Nonbanks and Risk in Retail Payments

Nonnks n Risk in Retil Pyments By: Memers of Europen Centrl Bnk Oversight Division * Memers of Feerl Reserve Bnk of Knss City Pyments System Reserh Funtion Working Pper 07-02 Pper for presenttion t the Joint ECB-Bnk of Engln Conferene on Pyment Systems n Finnil Stility Frnkfurt, 12-13 Novemer 2007 Astrt This pper ouments the importne of nonnks in retil pyments in the Unite Sttes n in 15 Europen ountries n nlyses the implitions of the importne n multiple roles plye y nonnks on retil pyment risks. It shows tht nonnks ply multiple roles long the whole pyment proessing hin of five min pyment instruments (r pyments, eletroni heques, reit trnsfers, iret eits n e-money n other pre-fune/store vlue instruments). The importne of nonnks is ssesse s prominent in the Unite Sttes ross ll the onsiere pyment instruments, n high n growing in Europe where however ifferenes mong the vrious ountries n pyments lsses persist. In Europe the importne of nonnks is expete to grow in the future, riven y inustry n regultory evelopments. The pper rgues tht nonnks presene hs shifte the lous of risks in retil pyments towr higher relevne of opertionl risk in its vrious forms (mlfuntioning, t seurity, n t protetion), s well s higher relevne of fru risk n system-wie impt of isruptions t key proviers onentrting proessing for importnt pyment mrket segments. Bnks hve eome inresingly epenent on nonnk servie proviers, n the option of new tehnologies in pyments proessing, prtiulrly s regrs ommunition networks, while on the one hn supporting mitigtion of reit n liquiity risks onnete to pyments uthoristion, inreses the numer of possile points long the proessing hin tht my e vulnerle to fru n illiit use. The pper reviews the min regultory sfegurs in ple, n onlues tht there my e nee to reonsier some of them in view of the growing role of nonnks n of the glol reh of risks in the eletroni er. * Simonett Rosti. The views expresse in this pper re those of the uthor n o not neessrily reflet the views of the ECB or the Eurosystem. Terri Brfor, Fumiko Hyshi, Christin Hung, Rihr J. Sullivn, Zhu Wng, n Sturt E. Weiner. The views expresse in this pper re those of the uthors n o not neessrily reflet the views of the Feerl Reserve Bnk of Knss City or the Feerl Reserve System. Pge 1

Tle of Contents 1. Introution...3 2. Nonnks in retil pyment systems...4 2.1 Methoology...4 2.1.1 Definitions...4 2.1.2 Pyment types n pyment tivities...5 2.2 Nonnk prevlene...6 2.2.1 Overview...6 2.2.2 EU nonnk prevlene...7 2.2.3 U.S. nonnk prevlene...13 3. Risks in retil pyments proessing...15 3.1 Risks in retil pyments...15 3.2 Risks long the proessing hin...18 4. Impt of nonnks on risk...22 4.1 Risks n nonnk presene in the EU...22 4.1.1 Risks tht n e generte t vrious points long the whole proessing hin...22 4.1.2 Risks relte to settlement tivities...23 4.1.3 Creit n liquiity risks outsie the settlement stge...24 4.1.4 Risks relte to outsouring to thir prties...25 4.2 Risks n nonnk presene in the U.S...26 4.2.1 Comprison of nonnk prevlene to risk in pyment tivities...26 4.2.2 Risk implitions...27 4.2.3 Puli regultion n oversight of pyment risk mngement in the U.S....28 4.2.4 Supervision n regultion...29 4.2.5 Oversight of the U.S. pyment system...30 4.3 Chnging risk profiles: implitions of rising nonnk presene for risk...31 5. Conlusions n losing remrks...36 REFERENCES...39 Pge 2

1. Introution Retil pyment systems throughout the worl ontinue to evolve in mny wys. Chief mong them is the ontinue migrtion from pper-se to eletroni-se systems. Aompnying this eletronifition of pyments hs een n inrese in the prevlene of nonnks in the pyments system. In n erlier pper (ECB, FRBKC 2007), we took first step in oumenting n nlysing the role of nonnks in Europen n U.S. retil pyment systems. We foun tht nonnks re most prominent in the Unite Sttes ut re prominent n eoming ever more so in mny Europen ountries s well. We lso foun tht the regultory frmework surrouning nonnk pyments prtiipnts is uneven oth within n ross ountries. This seon fining is prtiulrly importnt for entrl nks euse entrl nks re lmost uniformly hrge with ensuring tht pyment systems re sfe s well s effiient. At the ore of sfety onsiertions, of ourse, is the presene n mitigtion of vrious types of risk. The erlier pper spent some time exploring risk issues, ut t firly generl level. The purpose of this pper is to elve more eeply into risk issues. Speifilly, this pper explores the vrious types of risk ssoite with the mny tivities long the pyments hin, n sks, to wht extent oes the presene of nonnks heighten or lessen these risks? As with the first pper, this pper rws on the results of joint stuy unertken y stff t the Europen Centrl Bnk (ECB) n the Feerl Reserve Bnk of Knss City. The fous is on eletroni (non-pper) retil pyment servies in the Europen Union (EU) n the Unite Sttes. The pper opts ommon set of efinitions n uniform nlytil frmework. The following questions re resse: 1. Wht pyments tivities n sutivities re performe long the pyments hin? 2. Wht types of risk re ssoite with these tivities n sutivities? 3. Do the risks ssoite with vrious pyments tivities n sutivities vry y type of pyments instrument? 4. Does the inrese presene of nonnks in vrious pyments tivities heighten or lessen the egree of risk? 5. Are equte sfegurs privte n/or puli in ple to ensure tht risk levels re mngele n eptle? The pper is orgnize s follows. The next setion ssesses the importne of nonnks in retil pyments. It first summrizes the methoology use in this n the previous pper: the efinition of nonnk, the ifferene etween front-en n ken pyment servies, n the vrious tegories of pyment types n pyment tivities. It then ouments the role plye y nonnks in the EU n the Unite Sttes. Pge 3

The thir setion of the pper tkes up risk in retil pyments. It first esries the vrious types of risk tht my e present in pyments environment, for exmple, settlement risk, opertionl risk, reputtionl risk, n so forth. It then exmines whih types of risk re most likely to e ssoite with whih types of tivities long the pyments proessing hin. The fourth setion of the pper superimposes this risk nlysis on the prior setion s oumenttion of nonnk presene y tivity, permitting one to evlute t reltively etile level nonnks potentil impt on pyments risk. Finlly, the pper loses with summry n suggestions for future reserh. 2. Nonnks in retil pyment systems 2.1 Methoology Nonnks n perform funtions t ll stges of the pyments proess. For ll forms of pyment (reit rs, eit rs, eletroni-heques, reit n eit trnsfers, e- money 1, n store-vlue trnstions) n for ll points on the pyments hin (hrwre n softwre provision, onsumer n merhnt intertion, kroom proessing, lering n settlement, n post-trnstion ounting) nonnks n ply mjor role. This susetion provies frmework for oumenting n nlyzing these roles. 2.1.1 Definitions A nonnk pyment servie provier is efine in this stuy s ny enterprise tht is not nk n whih provies, primrily y wy of eletroni mens, pyment servies to its ustomers. In the Europen ontext, nonnks inlue ll entities tht re not uthorize s reit institution; hene, eletroni money institutions (ELMIs) re onsiere to e nonnks. In the U.S. ontext, nonnks inlue ll entities tht o not ept emn eposits. A nonnk pyment servie provier my e either nkontrolle or nonnk-ontrolle. 2 A nonnk pyment system provier s ustomers my e either: (i) en-users of retil pyment servies, in whih se the nonnk is proviing front-en servies; (ii) nks or 1 In Europe, e-money is efine s monetry vlue s represente y lim on the issuer whih is: (i) store on n eletroni evie, suh s hip r or omputer memory; (ii) issue on reeipt of funs of n mount not less in vlue thn the monetry vlue issue; (iii) epte s mens of pyment y unertkings other thn the issuer (Diretive 2000/46/EC). Thus, stritly speking e-money is not pyment instrument ut mens of pyment, tht is, sustitute for sh n eposits. E-money issune is usully ompnie y the servie or evie neee to trnsfer it, n for simpliity in this survey with the term e-money we refer to the pyment evise or instrument use to trnsfer e-money. E-money n e issue only y nks n y e-money liense institutions (ELMIs), entities sujet to simplifie pruentil regime whih is however moelle on tht of nks, n re sujet to ertin limittions (for instne in terms of tivities they n rry out, n investment of the funs). 2 Exmples of nk-ontrolle nonnk pyment servie proviers inlue susiiries of nks, for exmple, TSYS, lrge U.S. proessor owne y Synovus Bnk (lthough out to e spun off), n nk ssoitions, for exmple, Vis Europe, the lrge Europen reit n eit r network. Nonnkontrolle servie proviers re firms without governing nk ffilition, for exmple, First Dt Corportion, PyPl, Hyperom, Vofone, et. Pge 4

other nonnk pyment servie proviers, in whih se the nonnk is proviing ken servies; or (iii) oth types of ustomers. Exmples of front-en servies inlue money-trnsfer servies provie to househols n quiring servies provie to merhnts. Exmples of k-en servies inlue k-offie t proessing, uthentition n uthoriztion, n hosting of pyments-enle we sites. An exmple of firm with oth types of ustomers is ompny tht is lesing point-of-sle (POS) evies to merhnts n t the sme time performing proessing n routing servies on the t pture on those evies for the nks issuing the ssoite pyment rs. Suh firm woul e onsiere to e proviing front-en servies to the merhnts n k-en servies to the issuing nks. 2.1.2 Pyment types n pyment tivities There re two wys to think out the pyments proess. One is to think out pyment types the mens n instruments through whih trnstion is unertken. Exmples re reit r trnstions, eit r trnstions, reit n eit trnsfers, n person-to-person Internet pyments. The seon wy is to think out pyment tivities the vrious steps n servies tht re provie s given trnstion tkes ple. These two onepts pyment types n pyment tivities re lerly very losely relte. Tle 1 (p. 41) shows the ro pyment types tht re use in this pper. Ctegories inlue eletroni heques; reit trnsfers; iret eits; pyment (reit n eit) rs; n e-money n other prefune or store-vlue instruments, inluing Internet person-to-person (P2P) pyments. 3 The first tegory, eletroni-heques, re those pyment types tht egin with pper heque, or informtion from pper heque, ut re onverte to n eletroni pyment t some point in the proess; en-to-en, tritionl pper heques re exlue. The seon n thir tegories, reit trnsfers n iret eits, utilize greements tht reit or, with preuthoriztion, eit ounts. The fourth tegory, pyment (reit/eit) rs, relies on networks to ess either line of reit or emn eposit ount to enle pyment. The fifth tegory, e- money n other pre-fune/store-vlue instruments, uses n eletroni store of monetry vlue, whih my not neessrily involve nk ount, to mke pyment. A seon wy of thinking out the pyments proess is to exmine pyment tivities, tht is, the vrious steps n servies tht re unertken s trnstion moves from eginning to en. The pyments proess n e thought of s hin of events in whih four prinipl tegories of servies re performe: pre-trnstion tivities enompssing ustomer quisition n the provision of front-en infrstruture; uring-trnstion Stge 1 tivities enompssing onnetion, ommunition, uthoriztion, n fru etetion tivities; 3 ECB, FRBKC (2007) inlues two itionl instrument tegories: money remittne n trnsfer trnstions; n other pyment instruments. They re not onsiere in this pper euse of insuffiient t in some of the surveye ountries. Pge 5

uring-trnstion Stge 2 tivities enompssing lering n settlement tivities; n post-trnstion tivities enompssing sttement provision n reonilition tivities. All in ll, one n ientify twenty-three primry pyment tivities tht unerlie, to vrying egrees, ll pyment trnstions. Within these twenty-three primry tivities, there re, in turn, host of sutivities, numering over fifty. The full list of primry tivities n sutivities is shown in Tle 2 (p. 42). 2.2 Nonnk prevlene 2.2.1 Overview A pyment trnstion n e initite in severl wys, n the relte pyment informtion n instrutions n e pture n trnsmitte using severl methos. Nonnks n e involve t mny points long the proessing hin, s well s in the iret provision of pyment servies to en ustomers. Nonnks hve long h presene in ore pyments proessing, s nks n other finnil institutions hve sought to outsoure suh tivities s t proessing, file trnsmission, n relte tsks. Other uring-trnstion tivities in whih nonnks hve een hevily involve inlue network servies, suh s gtewy provision n swithing servies, uthoriztion servies, n fru n risk mngement servies. All of these tivities re importnt elements of the retil pyments proess n re of key importne in mintining puli onfiene in the sfety of pyment instruments. Aitionlly, nonnks hve een tive in the rnge of tivities tht tke ple efore n fter the exeution of given pyment trnstion. Exmples of suh pretrnstion tivities inlue the evelopment n provision of hrwre for eletroni pyments (for exmple, r proution n POS evies) n the estlishment of ontrtul reltions with rholers n merhnts. In the se of emerging pyments, in mny ses these pre-trnstion servies involve new wys of proviing ess to tritionl pyment types, for exmple, reit trnsfers initite vi the Internet or vi moile phones, or we portls tht onsolite illing n filitte pyment initition. Moreover, nonnks hve lso een importnt in mny post-trnstion servies, inluing sttement provision, reonilition, n retrievl. This susetion ouments in systemti wy the role plye y nonnks in the EU n U.S. retil pyment systems. The nlysis is onute through the use of tles showing, for eh of the vrious pyment tivities n eh of the vrious pyment types, the importne of nonnks reltive to nks. In the se of Europe, five tles re presente, one for eh of the mjor pyment instruments, Pyment Crs, Creit Trnsfers, Diret Deits, e-cheques, n e-money. Within eh of these tles, for eh pyment tivity, the egree of nonnk prevlene is shown, moving, left to right, from surveye ountries ounting for the lrgest shre of EU27 pyments of tht type to ountries ounting for the smllest shre of EU27 Pge 6

pyments of tht type. Thus, eh tle is mtrix, in whih the rows re pyment tivities, the olumns re ountries, n the entry in n iniviul ell is the uthors ssessment of whether nonnk presene is prevlent (lue), high (green), meium (yellow), low (ornge), or nonexistent (pink) for tht prtiulr pyment tivity-pyment type-ountry omintion. In the se of the Unite Sttes, single tle is presente. Rows re gin pyment tivities. Columns re now pyment types, moving, left to right, from those pyment types ounting for the lrgest shre of nonsh pyments to those ounting for the smllest shre of nonsh pyments. Thus, the tle is gin mtrix, in whih the entry in n iniviul ell is the uthors ssessment of whether nonnk presene is prevlent (lue), high (green), meium (yellow), low (ornge), or nonexistent (pink) for tht prtiulr pyment tivity-pyment type omintion. For oth the Unite Sttes n Europe, ells in grey re not pplile, while ells in white inite insuffiient informtion to juge. The ssessments re se on survey results, inustry t, n other soures. Also inite in eh ell is n ssessment of the qulity of the t (high, meium, or low) on whih the prevlene ssessment is se. 2.2.2 EU nonnk prevlene The role of nonnks in pyments in Europe ws nlyze y rrying out survey mong Pyment Experts of the Ntionl Centrl Bnks (NCBs). The survey ws voluntry, n not ll the ESCB Ntionl Centrl Bnks prtiipte. The results presente inlue 15 ountries, 10 from the euro re (Austri, Belgium, 4 Germny, Finln, Frne, Greee, Itly, the Netherlns, Portugl n Sloveni) n five from EU Memer Sttes tht hve not yet opte the euro (Bulgri, Cyprus, Czeh Repuli, Ltvi n Lithuni). These ountries together proess out 67 perent of the numer of pyment trnstions in the Europen Union. However, s the NCBs of the lrgest non-euro re Memer Sttes i not prtiipte in the survey (in prtiulr the U. K., whih lone ounts for more thn 20 perent of the numer of pyments proesse in the EU), the fous of the nlysis is minly on the euro re: the ove mentione 10 euro re ountries in the survey together proess out 92 perent of the totl numer of euro re pyment trnstions, n 66 perent of the totl EU pyment trnstions. 5 All in ll, these ten ountries represent 65 perent of the EU GDP (88 perent of the euro re), n 54 perent of the EU popultion (86 perent of the euro re popultion). The survey ws rrie out using ommon methoology. Some responents stresse tht they fe t limittions tht i not llow onsiering the results s omprehensive n exhustive esription of the role of nonnks in their respetive ountries. Thus, the survey oes not imply tht these re the only tivities tht nonnks perform in pyment proessing or tht ll pyment solutions offere to ustomers in the surveye ountries re overe. Moreover, the level of etil n the qulity of the t 4 For Belgium n ssessment of nonnks importne ws ville only for rs n e-money pyments. 5 The perentges provie re se on 2003 t n inlue the ountries tht joine the EU in 2004 (i.e., exluing Bulgri n Romni who joine in 2007). Pge 7

