SPEAKER_01 0:00

Welcome to this episode of Defense Chat with Jason and Aiden. Let's jump right in to make the payment make that Jason, glad to be with you for another Wednesday recording session. And although by the looks of that beard, it seems like you haven't left the office since last week's recording session. And come to think of it, regardless of the time of day, when I log on to Slack, you're online working.

SPEAKER_00 0:36

Yeah, Hayden, the dev team and I have been working very hard on finalizing our first release of a really cool technology product that we're super excited about. Have totally been embracing the quarantine lifestyle and spending way too much time in the office.

SPEAKER_01 0:52

Yeah, I've seen you do a few demos and everybody has been pretty excited. Let's jump into today's stories. FedNow forwarding faster payments, another flavor in real-time payments ecosystem. Next, first data's dirty deals. Another FTC story about lack of oversight. And last, always available APIs and the key to API services that don't suck. Now let's jump right into our first story. The FedNow service is at the top of the priority list for the Federal Reserve and is currently in active development. They are working through the pandemic and expect to have it available in 2023 or 2024. Industry engagement is a key component of the new FedNow service development plan, and they are working on developing industry-wide collaboration on service and design.

SPEAKER_00 1:35

Yeah, Hayden, this is a super exciting initiative in the payments ecosystem, and we are certainly looking forward to contributing to the FedNow community. There's been so much innovation in real-time payments in the last couple of years, and FedNow is yet another flavor of real-time payments. Many people don't know this, but here in the US, there's actually two main clearinghouses for bank-to-bank transactions. There's the Federal Reserve Bank and the Clearinghouse, which launched their own real-time payments product called RTP in 2007. Clearinghouse is actually owned by the world's largest commercial banks. And smaller banks don't have direct access to RTP without using a third-party processor, thus increasing their costs. So most of the smaller banks are very excited about the FedNow initiative, which will give all banks access to online real-time payment capabilities.

SPEAKER_01 2:29

Jason, I know being a certified APRP, you have a ton of experience in how money moves between banks. And I understand the goal is for nationwide coverage through interoperability, where somebody can make a payment and have it seamlessly make it to the receiver, regardless of the service operator.

SPEAKER_00 2:46

Conceptually, FedNow and RTP will operate very similar to the ACH solutions, where regardless of what clearinghouse a bank is using, they'll communicate between each other so that the payment ultimately lands where it needs to land. Even smaller banks today that don't have direct connections to one of the clearinghouses rely on correspondent banks, and there's various third-party service providers that create vertically specialized solutions. But ultimately, I think the picture is gonna get more complex. Historically in this country, we've had two types of primary payment networks, card and debit networks, and then the ACH networks. And they've always played very nicely together. I think with the trend of these real-time payment solutions, and you have to look beyond just the FedNow solution and RTP, I think you also have to include Zell, Venmo, Square Cash, and a lot of these third-party applications that have been created that today are strictly peer-to-peer payment solutions, but ultimately want to break into consumer-to-business type solutions. What we're seeing is the transformation of the US payment supply chain to look very similar to many international countries where card payments or bank-to-bank transfers aren't the primary means of conducting transactions. And I think the picture here is going to continue to get more and more convoluted as all of these different players are making a drive to have merchants accept their form of payment. It's going to create new challenges for merchants, ISVs, and banks that are going to have to monitor and deal with all of these cross-channel risk type of scenarios.

SPEAKER_01 4:27

Jason, on the topic of risks, it looks like yet another FTC settlement has been reached. This time with First Data LLC and a former executive will pay over 40.2 million to settle Federal Trade Commission charges. The charges state that First Data knowingly processed payments and laundered or assisted laundering of credit card transactions for scams that target hundreds of thousands of customers. They allegedly looked the other way when repeatedly warned from employees, banks, and others that one of their independent sales agents, Chico, was laundering money and that First Data was facilitating the laundering of payments for companies that were operating unlawfully for years. And it turns out they actually hired the agent as a First Data executive.

SPEAKER_00 5:10

Hayden, this is gonna be my hot topic of the year, and we're gonna keep talking about this until this supply chain gets it under control. The fact that this continues to happen is simply a lack of due diligence and oversight. There's so many protocols that should be in place at every bank that has an acquiring program to protect against this type of activity. Visa has their global acquirer risk standards. MasterCard, their global risk management programs. Both of these programs outline the level of due diligence that a acquiring bank should be doing on its third-party payment providers and their subsidiaries. The problem is that most of these acquiring banks don't have systems in place to inspect what they expect from their third-party payment processors, and they're just operating on blind faith. They're relying on the third-party payment processors to generate the reports that they then in turn use to audit them on, which is a recipe for disaster. I think what a lot of acquiring banks don't appreciate is how well defined the risk standards are and how easy it is to actually put compliance programs in place that generate these reports in an automated fashion and make overseeing their third-party payment processors a significantly easier task.

SPEAKER_01 6:27

Well, according to the FTC, from 2012 to 2014, Co. used false names to open accounts, provided Wells Fargo with misleading information to open the accounts, and ignored evidence that his clients were committing acts of fraud. The money to be paid will go toward refunding any consumers harmed in any of these scams, and the company will be required to screen and monitor certain high-risk merchant clients, as well as establish and implement an oversight program to monitor its independent sales agents. And on top of that, for the next three years, First Data is required to hire an independent assessor to oversee the company's compliance with the settlements oversight program.

