Operational Resilience in Payments

podcast

Operational Resilience in Payments

Protiviti Podcast Transcript Transcript

Kevin Donahue, Protiviti
Kevin

Hello. This is Kevin Donahue with Protiviti, happy to bring you a new edition of Powerful Insights. Operational risk and resilience are in the spotlight that continues to grow ever brighter, and one of the many important considerations with regard to resilience is payment systems, particularly because, as I learned, there really are only two settlement systems in place for clearing and payments despite the mounting number of financial products in the market.

Nathan Hilt is a managing director with Protiviti. Based in San Francisco, he serves as the cross-solution payments leader within Protiviti’s Technology Strategy and Operations group, which is within our Technology Consulting practice for the financial services industry. I had the pleasure to sit down with Nathan to discuss operational resilience and, in particular, viewing it through a payments lens. So, Nathan, great to talk with you today.

 

Nathan
Thank you. Happy to be here.
Kevin Donahue, Protiviti
Kevin
Nathan, tell me first off, how important are payment systems – particularly high - value systems that financial institutions rely on – to look at, from a global perspective, our monetary and financial stability?
Nathan

I would say those systems are critical. There aren’t very many of them, so a lot of people don’t realise that the settlement systems for clearing and payments in general – there are only two: There’s the Fedwire, and then there’s the ACH [automated clearing house]. So, I think when people think about payments, they think about those that are on their app or that their bank provides, et cetera, and I would say those have been built on the fringe, on the outside – they’re touching consumers or people in businesses, but then, the reality is that the settlement between the banks goes on either one system or the other.

I think they’re critical because the volume (meaning, the number of transactions) and then the dollar value (very, very large) are continuing to grow, and then I think the fact that there are only two, and no one is building a third system – because it’s hard to do that and create the connectivity and the legacy – it means that these two systems are going to be around for a while longer, even with all the innovation that’s out there, and the financial inclusion, and having more people participate in payments and settlement banking.

Kevin Donahue, Protiviti
Kevin
Nathan, quick follow-up there: There are two systems, so if even one of those goes down, it sounds like that would be crippling.
Nathan

It would. It’s not just that if, say, we both own a bank and transactions flow between the two of us, the system goes down – you can’t settle, and I can’t settle. It’s that there’s a ripple effect. It’s all the endpoints that use that – and a lot of systems that, again, are built on the fringe, they have net settlement between the endpoints. Some settle individually across all of them, but either way, the bank, then, that you’re interacting with on the other side would not be able to receive payment.

So, with this ripple effect, if one or both of those systems go down, all of the endpoints around there are affected, and all of them aren’t able to settle and clear and have the transactions, whether it’d be on a daily basis or if there’s a multiday aspect to it, all of them start to go down. So, again, it’s critical because there are a lot of transactions that flow across; there aren’t very many of these systems. And then the counterparty aspects of settling between the entities is a ripple effect. If one goes down, pretty much everything goes down.

Kevin Donahue, Protiviti
Kevin
Historically, have we had any major events that have come close to this type of crippling scenario disrupting our payment systems? And if we have, what lessons did we gain from those experiences?
Nathan

There are two good examples. Bad things happen, but they’re good examples of what does happen when something bad happens. The first is 9/11. When 9/11 happened, it basically shut down the banking system. The reason why that happened is because before 9/11, transactions were still settled via paper. There still was clearing and settlement for checks and check processing – large-volume, paper-based. So, what happened is that when all of the systems shut down and the streets shut down and there were no cars moving and planes flying, then you could not transfer the paper that was needed in order to do settlements.

The lesson that was learned out of that is, we need to hurry up and get out of the paper of the clearing and settlement process. There were things that were done in order to “electronify” checks, because at the bottom of every check, there’s a transit routing number that can flow through the ACH system, but the banks were still using, for legacy reasons, a lot of paper processing. There was a lot that was done over the next few years in order to learn, to get away from payment, because these things, they do go down at some points when an emergency happens, and we need to move to something that’s electronic.

However, the second event was the 2008 recession. That was more of – you realise that there was one entity, so when Lehman Brothers went down, it created this ripple effect within the other financial markets that if they can’t settle – so, it wasn’t a systematic thing, but it was that a participant in this system went down, and so all the other counterparties that were relying upon whatever Lehman Brothers was doing for that day, they no longer could meet those obligations.