vries from ountry to ountry, s responents relie on ifferent t soures n reserh methoologies, rnging from pulily ville informtion to interviews with mjor nks n nonnks. For some ountries, the survey s finings provie more of n overview thn fully representtive piture. These ifferenes in omprehensiveness n qulity of t gthere in the vrious ountries mke it iffiult to rry out rossountry omprisons, n require re in onsiering the results. Nevertheless, in the sene of more preise or homogeneous t, we ept these t limittions n elieve tht the survey provies useful overview of the role of nonnks in pyments, sheing some light on n spet of the Europen pyment inustry tht ws not thoroughly investigte previously. The results re reporte, for eh pyment instrument (eletronilly proesse heques, reit trnsfers, iret eits, pyment rs, e-money n other pyment instruments), in Tles 3-7 (pp. 43-47). The results re presente following the orer of importne of the vrious shless pyment instruments in terms of numer of trnstions proesse in Europe: in 2003 (the most reent yer for whih ross-ountry omprle t re ville) rs represente 31 perent of Europen pyment trnstions, followe y reit trnsfers (30 perent), iret eits (24 perent), heques (13 perent 6 ), n e-money (1 perent). It shoul e note tht omprehensive sttistis re not ville for money trnsfers or for other, innovtive pyment instruments inlue in the survey sent to responents. Furthermore, the t ollete through the survey on nonnks for these two instruments were extremely limite n o not llow mking ny ut preliminry ssessment of the role of nonnks. Before moving into eh tle, it is importnt to unerline three preliminry oservtions: First, informtion on the role of nonnks is not eqully ville ross ountries n ross pyment instruments, s shown y the lrge white res in mny of the ountries. Informtion on entities involve in retil pyments proessing my e more esily ville for those pyment instruments tht re more populr in the ountry: ntionl preferenes in the use of pyment instruments re very mrke in Europe, refleting ulturl preferenes, 7 tritions, historil evelopment of the inustry, or ifferent stges of mturity in the pyment servies inustry. For instne, heques re not use in the Netherlns (where their use eline lrey in the 90s, n the Duth 6 Sttistis on heques in the Europen Union inlue ll heques sumitte for lering. The figures inlue vrious types of trnstions (e.g. trveller s heques, petrol heques, nkers rfts n promissory notes), s there re no seprte sttistis for e-heques. However, most heques re trunte in Europe, n pper en-to-en proessing n e onsiere s n exeption tking ple only in few ountries. (For instne, in the Unite Kingom hnge in the lw in 1996 remove the requirement for heques to e presente physilly t the rnh on whih they were rwn. Most nks now follow prtilly trunte proess wherey heques re retine t entrl point n). In Frne ll heques re trunte n emterilise sine 2002; in Itly 80 perent of heques re trunte; in Portugl, 98 perent of heques were trunte in 2005. In some ountries (e.g. the Netherlns) heques hve een ompletely ismisse s pyment instrument n o exist either in pper or in eletroni form. See ECB (2006) n ECB (2007) for further etils. 7 The impt of preferenes in terms of ulturl similrities, geogrphil proximities, n lnguge ws shown y Rosti n Seol (2006) for lrge-vlue ross-orer pyments in euro. It is likely tht in the retil mrkets ulturl preferenes my lso ply role. Pge 8

nks stoppe issuing heques in July 2001), they re rrely use in Austri n Finln, n their use is very limite, ompre to other pyment solutions, in Germny, while they re still ommon in Frne (where more thn 55 perent of ll EU heques trnstions tke ple), Itly, Cyprus, n Portugl (lthough their use is, in generl, elining) 8. Itly, Belgium, n Finln n e onsiere reit trnsfers ountries (n in Bulgri out 90 perent of pyments re reit trnsfers) while iret eits hve een introue reltively reently in severl ountries n re eoming inresingly populr (in 2003 iret eits were out 24 perent of pyments in EU, ut in Austri, Germny, n Spin they represente out 40 perent of the ntionl volumes). In ontrst, r pyments re ommon n populr in most ountries. Thus, responents were le to ssess the importne of nonnks for lmost ll the relevnt pyment tivities with reltively high onfiene for pyment rs. Seon, nonnk presene vries signifintly y ountry. In generl, when onsiering nonnks importne ross ll pyment instruments for eh ountry, ountries n e ivie in three groups (ECB, FRBKC 2007). In first group, inluing Austri, Germny, the Netherlns n Itly, nonnks ply lrger role ompre to other ountries in the tivities of most pyment types. Finln, Frne, Ltvi n Sloveni re in the seon group, where nonnks seem to ply more limite role. The lst group inlues the remining ountries: Bulgri, Cyprus, Czeh Repuli, Greee, Lithuni n Portugl. Nonnk presene in these ountries n e onsiere somewhere in etween. Thir, in the mjority of the 15 ountries, the role of nonnks for pyment rs is high or prevlent in mny of the tivities onsiere. This is proly ue to the high utomtion of the pre-trnstion n uring-trnstion Stge 1 tivities (e.g., swith routing, uthentition, n rel-time uthoriztion of the trnstion) n, lso, to the interntionl imension of rs-proessing stnrs. It shoul e note tht in Europe there re numer of ntionl r shemes tht re usully o-rne with the interntionl shemes like Vis n MsterCr to llow ustomers to use the r ro. In ition to o-rning, in Europe there lso re few exmples of (ilterl) interoperility greements etween ntionl (minly eit rs) shemes, prtiulrly to llow use in the EU ross-orer ontext. As result, rs proessing is lrgely orgnize roun ommon moel, exept for the settlement phse, whih my e rrie out ifferently in the vrious ountries. (In some ountries, ntionl r trnstions re settle in the ACH or other ntionl retil pyment system. In others, they my e settle y nks ilterlly. Furthermore, s it reltes to interntionl rs trnstions, the orresponent nking hnnel normlly is use for settling internk positions). The tles show tht the role of nonnks is high in most surveye ountries for rs, with the exeption of Frne (where there is trition of reserving the pyments usiness to nks) n the Czeh Repuli, where it ws ssesse s meium for ll 8 This explins why Frne is the ountry where heques proessing is highly utomte lso in the initil stges of the proessing hin (pre-trnstion n uring-trnstion Stge 1, e.g. provision of heques reers/pos, provision of heques verifition softwre n of heques verifition servies) n more informtion is ville on nonnks roles in heques proessing, while in other ountries the heques olumn ontins goo el of white n grey ells. Pge 9

pyment instruments. However, in Frne, nonnks still ply n importnt role in the pre-trnstion stge. For the other pyment instruments, s mentione erlier, responents to the survey were le to provie reltively less t, s shown y the high numer of grey n white ells. Where more informtion ws ville (s for reit trnsfers n iret eits) nonnks seem to ply reltively more importnt role in those ountries tht represent higher shre of the EU trffi in tht instrument n the pyment instrument onerne represents high shre of the ntionl pyments (for exmple, for reit trnsfers: Germny, Austri, Itly, the Netherlns), gin, with the exeption of Frne. Finlly, irrespetive of the role plye in pre-trnstion n other uring-trnstion tivities, the settlement phse remins prerogtive of the nking setor in Europe, n this is true for ll pyment instruments, not only for rs. In the se of tritionl pyment instruments, this my e expline y the ft tht nks re normlly those entities tht hve ess to the retil pyment systems (n, in mny ses, ntionl nking ssoitions tully hve set up or own the ntionl lering n settlement ompnies) or those to whom the legisltion in ple reserves settlement ounts provision n mngement. In very few ountries (the Netherlns n Bulgri), however, nonnks my ply role in the settlement stge. However, loser look t the entities involve shows tht they re jointly owne y the nking setor, n thus n e onsiere in the nking omin (e.g. the ompnies Equens in the Netherlns, Bori (Bnk Orgnistion for Pyments Initite y Crs) n Bnkservise in Bulgri). A notle exeption is Belgium, where nonnks importne in settlement tivities 18 n 18 from Tle 2 (posting reit n eit t eh finnil institution s entrl nk n ommeril nk ount) is ssesse s prevlent. This is relte to the role plye y the rs ntionl proessor, the previously nk-owne Bnksys. The ompny is now integrte into Atos Origin ( Frne-se multintionl IT servies group proviing en-to-en tehnologil pyment servies). Thus, this is n exmple of shift from the nking setor to nonnk (n nonnk-owne ompny) of tivities t the hert of the settlement yle. For e-money n other innovtive pyment solutions, settlement lso remins lrgely ominte y nks, whih is onsistent with two oservtions on the evelopment of new pyment methos in Europe. First, tht innovtion seems to hve fouse on mens (using moile, Internet tehnology) to ess tritionl nking funs trnsfers servies (i.e. the so-lle ess prouts ), rther thn pyment instruments lterntive to those offere y nks. 9 Seon, e-money s n lterntive to instruments trnsferring nk eposits hs remine somewht unerevelope ompre to initil expettions n most e-money shemes in Europe re tully nk ventures with some notle exeptions (e.g., PyPl, whih until reently, when it requeste nking liense in 9 See ECB (2005), where reporting the results of survey on pyment innovtion (with sope wier thn e-money prouts only), it is onlue tht two-thirs of the (surveye) ompnies re relte to the nking setor, either y liense or y ownership n, s onsequene, most of the e-prouts inlue link to settlement. This is lso onsistent with wht ws reporte y Msi (2004), who notes tht the gretest prt of the new pyment inititives oes not moify the lering n settlement phses of the pyment yle whih re mnge n regulte y nks. Pge 10

Luxemourg, h operte s n ELMI). 10 In summry, se on the limite t ville, it n e onlue tht nonnks ply n importnt role in severl Europen ountries, n we expet their role to grow further, prtiulrly t the k-en, in those ountries where their role is still somewht more limite. Drivers will e: first, the growth of shless pyments; seon, SEPA, n the resulting restruturing n onsolition ongoing within the pyments proessing outsouring inustry; thir, the mturing of pyments mrkets segments n sustitution mong pyment lsses fvouring instruments whose growth is lrgely supporte y nonnks (rs n iret eits); n fourth, t the front-en, following the regultory opening up of the mrket to new tegory of nonnk pyment servies proviers, the pyment institutions. From k-en perspetive, it shoul e note tht the growth of the use of rs n the evelopment of ntionl r shemes hs gone hn-in-hn with the growth of the mrket for r trnstion proessing, whih ws often hrterize y ntionl hmpions onentrting most of the trnstions n llowing the exploittion of sle eonomies t the iniviul ountry level. 11 This mrket now seems to e unergoing very ynmi phse in Europe, riven y the reent evelopment of SEPA, the projet to rete single Europen pyment re y removing ll legl, tehnil n ommeril rriers within the Europen inustry n mking shless pyments in euro s esy, effiient n sfe s it is toy within one ountry. 12 Mzzi (2007) reports tht oring to figures n estimtes ville for the mrket shre of thir-prty proessors in the rs issuing mrket (EU 15 ountries), for instne, in the four-yer-perio etween 2002 n 2006, the numer of eit rs inrese from 293 million to 342 million, n reit rs inrese from 278 million to 362 million. In-house issuer proessing y nks erese from 42 perent to 33 perent for eit rs, n from 60 perent to 51 perent for reit rs while the mrket shre of thir-prty proessors inrese from 3 perent to 7 perent for eit rs, n from 21 to 28 perent for reit rs (the rest ws proesse through shre nk-owne utilities). Furthermore, onsolition proess hs strte with the ojetive to hieve suffiient sle to llow repositioning of ntionl plyers s Europen plyers serving the ommon euro pyment re. The proess hs reently elerte n hs tken vrious forms, through wve of llines n joint ventures, ut lso mergers n quisitions, involving ompnies tive t the sme stge of the proessing hin (horizontl 10 In 2003, e-money ounte for only 0.5 perent of pyment trnstions in Europe. EC (2006) reports eviene tht the e-money mrket hs evelope more slowly thn expete, n is fr from rehing its full potentil, n tht s of lte 2005 there were only four ELMIs, lthough the numer ws expete to inrese s t lest five-to-eight pplitions were either in proess or expete shortly (however, out 72 ompnies were operting t ntionl level in seven Memer Sttes uner wiver) noting lso tht, two-thirs of the e-money in irultion ws issue y nks, n only one-thir y ELMIs (p.6). 11 For exmple, SBB in Itly or Bnksys n BCC in Belgium (the Belgin ompnies, previously owne y onsortium of Belgin nks, re now owne y Atos Origin, n interntionl IT group.) 12 SEPA is n inustry-le projet supporte y the Europen Commission n y the ECB. Detile informtion n e foun on the wesites of the ECB (www.e.europ.eu) n of the Europen Pyment Counil (www.europenpymentsounil.eu), the eision-mking n oorintion oy of the Europen nking inustry in reltion to pyments). Pge 11

integrtion) n t ifferent stges of the hin (vertil integrtion). 13 For instne, in Septemer 2006 the Duth ACH Interpy n the Germn pyments proessors Trnsktioninstitut gree to merge to form Equens, ompny iming t serving the Europen mrket. Similrly, the interntionl rs pyments proessor SiNSYS ws rete y three ntionl proessors (from Itly, the Netherlns, n Belgium), n is now owne y SIA-SSB (n Itlin firm proviing tehnology for rs pyments, finnil mrkets, pyment systems n networks) n Atos Origin. At the eginning of 2007, Atos Origin quire the Belgin ompny Bnksys (whih offere hrge uthoriztion, seurity n gurntee of eletroni pyments in the ountry) n BCC (whih ffilites merhnts n mnges the pyment systems linke to Vis n MsterCr on ehlf of nerly forty Belgin nks). The geogrphil sope of the SEPA projet is wier thn the euro-re ountries n lso inlues ll other Memer Sttes of the Europen Union, together with Ieln, Liehtenstein, Norwy n Switzerln (the ltter four sujet to their option of onsistent legl frmework). It is no surprise, therefore, tht the onsolition evelopments mentione ove lso hve strte to involve these ountries: for instne, in Mrh 2007, the Dnish rs proessor PBS n the Norwegin nking servie provier BBS gree to merge their r trnstion proessing tivities into the new ompny Northern Europen Trnstion Servies (NETS), with the im to servie Nori n Europen nks. An exmple of glol firm expning in Europe y mens of quisitions is First Dt. 14 The group, whih hs opertions in 38 ountries worlwie inluing 13 Europen ountries, hs quire severl ntionl plyers in vrious Europen ountries, e.g. in Poln (POLCARD, leing inepenent merhnt quirer n r proessor), in Germny (Gesellshft für Zhlungssysteme mh, leing proessor of shless, r-se pyment trnstions, n Telesh, the ountry s premier network servies provier), in Austri (Austrin Pyment Systems Servies, the ntionl proessor), n in Greee (Delt Singulr Outsouring Servies, leing pyments proessor). The ompny hs lso quire leing r proessor in Centrl n Estern Europe (EuroProessing Interntionl), n the r proessing unit of n Itlin nk. Inustry onsolition in Europe hs tken ple t the ross-orer level oth horizontlly (involving ompnies operting t the sme stge in the proessing hin) n vertilly (involving ompnies operting t ifferent stges, e.g. ACH n rs proessor). An interesting tren oserve in this inustry trnsformtion proess is tht in vrious ses leing ompnies tht were nk-owne n sometimes proesse lrge shre of their ntionl trnstions hve move outsie the nking omin from governne point of view, n now elong to speilise IT interntionl or multintionl firms. The proess of onsolition in the pyments outsouring usiness is not 13 Corone (2004) n Moeller (2006) provie ifferent exmples of suh oopertive ventures. See lso Mzzi (2007) for generl piture out the sttus of the inustry onsolition. 14 First Dt ws puli ompny until Septemer 2007, when its gree quisition y n ffilite of the privte equity firm Kohlerg Krvis Roerts & Co. (KKR) ws omplete. Pge 12

