Understanding Non-cash Payment Processing – Part 1
As payment channels emerge, change, are adopted, or fade away, the associated risks also change, making it increasingly challenging to assess the impact on the risk/reward equation.
Senior Vice President, Internal Audit
Payments processing and other value added activities that are linked with emerging payments processes carry certain risks and rewards in the payments cycle process. To illustrate the point of changing risks, consider that when cash is used for purchasing goods, the key risks are that the cash may be counterfeit and that it is subject to theft. When checks are used, there is the risk of insufficient funds and the risk that the check is drawn on the account of an unrelated third party (fraud). As payment processes move up the developmental curve, the risks change. In the case of credit cards, the credit card associations provide a framework for card issuers and acceptors (acquirers) to manage these risks. Since card issuers and acquirers generally accept the risks, the question is whether users of these channels understand and effectively manage them.
Understanding card payment processing enables internal auditors to develop audit programs that capture the full spectrum of risks in both card payment acceptance and collection practices. It also positions auditors to assess whether compliance activities of their organizations are aligned with card association rules and changing regulations.
Consumers and businesses today pay for goods and services with cash, checks, wire transfers, ACH, credit, debit, stored value, or prepaid cards. Some of these now leverage electronic payments over the Internet and mobile devices. There is a steady trend away from checks toward electronic payments while cash remains relatively steady at around 20 percent of transactions.
The triennial 2010 Federal Reserve Payments Study covering 2006-2009 shows that at the end of 2009, payments made with cards and ACH exceeded three quarters of all non-cash payments with payments by check down to 22 percent in 2009 from 32 percent in 2006. During this period while credit card transactions remained stable, use of ACH, debit, and prepaid cards grew 9.4 percent, 14.8 percent, and 21.5 percent respectively, while check usage declined 7.1 percent. The largest decline in check usage was in the consumer to business category (17 billion in 2006 to 12.3 billion in 2009).
While non-cash payment processing can take many forms, payments are generally funded either from an existing account with funds (wire transfer, ACH/SWIFT, check, debit card, or stored value) or against a credit line (wire transfer, ACH, credit cards, or checks). The payment channel used may range from an in-person card or check-based transaction to card-not-present mail, telephonic, wired, or wireless channels. The key in all these processes is trust. For the process to work consistently, the payment recipient must trust that the payer is who they say they are (identity) and has the capacity to make the payment (good funds). The payer must trust the recipient to provide the goods or services involved in the transaction, and both the payer and recipient must trust that the intermediary (usually a bank) will complete the payment process as instructed. The process components are authentication (originator and transaction), authorization, and settlement among all parties in the payment processing chain.
In the case of cash transactions, both the buyer and seller use a mutually acceptable payment form, namely cash. Even with cash, a third party (the currency issuer), most commonly a sovereign entity (the Federal Reserve Bank in the United States), is involved at some level in the transaction. This currency issuer and the laws related to the issuance of currency provide comfort as to the value of currency at a given time. While no longer on the gold standard, trust in currency is foundational to all cash transactions. All other payment forms in any given currency are built on this trust.
Putting aside the currency issuer, when a non-cash payment is accepted, there are at least three parties to the transaction — assuming the payer and receiver have accounts at the same financial institution — the payer, the recipient, and the financial institution. If the payer and receiver had accounts at different financial institutions there would be two financial institutions involved in the process. There have been a number of attempts to streamline this to a two-party model though none have gained widespread acceptance.
When funds are held by a financial institution for a payer, it is often in the form of an account owned by the payer. Examples include deposit accounts, savings accounts, and checking accounts. Card payments processed against these accounts are considered to be debit transactions, whereas credit transactions are those where the financial institution extends credit to the payer to complete the transaction.
For another group, often referred to as the unbanked, which includes consumers who do not qualify for bank accounts or have limited access to credit, stored value cards have emerged. Under the stored value model, a payer can load funds onto a card that the receiver can use at cash machines or merchants. Variations of stored value cards are being used as gift cards and payroll cards.
