effectively regulate.
There’s no guarantee that this proposed rule will become final. But tension between the CFPB and the technology and fintech industries will likely persist regardless. The proposal picks up a protracted battle between the banking industry and nonbanks over control of the customer relationship, which includes day-to-day competition between banking apps, wallets like Apple Pay and Google Pay, and P2P apps like Venmo. And the CFPB seems intent on acting as referee — as it argues, “regardless of whether they are subject to the CFPB’s supervisory authority [nonbanks] are subject to the CFPB’s regulatory and enforcement authority.” As such, we can expect more to come.
Instant Payments Pose a Fraud Management Challenge
January 16, 2024
By: Tyler Brown
FedNow launched in July 2023 with 35 early adopting financial institutions (FIs), and over the course of about six months, it added another 400. Such rapid growth of the network could very well make it increasingly attractive to fraudsters, and two characteristics point to the nature of that possible fraud:
- FedNow, unlike FedACH, only allows for push payments (from the sender). As a result, it is particularly vulnerable to fraud that involves either getting access to consumers’ accounts or tricking them into making payments.
- Payments settle instantly, and the money can be withdrawn within seconds. There is no recourse for a payment sent in error.
In other words, if a fraudster can induce someone to send a payment or get access to their account, the money is as good as gone. How do banks address it? Several years ago, the Faster Payments Council wrote a framework for how to manage fraud in faster payments. A key component of that framework is the tools and technology from banks and providers.
In the case of FedNow, some of the technology comes from the Fed itself. But to operate instant payments with minimal risk of fraud, banks need to bring more technology into the fray. FedNow itself provides basic anti-fraud features that include the ability to set risk-based transaction limits, manage conditions for rejecting payments, digitally sign the contents of payment messages, and reconcile transactions with the institution’s ledger. But the ability to manage payment fraud at scale depends on technical advances. Three areas where advances are required include:
- Authentication. “Zero trust” identity is the idea that users should be “authenticated and authorized based on all available data points.” That ultimately includes identity verification in the creation of an account, the authentication of a session in which an account is used, and the continuous reassessment that someone logged in to an account is who they say they are. Day to day, that suggests consumers use a password or other credential to log in and that their behavior related to location, transactions, and device use is tracked. As of now, this kind of holistic approach to identity is still pretty rare.
- Analytics. The shorter the time between sending and settling a payment, the less time there is to accurately flag and address fraudulent transactions. There is therefore a greater need for tools that monitor transactions in real time and enable straight-through fraud detection and prevention. Machine learning algorithms, a core component of modern fraud detection, can adapt transaction monitoring to new fraud patterns and help with faster fraud scoring. But such technology is certainly not universal.
- Integrated data. Data that can inform fraud models is often fragmented across tech stacks that are patchworks of systems and not designed to exchange data automatically and seamlessly. To manage payment fraud, banks need to be able to follow patterns across channels and across payment methods for many different customers and do so continuously as data is created.
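To show how these controls combine when the decision must be made before a push payment is released, here is an added example in Python (not from the article, the Faster Payments Council framework, or FedNow). The class and field names, risk tiers, thresholds, and sample payments are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
# Hypothetical policy values (amounts in cents); not FedNow parameters.
TIER_LIMIT = {"low": 500_000, "medium": 100_000, "high": 25_000}
WINDOW_S, WINDOW_CAP = 3600, 200_000   # rolling window and per-window cap, all channels

@dataclass
class Payment:
    customer: str
    payee: str
    amount: int          # cents
    ts: int              # epoch seconds
    channel: str         # "instant", "p2p", "ach"
    device_known: bool   # device seen before for this customer

class PushPaymentGate:
    """Decide before release, because a settled push payment cannot be recalled."""
    def __init__(self, tiers):
        self.tiers = tiers                  # customer -> risk tier ("high" if unknown)
        self.sent = defaultdict(deque)      # customer -> (ts, amount), every channel
        self.payees = defaultdict(set)      # customer -> payees already paid

    def decide(self, p):
        recent = self.sent[p.customer]
        while recent and p.ts - recent[0][0] >= WINDOW_S:
            recent.popleft()                # expire entries outside the window
        reasons = []
        if p.amount > TIER_LIMIT[self.tiers.get(p.customer, "high")]:
            reasons.append("over_tier_limit")
        if sum(a for _, a in recent) + p.amount > WINDOW_CAP:
            reasons.append("velocity")
        if p.payee not in self.payees[p.customer] and not p.device_known:
            reasons.append("new_payee_unknown_device")
        if not reasons:
            recent.append((p.ts, p.amount))     # only released payments count
            self.payees[p.customer].add(p.payee)
            return "allow", reasons
        return ("reject" if "over_tier_limit" in reasons else "step_up"), reasons

def run_sample():
    """Constructed stream: one customer, three channels feeding one history."""
    gate = PushPaymentGate({"alice": "medium"})
    stream = [Payment("alice", "landlord", 90_000, 0, "ach", True),
              Payment("alice", "bob", 80_000, 600, "p2p", True),
              Payment("alice", "bob", 50_000, 1200, "instant", True),
              Payment("alice", "mallory", 10_000, 1300, "instant", False),
              Payment("alice", "bob", 150_000, 1400, "instant", True),
              Payment("alice", "bob", 50_000, 4000, "instant", True)]
    return [gate.decide(p) for p in stream]
```

The third payment is held only because the earlier ACH and P2P payments share one history with the instant channel, which is the cross-channel view the "integrated data" item calls for.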
Additionally, there is a human component to staying ahead on this. What has happened with Zelle, a faster payment method that’s also push-only and free from purchase protection, is instructive. Zelle scams involve both credential theft (via phishing or smishing) and a variety of schemes that get consumers to voluntarily part with their money. Those schemes can include fake ecommerce listings that take Zelle as payment and social engineering schemes that trick consumers into sending money to false accounts. Consumer education is therefore also an important issue to address.