omplete n is expete to elerte further. 15 At the front-en, the role of nonnks is lso expete to grow in the future, s one of the min innovtions introue y the reently opte Pyment Servies Diretive 16 is the opening up of the mrket y llowing tors other thn nks n e-money institutions to provie pyment servies, the pyment institutions, whih re entitle to provie the pyment servies liste in nnex to the Diretive. There re five tegories of servies whih enle the trnsfer of funs hnle y the users: sh withrwls n eposit trnstions, trnstions from n ount or line of reit inluing r pyments, reit trnsfers n iret eits, interntionl money remittnes, trnstions using moile phones or the Internet, n issune of pyment instruments n quisition of t relte to the susequent trnstions (Mrgerit, 2007). Contrry to e-money liense institutions, the pyment institutions will e llowe to rry out other usiness tivities (for instne, they oul e merhnts or telephone ompnies), ut uthorities my require them to estlish seprte entity for the pyments servies. The Diretive speifies tht they my not onut the usiness tivity of tking eposits within the mening of nking legisltion, ut they my provie reit if ertin requirements re met (e.g. reit n e grnte exlusively in onnetion with the exeution of trnstion, short term, it nnot e grnte from the funs reeive or hel for pyment trnstions, n sujet to the pyment institution hving n pproprite level of its own funs). One importnt innovtion is tht pyment institutions will e llowe to set up pyment ounts in the nme of users, ut the Diretive introues ertin requirements ime t sfeguring the funs reeive from users (the sfeguring mesures introue re esrie in more etil in setion 4.1). 2.2.3 U.S. nonnk prevlene To ssess the role of nonnks in pyments in the Unite Sttes, stff t the Feerl Reserve Bnk of Knss City omplete the sme survey s tht istriute to EU survey responents. Informtion utilize inlue inustry iretories n news rtiles, interviews with nonnks n inustry oservers, n other soures more neotl in nture. Tle 8 (p. 48) presents the results for the Unite Sttes. Rows re the vrious pyments tivities n sutivities previously expline. Columns re the prinipl pyment types foun in the Unite Sttes. Pyment types re liste in esening orer, 15 See for instne the Atos Origin Hlf Yer Report 2007 (p.12 the pyment servies usiness proess outsouring (BPO) mrket is extremely iverse, ontining omintion of suppliers with kgroun in vrious inustry-speifi proesses, s well tehnology speilists n IT servies proviers. The mrket is strting to mture n we expet onsolition mongst servie proviers to ontinue. Growth is eing riven y regultory hnges (suh s the Single Europen Pyments Are), prolifertion of pyment styles (suh s moile pyments), n seurity (suh s hip n PIN in the Unite Kingom, n the use of hologrms) ). 16 Diretive 2007/64/EC of the Europen Prliment n of the Counil of 13 Novemer 2007 on pyment servies in the internl mrket mening Diretives 97/7/EC, 2002/65/EC, 2005/60/EC n 2006/48/EC n repeling Diretive 97/5/EC (hereinfter, the Pyment Servies Diretive) (Offiil Journl No. L319, of 5th Deemer 2007. Aoring to Artile 94(1) of the Pyment Servies Diretive, Memer Sttes will hve to ring into fore the neessry legisltion to omply with its provisions efore 1st Novemer 2009. Pge 13

from those ounting for the highest shre of nonsh trnstions in the Unite Sttes (in terms of numer of trnstions) to those ounting for the lowest shre of nonsh trnstions. Shres re se on 2004 t. In 2004, pyment rs ounte for 45.9 perent of nonsh trnstions; iret eits ounte for 6.9 perent; reit trnsfers ounte for 6.0 perent, e-heques 17 ounte for 4.4 perent, n the e-money shre ws nerly negligile. Within some of these roer tegories, in turn, re shown more speifi pyments instruments: three types of pyment r trnstions (four-prty reit n signture eit (e.g., MsterCr n Vis), PIN-eit, n three-prty reit (e.g., Amerin Express, Disover, n privte-lel); three types of iret eits (utomti, one-time, n those omplete uner, for exmple, the Tempo n PyByTouh shemes); n four types of e-money n other pre-fune or store-vlue instruments (open-loop prepi r, lose-loop prepi r, PyCsh, n PyPl trnstions). The most striking generl oservtion out Tle 8 is the high egree of lue n low egree of ornge n pink in the tle, initing tht where nonnks n ply role in the pyments proess, tht role is lmost lwys n integrl one. Looking ross the pyment type olumns, lmost ll pyment types show signifint nonnk presene in lmost ll fets of the pyments proess, with two exeptions. The first re those tivities, shown in grey, tht re not pplile, either euse (i) they re inherently nk funtions involving emn eposits, for exmple, some pre-trnstion tivities for reit trnsfers n utomti n one-time iret eits, or (ii) they re tivities tht re not pplile to tht pyment type, e it nk or nonnk, for exmple, trnstion uthoriztion tivities for utomti eit trnstions. The seon exeption to signifint nonnk presene is settlement tivities tht involve posting reits n eits to finnil institutions ommeril n entrl nk ounts here nks ominte. 18 Virtully everywhere else, nonnk presene reltive to nks is high, n, inee, prevlent. A more speifi oservtion is tht four-prty pyment rs n open-loop prepi rs hve the lrgest numer of lue n green ells. This is euse these pyment types require more uring-trnstion Stge 1 tivities nmely network swithing n trnstion routing through r-issuer proessors thn other pyment types. A omplementry oservtion is tht reit trnsfers hve the smllest numer of lue n green ells. This oes not imply nonnks importne in the reit trnsfer pyment tivities is reltively low; rther it implies this type of pyment oes not require s mny tivities s the other types of pyment o. The messge from Tle 8 is ler nonnks re fore in the U.S. retil pyments system, ominting lrge numer of pyments tivities for lrge numer of pyment types. 17 A physilly written heque is either trunte n eomes n ACH pyment t some point of heque proessing (ARC, BOC, n RCK) or is use s evie to pture informtion to rete n ACH pyment t the point of trnstion (POP, TEL, n WEB). 18 This lso is prinipl fining of Brfor, Dvies, n Weiner (2003). Pge 14

3. Risks in retil pyments proessing 3.1 Risks in retil pyments During the pyments proess vrious types of risks my rise, ffeting ifferent prties t ifferent stges, n to vrying egrees. This susetion provies rief review of vrious risk tegories relevnt to proessing retil pyments n to lering n settlement proeures 19. Liquiity n Creit Risks The risk tht ounterprty will not settle n oligtion for full vlue, either when ue (liquiity risk) or t ny time therefter (reit risk). Opertionl Risk Opertionl risk is efine s the risk tht efiienies in informtion systems, internl ontrols, humn errors, or mngement filures will result in unexpete losses (internl n externl events). Thus, one importnt omponent of opertionl risk is relte to mlfuntioning, whih my e the result of unintentionl irumstnes or events (e.g. omputer rekown or proessing slowown, or orgnistionl efiienies) or intentionl irumstnes or events (e.g., ttk or misuse of informtion or proeures). Reent hnges in the retil pyments system hve inrese wreness of the following types of risk, whih re often thought of s sutegories of opertionl risk. Dt Seurity Risk: form of opertionl risk involving unuthorize moifition, estrution, or islosure of t use in trnstions or use to support trnstions. Fru Risk: risk of finnil loss for one of the prties involve in pyment trnstion rising from wrongful or riminl eeption. The risk tht trnstion nnot e properly omplete euse either the ientity of the pyer nnot e esily sertine or the pyee oes not hve legitimte lim on the pyer. Counterfeit: the legl offene of mking flse instrument in orer tht it my e epte s genuine, therey using hrm to others (forgery). Opertionl risk is, in generl, relevnt long the entire proessing hin in the form of mlfuntions. Other types of opertionl risk my e speifi to ertin tivity or ertin pyment instrument. For exmple, fru risk is most relevnt for those steps of the proessing hin involving uthentition or ientifition with the relte t eing trnsmitte over teleommunition networks. For pyment instruments tht involve the 19 The efinitions use in this setion erive from vrious soures: for efinitions of risks in the ontext of pyments lering n settlement (reit risk, liquiity risk, opertionl risk, settlement risk, n systemi risk) see BIS (2003) n the glossry nnexe to ECB (2007(). On vrious spets of settlement risk, see lso Bsel Committee on Bnking Supervision (2000). On risks onerning, more speifilly, retil pyments (e.g. fru risk, risk of system-wie impt n reputtionl risk) see ECB (2007) n CCBS (Hnook No.8). Pge 15

use of speifi hrwre (e.g. r reers), fru risk is relevnt if the hrwre n e ompromise or ltere for illiit purposes (e.g. skimming or loning of rs). Dt seurity risk is relevnt for ll tivities involving the storge n trnsit of pyment sensitive t (t tht my e use for ientity theft or for illiit uthentition or uthoristion of pyment trnstions). Dt seurity risk my result in fru risk if expose reors re then use for illiit purposes. Tritionlly, ounterfeit risk pplies to urreny tht is reproue without uthoriztion. Due to reent tehnologil evelopments, some pyment rs n tokens my store monetry vlue (e-money store on r/e-wllet). E-money tht is reproue or ltere without uthoriztion hs hrteristis tht re omprle to ounterfeit pper money. The term ounterfeit is now lso ommonly pplie to unuthorize mnufture of heques, r pyment instruments or other physil tokens use in monetry trnstions. 20 Settlement Risk The risk tht settlement in trnsfer system oes not tke ple s expete, usully ue to prty efulting on one or more settlement oligtions. It omprises reit risks, n liquiity risks when they emerge in lering n settlement systems. It lso inlues speifi form of reit risk, the risk of filure of the settlement gent, tht is, the entity whose ssets re use to settle the pyment oligtions (settlement gent reit risk). Settlement risk my lso result from rystllistion of opertionl risk, s inequte opertionl reliility, seurity n usiness ontinuity my ffet the integrity of the t exhnge within the lering n settlement proess, n my result in finnil losses for the involve or lile prties. Legl Risk The risk of loss euse of the unexpete pplition of lw or regultion or euse ontrt nnot e enfore. For instne, pplition of lw or enforement of legl rights my e omplex or hllenging in se of pyment instruments use interntionlly or in se of innovtive prouts whose nture is not initilly lerly efine, s n hppen when new pyment solution presents elements of ifferent pyment instruments. In generl, legl risk in lering n settlement rrngements my e soure of settlement risk if the unexpete pplition of lw ffets the positions of prtiipnts in the lering n settlement proess (e.g. unwining, or insolveny of the ounterprty resulting in freezing of ssets or revotion of trnsfers y the liquitor). Reputtionl Risk The risk tht the mteriliztion of nother risk tegory mges the onfiene in pyment servie provier. For exmple, it my result from the mterilistion of 20 A heque tht ers flse signture or hs een ltere is properly lle forgery. For our purposes, we inlue forgery with ounterfeit risk. Pge 16

opertionl or legl risk involving en-users n mging the pyment servie provier rn or the pyment instrument more generlly in the se of generlise isruption. The loss of reputtion in pyment servie provier my further inrese tul prolems of tht servie provier (e.g. ess to liquiity) n my even finlly result in the loss of puli onfiene in the pyment instrument. Compline Risk The risk of loss ssoite with non-ompline with lws, rules, regultions, presrie prties, or ethil stnrs. The risk is orne y the issuing, the istriuting, n the trnstion rhiving institutions n in generl y the institutions sujet to ompline uty. The tivities where this risk is most relevnt re those relte to seurity-relte tehnology where mrket stnrs re in ple (suh s the Pyment Cr Inustry (PCI) t seurity stnr), n those where puli regultions n lws ime t omting the riminl use of the pyment system (suh s ex-nte nti-money lunering n terrorist finning ontrols n ex-post t rhiving n reporting to uthorities for the purpose of k-feeing to ex-nte tses n efining suspet opertions profiles). At times these stnrs my ffet pyment prtiipnt iniretly, suh s when nk pyment quirers re iretly responsile for PCI stnrs ut they hol firms to whih they outsoure pyment proessing responsile for the stnrs. 21 To the extent tht pyment shemes re sujet to oversight y the entrl nks (s is the se in severl Europen ountries), ompline risk my rise if the rules n mngement of the pyment sheme o not omply with the regultory stnrs. Systemi risk The risk tht the filure of one prtiipnt in trnsfer system, or in finnil mrkets generlly, to meet its require oligtions will use other prtiipnts or finnil institutions to e unle to meet their oligtions (inluing settlement oligtions in trnsfer system) when ue. Suh filure my use signifint liquiity or reit prolems n, s result, might threten the stility of finnil mrkets. As fr s retil pyment systems re onerne, systemi risk oes not usully represent thret ue to the limite vlue of pyments settle. However, there re ses where some retil pyment systems re onsiere to e systemilly importnt s their mlfuntioning my threten the finnil mrket (in the Euro re, when ssessing the systemi importne of retil pyment system, the ECB n the NCBs tke ount of the mrket penetrtion within the respetive retil pyments mrket, the finnil risks pertinent to the system, n the risk of omino effets). System-wie Risk From the perspetive of speifi pyment instruments, it is unlikely tht the isruption of the funtioning of single pyment sheme or the impossiility to settle speifi pyment instrument my result in systemi risk. However, system-wie impt 21 Similrly, mnufturers of point-of-sle pyment terminls n ATM mnufturers re not iretly oligte y ontrtul reltionships with pyment networks, ut must omply with network seurity stnrs if they hope to suessfully mrket their prouts. Pge 17

is possile, tht is, the filure to settle n entire lss of trnstions oul uner ertin onitions isrupt, t lest temporrily, the funtioning of the rel eonomy y severely ltering the pity of eonomi gents to ishrge their oligtions on ount of the unvilility of n/or lk of onfiene in the pyment instrument onerne (n sustitutle pyment instruments). Of ourse, the severity of the impt will in prtie e epenent on the mrket struture for pyment servies n, in prtiulr, on the importne of the speifi pyment instrument n its sustitutes (see for exmple ECB (2007) for the se of rs shemes). 3.2 Risks long the proessing hin As riefly esrie in the previous susetion, vrious types of risks my rise uring the pyment proess, n prties involve my e expose to some of them t ifferent stges, n to ifferent egrees. Opertionl risk is present when pyment orers re trnsmitte over ommunition networks. Prties tht exhnge ssets to extinguish pyment oligtions my e expose to finnil risks (for exmple, liquiity n reit risk). All prties entering into ontrtul reltions in the ontext of pyments proessing my e expose to legl risk. Finnil institutions tht prtiipte in lering n settlement systems re vulnerle to opertionl, liquiity, n reit risk. These risks sometimes ompoun one nother: if opertionl risk results in omputer outge, one pyment prtiipnt my not reeive funs from other prtiipnts, n it my nee to refinne t higher pries, or suffer liquiity risk if it is unle to fulfil susequent pyment oligtions, or inur legl risk if it is hel lile to other prties. In se of outsouring of tivities to thir prties, they my eome sujet to legl risks (if the responsiilities of the prties re not suffiiently ler or leglly soun), n opertionl risk (if the outsouring prty eomes epenent on n improperly mnge thir prty). In the se of outsouring to thir prty tht onentrtes the tivities for whole pyment mrket segment, system-wie risk my rise if the thir prty eomes suenly impire or unle to operte. For pyment servie proviers whose outsouring tivities re sujet to regultion (s in the se of nks), ompline risk my rise. These risks n their relevne for the sfe n smooth funtioning of the pyment system, finnil mrkets, n the eonomy hve een nlyze t length, prtiulrly y entrl nks, n pproprite priniples for their mngement n mitigtion hve een set t n interntionl level. Although in generl retil pyments o not rry systemi risk, there re ses where retil pyment systems hve een onsiere systemilly importnt. In this setion we look t the vulnerility of ertin pyment tivities to speifi tegories of risk y using mtrix representtion (see Tle 9, pp. 49-50). Our im is to ientify the types of risk to whih speifi pyment tivities re expose, ut we o not ttempt to inite the mgnitue of the risk exposure. In lter setions we will isuss ontrols tht re in ple to mitigte these risks. Before entering into etile nlysis of the risks long the proessing hin, we nee to unerline tht ertin risk tegories y nture hve generl relevne n re Pge 18

