Reports that a payment system was unavailable for a few hours in February 2021 may not sound like a big deal, especially to those outside the payment industry. But when that payment service is run by the Federal Reserve, it merits closer examination. Is this an isolated incident, or part of a pattern that the banking industry needs to address?
It’s unclear what caused the “operational errors,” as the Fed described it. According to reports, the outage affected multiple services, including its automated clearinghouse system, which connects depository and related institutions sending electronic credit and debit transfers.
We don’t know what went wrong or why, and don’t want to speculate. What is clear, however, is that it is unlikely to be the last incident of its kind unless banks start to modernize their payment systems.
Volumes of electronic payments have been rising consistently and have accelerated through the pandemic. For example, traffic through the Fed’s Fedwire service was up 10% in 2020, twice the increase from 2019. The total volume of wire payments (those processed by the Federal Reserve’s Fedwire Funds Service) is 50% higher than a decade ago.
In the United States, payments via the ACH (Automated Clearing House) electronic payment networks − the type that are used to process payroll direct deposits, utility direct debit payments, and other common transactions − have nearly doubled in the past decade.
Consequently, payment processing systems of all kinds, from those used by companies to those used by banks, to central clearinghouse and settlement systems like the ones run by the Fed, are feeling the strain.
The problem is not just the total volume of payments. It is also the timing and criticality of transactions. As business moves to a 24×7 operating model and real-time payments become the norm, the US’s payments infrastructure must accommodate the perfect storm: more payments, increasingly after hours and on the weekend, and the need to get from sender to receiver faster.
This creates a basic resiliency issue. Most of the payment systems that handle this traffic, whether at banks or clearing houses or the Fed, are 10-20 years old. They were designed for a different time and different needs. It is not surprising, therefore, that failures are becoming more common. Over the past two years, there have been several outages, either at the Fed or other critical links in the processing chain.
It is also a major security issue. Hackers thrive on attacking the weakest link in a chain. So, how do we improve the IT security of bank payment systems?
- One, modernize every part of the payment lifecycle, from the devices that initiate payments to those that process payments, such as banks, the Fed and other central clearing house providers.
- Two, use decentralized/distributed models rather than traditional centralized models. This goes well beyond traditional backup data centers. Think about how the internet is organized, or the architecture of many digital currencies. They lack a central point of failure or even an overarching central authority. While government organizations like the Fed certainly must retain sovereignty over national payment systems, there are lessons to be learned from other approaches to transaction management that have arisen in the past two decades.
- Three, prioritize cloud and as-a-service models of payments processing. The technology that underpins modern cloud-native platforms is fundamentally different from the past. It is inherently real-time and 24×7. This is how cloud companies such as Amazon and Facebook can handle upwards of a billion messages per day in a system that’s hard for hackers to crack.
- Four, fintechs, banks, and central banks should work together to create the next stage in the evolution of the payments industry, with the encouragement of regulators.
- Five, any ecosystem participant providing payment processing and clearing and settlement services – whether a government organization, financial institution, or fintech service provider – should ensure their services meet availability and compliance standards such as SOC1, SOC2, and ISO 27001:2013.
Taking even some of the above approaches will help us all create a system in which the movement of money is not impeded by any central points of failure, and which is close to impossible to hack.
The systems that served us well through the last decades of the previous century will impede our progress into the coming decades of this century. Let us change that together.