Things to Consider About Offering P2P

Amy Donaghue

By: Emily Nelson, AAP, Manager, Audit Services

As payment systems evolve, many consumers hold a long-standing assumption that this means money will be in their account faster. While financial institutions want to offer faster payment options to their account holders, some things need to be addressed regarding person-to-person (P2P) transfers. Let’s discuss risks associated with this service, housekeeping that should be conducted and how Regulation E may apply.

Risks that should be evaluated before offering P2P services include, but are not limited to, credit risk, fraud risk and third-party risk.

While you may not initially think so, credit risk still applies to P2P entries, since settlement of the entry can take anywhere from one to two days. P2P entries are also subject to fraud risk because they are primarily initiated over the internet. Third-party risk applies when a financial institution's management does not have direct control over the activities related to the P2P entries. While some level of risk applies to every payment channel, there are steps financial institutions can take to better mitigate those risks.

Before offering P2P services to consumers, financial institutions should have a risk assessment conducted. The risk assessment should address security, operations, settlement, exceptions, business continuity, vendor management, credit, fraud and compliance associated with P2P entries. Upon completing the risk assessment, the financial institution should develop policies and procedures for the P2P service. The policy should address whom the financial institution will offer the service to and what authentication standards apply. The procedures should include the internal controls that mitigate the risks identified within the risk assessment.

Authentication standards for credit entries initiated over the internet were updated in 2011 by the Federal Financial Examination Council (FFIEC). The FFIEC indicated that financial institutions should implement multifactor authentication, layered security or other controls deemed commercially reasonable. Commercially reasonable methods include those used by similar entities engaging in similar activities. While many commercially reasonable authentication tools are available, a financial institution must determine which tools best suit its needs and risk appetite.

The financial institution should also revise the language of its online banking agreement for consumers using the service to cover, at a minimum, what constitutes termination of the service, transaction limits, the consumer's responsibility to notify the financial institution of errors, and all applicable rules, regulations and laws. By conducting due diligence before offering the service, a financial institution can address the items identified in its risk assessment and stay within its risk appetite while also providing good customer service.

When it comes to fraud, we know all too well how quickly and easily it can happen. Oftentimes when a scam or fraud occurs, the consumer will reach out to their financial institution for assistance. While responding to consumers regarding such concerns is good customer/member service, it is also a regulatory requirement. The regulatory requirement I am referring to is Regulation E. If a consumer were to call your institution today, you would need to gather some information to determine whether Regulation E applies. One thing you would need to identify is whether the P2P entries in question were initiated by your client or not. If the client indicates their credentials were stolen, then Regulation E would apply, because the entry was initiated by a person who did not have authority to initiate the transaction and the consumer did not benefit from the transaction. While there are many ways in which consumers can be scammed, Regulation E outlines a financial institution's responsibilities regarding unauthorized Electronic Funds Transfers (EFTs).

So, what is your financial institution's approach to P2P entries? Are you currently offering these services and have you addressed the items listed above? Or does your institution have some things to touch up before launching this service? Whatever the answer may be, the items above will remain relevant as long as P2P entries exist. It never hurts to periodically test your controls, review your agreements, touch up your policy or update your procedures. These are the items that can better protect not only your institution but also your clients.