thus not represente s olumns in the mtrix. For instne, legl risk pplies to pyment trnstions n to the pyment proess s whole, n thus nnot e restrite to speifi tivities. Similrly, systemi risk my ffet the funs trnsfer systems (where lso retil pyments my e settle) ut it woul e inpproprite to tth it to speifi tivity in the proess hin of n iniviul retil pyment trnstion. The likelihoo n the severity of system-wie impt woul epen on the hrteristis of the pyment inustry s whole. Finlly, reputtionl risk is generl tegory risk tht pplies to ll tivities s eh of them, if unuly performe, hs the potentil to mge the reputtion of the pyment servie provier or ffet puli onfiene in the sfety or effiieny of the involve pyment instrument. In the mtrix we show liquiity risk, reit risk, n settlement gent reit risk. The mtrix highlights with yellow kgroun where these risks mterilize in the settlement proess (settlement risk). Outsie of the settlement proess, reit n liquiity risk is orne y vrious prties involve in pyment sheme epening on the timing of the proess, wht prty hs ustoy of funs, n on the esign of (n legl n ontrtul provisions governing) the speifi pyment instrument involve. For instne, typilly merhnt epting pyment instrument in exhnge for goos or servies is expose to reit risk unless the pyment is settle with suess in rel time or t the sme time of the elivery of the goos or servies, or unless the pyment instrument ontrtul frmework provies for its mitigtion or trnsfer to nother prty (for exmple, pyments y rs my e ssiste y gurntee provie y the r issuer or y the r sheme). In r shemes, the r issuer is typilly expose to reit risk vis-à-vis rholers of its rs. When r trnstion is properly uthorise n epte for exeution y/within r sheme, the r issuer tkes the reit risk y gurnteeing pyment to the merhnt. In the se where retil pyment is exeute using eit trnsfer orer (for exmple, iret eit) the pyee s ount my e reite in some ses efore the tul eiting of the pyer s ount in the ooks of its nk. When this is the se, n if the pyee s nk hs vne the funs to its ustomer efore the suessful finl eiting of the pyer s ount, it my e expose to liquiity risk or reit risk if the ltter (pyee) hs lrey withrwn the reite funs. In generl, prepi pyment instruments entil reit risk for the holer of the instrument vis-à-vis the issuer (suh s in se of prepi rs or e-wllets), while in se of post-pi pyment instruments it is the pyment servie provier of the pyee or the pyee itself tht is expose to reit or liquiity risk. For exmple, this hppens with post-illing pyment servies provie y ertin moile n teleommunition ompnies. This my lso hppen when pyment servie is provie in rel time to oth pyer n pyee, ut the top-up overing the speifi pyment is settle t lter stge (for exmple, PyPl pyment toppe-up y iret eit on the pyer s nk ount). As fr s opertionl risk is onerne, we represent in Tle 9 its generl spet (suh s mlfuntioning or humn error) whih is pplile to ll tivities, n opertionl risk in onnetion with t seurity n ounterfeiting. Dt seurity hs reently ttrte ttention euse numerous t rehes hve llowe unuthorize ess to sensitive t. Beuse the primry onern of t seurity is the potentil for pyments fru s well s violtion of responsiility to protet privy of ustomers, the Pge 19

olumn notes these onsequenes in its lel. Counterfeiting oes not generlly get the ttention of t seurity, ut sttistis for the Unite Sttes suggest tht in terms of its ost, fru through ounterfeiting is fr more ostly thn tht from t rehes. Cheque fru, for exmple, is estimte to ost 10 to 20 illion ollrs per yer in the Unite Sttes, sum tht is lrger thn estimtes of fru in ll other forms of retil pyments. In r shemes, the prty suffering the loss eriving from mterilistion of fru risk is etermine y the sheme s rules, n epens on numer of ftors, inluing the physil environment in whih the trnstion ws exeute (POS or r-notpresent), the time of the trnstion in se the rholer h informe the issuer tht the r h een stolen or lost, n the seurity n risk mitigtion tehniques employe y the merhnt n quirer; s rule, the loss is suffere y r holers only up to ertin mount (ut they my lso e exempte) provie they hve omplie with notifition requirements, y the r issuers if the trnstion h een uthorise n epte, y the merhnt if it h not omplie with the seurity stnrs for POS trnstions, n y the quirer in the se of r-not-present fru. Although opertionl risk is relevnt to the settlement proess, it hs prtiulr prominene for retil pyments, n we fin it useful to highlight those tivities where the pyments proess my e prtiulrly vulnerle to it. The next-to-lst olumn of Tle 9 shows ompline risk. Pyment prtiipnts n e require to omply with speifi lws, regultions, n ontrtul rrngements. In the Unite Sttes, pyments re sujet to legl requirements uner the uniform ommeril oe n regultions suh s the Feerl Reserve s Regultion E. Memers of pyment networks (ATM, ACH, online eit, offline eit, n reit r) re ontrtully oun to omply with operting n seurity stnrs set y the network. One of the most signifint reent efforts to improve t seurity in r pyments is the pyment r inustry t seurity stnr (PCI stnr). 22 The stnr ws revise in Jnury 2005 n the pyments inustry is in trnsition phse to the new stnr. Bnks tht re in the prtiipting r network re responsile for omplying with the stnr s well s ensuring tht its outsouring prtners n pyment lients omply with the stnr. Pyment prtiipnts sujet to ompline risk n fe signifint penlties if it is foun tht they o not properly follow guielines set forth for t seurity n other opertionl requirements. The lst olumn of Tle 9 is for risk ssoite with illiit use of pyments. One of the tritionl fouses of lw enforement efforts to ur illiit use of pyments is money lunering. Pyment prtiipnts, suh s nk, re sometimes require to monitor use of nk ounts n to report suspiious tivities. More reently, poliymkers hve een onerne with the use of the pyments system to fun terrorist tivities, whih is nother form of illiit use of the pyments system. A tool use to omt illiit use of the pyments system is to refully ientify n sreen new ustomers efore grnting ess to the pyments system. In the Unite Sttes, nks re now require to use more relile forms of ientifying onsumers when they open nk ounts. Bnks re lso oligte 22 The stnrs were evelope s ollortion etween Amerin Express, Disover Finnil Servies, JCB, MsterCr Worlwie, n Vis Interntionl. Pge 20

to refully ientify n sreen merhnts efore epting them s lients for pyment servies, n to monitor their ongoing use of pyments. These efforts help to keep out those who esire to use the pyments system for illiit purposes. Pyment prtiipnts tht fil to implement require guielines to ur illiit use of pyments fe the risk of penlties if their filure to omply is isovere. In Europe not only nks ut lso other prties re require y the Thir Anti Money Lunering Diretive 23 to omply with oligtions onerning ustomer ue iligene, reporting of suspiious trnstions, reor keeping n sttistil t, n to tke other supporting mesures, suh s ensuring the proper trining of personnel n the estlishment of pproprite internl preventive poliies n proeures. In Tle 9 we ssoite the vrious pyment tivities with liquiity, reit n settlement risks, with opertionl risk n its min sutegories, n with ompline n illiit use risk. We elieve there re three ro messges evient in the tle. First, settlement risk is prominent feture of retil pyments. But, though it is present, nlysts n poliymkers generlly elieve tht settlement risk in retil pyments is well ontrolle. 24 Seon, ounterfeit risk is limite to smll numer of pyment tivities. However, espite the limite impt on pyment tivities, ounterfeit risk is one of the most signifint prolems in pyments toy, ounting for most of the losses ue to pyments fru. Thir, opertionl risk is one of the most prominent soures of risk in terms of the numer of pyment tivities it ffets. Most of the risk is in prolems suh s mlfuntions n in t seurity. Assoite with the prominene of opertionl risk is ompline risk, euse imposition of rules n regultions on pyment prtiipnts is mjor ontinment tool use y regultors n pyment networks to ompel ehviour tht properly mnges opertionl risk. 25 The key to unerstning the prominene of opertionl risk is the shift of pyments towr eletroni forms. The pyment tivities n sutivities liste in the tle re ominte y proesses tht filitte or epen upon eletroni forms of messging. These proesses hve emerge s we hve opte eletroni pyments. As result the lous of retil pyments risk hs shifte towr opertionl risk. In the light of the ove results, o nonnks rise speil risk onsiertions? In the next setion we look t this question in the light of the importne of nonnks in pyment tivities s esrie in Setion 2.2. 23 Diretive 2005/60/EC of the Europen Prliment n of the Counil of 26 Otoer 2005 on the prevention of the use of the finnil system for the purpose of money lunering n terrorist finning is pplile to the finnil setor s well s lwyers, notries, ountnts, rel estte gents, sinos, trust n ompny servie proviers. Its sope lso enompsses ll proviers of goos, when pyments re me in sh in exess of 15,000. 24 This serves s reminer tht the purpose of Tle 9 is to help ientify where risk ours in the mny tivities tht unerlie pyments, not their severity. 25 This metho of ontining risk in retil pyments is ommon, in prt euse methos suh s priing for risk or insurne hve proven inequte to ring the level of risk in retil pyments to tolerle levels (see Brun et l, forthoming 2007). Pge 21

4. Impt of nonnks on risk 4.1 Risks n nonnk presene in the EU As seen in setion 2.2.2, nonnks re importnt in severl Europen ountries, n we expet their role to grow further, oth t the front-en n t the k-en, prtiulrly in those ountries where their role is still somewht more limite. Their role is most visile n seems more importnt in proessing of pyment instruments where the pre-trnstion phse is highly utomte, s in the se of rs. 4.1.1 Risks tht n e generte t vrious points long the whole proessing hin The growth of pyment instruments whih re proesse online n hrterise y rel-time uthoristion rings long usiness moel where ll the prties involve n not only the nking setor ommunite with eh other n intert. This involves more omplex mehnism with multipliity of ontt points n the issemintion of sensitive t t vrious points long the proessing hin, n the onsequent vulnerility to risks in terms of t seurity n t (privy) protetion s ny intertion point n e, in itself, wek point in the hin suitle to eing exploite y riminl to intrue the pyment network for illiit purposes. Pyments fru implies possile liility for nks even if the t ompromise enling the fru my hve tken ple t nonnk level. In this sense, nks nee to ooperte n oorinte with nonnks to properly ontrol risk throughout the proessing hin. The inustry n regultors re mking gret efforts to omt pyments fru on severl fronts, inluing regultory (the implementtion of the Pyment Servies Diretive will, inter li, filitte the use of t for pyments fru prevention purposes), n in terms of oopertion etween the puli n privte setor n mong enforement genies. As regrs the inustry, the option y merhnts of PCI omplint systems n proesses for t seurity n the implementtion of EMV stnrs re n importnt step towr mitigtion of these risks. In Europe the migrtion to EMV is progressing (Aoring to inustry reports, 58.8 perent of the pyment rs, 66.1 perent of the nk ATMs, n 51.7 perent of the point of sle terminls hve lrey een migrte to EMV in Europe. Work is progressing towr full migrtion in time for SEPA (2010). There re however signifint ountry ifferenes). 26 As fr s PCI is onerne, it ws reently reporte tht 57 perent of the surveye lrge merhnts were not omplint with t lest one PCI stnr (the perentge fell from 73 perent lst yer 27 ). In the Europen ountries where rs mrket penetrtion is less vne n still growing, s is the use of e-pyment solutions whih often rely on rs trnsfers for ompletion or top-up, these risks my not yet e prtiulrly pereive. However, these ountries my e etter positione in ensuring tht these threts re properly minimise t n erly stge of option, n well efore mturity, euse nks n nonnks (merhnts in prtiulr) re not onstrine y legy systems n my opt 26 Fru Prevention Experts Group (2007). 27 Compline-mgzin.e (2007), esse on 24.10.2007. Pge 22

iretly stte-of-the-rt n PCI n EMV omplint tehnology. There re initions tht fru is phenomenon of interntionl n in Europe, of pn-europen imension, s orgnise rime opertes from multiple lotions n exploits to its enefit the glol reh of the internet (Vulpini, 2006 n Srzin 2006). This rises n issue of interntionl oorintion mong inustry memers, regultors n enforement genies. The reently opte Pyment Servies Diretive hrmonises ompletely the regultion of liility relte to fru n exeution of unuthorise trnstions. Here the nk or nonnk nture of the pyment servie provier is not relevnt s the provisions pply to ll pyments generlly (efore notifying the servie provier of the loss or theft or fruulent use of its pyment instruments the onsumer my hve to er loss of up to 150 EUR, ut Memer Sttes my reue this p when trnsposing the Diretive into ntionl legisltion (Mrgerit, 2007)). Other risks tht re relevnt in generl n my generte from improper ontrol throughout the whole proessing hin re legl risk, reputtionl risk n, uner ertin irumstnes, systemi risk. The Eurosystem hs sttutory ompetene in the fiel of oversight of pyment systems, inluing oth pyment systems n pyment instruments, n therefore my ensure monitoring n, if require, intervention (in vrious forms, regultory, opertionl, through morl susion n inustry oopertion) ime t preserving puli trust in the sfe n effiient funtioning of pyment systems in the euro re. 4.1.2 Risks relte to settlement tivities Settlement tivities remin lrgely prerogtive of the nking setor, n in the euro re lering n settlement systems re sujet to oversight y the Eurosystem. The ft tht in some Europen ountries nonnk proessors my ply role lso t the settlement stge my point to the importne of nonnks in tivities tht re t the hert of internk trnsfers, n thus possile impt in terms of settlement risk. However, only in one se (Belgium), the nonnk ompny involve is toy lso nonnk owne. The hnge ws mostly relte to governne only, n the ompny ws n ontinues to e sujet to oversight y the Ntionl Centrl Bnk. This ensures tht its role n impt on the funtioning of the pyment systems re fully unerstoo n mnge. One issue tht my e relevnt from the point of view of settlement risk is the nture of ssets use for ishrging oligtions mong prtiipnts in four-prty r shemes. As mentione in Setion 2.2.2, in Europe there re ifferent solutions in ple s regrs the settlement stge of rs-relte internk oligtions. In some ountries (s in Frne), ntionl r trnstions re settle in the ACH or other ntionl retil pyment system. In others, they my e settle y nks ilterlly (for exmple in Austri). Furthermore, s it reltes to interntionl rs trnstions, the orresponent nking hnnel normlly is use for settling internk positions. When trnstions re settle in ommeril nk money, memers of r sheme re expose not only to reit risk vis-à-vis the other memers tht prtiipte in the sheme s multilterl lering, ut lso to the filure of the settlement gent. This risk is usully minimise y the sheme Pge 23

seleting lrge n high-stning nks s settlement gents. However, the risk nnot in priniple e rule out. Moreover, when lrge mounts re involve, or the pyment instrument is prominent one for ountry or there re no esy sustitutes, morl hzr issues my rise s the settlement gent nk my e onsiere too importnt to fil. In Europe, the ntionl entrl nks tht rry out oversight of pyment instruments usully lso oversee the ntionl r sheme n ontriute to ensuring the sfety n sounness of these pyment n the systems involve. Furthermore, the Ntionl Bnk of Belgium oversees MsterCr Europe. 28 In My 2007, the Eurosystem strte puli onsulttion of Drft Oversight Frmework for Cr Pyments Shemes (CPSs) proposing requirements whih, if oserve, woul ontriute to the sounness of CPSs. The requirements emnte from risk nlysis onute y the Eurosystem. 29 4.1.3 Creit n liquiity risks outsie the settlement stge We hve seen tht reit n liquiity risks my e relte to vrious steps in the proessing hin n the prty tht is expose to them epens on the ontrtul fetures of the speifi pyment instrument onerne. We relte these risks to the tivities involving the enrolment of ustomers n merhnts n s fr s the uring trnstions stges re onerne, the initition of the reiting or eiting of the prties ounts. In the EU, pyment servies n e provie y reit institutions, y e-money liense institutions, n y other nonnk proviers. The regultory overge of pyments servies lrgely epens on the nk versus nonnk sttus of the pyment servie provier, n its ffilition to nking group: Bnking regultion pplies to ll tivities rrie out y reit institutions, inluing those relte to the provision of pyment servies. The nks settlement usiness line is expliitly onsiere in the frmework of opertionl risk mngement n sujet to overge in the form of pitl requirements 30. As other nonnk unertkings whih elong to group inluing reit institution, nonnk proviers of pyment servies whih elong to nking group fll within the sope of supervision of the reit institution on onsolite sis, following speifi riteri of onsolition. Pruentil supervision uthorities my otin from ll unertkings within group the informtion neessry to hieve their ojetive to ssess the finnil sitution of the reit institution within the group. As fr s other nonnk front-en proviers of pyment servies re onerne, pyment servies my urrently e provie uner very ifferent onitions within the Europen Union, s shown in EC (2003) 31. Overll, the regultory provisions for the ifferent types of pyment servies vry signifintly ross the Memer Sttes, 28 ECB (2007), Blue Book 2007, Volume I, p. 78. 29 ECB (2007). 30 The revise (BASEL II) solveny requirements for reit institutions, envisges n 18 perent pitl hrge for pyment n settlement servies provie y reit institutions uner the stnrize pproh. 31 Comprtive tles of the ntionl regimes in ple in the vrious Memer Sttes re ville t http://e.europ.eu/internl_mrket/pyments/frmework/omprison_en.htm. Pge 24

