August 2024
Going Too Fast? Managing Instant Payment Risks*
by Susan Goldberg, Director of Examinations, Supervision and Regulation, Federal Reserve Bank of Atlanta, Joseph Vall-Llobera, Director of Examinations, Supervision and Regulation, Federal Reserve Bank of Atlanta, and Robert Canova, Senior Examiner, Supervision and Regulation, Federal Reserve Bank of Atlanta
The payments ecosystem is rapidly evolving, leading to a number of enhancements and challenges for financial institutions. According to a recent payments report,1 instant payments represented only a sliver of the overall payments volume in the United States in 2023, accounting for just 1.5 percent of the total payments. Increasingly, however, consumers and businesses are seeking financial partnerships that allow for transactions to occur in real time, not in hours or days. According to new Federal Reserve Financial Services surveys,2 86 percent of businesses and 74 percent of consumers said they used faster or instant payments in 2023.
Although nonbanks have generally taken the lead in experimenting with greater payment efficiencies, for the most part, federally insured depository institutions have supported payment innovations such as instant payments. One reason for federally insured depository institutions’ hesitancy in adopting payment efficiencies is the introduction of different risks. Instant payments differ from traditional payments, as instant payments are irrevocable because of their instantaneous settlement. While the speed of instant payments reduces a traditional type of risk for federally insured depository institutions — credit risk due to the speed of settlement — they increase other types of risks related to payment transfers. However, prior to the introduction of FedNow by the Federal Reserve in 2023, only one instant payment service existed. With the introduction of FedNow, more federally insured depository institutions are expected to join the 700 plus institutions already using the service to provide instant payments to their customers.
In moving to an instant payment environment, federally insured depository institutions need a holistic strategy that appropriately considers any changes to operating systems and risk management practices that are needed. Key risk management components that federally insured depository institutions should evaluate when preparing to engage in instant payment offerings include fraud risk, liquidity risk, compliance risk, and third-party risk.
How Fast Is Fast?
As the speed of payment network transmissions increases, the terms instant payments and real-time payments are often used interchangeably. The Federal Reserve refers to instant payments as those that can be made at any time of day, any day of the year, with real-time interbank settlement and immediate funds availability for receivers. Therefore, with an instant payment, the transfer of funds between the federally insured depository institutions is final, and the receiving financial institution is required to make the funds available in a matter of seconds.3 In contrast, older systems such as the automated clearing house (i.e., FedACH) could take hours, if not an entire business day, to make funds available in a customer’s account. Instant payments also feature availability 24 hours a day, seven days a week, which is not true for the existing FedACH.
Instant Payments Require Enhanced Liquidity Risk Management
Instant payments are processed and settled individually and continuously on a round-the-clock basis. Given the speed and available time frame to conduct transfers, federally insured depository institutions, or their correspondents, participating in instant payment systems must maintain adequate balances to settle transactions. Furthermore, payment activity may shift from existing deferred settlement systems, depending on customer volume and preference, which may affect a bank’s available liquidity throughout the day. To help financial institutions enact appropriate liquidity risk management practices, the Federal Reserve developed the Federal Reserve Policy on Payment System Risk4 and published the Guide to the Federal Reserve’s Payment System Risk Policy on Intraday Credit.5
Federally insured depository institutions planning to participate in or provide settlement services for instant payments will also need a strategy to maintain liquidity that aligns with their overall risk appetite. Effective liquidity risk management practices for institutions with instant payments activities include:
- leveraging available intraday credit in accordance with the Federal Reserve Policy on Payment System Risk;
- securing additional credit through the discount window during normal operating hours6 to support after-hours liquidity needs;
- accessing private-sector liquidity markets;
- adjusting balance sheets to accommodate more highly liquid assets; and
- taking advantage of liquidity management tools that instant payment network providers offer, such as FedNow Service liquidity management transfers.7
Federally insured depository institutions may also need to reconsider existing manual controls for clearing and settling payments after business hours and determine whether automated solutions are necessary. Closely monitoring inflows and outflows after adoption can help an institution forecast the volume and timing of intraday liquidity needs. In addition, scenario analysis could help institutions prepare and implement measures to ensure adequate liquidity in “tail events,” which are rare but have the potential to result in adverse financial consequences. To assist in managing instant payment risks, federally insured depository institutions may take advantage of tools available on instant payment networks. For example, on the FedNow Service, transaction limits are configurable up to $500,000, and in the future, velocity controls will be available. Additionally, federally insured depository institutions may join the FedNow Service as a receiver only rather than as both a receiver and originator.
