As more companies embrace the move to digital payments, one of the newest payment rails in the United States has created an opportunity for businesses to move money in real time with a simple and secure process.
The RTP® Network from The Clearing House represents a new phase in the evolution of the payments industry within the United States. The RTP® Network is on the cutting edge of payment innovations and is poised to transform the way we understand bank transfers.
Understanding Real-Time Payments
Real-time payments are similar to ACH payments in that funds are sent between bank accounts. The financial institution that is sending and receiving real-time payments must choose to participate in the RTP® Network through an agreement with The Clearing House. It’s important to note that not all banks currently participate in the RTP® Network. As businesses and their consumers continue to demand faster payment options—and adoption of RTP grows—we can expect the percentage of banks that participate in the RTP® Network to increase as well.
Dwolla partners with innovative financial institutions to allow you to send instructions for transfers directly through our API, which means you can send transfers over the RTP® Network without directly integrating with a participating bank.
The Clearing House created the RTP® Network to provide nearly instantaneous payments between eligible bank accounts. As with any payment method, increased speed comes with the possibility of additional risk.
Most payment modalities–including ACH, payment cards and checks–offer a way for the payor to dispute, recall or stop a payment before or after it is processed. With the RTP® Network, all participants have agreed that once a real-time payment is initiated, that transaction is final. Senders can ask a receiving bank to send back a payment sent in error but the receiving bank is not obligated to honor the request.
Developing Your Risk Appetite
Diving into the world of online payments can be intimidating for any new or established company. Businesses need to send and receive payments without exchanging paper checks or making in-person cash transactions, particularly in an increasingly digital economy—and one with largely distributed workforces for the foreseeable future.
Real-time payments are an alternative payment method for faster transfers, with settlement happening in real time. Currently, the RTP® Network is for credit-only transfers that are irrevocable for the sender.
Said another way, once a real-time payment is sent there is no opportunity to cancel, stop or initiate a return. This finality allows participants to consider a payment complete without having to wait days for the funds to actually become available. This also means that users need to be extra vigilant about ensuring they do not send payments in error or expose their credentials to potential fraudsters.
Businesses want to be able to process payments to vendors as quickly as possible and leverage the RTP® Network’s additional information options to ensure proper tracking of expenses. Consumers want to be able to send money to pay a bill or purchase a good without planning ahead to make sure the payment will arrive in time. As a business or consumer, a necessary question to consider is, “Does the value of speed outweigh the risk of a quicker payment?”
It’s important to note that Dwolla does not perform fraud protection or fraud mitigation on behalf of our clients. Our clients are innovating across a variety of industries and the best people to understand normal payment patterns on your application–and thus detect fraud–are your own team. Clients also have more contextual information about the end users interacting with their applications to understand whether a payment pattern makes sense for that user. For those reasons, Dwolla expects our clients to responsibly implement the fraud prevention controls most appropriate for their situation. This includes the processes, procedures and monitoring programs necessary to protect your business and prevent potential losses.
Your business will need to take responsibility in managing your business risk and that of your users by ensuring:
- Confidence in the identity of the recipient of any transaction initiated.
- Established controls to verify the amount of the transaction is correct before being initiated.
- Procedures are in place for handling potential disputes with receiving parties directly.
Implementing dual approvals and verification steps can assist in preventing errors in sending a real-time payment. For example, a business can create a two-step approval process where the user verifies the information submitted and agrees to continue with the process of the payment with an acknowledgement that all transactions are final.
Businesses that support payments between their users may want to consider developing a strategy to group users into tiers based on risk exposure. If a new business or consumer signs up for your platform, it might be wise to require them to establish a successful transaction history utilizing other payment methods before allowing an enhanced experience by granting access to real-time payments.
Strongly consider forgoing the option of a faster payment if the receiver is not a business or individual known to the sender, or if the payment otherwise creates an unacceptable level of risk. Another option is to grant real-time capabilities to users who undergo enhanced due diligence, i.e., providing financial statements along with a personal ID for additional verification.
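The checks described above can be combined into a single gate that runs before an irrevocable payment is submitted. The following is an added example, not Dwolla's code or API; the thresholds, field names and reason strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for illustration; set them from your own risk appetite.
MIN_SETTLED_TRANSFERS = 5             # history on other payment methods before RTP unlocks
SECOND_APPROVER_FROM_CENTS = 100_000  # at or above this, a different person must approve

@dataclass
class Sender:
    user_id: str
    settled_transfers: int                # successful transfers on other payment methods
    enhanced_due_diligence: bool = False  # e.g. financial statements and ID reviewed
    known_recipients: set = field(default_factory=set)

@dataclass
class PaymentRequest:
    sender: Sender
    recipient_id: str
    amount_cents: int
    confirmed_amount_cents: int           # amount the user confirmed on the review step
    finality_acknowledged: bool           # user accepted that the payment is final
    initiated_by: str
    approved_by: Optional[str] = None

def rtp_gate(req: PaymentRequest) -> list:
    """Return every reason to block; an empty list means the payment may be sent."""
    s, reasons = req.sender, []
    # Tiering: RTP is unlocked by history on other methods or by enhanced due diligence.
    if not (s.enhanced_due_diligence or s.settled_transfers >= MIN_SETTLED_TRANSFERS):
        reasons.append("sender_tier_not_eligible")
    # Confidence in the recipient's identity.
    if req.recipient_id not in s.known_recipients:
        reasons.append("recipient_not_known")
    # The amount must be positive and match what was confirmed on the review step.
    if req.amount_cents <= 0 or req.amount_cents != req.confirmed_amount_cents:
        reasons.append("amount_not_confirmed")
    if not req.finality_acknowledged:
        reasons.append("finality_not_acknowledged")
    # Dual approval: the approver must exist and must not be the initiator.
    if (req.amount_cents >= SECOND_APPROVER_FROM_CENTS
            and req.approved_by in (None, req.initiated_by)):
        reasons.append("second_approver_required")
    return reasons
```

The gate fails closed: any single reason blocks the send, and all reasons are returned so the caller can log them or route the payment to a slower, revocable method.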
The processes and procedures laid out above can function most effectively if they are coupled with suitable system design principles and automated mechanisms.
Even with 24x7x365 customer service availability, when a transfer can be completed and final in seconds, relying on correcting an error after the fact is risky. Your business must take reasonable steps to ensure that transactions are authorized in advance; otherwise, you could end up being responsible to your end users for erroneous payments.
Consider the following types of preventative, detective or corrective controls:
- Ensure that all users (or applications) that are able to initiate real-time payments are strongly authenticated. This means properly storing passwords and ensuring they require sufficient complexity, as well as making use of multi-factor authentication to mitigate any remaining password-related risk. In the case of automated processes, using a secure scheme such as OAuth2 (as used by Dwolla) can prevent abuse.
- If the sources of RTP requests are known and static, such as a fixed endpoint in your cloud infrastructure, you can further mitigate the risk of abuse by restricting access to any payment-initiating endpoints by IP address. Of course, you could go further with Mutual TLS authentication if your risk considerations warrant.
- Ensure that you limit authorization to send real-time payments to only those users and applications that require that ability. Keeping this list as small as possible will keep multiple risk factors at bay.
- Ensure any public-facing portions of your application, such as login pages or API endpoints, are appropriately protected against abuse by automated tools or botnets. This can include using CAPTCHAs where appropriate, using a third-party service to protect your perimeter, or ensuring you have password lockout or login rate-limiting controls in place on login forms.
- Monitor your system to flag any unusual activity, such as payment requests from unexpected users, IP addresses, user agents or other indicators such as large volumes of incorrect password attempts. The horse might be out of the barn at that point, but the sooner you know about it, the sooner you can initiate your incident response procedures and work to mitigate the issue.
- You might also wish to investigate whether you can identify anomalous transactions by other indicators, such as volume, timestamp, destination, etc. These considerations are very situation-dependent.
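The monitoring items at the end of this list can start as a per-user baseline that flags payment requests deviating from it. The following is an added example, not Dwolla's code; the event tuple layout, the limits and the sample events are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events, oldest first: (user, kind, ip, user_agent, amount_cents)
EVENTS = [
    ("acme", "payment", "203.0.113.10", "acme-batch/1.2", 12_000),
    ("acme", "payment", "203.0.113.10", "acme-batch/1.2", 15_000),
    ("acme", "payment", "203.0.113.10", "acme-batch/1.2", 11_000),
    ("acme", "login_failed", "198.51.100.7", "curl/8.0", 0),
    ("acme", "login_failed", "198.51.100.7", "curl/8.0", 0),
    ("acme", "login_failed", "198.51.100.7", "curl/8.0", 0),
    ("acme", "payment", "198.51.100.7", "curl/8.0", 900_000),
    ("acme", "payment", "203.0.113.10", "acme-batch/1.2", 13_000),
]

def flag_events(events, failed_login_limit=3, amount_factor=10):
    """Return (index, user, reasons) for every event that deserves review."""
    ips, agents = defaultdict(set), defaultdict(set)
    amounts, failures = defaultdict(list), defaultdict(int)
    alerts = []
    for i, (user, kind, ip, agent, amount) in enumerate(events):
        if kind == "login_failed":
            failures[user] += 1
            if failures[user] == failed_login_limit:
                alerts.append((i, user, ["failed_login_burst"]))
            continue
        if kind == "login_ok":
            failures[user] = 0  # a successful login resets the failure count
            continue
        if kind != "payment":
            continue
        reasons = []
        if ips[user] and ip not in ips[user]:
            reasons.append("new_ip")
        if agents[user] and agent not in agents[user]:
            reasons.append("new_user_agent")
        if len(amounts[user]) >= 3 and amount > amount_factor * median(amounts[user]):
            reasons.append("amount_outlier")
        if reasons:
            alerts.append((i, user, reasons))
        else:
            # Only clean payments extend the baseline, so a flagged request
            # cannot make its own IP, agent or amount look normal next time.
            ips[user].add(ip)
            agents[user].add(agent)
            amounts[user].append(amount)
    return alerts
```

Because settlement is final, the same checks are most useful when run before submission so that a flagged request is held for review instead of reported afterwards.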
Become a Real-Time Payments Company
The RTP® Network and real-time payments are a game changer for companies ready and willing to take the leap into digital payments. Using Dwolla’s modern payment platform, your business can choose from a variety of payment options to move money at your speed—not based on predetermined intervals that are limited to normal business hours.
Take more control of your payments and meet the expectations of your consumers with Dwolla.