rnging from no liense requirement in one ountry to the restrition of the tivity only to nks or other liense finnil institutions in nother ountry (for exmple, for money trnsmitters, in Denmrk no liense is require, in Spin there is speil liense regime for this type of tivity, while in Frne the lw requires reit institution liense with fully-flege pruentil regime). However, this is n re where gret innovtion hs een introue y the reently opte Pyment Servies Diretive. The Diretive hs in ft opene up the mrket y llowing tors other thn nks n e-money institutions to provie pyment servies, the pyment institutions, whih re entitle to provie the pyment servies liste in nnex to the Diretive. There re five tegories of servies whih enle the trnsfer of funs hnle y the users, knowing tht the funs my e withrwn y the users fter the trnstions hve een exeute: sh withrwls n eposit trnstions, trnstions from n ount or line of reit inluing r pyments, reit trnsfers n iret eits, interntionl money remittnes, trnstions using moile phones or the internet, n issune of pyment instruments n quisition of t relte to the susequent trnstions (Mrgerit, 2007). The pyment institutions will e sujet to simplifie pruentil frmework ompre to tht pplie to nks n e-money liense institutions, with the im to ensure their sfe n pruent mngement n to protet users from risks rising from pyments servies provisions. For instne, use of ustomers funs woul e sujet to limits (they only oul e use for pyment trnstions; the lne of n ount shoul not e ommingle with those of other user ounts, nor with the funs of the pyment servie provier, lthough uner ertin irumstnes the Memer Sttes or the ntionl uthorities my hoose lterntive solutions to funs segregtion, for instne proteting them from lims of other reitors of the pyment institutions in se of insolveny, or finnil gurntee). The Memer Sttes will hve to esignte the uthorities in hrge of liensing n supervising the pyment institutions. These uthorities oul onsult pyment systems overseers (the entrl nks) when grnting uthoristion, without prejuie to the Eurosystem s oversight sttutory powers. 4.1.4 Risks relte to outsouring to thir prties In the previous setion we sw tht the tivities require for proessing of retil pyments present possile vulnerility to the tritionl risks tegories long the whole proessing hin, not only t the settlement stge. Following the mssive option of eletroni ommunition n proessing tehnology in pyments proessing, there ws shift of risk relevne towr opertionl risk in its vrious forms. Does the role plye y nonnks in Europe impt on these risks trens? In those ountries where nonnk proessors n venors re lrey prominent, they hve often supporte the inustry growth n move towr stright-through-proessing (STP), whih sustntilly inreses effiieny n reues mlfuntioning relte to mnul hnling n humn error, ut inreses epeneny on utomte systems reliility. Bnks hve tritionlly een le to ontrol very well these opertionl risks when eling with pyments proessing in-house n through nk-owne proessors. From this perspetive, outsouring to ompnies tht re est equippe to grnt high levels of seurity n usiness ontinuity n signifintly ontriute to mintining the opertionl sounness of the pyments proess while reuing its ost (in ft, Pge 25

speilise proessors usully operte on lrge sle n n enefit from signifint eonomies). Through outsouring tehnil n IT-intense proesses, nks not only free up resoures tht they my evote to their ore usiness, ut ensure tht these proesses re hnle y speilise ompnies whih invest high resoures in stte-of-the-rt tehnology n onentrte speilise knowlege n skills. The vulnerility to risks inherent to the pyments proessing hin oes not epen on the nk or nonnk sttus of the proessor, ut on the wy risks re ontrolle. The relevnt regultion epens on the institutionl sttus of the outsouring ompny: Bnks re sujet to strit regultion whih ensures they ontrol risks n remin responsile for their mngement n ontinment vis-à-vis nking regultors lso when outsouring proesses to thir prties. Aoring to nking supervisory prties, outsouring remins the responsiility of the outsourer n in some ses it is sujet prior to pprovl y or informtion to supervisors. In the se of ELMIs, it is speifie tht the soun n pruent mngement, ministrtive n ounting proeures, n equte internl ontrol mehnisms they re require to put in ple shoul respon to the finnil n non-finnil risks to whih the institutions re expose inluing tehnil n proeurl risks s well s risks onnete to its oopertion with ny unertking performing opertionl or other nillry funtions relte to its usiness tivities (Art. 7 of Diretive 2000/46/EC). Regultory sfegurs regring outsouring y other nonnk proviers of pyment servies is not hrmonize t EU level, ut it will e one the Pyment Servies Diretive omes into fore: the Diretive presries informtion requirements to the ompetent uthorities n sets onitions n limits for outsouring of importnt opertionl tivities. 32 The Diretive lso speifies tht the uthorities supervising the pyment institutions woul e entitle, i.., to rry out on-site inspetions lso with ny entity to whom pyment servies tivities re outsoure In Europe, the onsolition proess implies the emergene of smller numer of lrger pyment proessors whih serve lrger shres of the pyments mrket segments. This onentrtion my ring out higher profile for system-wie risk, n n inrese epeneny of the nking setor on the nonnking setor. 4.2 Risks n nonnk presene in the U.S. 4.2.1 Comprison of nonnk prevlene to risk in pyment tivities Nonnks in the U.S. pyment system re sujet to every type of risk ite in Tle 9 n so the generl omments ove on risk in pyments pply oringly. There re some speifi sutivities tie to the enrolment of ustomers n uthoriztion of pyments where nonnks ply vitl role in ontrolling liquiity n reit risk. 32 An opertionl funtion shll e regre s importnt if efet or filure in its performne woul mterilly impir the ontinuing ompline of pyment institution with the requirements of its uthoriztion or its other oligtions uner the Diretive, or its finnil performne, or the sounness or the ontinuity of its pyment servies (Art 11). Pge 26

Nonnks re generlly present long the entire pyment proessing hin n so hve role in opertionl risk n the onsequent issues of relte risks suh s ompline, t seurity, n illiit use of pyments. 4.2.2 Risk implitions There is little quntittive informtion on the extent to whih nonnks ontriute to pyment risk in the Unite Sttes. Losses ue to fru re frequently ite mesure of pyments risk, ut there is no informtion ville tht llows n ssessment of nonnk responsiility for pyments fru. Dt rehes re wiely reporte s prolem for pyments n my serve s mesure of t seurity risk. Tle 10 (p. 51) shows n nlysis of t rehes tht hve ourre in the Unite Sttes from Jnury 2005 to April 2007. The t were ssemle y the Privy Rights Cleringhouse, whih relies on puli informtion soures. They list rehes where informtion expose woul e useful for ientity theft, whih often mnifests itself in fruulent use of some type of pyment. The informtion is suffiient to roughly ientify the setors of the eonomy where the t were ompromise. During this 28-month perio, 541 t rehes were pulily reporte. Most of the rehes 402 ourre in the seon hlf of the perio (fter April 1, 2006). We nnot onlue with ertinty tht the numer of t rehes tully inrese euse numerous new lws on notifition were implemente fter the mile of 2005, t lest prtilly using rise in pulily-islose t rehes. Still, the pulily-islose t rehes n e interprete s reveling one of two unesirle spets of retil pyments risk. Either the 139 inients reporte in the first hlf of the perio signifintly unerstte tul t rehes, or the numer of rehes inrese rpily in the seon hlf of the perio. Dt rehes ompromise nerly 154 million reors. Roughly three-qurters of the reors were ompromise in just three inients: the lrge t rehes t TJX n CrSystems, n t reh reporte in My 2006 t the U.S. Deprtment of Vetern s Affirs tht ompromise 28.6 million reors. These three inients ompromise totl of 116 million reors. Like mny mesures of risk, very few inients n ount for lrge portion of losses. Ourrenes of t rehes n ompromise reors o not neessrily go hn in hn. The nonnk pyment proessor setor ounte for only 2.5 perent of ll t rehes ut 26.5 perent of ompromise reors. This setor ws responsile for nerly 75 perent of ompromise reors in the first hlf of the perio. On this t, reevlution of puli poliy towr risk mngement for nonnk pyment proessors my e vlule. 33 The nk n finnil servies setor ounte for 9.4 perent of inients n 4.1 33 Given the flws in this t, this is tenttive onlusion tht shoul e explore further s etter t n more experiene with existing risk mngement proesses eomes ville. Pge 27

perent of reors ompromise over the entire perio. The worst lemish for nk n finnil servies ws the 10.7 perent shre of reors ompromise in the first hlf of the perio. However, the shre fell to only 0.6 perent in the seon hlf. Importntly, Tle 10 revels tht lrge numer of t rehes hve ourre in eution, retil, helth re, n government setors. These four setors together ount for 77 perent of t rehes in this prtiulr perio. Dt rehes in the eution n helth re setors ount for only 3.2 n 0.8 perent of ll reors ompromise, so these rehes ten to revel smll numers of reors. The retil n government setors hve een hit with rehes tht hve revele lrge numers of reors. However, given tht t rehes tht revel lrge numers of reors re rre, we nnot ssume tht it is unlikely tht the eution n helth re inustries will e vitim of lrge t reh. Any inustry tht stores signifint mount of sensitive t is n ttrtive trget for hkers. The eution, retil, helth re, n government setors re not normlly ssoite with the U.S. pyments system. However, to the extent tht sensitive informtion is useful to mking fruulent pyments, these setors my e importnt to efforts to reue the vulnerility of the pyments system. 34 4.2.3 Puli regultion n oversight of pyment risk mngement in the U.S. Puli poliy towr risk mngement in pyments hs enompsse onsumer protetion, t seurity, pruentil supervision, n lw enforement. 35 Tle 11 (p. 52) esries these res of onern, their legl sis, n other etils of regultion n enforement. The extent n omplexity of puli involvement vry ross elements of the pyments proess (from initition to finl settlement), institutionl spets of the pyments inustry, n the legl issues tie to pyments. As shown in the lst olumn of Tle 10, nk n nonnk pyment proviers fe ifferent oversight regimes in the re of t seurity n pruentil supervision. For exmple, the Grhm-Leh-Bliley At of 1999 set t seurity requirements for finnil institutions n therefore pplies to pyments t. If nk outsoures pyment proessing to nonnk, then the nonnk is sujet to the sme t seurity stnrs s nks. There is no similr feerl t seurity requirement for nonfinnil institutions. To some extent, the Feerl Tre Commission (FTC) hs fille this gp y enforing t seurity stnrs for retilers n other orgniztions. The FTC views rehes of pyments t seurity s n unfir n eeptive usiness tivity. In ses of rehes of pyments t, it hs rehe settlements with firms s iverse s retilers, pyment proessors, n softwre evelopers. 36 34 How importnt prtiulr eonomi setors re regring t rehes n pyments risk requires itionl reserh into the true unerlying risk ross eonomi setors. Feerl n stte islosure guielines, for exmple, re not uniform. If islosure stnrs were not equl, then t ross setors or sttes my not e omprle. In ition, expose reors ross setors my not e eqully useful for misuse. Dt from the nk n finnil servies or the nonnk pyments proessing setors my e prtiulrly useful in perpetrting pyments fru ompre to tht of other setors. 35 Another importnt re of oversight is systemilly importnt pyments systems, whih is governe in the U.S. y the Feerl Reserve System s Poliy on Pyments System Risk (2007). 36 Exmples inlue the retiler DSW, the reit geny ChoiePoint, n softwre venor Guine Softwre. Pge 28

4.2.4 Supervision n regultion The ifferene in pruentil supervision of some nonnk pyment proessors n e tre to enling legisltion tht reognizes the speil nture of nks n esire to limit the extension of nk-like oversight to nonnk entities. As result, oversight of some nonnk pyment proviers tht re susiiries of finnil institutions is onute uner the sme supervisory proess pplie to the nking orgniztion. Pyment proviers tht re ompletely inepenent of finnil institutions ut re in n outsouring reltionship with finnil institutions re supervise uner n lternte regime. In ition, some lrger nonnk pyment proviers tht re nk ffilite re lso supervise uner the lternte regime. 37 Selete nonnk pyments proviers re overseen y the sme genies tht supervise finnil institutions. Supervision of pyment proviers is onute within roer progrm tht oversees tehnology servie proviers (TSPs). The TSPs offer wie vriety of tehnology servies, n some (ut not ll) servies re relte to pyments. A risk evlution of iniviul TSPs ientifies those tht woul ome uner the supervisory progrm n etermines the time frme for exmintion n monitoring tivity. 38 At yer en 2004, 125 TSPs were supervise (Tle 12, p. 53). Both nk-ffilite n inepenent TSPs re in the progrm, ut twie s mny inepenent TSPs re supervise. Core proessing (omputer proessing of generl leger ounting n of informtion systems), offere y 68 of the supervise TSPs, is the single most importnt line of usiness. 39 But pyments re importnt to these TSPs, with nerly 70 perent offering t lest one type of pyment proessing servie. While the lrgest inepenent pyments proviers re proly represente in the TSP supervision progrm, it oes not over ll TSPs tht offer pyments servies. For exmple, fter 2005 seurity reh t pyments proessor, news stories reporte the existene of roughly 500 ompnies tht proess reit r pyments. 40 But t most 87 pyments proessors were supervise t yer en 2004 (Tle 12). One reson tht mny nonnk pyments proviers re not supervise is tht the enling legisltion is suffiiently nrrow to exlue mny signifint pyment proviers. In prtiulr, inepenent TSPs must e in n outsouring reltionship with nk to e eligile for supervision. But mny pyment proviers re ustomers of nks. For exmple, PyPl or Ceriin Corp. originte mny pyments n pss tht informtion to nks for further proessing. 41 In this instne the origintor is purhsing pyment 37 Sullivn (2007). Whether prtiulr pyments provier is supervise is not pulily ville informtion. 38 FFIEC (2003). 39 Business tivities shown in Tle 4 re se on informtion provie y exminers. Exminers o not expet tht these reports woul e sujet to sttistil nlysis n therefore the ompleteness of the reporte lines of usiness is unertin. However, it seems unlikely tht ny misreporting woul e ise regring pyments tivity n so the reltive position of nk versus nonnk pyments proviers shoul not e misleing. 40 Dsh (2005). There is no omprehensive t soure tht woul show the numer of ompnies tht provie pyment servies to finnil institutions. 41 If they o provie outsoure servies to nks, these orgniztions my e eligile for the TSP supervision progrm. Pge 29

servies from the nk. A similr reltionship exists etween nks n quirers of POS trnstions or origintors of mny ACH trnstions. As suh, risk mngement vi iret supervision is urrently not n option for these elements of the U.S. pyment network. There re two ftors tht my mke pruentil supervision of nonnk pyment proviers in the Unite Sttes weker thn supervision of finnil institutions. First, the purpose of TSP supervision is not the survivl of the TSP or the viility of its usiness moel. 42 Rther, the TSP supervision progrm is trgete s servie to the supervisors of epository institutions. It is useful euse exminers of epository institutions hve resoure tht they n rw upon to unerstn the risks tht n outsouring reltionship might pose for the epository institution. A TSP exmintion seeks to ensure tht there is ontrol environment tht equtely resses these risks. Protetion of the pyments system is seonry, though importnt, onern of pruentil supervision. Seon, supervisory genies n exmine inepenent pyment proviers ut hve limite enforement power if they fin weknesses t the orgniztion. Enforement powers over finnil institutions inlue voluntry greements, ese n esist orers, removl or prohiition of iniviuls from n institution or the inustry, ivil money penlties, termintion of eposit insurne, ppointment of nk onservtors, n ivestment of tivities. 43 Enforement powers over inepenent pyment proviers inlue only voluntry greements n prohiitions on finnil institutions from oing usiness with the servie provier. 4.2.5 Oversight of the U.S. pyment system The Feerl Reserve hs responsiility to oversee the pyments system y monitoring pyments systems, ssessing them for sfety n effiieny, n inuing hnge when neessry. 44 The Feerl Reserve System issue its Poliy on Pyments System Risk to provie guine on priniples n minimum stnrs for mnging risk in systemilly importnt pyments systems. 45 While ime primrily t wholesle, lrge-vlue pyment systems, it is lso relevnt to retil pyments systems. The Feerl Reserve pplies these stnrs to the retil pyments systems (ACH n heques) tht it opertes n where it hs expliit supervisory uthority over finnil institutions tht operte lering n settlement systems. The Feerl Reserve lso prtiiptes in ntionl n interntionl poliy proesses tht set stnrs for operting n ontrolling risk in pyments systems. The uthority of the Feerl Reserve System to oversee pyments, however, is limite. Reently Chirmn Ben Bernnke stte tht [i]n ontrst to the sitution in some other ountries, the Feerl Reserve lks expliit legl uthority to oversee systemilly importnt pyments systems. 46 Feerl Reserve exminers n review 42 Feerl Reserve Bor (2000). 43 Spong (2000). 44 Committee on Pyment n Settlement Systems (2005). 45 Feerl Reserve Bor (2007). 46 In ition, Chirmn Bernnke stte tht Feerl Reserve powers in this re erive to onsierle extent from its nk supervisory uthority. Notly, some key institutions proviing lering n settlement servies hol nk hrters tht ple them uner Feerl Reserve oversight...the Fe is lso either the iret or umrell supervisor of severl lrge ommeril nks tht re ritil to the pyments system Pge 30