SPEAKER_00 7:05

Hayden, outside of the fine, what is sad is that the penalties that are being opposed are things that the acquiring bank, in this case Wells Fargo, should have been demanding from FirstAd in the first place. Banks undergo a series of audits every year from regulators and those in the acquiring space from the card networks as well. I don't understand why they should expect anything different from their third-party payment processors. Over my career, I've had the absolute pleasure, and I actually mean that, of working with several great auditors. I'd be remissed if I didn't give a shout out to David Press from MasterCard, who, outside being a Miami Dolphins fan, is one of the most knowledgeable that I've ever worked with. We'll have to get him on an episode of SenseChat to not just talk audits, but maybe a little AFC East. Here's what I can tell you. If you're playing by the rules, an audit shouldn't be something you're scared of. But it's a second set of eyes to help you find and identify gaps. No matter how great your policies are, times change, fraud profiles change, people come up with new scams. And that's why, as financial institutions, as third-party payment providers, you should embrace these audits and work with the auditors to develop solutions that are going to protect the integrity of this supply chain.

SPEAKER_01 8:20

Well, Jason, now that Brady is out of New England, maybe your Buffalo Bills will have a chance this season. Anyways, moving forward, let's talk about a gap that seems to be closing very quickly. As we're slowly moving toward a coronavirus-free world, the role of an open banking API is growing, and we definitely expect to see a rise of open banking and digital first financial services.

SPEAKER_00 8:41

Yeah, Hayden, it it absolutely boggles my mind how many checks we still write. Or in the case of the CARES Act, how many checks the government had to write, and how many people had to rely on the Postal Service to deliver those payments. The fact that so many merchants still rely on outdated accounts receivable and account payable systems that don't have direct banking integration is mind-boggling. How can anyone run a business based on Excel spreadsheets these days? What's funny is that the US doesn't have a PSD2 payment service directive like the European Union does, which mandates that banks open their APIs and enhance consumer authentication, something known as SCA or strong customer authentication. But that isn't stopping rapid innovation in the US thanks to our strong fintech space. One of the biggest challenges with the payments and banking system is much of it is still based on legacy technology. Many of the modern solutions overlay 50-year-old mainframe technology that still powers much of the ecosystem.

SPEAKER_01 9:42

Yeah, well, the resiliency of technology is a key factor in a bank's dependency of an API, but monitoring API performance is just as important as deploying them in the first place. Service providers must make sure to monitor their API's performance to ensure functionality, accessibility, and don't have any downtime or tech issues that can otherwise lead to the loss of transactions.

SPEAKER_00 10:04

Hayden, this is actually one of the biggest topics that I talk to ISVs about is unreliable APIs. And I'll tell you, it absolutely drives them and their merchants nuts because it results in the loss of sales, angry merchants, angry consumers, potential chargebacks. And the industry trend is that everybody blames somebody else. If you're going to be producing APIs, you really need to understand high availability. Too many people are building solutions that work great in a small environment with a limited amount of data, but when you move it into a production environment and beat on it, it falls apart. It's more critical than ever for somebody who's playing in the financial services space, be it payment processing or banking, to have multiple data centers, perform extreme load testing, and have monitoring solutions in place so that you're not finding out you have a problem with your system when one of your customers is calling you. And equally as important is test all of these different solutions. Don't just have multiple data centers. Don't just do load testing. Don't just put a monitoring solution in place, but actually test to make sure that these things are effective when something does go wrong, because it will.

SPEAKER_01 11:16

Jason, I know you for one have been working on several technology initiatives focused on this exact topic. So, in your professional opinion, what do you see as the key differentiators?

SPEAKER_00 11:27

Well, Hayden, we've touched on this topic in a few episodes now, but we'll recap some of the key items. I think the first one is that it has to be easy to integrate to, and you have to have a development support team that is going to work in real time with those that are integrating to your solution. Secondly, a single API that exposes all of the different services that you offer. Don't have multiple versions of different flavors of APIs that you're forcing your customers to integrate to. You have to stay up to date with the latest functionality from upstream vendors. I can tell you horror stories of people who have built APIs that at the time they built them, they were cutting edge, but two years later they were so far behind the industry standards, it was mind-boggling. In fact, there are still gateways out there today that haven't implemented Visa mandates from two years ago. And it has a massive impact on authorization rates. We'll cover that in another episode. Next, high availability and penetration testing. We live in this development world where everything is rapid development, rapid deployment. And as you're building solutions and getting them out the door as quick as possible, don't forget to load test and penetration test those new features and functionality so that you're ensuring you're not setting yourself up for a compromise.

SPEAKER_01 12:51

Based on previous topics, I know data security isn't something to compromise on. Alrighty, Jason, the moment our listeners have been waiting for. How about those takeaways?

SPEAKER_00 13:01

ISVs. Make sure your payments technology partners are paying attention to domestic alternative payment methods, or you'll leave your merchants wanting more. Banks, don't rely on your third-party payment providers to produce reporting you use to audit them. It's a recipe for disaster. Technology service providers, if you're not building APIs that are fault tolerant and highly available, it's your fault when it breaks.