
faq file


Rethinking Business

Electronic Bill Payment and Presentment and Aggregation


By Ann Spiotto
and Brian Mantel

What drives consumers to use electronic bill payment or financial account aggregation? What are the risks to consumers associated with electronic bill payment, financial account aggregation, and related services? And what can financial institutions do to promote the use of these services? This article briefly addresses these and related questions.

36 May/June 2001 ABA Bank Compliance

A study in 1999 found that banks earn as much as $60 billion a year from their payment system operations and that for some institutions these services can account for up to 40 percent of their total revenues. By decreasing the costs associated with payment system revenues, banks can increase profit margins. Future revenues can also be derived from cross-selling consumers additional products. In terms of customer relationships, research has also suggested that electronic banking customers are more loyal and valuable customers. Offering electronic bill payment services helps to solidify and maintain the bank's status as the primary provider of financial services. As a result, consumer electronic bill presentment and payment (EBPP) and financial account aggregation (aggregation) are important subjects for the industry. In order to more thoroughly discuss the consumer's perspective, it is important to first clarify what we mean by electronic bill payment and aggregation.

EBPP. EBPP services involve the collection of information from billers about bills and the payment of those bills. These services are offered online, usually for a small monthly fee. With electronic bill presentment, certain bills are remitted to consumers over the Internet or a paper bill is scanned and presented online. With electronic bill payment, the consumer initiates an electronic bill payment to the biller through direct payment (automated clearing house), PC banking, a telephone, or a third-party provider.

ACCOUNT AGGREGATION. In contrast to EBPP, aggregation involves only the retrieval and display of information from various financial accounts (e.g., checking, savings, insurance, mortgage, credit card, investment, and brokerage) and monthly bills. Aggregation is provided by financial institutions, Web portals, and other companies (aggregators). The most common method used today is screen-scraping, in which the consumer provides the aggregator with his or her ID codes and passwords; these are then used to access online accounts and to scrape information from the account site. The aggregator or financial services provider then allows the consumer, using a password, to access the information online at the aggregator's Web site for one-stop viewing. Generally, a third-party aggregator has no contract with the account-holding financial institution (AHFI) and the AHFI assumes no responsibility for the accurate display of this information by the aggregator.

Influences on Payment Decisions

Wealth
The first level of the payment instrument decision-making process relates to consumers' ability to fund payments in the foreseeable future. Consumer financial characteristics influence not only choice of payment instrument, but also the availability of instruments that consumers can choose in some cases. For example, individuals who routinely do not have sufficient funds to make payments will more likely be influenced by the expectations of corporations who seek to minimize the risk of bounced checks and so forth. Furthermore, even if consumers preferred paying bills electronically, financially constrained individuals might use checks and credit cards more frequently for their float and funding benefits.

Personal preferences
Consumers' personal preferences, including control, recourse, and customer service; budgeting and record-keeping; incentives and low cost; convenience; privacy and security; and personal involvement also influence payment instrument choice. For instance, consumers' desire for control includes the ability to review, initiate, stop, and record payments, as well as placing importance on recourse and customer service if problems arise. In addition to minimizing cost, preferences for incentives include other benefits such as reward programs and the feeling that a person knows they are getting a good deal. Convenience involves not only the ability to easily sign up for electronic bill payment, but also the expectation that the entire process, including error resolution, will be convenient and tailored to meet an individual's particular needs. Preferences for privacy/security include the ability to withhold information that may be detrimental if disclosed and using payment instruments that minimize the risk of being physically harmed. It also should be noted that privacy preferences must be discussed in the context of a specific relationship (e.g., electricity bill versus medical bill). Personal involvement includes the well-known desire for social interaction as well as the sense of accomplishment one gets from doing a job like budgeting on behalf of one's family.