pyment tivities of the nks in its jurisition n they lso prtiipte in the TSP supervision progrm. Feerl Reserve uthority to set regultions lso hs importnt influene on some opertionl spets of pyments n on inentives to ontrol risk y etermining liility in ses of fru n opertionl isruptions. But neither the Feerl Reserve, nor ny other feerl geny, hs expliit uthority to mnge retil pyments risk from system perspetive. 4.3 Chnging risk profiles: implitions of rising nonnk presene for risk The risk profiles of pyment systems (n the risk mitigtion tehniques employe to minimize exposure to them) my hnge over time, following the introution of new usiness moels, the restruturing of usiness proesses, the reorgniztion of systems, or simply the introution of new tehnologies n the option of innovtive mens of ommunition. In prtiulr, the reent use of open ommunition networks for the trnsmission n storge of pyment relte informtion (inluing sensitive personl t) hs ffete ll pyment systems. Beuse the pe of hnge hs elerte, risk tegory tht is prtiulrly relevnt for retil pyment instruments is reputtionl risk, ue to the reline on puli trust for their eptne. In ition, t seurity risk, fru risk n ounterfeit risk for e-money hve eome more prominent. This setion resses the question of how the wiespre n rising presene of nonnks in retil pyment proessing ffets risks tht re normlly present in pyment systems. Inlue re exmples of inients involving nonnks tht in theory oul hve ffete the sfe funtioning of pyments systems n pyment shemes or ffete puli onfiene in pyment instruments. Aess to pyment systems tritionlly hs een restrite, t lest in prt, to nks n other intermeiries tht re sujet to pruentil supervision. One reson is to reue risk exposures tht my emerge mong pyment systems prtiipnts uring the lering n settlement proess (typilly in retil pyment systems). Another reson is tht the ounts use y nks to settle reiprol pyment oligtions (s prinipls or on ehlf of their ustomers) re ounts hel either one-with-nother (nostro n loro ounts, s in orresponent nking) or with one entrl institution tht serves lrger nking ommunity. Exmples of suh entrl institutions re entrl nks, whih hve long trition of estlishing n operting pyment systems for the nking setor. Both self-interest n regultion hve le nks to evelop strong sfegurs ginst illiit intrusion in their informtion tehnology systems n networks. The rising importne of nonnks n the multiple roles they ply oth t the fronten n k-en of the pyments hin hs hnge this tritionl setting. In some wys, nonnks ontriute to n inrese in the relevne of ertin risks. In other wys, nonnks erese the relevne of other risks or filitte the ontinment of risks. Nonnk presene my inrese the vulnerility of pyment systems to ertin risks. This my hppen in t lest three wys. First, on the simplest level, nonnks pose risk euse they my offer lterntive points of entry for riminls into the pyments system, prtiulrly in the erly stge of through their lering n settlement tivities (Bernnke (2007)). By ontrst, the Bnque e Frne hs ro power to oversee nonsh pyments; see Europen Centrl Bnk Oversight Division (2007, p. 21). Pge 31

the introution of new pyment solutions. One exmple of this kin ourre in 2000, when two iniviuls use unuthorize ess to Internet servie proviers (ISPs) in the Unite Sttes to mispproprite reit r, nk ount, n other personl finnil informtion from more thn 50,000 iniviuls, hijke omputer networks n then use the ompromise proessors to ommit fru through PyPl n the online ution ompny eby. 47 Sine this inient, PyPl hs een suessful t improving its t seurity n fru etetion systems. 48 Seon, n more roly, nks tritionlly t s gtekeepers to the pyments system. When nks outsoure pyment proessing servies to nonnks they provie nonnks with e fto, tehnil ess to the pyments systems tht my inrese vulnerility to vrious soures of opertionl risk. Tritionlly, nks hve mnge these reltionships to reue this risk, ut inients my mterilize, s shown y reent exmple: the U.S. ompny CrSystems, In. experiene reh of its omputer system in 2005 tht expose 40,000,000 reors of trnstions with 263,000 reors stolen. Creit r ssoitions etermine tht CrSystems violte their seurity n reor retention stnrs n, s result, Vis hose to refuse trnstions from CrSystems. At the eginning of 2007, nother mjor t reh ourre t the lrge retiler group TJX, whih opertes over 2000 stores in vrious ountries, inluing the UK n Ireln. The reh expose more thn 90 million r ount numers. Losses to nks n other issuers hve een estimte t etween 68 million n 83 million USD for the 65 million Vis ounts expose lone (Kerer, 2007). In the perio etween en June 2004 n Novemer 2006, the MsterCr Stop-It servie to omting phishing resulte in ientifying 3,743 phishing/spoof sites, 99 perent of whih were tken own y the en of Novemer. The servie lso etete 1,334 ring/e-ommere sites (we sites where riminls sell rs t), of whih 95 perent were shut own within 24-48 hours, n ientifie 54,653 unique MsterCr ount numers for sle/tre. 49 Aoring to Vis Europe report on ount t seurity in 2005 there were 91 inients (one every four ys), n there were severl hks involving Europen quirers n merhnts. This resulte in over 1 million rs expose, n the ost of fru mounte to USD 30 million (Litts, 2006). Although these exmples point out tht riminls ttempt ttks on n inresingly lrge sle through IT tehnology, the tul level of fru n e onsiere low (for instne, oring to Vis Europe Annul Report 2006, the fru to sles rtio ws 0.069 perent of totl POS spening). Another inient involve t rehes relte to unloyl stff of outsouring ompnies. For instne, UK journlist reporte tht he ws le to uy etils out 1000 UK ustomers from Delhi ll entre worker, for GBP 4.25 eh, sying tht oth rs reit numers n ount psswors were for sle. 50 In ition to outsouring, very similr risk my rise when nks sell pyments servies to nonnks. Bnks mitigte this risk with know-your-ustomer prties tht llow nks to etet ttempts to exploit pyment servies n rry out illiit tivities. 47 U.S. Deprtment of Justie (2002). 48 Cox (2001); Grver (2005). 49 Ates (2006). 50 M Kenn (2005). Pge 32

An exmple of nk liility for improper monitoring of pyment servies provision to nonnk ustomer ws reporte in the Unite Sttes in 2003, when the Feerl Tre Commission issue press releses explining how it h lose own severl ompnies (the Assil Telemrketing Network n ffilites) tht engge in fruulent telemrketing tivities. Assil use the ACH servies of First Premier Bnk; the nk mitte tht it h file to perform ue iligene on the tivities n legitimy of its ustomers (ut it i supply informtion to the investigtive genies); the nk lter pi $200,000 in fines s prt of wier settlement n gree to vigorously engge in knowyour-ustomer tions n ongoing monitoring of ustomer tivity. 51 To limit suh risks, nks must sreen n unerstn potentil nonnk lients n servie proviers, exeute ontrts tht elinete responsiilities n liilities, n monitor the usiness tivity n internl ontrol environment of the nonnk. While this risk is not new to nks, the iffiulty fe toy is tht the pyment system gtekeeping funtion my e more of hllenge euse estlishe methos of sreening n monitoring my e inequte given the evelopment of new pyment types n emergene of new types of usiness (suh s online retilers). Moreover, this gtekeeping funtion my hve eome more ritil ompre to the pst euse of the omplexity of the omputer tehnology involve, whih n e exploite in mnner tht is fst, n e sle to lrge vlues, n n e iffiult to etet or tre. Thir, in some ses nonnks ply key role for the funtioning of n entire retil pyment system, either euse they run the infrstruture use y it, or euse they e fto onentrte the proessing for n entire retil pyments mrket segment. Uner these irumstnes, nonnk presene my hve implitions t the system level. While onentrtion is often the nturl onsequene of the huge sle eonomies present in the pyment inustry, it lso mkes these key servie proviers potentil single point of filure tht oul trigger lrge sle isruption. 52 For exmple, the interntionl reit r system relies on very few rs shemes. A mjor isruption t key plyer my hve the potentil to impir the ility of millions of ustomers in severl ountries to mke r pyments. Depenenies of nks on externl nonnk prties/networks other thn outsouring ompnies hve lso inrese, not only in terms of usiness reltions ut lso in terms of pility to mitigte risks. For instne, oopertion of pyment servie proviers with Internet proviers is key to omting pyment fru vi IT systems in terms of promptly shutting own fruster we sites n phishing sites. Nonnk thir-prty proessors my lso suontrt to other nonnks n one possile issue is how risk relte to tivities tht re suontrte is ontrolle, espeilly euse in se of prolems nks my fe ompline risk s well s the ultimte reputtionl risk with users of pyment instruments. The ove isussion points out tht nonnk ess to pyment systems my entil some risks. Furthermore, suh risks my e exerte y the tren towr eletroni pyments, s eletroni pyment networks require high egree of simultneous oorintion mong ll prtiipnts, with n inrese nee for oopertion etween nks n nonnks. In priniple, this is not iretly relte to the nonnk sttus of the 51 Iow Attorney Generl, (2005). 52 MPhil (2003). Pge 33

new servie proviers, ut rther to the ft tht the presene of mny ifferent entities in pyment network omplites its esign, its funtioning, the sequene n exeution of trnstions, n the regultion n implementtion of seurity stnrs. Nonnks hve een very tive in introuing new ess molities to tritionl nk pyment servies, n in filitting the onversion of one pyment instrument into n eletroni formt tht llows its proessing in the infrstrutures tht originlly where esigne for other pyment instruments. This innovtion hs use some lurring of the lines etween pyments hnnels. Vrious U.S. pyment hnnels, for exmple, re eoming less istint. Most visily, some heque pyments re now eing onverte into ACH pyments. But there re other hnges tht mke the lines etween pyments systems less ovious. The ACH system is eveloping its systems to e more n more useful for retil pyments. The ACH is lso eing use for some signifint lrge-sle pyments, suh s the settlement of pyments rising from the reit rs networks. A useful onept for resilieny in the pyments system is reunny: if one hnnel hs prolems, users my e le to get y using nother hnnel until the prolems re solve. But euse of the interepenene of pyments hnnels, the level of reunny my hve erese, with verse effets on servie ontinuity. The extension of pyments systems to new uses lso inreses potentil for ross-hnnel risk. For exmple, riminls typilly exploit weknesses in the pyments system. If one pyment hnnel improves its seurity, riminls will proe other hnnels s lterntives. This my explin why fru ttks onentrte on innovtive pyment ommunition networks n o not seem to ttempt the reltively more isolte n protete typil trnsmission networks suh s SWIFT. It shoul e note tht nonnks lso ring new tehnology n perspetives tht n signifintly ontriute to reuing risk in the pyments system. For instne, outsouring some seurity-relte tivities like ustomer uthentition to speilize firms my result, in priniple, in etter mngement y the outsouring nks of ertin threts to pyments seurity n, thus, in n improvement of the risk mitigtion tehniques they employ. Furthermore, the pyments inustry s whole enefits from the option of innovtive proess esigns for tritionl pyment instruments. For exmple, the overll level of reit risk exposure my erese y the option of online rel-time ontrols of funs or reit limit overge for sumitte pyment instrutions. Nonnk servie proviers re proposing to the inustry signifint innovtive tehnologil solutions, suh s iometri uthentition, whih my reue fru exposure. This my however ring out more omplex proessing moels, n inrese the profile of exposure to opertionl risk in its vrious forms. Dt seurity risk, fru risk, n reputtionl risk hve eome more prominent with the inrese ourrene of fru ses. Risk of intrusion (outsiers, hkers ttks) hs inrese, ue to higher numer of ontt points/links/interfes etween internl systems n open networks n inrese lol storge of pyment sensitive t tht my e use in remote pyment initition. In reent yers, pyment fru y using IT systems or IT-ompromise pyment t llowing flse uthentition n illiit exeution of pyments is onsiere to hve inrese in most Europen ountries, lthough omprehensive n omprle sttistis re not yet ville. In prtiulr, it is elieve tht in generl the orgnise rime hs shifte its ttention from ttks ime t iniviul users of e-nking n e-pyment solutions to the more potentilly effetive Pge 34

hking of t wrehouses (in terms of possiility to hieve mss t ompromise). The UK hs more vne effort to sttistilly monitor pyment fru. Even though the UK is not inlue in our survey, their figures my provie generl ie of the size of the potentil losses involve. UK uthorities hve lulte tht the losses resulting from pyment rs fru mounte in 2004 to GBP 504.8 million (out EUR 740 million). Of this mount, out 30 perent erive from r-not-present trnstions (GBP 150.8 million, or EUR 221 million) n nother 25 perent from ounterfeit rs, mnufture from skimme t or y r loning tehniques (GBP 129.7 million, or EUR 190 million). 53 Efforts to mitigte fru-relte threts hve een suessful, thnks to progress in tehnology for enryption, ientifition n uthentition, n to signifint inustry efforts suh s the migrtion to hip/pin rs n the use of smrtrs. However, s solutions re implemente to omt speifi thret, frusters evise new methos of exploiting other weknesses. In the UK the suessful option of hip n PIN rs le to erese in fru losses, n in 2006 the totl losses h eline to GBP 428 million (out EUR 627 million). In prtiulr, there ws 23 perent eline in ounterfeit r losses. However, this ws ompnie y strong inrese in r-not-present fru (up 40 perent from 2004). Thus, fru in the eletroni worl is moving trget n requires onstnt monitoring of IT threts employe t the expense of the finnil setor n of the pyments inustry in prtiulr. Reent evelopments in retil pyments systems hve rise onerns tht mrket fores my not equtely ontrol risk euse of greter reline on eletroni pyment networks n the ssoite inrese in nonnk pyment proviers. The primry issue is tht n iniviul prtiipnt in n eletroni pyment network hs inentive to implement risk ontrols tht reflet privte osts n enefits. But the interrelte nture of prtiipnts in the pyments network implies tht some enefit of iniviul risk ontrol rues to other network prtiipnts. This implies tht the soil enefits of implementing risk ontrols will e greter thn the privte enefits. From soiety s point of view, without some form of poliy interferene in the pyments mrket, insuffiient resoures my e pplie to ontrolling risk in pyments. 54 There re mny exmples of seurity inients t one point of the pyment system using prolems elsewhere in the system. Bnks hve een fore to reissue their pyments rs euse of unuthorize ess to t elsewhere in the pyments system. Merhnts re expose to hrgek expenses euse riminl uses ounterfeit r. Consumers hve een vitims of pyment fru tht results in signifint out-of-poket expenses. Nonnk proessors er the expense of upgring the seurity of their pyments infrstruture. In the en, ll prtiipnts in the pyments system re expose in some mnner. Insuffiient inentives to mnge risk in the pyments system my ontriute to these prolems. However, it is iffiult to know the severity of inentive prolems. Selfinterest will le to some risk mngement efforts y ll prtiipnts in pyments. Moreover, if everyone in the pyments system mnge risk in soilly optiml 53 Fru Prevention Expert Group (2007), Report on Ientity theft n fru, ville t e.europ.eu/ internl_mrket/fpeg/inex_en.htm. 54 Bnk of Engln (2000), p. 172. Pge 35

mnner, we woul still oserve some mount of seurity prolems n pyments fru. As result, lne puli poliy towr mngement of risk in pyments seems wrrnte. Efforts y privte inustry to mnge pyment risk shoul e enourge n supporte. Crefully esigne regultions n help oorinte inustry efforts n mintin inustry stnrs. Lws n riminl penlties n eter fru n other misuse of the pyments system. Finlly, the importne of onfiene in the overll pyments system-- puli goo--shoul not e unerestimte. 5. Conlusions n losing remrks In this pper we hve reviewe the role plye y nonnks in the retil pyments inustry, oth s front-en n k-en proviers of servies. We ssess this role s eing prominent in the Unite Sttes n high in severl of the surveye Europen ountries. In the Unite Sttes, this is true ross ll pyment instruments n long the entire proessing hin. In Europe, this is true for rs in most ountries n, in some ountries, for most pyment instruments, lthough there re ifferenes onerning ntionl preferenes in the use of ertin pyment prouts, s well s in ville t. In Europe, for some pyment instruments, little informtion is ville, prtiulrly for pyment instruments tht re not wiely use or whose use is elining. We onlue tht the role of nonnks hs mrgin for further growth in Europe, riven y the SEPA projet, the restruturing n onsolition of the pyments proessing inustry, n the growth of pyment instruments whose proessing moels rely more hevily on thir-prty proessors (for exmple, rs, whih imply rel-time uthoristion n interply mong the prties involve in the sheme). Cr trnstions re growing signifintly in Europe, prtiulrly in those ountries where mturing pyment instruments re eing reple with eletroni-se pyments. Finlly, hnges in the regultory environment will soon llow nonnk front-en pyment servie proviers (the pyment institutions) to operte within Europe in hrmonise frmework, n their role is expete to inrese. Next, we nlyse the risk tegories tht re most relevnt for retil pyments n showe tht, while some of them (legl risk, reputtionl risk, n systemi risk) re of generl nture, others my e ssoite iretly with speifi tivities long the pyments proessing hin. Due to the option of vne tehnologies n more omplex proessing n usiness moels (hrterise y the interply of numerous prties, IT systems, n tses), we foun tht some tegories of risk hve eome more prominent. This is prtiulrly the se with opertionl risk in its vrious forms (mlfuntioning, t seurity, n fru), n ssoite reputtionl risk. Evluting how these evelopments impt the nture n lne of risks etween nks n nonnks n the multiple roles they ply, we onlue tht ontrolling for risk my hve eome more hllenging in the new environment. First, nonnks inresingly hve gine ess to pyment systems (iretly, or iniretly in the form of tehnil ess following outsouring), n the resulting more omplex networks of systems, reltions, n intertions require higher egree of oorintion mong prtiipnts. The regultion n implementtion of seurity stnrs, for exmple, my hve eome more omplex, n ifferent inentives n Pge 36

