Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.
This overview supports the Payment Lifecycle and Security Profile for the Wire Payment Type.
Wire Definition: A wire payment (or funds transfer as specified in UCC 4A) is the transfer of funds from the payer’s account at one financial institution to the payee’s account at another financial institution.
Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)
Legal and Regulatory References
Uniform Commercial Code Article 4A (UCC 4A): Funds Transfers (as adopted by the states)
Regulation J, Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers through Fedwire®, 12 Code of Federal Regulations (CFR) § 210.25 et seq.
Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S. Code (U.S.C.) § 5311, et seq.; 31 CFR § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014)
Customer Identification Program (CIP), 31 CFR § 1020.220, et seq.
Identity Theft Red Flags Rules, 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NCUA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)
Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) – FRB SR 13-19: third-party oversight guidance, including a set of cyber-risk oversight activities with reporting and expectations for Boards of Directors and Senior Management.
FFIEC IT Examination Handbooks: Some of the handbooks come up more frequently in exams, but all of them contain provisions that affect payments compliance in the areas of confidentiality, availability, data integrity, privacy and third-party oversight.
- FFIEC, IT Examination Handbook, Wholesale Payment Systems (July 2004)
- FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
- FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
- FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)
FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005); FFIEC, Supplement to Authentication in an Internet Banking Environment (June 28, 2011)
FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to help financial organizations manage cyber-risk. Use of the CAT is strongly encouraged by some US states, but because it is based on existing guidance it does not constitute new regulation.
Gramm-Leach-Bliley Act (1999), 15 U.S.C. § 6801 et seq.
Regulation P, Privacy of Consumer Financial Information, 12 CFR § 1016.1 et seq. – enacted to control how financial institutions handle the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions on the role of risk management, boards and third-party oversight.
Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)
Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531 et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)
State-based cybersecurity and breach laws: A challenge because the regulations vary from state to state. Coverage includes:
- All 50 States address unauthorized access, malware and viruses
- 20 States address spyware
- 23 States address phishing
Source: National Conference of State Legislatures
International cybersecurity regulations and related data-protection laws: Vary widely and continue to evolve, e.g., European Union General Data Protection Regulation (May 2018); Japan: Act on the Protection of Personal Information (May 2017)
Office of Foreign Assets Control (OFAC)/Sanction Screening
Other References
Society for Worldwide Interbank Financial Telecommunication (SWIFT)/International Organization for Standardization (ISO) 20022: Financial Services – Universal financial industry message scheme
- Interbank communications system that provides a standardized method for sharing financial information between financial institutions globally.
SWIFT Customer Security Program (CSP)
American National Standards Institute (ANSI) X9.69-2012 Framework for Key Management Extensions
ANSI X9.73 Cryptographic Message Syntax – ASN.1 and XML
National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST Special Publication 800-53
Clearing House Interbank Payments System (CHIPS) Rules and Administrative Procedures
- International funds transfers, operated by The Clearing House
Source: https://www.theclearinghouse.org/-/media/files/payco%20files/chips%20rules%20and%20administrative%20procedures%202016.pdf?la=en, pp. 7-10
Federal Reserve Operating Circulars 5 – Electronic Access; and 6 – Funds Transfers Through the Fedwire® Funds Service
Fedwire® Application Interface Manual (FAIM)
Principles for Financial Market Infrastructures (PFMI)
Committee on Payments and Market Infrastructures (CPMI) – International Organization of Securities Commissions (IOSCO) guidance on cyber resilience for financial market infrastructures
Challenges and Improvement Opportunities
Enrollment: Enrollment standards are needed to identify and authenticate the people authorized to initiate transfers.
Authorized access requires dynamic controls with expanded notifications. Terminals must be protected so that unauthorized people cannot initiate transfers. Standards are needed for token (hardware or software) authentication.
Management and exchange of encryption keys, and ensuring that the communicating parties hold the right keys, remain a challenge.
Encryption needs to be end-to-end: not only the payment data and not only the transmission. Breaches occur by getting at data while it is unencrypted. Quantum computing could make breaking current/common encryption trivial, but new approaches (including non-key-based ones) could resist quantum decryption.
Data integrity checks sometimes spot problem transactions, but they need to gate which transactions are permitted to complete.
Many wire transactions are transmitted over encrypted networks, but that does not mean the actual payment and its associated data within the transaction are themselves encrypted. There are no existing standards for encrypting that data.
Controls over user ID vetting, monitoring, verification, etc. for initiating wire transfers are inconsistent or lacking.
Greater focus on development and adoption of risk-based cybersecurity rules, frameworks, and open standards could enhance security.
Last Updated: 02/21/2018
Footnotes
1. Generally, wire payments flow in one direction.