Show Report: NACHA Payments 2013 – Day 1 Focuses on Innovation

Estep said that the payments industry is at a crossroads, in which industry players are all constantly challenged to innovate, all the while trying to decrease expenses and respond to changing regulations. She emphasised that payments professionals must focus on the possibilities of tomorrow, rather than just the needs of today. Even great companies can suffer from the “innovator’s dilemma,” in which they fail by doing everything exactly right, she noted.

“If you’re focusing on today’s customer needs and today’s solutions, the problem you may encounter is that you aren’t anticipating tomorrow’s needs, and a solution that can help bring everyone forward,” said Estep. “And with that, you may fall behind. That is where many in the payments industry find themselves today.”

Estep also discussed some of NACHA’s own innovative initiatives, including the XML Remittance programme, which launches in May. The programme enables the use of the XML data format for transmitting business-to-business transactions through the ACH Network. NACHA said that the programme will help banks, service providers and corporates facilitate the electronification of the business-to-business (B2B) remittance process.

Up next was keynote speaker Brett King, founder and chief executive officer (CEO) of Moven and 2012 American Banker Innovator of the Year, who discussed disruption in financial services. He likened the current state of the financial services industry to the music industry, which went through drastic changes over the past decade following the advent of Napster and – later – iTunes.

Financial services have gone from physical banking – a face-to-face interaction with a live person – to internet and mobile banking – something one does on their own time with little to no interaction with another individual. Therefore, King believes it is imperative for banks to rework their approach to customer engagement, branding and innovation in payments. He was adamant that innovation in financial services now lies in mobile payments and banking.

However, King stressed that banks and non-bank providers cannot just take their current services and put them into a new (mobile) platform. Instead, they must create products that understand mobile and its users. They must “lead with mobile,” he said. And if they do not, they are going to be left behind.

King noted that the reason Square has been so successful is that the startup gave merchants a frictionless way to accept card payments. This is a stark contrast to the long, expensive process of setting up payment terminals through a bank. “Square’s innovation isn’t turning the phone into the point of sale [PoS]. It’s getting rid of the friction of merchant onboarding,” he said.

Cyberthreats and Cybercrime

Following the opening general session, the first round of educational sessions began. Charles Bretz, director, payment risk, Financial Services Information Sharing and Analysis Center (FS-ISAC), discussed the most prevalent cyberthreats to corporates and banks in the session Cybersecurity Threat Mitigation: Prevailing Intelligence & Practices.

Bretz provided details on account takeovers, which are among the most prevalent threats being used by cybercriminals. Many of these attacks begin through spear-phishing emails, such as the infamous malware-laced emails that impersonated NACHA in 2011 and requested payments. Many account takeover attacks originate in Eastern Europe and unfortunately the authorities in these countries cannot be counted on to effectively crack down on the criminals, said Bretz.

Bretz also weighed in on distributed denial-of-service (DDoS) attacks, used in conjunction with account takeovers. This practice enables criminals to move money out of a corporate account and then launch a DDoS attack so that the client cannot see the fraudulent transaction.

Bretz noted that these attacks can result in massive fraudulent overseas wire transfers that range from US$90,000 to US$7 million.

In the session Best Practices for Mitigating Fraud in Payments Processing, Gail S. Ball, AAP, CTP, senior vice president, treasury management operations, Capital One, Barbara Dank, AAP, CTP, general manager, NCO Financial Systems Inc., and Tim Romick, director, treasury risk at NCO, discussed policies that corporate practitioners can implement to safeguard company cash from fraud. 

The panel cited the Federal Reserve’s 2012 Payments Fraud Survey, which broke out which payment types are the most prevalent methods. Cheques are still the most commonly used payment type targeted for fraud. Credit cards became the highest loss payment type for 33% more companies in 2011 versus 2010. ACH debit – though still small – is rising fast, with more than double the companies reporting it as their highest loss type (10% in 2010 versus 22% in 2011).

With regard to check fraud, the panel discussed how some older, tried-and-true controls are becoming relevant again with new technology and the current environment. These include daily monitoring and reconciliation, internal controls, separation of duties and separation of accounts for collections and disbursements. Other effective controls include positive pay/payee positive pay, post no checks restrictions for depository accounts and increasing the use of electronic payments.

After breaking for lunch, the concurrent sessions started up again. In the session Implications of Reform on Healthcare and Insurance Payables, Cecilia Walpole-Griffin, vice president, treasury operations and services, United Health Group and Ravin Yadav, vice president, treasury services, J.P. Morgan, weighed in on the many changes brought about by the Patient Protection and Affordable Care Act (PPACA).

Yadav explained that the ACA aims to make healthcare more efficient and less costly. One way it attempts to do this is encouraging electronic payment. However, Yadav noted that the ACA does not force electronic payment. “There is a push towards electronic, but there is not a mandate,” he said.

Walpole-Griffin discussed the challenges United Health Group faced in implementing electronic funds transfer (EFT). The insurance company’s rapid growth resulted in a complex technology infrastructure with multiple claim adjudication platforms and payment applications. Healthcare providers have been reluctant to adopt EFT payments because they are often required to complete multiple enrollments for one payer. So UHG simplified its platforms and enrollment processes with a new programme that encouraged electronic enrollment.

Consumer Payments

Next up was another general session, Industry Agenda – Responding to Forces of Change in Consumer Payments, which looked at how major – and often unforeseen – changes cause organisations to abandon old practices in favour of new ones. Brad Larson, CTP, vice president, global treasurer, Claire’s Stores; Marie Gooding, first vice president and chief operating officer (COO), Federal Reserve Bank of Atlanta; Dominic Venturo, chief innovation officer, retail payment solutions, U.S. Bank; Wesley Wright, senior vice president, global product development and marketing, global payment options division, American Express; and moderator David Stewart, senior expert, McKinsey & Co., shared their thoughts on consumer behaviour, technology, changing regulations, fraud and other topics influencing the payments space.

In the session PCI in 2013 and Beyond: People, Processes & Technology, Robert Russo, general manager, PCI Security Standards Council LLC, discussed how his organisation provides education on the PCI Security Standards.

PCI has been around since 2006. But prior to that, from about 2001, each one of the credit card brands used a version of the standards. “So these standards are reasonably mature and pretty much cover everything we’ve seen out there,” he said. “So as people begin to bring more and more technology into it, there are clarifications that we need to do. And that’s the majority of what we’ve done for the last two releases of the standard.”

Russo discussed how many retailers – in particular, restaurants – open themselves to fraud by not changing default passwords. “This is the biggest issue that we’re seeing,” he said. “Somebody comes in and installs a device or a piece of software and leaves the default password in there. And it’s a very simple matter – you go online and say ‘Tell me what the default password is for this device’ and it will tell you.”

The Council is getting ready for PCI 3.0, which goes into effect in January. The standard has a three-year lifecycle. Once the new standard is released, users will have one year to become compliant with the new version. The next year, the Council will gather feedback on the standard. “We’ll take all of that feedback and that feedback becomes what the next version is,” he said.

