Payments for E-Commerce
Many businesses accept various forms of electronic payments for their products and services. Financial institutions play an important role in electronic payment systems by creating and distributing a variety of electronic payment instruments, accepting a similar variety of instruments, processing those payments, and participating in clearing and settlement systems. However, increasingly, financial institutions are competing with third parties to provide support services for e-commerce payment systems. Among the electronic payments mechanisms that financial institutions provide for e-commerce are automated clearing house (ACH) debits and credits through the Internet, electronic bill payment and presentment, electronic checks, e-mail money, and electronic credit card payments. Additional information on payments systems can be found in other sections of the IT Handbook.
Most financial institutions permit intrabank transfers between a customer's accounts as part of their basic transactional e-banking services. However, third-party transfers - with their heightened risk for fraud - often require additional security safeguards in the form of additional authentication and payment confirmation.
Bill Payment and Presentment
Bill payment services permit customers to electronically instruct their financial institution to transfer funds to a business's account at some future specified date. Customers can make payments on a one-time or recurring basis, with fees typically assessed as a "per item" or monthly charge. In response to the customer's electronic payment instructions, the financial institution (or its bill payment provider) generates an electronic transaction - usually an ACH credit - or mails a paper check to the business on the customer's behalf. To allow for the possibility of a paper-based transfer, financial institutions typically advise customers to make payments effective 3-7 days before the bill's due date.
Internet-based cash management is the commercial version of retail bill payment. Business customers use the system to initiate third-party payments or to transfer money between company accounts. Cash management services also include minimum balance maintenance, recurring transfers between accounts, and on-line account reconciliation. Businesses typically require stronger controls, including the ability to administer security and transaction controls among several users within the business.
This booklet discusses the front-end controls related to the initiation, storage, and transmission of bill payment transactions prior to their entry into the industry's retail payment systems (e.g., ACH or check processing). The IT Handbook's "Retail Payment Systems Booklet" provides additional information regarding the various electronic transactions that comprise the back end for bill payment processing. The extent of front-end operating controls directly under the financial institution's control varies with the system configuration. Some typical configurations are listed below in order of increasing complexity, each followed by its potential control considerations.
- Financial institutions that do not provide bill payment services, but may direct customers to select from several unaffiliated bill payment providers.
  - Caution customers regarding security and privacy issues through the use of on-line disclosures or, more conservatively, e-banking agreements.
- Financial institutions that rely on a third-party bill payment provider, including Internet banking providers that subcontract to third parties.
  - Set dollar and volume thresholds and review bill payment transactions for suspicious activity.
  - Gain independent audit assurance over the bill payment provider's processing controls.
  - Restrict employees' administrative access to ensure that the internal controls limiting their capabilities to originate, modify, or delete bill payment transactions are at least as strong as those applicable to the underlying retail payment system ultimately transmitting the transaction.
  - Restrict by vendor contract and identify the use of any subcontractors associated with the bill payment application to ensure adequate oversight of underlying bill payment system performance and availability.
  - Evaluate the adequacy of authentication methods given the higher risk associated with funds transfer capabilities rather than with basic account access.
  - Consider the additional guidance contained in the IT Handbook's "Information Security," "Retail Payment Systems," and "Outsourcing Technology Services" booklets.
- Financial institutions that use third-party software to host a bill payment application internally.
  - Determine the extent of any independent assessments or certification of the security of application source code.
  - Ensure software is adequately tested prior to installation on the live system.
  - Ensure vendor access for software maintenance is controlled and monitored.
- Financial institutions that develop, maintain, and host their own bill payment system.
  - Consider additional guidance in the IT Handbook's "Development and Acquisition Booklet."
Financial institutions can offer bill payment as a stand-alone service or in combination with bill presentment. Bill presentment arrangements permit a business to submit a customer's bill in electronic form to the customer's financial institution. Customers can view their bills by clicking on links on their account's e-banking screen or menu. After viewing a bill, the customer can initiate bill payment instructions or elect to pay the bill through a different payment channel.
In addition, some businesses have begun offering electronic bill presentment directly from their own websites rather than through links on the e-banking screens of a financial institution. Under such arrangements, customers can log on to the business's website to view their periodic bills. Then, if so desired, they can electronically authorize the business to "take" the payment from their account. The payment then occurs as an ACH debit originated by the business's financial institution as compared to the ACH credit originated by the customer's financial institution in the bill payment scenario described above. Institutions should ensure proper approval of businesses allowed to use ACH payment technology to initiate payments from customer accounts.
Cash management applications include the same control considerations described above, but the institution should consider additional controls because of the higher risk associated with commercial transactions. The adequacy of authentication methods becomes a higher priority and requires greater assurance due to the larger average dollar size of transactions. Institutions should also establish additional controls to ensure binding agreements - consistent with any existing ACH or wire transfer agreements - exist with commercial customers. Additionally, cash management systems should provide adequate security administration capabilities to enable the business owners to restrict access rights and dollar limits associated with multiple-user access to their accounts.
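As an added illustration (not from the booklet or any vendor's system), the following shows how the two layers of control described above could be enforced before a payment is released: per-user dollar limits administered by the business owner, which reject a transaction outright, and the institution's dollar and volume thresholds, which route a transaction to manual review for suspicious activity. All user limits, thresholds, and sample payments are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class UserLimits:
    per_txn_limit: float   # largest single payment this user may originate
    daily_limit: float     # aggregate amount this user may originate per day

@dataclass(frozen=True)
class Payment:
    user: str
    payee: str
    amount: float
    when: datetime

class CashManagementPolicy:
    def __init__(self, user_limits, review_amount, review_count_per_hour):
        self.user_limits = user_limits               # set by the business owner
        self.review_amount = review_amount           # institution dollar threshold
        self.review_count_per_hour = review_count_per_hour  # institution volume threshold

    def evaluate(self, payment, history):
        """Return (decision, reason); decision is approve, review or reject.
        Hard per-user limits are checked before the softer review thresholds."""
        limits = self.user_limits.get(payment.user)
        if limits is None:
            return ("reject", "user not entitled to originate payments")
        if payment.amount > limits.per_txn_limit:
            return ("reject", "exceeds per-transaction limit")
        same_day = sum(p.amount for p in history
                       if p.user == payment.user and p.when.date() == payment.when.date())
        if same_day + payment.amount > limits.daily_limit:
            return ("reject", "exceeds daily limit")
        window_start = payment.when - timedelta(hours=1)
        recent = [p for p in history
                  if p.user == payment.user and window_start <= p.when <= payment.when]
        if len(recent) + 1 > self.review_count_per_hour:
            return ("review", "volume threshold exceeded")
        if payment.amount >= self.review_amount:
            return ("review", "dollar threshold exceeded")
        return ("approve", "within limits")

# Constructed sample configuration and history (hypothetical users and payees).
POLICY = CashManagementPolicy(
    user_limits={"owner": UserLimits(50_000, 100_000), "clerk": UserLimits(5_000, 13_500)},
    review_amount=25_000, review_count_per_hour=3)
T0 = datetime(2024, 3, 1, 9, 0)
HISTORY = [Payment("clerk", "vendor-a", 3_000, T0 + timedelta(minutes=10 * i)) for i in range(3)]
```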
Electronic person-to-person payments, also known as e-mail money, permit consumers to send "money" to any person or business with an e-mail address. Under this scenario, a consumer electronically instructs the person-to-person payment service to transfer funds to another individual. The payment service then sends an e-mail notifying the individual that the funds are available and informs him or her of the methods available to access the funds including requesting a check, transferring the funds to an account at an insured financial institution, or retransmitting the funds to someone else. Person-to-person payments are typically funded by credit card charges or by an ACH transfer from the consumer's account at a financial institution. Since neither the payee nor the payer in the transaction has to have an account with the payment service, such services may be offered by an insured financial institution, but are frequently offered by other businesses as well.
Some of the risk issues examiners should consider when reviewing bill payment, presentment, and e-mail money services include:
- Potential liability for late payments due to service disruptions,
- Liability for bill payment instructions originating from someone other than the deposit account holder,
- Losses from person-to-person payments funded by transfers from credit cards or deposit accounts over which the payee does not have signature authority,
- Losses from employee misappropriation of funds held pending access instructions from the payer, and
- Potential liability directing payment availability information to the wrong e-mail or for releasing funds in response to e-mail from someone other than the intended payee.