Expert Payments Advisors “Payments Sleeper Risk” November 13, 2014

1129 20th Street, Northwest | Suite 300 | Washington, DC 20036 | 202-721-9120 | www.mcgovernsmithadvisors.com

• Financial industry regulatory expert • Co-author of Gramm-Leach-Bliley Act (GLBA), Data Protection Regulation • 28+ years compliance & risk experience (13 with Department of Treasury in D.C.) • Visionary behind outsourced management compliance products & services Paul Reymann Partner, McGovern Smith Advisors

Payments system risk come from regulations, technology, cyber criminals, fraudsters, consumers, 3rd party vendors, merchants, competition, & innovation. 2

Payments Sleeper Risk Fraud Cyber Crimes EMV & Tokenization Open Source Code Merchant Breaches Reputation

3rd Party Processors Program Managers Merchants Silo Back Office Ops. Enhanced Training Operational

Security

Consumer Compliance; Strategic; Financial; IT; Info Sec; Reputation

Strategic

Regulations

Technology

Card Act AML Durbin Overdraft UDAAP Reg. E Disclosures Op Choke Pt. EMV APPs SmartPhones Mobile Money Credit Cards Debit Cards Prepaid Cards Innovation Apple Pay

Innovation vs. Fast-follower Strategy

Consider your payments strategy:  Revenue growth.  Build one branch or build a national solution.  EMV is coming, but Swipe continues.  SmartPhones reaching critical mass.  Understand your customers’ needs.  Analyze customer transaction data.  Security will always be paramount.  Vendor management is the next frontier of efficiency. 4

A Prepaid Card Example

Understanding Success Factors

Life of a Card? Sociodemographic? Transaction Frequency?

• Fees • No load vs Reloadable (i.e., type of reload) • Other factors (e.g., alerts, email, OD) • Gender • Nationality • Age & Education Levels

• Direct Deposit (21X/mo.) • Monthly fee (17X/mo.) • Over Draft (23X/mo.) Source: FRB of Kansas City. “General Purpose Reloadable Prepaid Cards: Penetration, Use, Fees and Fraud Risks” (Feb 2014)

5

Credit Card Sales Volume Growth Exceeds Debit Volume

Credit Card Profitability “After Tax Income” 2010 1.8% 2011 4.2% 2012 3.9% 2013 4.4% Source: FDIC QTRLY Banking Profiles – Institutions with managed credit card loans exceeding 50% of total assets. 6

Align Card Issuing Options & Bank’s Goals Card Issuing Infrastructure Spectrum

Agent Bank

Enhanced Agent Bank

• 3rd-party issuer controlled - Owns accounts - No conveyance • Fixed payments to FI (usually per new account + ongoing card renewal payments) • Marketing support 3rd-party issuer has access to FI customer list for marketing purposes

• Same as Agent Bank EXCEPT: - Revenue sharing vs. fixed payments

Servicing Structure

Profit Share

Joint Venture

• FI owns some / all of portfolio

• FI & issuer agree on a P&L measurement structure

• True separate entity created between FI & issuer

• Issuer provides card account servicing on a fee for service basis • All asset risk is FI’s for assets owned • All profits on owned accounts accrue to FI

• Profits are shared as agreed • Investments, costs shared as agreed

• Each party contributes resources as agreed • Value to each party ascribed based upon resources contributed • Profits shared based upon equity stake

Self Issuance

• FI issues cards directly • FI takes all risk / retains all profits • FI either builds or buys needed infrastructure, skill sets

• Numerous strategic, financial & regulatory considerations

7

Evaluate Key Parameters of Card Options Economics

Ease of

Investment Ongoing Commitment

Implementation Management

Risks

Controls

Operational Credit Regulatory Financial & IRR Reputation Strategic

Member Experience Pricing Underwriting Rewards Network Relationships Marketing Bank Resources

Dedicated Accounting Marketing

8

Debit Cards & Interchange

Investments in Debit Issuing

Thumbs Up for EMV Competition

• Members like debit cards • Attractive DDA-based payment • Debit issuers are likely to return to a growth agenda to match consumer demand • Current interchange rates will remain intact