Instant Payments Heighten Operational and Compliance Risks
The speed, finality, and around-the-clock operation of instant payments pose unique challenges, especially for combating fraud. Consequently, federally insured depository institutions need to develop a holistic strategy for detecting and preventing fraud while maintaining compliance with the applicable regulations covering payment services and consumer protections. This strategy can start with close coordination among key operational stakeholders, including client services, payment operations, treasury management, fraud monitoring, and legal and compliance teams. The strategy should also encompass staff training, particularly on requirements for implementing an instant payment service, including messaging that is consistent with consumer laws. Furthermore, an institution should pursue market strategies that align with the overall risk appetite set by the institution’s board of directors.
Operationally, federally insured depository institutions should consider whether existing preventive and detective fraud and anti-money laundering (AML) controls are appropriate for instant payments for both account origination and transaction monitoring. Many of today’s fraud alert models rely on machine learning algorithms that require robust historical data to accurately detect patterns. However, historical data relationships may not exist when introducing a new type of payment offering because customer use of the service may diverge from traditional activity. Federally insured depository institutions will likely need to iteratively tune and test internal fraud alert models for expected and actual customer activity within instant payment networks so that they can better identify statistical type I and type II errors.8
Furthermore, many institutions have established AML processes that require some level of manual transaction screening to identify suspicious activity. Staff augmentation or system revisions may be necessary to ensure that AML reviews, Office of Foreign Assets Control screening, and customer due diligence practices comply with the Bank Secrecy Act. The FedNow Service provides tools that federally insured depository institutions can decide to use in their efforts to mitigate fraud risk.9
The legal framework that applies to the use of instant payment networks is also an important consideration for institutions. Instant and real-time payments are governed by existing payment system regulations, such as the Electronic Fund Transfer Act10 and its implementing regulation, Regulation E,11 and Article 4A of the Uniform Commercial Code.12 Certain regulations have been modified to reflect instant payment services. For example, in May 2022, the Federal Reserve finalized a rule under Regulation J, Subpart C,13 that went into effect October 1, 2022, and governs funds transfers over the FedNow Service, such as the ability not to post payments immediately if there is reasonable cause to believe that the customer receiving the payment is either not entitled or not permitted to receive it.14 Beyond existing regulatory requirements, institutions should also comply with dedicated operating rules.
Instant Payments May Increase Third-Party Risk
The significance of the service provider system in facilitating payments makes third-party risk management a top risk consideration. Federally insured depository institutions need to appropriately manage third-party risk, as it intersects with other payment system risks, most notably liquidity, cyber, compliance, and operational risks.15
Third-party service providers participate in many different stages of the payment process and have been integral in extending instant payment services to financial institution customers. These providers facilitate payments by offering technologies, such as point-of-sale equipment and application programming interface software, connecting payment system participants, and integrating transaction processing into existing platforms. More than 70 percent of the payments are processed by companies in Atlanta and around Georgia, earning Atlanta the nickname “Transaction Alley.”16
However, an institution’s reliance on third-party vendors for conducting instant payments should align with its outsourcing strategy and risk appetite. As outlined in Supervision and Regulation (SR) letter 23-4, “Interagency Guidance on Third-Party Relationships: Risk Management,” when engaging third parties to implement and operate instant payment services, financial institutions should assess vendors through a robust third-party risk management program that identifies risks and escalates a discussion of potential risks to senior management. The financial institution should perform initial and periodic risk assessments as well as ongoing risk identification and management, including an assessment of concentration risk.
Financial institutions should also ensure that their management information systems provide thorough and accurate information about these risks to appropriate governance bodies and board committees. This information should include appropriate metrics and key risk indicators that enable the institution’s management to assess the risks that any new or existing third parties that support instant payment services might introduce. Importantly, federally insured depository institutions are required to operate in a safe and sound manner and in compliance with applicable laws and regulations. Consistent with interagency guidance on third-party relationships,17 an institution’s use of third parties does not diminish its responsibility in this regard.
