Matt Swinehart is an attorney in Washington, DC
The views expressed here are the author’s own and not necessarily the views of the United States government
Two familiar tenets make up today’s conventional wisdom about fintech. The first tenet is that the financial services industry is undergoing nothing short of a revolution. The second tenet, building on the first, is that this revolution requires a broad rethinking of financial regulation. A failure of financial regulators to adapt to these developments, it is said, will reduce the competitiveness of U.S. financial services firms, hinder efforts to increase basic access to financial services, and even undermine their own regulatory objectives. This logic may well apply to many financial services, but a closer look at one key segment – payment services – suggests that this revolution narrative does not hold in all cases.
By some measures, no part of the financial sector has a better claim to that revolution narrative than payment services, which every year move more than a quadrillion—or one thousand trillion—U.S. dollars globally and more than 175 trillion U.S. dollars in the United States alone. In the last two decades, payments have moved away from cash, paper checks, and other relatively slow and expensive mechanisms to incrementally faster and cheaper digital payment services. Digital payments – powered both by incumbents like banks and by new entrants like Stripe and Venmo – now account for more than 80 percent of all U.S. consumer purchases of goods and services and nearly 100 percent of all other commercial transactions.
But by constructing a simple “payment stack model” we can see that the fintech revolution narrative does not explain the state-of-play in the payments world. The model is useful in visualizing two concepts essential to understanding the potential effects of financial change on payments regulation: one, that despite the vast array of payment services and providers, both old and new, they sort into a relatively small number of interconnected categories; and two, that despite the smattering of seemingly disparate U.S. payments regulations and regulators, payment services within each category are generally subject to the same types of rules and standards, irrespective of technology and business model. This technology and business-model neutrality means that payments regulation is more durable in the face of financial change than the conventional wisdom would predict.
The Payment Stack Model
In the United States, the payments ecosystem sorts into seven categories as shown below.
Platform services (encompassing both new entrants like Apple Pay and old standbys like physical credit cards) allow end-users to initiate payment transactions. Processing services (think Stripe, Amazon Web Services, and First Data) perform the complex information technology functions underlying payments. Account services (which range from checking accounts at banks to PayPal and Venmo accounts) hold funds on behalf of payment senders and recipients. Connection services (primarily a banking function) provide relationships with banks and access to settlement infrastructure. Messaging services (including Visa, Mastercard, and other payment card networks) enable payment senders to communicate with payment recipients. And settlement services (including Fedwire and The Clearing House Interbank Payment System) effect the actual transfer of funds from the payment recipient to the payment sender.
Each payment service provider falls into one or more of these categories – or provides all of these services and falls into a seventh category, end-to-end services (such as person-to-person payment services from Western Union).
The Technology and Business-Model Neutrality of Existing Payments Regulation
The functional categorization of these services embodied in the payment stack, coupled with an understanding of the three core regulatory objectives specific to payment services – consumer protection, law enforcement, and financial stability – shows that regulators have taken an approach to their treatment of these services that is largely technology and business-model neutral. Application of these regulatory approaches to the payment stack is illustrated below.
Consumer Protection—Consumer protection rules, at both the federal and state level, attach to account services from banks like JP Morgan Chase and money transmitters like Venmo because they contract directly with consumers and hold funds in payment accounts on their behalf.
The most important federal consumer protection rules are those that govern the allocation of losses internal to individual consumer transactions and provide incentives to account service providers to ensure that they process only transactions that have been authorized by their customers. These rules allocate nearly all risk of losses due to unauthorized transactions to the banks that issue credit cards to consumers (under the Truth in Lending Act and Regulation Z) or to entities that enable payments using funds held in payment accounts, including through a debit card, an ATM, an automated clearinghouse transaction, or The Clearing House’s new retail real-time payment service (under the Electronic Funds Transfer Act and Regulation E). Private contracts between card issuers and other network participants, including merchants, as well as state laws, may then re-allocate these risks.
A class of state-level laws also seeks to protect consumers from entity-level risks associated with account services. The rules seek to ensure that nonbanks providing “money transmission” services—generally defined as the receipt and transmission to others of customer funds—maintain sufficient liquidity to fulfill payment instructions and the ability to honor the withdrawal of funds from accounts in a timely manner, through surety bonds, sound investment practices, and other safeguards.
