FinTech businesses focused on payments systems and foreign exchange have witnessed an explosion of demand in recent years. As these payment systems services continue to gain mainstream acceptance, financial regulators in the US are increasingly interested in monitoring and, as appropriate, prescribing policies or regulations concerning them, slowly casting a prudential regulatory framework over the FinTech payments systems industry.[1] The policy and regulatory landscape in this area is undergoing fundamental change.
Background
Regulation of the US payment system is highly fragmented and often ad hoc. In the foreign exchange sector, for instance, the appropriate regulator and the nature of the regulation depend on the type of transaction, location of the transaction, and type of counterparty to the transaction. For the most basic spot transactions, no prudential regulator may be involved, but for other transactions, federal securities, treasury, derivatives, and federal or state banking regulators may be involved. As to the money transmission sector, regulation occurs at both the federal level, via anti-money laundering laws and regulations administered by an office of the US Treasury Department, and at the state level, by any state that chooses to impose a supervisory regime, which most often takes the form of licensure and prudential supervision.
Electronic fund transfers that flow through financial institutions are also generally regulated as are entities that provide certain services to banks. Enforcement jurisdiction of prudential bank regulators extends to the banks’ affiliates and vendors. As to the largest systemically important payment processors, US law subjects them to potential supervision by the Board of Governors of the Federal Reserve System (“Federal Reserve”), as it does for systemically significant financial market utilities (firms that manage or operate a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the firms).
The Federal Reserve, with this fragmented framework in mind and seeking to explore how it might influence and shape the future of the US payment system, published a consultation paper two years ago.[2] The paper sought public comment on ways to make the US payment system safer, more accessible, faster, and more efficient from end-to-end. Earlier this year, the Federal Reserve published a second paper which, based on the work the Federal Reserve has done, presents a multifaceted plan for collaborating with payment system stakeholders to enhance the speed, safety, and efficiency of the US payment system.[3]
On June 25, 2015 Federal Reserve Governor Jerome H. Powell delivered a speech entitled “The Puzzle of Payments Security: Fitting the Pieces Together to Protect the Retail Payments System.”[4] The speech serves as a good reminder of the keen and continuing interest US regulators have with respect to FinTech payments systems. Importantly, the speech unveiled the creation and working timelines of two task forces whose policy recommendations may shape the operating landscape of FinTech businesses providing payment systems services in the United States. The remainder of this client advisory details Governor Powell’s speech concerning recent policy developments in the sector.
Payment System Task Forces
To continue stakeholder dialogue with respect to advancements in the US payment system, the Federal Reserve established two task forces: one for faster payments and one for payment security, to work independently and in concert.
- Faster Payments Task Force. The steering committee for this task force met earlier this summer to begin developing timelines, processes, and criteria — including criteria related to security — that will be used to evaluate potential approaches to improving the speed of the payment system. By the end of next year, the task force hopes to lay out its detailed thinking on the most effective approaches to implementing faster payments in the United States.
- Secure Payments Task Force. This task force conducted its first organizational call in June and its steering committee will meet in mid-July.
Guidance on Regulatory Expectations for FinTech Businesses in the Payments Systems Sector
Governor Powell’s speech, while not prescribing specific regulations for FinTech firms providing payment system services in the United States, notes several points that likely foreshadow supervisory expectations for such businesses, as described below:
- Industry Benchmarking. Firms that process or store sensitive financial information, such as banks, merchants, and other FinTech payment processing businesses, should keep their hardware and software current with the latest industry standards. Implicit in such advice is that such firms should benchmark their technology standards against industry peers.
- External and Internal Threats. Governor Powell noted that methods to devalue payment data, like tokenization and encryption for data at rest, in use and in transit, mitigate the effect of a data breach, with respect to external firm threats. He further advocated the use of analytics to identify and prevent fraudulent transactions and firewalls and segmentation of technology supporting critical functions to protect networks from external attacks. As for internal threats, Governor Powell suggested that segregation of duties, background checks, and monitoring for anomalies can help reduce risks and, for protection against a firm’s partners and service providers, he advocated for strong vendor-management programs.
- Planning. Firms may look to the newly created cyber security framework released by the National Institute of Standards and Technology, which provides a voluntary, holistic, risk-based approach to planning for payment system security. The framework identifies five core functions: identify, protect, detect, respond, and recover.[5]
Identify. Firms can keep up to date on cyber developments and gather information about threats from information sharing forums such as FS-ISAC, US-CERT, and the FBI’s InfrGard.[6]
Protect. Firms should develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect. Firms should develop and implement appropriate activities to identify the occurrence of a cyber security event.
Respond. Firms should think through necessary responses to security breaches before they occur.
Recover. Firms should have plans in place to recover business functions, which may include investments in new tools and approaches to aid in rapid recovery.
Summary
The policy and regulatory landscape for FinTech businesses operating in or seeking to enter the United States market is still undergoing fundamental change. Positively, this change reflects regulatory and market acceptance of novel payments systems in the United States which, while still a step behind its peer countries, is rapidly catching up.
ENDNOTES
[1] For instance, the New York State Department of Financial Services recently passed its supervisory framework for regulating virtual currency businesses, as described in our client advisory “New York State Adopts “BitLicenses” and Comprehensive Rules for Virtual Currency Firms,” which can be found here.
[2] See Federal Reserve, “Payment System Improvement – Public Consultation Paper,” (September 10, 2013), available at https://fedpaymentsimprovement.org/wp-content/uploads/2013/09/Payment_System_Improvement-Public_Consultation_Paper.pdf.
[3] See Federal Reserve, “Strategies for Improving the U.S. Payment System,” (January 26, 2015), available at https://fedpaymentsimprovement.org/wp-content/uploads/strategies-improving-us-payment-system.pdf.
[4] Jerome H. Powell, Governor of the Board of Governors of the Federal Reserve System, “The Puzzle of Payments Security: Fitting the Pieces Together to Protect the Retail Payments System,” (June 25, 2015), available at http://www.federalreserve.gov/newsevents/speech/powell20150625a.pdf.
[5] National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity,” (February 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.
[6] See Financial Services – Information Sharing and Analysis Center (“FS-ISAC”), available at https://www.fsisac.com/; United States Computer Emergency Readiness Team (“US-CERT”), available at https://www.us-cert.gov/; InfraGard, available at https://www.infragard.org/.
The full and original memorandum was initially published by Arnold & Porter on July 1, 2015 and is available here.