Various stakeholders (card associations, regulators, and lawmakers) have promulgated standards to secure payment-processing channels. Some of these standards include Payment Card Industry Data Security Standards, the Gramm-Leach-Bliley Act, and the Dodd-Frank Wall Street and Consumer Protection Act, to name a few. While the consumer or payer would want to know that only payments they authorize are processed against their accounts, the payment recipient needs assurance that a payment, once processed and approved, constitutes good funds. As the primary mover of funds, financial institutions need assurance that the transactions are not fraudulent.
The stakeholders include the currency issuer, the foundation for payments processing; the consumer (both seller and buyer); the settling intermediary or intermediaries, generally financial institutions; regulators who establish and manage regulations to provide safeguards for consumers and the payments system; and card associations.
THE CREDIT CARD
In its simplest form, consider a small town with one bank. That bank, which is a member of a card association, is authorized to issue credit cards and also to enable merchants to accept credit cards as a form of payment. Under this scenario, when the customer offers the card for payment at a merchant, the merchant processes the card to determine whether or not the payment is good. In this process, information is sent to the bank to determine whether or not the cardholder has sufficient credit to process the transaction. If so, the transaction is authorized and the bank transfers funds into the merchant's account. If not, the transaction is declined. If approved, the bank becomes a creditor to the customer on the terms outlined in the credit card agreement.
When a bank issues a customer a credit card, it is effectively providing that customer with a revolving line of credit. The bank, therefore, leverages some level of credit review to determine whether or not to extend a credit line to a customer and if so, the amount and terms of that credit line. Next, the bank produces and issues a credit card to the customer. If the customer accepts the card, it is generally on standard contractual terms between the customer and the bank.
Similarly, the bank can allow merchants to accept credit cards. While not necessarily intuitive, allowing merchants to accept credit cards exposes the bank to credit risk. So, based on the bank’s evaluation of the merchant in terms of risk exposure (determined by a variety of factors), the bank establishes pricing and collateral requirements, if any, for merchants it authorizes to accept credit cards. The arrangements between merchants and the bank are also contractual.
As the town grows and a number of new banks are formed, each offering similar services under proprietary credit cards, it quickly becomes apparent that to service all the customers in that town, merchants need to be able to accept payments from customers at all the banks in town. That is, under the model described above, a customer of bank A can only make credit card payments at merchants who can process cards issued by bank A.
To address this, the banks can agree to a common standard by creating a joint venture with one card brand and one set of common rules for the banks, bank customers, and merchants. The joint venture would then route transactions to the appropriate banks for authorization and processing.
While that addresses one issue, that of widespread card acceptance, each bank would still need its own card production shop, authorization, settlement, and billing processes at relatively high cost. Consolidating these activities into one entity can bring economies of scale. These economic realities lead to the banks creating joint ventures to produce cards and to manage the authorization data flow, settlement and billing processes, customer billing, etc.
Over time, banks began to spin off these joint ventures, resulting in independent card associations and payments processing companies. Some of the more familiar names include Visa, MasterCard, Discover, American Express, JCB, China UnionPay, First Data, TSYS, and Global Payments.
Under the current U.S. model, only banks can be members of the card associations. Being a member of a card association allows a bank to issue to its customers credit cards bearing the card association’s logo. The card will then be accepted at merchants that have signed agreements to accept that association’s cards. Payments processors can provide issuing services only on behalf of card association members. They also may process merchant acquiring transactions on behalf of merchants, though the merchants must have a relationship with a member bank.
VALUE IN KNOWLEDGE
As payments move toward electronic settlements driven by debit and credit cards, the risk profiles for businesses change. Internal auditors need to understand how these risks change so they can adapt their audit program appropriately. These audit program changes range from providing independent reviews of compliance activities to assessing opportunities and exposure stemming from changes in payment processes.
Part 2: PCI-DSS security standards and regulations that apply to banking transactions.
To comment on this article, email the FSA Times editor at Shannon.firstname.lastname@example.org.