So, what came out of that was regulation. The Dodd-Frank Act and other regulations were put into place, and the main thing was to protect the consumer so that if there were things that happened, it wouldn’t affect the endpoints. There was a lot of regulation, and then they protect the consumer, but also stress-testing – it gave a lot of scrutiny to the different banks that were participating to make sure that they were healthy so that you couldn’t have, again, this one entity that would fail, or multiple entities, because then, the whole financial system in the U.S. was going to fail. So, there was a point, and from those two, I think we did learn good lessons: Move from paper to electronic, and then make sure all the participants are healthy and that there’s protections for the end consumers.

Kevin Donahue, Protiviti
Kevin
I am segueing next to today, or the rapid technological developments we’re all hearing about. In this environment we’re in today, what are some of the biggest threats or risks facing the payments industry that you see? And to my earlier point, how are those risks changing with rapid technology development, digital transformation and such?
Nathan

The main one is that there are just more people using these systems. If you look at any of the statistics around payments and volumes and transactions, they’re all growing. Now, they ebb and flow where they’re growing 10% or 6%, but the volume is consistently growing, and it’s all electronic. So, back to the clearing and settlements systems in the U.S., which are either Fedwire or the ACH; they’re getting used more and more and more. The biggest risk is that when you have something bad happen, it’s going to affect a lot more people.

People really don’t understand often that even though you have a credit card or some sort of mobile wallet and you’re doing transactions on that, behind the scenes, it’s still the same two settlement systems. So, Visa and MasterCard, although they have very complex systems and products, they still move money, at the end of the day, through Fedwire, and so does PayPal, and so does Zelle, and Venmo. They all use the same core train tracks for settlement, and there’s no one building new train tracks.

So, I think the big risk is that, one, more people are using it, so the effect, if something bad happens, becomes more and more and more, and the people that are using the services don’t really understand what’s going on behind the scenes. Although there are protections, they don’t realise that – and I’ll share a story that a banker doesn’t necessarily understand settlement systems, and that they don’t understand that while I have access to the money, maybe immediately, or that the data’s been delivered immediately, settlement is still happening behind the scenes. The movement of money between the banks happens behind the scenes, and those are still the same two settlement systems, and it’s still in batch processing.

I was at a conference, and there was a bankrupt – granted, he was talking about sanctions and AML and things that are not necessarily on the fringe of payments, but he started to give an example of Zelle, which is a bank-to-bank system that allows person-to-person transfer. It’s very popular. He was talking about how that’s what he uses to send money to his daughter, and that he knows that it’s real-time because he sends the money and then he hears the ping when he’s talking to his daughter on the phone, and she has the money. But then, later on in the story, he realises that that runs off the ACH, and the ACH is not a real-time system.

So, even though the data arrives real-time and you may have access to the money, the movement between the banks – because that’s a closed system and trusted parties – still happens in batch. The ACH is getting faster ¬– there’s multiday settlement within the ACH – but it‘s still not real-time. So, to your question around “What is the risk?” it’s that more people are using them, they’re using them in more transactions at smaller amounts, and yet we’ve still not built a third rail in order to process and clear the transactions.

Kevin Donahue, Protiviti
Kevin
Even with this massive growth in payment products and options – you mentioned Zelle, Venmo, PayPal, so forth – even with the massive growth in those last five years, you’re saying the underlying infrastructure around these payments has not changed.
Nathan

Not at all. Zero. And I would even take it a step further: From what I have seen in the industry – I follow this pretty closely – no one’s even designing a third rail. There’s nothing even in the works. So, if you follow the faster payments – which the Fed has been leading, and there’s a new initiative, FedNow – that’s not to create a third rail for Federal Reserve and federal-initiated payments between the banking system, it’s just to make what they currently have, faster, to do things in a real-time manner.

Same thing with ACH; the ACH is moving to multiday settlement within the ACH window – again, getting to faster payments – but no one is designing another ACH. All this has been innovated on the fringe. It’s not just in the U.S.; it’s the same thing with each country. They will have an equivalent of these products and services. So, if I’m a multinational bank and let’s just say, something – knock on wood – goes down in the U.S., I may be able to transfer some of those volumes to other domestic systems. But again, they have similar systems. They have some sort of real-time, gross settlement system that the federal banks, or the Bank of England, or those that are national banks are able to participate and run, and then they have some sort of ACH-like transactional system. But I’m not aware of any country that has a third system. So, all the innovation, but still the same underlying systems for settlements.