Conclusion
Once a federally insured depository institution has the proper risk management systems in place, it should benefit from increased efficiency in processing routine transactions. Embracing instant payments also allows an institution to stay competitive as fintech companies look to reduce the friction in existing payment systems. Additionally, innovation in the instant payment market can spur new services that an institution can provide to its customers, expanding noninterest income revenue potential. With prudent risk management practices in place, instant payments have the potential to greatly benefit federally insured depository institutions, the economy, and consumers.
- * This is a modified version of an article that originally appeared in the Atlanta Fed’s Economy Matters (February 16, 2023). The article is available at www.atlantafed.org/economy-matters/banking-and-finance/2023/02/16/key-risk-considerations-for-implementing-instant-real-time-payments.
- 1 For more information, see the 2024 Prime Time for Real-Time report from ACI Worldwide and GlobalData, available at https://www.aciworldwide.com/prime-time-for-real-time-report.
- 2 For more information, see the Federal Reserve Payments Insight Brief: Digital Wallets Emerge on Businesses’ Radar for Improved Customer Experience and Cost Efficiency, available at fedpaymentsimprovement.org/wp-content/uploads/043024-business-research-brief.pdf, and the Federal Reserve Payments Insight Brief: Banking My Way — Gen Z and Millennials Are Driving Change in Payments, available at fedpaymentsimprovement.org/wp-content/uploads/042624-consumer-brief.pdf.
- 3 See “Fast, Faster, Instant Payments: What’s in a Name?” from the Federal Reserve System, available at www.frbservices.org/financial-services/fednow/instant-payments-education/whats-in-a-name.html.
- 4 The policy is available at www.federalreserve.gov/paymentsystems/files/psr_policy.pdf.
- 5 The guide is available at www.federalreserve.gov/paymentsystems/files/psr_guide.pdf.
- 6 Institutions that want access to the discount window for funding must establish appropriate legal agreements and collateral for pledging. The Federal Reserve Bank of Atlanta has produced a flyer to help banks establish credit lines at the discount window.
- 7 The liquidity management tool is an example of accessing private-sector liquidity markets (the tool enables such access on weekends). See question 5 of the FedNow Additional Questions, available at www.federalreserve.gov/paymentsystems/fednow-additional-questions-and-answers.htm.
- 8 In statistics, a type I error is a false-positive conclusion, while a type II error is a false-negative conclusion. In relation to fraud, a type I error is when a fraud event is detected but no fraud is present, while a type II error is a missed fraud event.
- 9 See Fraud Prevention Tools, available at www.federalregister.gov/documents/2020/08/11/2020-17539/service-details-on-federal-reserve-actions-to-support-interbank-settlement-of-instant-payments.
- 10 See the act, available at www.ftc.gov/legal-library/browse/statutes/electronic-fund-transfer-act.
- 11 See Regulation E, available at www.federalreserve.gov/boarddocs/supmanual/cch/efta.pdf.
- 12 See Article 4A, available at www.uniformlaws.org/committees/community-home?CommunityKey=2985cf6d-9c22-4abe-abf1-1f36f8a27201.
- 13 The rule is available at www.federalregister.gov/documents/2022/06/06/2022-11090/collection-of-checks-and-other-items-by-federal-reserve-banks-and-funds-transfers-through-fedwire.
- 14 See Regulation J, subpart C, section 210.44 b(3), available at www.ecfr.gov/current/title-12/chapter-II/subchapter-A/part-210/subpart-C/section-210.44.
- 15 See Supervision and Regulation (SR) letter 23-4, “Interagency Guidance on Third-Party Relationships: Risk Management,” available at www.federalreserve.gov/supervisionreg/srletters/SR2304.htm, and SR letter 24-2/Consumer Affairs letter 24-1, “Third-Party Risk Management: A Guide for Community Banks,” available at www.federalreserve.gov/supervisionreg/srletters/SR2402.htm.
- 16 See Don Campbell and Glen Sarvady, Georgia's Fintech Ecosystem: Strong and Growing Stronger, a 2021 report from the Technology Association of Georgia, available at www.tagonline.org/wp-content/uploads/2021/06/2021-FinTech-Ecosystem-Report-spreads.pdf.
- 17 See SR letter 23-4.