Transaction-specific factors
The third factor that influences consumer decision-making in the payment instrument arena relates to the specific nature of the payment being made, where it is being made, and how the consumer views his/her relationship with the merchant. For instance, the extent to which bills are for small dollar amounts and/or fixed amounts positively influences the likelihood of using electronic bill payment. The degree to which billed amounts vary and/or are for larger amounts tends to reduce the likelihood of electronic bill payment use. Furthermore, consumer beliefs about the quality and timeliness of customer service with particular institutions appear to have a strong influence on their willingness to consider electronic bill payment. Clearly the broad availability of a payment instrument has a significant influence on the consumer's choice.

Safety and Liability Considerations

The Relevant Legal Rules
When a consumer thinks about using an aggregation site or EBPP service, one concern is whether this is safe. The simple answer to this concern is that the consumer is probably safe from liability for unauthorized transactions and that transaction errors should be corrected. However, if problems such as those described below arise, the consumer will not necessarily avoid short-term inconvenience in connection with his financial or bill payment accounts. Nor will the consumer necessarily be able to obtain reimbursement if losses are suffered because the data provided by an aggregation site are inaccurate or incomplete.

Potential problems with using aggregation or EBPP
To date, while theoretical problems have been identified, reports of actual financial losses suffered by consumers resulting from use of EBPP or aggregation services have not risen to the significant problem level. Most live problems with EBPP have apparently involved errors in executing transactions rather than fraudulent transactions. Institutions offering EBPP must resolve such problems in accordance with the error resolution requirements of the Electronic Fund Transfer Act (EFTA) and Regulation E. Generally, the inconvenience of having one's checking account or relationships with billers disturbed for a period of time due to an error may be a more realistic problem than concerns about its ultimate resolution.

Concerns have differed regarding aggregation primarily because of the rapid emergence in the past two years of small aggregators with few assets. The screen-scraping-based aggregation services received instant hype as, perhaps, the next killer app in consumer financial services. It was feared that these aggregators would create problems for financial institutions; specifically, that account information would be reflected inaccurately or that consumers might act in reliance on such bad data and then look to banks to solve their problems.

There was also concern that inadequate
security would result in a significant
increase in unauthorized transactions for
which someone would be financially
liable. The concern was magnified because private consumer information was
being accessed in a manner outside the
AHFI's control, potentially producing dramatic increases in the amount of financial data available at small, unknown,
nonfinancial institution Web sites.
In hindsight, aggregators were not that
different from established EBPP providers in their accumulation of financial
data. Many initial concerns have diminished as aggregation business models
have evolved. Some aggregators have
shifted from competitive to partnering
relationships with financial institutions.
Presently, aggregation services are offered
by a number of financial institutions
and recognizable corporate entities;
consequently, the concern that significant problems would result from the
proliferation of small, no-asset providers
has lessened.
Responsibility for inaccurate, incorrect, or incomplete data
It seems probable that an AHFI should not be liable for a consumer's financial loss resulting from reliance on inaccurate screen-scraped data displayed without the AHFI's consent on an aggregation site. General principles of fairness do not support imposition of such liability. This conclusion is even stronger if the AHFI's account documentation disclaims liability for the display of account data by unauthorized aggregators. These conclusions assume, naturally, that the information at the AHFI's Web site was accurate and that appropriate disclosure was made about whatever data limitations exist (e.g., that the data are accurate as of 9 a.m.).

Whether an aggregator has legal liability to the consumer for losses resulting from reliance on inaccurate, incorrect, or incomplete information displayed at the aggregation site is unclear. The aggregator could attempt to limit, if not eliminate, any potential legal liability by advising the consumer of limitations on the accuracy, completeness, or correctness of data in its customer agreement. However, whether specific disclaimer language is adequate is a question.
Compliance Requirements for Account Aggregation Services

The Office of the Comptroller of the Currency has become the first banking regulator to issue guidance regarding the risks that may accompany offering account aggregation services. In its OCC Bulletin 2001-12, the agency says banks that offer account aggregation services may be exposed to the following:

Strategic risk. This includes choosing the wrong technology and using an unstable third-party service provider.

Reputation risk. If the bank doesn't meet customer expectations, confidence can be undermined.

Transaction risk. Unless the data are accurate and current, they could adversely affect the customer's decision-making. If the bank receives and facilitates transactions, it may have additional risk of liability for unauthorized or disputed transactions.

