Risks in Fast Payment Systems and Implications for National Payments System Oversight

June 2021

© 2021 International Bank for Reconstruction and Development / The World Bank Group
1818 H Street NW, Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org
All rights reserved.

Disclaimer

This work is a product of the staff of The World Bank Group. The World Bank Group refers to the member institutions of the World Bank Group: The World Bank (International Bank for Reconstruction and Development); International Finance Corporation (IFC); and Multilateral Investment Guarantee Agency (MIGA), which are separate and distinct legal entities each organized under its respective Articles of Agreement. We encourage use for educational and non-commercial purposes. The findings, interpretations, and conclusions expressed in this volume do not necessarily reflect the views of the Directors or Executive Directors of the respective institutions of the World Bank Group or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and Permissions

The material in this work is subject to copyright. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission to reproduce portions of the work promptly. Since the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for non-commercial purposes as long as full attribution to this work is given.
Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org.

Acknowledgments

This paper would not have been possible without the generous support of the Bill & Melinda Gates Foundation, the Ministry of Foreign Affairs of the Kingdom of the Netherlands through the Financial Inclusion Support Framework program, and the Swiss Secretariat for Economic Affairs (SECO) through the Remittances and Payments Program. The paper was authored by Biagio Bossone (World Bank). Comments were provided by Oya Ardic, Holti Banka, and Nilima Ramteke (all World Bank). Overall guidance was provided by Harish Natarajan (World Bank).

Table of Contents

I. Setting the Context ..... 1
II. Background ..... 1
III. Roles of the Central Bank in the Context of Fast Payments ..... 1
IV. Risks in Fast Payments ..... 2
V. Oversight Requirements in Fast Payments ..... 4
5.1 Legal Framework ..... 5
5.2 Governance ..... 6
5.3 Risk Management ..... 6
5.4 Settlement ..... 6
5.5 Operational Risk and Operational Resilience ..... 7
5.6 Resiliency ..... 8
5.7 Security & Safety ..... 8
5.8 Efficiency and Effectiveness ..... 11
5.9 Competition ..... 12
5.10 Accessibility ..... 12
5.11 Usability ..... 13
5.12 Predictability ..... 13
5.13 Scalability and Adaptability ..... 13
5.14 Cross-Border Functionality ..... 13
VI. Conclusion ..... 14

I. Setting the Context

The World Bank (WB) has been monitoring closely the developments of Fast Payment Systems (FPS) by central banks and private players across the globe.[1]

This comprehensive study of FPS implementations across the world has resulted in the design of a policy toolkit on the implementation of FPS, in order to guide countries and regions on the likely alternatives and models that could assist them in their policy and implementation choices when they embark on their respective FPS journeys. The FPS Toolkit work can be found at fastpayments.worldbank.org and consists of the components below:

1. Main report entitled: Considerations and Lessons for the Development and Implementation of Fast Payment Systems.
2. A set of country case studies of jurisdictions that have already implemented fast payments.
3. A set of short focus notes on specific technical topics related to fast payments.

This Note is part of the third component of the Toolkit and aims to provide inputs on oversight aspects from a fast payment perspective. It identifies the oversight requirements appropriate for an FPS and provides central banks with both an indication of the extra capacity needed to conduct effective oversight once an FPS is in place and a tool to ensure that the FPS is designed consistently with sound standards of safety and efficiency.

II. Background

The retail payments landscape has changed dramatically in recent years worldwide. One such development involves improvements in the speed and convenience for users of retail payment services. Enhancements to payment speed, driven by demand for (near) real-time retail payments, are a notable trend across jurisdictions, and internet banking, mobile payments and other technological developments have increased the flexibility and convenience of making retail payments. As a result, the number of jurisdictions with services and systems that allow users to conduct (near) real-time payments on a continuous basis has grown impressively since 2010, with the prospect of further substantial growth in the years to come.

In particular, fast retail payment services have been deployed (or are being developed) in many jurisdictions. In several jurisdictions, the interest of National Payments System (NPS) stakeholders in fast payments is becoming manifest, both on the supply and the demand side, as providers compete to offer better services and users demand more of them.

III. Roles of the Central Bank in the Context of Fast Payments

In the context of an FPS, and depending on its design, the central bank may play diverse and important roles.[2] The central bank may act as the settlement agent of the system, the entity operating the system, the trustee holding participant funds (in the deposit-based model, see below), the catalyst of system development, and it fulfils the oversight role in relation to this specific type of retail payment system. In the context of activities oriented towards the development and modernization of the NPS, the central bank can undertake measures aimed at establishing the system or can provide support to the entities that take the initiative. In any case, the setting up of an FPS should be preceded by discussions on the potential need to create the system, which would involve the payments industry and all relevant NPS stakeholders more broadly. The central bank would be responsible for holding this policy dialogue. Its roles can be further detailed as follows.

Settlement Agent: The role of settlement agent is one of the roles most frequently fulfilled by the central bank in the context of an FPS. As settlement agent, the central bank performs final settlement of payments cleared through the FPS. Settlement in central bank money guarantees its final and irrevocable nature and enhances the reliability of the payments processed in the FPS. Settlement in central bank money is aimed at limiting or removing the credit and liquidity risks that are associated with the asset used for settlement.[3]

Trustee: This role involves the central bank operating accounts for the needs of processing payments in the FPS. Such an account is used to collect participants' funds as security for the payments being executed in the system, or to set aside the liquidity of the participants, which is then used for settlement. Such a solution, which is typically adopted by FPS that are based on the deposit model, guarantees the integrity of the funds deposited in the account in case of bankruptcy of a participant or of the entity operating the system (if this is not the central bank), and their exclusive use for FPS settlement. As an alternative to the real-time settlement model or the deferred settlement model, an FPS can operate on the basis of the so-called "deposit model." Here, payments are executed based on deposits pre-accumulated by the participants and held on a dedicated account. Each participant has a defined limit on the aggregate transaction amount, covered by the pre-funding of the dedicated account. Transactions are executed only up to the level of the limit set for a given participant. If the limit for the sent orders of a given participant would be exceeded, the payment is rejected. This limit is often referred to as the "Net Debit Cap" (NDC). Participants manage the level of their liquidity on the settlement account of the system and, depending on the situation, may top up the required limit or transfer the surplus of funds collected over the limit to their own account.[4]

System Owner and Operator: In some cases, the central bank owns and operates its own system (ACH or RTGS) in which fast payments are also processed. In such cases, the ACH/RTGS system, besides executing interbank orders, enables direct, immediate execution of large volumes of retail payments in 24-hour mode (e.g., the SIC system operated by the Swiss National Bank). Under a different variant, the RTGS system includes a dedicated but separate and yet connected module for the processing of fast payments (e.g., the NPP in Australia). Under yet another variant, the FPS is an entirely separate (standalone) system, and the RTGS only settles FPS payments (e.g., FAST in Singapore).

Catalyst: The central bank is typically involved in the process of creating an FPS. This may come at the instigation of the central bank, or it could be upon the initiative of some banks or other PSPs as they consider the business potential in the domestic market for retail payment services and identify areas for potential improvement.[5] As a result of such an exercise, they may evaluate whether a demand for creating an FPS exists in the country, and the central bank would be engaged in the process to evaluate the opportunities and challenges, to determine whether to proceed, and to decide how best to support the process if the decision to move forward is taken.

Overseer: As overseer of the NPS, the central bank holds the responsibility to oversee the FPS and the provision of fast payment services. As discussed at length below in this note, the goals of oversight include ensuring the safety and efficiency of the fast payment system and services, setting regulations and standards, monitoring PSPs' compliance with rules and regulations, and maintaining public confidence in the FPS.

IV. Risks in Fast Payments

Fast payments are a specific type of retail payment. As with other retail payment services, the actors involved in fast payment transactions on both the demand and supply sides face various types of risk. The main risk categories considered are those mentioned in Chapter 2 of the Principles for financial market infrastructures (cit.): legal, credit, liquidity and operational risk. Particular attention is paid to security risks, particularly fraudulent activity, due to the importance that security plays for user confidence in retail payment services in general, and fast payments in particular.
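The deposit model and Net Debit Cap described above under the Trustee role, and the deferred-settlement netting of PSP positions discussed under Credit and Liquidity Risk below and in section 5.4, can be made concrete in a few dozen lines. The following is an added illustration written for this edit; it is not World Bank code and does not describe any particular FPS. It assumes, for simplicity, that a participant's cap equals the balance it has pre-funded on the dedicated account, and that the cap is a net limit (orders sent minus orders received), consistent with the name "Net Debit Cap". Participant names and amounts are constructed sample data.

```python
"""Deposit-model FPS: Net Debit Cap enforcement and multilateral net settlement.

Added illustration, not World Bank or any FPS operator's code. Assumptions:
 - a PSP's Net Debit Cap (NDC) equals its pre-funded balance on the dedicated account;
 - the cap is a net limit: value sent minus value received during the cycle;
 - PSP names and amounts below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Position:
    prefunded: Decimal                 # funds lodged on the dedicated (trustee) account
    sent: Decimal = Decimal("0")       # aggregate value of accepted orders sent this cycle
    received: Decimal = Decimal("0")   # aggregate value of accepted orders received this cycle

    @property
    def net_debit(self) -> Decimal:
        return self.sent - self.received

    @property
    def headroom(self) -> Decimal:
        # Room left under the NDC. Assumption: NDC == prefunded balance.
        return self.prefunded - self.net_debit


class DepositModelFPS:
    def __init__(self, prefunding: dict[str, str | Decimal], enforce_cap: bool = True):
        self.positions = {psp: Position(Decimal(amt)) for psp, amt in prefunding.items()}
        self.enforce_cap = enforce_cap  # False models deferred settlement with no cap/prefunding
        self.log: list[tuple[str, str, Decimal, str]] = []

    def submit(self, payer_psp: str, payee_psp: str, amount: str | Decimal) -> bool:
        """Real-time acceptance check. A rejected order never creates an obligation."""
        amount = Decimal(amount)
        if amount <= 0 or payer_psp not in self.positions or payee_psp not in self.positions:
            self.log.append((payer_psp, payee_psp, amount, "REJECT:invalid"))
            return False
        payer = self.positions[payer_psp]
        if self.enforce_cap and amount > payer.headroom:
            self.log.append((payer_psp, payee_psp, amount, "REJECT:ndc"))
            return False
        payer.sent += amount
        self.positions[payee_psp].received += amount
        self.log.append((payer_psp, payee_psp, amount, "ACCEPT"))
        return True

    def top_up(self, psp: str, amount: str | Decimal) -> None:
        """Participant adds liquidity to the dedicated account, raising its headroom."""
        self.positions[psp].prefunded += Decimal(amount)

    def net_positions(self) -> dict[str, Decimal]:
        """Multilateral net position per PSP: positive = net creditor, negative = net debtor."""
        return {psp: p.received - p.sent for psp, p in self.positions.items()}

    def uncovered_exposure(self) -> dict[str, Decimal]:
        """Net debtors whose net debit exceeds their pre-funding: the credit exposure that
        payee PSPs carry until settlement when payments are credited with finality first."""
        return {psp: p.net_debit - p.prefunded
                for psp, p in self.positions.items() if p.net_debit > p.prefunded}

    def settle_cycle(self) -> dict[str, Decimal]:
        """End-of-cycle settlement: post net positions to the dedicated account and reset."""
        positions = self.net_positions()
        assert sum(positions.values()) == 0, "net positions must sum to zero"
        if self.uncovered_exposure():
            raise RuntimeError(f"settlement cannot complete: {self.uncovered_exposure()}")
        for psp, net in positions.items():
            p = self.positions[psp]
            p.prefunded += net
            p.sent = p.received = Decimal("0")
        return positions


def demo() -> dict[str, Decimal]:
    """Constructed scenario: three PSPs, one order rejected at the cap, one settlement cycle."""
    fps = DepositModelFPS({"A": "1000", "B": "500", "C": "0"})
    fps.submit("A", "B", "600")   # accepted, A headroom 400
    fps.submit("A", "C", "500")   # rejected: exceeds A's remaining headroom
    fps.submit("B", "A", "200")   # accepted, A headroom back to 600
    fps.submit("A", "C", "500")   # accepted now
    fps.submit("C", "B", "50")    # accepted: C pre-funded nothing but has received 500
    return fps.settle_cycle()


if __name__ == "__main__":
    print(demo())
```

With `enforce_cap=False` the same class behaves like a deferred-settlement system without prefunding or limits: orders are accepted regardless of headroom, `uncovered_exposure()` reports the net debit that is not backed by funds, and `settle_cycle()` refuses to complete, which is the failure mode the note's discussion of settlement cycles outside business hours is about.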
An additional area that deserves special attention is reputational risk, which is the risk of losing revenue or customers as a result of negative publicity or loss of confidence (whether based on fact or generated by misperceptions).

Legal Risk: Fast payments, like other retail payment services, need to be supported by sound legal arrangements according to their specific design, operation, and use. Payment service providers (PSPs) need clarity on the rules and regulations that apply when they process fast payments. Rules could be general (i.e., not specific to fast payments), but the speed that characterizes fast payments could make it more challenging to fulfil some of the requirements. In fast payments, it is especially important to have clear rules on payment finality and on post-transaction resolution of fraudulent or erroneous transactions, and to make sure that netting is legally recognized. The related customer liability aspects must also be considered.

Credit Risk: Credit risk in fast payment services does not normally arise between the payer and the payee but may exist between their respective PSPs. The payer's PSP would normally require funds to be present in the payer's account in order to initiate a fast payment, and the payee's PSP will immediately credit the funds with finality to the payee's account. Should the payer's PSP allow payments to be made on a credit basis, this would normally be a consequence of a bilateral agreement between the service provider and the customer, and the credit risk would be managed by that PSP. Credit risk may arise between PSPs in the FPS depending on the settlement model. If settlement takes place in real time and before the PSP of the payee credits the funds to the account of its customer, credit risk does not arise. If settlement is deferred, the PSP of the payee will advance the funds to its customer before receiving them from the PSP of the payer, and credit risk arises between the PSP of the payee and the PSP of the payer. In this case, the use of pre-funding or collateralization arrangements would mitigate such risk. The main difference between fast payments and other payment services is that, in the former, the payee's PSP would normally be unable to block or recover the funds from the payee, because they have been credited irrevocably, and the payee may have used them immediately for other transactions.

Liquidity Risk: For payers, liquidity risk would not be different in fast payments as compared with other payment services. For payees, liquidity issues are mitigated in an FPS, because the funds are available immediately and with finality, whereas in other types of service the funds are paid later or, in some cases, conditionally, so that payments could be reversed or subject to conditions. In an FPS, however, irrespective of the settlement model, liquidity risk arises between PSPs, because PSPs require liquidity to ensure inter-PSP settlement. In an FPS with deferred settlement, liquidity would be needed only at the end of each settlement cycle; yet liquidity risk may arise if the system conducts inter-PSP settlement cycles outside normal business hours. In this case, tools such as prefunding, liquidity or collateral pools, or agreements with liquidity providers can be used to ensure that sufficient funds are available for settlement. The adequacy of these tools to support, when needed, settlement cycles outside normal business hours may be an important consideration in an FPS with deferred settlement. In particular, this requires considering scenarios where the NDC is exceeded or where the collateral management and large-value payment systems are not functioning (due, say, to a business holiday).

Operational Risk: Continuous availability on a near-24/7 basis is very demanding in terms of operational reliability for the FPS and its participating PSPs. Due to their speed, any operational incident that results in the delay or interruption of fast payment services would be immediately observable by users. Delays in processing are not easily accommodated in an FPS, as a processing delay will not allow the provision of an immediate payment experience to users. As a result, the impact of an operational incident might materialize much earlier than in traditional retail payments, in which a service interruption or slowdown might go unnoticed. Additionally, as users grow accustomed to fast payment services and choose to send their payments on the payment's due date (rather than a few days in advance), if the FPS is unavailable due to an operational incident, they would be immediately affected and could incur penalties for late payment or have insufficient funds for other transactions.

An FPS is exposed to security risk, a specific type of operational risk, which can be defined as the risk that an actor's assets are compromised following unauthorized use, loss, damage, disclosure or modification of those assets, originating from both internal and external sources; it is highly interrelated with operational risks in an actor's IT systems and processes.

Fraud Risk: Fraud risk is a subtype of operational risk that merits further discussion due to its potential importance in an FPS. Fraud could encompass various situations, including: (i) the manipulation of the payer or payee by a fraudster, resulting in the issuance of a payment instruction by the payer acting in good faith; (ii) the initiation of a payment instruction by a fraudster (who has fraudulently obtained the payer's or payee's sensitive payment data); or (iii) the modification of an attribute (such as the account number, transaction amount, or name of payee or payer) of a genuinely issued payment instruction intercepted by the fraudster. These fraud types might affect all actors in the payment chain, including end users, PSPs and the FPS overall, and they are common to both fast and traditional retail payments. However, considering the end-to-end speed and, in particular, the immediacy of funds availability, an FPS may be a more attractive target for fraud than traditional retail payment systems. If funds are immediately and unconditionally available to the payee, a fraudster could attempt to withdraw the funds quickly before the fraud is detected, and measures to reverse or recall fraudulent fast payments may have limited effectiveness. In practice this shifts the weight of fraud control onto pre-execution checks (authentication, payee validation and anomaly monitoring, discussed in sections 5.6 and 5.7), since post-execution recovery cannot be relied upon.

Risk to Data Integrity and Privacy: The use of FPS would require data and privacy protection. As for all digital financial services, breaches of privacy and data security may result in identity theft, harm to financial records, fraud, and other risks. Mitigating such risks would necessitate legal and regulatory provisions that, among other things, clarify the rights of users, define data types, give users control over their personal data, and set out the legal obligations of data controllers and processors when interacting with data users and with each other. In delivering FPS services, PSPs should consider the aspects of privacy protection involved, and oversight should make sure that they do so effectively.

Reputational Risk: Financial or operational problems experienced by any entity involved in the processing of fast payments could lead to reputational impacts for that entity or for the system as a whole. This type of risk affects mainly the clearing and settlement arrangements and the PSPs participating in the system. It could also affect users, as consumers or merchants might also suffer reputational damage if their payments are delayed due to a fast payment system malfunction. The sources of reputational risk in an FPS are similar to those faced by traditional retail payment systems. Yet, expectations in relation to the FPS's speed and availability may lead to a quicker materialization of the risk in the event of service degradation. Reputational risk might also affect the central bank or other authorities, if they have given the fast payment initiative their explicit support, and especially if they own and operate the FPS.

V. Oversight Requirements in Fast Payments

As a retail payment system, the FPS could be designated as system-wide important (or critical, or important) and be subject to appropriate oversight standards.[6] The relevant oversight criteria discussed in this note encompass the following four dimensions of an FPS: a) legal basis, b) governance, c) risk management, d) efficiency and effectiveness. The oversight criteria discussed below build on a combination of three sets of oversight tools: the Principles for financial market infrastructures (PFMI), cited earlier; the criteria for effective fast payments developed in the U.S. under the aegis of the Federal Reserve Banks;[7] and the oversight requirements for payment instruments adopted by the European System of Central Banks.[8]

The criteria can be used both at the design stage of the FPS and to assess FPS performance. The criteria could thus be used to identify system weaknesses and vulnerabilities that require remedial action. On request by the central bank, the FPS operator would be responsible for implementing the criteria, setting system rules that are consistent with the criteria, and ensuring that all relevant entities operating in the system comply with the rules. In its capacity as overseer, the central bank would make sure that the FPS operator delivers on the criteria (and all other oversight requirements determined by the central bank) and would hold the FPS operator to account for their observance.

5.1 Legal Framework

The FPS should have a sound legal basis. Consistent with relevant national laws, the governance authority of the FPS should establish rules and contractual arrangements for governing the system in such a way that it provides a complete, unambiguous and enforceable legal and regulatory framework for the proper functioning of the system.

The legal basis should have requirements, standards, protocols and procedures that govern the rights and obligations of all relevant entities operating in the FPS (i.e., participating PSPs, fast service providers, users). The legal basis should address:

• Authentication of all entities, payments or messages connected to a payment.
• Legal responsibility of PSPs.
• Payment order initiation/authorization and termination of authorization.
• Cancellation of payments.
• Delayed and failed payments.
• Payment finality and settlement.
• Timing of sending and receipt of payments.
• Records as proof of payment for payers and payees.
• Resolution of disputed payments among users and PSPs.[9]

The legal basis has to provide clear and unambiguous rules on payment settlement finality. The FPS should define the point in time after which a payment is final, that is, the associated transfer of value between the payer and the payee is irrevocable and unconditional, including under netting arrangements.

The FPS should require the payer's PSP to approve each payment following payment initiation in order to assure that the payer's account has good funds. In assuring good funds, the FPS should provide for customers to be fully informed by their PSPs about account management implications and any related fees. Also, the permissibility of overdrafts should be decided by an appropriate regulatory authority, and the FPS should demonstrate compliance with all regulatory requirements relating to overdrafts and credit, as applicable. The finality of settlement should happen after good-funds approval and not later than when funds are made available to the payee.

The legal basis should provide for clear, risk-based, proportionate rules on market integrity. The objective is to prevent the abuse of fund transfers for financial crime purposes, to detect such abuse should it occur, to support the implementation of restrictive measures, and to allow relevant authorities to access the information promptly. Rules should be in line with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, which the Financial Action Task Force (FATF) adopted in 2012. Such standards determine, inter alia, which information on the payer and the payee PSPs have to attach to fund transfers.

The legal basis should provide for consumer protection rules. These rules and procedures should allocate in a clear and transparent way the legal and financial responsibilities by which all relevant entities in the FPS would be bound in the event of losses deriving from unauthorized, fraudulent or erroneous payments. In particular, the FPS should delineate the roles, responsibilities and liability allocation that would protect consumers, business and government payers against losses related to fraud or errors.

The legal basis should provide for rules to protect data privacy and integrity. These should secure information that should not be disclosed, including by setting limitations on the collection of users' and providers' data and on the use or disclosure of payment data to third parties, and by protecting data access and use in the FPS and at users' and providers' locations. The rules for data privacy and integrity should:

• Identify the nature and type of user data that may be required for security, legal compliance and authentication purposes within the FPS.
• Indicate how users may get visibility into the data collected on them and limit sharing of such data.
• Identify and allocate legal and financial responsibilities in the event of data breaches at the FPS or at users' and providers' locations.

5.2 Governance

The FPS should implement effective, accountable and transparent governance arrangements that promote the provision of safe and efficient services. The internal decision-making process of the FPS should appropriately reflect the legitimate interests of the system's stakeholders.

Weak governance may have adverse effects on the FPS and eventually on the quality of its services, which could ultimately cause serious financial losses to its stakeholders.[10] Governance arrangements should aim to protect the trustworthiness of the FPS and to promote public confidence in it by placing a high priority on safety and efficiency. They should: assign clear and direct lines of responsibility and accountability within the FPS; achieve effective decision making in crises and emergencies; and ensure that the risk-management and internal control functions have sufficient authority, independence, and resources. The governance arrangements should be publicly disclosed.

The governance arrangements of the FPS should be inclusive. They should allow for input and representation from diverse stakeholders (irrespective of ownership) and should include consideration of the public interest when making decisions and rules. In particular, they should enable stakeholders or stakeholder groups to proportionately influence the outcomes of the decision-making process. This could be achieved by giving them appropriate representation in the governing body and/or by establishing with them effective channels of communication and consultation. The governance arrangements of the FPS should address and manage actual, perceived, or potential conflicts of interest.

5.3 Risk Management

The FPS should establish a sound risk-management framework for managing legal, credit, liquidity, operational, and other risks across the end-to-end spectrum of the payments process. The risk-management framework should enable the FPS to prevent, detect and respond promptly to disruptions. In particular, it should enable the FPS to:

• Address risks related to settlement.
• Address the risk of unauthorized, fraudulent or erroneous payments.
• Provide incentives (i.e., positive, negative, financial, or non-financial) for the FPS operator and providers to address and contain the risks they pose to others.

5.4 Settlement

The risk management framework should provide for tools to mitigate settlement risk. Where feasible, an FPS should settle in central bank money. The FPS should ensure that all relevant entities are fit to perform their role in the system by identifying the financial risks involved in the payments process and by having appropriate measures defined in order to address these risks. The risk management framework should provide for measures to mitigate credit and liquidity risk exposures arising from any lag between transaction finality and settlement, and to ensure that credit exposures among participants are fully covered. Also, credit and liquidity risk issues that may affect users should be addressed on a 24x7x365 basis. In an FPS with deferred settlement, the credit risk borne by PSPs can be managed through limits (on the aggregate net positions of PSPs), frequent settlement cycles, loss-sharing agreements, collateralization, prefunding arrangements, or an agreement with one or more liquidity providers. In an FPS with real-time settlement, as the liquidity needs extend beyond normal business hours, this might require procedures to ensure that sufficient liquidity is available in advance (e.g., through supplementary funding in the FPS settlement accounts of the PSPs or provided by the central bank). In an FPS with deferred settlement, liquidity needs could be mitigated, as participating PSPs would require funds to cover only the net debit position at a specific settlement time.

Participants in the FPS should be given access to the information needed for them to evaluate and mitigate financial risks. However, sensitive information should only be disclosed to the relevant actors on a need-to-know basis.

5.5 Operational Risk and Operational Resilience

Operational risk, including fraud, could have a serious impact on FPS settlement (Box 1). Operational risk results from the failure of internal processes and systems as a result of human error or external events and could lead to financial losses for one or more of the parties using the FPS, possibly undermining user confidence in it. Thus, the governance arrangements of the FPS should ensure that all relevant entities in the system have adequate policies and procedures in place to mitigate operational risk and to ensure business continuity. In this last regard, entities that use outsourced services should make sure that their business continuity is protected against possible contingencies affecting their service suppliers. The impact of an operational incident could in principle be mitigated by measures similar to those used in other, non-fast payment deployments: rigorous processes for the identification and mitigation of operational risk, including cyber-resilience (see below), redundancy, and business continuity arrangements to ensure the timely recovery of the services in the event of a major disruption. Timely communication and information to stakeholders in case of operational incidents should be part of these operational risk management processes.

Box 1. Operational Risk in FPS[11]

Fast payment systems are unlikely to eliminate much of what is considered customary operational risk. In fact, they may introduce new sources of operational risk. The new systems and processes of an FPS will have to coexist and integrate with legacy payment complexes that are largely batch environments. An FPS being unavailable for a few minutes can cause several hundred payments to fail, and the consequences of any downtime become even more serious than in traditional systems.

Operating in a 24x7 environment also impacts how PSPs perform end-of-day batch tasks. With real-time payments flowing uninterrupted, PSPs can no longer afford the luxury of having downtime to process end-of-day runs, which have to be done while still processing payments from customers. This requires PSPs to run two processing sites, live, enabling them to switch from one site to the other if downtime on one infrastructure is required.

A 24-hour operation that doesn't afford downtime, and that will be required to operate continuously while moving ever-increasing volumes, is largely unique in the context of banking and legacy payments. Ceaseless operations of the nature being considered are not only more demanding and less forgiving on their face, they are arguably countercultural across a swath of payment franchises in the world of banking. This change could differ substantially and qualitatively from those that have come before. In spite of the many developments that the payments industry has experienced throughout its history, and even in more recent times due to the dramatic improvements in technology, it has never dealt with a similar change so far. And the industry may have come to be overly reliant on the natural downtimes that exist in many operations and that are used for maintenance, repair, and cross-system assimilation, and so turn out to be unprepared to act in a no-interruption environment.

Shouldn't then planned downtimes be considered as a policy tool for an FPS? Planned downtime might serve as a mitigating measure to the risk that continuous operation may pose to the FPS and its stakeholders, and since an FPS could facilitate faster runs on banks, planned downtime, or the notion that downtime may be decided for policy purposes, might prove a useful tool in the context of slowing or halting the occurrence of a run. In any case, planned downtimes of the FPS and of the systems of its participants should be announced to the public in advance, to enable them to make alternative arrangements for their payments.

5.6 Resiliency

The FPS should have mechanisms and systems to ensure high levels of end-to-end availability and reliability under both normal and stressed operating conditions. The FPS should define target availability metrics. It should also have business continuity and disaster recovery plans to ensure timely recovery and resumption of critical services in the event of an outage or cyber-attack. The FPS should have mechanisms to minimize the chance that an adverse event would cause other market participants to fail to meet their obligations (i.e., trigger system-wide risk). The FPS should demonstrate that sufficient resources are devoted

by the FPS operator and providers to authenticate providers and users to access the system. The FPS should have mechanisms to ensure payments reach the intended payees at the intended payee accounts. For example, the FPS might i) require the payee's PSP to explicitly communicate acceptance of a payment before finalizing the transaction, ii) provide a mechanism for sending a pre-notification or test message to help confirm the identity of the payee and to validate the existence of the payee's account, and iii) require monitoring for payment anomalies. The FPS should apply effective user authentication controls across all delivery channels and may vary the authentication procedure based on the risk profile of a given transaction.
The FPS to business continuity and resiliency and should should enable the user to be authenticated initially conduct regular contingency testing across all to the system (at enrollment and prior to operators and providers of its end-to-end systems. transactions) and should also require PSPs to re- authenticate users based on the risk-profile of a 5.7 Security & Safety transaction. The FPS should be able to adopt new The FPS should have identification and verification and decommission old authentication models procedures for enrolling and transacting with based on the evolving threat landscape. In providers and users. These procedures will be used particular, the FPS could be integrated with a national digital ID system. Box 2. Fast payments: Enormous Potential versus Financial Crime Risks12 Clients want their payments to be processed quickly because for them it increases efficiency, transparency, convenience, and financial control. For small and medium-sized companies, this form of payment processing can alleviate liquidity stress and counterparty risk. More broadly, people have grown accustomed to things moving fast, so they have little patience and understanding when payment processing is slow. Fast payments allow sellers and buyers to exchange money and purchase services in seconds. Funds are received in the payee bank account almost immediately, instead of requiring few business days. That can make a significant difference to a small business’s cash flow, in particular, and it means less time spent waiting for money to clear from the buyer’s point of view. Fast payments are a common requirement in the new economy: the current generations of customers (millennials and beyond) want to be able to make payments anytime, anywhere, using their mobile devices. But… Fast payment processing also makes it more difficult to detect financial crimes like money laundering and financial fraud. 
Criminals want to move money as quickly as possible through a number of accounts at 8 different international banks to disguise the origin of funds. There is no faster way to do this than with fast payments. How can a PSP detect money laundering activity in a real time world when transaction monitoring is conducted in a batch process? It is difficult enough for financial institutions to monitor against money laundering violations when it takes three to five days for a transaction to be cleared, or at best overnight. With fast payments, the near-impossible becomes totally impossible using conventional methods as transactions clear in a matter of milliseconds. Conventional here refers to suspicious transactions being put in a queue and investigated in batch mode, where AML systems generate too many false positives (typically between two and 15% of all transactions) and therefore imposes a huge workload on PSPs and investigators. With fast payments, this problem is greatly increased because PSPs are under pressure to meet the agreed level of service. Technology and risk management Transaction monitoring systems built on current technology and machine learning offers a credible answer. By creating algorithms that learn from past results with the expertise and knowledge of AML compliance officers, the system learns to identify false positives, and compliance officers can focus on alerts where there is a higher probability that money laundering is actually occurring. Another recently developed technology approach, called visual mapping, provides insights into how fast payments are moved around. Suspicious payments can be tracked as they move between customer accounts, regardless of whether the payment amount is split between multiple accounts or whether accounts belong to the same or different financial institutions. The software creates a visual map of where and when money has moved, providing new insights and intelligence for fraud and compliance teams to take action. 
By bringing together transactional data from multiple financial institutions and running sophisticated algorithms, such solutions can identify the so-called “mule accounts” that are used for money laundering and other illegal activity. Many of these accounts are not set up directly by the criminals themselves but via a number of scams including phishing, spam email, instant messaging. However, while technology is a necessary condition for successful FSP compliance with AML, it is not sufficient. Also, even with advanced technology, PSPs need to increase their staffing in order to meet the challenge and to ensure that they have enough staff with sufficient knowledge and authority to be available to review transactions quickly. Some banks have offshored or outsourced simple customer due diligence functions to keep pace. That said, the trend is definitely towards investment in more technology. As a recent article in The Economist put it, “Now, the biggest question for bank controllers is how many humans they can replace with bots without compromising compliance […] Banks are going into partnership with so me of the hundreds of ‘Regtechs’ that have sprouted in recent years.” Technology must be a large part of the solution, but banks will just need to take care and seek expert independent advice in reviewing the new Regtech apps: the regulators and the markets will penalize them should their techno-experiments fail.13 The FPS should be capable to comply with the anti- money laundering and counter terrorism finance The FPS should have procedures to authenticate (AML/CFT) rules and regulations. This involves payments.14 The FPS should require each payment both operational and other risk issues. 
Operational to be initiated only with the explicit and informed issues, such as inadequate or failed internal consent of the payer to the payer’s PSP, unless the processes or decisions made by people, can leave payment is pre-authorized prior to payment the system vulnerable to money laundering. Other initiation. If the FPS allows pre-authorization, it risks play a similar role since prominent or should enable the payer to pre-authorize the repeated breaches can harm the reputation of payer’s PSP to make one or more payments based PSPs with regulators and stakeholders (including on defined parameters, as relevant to those consumers), and the country reputation vis-à-vis payments (e.g., account from which funds are standard-setting bodies and the international drawn, payee, frequency, time and date, amount, community. Technology can be a precious ally in amount limits, duration of authorization, etc.) The the AML fight (Box 2). set of pre-authorizations made by the payer should 9 subsequently be made visible to the payer. If the However, these measures could be less effective in FPS allows pre-authorization, it should enable the an FPS, due to the small time-lapse between payer to revoke any pre-authorization of payments payment initiation and execution. For this reason, easily and timely or to change relevant pre- an FPS may face challenges in being able to authorization parameters easily and timely. complete the necessary security screening on payments while at the same time meeting end- Based on the rules for consumer protection under user expectations for speed.16 Yet, although the legal basis, the FPS should have controls and screening could be performed quickly and mechanisms to protect user data. These should automatically, the management of payments prevent the unintended exposure of user data, identified as suspicious might require both digital and physical, which should be interventions that could slow the process. 
Limits protected in transit and at rest, before, during and on the amounts of individual transactions are a after a transaction. The FPS should require that all potential mitigating measure to cap the exposure entities have in place robust controls and of payers and intermediary institutions to mechanisms (including for users), appropriate to fraudulent operations. Such limits would also their roles, to protect sensitive information make the fast payment deployment less attractive through the end-to-end payments process. The for fraudsters. FPS should have controls and mechanisms to protect sensitive information needed for account The FPS should require and facilitate timely and setup, transaction setup and problem resolution frequent sharing of information on fraud across all from unnecessary disclosure. For example, the relevant stakeholders and across systems. The FPS payer and payee should not need to know each should require the sharing of information to other’s account numbers or other sensitive facilitate managing and monitoring of fraud (e.g., information to initiate or receive the payment. patterns suggestive of risk, known instances of Also, the FPS should have controls and fraud, known vulnerabilities, the significance of the mechanisms to protect any sensitive information information and effective mitigation techniques). that is needed to process and complete a payment. Information shared for anti-fraud activities should For example, the payer and payee should not learn be used only for fraud management purposes. of one another’s account numbers or other Whenever possible, personally identifiable sensitive information at any point throughout the information should be excluded from information end-to-end payment process. Note that sensitive sharing; if shared, such information should be information should be defined by the FPS encrypted. The FPS should indicate how consistent with the applicable national law. 
proprietary data of entities other than PSPs would be aggregated, managed and protected for An FPS should protect user from the risk of fraud.15 purposes of fraud information sharing. The FPS Most of the measures applied in traditional should facilitate information sharing that supports systems to mitigate fraud risk (whether ex ante real-time and ex-post management and measures to detect fraud, such as security monitoring of fraud and should provide timely screening or ex post measures, such as SMS alerts updates and alerts. The FPS’s information sharing for users) might be used to help detect and mechanisms should be easy to implement, update manage fraud cases in fast payments. Some of and maintain. The FPS’s information sharing these measures may take advantage of the mechanisms should support differential access to information that accompanies fast payments; contents based on the roles and responsibilities of many fast payment systems have detailed each entity (i.e., operator, provider, regulator). information about the sender, recipient, time of The FPS’s information sharing mechanisms may transaction and geographic references, which can include a central trusted repository to perform enhance payments analysis to detect fraud. functions such as storage and aggregation of the 10 information. The FPS should have the ability to framework should be rigorously tested to aggregate fraud information to spot patterns that determine their overall effectiveness.17 may not be visible at the level of an individual entity. The FPS should monitor PSP compliance with risk management requirements on an ongoing basis. The FPS should have a robust system of controls in All participating PSPs should adhere to the FPS’s place to address and foster security, including but requirements relevant to their role and should not limited to the integrity and protection of data. fulfill all related obligations and responsibilities. 
The control system should be integrated with the The FPS should have effective processes in place to existing risk management processes. More in monitor and to enforce compliance by all relevant detail, the FPS should provide layered and robust entities, including by adopting appropriate technical, access, operational, procedural, and sanctions in the event of noncompliance. managerial controls strong technical access components and controls, including: The FPS operation should be consistent with the protection of market integrity. The FPS should • Identity verification and access management. require PSPs to put in place effective procedures to • Data encryption in-transit and at-rest. detect transfers of funds that lack the required • Data quality and integrity controls. information, and to determine whether to • Data breach prevention and detection. execute, reject or suspend such transfers of • Layered security controls. funds.18 • Components and controls that leverage industry standards. Finally, based on the rules for consumer protection • Data retention and disposal controls. under the legal basis, the FPS should have • Operations security, monitoring, and incident processes and timeframes for handling disputed response. payments. These would arise from fraudulent or • Communications and network security. erroneous activities and would require mechanisms to i) block funds availability (in a way The FPS should be robust against cyber risk and that is consistent with any applicable laws and/or resilient to it. It is important that FPS identifies its regulations) if an unauthorized, fraudulent, or critical business functions and supporting erroneous payment is identified by the receiving information assets that should be protected, in PSP prior to payment finality, and ii) hold rule order of priority, against compromise. The FPS violators accountable. 
The FPS should clarify how should implement appropriate and effective PSPs should act on error resolution and fraudulent controls and design systems and processes in line or unauthorized payments. The FPS should also with leading cyber resilience and information provide mechanisms for any party to the security practices to prevent, limit and contain the transaction to request prompt voluntary return of impact of a potential cyber incident. The FPS funds from the payee or the return of funds as should be able to detect the occurrence of required by law. potential cyber incidents and should be ready to take appropriate countermeasures against 5.8 Efficiency and Effectiveness breaches. The FPS should also design and test its The FPS should be efficient and effective in processes to enable the safe resumption of critical meeting the requirements of its participants and operations within two hours of a disruption and to users. This should hold as regards the choice of the enable itself to complete settlement by the end of clearing and settlement arrangement, operating the day of the disruption, even in the case of structure, scope of products cleared, settled, and extreme but plausible scenarios. Once employed delivered to users, and use of technology and within the FPS, the elements of its cyber resilience procedures. The FPS should offer convenient 11 baseline features and facilitate the provision of adopting open and accessible standards. The FPS value-added services to users and support cross- should be interoperable with payment format border payments. The FPS should be inter-linked standards (e.g., ISO 20022) and should utilize a with other payment systems and other FMIs, message format that: including, for instance, collateral management systems. Also, access to the FPS should be open to • Interfaces or interoperates with existing all non-bank PSPs that intend to offer fast payment payment format standards that are relevant services. 
The FPS should have clearly defined goals to use cases targeted by the FPS. and objectives that are measurable and • Enables cross-border interoperability. achievable, such as in the areas of minimum • Is cost effective to adopt. service levels, risk-management expectations, and • Facilitates innovation. business priorities, and should have mechanisms • Is adaptable to future needs and standards for regularly reviewing its efficiency and by permitting a mechanism for update. effectiveness. 5.10 Accessibility The FPS should provide the central bank with all relevant information and data on the pricing The FPS should enable any authorized entity to structure of its services. An FPS ecosystem initiate and/or receive payments to/from any normally features multiple points of pricing. The other entity (consistent with applicable legal pricing strategy employed at each point may differ, restrictions). The FPS should facilitate payments but the pricing scheme and fee structure charged to/from all types of payment accounts (or e-money to users by participants are dependent on the storing devices) based in the national jurisdiction pricing scheme adopted by the FPS and the and held at licensed PSPs and to/from all bank and participants. Information and data on pricing, nonbank PSPs. The FPS should authorize the use of covering participation fees and user charges, "open banking" practices and APIs [Application especially if benchmarked against same Programming Interfaces], which allow PSPs to information and data from FPS in other countries, access their clients’ account information, upon constitute essential inputs for the FPS and the client consent via dedicated interfaces. The FPS central bank to evaluate the overall level of should demonstrate how all entities choosing to competition within the system. use it can be sure that their payments can reach any and all payees. 
The FPS should address the 5.9 Competition needs of the unbanked or underserved to affordably send or receive payments and should The FPS should allow PSPs to compete to offer set up a credible plan for achieving widespread services. The FPS should allow choice of PSPs based adoption. The plan should demonstrate credibility on factors such as services (range and quality) and by showing that the FPS is technically feasible for prices, and consumer preferences more broadly. PSPs to adopt it and explaining how PSPs are The FPS should allow any entity to easily switch motivated to participate and to make the system among PSPs and/or to use multiple PSPs. The FPS available to users. If the FPS includes multiple should require PSPs to disclose in advance to their operators or networks, it should have a credible customers, all information necessary to easily plan to achieve interoperability across these understand the total cost of using their services. entities. The plan should demonstrate credibility The FPS should allow PSPs to provide value-added by showing that a payment initiated through one services. The FPS should not prevent, and should operator/ network/ provider can be received by a possibly facilitate, PSPs to offer additional services user served by another operator/ network/ beyond the FPS’s defined baseline features, as long provider. Finally, consistent with relevant law as the PSPs meet participation requirements. The provisions, the FPS should allow participating PSPs FPS should allow PSPs to integrate with the FPS by to make fast payment services available to their 12 customers through agents. The activity of PSP standard communication and messaging agents would be under the oversight of the central protocols. Finally, error resolution protections, bank. rights, and liabilities of the payer and payee should be clearly defined and easily understood by all 5.11 Usability parties. 
The FPS should provide a straightforward and 5.13 Scalability and adaptability simple user experience and be available anytime, anywhere, any way, using a variety of access The FPS should be able to readily adjust to ongoing points. The FPS should be available to users in a environmental developments and should thus variety of circumstances, and through a variety of demonstrate to be scalable and adaptable. The FPS channels, devices, and platforms (e.g., in person readily support projected transaction volumes, without a mobile device, in person with a mobile values, and use cases. The FPS technical design device, remote with a mobile device, online). The should support projected use cases and should FPS should enable an authorized entity to initiate a demonstrate the capacity to handle projected payment with limited information (e.g., with a volumes and values, including increased name, email address, and/or phone number) as transaction volumes and values during peak times appropriate for each use case and in a way that or periods of stress and to accommodate a cushion sufficiently supports receiver authentication. The above projections. The FPS technical design should FPS should be accessible to users on a 24x7x365 be readily adaptable to developments origination basis, including to initiate the payment, have from technology, the economy (e.g., financial visibility into payment status, and receive final system failures, economic crises), regulations, and availability of good funds. The FPS should be easy customer demands. to use, accommodate varying levels of user technological proficiency, and address the usability The FPS should support payments in multiple use needs of individuals with disabilities, the elderly, cases and should demonstrate to be adaptable to and individuals with limited language proficiency. new payment use cases in the future. 
Examples of Annex 3 provides a country example of access use cases include business-to-business, low-value, criteria for participation in an FPS. just-in-time supplier payments; business-to- person, high-value payments (e.g., medical 5.12 Predictability insurance claims); business-to-person, low-value payments (e.g., wages for temporary workers); The FPS should provide a reliable and standard person-to-person payment (e.g., payments to user experience for its baseline features. The FPS friends); person-to-business, remote, real-time design should ensure that the system can deliver a payments (e.g., emergency bill payments). defined baseline of core features. Baseline features of the payment experience (e.g., timing, 5.14 Cross-Border Functionality legal rights, costs, risks) should be defined, documented, and communicated so that they are The FPS should enable convenient, cost-effective, well known to users and compliant with consumer timely, secure payments to and from other protection and commercial law. Aspects that might countries. The FPS should allow for interoperability vary between payments (e.g., fees, timing) should with similar FPSs in other countries. Relevant be communicated by the PSP to the user in interoperability considerations might include advance and at the time of each payment. differences in messaging standards, languages, Communications should be appropriate for the character sets, mandatory data elements, audience, uniform, clear, concise and easily party/account identifiers, regulatory understood. In order to facilitate a consistent considerations, and timing of settlement and good experience for users, the FPS should adopt funds availability. The FPS should facilitate access 13 to PSPs that are active in cross-border payments as Oversight requires cooperation at various levels: well as to foreign remittance service providers. 
The from cooperation between regulators, supervisors FPS should require PSPs to make advance and overseers, to cooperation between the disclosure (both prior to and at the time of the authorities and all other relevant stakeholders. payer initiating the payment) of fees, exchange The aim of such cooperation is to foster rates, and other user costs, as well as the timing of communication and consultation in order for the authorities to support each other in fulfilling their good funds availability and any risks with the respective mandates and for them to solicit payment, consistent with regulatory collection action from stakeholders when needed. requirements. The FPS should allow conversion Cooperation needs to be effective in normal from one currency to another as necessary for circumstances and should be adequately flexible to cross-border payments. If the FPS does not have facilitate effective communication, consultation, cross-border functionality at implementation, it or coordination, as appropriate, including during should have a credible plan for implementing periods of market stress and in crisis situations. cross-border payments in the future. The plan should demonstrate credibility by showing the timeline for cross-border implementation and how the other considerations of this criterion will be addressed. VI. Conclusion This Note was intended to offer guidance on the oversight of FPS. The Note has identified the oversight requirements appropriate for an FPS and provides central banks with both an indication of the extra capacity needed to conduct effective oversight when an FPS will be in place and a tool to ensure that the FPS will be designed consistently with sound standards of safety and efficiency. 
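Worked example for the deferred-settlement controls described in section 5.3 above (a limit on each PSP's aggregate net debit position, prefunding, a loss-sharing backstop, and settlement cycles in which each PSP funds only its net debit). This is an added illustration, not code from the Note or from any FPS; PSP names and amounts are constructed.

```python
"""Deferred net settlement controls for an FPS.

Added example, not code from the World Bank Note or any real FPS. It models the
controls listed in section 5.3 for an FPS with deferred settlement: a limit on
each PSP's aggregate net debit position, prefunded collateral, a loss-sharing
backstop for any uncovered exposure, and settlement cycles in which each PSP
funds only its net debit. PSP names and amounts are constructed; money is in
integer minor units (e.g. cents).
"""
from dataclasses import dataclass


@dataclass
class Psp:
    name: str
    prefunded: int         # collateral lodged in the settlement account in advance
    net_debit_cap: int     # largest net debit position tolerated between cycles
    net_position: int = 0  # +credit / -debit accumulated since the last cycle


class DeferredNetSettlement:
    """Operator view of PSP net positions between two settlement cycles."""

    def __init__(self, psps):
        self.psps = {p.name: p for p in psps}

    def submit(self, payer_psp, payee_psp, amount):
        """Accept a payment (final for the payee once accepted) only if the payer
        PSP's projected net debit stays within its cap. Returns (accepted, reason)."""
        if amount <= 0:
            return False, "amount must be positive"
        payer, payee = self.psps[payer_psp], self.psps[payee_psp]
        projected = payer.net_position - amount
        if -projected > payer.net_debit_cap:
            # Rejecting before finality is what bounds the credit exposure of every
            # other PSP: once accepted, the payee has final funds before settlement.
            return False, f"{payer_psp} would exceed its net debit cap"
        payer.net_position = projected
        payee.net_position += amount
        return True, "accepted"

    def uncovered_exposure(self):
        """Net debit of each PSP that its prefunding does not back: the amount a
        loss-sharing agreement or liquidity provider would have to absorb if that
        P
SP failed before the next settlement cycle."""
        return {n: -p.net_position - p.prefunded
                for n, p in self.psps.items() if -p.net_position > p.prefunded}

    def settle(self):
        """Run a settlement cycle: each net debtor funds only its net debit, net
        creditors are paid, and all positions reset. Returns the obligations."""
        assert sum(p.net_position for p in self.psps.values()) == 0  # multilateral net
        obligations = {n: -p.net_position
                       for n, p in self.psps.items() if p.net_position < 0}
        for p in self.psps.values():
            p.net_position = 0
        return obligations


def run_scenario():
    """Constructed sequence of payments between two PSPs within one cycle."""
    dns = DeferredNetSettlement([
        Psp("PSP-A", prefunded=100_000, net_debit_cap=150_000),
        Psp("PSP-B", prefunded=50_000, net_debit_cap=50_000),
    ])
    results = [
        dns.submit("PSP-A", "PSP-B", 80_000),   # A: -80,000
        dns.submit("PSP-B", "PSP-A", 30_000),   # A: -50,000  B: +50,000
        dns.submit("PSP-A", "PSP-B", 120_000),  # would take A to -170,000: rejected
        dns.submit("PSP-A", "PSP-B", 90_000),   # A: -140,000, within cap, beyond prefunding
    ]
    uncovered = dns.uncovered_exposure()        # {"PSP-A": 40_000}
    obligations = dns.settle()                  # {"PSP-A": 140_000}
    return results, uncovered, obligations


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```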
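Worked example for the section 5.7 authorization requirements above (pre-authorization with defined parameters, visible to and revocable by the payer; explicit and informed consent for any other payment; a per-transaction amount limit as a fraud-mitigation measure; and re-authentication based on the risk profile of a transaction). This is an added illustration, not code from the Note or from any FPS; all identifiers, limits and dates are constructed.

```python
"""Payment authorization checks for an FPS (added example, not code from the World
Bank Note or any real FPS). Models section 5.7: pre-authorization with defined
parameters (account, payee, amount limit, frequency, duration), visible to and
revocable by the payer; explicit consent for any other payment; a per-transaction
limit as fraud mitigation; risk-based re-authentication. All values constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PreAuthorization:
    mandate_id: str
    payer_account: str
    payee: str
    amount_limit: int       # per-payment ceiling, minor units
    min_interval_days: int  # frequency: at most one payment per interval
    valid_from: date
    valid_until: date       # duration of the authorization


@dataclass(frozen=True)
class PaymentRequest:
    payer_account: str
    payee: str
    amount: int
    requested_on: date
    mandate_id: "str | None" = None
    explicit_consent: bool = False  # payer consented to this payment at initiation


class AuthorizationEngine:
    def __init__(self, txn_limit, step_up_amount, mandates=()):
        self.txn_limit = txn_limit            # FPS-wide cap on a single payment
        self.step_up_amount = step_up_amount  # at or above this, re-authenticate
        self.mandates = {m.mandate_id: m for m in mandates}
        self.revoked = set()
        self.last_use = {}                    # mandate_id -> date of last payment
        self.known_payees = {}                # payer_account -> payees paid before

    def revoke(self, mandate_id):
        self.revoked.add(mandate_id)  # immediate: no payment under it after this

    def visible_to(self, payer_account):
        # The payer can see every active pre-authorization on their account.
        return sorted(m.mandate_id for m in self.mandates.values()
                      if m.payer_account == payer_account and m.mandate_id not in self.revoked)

    def _check_mandate(self, req):
        m = self.mandates.get(req.mandate_id)
        if m is None or req.mandate_id in self.revoked:
            return "reject: pre-authorization unknown or revoked"
        if (m.payer_account, m.payee) != (req.payer_account, req.payee):
            return "reject: payment outside pre-authorized account/payee"
        if not m.valid_from <= req.requested_on <= m.valid_until:
            return "reject: pre-authorization not valid on this date"
        if req.amount > m.amount_limit:
            return "reject: amount above pre-authorized limit"
        last = self.last_use.get(req.mandate_id)
        if last and req.requested_on < last + timedelta(days=m.min_interval_days):
            return "reject: more frequent than pre-authorized"
        return None

    def decide(self, req, reauthenticated=False):
        """'approve', 'step-up' (re-authenticate, resubmit with reauthenticated=True) or 'reject: ...'."""
        if req.amount <= 0 or req.amount > self.txn_limit:
            return "reject: amount outside FPS transaction limit"
        if req.mandate_id is not None:
            problem = self._check_mandate(req)
            if problem:
                return problem
            self.last_use[req.mandate_id] = req.requested_on
            return "approve"
        if not req.explicit_consent:
            return "reject: explicit payer consent required"
        # Risk-based authentication: a large amount or a never-before-paid payee
        # is a higher-risk profile, so the PSP re-authenticates the user first.
        payees = self.known_payees.setdefault(req.payer_account, set())
        higher_risk = req.amount >= self.step_up_amount or req.payee not in payees
        if higher_risk and not reauthenticated:
            return "step-up"
        payees.add(req.payee)
        return "approve"


def run_scenario():
    eng = AuthorizationEngine(500_000, 100_000, [PreAuthorization(
        "M1", "ACC-1", "UTILITY-CO", 20_000, 28, date(2021, 6, 1), date(2021, 12, 31))])
    util = lambda day, amt: PaymentRequest("ACC-1", "UTILITY-CO", amt, day, "M1")
    shop = PaymentRequest("ACC-1", "SHOP", 5_000, date(2021, 7, 5), explicit_consent=True)
    decisions = [
        eng.decide(util(date(2021, 6, 5), 15_000)),   # approve
        eng.decide(util(date(2021, 6, 20), 15_000)),  # reject: within 28 days of last use
        eng.decide(util(date(2021, 7, 5), 25_000)),   # reject: above the 20,000 limit
        eng.decide(PaymentRequest("ACC-1", "SHOP", 5_000, date(2021, 7, 5))),  # no consent
        eng.decide(shop),                              # step-up: first-time payee
        eng.decide(shop, reauthenticated=True),        # approve
        eng.decide(shop),                              # approve: payee now known
        eng.decide(PaymentRequest("ACC-1", "SHOP", 600_000, date(2021, 7, 6), None, True)),
    ]
    eng.revoke("M1")
    decisions.append(eng.decide(util(date(2021, 8, 5), 15_000)))  # reject: revoked
    return decisions, eng.visible_to("ACC-1")
```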
14 ENDNOTES 1 According to the Committee on Payments and Market Infrastructures (CPMI), a fast payment can be defined as a payment in which the “transmission of the payment message and the availability of ‘final’ funds to the payee occur in real time or near-real time on as near to a 24-hour and seven-day (24/7) basis as possible. 2 For a comprehensive review of the various FPS models, see Instant Payments Systems – Analysis of selected systems, role of the central bank and development directions, Narodowy Bank Polski, June 2015. 3 See Principle 9 (on Money settlement) of the Principles for financial market infrastructures, report by the Committee on Payment and Settlement Systems (CPSS) and Technical Committee of the International Organization of Securities Commissions (IOSCO), Bank for International Settlements, Basel, April 2012. Since October 2014, the CPSS has been renamed Committee on Payments and Financial Market Infrastructures (CPMI). 4 Express Elixir in Poland and BiR in Sweden are examples of this type of model. 5 The role of the Reserve Bank of Australia in spearheading the launch of the NPP is an example of the catalytic role that central banks can play for the development of FPS. 6 Designation is the process whereby the central bank, in its capacity as overseer of the NPS, identifies NPS entities (including systems, services providers, and payment instruments or schemes) and classify them according to specific classes of risk, such as systemically important, system-wide important (or critical or prominent), and others, which reflect their riskiness, that is, the level of risk that could emerge from their operation, and the extent to which such risk could spill over to other NPS entities, the financial system and the broader economy, or affect public trust in the NPS and the national currency. 
For each class of risk, the central bank would then identify appropriate and proportional oversight standards and requirements and require that the system observes them. 7 This section draws on Faster Payments Effectiveness Criteria, Faster Payments Task Force, Federal Reserve Banks, 26 January 2016. 8 See Harmonised Oversight Approach and Oversight Standards for Payment Instruments, European Central Bank, February 2009. 9 Disputed payments may originate from errors, unauthorized transactions or disputes in the payment process. 10 The term "stakeholders" refers not only to the entities that operate in the FPS, but also more broadly to the financial and nonfinancial industry that is involved in the production and delivery of fast payment and related services, the community of consumers and merchants, and the general public at large. 11 The content of this box draws on Weyman, J., ‘Risks in Faster Payments,’ Retail Payments Risk Forum Working Paper, Federal Re serve Bank of Atlanta, May 2016. 15 12 The content of this box draws on Instant payments: Enormous Potential versus Financial Crime Risks, by Paul Hamilton, AML Knowledge Centre, available at https://aml-knowledge-centre.org/instant-payments-enormous-potential-versus-financial-crime-risks/. 13 The past decade has brought a compliance boom in banking, Economist, 2 May 2019. 14 Financial authorities and international financial organizations have highlighted the relevance of developing a robust cyber-resilience framework to maintain the functioning of services of financial market infrastructure (FMIs), even after a cyber-attack. In June 2016, the CPMI and IOSCO have released the report Guidance on cyber resilience for financial market infrastructures, which provides FMIs with guidelines for developing and enhancing their cyber framework, focusing on the recovery of critical services within two hours after the incident occurs. 
In line with such guidance, the ECB has developed a tool that can be adapted to systems at different levels of sophistication; see Cyber resilience oversight expectations for financial market infrastructures, European Central Bank, September 2018.

15 In May 2018, the CPMI issued the report Reducing the risk of wholesale payments fraud related to endpoint security. While it focuses on large-value payment systems, the approach recommended in the report offers recommendations and insights that can usefully be implemented in retail payment systems as well.

16 As reported by the CPMI, in some instances end users may be willing to sacrifice some speed or service availability in order to better track payment activity and mitigate the risk of fraud. For example, in Korea, concerns about a rise in telecommunications fraud led to the introduction in October 2015 of the "delayed transfer system," under which a payer can delay the timing of otherwise fast payments for a period of time set in advance by the payer.

17 See note 14.
18 Relevant guidance on this point is contained in Final Guidelines, JC/GL/2017/16, issued by the Joint Committee of the European Supervisory Authorities (EBA, EIOPA, and ESMA), 22 September 2017. The report sets out joint guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and on the procedures they should put in place to manage a transfer of funds that lacks the required information.
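The delayed transfer option described in note 16 is easy to read as merely slowing payments down; what it actually buys the payer is a cancellation window before funds become final to the payee, which is the property fast payments otherwise hand to a fraudster. The Python model below is added here as an illustration and is not taken from the paper or from the Korean system's specification. It shows a ledger in which each payer sets a hold in advance, a transfer becomes final only once its hold has elapsed, and cancellation is honoured only while the transfer is still pending. The class and field names, the three-hour hold, and the transfers constructed in demo() are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict

# Illustrative model of a payer-configurable "delayed transfer" option.
# Names, field layout and the default hold are assumptions for this
# example, not the Korean system's specification or the paper's material.


@dataclass
class Transfer:
    transfer_id: str
    payer: str
    payee: str
    amount: int               # minor currency units (e.g. cents)
    submitted_at: datetime
    hold: timedelta           # payer-chosen delay; zero means an ordinary fast payment
    status: str = "pending"   # pending -> final | cancelled

    @property
    def release_at(self) -> datetime:
        return self.submitted_at + self.hold


class DelayedTransferLedger:
    """Holds transfers until the payer-chosen delay expires, then makes funds final.

    Cancellation is honoured only while a transfer is pending and its release
    time has not passed. Once funds are final they are not clawed back here,
    which is exactly the irrevocability that makes fast payments attractive to fraud.
    """

    def __init__(self) -> None:
        self._transfers: Dict[str, Transfer] = {}
        self._payer_hold: Dict[str, timedelta] = {}  # hold set in advance, per payer

    def set_payer_hold(self, payer: str, hold: timedelta) -> None:
        if hold < timedelta(0):
            raise ValueError("hold must be non-negative")
        self._payer_hold[payer] = hold

    def submit(self, transfer_id: str, payer: str, payee: str,
               amount: int, now: datetime) -> Transfer:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if transfer_id in self._transfers:
            raise ValueError("duplicate transfer id")
        hold = self._payer_hold.get(payer, timedelta(0))
        t = Transfer(transfer_id, payer, payee, amount, now, hold)
        self._transfers[transfer_id] = t
        self._release_due(now)  # a zero hold is released immediately
        return t

    def cancel(self, transfer_id: str, payer: str, now: datetime) -> bool:
        """Return True if the transfer was still pending and is now cancelled."""
        t = self._transfers[transfer_id]
        if t.payer != payer:
            raise PermissionError("only the payer may cancel")
        self._release_due(now)  # apply any release that has already fallen due
        if t.status != "pending":
            return False
        t.status = "cancelled"
        return True

    def status(self, transfer_id: str, now: datetime) -> str:
        self._release_due(now)
        return self._transfers[transfer_id].status

    def _release_due(self, now: datetime) -> None:
        # Pending transfers whose hold has elapsed become final and irrevocable.
        for t in self._transfers.values():
            if t.status == "pending" and now >= t.release_at:
                t.status = "final"


def demo() -> Dict[str, object]:
    """Constructed scenario: 'alice' opted into a 3-hour hold, 'bob' did not."""
    ledger = DelayedTransferLedger()
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    ledger.set_payer_hold("alice", timedelta(hours=3))
    ledger.submit("T1", "alice", "scammer", 500_00, t0)
    ledger.submit("T2", "bob", "merchant", 20_00, t0)
    ledger.submit("T3", "alice", "landlord", 1_200_00, t0)
    # Alice realises T1 is a scam 45 minutes later and cancels inside the window.
    cancelled_t1 = ledger.cancel("T1", "alice", t0 + timedelta(minutes=45))
    # Bob's ordinary fast payment is already final; it cannot be recalled.
    cancelled_t2 = ledger.cancel("T2", "bob", t0 + timedelta(minutes=1))
    # Alice's rent became final when the hold elapsed; a late cancel fails.
    late_cancel_t3 = ledger.cancel("T3", "alice", t0 + timedelta(hours=3, minutes=1))
    return {
        "T1": ledger.status("T1", t0 + timedelta(hours=4)),
        "T2": ledger.status("T2", t0),
        "T3": ledger.status("T3", t0 + timedelta(hours=4)),
        "cancelled_t1": cancelled_t1,
        "cancelled_t2": cancelled_t2,
        "late_cancel_t3": late_cancel_t3,
    }


if __name__ == "__main__":
    print(demo())
```

The hold is bound to the payer at submission time, so a fraudster who compromises the payer's credentials cannot shorten the window for a transfer that is already queued; whether the hold setting itself should be changeable without a further out-of-band confirmation is a design decision this example leaves open.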