interests my nee to e reonile. In priniple, unless sfegurs re in ple, heightene nonnk presene oul present new points of entry for riminls into the pyments system. Looking to the future, s new tehnologies re introue n new ontt points n plyers enter the piture, new potentil vulnerilities my nee to e resse. For exmple, vulnerilities in WiFi ommunition networks oul present new seurity hllenges, n telephone mlwre oul e use to spre viruses to onsumer pplitions n to gin ontrol of pyments t store in ell phones or t wrehouses. These re just exmples to show tht the more ontt points there re etween networks n users n the more omplex their funtioning, the more hllenging is risk ontrol. Seon, the tren towr using given pyment infrstruture for ifferent pyment instruments (for exmple, onverting one pyment type into nother for esier proessing, or introuing pyment instruments tht present fetures of other instruments), inreses potentil for ross-hnnel risk. For instne, riminls my ten to fous ttks on more-reently opte open networks inste of nk-ontrolle proprietry networks. If riminls re le to mispproprite uthentition n uthoristion t n proeures, they my e le to sumit pprently orret instrutions to nks n into the pyment system. The result woul e fru, with the ultimte ost, in terms of oth finnil ost n reputtionl mge, orne in mny ses y nks. Thir, to the extent nonnk proessors onentrte lrger shre of pyments in ertin mrket, system-wie impt of isruption t key plyer is possile. While some of these risk issues o not originte from the nk or nonnk sttus of pyment servie proviers, their ontrol my e more hllenging euse the implementtion of risk sfegurs, prtiulrly those introue y regultion, my e esigne n enfore strting from the ssumption tht pyments sfety epens on nks. These moels my in some ses nee to e reonsiere or omplemente in light of the inrese importne of nonnks. In Europe, for exmple, the regultory frmework for nks n nonnks proviing pyment servies hs een hrmonise oth t the front-en n k-en. Furthermore, the Eurosystem hs ler sttutory ompetene in oversight of pyment systems n my tke tion in vrious forms, if eeme pproprite, to sfegur the sfety n effiieny of pyment systems, s well s puli onfiene in the pyment instruments, irrespetive of the nk or nk-nture of the entities involve. We lso note tht nonnks n some of the tehnologies they hve introue into pyments proessing hve in mny instnes ontriute to reue exposure to vrious soures of risks. Suh ontriutions shoul not e unerestimte, s they support nks n other nonnks efforts towr reuing opertionl risk n fru risk, in prtiulr. Given the glol reh n open-ess nture of mny of the tehnologies urrently eing utilise in pyments networks, inrese oopertion mong nk n nonnk supervisory uthorities, n mong nk n nonnk inustry plyers performing funtions t vrious stges of the pyments hin, woul e pproprite, not only t the omesti level ut, inresingly, t the interntionl level s well. Finlly, we note tht mny of the oservtions n onlusions in this pper re neessrily preliminry. Refleting the lk of omprehensive n omprle t, we Pge 37

oul not ssess the severity of the vrious risks tegories, nor the net overll effet on pyments sfety. Although efforts re eing me y oth the privte n puli setors, prtiulrly s regrs the relevne of fru risk, this is n re where more reserh is lerly wrrnte. As regrs the role of nonnks in Europe, the nlysis of this pper oul e omplemente one more etile n omprle t for the surveye ountries were ville. This stuy hs fouse primrily on the euro re. A more omplete ssessment of nonnks role in Europe woul require t for the remining Europen mrkets. Pge 38

REFERENCES Ates, E. (2006). Pyment r fru The involvement of orgnise rime, presenttion elivere t the EC High Level Conferene on Fru, Brussels, 22-23 Novemer. Atos Origin (2007), Atos Origin Hlf Yer Report 2007. Bnk of Engln. 2000. The Bnk of Engln s Oversight of Pyment Systems, Finnil Stility Review (Deemer), p. 173. Bsel Committee on Bnking Supervision (2000), Priniples for the Mngement of Creit Risk, Bnk for Interntionl Settlement. Berry, Kte n Dvi Breitkopf. (2006). Big Step for Vis My Prove Bigger For Inustry; Merhnts Gin More Clout; Assoition Moel Fes Further, Amerin Bnker, Otoer 26. Bernnke, Ben S. (2007). Centrl Bnking n Bnk Supervision in the Unite Sttes. Remrks given t the Allie Soil Sienes Assoition, Jnury 5, ville t www.feerlreserve.gov/oros/speehes/2007/20070105/efult.htm. Brfor, Terri, Mtt Dvies, n Sturt E. Weiner (2003). Nonnks in the Pyments System. Feerl Reserve Bnk of Knss City, ville t www.knssityfe.org/ pulit/psr/bksjournartiles/nonbnkpper.pf. Brun, Mihele, Jmie MAnrews, Willim Roers, n Rihr J. Sullivn. (forthoming 2007). The Eonomis of Mnging Risks in Emerging Retil Pyments. Feerl Reserve Bnk of New York Eonomi Poliy Review, ville t www.newyorkfe.org/reserh/epr/forthoming/0711ru.pf. Centre for Centrl Bnk Stuies, Bnk of Engln, Hnooks in Centrl Bnking, Pyment Systems, no. 8. Committee on Pyment n Settlement Systems. (2003). A Glossry of terms use in Pyment n Settlement Systems, Bnk for Interntionl Settlement (Mrh), ville t www.is.org/pul/pss00.htm.. (2005). Centrl Bnk Oversight of Pyment n Settlement Systems, Bnk for Interntionl Settlement (My), ville t www.is.org/pul/pss68.pf. Compline-mgzin.e (2007). Viele Unternehmen erfuellen PCI-Regeln niht, 24 Septemer 2007, esse on 24 Otoer 2007. Cox, Pul. 2001. PyPl n FBI Tem Up. Wll Street Journl, June 22. Pge 39

Corone, Niol (2004), SiNSYS: the irth of the new pn-europen relity in r proessing, in Giorgio Pifii n Pierugusto Pozzi, es., Money-on-line.eu Digitl pyment systems n smrt rs. Miln: Frno Angeli. Dsh, Eri. (2005). Tke Numer, The New York Times, July 30. Europen Centrl Bnk (2005), Report on retil pyment innovtions 2005. Frnkfurt m Min, Germny. (2006), Blue Book 2007, Pyments n Seurities Settlement Systems in the Europen Union, Aenum Inorporting 2006 Dt, Deemer.. (2007). Consulttion nnounement: oversight frmework for r pyment shemes, Press Relese, n Drft oversight frmework for r pyment shemes, 3 My 2007.. (2007). Blue Book 2007, Pyments n Seurities Settlement Systems in the Europen Union, August. Europen Commission (2006), Commission Stff Working Doument on the Review of the E-Money Diretive (2000/46/EC), Commission of the Europen Communities. SEC(2006) 1049,19.07.2006, Brussels: Belgium. Europen Commission (2003), Comprtive Tles of Ntionl Rules, ville t e.europ.eu/internl_mrket/pyments/frmework/omprison_en.htm. Europen Centrl Bnk Oversight Division n Feerl Reserve Bnk of Knss City Pyments System Reserh Deprtment. (2007). Nonnks in the Pyments System: Europen n U.S. Perspetives. Pper presente t the Feerl Reserve Bnk of Knss City Conferene on Nonnks in the Pyments System, ville t www.knssityfe.org/publicat/psr/proeeings/2007/pf/rosti_weiner.pf Feerl Finnil Institution Exmintion Counil. (2003). Supervision of Tehnology Servie Proviers, IT Exmintion Hnook, Mrh. Feerl Reserve Bor. (2000). Informtion Tehnology Exmintion Frequeny, Supervision n Regultion letter SR00-3 (SUP), Ferury 29.. (2007). Feerl Reserve Poliy on Pyments System Risk. Aville t www.feerlreserve.gov/pymentsystems/psr/poliy07.pf. Fru Prevention Expert Group. (2007). Report on ientity theft n fru. Aville t e.europ.eu/internl_mrket/fpeg/inex_en.htm.. (2007). Drft Minutes of the 12 th Meeting, 27 June 2007. Aville t e.europ.eu/internl_mrket/fpeg/inex_en.htm. Pge 40

Grver, Ro. 2005. "eby n Bnking: Is PyPl Serious Rivl? Amerin Bnker, Novemer 15. Iow Attorney Generl. 2005. First Premier Bnk Agrees to Deny Automti Withrwl Servies to Telemrketing Sms, July 6, ville t www.stte.i.us/ government/g/ltest_news/releses/july_2005/first_premier.html. Litts, R. (2006). Fru prevention hllenges fter the hip r migrtion, presenttion elivere t Seminr on pyment fru in the EU Memer Sttes, the EU Aession Countries & other Europen ountries, Brussels, 8 9 Mrh 2006. Aville t e.europ.eu/internl_mrket/pyments/os/fru/tiex_seminr/litts1st.pf. MKenn, B. (2005). Creit r etils in the ler n up for sle in Ini, Network Seurity, July. Mrgerit, V. (2007). The Pyment Servies Diretive, Bnque e Frne Bulletin, August 2007. Msi, Pol (2004), The Evolution of Eletroni Pyment Systems n Instruments, in Giorgio Pifii n Pierugusto Pozzi, es., Money-on-line.eu Digitl Pyment Systems n Smrt Crs. Miln: Frno Angeli. Moeller, Götz (2006), Outsouring Pyment Trnstion Proessing in SEPA Environment, Journl of Pyments Strtegy & Systems, 1: 71-86. Mzzi, G. B. (2007). Developing suessful strtegies n inresing profitility in SEPA environment, presenttion elivere t the EFMA Crs n Pyments Conferene 2007, 18 Septemer, Pris. MPhil, Kim. 2003. Mnging Opertionl Risk in Pyment, Clering, n Settlement Systems, Working Pper 2003-2, Deprtment of Bnking Opertions, Bnk of Cn, Ferury. Rosti, Simonett n Stefni Seol (2006), Explining Cross-orer Lrge-vlue Pyment Flows: Eviene from TARGET n EURO1 Dt, Journl of Bnking & Finne, 6: 1753-1782. Srzin, C. (2006). Implementing the SEPA Crs Frmework (SCF): Towrs greter seurity for r pyments. Presenttion ville t e.europ.eu/ internl_mrket/fpeg/meetings_en.htm. Sullivn, Rihr J. (2007). Risk Mngement n Nonnk Prtiiption in the U.S. Retil Pyments System. Feerl Reserve Bnk of Knss City Eonomi Review (seon qurter), pp. 5-40, ville t www.knssityfe.org/pulit/eonrev /PDF/2q07sull.pf. Spong, Kenneth. (2000). Bnking Regultion: Its Purposes, Implementtion, n Effets. Knss City: Feerl Reserve Bnk of Knss City. Pge 41

U.S. Deprtment of Justie. 2002. Russin Computer Hker Sentene to Three Yers in Prison, Otoer 4, www.yerrime.gov/gorshkovsent.htm. Vis Europe. (2007). Annul Report 2006. Vulpini, Domenio. (2006). Ientity theft: Seurity n Soil Impt, speeh elivere t the EC High Level Mintining the integrity of Ientities n Pyments -- Two hllenges to fru prevention, Brussels, 22-23 Novemer 2006. Pge 42

Tle 1: Bro Pyment Types 1 Eletroni Cheques 2 Creit Trnsfers 3 Diret Deits 4 Pyment (Creit/Deit) Crs 5 e-money n Other Pre-fune/Store Vlue Instruments (inluing Internet P2P) Pge 43

Pre-Trnstion 1 Customer quisition Primry Ativity 2 Servies for issuer's front-en ustomer (pyer) quisition 3 Provision of pyment instruments/evies to the front-en ustomer (pyee or pyer) 4 Provision of hrwre to ept pyment instruments/evies 5 Provision of softwre to ept pyment instruments/evies Tle 2: Pyment Ativities Sutivity Registrtion n enrollment of ustomers s pyers (onsumers) Registrtion n enrollment for merhnt ounts or eployments of ATMs Provision of reit evlution/reit risk ssessment tools Applition proessing servies Cr issune, r proution; r personliztion; r elivery; r tivtion Hrwre n softwre proution (suh s r reer) for usge with onsumer's online evie (PC, moile, hnhel) Provision of e-money wllet / ess oe to e-money vlues Cheque mnufturing Provision of ATM terminls (sell/lese; mnge) Provision of POS terminls Provision of heque reers/heque POS terminls We hosting servies Provision of shopping rt softwre Provision of softwre to onnet pyment gtewy servie proviers Provision of heque verifition softwre Certifite-uthority servies (suh s PKI-se seure environments); provision of igitl ientity servies for onsumer uthentition 6 Provision of internet seurity-relte tehnology/support Provision of online trnstion seurity systems to front-en ustomers (pyees, merhnts), n ken ustomers (suh s 3D-seure r trnstions vi internet) Provision of e-signtures n other e-uthoristions for pyment uthoristion purposes Pyment Cr Inustry (PCI) ompline servies to merhnts 7 n/or pyers 8 Provision of t enter servies to k-en ustomers Outsouring omplete t enter funtions/seure, supervise floor spe/multi-site kup storge for isster reovery 9 E-invoiing Cretion n elivery of eletroni invoies to front-en ustomers (pyer) During-Trnstion Stge 1 10 Communition onnetion for merhnts Provision of gtewy to quirer/pyment proessors Provision of gtewy to vrious networks/hek or ACH uthoriztion venors Provision of network swith servies; k-en servie Provision of ommunition onnetion etween networks n pyment instrument issuers 11 Trnstion uthoriztion (fun verifition) 12 13 Fru n risk mngement servies to r issuers 14 Fru n risk mngement servies to front-en ustomers (pyees) Initite the eiting of the front-en ustomer's (pyer's) ount (uring trnstion) 15 Ex-nte ompline servies During-Trnstion Stge 2 16 Preprtion 17 Clering 18 Settlement Post-Trnstion 19 Sttement 20 Reonilition, inl. olletion n reeivle mngement servies Mthing invoies n pyments Provision of eision mngement/fru sreening/neutrl network soring system to r issuers for uthoriztion Proess to verify n onfirm if pyer hs suffiient funs (or reit lines) ville to over the trnstion mount Verifition servies (ress, IP ress, r verifition numer, other t), Pyment instrument uthentition n uthoristion servies Ientity uthentition Deision mngement/fru sreening/neutrl network soring system (hoste t thir-prty servie proviers) Monitoring trnstions n notifying rholers of potentil fru, enling them to tke immeite tion Deiting the front-en ustomer's (pyer's) ount / e-money purse Anti-money lunering n terrorist finning regultion suh s ontrols to ientify suspiious trnstions (tse, softwre et.) Sorting merhnt's sles informtion y pyment instrument/network for lering Sumission of sles informtion to eh pyment instrument network Clultion of eh network memer's (either finnil institution or proessor) net position n trnsmission of net position informtion to eh memer Provision of trnsformtion servies into other pyment instrument formts (suh s MICR to ACH) e Provision of sorting trnstions y estintion groups to finnil institutions Trnsmission of lering orers (reit trnsfers, iret eits, rs, heques) to finnil institution Trnsmission of lering orers to ACH opertor Distriution of vies showing the mounts n settlement tes Clering (ifferent from n ACH) Posting reit n eit t eh finnil institution's entrl nk ount Posting reit n eit t eh finnil institution's ommeril nk ount Posting eit (reit in se of return) to front-en pyer ount Posting reit (eit in se of return) to merhnt (pyee) ount e Chek settlement Provie sttement preprtion/elivery servies for front-en ustomers (pyers) (suh s moile reit vie; online nk/r ount sttements) Provision of sttement/pyment reeipt notifition servies for merhnts (pyees) 21 Retrievl Provision of hrgek n ispute proessing servies to merhnts, suh s support servies for tresury n ounting 22 Reporting n t nlysis servies to onsumers to finnil institutions 23 Ex-post ompline servies Compline with nti-money lunering n terrorist finning regultion, suh s reporting to uthorities, k-feeing to ex-nte tses Pge 44

