As more companies embrace the move to digital payments, one of the newest payment rails in the United States has created an opportunity for businesses to move money in real-time with a simple and secure process.
The RTP® Network from The Clearing House represents a new phase in the evolution of the payments industry within the United States. The RTP® Network is the cutting edge of payment innovation and is poised to transform the way we understand bank transfers.
However, diving into the world of online payments can be intimidating for any new or established company. Integrating Dwolla’s payment API to offer faster payments is the easy part. How your business communicates the benefits of real-time payment processing to your customers is just as important as maintaining the necessary controls to provide a positive user experience.
Use this blog to understand what it means to be a real-time payment company.
What to Know About Real-Time Payments
Real-time payments are similar to ACH payments in that funds are sent between bank accounts. And when using Dwolla, a business can toggle between an ACH payment and a real-time payment with a simple channel request change in the API.
The financial institution that is sending and receiving the RTP transaction must choose to participate in the RTP® Network through an agreement with The Clearing House. It’s important to note that not all banks currently participate in the RTP® Network. As businesses and their consumers continue to demand faster payment options—and adoption of real-time payments grows—we can expect the percentage of banks that participate in the RTP® Network to increase as well.
Currently, the RTP® Network reaches 56 percent of U.S. demand deposit accounts with its real-time payment capabilities.
Dwolla partners with innovative financial institutions to allow a business to keep its existing banking relationship and still send instructions for transfers directly through our RTP API. This means you can send transfers over the RTP® Network without directly integrating with a participating bank.
The Clearing House created the RTP® Network in 2017 to provide nearly instantaneous payments between eligible bank accounts. And as with any payment method, faster payments come with the possibility of additional risk.
Risk With Real-Time Payments
Most payment modalities–including ACH, payment cards and checks–offer a way for the payor to dispute, recall or stop a payment before or after it is processed. With the RTP® Network, all participants have agreed that once a real-time payment is initiated, that transaction is final and irrevocable.
The RTP® Network is based on a “good funds model” and is strictly a “credit push” payment system. A “good funds model” means participating banks are required to have funds available at the Fed at the time they send money out; as a result, the participating banks require that the funds are actually in the sender accounts at their banks.
Sending financial institutions can ask a receiving bank to send back a payment sent in error, but the receiving bank is not obligated to honor the request.
Developing Your Risk Appetite
Businesses need to send and receive payments without exchanging paper checks or making in-person cash transactions, particularly in an increasingly digital economy, and one with largely distributed workforces for the foreseeable future. Real-time payments are an alternative payment method for faster transfers, with settlement happening in real time. Currently, the RTP® Network is for credit-only transfers that are irrevocable for the sender.
Said another way, once a real-time payment is sent there is no opportunity to cancel, stop or initiate a return. The finality of an RTP® transaction allows participants to consider a payment complete without having to wait days for the funds to actually become available. This also means that users need to be extra vigilant about not sending payments in error or exposing their credentials to potential fraudsters.
Businesses want to process payments to vendors as quickly as possible and leverage the Network’s additional information options to ensure proper tracking of expenses with remittance data on bank statements. Consumers want to be able to send money to pay for a bill or to purchase goods without planning ahead to make sure the payment will arrive in time.
As a business or consumer, a necessary question to consider is, “Does the value of speed outweigh the risk for a quicker payment?”
It’s important to note that Dwolla does not perform fraud protection or fraud mitigation on behalf of our clients. Our clients are innovating across a variety of industries and the best people to understand normal payment patterns on your application–and thus detect fraud–are your own team members.
Additionally, clients have more contextual information about the end users interacting with their applications to understand whether a payment pattern makes sense for that user.
For those reasons, Dwolla expects our clients to responsibly implement the fraud prevention controls most appropriate for their situation. This includes the processes, procedures and monitoring programs necessary to protect your business and prevent potential losses.
Now that you have integrated an RTP API, what’s next? Your business will need to take responsibility for managing your business risk and that of your users by ensuring:
- Confidence in the identity of the recipient of any transaction initiated.
- Established controls to verify that the amount of the transaction is correct before it is initiated.
- Procedures in place for handling potential disputes with receiving parties directly.
Implementing dual approvals and verification steps can assist in preventing errors in sending a real-time payment. For example, a business can create a two-step approval process where the user verifies the information submitted and agrees to continue with the process of the payment with an acknowledgement that all transactions are final.
Businesses that support payments between their users may want to consider developing a strategy to group users into tiers based on risk exposure. If a new business or consumer signs up for your platform, it might be wise to require them to establish a successful transaction history utilizing other payment methods before allowing an enhanced experience by granting access to faster payments.
Strongly consider forgoing the option of a faster payment if the receiver is not a business or individual known to the sender, or if the payment otherwise creates an unacceptable level of risk. Another option could be granting real-time capabilities to users who undergo enhanced due diligence, i.e., providing financial statements along with a personal ID for additional verification.
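The checks described above (verified amount, risk tiers, known recipient, acknowledgement of finality and a second approver) can be combined into one pre-send gate. The following is an added example, not Dwolla's code; the tier threshold, field names and the `rtp`/`ach` labels are assumptions and not Dwolla API values.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed policy: tiers, threshold and channel labels are assumptions.
# "rtp" / "ach" are local labels, not Dwolla API values.
MIN_SETTLED_HISTORY = 3  # successful transfers on other rails before RTP access

@dataclass
class Sender:
    user_id: str
    settled_transfers: int = 0
    enhanced_due_diligence: bool = False
    known_recipients: set = field(default_factory=set)

@dataclass
class PaymentRequest:
    sender: Sender
    recipient_id: str
    amount: Decimal            # amount entered by the initiator
    confirmed_amount: Decimal  # amount re-entered at the verification step
    finality_acknowledged: bool = False
    initiator: str = ""
    approver: Optional[str] = None

def decide(req: PaymentRequest):
    """Return (outcome, reasons); outcome is 'blocked', 'ach', 'hold' or 'rtp'."""
    # 1. The amount must be positive and match what was confirmed.
    if req.amount <= 0 or req.amount != req.confirmed_amount:
        return "blocked", ["amount not verified"]
    # 2. Forgo the faster rail for low-tier senders or unknown recipients.
    s = req.sender
    reasons = []
    if not (s.enhanced_due_diligence or s.settled_transfers >= MIN_SETTLED_HISTORY):
        reasons.append("sender tier lacks real-time access")
    if req.recipient_id not in s.known_recipients:
        reasons.append("recipient not known to sender")
    if reasons:
        return "ach", reasons
    # 3. An irrevocable send needs an explicit acknowledgement and a second person.
    if not req.finality_acknowledged:
        reasons.append("finality not acknowledged")
    if not req.approver or req.approver == req.initiator:
        reasons.append("distinct second approver required")
    return ("hold", reasons) if reasons else ("rtp", [])
```

A `hold` outcome means the request waits for the missing acknowledgement or approval rather than being sent on any rail.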
The processes and procedures laid out above can function most effectively if they are coupled with suitable system design principles and automated mechanisms.
Even with 24x7x365 customer service availability, when a transfer can be initiated and completed in seconds, relying on correcting an error after the fact is risky. Your business must take reasonable steps to ensure that transactions are authorized in advance; otherwise, you could end up being responsible to your end users for erroneous payments.
Consider the following types of preventative, detective or corrective controls:
- Ensure that all users (or applications) that are able to initiate faster payments are strongly authenticated. This means properly storing passwords and ensuring they require sufficient complexity, as well as making use of multi-factor authentication to mitigate any remaining password-related risk. In the case of automated processes, using a secure scheme such as OAuth2 (as used by Dwolla) can prevent abuse.
- If the sources of RTP requests are known and static, such as a fixed endpoint in your cloud infrastructure, you can further mitigate the risk of abuse by restricting access to any payment-initiating endpoints by IP address. Of course, you could go further with mutual TLS authentication if your risk considerations warrant it.
- Ensure that you limit authorization to send faster payments to only those users and applications that require that ability. Keeping this list as small as possible will keep multiple risk factors at bay.
- Ensure any public-facing portions of your application, such as login pages or API endpoints, are appropriately protected against abuse by automated tools or botnets. This can include using CAPTCHAs where appropriate, using a third-party service to protect your perimeter, or ensuring you have password lockout or login rate-limiting controls in place on login forms.
- Monitor your system to flag any unusual activity, such as payment requests from unexpected users, IP addresses, user agents or other indicators such as large volumes of incorrect password attempts. The horse might be out of the barn at that point, but the sooner you know about it, the sooner you can initiate your incident response procedures and work to mitigate the issue.
- You might also wish to investigate whether you can identify anomalous transactions by other indicators, such as volume, timestamp, destination, etc. These considerations are very situation-dependent.
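As an added illustration of the monitoring control above (not code from Dwolla), the following flags payment requests that come from an unexpected user, IP address or user agent, or that follow a burst of failed logins. The event format, baseline, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in time order: (timestamp, kind, user, ip, user_agent).
EVENTS = [("2024-01-05T09:00:00", "payment_request", "alice", "198.51.100.7", "Mozilla/5.0")]
EVENTS += [(f"2024-01-05T10:0{m}:00", "login_failed", "alice", "203.0.113.9", "curl/8.0")
           for m in range(5)]
EVENTS += [("2024-01-05T10:05:00", "payment_request", "alice", "203.0.113.9", "curl/8.0"),
           ("2024-01-05T11:00:00", "payment_request", "unknown-svc", "198.51.100.7", "Mozilla/5.0")]

# Expected sources per user (assumed to come from your own records).
BASELINE = {"alice": {"ips": {"198.51.100.7"}, "agents": {"Mozilla/5.0"}}}
FAIL_LIMIT, WINDOW = 5, timedelta(minutes=10)  # assumed thresholds

def flag_payment_requests(events, baseline):
    """Return (timestamp, user, reasons) for each suspicious payment request."""
    failures = defaultdict(deque)  # user -> times of recent failed logins
    alerts = []
    for ts, kind, user, ip, agent in events:
        t = datetime.fromisoformat(ts)
        if kind == "login_failed":
            failures[user].append(t)
            continue
        if kind != "payment_request":
            continue
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("unexpected user")
        else:
            if ip not in known["ips"]:
                reasons.append("unexpected IP")
            if agent not in known["agents"]:
                reasons.append("unexpected user agent")
        recent = failures[user]
        while recent and t - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= FAIL_LIMIT:
            reasons.append(f"{len(recent)} failed logins in window")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts
```

Because a real-time payment cannot be recalled, the same checks are more useful when run before the payment is released than when run over logs afterwards.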
Become a Real-Time Payments Company
The RTP® Network and RTP transactions are a game changer for companies ready and willing to take the leap into digital payments. Using Dwolla’s modern payment platform, your business can choose from a variety of payment options to move money at your speed—not based on predetermined intervals that are limited to normal business hours.
Take more control of your payments and meet the expectations of your consumers with Dwolla.