Kevin Donahue, Protiviti
Kevin
You’ve mentioned that no one’s developing a third system. I think I know the answer to this question, but we’ll ask it anyway. What can financial institutions do to enhance the resilience of payment services and manage the risk of a technology-related outage and potential catastrophic results that might come from that?
Nathan

I think the main piece is that there’s education around this, that there’s an understanding that, yes, there is a lot of innovation on the fringe and we still are relying upon the same settlement systems. That’s a piece of it. The second is that, even within each of the financial institutions, it’s one of those things: The weakest link of the chain is what ends up breaking it down, but if they’re all strong and there is guidance around resilience and the critical business functions and services within a bank in clearing and settlements, and payment is one of those pieces. So, if they’re following the resiliency policies in order to look at the business impact and how that works with counterparties, then that will make a healthier financial system, and that’s to everyone’s benefit.

But if you really wanted to make sure you’re not dependent on just two systems, somewhere, you would have a third system. The only thing that I’ve seen as to what may be a third system is cryptocurrency, and that often is a bad word within the banking sector because they don’t necessarily believe in the current cryptocurrencies that are out there. Again, at this banking conference, the bankers are saying it’s a Ponzi scheme¬ – Bitcoin is a Ponzi scheme, not to be trusted. So, there are a lot of varying opinions upon how to use cryptocurrency. If you read about it today in the U.S., Facebook is trying to stand up Libra as a currency, even though it’s a stable coin pegged to the U.S. dollar, so that would effectively create a third way of clearing and settlement between entities. It’s not exactly the same as the two systems that exist today, but it would be an alternative. But from what I’ve read and seen in the press, it doesn’t seem like Libra is going to get off the ground. As far as what is out there in innovation, I’ve only seen cryptocurrencies or some version of blockchain that could effectively become a “third rail.”

Kevin Donahue, Protiviti
Kevin
So, Nathan, one final question for you – a fascinating discussion here – what role, if any, can the regulators play from a policy standpoint to enhance the resilience of payments or otherwise ensure the stability of the system?
Nathan

In the banking system, like I said, the output out of the 2008 recession has been a good framework, and it’s stress-tested; it’s given banks another set of eyes to what they do and how they do things. I don’t think that we need another version of that. I do think that extending some of the criticality of what the regulators look at to these other third-party systems that are critically important is probably something that they’re going to take a look at.

So, when you think about the amount of money that is moved through the card networks – so, this would be AMEX, although they are regulated as a bank, and Discover, a portion of that is regulated as a bank, but VISA and MasterCard are not regulated as a bank, PayPal is not regulated as a bank. So, I think they would possibly need additional scrutiny to make sure that they are resilient. Certainly, to this day, they’ve been resilient. There have been a few outages, but what you realise is that it’s not just the card networks. The card networks all talk to processors, and within the consolidation in the U.S., you basically have three very large processors – FIS [Fidelity National Information Services], Fiserv and Global Payments – that process the vast majority of the consumer payments in the U.S.

So, it’s like, “OK, do you need to have, because of the criticality and importance, a further view into what those entities are doing?” Then you have the fintechs that are then also putting services together on the fringe. Where do they fit in the grand scheme of things? And you get into the cryptocurrency space, and the regulators are looking at how to manage the cryptocurrencies, and the New York DFS [Department of Financial Services] has put something out there. But I think all of those are more about functionality. It’s not necessarily around “Are these things going to stand up? If one of you fails, then what’s the failover? And if multiple of you fail, what happens then?”

And really, the main piece is, what is going to happen to the end consumer? Because at the end of the day, with larger amounts of people, financial inclusion, all of the innovation, you have more and more people at younger and younger ages that are using these financial systems and these tools. What’s going to happen if somehow, there is a breakdown? I think that’s the piece that, really, is not well understood, and there would have to be continued discussion around that.

And there is an example. In some of the European countries, more than 90% of the transactions that happen at a consumer level flow through either one processor or one card network. What the governments have realised is that they are critically important, and they want to keep their finger on the pulse of those entities, and even have oversight from a board perspective, or an understanding of what goes on and how those companies are run and the decisions that are made, because, again, when 90% of the transactions go through and somehow there is an outage – there was one in the UK last year – it affects a lot of people, and there isn’t another way to transact other than we all go back to cash, but then oftentimes, in order to get cash, you’re going to an ATM, and those ATMs are run by the same networks that have an outage. So, there really isn’t a third way to get funds and to transact.

Kevin Donahue, Protiviti
Kevin
Nathan, this has been great. Thanks for sitting down with me today.
Nathan
You’re welcome.
Kevin Donahue, Protiviti
Kevin
Thanks for listening today. You can find more information and thought leadership on Operational Resilience page. I also invite you to subscribe to our Powerful Insights podcast series wherever you find and download your podcast content.
KATEGORIE INDUSTRIE:
Financial Services
SUBSCRIBE TO PODCASTS: