Speech

Patrikis: Internet Banking and Payment

January 23, 1997
Ernest T. Patrkis, First Vice President

Remarks by First Vice President Ernest T. Patrikis before the Queen Mary and Wesfield College and UNISYS International Management CentreA. Introduction.

Good afternoon. I want to share with you today some observations and speculations gathered this and last year about banking and the Internet. I will be speaking in my capacity as a central banker -- which includes monetary policy, banking services, bank supervision, and payments system oversight -- and as a surfer of the 'Net. Let me state, at the outset, that, while the Federal Reserve Bank of New York does not conduct "Internet banking" as such, we do have a home page (/) with much useful information about our institution, with over three million recorded hits to date. Finally, let me add that some of what I say here today could, very easily, be obsolete in two months' or even two weeks' time. But I will try to point out those areas in advance.

The title of this portion of the program gives rise to two issues of definition. The first is "What is the Internet?" The second is "What is banking?" As I am sure you are well aware, in the United States we are a litigious sort. We even have a legal definition of the Internet. According to one recent case, the "Internet" is "an international computer 'supernetwork' of over 15,000 computer networks used by about 30 million individuals, corporations, organizations, and educational institutions worldwide."1/ Another case described the "Internet" as "a global communications network linked principally by modems which transmit electronic data over telephone lines [with] approximately 20 million to 30 million users."2/

"Banking" raises a host of issues in the United States. There is commercial banking and investment banking. The products offered by "banking" firms range from deposit taking (including payment services), investment advisory and management services, trading in financial instruments, brokering and underwriting financial instruments, lending, and trust services. A bank can offer all of these services on the Internet. For the purposes of this discussion, I will basically confine myself to deposit taking (including payment services) and lending.

A Central Banker's View

From a United States central bank perspective, the most fundamental question of banking and the Internet is: What are the monetary-policy implications, especially were we to assume the enormous, widespread scale that some have been predicting? From this perspective, the answer appears to be: probably not much. If the Internet is used merely to facilitate existing banking and payment transactions, such as executing electronic bill payments or transferring funds from one bank account to another (which more or less describes what electronic bill payment really is anyway), the combination of banking and the Internet should have few, if any, implications for the conduct of United States monetary policy, or the measurement of the United States money supply. "Money," as defined by M1, M2, or M3, would still be held in accounts at banks that would be reported to the Board of Governors of the Federal Reserve System through the existing mechanisms that such funds are reported today.

If, however, Internet banking evolved to the point where digital "coins," account-based cards and PCs, or other private-sector initiatives produced electronic representations of money that began to be used and circulated like currency, the potential implications for United States monetary policy are much greater. The key questions here are related to amount and velocity -- that is, (1) how would digital bills or notes, or digital coins, be represented on the books of a bank or depository institution; and (2) how many times would this electronic coin or bill circulate in the general economy without somehow being processed and recorded by a bank? In this regard, the October 1996 Bank for International Settlements report "Implications for Central Banks of the Development of Electronic Money" states "E-money could lead to shifts in the velocity of money which might temporarily reduce the usefulness of the monetary aggregates, especially narrower ones, for countries that rely on them as targets or indicators." In a June 1996 speech before a cyber-payments conference, Governor Edward Kelley of the Board of Governors stated that, with respect to a bank's liabilities incurred through issuing stored-value cards, such liabilities should be included in the statistical reports that banks must currently submit to the Board of Governors.3/ It is difficult to argue that bank liabilities resulting from the issuance of electronic "coins" or electronic "bills and notes" should be reported any differently.

A more problematic question arises when considering the matter of nonbank issuance of electronic coins or bills. Currently, the largest nonbank issuers of travelers checks are not required, but do volunteer to the Fed, the outstanding balances of their travelers checks, so that this information can be statistically recorded and reported in United States monetary aggregates by the Fed. If the issuance of private electronic money grows to a significant level in the real economy, and if much of that growth is provided by nonbank issuers of electronic money, there could be a similar request for nonbank issuers to provide information about the volume of their issuance and their outstanding electronic money liabilities, to the extent these liabilities are not recorded on the books of a bank every time they are circulated in the general economy.

A Bank Supervisor's View

From this perspective, combining banking and the Internet offers both great opportunity and great potential risk. First, the good news -- it is primarily cost-related. It has been reported by several banking studies that the cost of a typical transaction at a bank branch is now over $1.00; the cost of an ATM transaction is approximately $0.25. The cost of an Internet transaction, however, has been estimated at about a penny. I do not vouch for this statistic, but the difference is substantial. Such figures make a compelling argument for banks to get on the Internet sooner rather than later, and to move as many of their customers on to electronic or Internet banking as soon as they possibly can. Indeed, some banks offer low-fee accounts where the customer is not expected to enter an office physically -- mail, phone, and ATM are sufficient.

As stated by Board of Governors Chairman Alan Greenspan: "it is useful...to begin by reminding ourselves just why there is bank supervision and regulation. At bottom, of course, is the historical experience of the effects on the real economy of financial market disruptions and bank failures, especially when the disruptions and failures spread beyond the initial impetus."4/

A bank supervisor should have concerns other than cost, and these comprise the bad news -- the "risk" aspect of banking on the Internet. In the simplest terms, while we strive to ensure that banks remain efficient and cost-effective, we also have to ensure that banks know what they are getting into, and that they are capable of handling the risks that accompany banking on the Internet. The tension between the two is very constant and real, particularly because the technology today seems to be moving so much faster than bankers or bank supervisors can fully absorb.

At the Federal Reserve Bank of New York, we are being proactive in this area. We currently conduct on-site, information systems examinations of State member banks in our district -- in addition to commercial, trust, trading, and compliance examinations -- in which we try to review and constructively criticize the examined bank's entire MIS infrastructure. There is no separate, independent electronic or Internet bank exam as such. However, a part of the information systems examination reviews the bank's electronic and Internet activities and plans, and all examiners ask general questions that we feel that any bank offering on-line banking services should be able to answer responsively.

In addition, we have convened a special task force at the Federal Reserve Bank of New York to review security issues involving on-line and Internet banking. The goal of this task force is two-fold: (1) to gather, review, and benchmark current and future on-line security procedures and policies of State member banks in our district; and (2) to then somehow disseminate, without unduly disadvantaging any specific depository institution that provided us with its information, the best of these policies and procedures into a kind of "sound practices" security guide for banks to use for their electronic and Internet banking services. The task force should issue its first report in the summer of 1997.

In a similar vein, I believe that the United States Federal bank supervisors, while mindful of the risks, have tried to be as supportive of electronic and Internet banking as possible. Each of the various bank supervisory agencies, i.e., the Board of Governors, the Office of Thrift Supervision ("OTS"), the Federal Deposit Insurance Corporation ("FDIC"), and the Office of the Comptroller of the Currency ("OCC"), has dealt in some immediate way with the issues posed by electronic and Internet banking. Both the OTS and the Board of Governors have dealt directly with Internet banking through the bank applications approval process. In May of 1995, the OTS approved the application of a new thrift, the Security First Network Bank ("SFNB"), that sought explicitly to provide the majority of its electronic banking services over the Internet.5/ In May of 1996, the Board of Governors approved the application of SFNB's parent, a bank holding company, for SFNB to acquire a data-processing firm specializing in data processing activities that would provide nationwide banking and financial services over the Internet.6/ In December of 1996, the Board of Governors approved the application of a Minnesota bank holding company and two foreign banks to join a consortium of 15 North American banks and IBM to form Integrion Financial Network, LLC.7/ Integrion itself has announced that it will not provide electronic or home banking services, but will instead design and operate a secure electronic gateway or interface system linking bank customers to their depository institutions, including links via the Internet.8/ Finally, the Federal Reserve Bank of New York and the Board of Governors are currently processing an application from a foreign bank, with a United States securities brokerage subsidiary, to acquire a software firm planning to design software for customers of brokerage firms to place securities buy-and-sell orders over the Internet.9/ The OCC, meanwhile, confirmed in correspondence in August of 1996 that, in addition to providing home banking services to its customers through the Internet, a national bank subsidiary could also provide Internet access to customers and nonbank customers in the bank's service area.10/

In the midst of all this supervisory "support," however, I should also mention some of the as-yet unsettled issues dealing with the unique regulatory burdens facing depository institutions offering financial services over the Internet. Among the most difficult will be the proper application of the Community Reinvestment Act ("CRA"), a United States statute that requires depository institutions to meet the credit needs of the communities where they accept deposits. What exactly is a deposit community in cyberspace? Nobody really knows. This has not yet become a significant issue because most depository institutions offering on-line services still have brick-and-mortar branches, on to which current definitions of a CRA community are based. Still, for exclusively on-line depository institutions, the CRA issue will become increasingly important as their market share grows. Some early discussions with the relevant compliance supervisors may be in order. I also note that this also raises interesting questions on the definition of the relevant geographic market in the analysis of bank mergers.

Furthermore, considering the CRA issue brings forth another, broader issue: what is the role of nonbanks in the realm of Internet financial services, particularly payment services, which are still largely the province of banks and other regulated depository institutions? Because banks have been so intricately involved in the United States payments system, banks today face unique regulatory burdens: CRA, reserve requirements, deposit insurance premiums, and the costs of good supervision and good supervisors. If nonbanks begin to take significant market share away from banks because of an inherently lower cost structure, that raises real questions about a level playing field and whether or not banks can ever fairly compete. If nonbanks begin offering through the Internet many of the payment services, or alternatives to the payment services now offered exclusively by banks, that raises real concerns about the ultimate value of a bank charter, and what it really means to be a "bank." Or is this "banking"? Another issue that may be relevant here is the implication of a firm that has a balance sheet that looks like that of a bank but does not have direct access to the lender-of-last resort.

Finally, and especially in light of the issues just raised, I think it is important for me to emphasize that the bank supervisors have expressed a clear willingness to listen to what the banking community has had to say on the issues involving electronic and Internet banking. Regulation E, promulgated by the Board of Governors, implements the Electronic Funds Transfer Act of 1978, and establishes primarily for consumer protection purposes the basic rights, liabilities, and responsibilities of consumers who use, and financial institutions who offer, retail electronic funds transfer services. 11/ Among the protections provided are required disclosures, error resolution procedures, and loss protection. In 1996, when the Board of Governors issued its proposed regulations concerning the applicability of Regulation E to stored-value cards, the Board of Governors explicitly requested that commenters to the proposed revisions indicate whether the commenters believed that part or all of Regulation E should apply to electronic "money" or "value" residing on a computer system or a personal-computer hard drive.12/

Similarly, the FDIC, while holding public hearings on its General Counsel Opinion No. 8 on stored-value cards and Federal deposit insurance coverage,13/ specifically requested additional commentary on Federal deposit insurance coverage and electronic value represented on computer systems or personal computers. I believe the message is clear: as bank supervisors, we are open to what the banking community has to say on this rapidly evolving market. New ideas and reasoned arguments are welcome. We must try not to restrain important new services developed by the banking industry but should remain vigilant as banking-type services are offered by nonbank institutions.

A Payments Systems Overseer's View

From the perspective of a payments system overseer, I see much activity, but thus far, few genuinely revolutionary innovations with respect to banking and the Internet in the United States. Mainly, I see the application of faster, cheaper electronic processing of older, more established paper-based methods of transferring payments between parties. Credit card payments on the Internet are one example. Instead of using a telephone, a normal card reader, and a customer's signature, one leading Internet payments company has devised a secure method of allowing a bank customer to shop on-line with a credit card, by never releasing "in the clear" the customer's credit card number on the Internet itself. Instead, the company only releases the credit card number and a merchant's request for payment to the customer's issuing bank, away from the Internet, after verifying on-line with the customer that the purchase was authentically made. The bank processes the transaction as it would any other credit card purchase; the value added by the company is that the customer's credit card number is never on-line, a benefit indeed in today's security-poor Internet.

It is not hard to imagine that another step in this direction is for a third-party organization (perhaps even a bank subsidiary) to issue secure, encrypted electronic checks on the Internet on behalf of bank customers, or even unaffiliated parties, wishing to make purchases on-line. Much legal uncertainty remains in the United States about establishing such a process, however. Basic questions remain unanswered. What, exactly, would be an authorized signature on an electronic check? Put another way, what types of entities would be authorized to act as certification authorities on the Internet for such commercial conveniences as electronic purchase orders, electronic negotiable instruments, or their bases, digital signatures? Would these certification authorities be entirely private sector derived? Or would they be established and operated by the government, by the individual states, some of whom already have enacted digital signature statutes? What is the role of banks in this process? In particular, what are the risks to the bank, in allowing a nonaffiliated third party to act as a certifying authority for electronic checks drawn from the accounts of bank customers?

I could ask some even more basic commercial law questions about banking in cyberspace. When is an Internet payment final? More specifically, when a payment over the Internet is made, has the maker of the payment made a provisional payment, as with writing a check, or a final payment, as with giving a certified check or making a wire transfer? Articles 3, 4 and 4A of the Uniform Commercial Code ("UCC") govern the above circumstances, but have nothing to say on Internet payments. Currently, private contract law governs; agreements between each of the parties in an on-line transaction should be very carefully drafted and reviewed. Still, if Internet banking and commercial transactions were to grow in volume and complexity, it is quite possible that private contract law could evolve into a specialized commercial law of cyberspace, and eventually be codified into parts of the UCC.

On a less theoretical note, I should mention that a multi-national Task Force on the Security of Electronic Money, established by the Committee on Payment and Settlement Systems and the Group of Computer Experts of the Group of Ten Central Bank Governors, and chaired by Israel Sendrovic of the Federal Reserve Bank of New York, issued a report on its findings entitled "Security of Electronic Money" in August 1996. This Task Force examined primarily consumer-oriented stored-value payment products by, among other activities, surveying the leading global suppliers of both card-based and software-based stored-value systems, and concluded that the technical security measures of these systems are being designed to achieve an adequate level of security relative to other forms of common retail payment, assuming they are implemented appropriately. I recommend the report to anyone interested in a general discussion about security issues and stored-value systems, Internet-based or not.

Moving away from consumer banking and the Internet, and looking perhaps not-so-distantly into the future, I have also had occasion to question what the repercussions are for large-value payments transfer systems, such as Fedwire, with the emergence of a different, much more secure Internet. Generally speaking, the Internet today is a "somewhat" secure environment in which to conduct banking and financial service activity. The current level of security is not adequate for large-value payments. Some Internet-based payment products are becoming more secure, but only after the creators of these products have spent a great deal of time, effort and resources making their products secure. Consistent fast transmission and processing are also essential for large-value payments. The Internet today has no authorized, universal means of prioritizing specific electronic messages from other messages. Faster and better hardware helps, certainly, but offers no guarantee.

One of my responsibilities is to serve as the Product Director of the Wholesale Payments Product Office of the twelve Federal Reserve Banks. This includes the Fedwire transfer of funds, transfers of securities against payment, and net settlement. In providing these payment services, the Reserve Banks must charge a fee designed to cover their costs, plus what we refer to as a "private sector adjustment factor," a proxy for the capital, taxes, and other costs incurred by private-sector service providers. Thus, I am keenly interested in the next stage of the Internet.

If messages sent across the Internet could be made timely, become much more secure at reasonable cost, and, if a widely-accepted prioritization scheme for electronic messages could be implemented so that large-value payment messages could move instantaneously, it is not inconceivable that the effect on existing large-value payments transfer systems could be substantial. Within a five-to-ten year time frame, I could see at least a portion of Fedwire large-volume transfers of funds and securities -- with real-time gross-settlement -- handled over the Internet. Please do not ask me exactly when this will come about. On the other hand, with potentially enormous, secure, bilateral netting arrangements occurring between clearing banks in real time over the Internet, volume on existing large-value transfer systems could decrease dramatically. The clearing banks could, conceivably, save themselves some real money.

Jurisdictional Issues

Any discussion of banking or any form of commerce over the Internet today would not be complete without at least a few words on the legal jurisdictional issues that the Internet presents. This is arguably the area of law most in flux, the most subject to change on a monthly or even daily basis, depending on the specific jurisdiction and long-arm statute under discussion. In the United States, cases have already been decided regarding court jurisdiction and the Internet over alleged trademark violations,14/ contract disputes,15/ and advertising disputes. 16/ Although I am as yet unaware of any banking organizations that have become embroiled in litigation over jurisdictional issues from being on the Internet, I cannot promise you that such a suit will never occur. If a State banking agency or a State attorney general decided one day that a Web-site or an Internet-based transaction conferred sufficient minimum contacts with a state resident so that the state's long-arm statute applied to the bank, a suit could easily be filed. Minnesota Attorney General Hubert Humphrey III filed six lawsuits in 1995 against six companies accusing them of engaging in illegal business practices or running outright pyramid schemes over the Internet, although none of the six companies was based in Minnesota, and no Minnesota citizen ever came forward to complain about the companies. The fact that a Minnesota resident could have accessed the scams run by the companies, claimed Attorney General Humphrey, was sufficient to confer jurisdiction of his lawsuits in the Minnesota courts.

Lest this argument sound wildly and improbably expansive, it should be noted that the "Internet access = jurisdiction" idea has already been accepted by some of the Federal district courts that have decided such cases, although it must also be noted that these courts' decisions have been inconsistent, have all had slightly different facts, and have taken great pains to distinguish themselves from one another. New case law on the issue of jurisdiction conferred by Internet access is undoubtedly being made as we speak. At a minimum, then, banks offering services through the Internet should have signed contracts with electronic and Internet banking customers that specify to the courts where claims or disputes may be brought. Web-sites designed merely to advertise a bank's financial services should be designed to be as controversy-free as possible, although that may be difficult without making the sites content-free as well. Banks should err on the side of caution until the jurisdictional issues have had more time to sort themselves out.

I would like to present a hypothetical fact situation to you which I think demonstrates some of the thorny legal and supervisory issues that could be raised by the existence of offshore banking entities doing business over the Internet with individuals in our jurisdictions. I travel to the island of Atlantis, where I obtain a Class Z banking charter. I am permitted under this charter to engage in the business of banking every place in the world, except with residents of Atlantis. As you have probably suspected, Atlantis is founded on the principle of free and open markets, unfettered by supervision and regulation of banks with Class Z charters. Atlantis also provides for strict adherence of the principles of banking secrecy. My bank is named The Internet International Bank ("IIB"). The IIB offers a full spectrum of banking services to Atlantis nonresidents. Being a modern bank, it conducts business principally on the Internet. IIB has a series of quite attractive Internet pages where its products are offered. These pages spell out the products, deposit terms and interest rates, and loan terms and interest rates. All agreements are governed by the law of Atlantis. All deposits are deemed received over IIB's "counters" in Atlantis, and all loans are paid out of Atlantis. Atlantis has an enjoyable ambiance even exceeding that of Nice and Saint Paul de Vence; therefore, I see no need to leave the island. I do receive and entertain customers when they visit Atlantis. I do place telephone calls to customers who have responded to my Internet page, but I do not make cold calls to customers. Communications with customers over the Internet are state-of-the-art secure. Customers receive account statements over the Internet, issue payment instruments to IIB over the Internet, and request loans over the Internet. All payments to and from accounts are made by wire transfer to IIB's correspondent account maintained on the books of Atlantis Bank, the only bank chartered under Atlantis law authorized to engage in banking transactions with Atlantis residents. Customers may instruct IIB to make payments for their account. These too are consummated by means of payments out of IIB's account at Atlantis Bank. Loans are disbursed and paid the same way.

The question presented is whether IIB is violating the law of the countries in which its customers are located. While I have my own views as to the application of United States banking and securities laws to this fact situation, I prefer not to spell those out in my prepared remarks. Instead, we all might prosper by sharing our views as to the proper application of our home country's laws to individuals in our countries who might do business with IIB. I should note that this fact situation is a pure figment of my imagination. The cooperative efforts of bank supervisors over the world should be designed to ensure precisely against this sort of bank. In other words, like Atlantis, IIB should never surface above water.

Our discussion should include responses to the following questions: (1) is IIB engaged in an impermissible activity in your home country; (2) if it is impermissible, what authority has responsibility for enforcing that law; (3) if impermissible, is that a civil or criminal violation; (4) if impermissible, is there any way for IIB to qualify to do business in your home country; and finally, (5) does your home-country court have jurisdiction to hear cases brought by a customer against IIB?

Conclusion

To conclude, I simply wish to commend the banking and legal communities for learning as much about electronic and Internet banking as they can, now, and for trying to stay ahead of the curve of ever evolving and improving technology. I fully agree with the philosophy of letting the markets decide what will work and what will not. We, as supervisor and central banker, will try to stay out of the way as much as possible, unless because of criminal activities or systemic risk concerns we have to jump in. The private sector seems to have done fairly well so far. To this end, I point out a recent creation of the Banker's Roundtable, an organization composed of some of the largest United States banks, in organizing the Banking Industry Technology Secretariat ("BITS").

BITS, as I understand it, is in the process of designing and implementing common technological standards for the inter-operability of systems linking banks and their customers, and is also hoping to act as a certification authority for its member banks for third-party system and software providers, to ensure that when an electronic or Internet banking transaction takes place, the bank's name is the only name the customer ever sees. Similarly, a certified software or systems provider would agree that the customer's payment information would stay with the bank and not the provider.

I mention this not as an endorsement of BITS, but as an example of the type of innovation and cooperative or collaborative effort that can occur when the banking community realizes the enormous challenge and opportunity it has in the next few years. Central banks and bank supervisors must also be equal to these challenges. In order for us to fulfill our responsibilities, it will be necessary for the private sector financial institutions to keep educating and challenging us. It is those dynamics that will help ensure good public policy in banking supervision and regulation of banking transactions over the Internet.





1/ Panavision Int'l, L.P. v. Toeppen, 938 F. Supp. 616, 617 (C.D. Cal. 1996).

2/ In Systems, Inc. v. Instruction Set, Inc., 937 F. Supp. 161, 164 (D. Conn. 1996). The most comprehensive judicial description of the Internet can be found in American Civil Liberties Union v. Reno, 929 F. Supp. 824, 830-48 (E.D.P.A. 1996).

3/ Remarks of Edward W. Kelley, Jr., Member of the Board of Governors of the Federal Reserve System, at the Cyberpayments Conference '96 (June 18, 1996).

4/ Alan Greenspan, Banking in the Global Marketplace, address before the Federation of Bankers Associations of Japan (Nov. 18, 1996).

5/ See OTS Order No. 95-88 (May 8, 1995).

6/ See Cardinal Bancshares, Inc., 82 Fed. Res. Bull. 674 (1996). In this Board Order, the Board stated that, "The Board believes the provision of computer banking services by SFNB to its customers in accordance with the authority granted by the OTS, and as specifically described in this proposal, is consistent with Cardinal's existing authority under the [Bank Holding Company Act] and Regulation Y to operate a savings association." Id. at n.1.

7/ See Royal Bank of Canada, et al., 83 Fed. Res. Bull. _____, (0rder approved Dec. 2, 1996).

8/ Integrion also stated that it will not function as an Internet service provider, but will provide a secure electronic link to one.

9/ See Notification to the Board of Governors Regarding Investment in Marketware International Inc. of Toronto Dominion Bank (Dec. 19, 1996).

10/ See OCC Interp. Letter No. 742 (Aug. 19, 1996).

11/ See 12 C.F.R. Part 205.

12/ I should note here that other consumer-protection regulations issued by the Board of Governors address consumer credit transactions.

13/ FDIC General Counsel Opinion No. 8 stated, in essence, that the FDIC would consider granting Federal deposit insurance coverage for electronic value residing on stored value cards issued by a bank, only if the value on the stored value card represented an obligation definitively linked to an existing bank customer's deposit account.

14/ See Panavision Int'l, L.P. v. Toeppen, 938 F. Supp. 616, (C.D. Cal. 1996) ; Bensusan Restaurant Corp. v. King, 937 F. Supp. 295 (S.D.N.Y. 1996) ; Playboy Enterprises, Inc. v. Chuckleberry Publishing, Inc., 939 F. Supp. 1032 (S.D.N.Y 1996).

15/ See CompuServe, Inc. v. Patterson, 89 F.3d 1257 (6th Cir. 1996) ; Edias Software Int'l, LLC v. Basis Int'l Corp., 1996 U.S. Dist. LEXIS 18279 (D. Ariz. 1996).

16/ See Maritz, Inc. v. Cybergold, Inc., 1996 U.S. Dist. LEXIS 14978 (E.D. Mo. 1996) ; Inset Systems, Inc. v. Instruction Set, Inc., 937 F. Supp. 161 (D. Conn. 1996).