Last month, I sat down with NEACH leadership to discuss what members might expect in 2024. Part one of our discussion focused on potential new rules going to ballot, regulatory initiatives with a heightened focus on transparency and digital assets, and increased CFPB activity, among other developments.
In part two of our discussion, the NEACH leaders below shared their thoughts on finding the balance between risk and innovation in a technology-forward payments landscape. They also discussed how FIs can stay up to speed on new developments, using education as a tool to mitigate challenges and maximize opportunities in the year ahead.
I discussed these topics with NEACH leaders including:
- Sean Carter, AAP, NCP, President & CEO
- Mark Dixon, AAP, APRP, NCP, Vice President, Education
- Elyssa Morgan, AAP, Vice President, Membership
- Mary Mumper-Morrison, AAP, APRP, CAMS, Director, Education
- Rayleen M. Pirnie, BCJ, AAP, CERP, Director, Risk & Fraud
RISK MANAGEMENT AND FRAUD
At NEACH, our certified experts in risk management review regulatory guidance and can identify sound business practices for FIs. However, risk management is always in motion. Vendors are constantly upgrading, refining, and merging with other providers, and FIs are modernizing systems. How can risk management keep up with the constant evolution of technology?
Dixon: You have to keep a continual pulse on what's happening, be willing to adjust practices, leverage available technology, and invest in ongoing education. What's hard in today's environment is that many of us wear multiple hats. It can prove challenging to keep your information current, but that is the most critical and essential part of ensuring risk management oversight is genuinely effective.
Pirnie: Agreed, and as FIs outsource more, they must accept that not all risks presented by these external parties can be controlled, representing residual risks the FI needs to understand and be willing to accept. Your contract can curtail some of this risk if you take the time to read and negotiate the contract before signing. FIs also must understand "fourth-party" risk. Who does your solution provider rely on? What info does that party have access to? During the recent attack, over 60 credit unions' systems were held hostage; those 60 credit unions weren't attacked directly, but a supporting partner was. But it's the CUs who must answer to their account base.
Mumper-Morrison: That's why it's time for vendor management to evolve to include fourth-party risk management in their third-party risk management program. Who are their partners using as vendors/partners? Can those vendors/partners cause headaches for the FI, and if so, how will the FI manage that risk? That may mean an FI must reassess how deeply and how often it looks at its high-risk and critical partners. As payments become more sophisticated (and fraudsters/hackers do, too), FIs must also become more sophisticated in managing their partners. I recommend reviewing the Interagency Guidance on Third-Party Relationships: Risk Management to see how regulators approach this.
Carter: The keys to effective risk management are the same as they always have been, even facing new threats: solid risk assessment processes; education of staff and management (including the Board) on the activities of the FI; and ensuring you look at your control environment to check controls are working as expected. So even as technology evolves, the FI stands ready to address it from a risk perspective.
With new technology comes additional changes. Do instant payments present any new risks, including strategic risk? What if they don't offer instant payments? Is that a risk?
Dixon: Instant payments can prove challenging when we start balancing the implications of a credit-push system that is not revocable. While wire transfers are similar, there are so many established controls in place with wires that the risk has become mitigated in many cases. However, plugging an account number into online banking and sending $20,000 can be scary if you think you may not get it back. Further, there are Reg E and UCC4A implications. With consumers, what happens if they are scammed or hacked? Part of FIs' hesitation on sending in the industry is likely attributed to this.
Pirnie: Many FIs express shock at the almost immediate, large losses that result. This is mainly resulting from a lack of understanding that many of these providers "advertise" new FIs who have joined the club. Fraudsters see that and can target those institutions' consumer bases with phishing emails and malware, resulting in account takeover, scams, and more. Before implementing a new credit-push solution, evaluate risks such as the platform advertising your participation and how likely your consumers are to fall for scams, etc.
Carter: All payments carry a certain level of risk, and each payment is unique in the risk it presents, but you can't forget about strategic risk, which is really about meeting the needs of your customer/member base. If you are an FI in the FI servicing industry or have consumers who are less likely to want or need to receive and send instant payments, then your current offerings may be enough. The risk comes from those needs evolving or trying to enter new markets without the products needed to serve those markets.
Regardless of payment type, fraud has gotten more complicated, and bad guys are getting more sophisticated. It will continue to be a battle for FIs to avoid fraud. How do you think fraud may continue to evolve?
Dixon: Fraudsters will innovate and create new ways to perpetrate fraud schemes. From an immediate perspective, I think instant payments will feed into these fraud schemes, especially as they relate to cross-payment-channel risks.
Carter: I agree. Fraud will get faster and more complex as fraudsters use new tools such as AI. The evolution of new users to electronic communications and payments will continue to provide fraudsters with opportunities.
Pirnie: Just when we think we can anticipate their next move, they pull an "AI voice clone" or "deep fake" maneuver that throws us for a curve. Throw in a few million consumer PII records stolen yearly in data breaches and consumers who fall for scams that provide account info, and it's a perfect storm for fraud. Perhaps it's best to expect the unexpected while performing your fraud risk assessments and payments risk assessments. Use what you know are current threats but be constant in your endeavors to learn from others to stay current and anticipate threats.
As Rayleen mentioned, in 2023, we witnessed more than 60 credit unions taken down due to a ransomware attack. Reports indicate that they were down for almost five days. Is that something we should expect to see more of, or is it a signal to the industry to be even more vigilant?
Dixon: Will attacks go away? No. Will attacks get more sophisticated in response to increased awareness and planning? Absolutely. The industry will need to continue to respond with more tools and resources to help institutions develop effective programs and strategies to help combat cyber-events. For example, the Payments Innovation Alliance just released a series of cyber-attack planning exercises to aid businesses in testing and shoring up their responses.
Pirnie: Ransomware attacks are constantly getting worse. Companies (including hospitals, police departments, government agencies, and more) keep paying the ransom, incentivizing the bad actors to continue. That's why the FBI says, "Don't pay!" This is a friendly reminder to FIs that you cannot knowingly facilitate a payment related to ransomware. It's illegal to do so because these payments are laundering illicit proceeds, violating anti-money laundering laws. Instead, plan for the attack and be prepared to respond (it's not if a cyber incident will occur, but when).
Carter: Also, FIs will need to think more broadly about resiliency beyond physical threats. Nacha, as an example, has partnered with the Global Resilience Foundation to create a framework for ACH resilience that can be a model FIs use across their operations and with customers.
INNOVATION
Last year we said, "I see innovation as the primary area of focus for FIs this year." This year, we finally saw the release of FedNow® and rapid onboarding of over 100 institutions. We've also seen a maturing of Buy Now Pay Later, greater discussions and regulatory movement around open banking, as well as privacy. What do you think FI innovation priorities should or will be this year?
Carter: I wonder how the uneasiness some FIs have about the economy will impact innovation and new projects. Innovation that will increase revenue, deposits, or efficiencies will be welcomed. A good example would be FedNow as a receiving DFI. The efficiencies gained from not having to deal with the volume of exceptions you see in other systems are a benefit. However, that requires folks to make investments on the other side to allow users to initiate instant payments.
Dixon: I am a big proponent of not using a global idea to apply across an industry. Each institution needs to have a plan for innovation and diversification that meets its unique needs and addresses the characteristics and challenges of one's industry and market. However, I do believe we are in a time of evolving banking models and next-generation banking that is requiring institutions to focus more effort on not staying in the status quo and properly evaluating and translating opportunities into strategies and tactics to help move a company forward.
Morgan: We have seen so much growth and innovation in payments over the last few years. Understanding what is out there, what your customers want and need, and how your organization can meet those needs and wants is critical when developing a payments strategy that keeps your organization competitive in the industry.
STAYING UP TO SPEED
With so much happening, it seems like staying on top of payments will be a daunting task for FIs, which is partly why NEACH launched NEACH U, to gear targeted programs to payments professionals. How will it help our members address challenges and opportunities?
Carter: NEACH U allows for increased success in our members' organizational roles. It's one thing to take a session or two on a given topic and try to make a difference for the organization as opposed to getting a university-level understanding of a payment topic and bringing that back to the organization. It is truly a win for both employers and employees.
Morgan: Ensuring staff at all levels have access to industry insights, support, education, and resources to help build upon and maintain expertise will help organizations thrive in the payments industry.
Dixon: There is so much opportunity in the payment space and being able to develop and refine employee skills benefits everyone involved. I am enthusiastic for NEACH to be at the forefront of helping create these opportunities and drive our industry forward.
THE YEAR AHEAD
The year ahead is ripe with opportunities and challenges. As the team shared, NEACH U offers a wealth of opportunities to stay on top of all areas of payments and how they may impact your institution. In addition, webinars and on-demand trainings provide a way to ground in the fundamentals to ensure you have a firm understanding of your requirements.
As always, consider NEACH your strategic partner. Contact us at info@neach.org or call our payments hotline at 855-NEACHQA. We are here to support you as new questions emerge in today's dynamic landscape.
AUTHOR: Joe Casali, AAP, NCP
Executive Vice President
As the EVP of Payments Innovation for NEACH, Joe focuses on exploring innovative solutions and technologies that will help position members for success, both now and in the future. Connect with Joe to read more of his blogs, articles, and posts.