• MC, Visa, & PIN debit networks for cross-line applications, opens gates for EMV enabled debit cards • Home Depot, Target and other data breaches push fraud agenda and EMV • MC & Visa waive PCI DSS annual validation

• Prepaid has emerged as competitive DDA alternative • Prepaid and credit card are Durbin exempt • Debit cards still favored for security & control

9

Innovation & Apple Pay

5 Reasons CU’s May Like Apple Pay One more means to make payments & transactions Growing percentage of iPhone users

Works with over 50% of cards issued today

Security: - NFCommunication enabled (except MCX CurrentC network) - TouchID – Finger print scan on iPhone 6 - Tokenization – Assigns 1-time codes

EMV retrofits likely to include mobile communications

10

Expect Significant Growth in Electronic Wallets

11

NAFCU's October 2014 Economic & CU Monitor Survey

Source: Risk Based Security

Source: Privacy Rights Clearinghouse

Credit unions' are concerned and focus on data and cybersecurity in order to safeguard their members. 12

Retailer Breaches Hit CUs The Air Academy Federal Credit Union said it had blocked about $20,000 in potentially fraudulent activity tied to debit cards compromised in the Home Depot breach. “A lot more activity off this one than Target," chief financial officer Brad Barnes said. About 5,800 debit cards out of his credit union's 25,000 total debit cards were compromised by the breach, he added. Credit unions were socked with $28 million in costs for the Target breach, according to research from NAFCU. The Home Depot attack could result in even greater damages. Source: Fraudulent charges from Home Depot breach surface (CBS MoneyWatch, September 24, 2014) The Target data breach will cause financial institutions to lose $480 million in card replacement costs and other expenses, according to estimates by NAFCU. 13

CREDIT UNIONS WORK HARD TO PROTECT MEMBERS AND ADDRESS DATA SECURITY ISSUES 14

PR Newswire

Up to 63% of security infractions & business disruptions attributed to suppliers & vendors.

3rd Parties / Vendor Management Risk

The Next Frontier of Operating Efficiency Customer Service

New Challenges

Selling

Competitive Landscape Compliance Tsunami

New Products & Services Consumer Compliance

Your Core Focus

Revenue & Profits

Speed to Market

Economies of Scale

Complexity of Technology

Cybersecurity Breaches

Manage Risk to Company & Consumer

Need Intelligent Expertise

Increasing enforcement activity from third party relationships. 116 Regulatory VM Publications. Sky Rocketing Cost & Complexity

Intelligent Operational Resources

Outsourcing Savings & Simplicity 16

Strategic Validation of 3rd Party Business Needs

Develop a plan tailored to: Inherent Risk

Benefits

Complexity

Customer Interaction

Information Security

Contingency Planning

Compliance

Oversight

17

Getting More Attention

Contract Development, Review, & Performance Monitoring • Develop and negotiate contracts that address the 18 elements outlined by the OCC. • Identify and incorporate mutually beneficial performance indicators and key risk indicators into contracts to enable effective quantitative monitoring of performance against anticipated outcomes. • Review existing contracts on critical vendors, as material changes warrant. • Renegotiate at the earliest opportunity, if problems are identified. 18

Just Announced on 11/4/14

19

Quick Reference Resources - NAFCU Data Security Website - CFPB RFI on Mobile Financial Services (June 2014) - FRB of Boston Payment Strategies - FRB of Boston Mobile Payments Industry Workgroup - Other Fed Payments Groups & Research: • FRB of Atlanta Retail Payments Risk Forum • FRB of Philadelphia Payment Cards Center • FRB of Kansas City Banking & Payments Research • FRB of Kansas City - General Purpose Reloadable Prepaid Cards: Penetration, Use, Fees and Fraud Risks (Feb 2014) Paul Reymann P: 410-212-5955 [email protected] twitter.com/paulreymann www.mcgovernsmithadvisors.com 20