Tle 3: Nonnk Importne: EU: Pyment Crs % on ountry totl 31.7% 15.0% 33.5% 30.5% 58.4% 36.8% 44.9% 11.2% 8.4% 39.6% 53.5% 30.3% 37.5% 22.7% 8.9% % on EU27 22.7% 10.5% 6.3% 5.1% 3.5% 3.2% 2.7% 1.0% 0.3% 0.4% 0.3% 0.1% 0.1% 0.1% 0.0% FR DE* NL IT PT BE FI AT CZ SI GR CY LT LV BG Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 10 11 12 13 14 15 During-Trnstion - Stge 2 16 e 17 18 e Post-Trnstion 19 20 21 22 23 * In Germny numer of nonnks re nk-owne Importne Prevlent High Meium Low Nonexistent Dt Qulity High Meium Low Not pplile Not le to juge Pge 45

Tle 4: Nonnk Importne: EU: Creit Trnsfers % on ountry totl 43.1% 18.9% 35.5% 31.5% 50.3% 49.4% 54.2% 7.8% 76.8% 86.1% 58.3% 11.6% 42.2% 8.6% % on EU27 31.7% 14.2% 7.0% 5.6% 4.8% 3.1% 2.0% 0.5% 0.4% 0.2% 0.2% 0.1% 0.5% 0.0% DE* FR NL IT AT FI CZ PT LV BG LT GR SI CY Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 10 11 12 13 14 15 During-Trnstion - Stge 2 16 e 17 18 e Post-Trnstion 19 20 21 22 23 * In Germny numer of nonnks re nk-owne Importne Prevlent High Meium Low Nonexistent Dt Qulity High Meium Low Not pplile Not le to juge Pge 46

Tle 5: Nonnk Importne: EU: Diret Deits % on ountry totl 40.6% 17.2% 27.9% 37.1% 12.8% 37.4% 12.4% 5.6% 16.8% 4.9% 13.5% 0.1% 2.7% 0.4% % on EU27 36.6% 15.8% 6.7% 4.3% 2.8% 1.7% 0.5% 0.4% 0.2% 0.0% 0.0% 0.1% 0.0% 0.0% DE FR NL AT IT CZ PT FI SI BG CY GR LT LV Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 10 11 12 13 14 15 During-Trnstion - Stge 2 16 e 17 18 e Post-Trnstion 19 20 21 22 23 * In Germny numer of nonnks re nk-owne Importne Prevlent High Meium Low Nonexistent Dt Qulity High Meium Low Not pplile Not le to juge Pge 47

Tle 6: Nonnk Importne: EU: E-Cheques % on ountry totl % on EU27 31.1% 15.6% 21.0% 1.0% 47.6% 24.2% 0.4% 0.0% 0.0% 0.0% 0.1% 0.1% 1.4% 54.7% 6.5% 3.1% 1.7% 0.3% 0.3% 0.1% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% FR IT PT DE* CY GR AT BG CZ LT FI LV SI Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 10 11 12 13 14 15 During-Trnstion - Stge 2 16 e 17 18 e Post-Trnstion 19 20 21 22 23 * In Germny numer of nonnks re nk-owne Importne Prevlent High Meium Low Nonexistent Dt Qulity High Meium Low Not pplile Not le to juge Pge 48

Tle 7: Nonnk Importne: EU: E-Money % on ountry totl % on EU27** 3.0% 6.4% 0.3% 0.1% 1.0% 0.1% 0.1% 1.5% 0.1% - - - - - nv 35.5% 34.8% 12.1% 5.9% 5.7% 0.9% 0.4% 0.3% 0.3% - - - - - nv NL BE DE* FR AT IT PT LT FI BG CY CZ GR LV SI Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 10 11 12 13 14 15 During-Trnstion - Stge 2 16 e 17 18 e Post-Trnstion 19 20 21 22 23 * In Germny numer of nonnks re nk-owne **(% my e overestimte ue to lk of t for e-money issue in the UK, whih is not inlue in EU totl) Importne Dt Qulity Prevlent High High Meium Meium Low Low Nonexistent Not pplile Not le to juge Pge 49

10 11 12 13 14 15 During-Trnstion - Stge 2 17 e e 19 20 21 22 23 Tle 8: Nonnk Importne: Unite Sttes Type of Pyment n Pyment Crs Diret Deits 45.9% 6.86% Pyment Ativity 4-prty Creit/ Sig. Deit PIN-Deit 3-prty Creit Automti One-time Pre-Trnstion 1 2 3 4 5 6 7 8 9 During-Trnstion - Stge 1 16 18 Post-Trnstion Shre of Nonsh Pyments Tempo/ PyByTouh Creit Trnsfers 6.03% e-cheques 4.41% Prepi Cr Open-Loop e-money 0.00% Prepi Cr Close-Loop PyCsh PyPl Importne Prevlent High Meium Low Nonexistent Dt Qulity High Meium Low Not pplile Not le to juge Pge 50

1 Customer quisition 2 3 4 5 6 7 Primry Ativity Servies for issuer's front-en ustomer (pyer) quisition Provision of pyment instruments/evies to the front-en ustomer (pyee or pyer) Provision of hrwre to ept pyment instruments/evies Provision of softwre to ept pyment instruments/evies Provision of internet seurity-relte tehnology/support Pyment Cr Inustry (PCI) ompline servies to merhnts n/or pyers Tle 9: Pyment Ativities n Selete Risks Liquiity Creit Settlement gent reit risk Mlfuntioning n/or other opertionl prolems Dt seurity risk ssoite with Counterfeit fru or n ssoite violtions of fru privy responsiilities Registrtion n enrollment of ustomers s pyers (onsumers) x x x x Registrtion n enrollment for merhnt ounts or eployers of ATMs x x x x x Provision of reit evlution/reit risk ssessment tools x x x Applition proessing servies x x Cr issune, r proution; r personliztion; r elivery; r tivtion x x x x Hrwre n softwre proution (suh s r reer) for usge with onsumer's online evie (PC, moile, hnhel) x x x Provision of e-money wllet / ess oe to e-money vlues x Cheque mnufturing x x x Provision of ATM terminls (sell/lese; mnge) x x x Provision of POS terminls x x x Provision of heque reers/heque POS terminls x x We hosting servies x x x Provision of shopping rt softwre x x x Provision of softwre to onnet pyment gtewy servie proviers x x x Provision of heque verifition softwre x x x Certifite-uthority servies (suh s PKI-se seure environments); provision of igitl ientity servies for onsumer uthentition x x Provision of online trnstion seurity systems to front-en ustomers (pyees, merhnts...), n k-en ustomers (suh s 3D-seure r trnstions vi internet) x x x Provision of e-signtures n other e-uthoriztions for pyment uthoriztion purposes x x x x x 8 Provision of t enter servies to k-en Outsouring omplete t enter funtions/seure, supervise floor spe/multi-site kup ustomers storge for isster reovery x x x 9 e-invoiing Cretion n elivery of eletroni invoies to front-en ustomers (pyer) x x x During-Trnstion Stge 1 10 Communition onnetion for merhnts 11 Trnstion uthoriztion (fun verifition) Provision of gtewy to quirer/pyment proessors x x x Provision of gtewy to vrious networks/hek or ACH uthoriztion venors x x x Provision of network swith servies; k-en servie x x x Provision of ommunition onnetion etween networks n pyment instrument issuers x x x Ativity Sutivity Pre-Trnstion Provision of eision mngement/fru sreening/neutrl network soring system to r issuers for uthoriztion Proess to verify n onfirm if pyer hs suffiient funs (or reit lines) ville to over the trnstion mount Liquiity n Creit Type of Risk Opertionl x x x x x x x Verifition servies (ress, IP ress, r verifition numer, other t), Pyment instrument x x x uthentition n uthoriztion servies Fru n risk mngement servies to front-en 12 Ientity uthentition x x ustomers (pyees) Deision mngement/fru sreening/neutrl network soring system (hoste t thir-prty servie x x proviers) Monitoring trnstions n notifying rholers of potentil fru, enling them to tke 13 Fru n risk mngement servies to r issuers x x immeite tion Initite the eiting of the front-en ustomer's 14 Deiting the front-en ustomer's (pyer's) ount / e-money purse; k-en servie x x x x (pyer's) ount (uring trnstion) Anti-money lunering n terrorist finning regultion suh s ontrols to ientify suspiious 15 Ex-nte Compline servies x trnstions (tse, softwre, n so on) Notes: Dt seurity risk is ssoite with the online environment. Counterfeit n ssoite fru is limite to physil pyment instruments (heks n pyment rs) use in n offline environment. Compline Illiit use (AML, terrorist finning) x Pge 51

16 Preprtion 17 Clering 18 Settlement 19 Sttement Primry Ativity Tle 9: Pyment Ativities n Selete Risks (Continue) Ativity Sutivity During-Trnstion Stge 2 Liquiity Liquiity n Creit Creit Settlement gent reit risk Mlfuntioning n/or other opertionl prolems Type of Risk Opertionl Dt seurity risk ssoite with Counterfeit fru or n ssoite violtions of fru privy responsiilities Sorting merhnt's sles informtion y pyment instrument/network for lering x x x Sumission of sles informtion to eh pyment instrument network x x x Clultion of eh network memer's (either finnil institution or proessor) net position n trnsmission of net position informtion to eh memer x x Provision of trnsformtion servies into other pyment instrument formts (suh s MICR to ACH) x x e Provision of sorting trnstions y estintion groups to finnil institutions x x Trnsmission of lering orers (reit trnsfers, iret eits, rs, heques) to finnil institution x x Trnsmission of lering orers to ACH opertor x x Distriution of vies showing the mounts n settlement tes x x Clering (ifferent from n ACH) x x Posting reit n eit t eh finnil institution's entrl nk ount x x x Posting reit n eit t eh finnil institution's ommeril nk ount x x x x Posting eit (reit in se of return) to front-en pyer ount x x x x Posting reit (eit in se of return) to merhnt (pyee) ount x x x x e Chek settlement x x x x Post-Trnstion Provie sttement preprtion/elivery servies for front-en ustomers (pyers) (suh s moile reit vie or online nk/r ount sttements) x x Provision of sttement/pyment reeipt notifition servies for merhnts (pyees) x x Compline Illiit use (AML, terrorist finning) Reonilition, inl. olletion n reeivle 20 mngement servies Mthing invoies n pyments x x x 21 Retrievl Provision of hrgek n ispute proessing servies x x to merhnts, suh s support servies for tresury n ounting x 22 Reporting n t nlysis servies to onsumers x to finnil institutions x Compline with nti-money lunering n terrorist finning regultion, suh s reporting to 23 Ex post Compline servies uthorities, k-feeing to ex-nte tses x x x Notes: Yellow shing of tle ells inite tivities n omponents of settlement risk. Dt seurity risk is ssoite with the online environment. Counterfeit n ssoite fru is limite to physil pyment instruments (heks n pyment rs) use in n offline environment. Pge 52

Tle 10: Pulily Reporte Dt Brehes in the Unite Sttes Jnury 2005 to April 2007 Setor of origin Bnk n finnil servies Nonnk pyment proessor Eution Retil Helth Cre Government Other or unknown Totl A: Numer of inients All inients efore 4/1/2006 fter 4/1/2006 All reors efore 4/1/2006 fter 4/1/2006 51 16 149 101 51 118 55 541 9.4% 3.0% 27.5% 18.7% 9.4% 21.8% 10.2% 16 6 58 21 14 11 13 139 11.5% 4.3% 41.7% 15.1% 10.1% 7.9% 9.4% 35 10 91 80 37 107 42 402 8.7% 2.5% 22.6% 19.9% 9.2% 26.6% 10.4% B: Reors ompromise 6,352,711 40,691,306 4,961,749 61,288,322 1,244,716 35,761,123 3,393,818 153,693,745 4.1% 26.5% 3.2% 39.9% 0.8% 23.3% 2.2% 5,725,850 40,200,526 2,491,827 2,765,590 391,300 960,183 1,227,330 53,762,606 10.7% 74.8% 4.6% 5.1% 0.7% 1.8% 2.3% 35.0% 626,861 490,780 2,469,922 58,522,732 853,416 34,800,940 2,166,488 99,931,139 0.6% 0.5% 2.5% 58.6% 0.9% 34.8% 2.2% 65.0% Notes: Dt re se on informtion ollete y the Privy Rights Cleringhouse n esse on their we site April 8, 2007. Clssifition y setor of origin n other lultions re y the uthors. Pge 53

Tle 11: Puli Regultion Relevnt to Pyment Risk Mngement in the Unite Sttes Are of Regultion Desription Legl sis Enforement uthority Regultions or guielines Consumer Stte hek lws; Eletroni protetion Funs Trnsfer At of 1978 Dt seurity Pruentil supervision Lw enforement Liilities n responsiilities in hek n eletroni funs trnsfers Sfeguring n islosing to ustomers the use of sensitive nonpuli ustomer informtion Perioi exmintion n ongoing monitoring of the finnil helth n pruentil opertion of the institution Efforts to ounter trens in illegl t rehes, ientity theft, n money lunering Grhm-Leh-Bliley At of 1999; vrious feerl n stte lws onerning unfir n eeptive ts in usiness trnstions Vrious lws enling supervision of finnil institutions; The Bnk Servie Compny At of 1962; stte lws overing money trnsmitters USA Ptriot At of 2001; Bnk Serey At of 1970; stte lw For heks, stte legl uthorities; for eletroni funs trnsfer, feerl genies (finnil institution supervisory genies* or the Seurities n Exhnge Commission oring to their jurisition) with the Feerl Tre Commission overing retilers n others pyment prtiipnts not overe y other genies Feerl finnil institution supervisory genies*; Feerl Tre Commission Feerl finnil institution supervisory genies* Feerl Bureu of Investigtion Cyer Opertions group; Seret Servie Eletroni Crimes Tsk Fore; Deprtment of the Tresury Finnil Crimes Enforement Network; stte n lol lw enforement For eletroni funs trnsfer, the Feerl Reserve Bor s Regultion E speifies islosure, pyment uthoriztion, trnstion reor, n ispute resolution requirements Feerl Reserve Bor s Regultion P n Regultion H (ppenix D2) Stte n feerl guine provie y supervisory genies; Feerl Reserve regultions overing pyments, suh s Regultions J (hek olletion) n CC (hek funs vilility) Eletroni Crimes Tsk Fore wesite (www. finen.gov/reg_guine. html); FinCEN wesite (www.seretservie.gov/ etf.shtml) Tretment of nk n nonnk orgniztions Equl Unequl etween finnil n nonfinnil orgniztions Generlly unequl with the possile exeption of where nks outsoure pyment proessing to nonnks *Feerl finnil institution supervisors inlue the Offie of the Comptroller of the Curreny, the Feerl Reserve System, the Feerl Deposit Insurne Corportion, the Offie of Thrift Supervision n the Ntionl Creit Union Aministrtion. Equl Pge 54

Tle 12: Business Lines Offere y Supervise Tehnology Servie Proviers Yer en 2004 Bnk ffilition sttus All TSPs Business Line Inepenent Bnk ffilite N Perent N Perent N Perent Core proessing 68 54.6% 37 44.6% 31 73.8% Any pyments-relte usiness line* 87 69.6% 55 66.3% 32 76.2% Other usiness line** 21 16.8% 19 22.9% 2 4.8% Totl numer of TSPs 125 83 42 *ACH proessing/servies, ATM proessing/servies/network/swith, ill pyment servie, reit r issune, reit n/or eit r merhnt proessing, reit r network/swith, hek proessing, hek proessing softwre venor lering n settlement, POS proessing/servies/network/swith, n wholesle pyments. **Retil e-nking/trnstionl wesite hosting, eletroni reor sfekeeping, imging, lon or mortgge proessing/serviing, orporte e-nking/sh mngement, wesite hosting (informtionl), isster reovery, investment proessing, ggregtion, sset/liility mngement, reit soring, other emerging tehnologies, employee enefit ount proessing, sset mngement proessing, nk imge proessor, eit r "servies", Internet servies, IRA "servies", pyroll "servies", sfe eposit, stuent lon proessor, trust proessing servies, Vis "servies." Notes: Mny TSPs re oule ounte euse they offer ore proessing, pyments, n/or other usiness lines. As result, the sum of the numer of TSPs in eh tegory is greter thn the totl numer of TSPs, n the sum of perentges is greter thn 100 perent. Bnk ffilition sttus is etermine y signifint ownership position y one or more epository institution, whether run s orportions, limite prtnerships or limite liility ompnies. An inepenent TSP hs no signifint ownership y epository institution. Pge 55