Law Enforcement—Account service providers are subject to law enforcement rules—primarily at the federal level—that are designed to curb money laundering, terrorism financing, and other unlawful activities. Law enforcement regulations generally attach to this layer of the payment stack because they are designed to apply to companies with primary access to information, especially information on end-users, that has “a high degree of usefulness” in law enforcement activities. At the core of this regulatory regime is the Bank Secrecy Act, which requires all “financial institutions,” including banks and state-licensed nonbank money transmitters, to report cash transactions of $10,000 or more, verify the identities of their customers, conduct other customer due diligence activities depending on a customer’s risk rating, and file suspicious activity reports whenever they have to reason to suspect illegal or terrorist activity.
Financial Stability—The orderly settlement of payments, especially wholesale payments given their high value, is essential to maintaining financial stability by enhancing certainty in the actual transfer of funds among banks. Because settlement may give rise to financial, operational, and other risks to the participants and the settlement system operator, U.S. regulators operate their own settlement systems (including Fedwire) and subject the private operator of the one systemically important settlement system for payments (The Clearing House’s CHIPS) to regulation designed to achieve financial stability objectives. This designation means that The Clearing House is subject to heightened prudential and supervisory provisions intended to promote robust risk management and safety and soundness under the Federal Reserve Board’s Regulation HH.
The Future of Payments Regulation
What is striking here is that payments regulation is concerned with only two service categories – account and settlement services. Services in the other categories are generally not subject to payment-specific regulation. This is partly because account and settlement services are the ones that may pose payment-specific risks and partly because regulators may not need to impose payments-specific regulation on activities that are already subject to derivative and background banking regulation.
Mobile payment platforms like Apple Pay and most other providers of consumer platform services are not subject to consumer protection rules because—although they interact with consumers and allow them to initiate payment transactions—they do not maintain a contractual relationship with those consumers. U.S. financial regulators supervise processing services—a field dominated by nonbanks like First Data, Stripe, and Amazon Web Services—only when they are provided to banks and, even then, maintain only a derivative supervisory relationship with processing service providers as part of their oversight of those banks. Under the Bank Service Company Act, regulators are authorized to supervise the supply of those services to banks, primarily for operational and related risks that they may pose to the financial stability of the banks. And connection services are not subject to payments regulation either, although the overall regulatory regime governing other categories nonetheless assumes that connection service providers will provide their services and that they are composed of a particular class of firms—banks—that are subject to regulatory requirements that are markedly different from those applicable to nonbank financial service providers.
We are left, then, with an identifiable set of payments-specific regulations applicable to two categories of services. And the regulatory frameworks that apply to those two categories – risk allocation, investment and surety requirements, due diligence and reporting requirements, and government operation and systemic-importance designation – are all technology and business-model neutral because they can apply to new technologies and business models without modification in nearly all instances.
But all of this is not to say that payments regulation should be static. Even with this neutrality in payments regulation, financial change may require new approaches in some cases.
Two forms of “payment stack collapse” could occur, for example, reordering the payments ecosystem and challenging the existing regulatory model. If payments using open and permissionless distributed ledger technology (“DLT”) like bitcoin become ubiquitous, and there is no need for a user to rely on non-DLT payment services, account providers would become unnecessary and regulators could have no entity to regulate for consumer protection and law enforcement purposes. Similarly, if nonbanks become ubiquitous suppliers of payment services and supplant banks from the market, this displacement of the bank-centric payments model could lead to regulatory escape and reduced regulatory efficacy.
But both of these payment stack collapse scenarios would require significant market changes to occur, an unlikely possibility judging by current trends. This means that payments regulators have the opportunity to look beyond the conventional wisdom about fintech – and its call for large-scale reform – and to engage in fact-specific and nuanced strategies to address financial change.
This is an opportunity to evaluate areas of the payments ecosystem where new entrants and services have brought to light existing shortcomings and to determine whether something as simple as clarifying the application of existing rules to new technologies or business models may achieve regulatory objectives. Changes in technology or business model might also allow regulators to improve the ways they exercise their supervisory authority, especially through better information collection and analysis. Or financial change may present regulators with opportunities – like the Federal Reserve’s Faster Payments initiatives – to advance market-based solutions that benefit regulators, service providers, and customers. None of these approaches require the upending of the existing framework for payments regulation.