Information security risk. The account aggregator becomes the keeper of the keys to all the customer's financial data. As the central repository for user names and passwords, its information security is crucial to safeguarding the confidentiality, accuracy, and integrity of the customer's information.

Compliance risk. This category is perhaps of greatest interest to readers of this magazine. The OCC points to three specific areas of compliance risk posed by account aggregation services:

Regulation E. Account aggregation is not specifically addressed by Regulation E at this time, but the Federal Reserve asked for comments on the issue in June 2000. In the absence of specific regulatory guidance in Regulation E, OCC urges banks to take a conservative approach to interpretation of Reg. E compliance obligations to account aggregation services. If the bank provides customers an automatic log-in feature to conduct electronic fund transfers on other entities' Web sites, this may trigger the application of Regulation E. If the automatic log-in allows a customer to click a hyperlink and cause the customer's user names and passwords stored by the bank as aggregator to be used to log in to the other sites, this may be considered the equivalent of offering an access device for electronic fund transfer services! In order to minimize liability, aggregator banks should design adequate security systems for access devices and maintain the security of user names and passwords used to access the customer's data on other Web sites.

Asset Management. If the bank compiles asset management information on customers, various requirements may apply, including the Bank Secrecy Act and, in some cases, applicable fiduciary standards under the Employee Retirement Income Security Act of 1974 and the national bank trust rule, 12 CFR Part 9. Where the aggregator bank provides hyperlinks to unaffiliated sites that offer securities and insurance products, appropriate disclaimers should be made to ensure that customers realize these products are not FDIC-insured and entail a risk of loss. It should also be clear that the bank does not provide, endorse, or guarantee any of the third-party products or services.

Privacy. Because of the extremely sensitive nature of the data collected through aggregation, banks must pay particular attention to the privacy challenges posed by aggregation services. The bank's GLB privacy notice must reflect the types of information the bank collects and discloses in its role as an aggregator. The OCC even notes that special privacy notices for aggregation customers may be warranted so that the bank can fully and accurately describe its information practices relating to these customers. While a bank may share information about its own transactions and experiences with customers with its affiliates, if it chooses to share with its affiliates information about the customers' transactions with third parties that it gathers as an aggregator, it must first disclose that sharing and provide a right to opt out.

Mary Beth Guard, CEO Glia Group, Inc.

Liability for unauthorized transactions
There are two primary categories of unauthorized transactions that could potentially result from information being provided to aggregation sites:

Those resulting from a hacker accessing the site and using information from it. In the words of one analyst, Simply put, an aggregation site is a hacker's dream. The wealth of passwords, personal data, and access to financial accounts that aggregation sites contain could make breaking into one aggregation site more worthwhile than breaking into hundreds of individual sites.

Those resulting from the use of information by those providing the site, their agents, or employees. One industry group recently noted, Although focus is often placed on the Internet and the hacker, the reality is that 75 percent to 85 percent of all compromises occur from within a corporation.

The same types of unauthorized transactions clearly also could result from account information being provided to an EBPP service.

The determination of liability when an unauthorized transaction occurs depends on the specific facts. The simple answer under current laws and regulations is that responsibility varies depending on the type of transaction and/or account from which the transaction is made. However, generally, the consumer has rights to be made whole by the AHFI and, generally, a financial institution (but not necessarily the AHFI) will be the party ultimately responsible. Examples of this include the following:

1. If the transaction involves a forged signature on a counterfeit check, the AHFI that pays the check is responsible for reimbursing the customer under the Uniform Commercial Code. If the check is drawn against an open-end credit account, the Truth in Lending Act and Regulation Z also impose liability on the AHFI.

2. If the transaction involves an ACH debit drawn on a checking account, the AHFI is liable to reimburse the consumer under the EFTA and Regulation E. Under certain conditions, this liability may be subject to the AHFI's right to impose certain liability upon the consumer (typically not more than $500), depending primarily upon the time frames within which the consumer notifies the AHFI of the transaction or the loss or theft of the access device.

3. If the transaction involves an unauthorized merchandise purchase charged to a credit card account, the card-issuing AHFI is liable to the consumer under TILA and Regulation Z.

4. If a credit account issuer suffers losses due to opening an account for an identity theft perpetrator, that issuer would take the loss if charges are made against the account and payment is not received.

5. If a checking/deposit account was opened for an identity theft perpetrator, the financial institution opening the account would take the loss to the extent that deposits are returned unpaid and no funds remain on deposit to be offset against.

Although the AHFI has legal responsibility to the consumer as has been
described, after taking care of the consumer the AHFI may be able to shift the
ultimate liability to another financial
institution under the ACH Rules or those
of the various processing associations
(e.g., Visa or MasterCard), depending on
the type of transaction. However, no such
rights to shift liability exist with respect
to losses on accounts opened on the
basis of identity fraud. It is also conceivable that the AHFI and the aggregator
might have entered into a contract that
assigns the ultimate responsibility for
losses to the aggregator or splits it under
some sort of sharing arrangement.

Simple answers, however, don't necessarily mean that the customer is always
made whole. Of crucial importance is
whether the consumer's claim that a
transaction is unauthorized is believed.
If the financial institution does not
believe that the transaction is unauthorized (and instead concludes that it is
attempted customer fraud or that it
was authorized) it will not reimburse
the consumer voluntarily and litigation
may be necessary to resolve the issue.
Additionally, reimbursement may
depend on whether the AHFI knows the
law, and, perhaps more important,
whether its customer service staff understands what is legally required.
Generally AHFIs will follow the simplest
path, and if a charge-back opportunity is
available in connection with a disputed
transaction, the consumer will be reimbursed and charge-back will be
attempted. However, if charge-back
rights are not available, the AHFI might
refuse to reimburse the consumer if the
aggregator itself initiated the fraudulent
unauthorized transaction. This refusal
would be based on the argument that can
be made under EFTA and Regulation E
that the consumer is responsible for the
transaction since he voluntarily furnished all necessary information to the
aggregation site and has not notified the
AHFI that transfers by the aggregator are
not permitted.
The simple answer may change in some
of the situations described previously if
the consumer does not make a claim
against the AHFI and instead elects
to pursue the aggregator, attempting to obtain direct reimbursement from it on
a common law or tort theory (e.g., negligence). Some aggregators may try to
avoid liability against this possibility by
contractually disclaiming liability for
such things as losses resulting from
unauthorized access to consumer information by a hacker.
The above answers remain much the
same when an EBPP site is involved. A
technical exception might be if the
fraudulent transaction was initiated via
the ACH directly from the EBPP
provider. In that specific situation the
service provider provisions of EFTA
and Regulation E may well be applicable, and responsibility to reimburse
the consumer for the transaction may
technically fall on the EBPP provider.
However, as a practical matter, if the
consumer contacted the AHFI alleging
an unauthorized transaction, the
customer service representative might
not notice this technical shifting
of responsibility to the EBPP provider.
The AHFI representative would then
open a billing error file, reimburse
the consumer, and charge-back the
transaction through the ACH system
to the originating financial institution.
While the answers suggested above are
relatively simple, the practical resolution of problems may not be simple
from a mechanical standpoint. The consumer and AHFI may not realize that an
aggregation or EBPP site was the source
of the information leading to unauthorized transactions. If this fact is not
recognized, then discussion concerning
aggregator or EBPP provider responsibility is irrelevant. Even if this fact is
recognized, there is no one party
responsible for resolution of problems
on accounts displayed at the site unless
the aggregation or EBPP provider steps forward and assumes responsibility. In
most cases, if multiple accounts are
fraudulently accessed the consumer will
need to deal individually with the holder/issuer of each compromised account.

Looking Forward: Challenges and Opportunities

Household budgeting: A critical requirement
The ability to pay electronically is closely tied to the ability to fund payments. Perhaps one of the least reported but most important obstacles to using electronic payments such as electronic bill payment is illustrated by the following statement: "I don't have the money in my account yet." In this vein, it is important to note that consumers' use of different payment instruments is driven in part by imperfect attempts to budget and control scarce household financial resources.

Building budgeting capabilities into payment systems
It will be important to consider how electronic banking innovations can promote improved budgeting rather than increase uncertainty and potential for risk. For instance, consider the risks preauthorized bill payment services introduce for variable-dollar payments versus the stability of preauthorized deductions from payroll transactions. This is especially true when employers are able to break larger deductions (e.g., health care contributions) into monthly deductions that ease time pressures on household budgets while indirectly contributing to budgeting.

Rethinking billing practices and the value of credit-like services
The above point suggests what financial institutions and merchants alike have recognized for years: credit-based products are a highly valuable standalone product and add-on service to consumers. Facilitating consumers' ability to pay for larger dollar purchases over periods of time is a beneficial economic service for some consumer segments. While some might read this to be arguing for significant advances of credit-based services that would trap consumers, this analysis argues for credit-based services when justified by clear economic and budgeting principles. In a similar manner, adjustments to billing practices could address this issue. For instance, some large utilities routinely offer consumers the option of paying one predetermined bill each month, rather than variable bills each month, and then handle differences at the end of the year.

Consumer financial education
Clearly, as many individuals have noted, improved consumer financial education is critical. Teaching the ability to develop goals and budgets and to make trade-offs among competing needs are topics that will require significant effort from private and public groups alike.

Rethinking control: From obstacle to opportunity
This analysis highlights that control
means different things to different consumers: monitoring account balances
and bills, initiating payments, advance
knowledge of a payment, ability to stop
a payment, ability to get a payment
problem or dispute resolved conveniently, access to proof of payment, and
effectiveness in recording transactions.
While control is many times perceived
as a significant barrier to the greater use
of electronic payments, control should
be thought of as an economic good with
a set of costs and benefits associated
with its provision.
From biller-initiated to consumer-initiated bill payments
Many consumers will prefer the greater
control offered by paper payment instruments for bills that vary in amount, may
be subject to more frequent errors,
where customer service and/or recourse
may not be perceived to be adequate,
or where the ability to make partial
payments is important. These same
consumers may also prefer electronic
payments for smaller, fixed-dollar payments. Consequently, it will be critical
for billers and financial institutions alike
to consider products and services that increase consumers' control over the
timing and amount of payments and that
allow for easier cancellation or changes
in payments.
Offering greater recourse and error resolution
Given the number of parties involved
in an EBPP transaction (i.e., the consumer, the consumer's bank, the biller,
and the biller's bank), consumers may
be apprehensive about entering into
an arrangement in which errors may
be difficult to settle. In addition, any
arrangement that involves multiple
institutions is subject to coordination
and incentive problems in dispute settlement. Consequently, services that begin
to replicate the functionality of the
credit card with its easy and reliable
1-800 customer service and error resolution may likely be desirable services.

Rethinking convenience
Some past electronic banking failures
have been labeled failures due to consumer reluctance to change. After all,
while electronic bill payment is advertised as being more convenient, interviews with consumers confirmed that
electronic bill payment is not incrementally more convenient until many or all
bills can be paid online and until error
resolution among banks and corporations can be easily addressed. This
suggests that electronic bill payment,
in order to satisfy consumers' convenience expectations, may need to move
toward models that more closely tie
together improved sign-up, control, and
recourse attributes.
For more information about ABA Bank Compliance or to subscribe, call (800) BANKERS.

about the authors


Ann Spiotto is senior research counsel and Brian Mantel is program manager with the Emerging Payments Studies Department at the Federal Reserve
Bank of Chicago. The views expressed in this article are those of the authors
alone and do not necessarily reflect the views of the Federal Reserve Bank of
Chicago or the Board of Governors of the Federal Reserve System. Special
thanks to Timothy McHugh, research analyst, for research that contributed to
this article. This article is based on a presentation given by the authors at
NACHA's Electronic Bill Presentment and Payment Council's e-Billing 2000 Conference in Miami, Florida, in October 2000.
