Faster Payments Rails Governance (2025 AFPP Handbook PDF)
Document Details
Uploaded by WorldFamousSatire
Summary
This document provides a framework for Faster Payment rails, outlining the operating rules, regulatory guidelines, and compliance requirements. It details principles, stakeholders, and governance for a variety of financial transactions.
Full Transcript
Day-to-day operations of Faster Payment rails are governed primarily by the operating rules of the individual Faster Payment Systems, i.e., the Nacha Operating Rules, RTP rules, FedNow rules, Visa Direct rules, and Mastercard Send rules. Visa and Mastercard also ensure compliance with the PCI/DSS rules since processing cardholder data is subject to PCI/DSS rules.

Regulatory guidance about Faster Payments plays an important role in safeguarding the secure and streamlined processing of transactions. Several regulatory entities, including FinCEN, FFIEC, FDIC, OCC, and others, issue and revise guidance. It is imperative that financial institutions and participants in the Faster Payments ecosystem stay informed of the latest regulations and guidance, as these updates can significantly impact their operational procedures.

Faster Payments operate in a highly regulated space with multiple guidance and compliance requirements arising from legislation, regulation, and network-specific rules. Following is a non-exhaustive list of some of the major rules that govern Faster Payment rails:

TABLE 59: REGULATIONS GOVERNING FASTER PAYMENT RAILS

- Network-specific Rules (Same Day ACH, FedNow, RTP, Visa Direct, Mastercard Send): Each Faster Payments network has its own set of operating rules that govern the entire payment chain.
- Federal Reserve Banks Operating Circular No. 8: This circular complements the FedNow Service Operating Procedures, which provide operational details on key areas such as participant and service availability expectations, connection profiles, fraud mitigation and reporting, and ISO 20022 messaging used within the FedNow Service.
- PCI-DSS rules: PCI-DSS is the global data security standard adopted by the card industry applicable to all entities that process, store, or transmit cardholder data and/or sensitive authentication data. It consists of steps that ensure security best practices in cardholder data handling.
- FFIEC: FFIEC (Federal Financial Institutions Examination Council) develops uniform reporting systems for federally supervised financial institutions, their holding companies, and subsidiaries. It publishes guidance for the industry in the form of handbooks on cybersecurity, risk management, and other IT systems safety.
- OCC: The Office of the Comptroller of the Currency’s (OCC) Committee on Banking Supervision (CBS) supervises the payments function of a bank to determine the potential operational, compliance, credit, liquidity, strategic, and reputation risks and how these are incorporated into bank-wide risk assessments. OCC examiners also assess bank risk management practices, including governance and controls of change management, information technology, information security, compliance, and fraud for FedNow participants.
- The Bank Secrecy Act (BSA): Legislation aimed at preventing criminals from misusing financial institutions to hide or launder money. FIs are required to provide evidence of necessary and reasonable actions taken to identify and prevent money laundering and criminal incidents.
- OFAC: Office of Foreign Assets Control (OFAC) is responsible for administering and enforcing economic sanctions based on US foreign policy and is responsible for developing, administering, and managing US sanctions programs.
- Uniform Commercial Code 4A: A set of laws that provide standardized guidance and regulations governing commercial transactions and fund transfers, particularly electronic fund transfers, including ACH transactions. Article 4A specifically focuses on fund transfers, establishing rules related to security, liability, warranties, and dispute resolution in a transaction.
- USA PATRIOT Act: Establishes standards for identifying consumers at account opening utilizing a Customer Identification Program (CIP). The CIP must be clearly documented and should include risk-based procedures for verifying the identity of each customer to a reasonable and practicable extent.
- Regulation E: Regulation E implements the Electronic Fund Transfer Act (EFTA), which establishes a basic framework of the rights, liabilities, and responsibilities of participants in the electronic fund and remittance transfer systems.
- Regulation J: Regulation J provides the legal framework for depository institutions to collect checks and other items, and to settle balances through the Federal Reserve System. This regulation is supplemented by operating circulars issued by the Reserve Banks.
- EFAA and Regulation CC: The Expedited Funds Availability Act (EFAA) is a law that deals with the problem of banks taking too long to make deposited money available to customers. It has three main rules for banks: they must make money deposited in regular accounts available quickly, pay interest on certain accounts promptly, and tell customers about their policies as to when funds will be available. The EFAA is enforced by a set of rules called Regulation CC, which has four parts. Part A explains terms and who enforces the rules. Part B sets the schedules for when banks must make funds available and includes exceptions, disclosure rules, and interest payment rules. Part C has rules to speed up the processing of checks, and Part D covers rules for substitute checks.

FedNow and the RTP network are governed by distinct structures. FedNow is operated by the Federal Reserve, with its functionality shaped by public feedback and insights from the FedNow community, consisting of private sector stakeholders. The RTP Network is managed by The Clearing House, which is owned by a consortium of large banks, and governed by the RTP Business Committee, which includes representatives from both owner banks and non-member financial institutions, ensuring a diverse and inclusive governance model.

THE 2025 AFPP HANDBOOK

The FedNow Service Operating Procedures along with Federal Reserve Banks Operating Circular No. 8 provide operational details for funds transfers through the FedNow Service, while the RTP System Operating Rules define the rights and responsibilities of participants and TCH concerning the RTP system. RTP participants are also obligated to comply with the RTP Technical Specifications, which include the messaging specifications and terminology.

In terms of transfer limits, as of 2024, FedNow defaults at a limit of $100,000, though participants can adjust this to a ceiling of $500,000 based on their business needs and risk preferences. The RTP Network also allows credit transfers up to $1 million. Both systems offer settlement in real-time on a bilateral gross basis, but FedNow settles through debit and credit entries to participants’ reserve bank accounts whereas the RTP Network’s settlement is backed by pre-funded balances in a joint account at the Federal Reserve Bank of New York.

Non-payment messaging functionality is slightly different between the two systems. FedNow provides additional messaging features, including requests-for-payment, request for returns (for payments sent in error), status, information, confirmation of posting, account balance, and activity reports, all adhering to the ISO 20022 standard. In comparison, the RTP Network supports functionalities such as requests for payment (RfP), acknowledgment of receipt, information requests, returns of funds, and remittance advice, with the ability to include links to external documents.

Payment routing methods are very similar for both FedNow and the RTP Network. Both systems route payments based on the account number and routing number of the receiving bank, with the RTP network providing additional support for routing using alpha-numeric domain-controlled tokens.

Both systems emphasize the importance of preventing fraud and promoting security, though they take different approaches.
FedNow rules allow participants to set lower limits and conditions for transaction rejection and have plans to introduce enhanced fraud prevention tools in subsequent releases, while the RTP Network rules require participating financial institutions and payment service providers to implement strong authentication, fraud detection/prevention, fraud reporting (to the network), and consumer protection policies. All transactions are required to be digitally signed and encrypted. The Clearing House tracks reported fraud and participating financial institutions are required to investigate suspected fraud cases.

In terms of alias or directory support, FedNow permits participants to use external alias directories for P2P services, whereas the RTP Network allows independent third-party networks to facilitate alias or directory-based initiation of payments routed over the network. Neither network has any type of embedded or overlay directory services.

The PCI Security Standards are a set of technical and operational criteria established by the PCI Security Standards Council (PCI SSC) to safeguard cardholder data. The PCI SSC includes PCI Data Security Standards (PCI DSS) applicable to all entities that store, process, and/or transmit cardholder data. These standards cover technical and operational system components included in or connected to cardholder data. Oversight and management of these security standards falls under the purview of the Council. Enforcement of PCI standards is carried out by the founding members of the Council, namely, American Express, Discover Financial Services, JCB, Mastercard, and Visa Inc.

Faster Payment systems such as Visa Direct or Mastercard Send that enable push-to-card payments to process transactions need to ensure compliance with the PCI DSS requirements. The following list includes key stakeholders:

1. Payment processors: Any entity involved in the processing, transmission, or storage of payment card data for Faster Payments needs to comply with PCI DSS requirements.
2. Financial institutions: Banks and other financial institutions that are part of the Faster Payments ecosystem and handle payment card data in various forms need to ensure that their systems and processes comply with PCI DSS if they engage in card payment activities.
3. Payment service providers: Payment service providers, including those offering services for Faster Payments, are responsible for PCI DSS compliance if they are involved in processing or transmitting payment card data.
4. Merchants: Merchants that accept payment cards, even in the context of Faster Payments, are subject to PCI DSS compliance if they store, process, or transmit cardholder data.
5. Technology and solution providers: Companies providing technology solutions, software, or infrastructure supporting Faster Payments may also be stakeholders responsible for PCI DSS compliance, especially if their systems handle payment card data.
6. Networks and switches: Payment networks and switches that facilitate the transfer of funds in Faster Payments need to ensure that their systems comply with PCI DSS if they handle payment card information during the transaction process.

Specific PCI DSS compliance requirements for each stakeholder can vary based on the role and functions of each stakeholder in payment processing. Stakeholders need to regularly assess their specific responsibilities and compliance obligations based on their role in the Faster Payments system.

The Federal Financial Institutions Examination Council (FFIEC), an interagency body, holds significant influence in shaping the regulatory landscape for Faster Payments systems.
Empowered by federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), the FFIEC prescribes uniform principles, standards, and reporting forms for the examination of financial institutions, including Faster Payments systems. Responsibility for developing uniform reporting systems extends to federally supervised financial institutions, their holding companies, and relevant subsidiaries. The FFIEC, through its supervisory role, conducts examiner training programs for federal and state agency personnel overseeing financial institutions.

In the context of Faster Payments, the FRB acts as the lead examiner of The Clearing House for examinations conducted under the Bank Service Company Act through an arrangement among the federal financial regulatory agencies through the Federal Financial Institutions Examination Council. Its authority over The Clearing House and its operation of the RTP Network is extremely broad. The Federal Reserve entity that directly regulates the RTP Network is the Federal Reserve Bank of New York, under a regulatory framework established by the FRB. The FFIEC’s supervisory oversight extends to other Faster Payment networks such as Visa Direct, Mastercard Send, and the Same Day ACH network under federal banking laws.

In the regulation of Faster Payments, the FFIEC issues essential guidance in the form of handbooks, booklets, and statements. These materials cover operational, risk management, and system security aspects, providing a framework for standardized supervision. They serve as valuable tools for examiners, ensuring consistent evaluation of financial institutions and service providers involved in critical financial services within the Faster Payments systems.
Private sector rules and banking regulations in the payments industry mutually reinforce each other. On the one hand, banking regulations frequently establish legal frameworks that guide the private sector; on the other hand, private sector payment rules have been developed to enable and support the changes and development of new payment products. Thus, private sector rules and banking regulations complement each other, providing valuable support across various domains such as compliance, risk management, and consumer protection while fostering competition and innovation.

Financial regulators such as the Federal Reserve and the Consumer Financial Protection Bureau (CFPB) establish compliance standards for financial institutions such as Anti-Money Laundering (AML) processes, Know Your Customer (KYC) procedures, and other data privacy laws. This was strengthened by the Patriot Act which was enacted to ensure national security by preventing terrorist financing via money laundering and any other financial crimes that may be related to terrorism. As such, banks are subject to regular compliance examinations and are held to rigorous standards to ensure financial stability. These regulatory requirements have been adopted for FIs and payment processors to ensure adherence to industry standards and best practices in the form of merchant compliance requirements and anti-fraud measures.

Concerning risk management, FIs seek to identify, assess, and mitigate risks that may arise from various sources within the payment system. This can include fraud prevention via cybersecurity measures, liquidity management, and contingency planning to prevent fraud. Private sector actors may implement various authentication and authorization measures that comply with banking regulations present in the industry while adapting diverse measures for monitoring transaction activities.
Some individual financial institutions may implement transactional limits, though this can also be supported by banking regulations.

The Federal Reserve and Congress strive to protect consumers, financial institutions, and the payment system itself by strengthening laws and policies. The rules set by the Federal Reserve Board for consumer payments and related federal laws typically don’t cover the payment systems between banks. These rules do not usually spell out who is responsible if something goes wrong with interbank payments, even if a bank is legally required to protect its customers. For example, Regulation E provides strong protections for consumers if there are mistakes or unauthorized payments made from their accounts.

Rules set by private entities and governmental regulations can have either a positive or negative impact on innovation and competition within the Faster Payments sector. Private sector rules often support innovation by encouraging the use of new technologies, business strategies, and services. However, banking regulations must carefully manage innovation to maintain financial stability, market fairness, and consumer protection. Regulatory bodies may choose to have adaptable approaches to regulation, allowing for emerging payment innovations while ensuring adherence to essential regulatory principles and goals.

The various Faster Payment rails are governed by several prevailing laws and regulations, including the Uniform Commercial Code (UCC) Article 4A, which governs funds transfers and establishes the rights and responsibilities of parties involved in such transactions while also covering payment order obligations of sending and receiving liability for late or improper execution, etc. Each state has adopted it. According to UCC Article 4A, if a funds transfer is not authorized by the customer, the sending customer is not responsible to the sending bank for that transfer.
Moreover, UCC 4A primarily applies to wholesale or large-value funds transfers between financial institutions, often involving business-to-business or interbank transactions. For this reason, UCC Article 4A does not apply to transactions governed by the EFTA or Regulation E. The EFTA and Regulation E address consumer electronic fund transfers and are the primary federal laws in the consumer payments area. The Federal Reserve included the rules from UCC Article 4A in Subparts B and C of Regulation J, which pertain to FedNow transactions. This means that payments made by consumers through FedNow are subject to both UCC Article 4A and Regulation E.

The Office of Foreign Assets Control (OFAC) requirements generally support compliance efforts with sanctions regulations and mitigating the risks associated with instant payment systems. In addition, the Consumer Financial Protection Bureau (CFPB) broadly enforces Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) rules to prevent actions that may cause financial harm to consumers. The CFPB has outlined guiding principles to make sure that consumer protections are integrated into new payment systems from the outset, emphasizing the importance of developing secure, transparent, accessible, and affordable payment systems to provide protections against fraud and errors.

Many other requirements were reinforced for financial institutions by the Patriot Act. The customer identification program (CIP), for instance, mandates that financial institutions employ a program to verify the identity of customers who open accounts. Suspicious Activity Reporting (SAR) requirements mandate financial institutions to report suspicious activity that may be related to money laundering or terrorist financing to the Financial Crimes Enforcement Network (FinCEN).

In addition to current banking regulations, Faster Payment solutions are regulated by specific rules associated with each system.
For instance, Same Day ACH operates under the guidelines outlined in the Nacha Operating Rules, while still complying with broader regulations like Regulation E and UCC 4A. Similarly, The Clearing House sets forth Operating Rules and Participation Rules for RTP transactions, although various Service Level Agreements might be established among transaction partners. Mastercard Send and Visa Direct also comply with Regulation E as well as PCI DSS for data security on top of their own network rules and policies.

TABLE 60: LAWS AND REGULATIONS GOVERNING PAYMENT RAILS

- FedNow: Regulation E, Regulation J Subparts B and C, UCC4A, Service Level Agreements, FedNow Operating Rules
- TCH RTP: Regulation E, UCC4A, Service Level Agreements, RTP® Operating Rules, RTP® Participation Rules
- Same Day ACH: Regulation E, UCC4A, EFTA, Nacha Operating Rules
- Mastercard Operating Rules: Regulation E, PCI DSS, Mastercard Operating Rules
- Visa Direct: Regulation E, PCI DSS, Visa Operating Rules

The laws and rules governing Faster Payments are managed by various government agencies to ensure they’re efficient, secure, and fair. Regulatory bodies at the federal level, including the Federal Reserve, the CFPB, and other agencies, oversee and enforce regulations that govern Faster Payment solutions. These regulations encompass a wide range of areas, including consumer protection, risk management, anti-money laundering (AML) compliance, and interoperability standards. Congress enacted the EFTA and Regulation E with the specific aim of regulating consumer electronic fund transfers, ensuring a high level of consumer protection in electronic payment transactions. The evolving Faster Payments landscape requires constant vigilance and adaptation from regulators to address emerging risks and promote innovation while safeguarding the financial system’s integrity.

Regulations that govern electronic fund transfers can be largely divided into consumer and non-consumer regulations.
Consumer regulations are laws that focus on and provide consumers with protection from fraud or unauthorized electronic payments. Consumers are defined as those who hold bank accounts for “personal, family, or household” purposes and are differentiated from business customers. The Electronic Fund Transfer Act and Regulation E issued by the Consumer Financial Protection Bureau are some of the main federal laws that protect consumers. Under these regulations, consumers have limited liability for fraudulent electronic payments, subject to prompt notice requirements. Banks are held more responsible for verifying whether payments from consumer accounts are authorized. As such, consumer regulations mandate consumer disclosures, limit consumer liability for unauthorized transfers, and maintain procedures for resolving errors.

In contrast, non-consumer regulations govern electronic transfers between businesses. These may include various operating rules established by the payment networks, interbank network rules, as well as broader financial regulations such as the Bank Secrecy Act and Anti-Money Laundering (AML) regulations. Regulatory oversight, industry self-regulation mechanisms, and contractual agreements are used to enforce non-consumer regulations. Violating non-consumer regulations can lead to contractual disputes, reputational damage, or financial penalties, compared to refunds and damages relief under consumer regulations.

Both private rule sets and federal regulations play important roles in the Faster Payments industry, albeit with distinct approaches and priorities. Federal regulations are enacted through a structured process, involving legislators and regulators who solicit input through hearings and public comment.
Although this approach guarantees a democratic process in rulemaking, it can be challenging to balance different responsibilities and priorities, which might hinder timely regulatory adaptation to market demands and technological advancements.

For private rule sets, immediate access to industry experts is an advantage. This helps in developing relevant interbank rules and procedures that are customized to the evolving needs of the payment landscape. This accessibility fosters innovation and fair competition in the marketplace as payment service providers differentiate themselves through their products and rules. Federal statutes do not always cover payment systems and liabilities between financial institutions. Private-sector payment systems have developed a detailed system for allocating losses associated with fraud and unauthorized transactions among payment participants. This allocation depends on various factors, allowing payment systems to encourage fraud reduction or other policies deemed important by their participants.

Federal regulations are created through a thoughtful process of mandating standards as a foundation of the regulatory environment. However, they may face obstacles in keeping up with the rapid advancements of payment systems and industry practices. Private rule sets, on the other hand, demonstrate speedy adaptation and innovation due to their close engagement with industry experts and the competitive dynamics of the marketplace. The synergy between these two realms can create a robust and balanced regulatory framework, wherein the strengths of each complement the limitations of the other, ultimately enhancing the efficiency, security, and fairness of the payment ecosystem.

Data privacy laws are significant for US Faster Payments systems to protect consumers from fraud, scams, and identity theft.
The immediacy of funds availability in fast payment systems makes them attractive targets for fraudsters who could exploit the system before fraudulent activities are detected. Data privacy laws play a crucial role in safeguarding sensitive information and preventing breaches of privacy and data security that could lead to identity theft, financial harm, and fraud. These laws establish rules on data security and privacy, requiring institutions to obtain consumer consent before sharing data, anonymize data, and set minimum standards on data storage and transmission across borders. In the context of faster payments, where real-time transfers are not eligible for repudiation, adjusted rules and processes for remedial actions are necessary, highlighting the importance of robust security frameworks to protect consumers’ privacy and identity in the face of emerging fraud risks.

In the interest of data privacy, stakeholders participating in FedNow, the Federal Reserve’s instant payment service, are subject to stringent requirements to ensure the security and integrity of transactions. Compliance with Federal Reserve Operating Circular 8 is mandated, encompassing regulations regarding access to Federal Reserve Financial Services and data transmission protocols. Additionally, stakeholders accessing the FedNow Service via FedLine Solutions must maintain robust information security programs, employing measures such as message signing using public/private key pairs, encryption of data in transit and at rest, and adherence to authentication protocols outlined by the Federal Reserve.

The Clearing House requires a robust information security program for its RTP network, restricting physical and logical access to customer data and ensuring its secure destruction. This program includes detailed specifications for system architecture, firewalls, and intrusion detection systems, enhancing overall security measures.
TCH requires regular participant inspection of its security program and conducts regular audits by independent auditors, aligning with regulatory standards and ensuring continual improvement. TCH reviews the effectiveness of its security measures annually and commits to making necessary adjustments to address any identified vulnerabilities. TCH requires participants to have contingency plans for data recovery in the event of a breach and requires thorough background checks on all employees of participants that may have access to customer information.

Participants in Same Day ACH payments must adhere to rigorous data security standards outlined in the Nacha Operating Rules, emphasizing the protection of sensitive data throughout its lifecycle. Compliance entails implementing access controls and encryption measures to safeguard account information used in ACH transactions, alongside conducting self-assessments and verifying the identities of Third-Party Senders and Originators. Additionally, participants must consider state and federal laws governing the secure storage of data and sensitive documents, ensuring their storage methods align with regulatory requirements to uphold the commercial reasonableness of their practices.

Mastercard Send mandates participants maintain a robust written information security program encompassing technical, physical, and administrative safeguards. These measures are designed to safeguard the security and confidentiality of personal data, protect against potential threats to data integrity, and prevent unauthorized access or acquisition of personal data. Additionally, the program ensures proper disposal of personal data and requires regular testing or monitoring to assess the effectiveness of implemented safeguards, reflecting a commitment to ongoing security enhancement.
Visa Direct imposes stringent security and authentication requirements on users of its APIs, including Two-Way SSL (Mutual SSL) authentication and channel encryption. This entails providing a username and password, and installing an X509 security certificate issued by Visa. Additionally, message-level encryption is mandated to further enhance data security.

The Bank Secrecy Act of 1970 was implemented to prevent criminals from using financial institutions to hide or launder money, including for financial terrorism, to ensure financial integrity. All Faster Payments FI participants are subject to this law. The BSA specifically imposes an AML program, record keeping, and reporting requirements on all financial institutions designed to prevent and detect money laundering and other crimes. It further specifies what an AML compliance program must include, such as internal controls, independent testing of responsible persons, and training. These regulations mandate customer due diligence, transaction monitoring, and reporting of suspicious activities to regulatory authorities.

These regulations become even more crucial to ensure the integrity and security of financial transactions with the advent of Faster Payment systems. The speed inherent to Faster Payments presents challenges for regulatory authorities in detecting and preventing illicit activities, as traditional monitoring systems may struggle to keep pace with the volume and velocity of transactions. To address these challenges, financial institutions implementing Faster Payment systems must adhere to stringent BSA and AML regulations. This involves implementing robust monitoring and reporting mechanisms to identify suspicious transactions, conducting thorough customer due diligence to verify the identities of individuals and entities involved in transactions, and implementing strong internal controls to mitigate the risk of illicit financial activities.
These monitoring programs must include measures to detect payments that are suspicious in their value (i.e., frequent payments that are just under reporting thresholds or transaction limits), and their frequency. Monitoring programs must also account for other factors, such as the age of the account making these transactions. For example, accounts that have been opened recently, making payments just under reporting or transaction limit thresholds, would be suspicious. This requires proper staff training and the establishment of proper investigation protocols to ensure that suspicious payments are identified, without the generation of too many false positives. Additionally, collaboration between financial institutions, regulatory agencies, and law enforcement entities is essential to effectively combat money laundering and ensure compliance with regulatory requirements in the rapidly evolving landscape of Faster Payments.

An error refers to an unintended deviation or mistake that occurs in the processing of a faster payment. There are different types of errors depending on which stage of the payment the error happens, including authentication, processing, authorization, settlement, and reconciliation errors. For instance, TCH defines payment errors related to RTP payments as when the payment amount is erroneous, a payment is sent to an unintended Receiving Participant or Receiver, or an RTP payment is sent twice (duplicate payment).

Error resolution includes the process of investigating whether or not an erroneous, unauthorized, or fraudulent faster payment transaction has been made and the corrective measures taken by users and financial institutions. Error resolution will differ based on the type of error as well as the rail involved. Regulation E governs electronic fund transfers initiated to debit or credit a consumer account while the Uniform Commercial Code (UCC) governs commercial transactions in the U.S.
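The BSA/AML monitoring factors described above (payment values just under a reporting threshold or transaction limit, payment frequency, and account age) can be combined into a single rule that limits false positives. The following Python code is an added example, not part of the handbook: the $100,000 limit is the FedNow default cited on this page, while the 10% margin, 24-hour window, repeat count, 30-day account age, the `Payment` record, and all sample payments are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values: the handbook names the factors but gives no numbers.
LIMIT_CENTS = 100_000_00              # limit being approached (FedNow default cited on the page)
NEAR_LIMIT_FLOOR_CENTS = 90_000_00    # assumption: "just under" = within 10% below the limit
WINDOW = timedelta(hours=24)          # assumption: look-back window for frequency
REPEAT_COUNT = 3                      # assumption: near-limit payments in WINDOW that count as frequent
NEW_ACCOUNT_AGE = timedelta(days=30)  # assumption: what "opened recently" means


@dataclass(frozen=True)
class Payment:
    account_id: str
    amount_cents: int          # integer cents avoid float rounding at the boundary
    sent_at: datetime
    account_opened: datetime


def is_near_limit(amount_cents: int) -> bool:
    """True for amounts just under the limit; at or over the limit is a separate control."""
    return NEAR_LIMIT_FLOOR_CENTS <= amount_cents < LIMIT_CENTS


def max_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_alerts(payments: list[Payment]) -> dict[str, list[str]]:
    """Map account_id -> reasons the account should be routed to an investigator."""
    near = defaultdict(list)
    for p in payments:
        if is_near_limit(p.amount_cents):
            near[p.account_id].append(p)

    alerts: dict[str, list[str]] = {}
    for account_id, hits in near.items():
        reasons = []
        # Factor 1 and 2: value just under the limit, repeated within the window.
        if max_in_window([p.sent_at for p in hits], WINDOW) >= REPEAT_COUNT:
            reasons.append("repeated_near_limit")
        # Factor 3: a recently opened account sending even one near-limit payment.
        if any(p.sent_at - p.account_opened < NEW_ACCOUNT_AGE for p in hits):
            reasons.append("new_account_near_limit")
        if reasons:
            alerts[account_id] = reasons
    return alerts


def sample_payments() -> list[Payment]:
    """Constructed sample data, not real transactions."""
    t0 = datetime(2025, 3, 3, 9, 0)
    old = datetime(2019, 1, 1)
    new = datetime(2025, 2, 20)
    return [
        # ACCT-A: established account, three near-limit payments within 5 hours
        Payment("ACCT-A", 99_500_00, t0, old),
        Payment("ACCT-A", 98_900_00, t0 + timedelta(hours=2), old),
        Payment("ACCT-A", 99_900_00, t0 + timedelta(hours=5), old),
        # ACCT-B: account opened 11 days earlier, one near-limit payment
        Payment("ACCT-B", 97_000_00, t0, new),
        # ACCT-C: established account, a single near-limit payment (not flagged)
        Payment("ACCT-C", 99_000_00, t0, old),
        # ACCT-D: new account, small payments only (not flagged)
        Payment("ACCT-D", 250_00, t0, new),
        Payment("ACCT-D", 1_200_00, t0 + timedelta(hours=1), new),
        # ACCT-E: established account, near-limit payments spread over weeks (not flagged)
        Payment("ACCT-E", 99_000_00, t0, old),
        Payment("ACCT-E", 99_000_00, t0 + timedelta(days=9), old),
        Payment("ACCT-E", 99_000_00, t0 + timedelta(days=20), old),
    ]


if __name__ == "__main__":
    for account, reasons in sorted(find_alerts(sample_payments()).items()):
        print(account, ", ".join(reasons))
```

Accounts ACCT-C and ACCT-E show how the frequency and account-age conditions keep a single or widely spaced near-limit payment from an established account out of the investigation queue.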
In terms of error resolution, Regulation E provides specific rights and protections for consumers when errors occur in electronic payments, including specifications as to the timeframe for reporting errors and investigation procedures for financial institutions. Regulation E also defines instances when consumers are entitled to provisional credit for disputed amounts during investigations and ensures the timely resolution of errors, thus safeguarding consumers’ interests and protecting them from errors, unauthorized transactions, and fraudulent activities.

Article 4A of the UCC provides a framework for the rights and obligations of banks and businesses involved in funds transfers. It focuses on defining the responsibilities of entities involved in commercial transactions, such as giving notice to counterparties of erroneous or unauthorized transfers and investigating and resolving errors for recipient entities when receiving notice. Article 4A also specifies liability allocation, enforcement mechanisms, and remedies.

Once a payment is determined to have been misdirected, payers have certain liabilities under regulations and/or network rules. The table below outlines these liabilities for each faster payment rail in the U.S.

TABLE 61: LIABILITIES OF PAYERS RELATED TO MISDIRECTED PAYMENTS BY PAYMENT RAIL

Payment rails: FedNow, TCH RTP, Same Day ACH, Mastercard Send, Visa Direct

Under Regulation E payers must give an oral and, upon request from its FI, a written notice of the error made within 60 days of receiving a periodic statement or other documentation first reflecting the alleged error from its FI. The notice must include the customer’s name and account number, an explanation for why the error exists as well as the error’s type, date, and amount.

Under UCC4A, payers must disclose an error related to misdirected payments and notify their bank within 90 days of receiving payment confirmation from their bank. If the payer fails to do so, he or she is liable for the amount sent and not more.

TABLE 62: LIABILITIES AND ERROR RESOLUTION RESPONSIBILITIES OF FINANCIAL INSTITUTIONS BY PAYMENT RAIL

Payment rails: FedNow, TCH RTP, Same Day ACH, Mastercard Send, Visa Direct

Under Regulation E financial institutions must require written confirmation of an error from the consumer no later than 10 days after receiving an oral notice and provide an address where said confirmation has to be sent. After this, the FI must perform the following steps:
- Promptly investigate the allegation of the error
- Complete the investigation within 10 business days
- Report the findings within 3 business days of completing the investigation
- Correct the error within one business day after determining that an error was made

The FI is allowed to extend the length of the investigation to 45 calendar days if it provides provisional funds (including interest, where applicable) to the consumer within the original 10 business days, if it advises the consumer within 2 business days of the provisional credit, and gives full use of the funds to the consumer during the extended investigation. The FI is not required to provide provisional funds if the consumer fails to give a written confirmation of the original error notice, except where the error involves an unauthorized EFT. After completing the investigation, if no error has been found, the FI is required to give a written explanation to the consumer, including the documents based on which it made the determination.

Under UCC4A, receiving financial institutions are required to correct errors they made when executing payment orders, whether the error was related to the amount or the identity of the beneficiary. This includes collecting an additional amount from the sender if the amount debited to the beneficiary is lower than the original payment order, recovering and returning the excess funds if the amount collected is larger than the original payment order, and recovering and returning the full amount of a payment order that was debited to a beneficiary different to the one specified in the payment order.

Client/customer agreements serve as the legal cornerstone of the relationships between Faster Payment stakeholders. These agreements outline the terms and conditions governing the use of faster payment products and services, establishing the rights, responsibilities, and liabilities of the various parties involved. These agreements allow providers to communicate policies concerning transaction limits, fees, dispute resolution mechanisms, and data privacy policies and serve as mechanisms for regulatory compliance and enforcement because regulators mandate the inclusion of certain provisions and disclosures to safeguard the interests of consumers.

Disclosures serve as measures to promote transparency and mitigate risk associated with these Faster Payment systems. Financial institutions and operators are obligated to furnish comprehensive disclosures that elucidate the features, functionalities, and associated potential risks of Faster Payment products and services. These disclosures must be provided to customers and clients in a clear, concise, and accessible manner, ensuring that customers comprehend the implications of using these services.
TABLE 63: REQUIRED AGREEMENTS FOR FASTER PAYMENT RAILS

Required agreements, by rail:
- Same Day ACH: Origination agreements between relevant parties; Authorization agreements between relevant parties
- RTP: RTP participant Agreement and Indemnity; Designation of Third Party Service Provider Agreement
- FedNow: FedNow Service Security Procedure Agreement; Service Provider Agreement for the FedNow Service
- Mastercard Send: Digital Activity Agreement; Program service agreement; Payment transfer agreement
- Visa Direct: Visa Direct terms and conditions

TABLE 64: REQUIRED DISCLOSURES FOR FASTER PAYMENT RAILS

Required disclosures, by rail:
- Same Day ACH: Designated data disclosure; Disclosure of nested relationships; Pricing for participants
- RTP: Daily reconciliation reports; Exceptions handling
- FedNow: Transaction records; Fraud data disclosures
- Mastercard Send: Fee schedules; Disclosure of standards; Privacy policies
- Visa Direct: Fee schedules; Privacy agreements

For Same Day ACH payments, several agreements must be in place to execute transactions and ensure legal compliance. First and foremost, an origination agreement must be established between the ODFI and originator, including any third parties involved. These agreements bind the originator to the Nacha Operating Rules, authorize the ODFI to receive transactions on their behalf, specify limitations to transactions, and include rights to agreement termination and the right to audit originators for compliance with legal standards. Additionally, authorization agreements are necessary between originators and receivers to permit the receipt of ACH entries, with the specifications of these agreements depending on whether the parties involved are consumers or corporate entities and the specific dynamics of their relationship. ODFIs and RDFIs must also have authorization agreements in place with their ACH Operator, whether this be EPN or Fed ACH, setting into place the name and routing number of these institutions and the settlement arrangements for transactions.

The Clearing House requires two primary agreements be in place for the RTP network.
The first is the RTP Participant Agreement and Indemnity, which ensures that participant institutions agree to the terms and conditions governing participation in the network. This agreement requires participants to adhere to RTP rules and regulations, including security protocols and transaction processing guidelines. Additionally, participants agree to indemnify The Clearing House against any liabilities arising from their access to the RTP network. The second major agreement for the RTP network applies to participants that utilize a third-party service provider to access the network. This agreement designates the third-party service provider to act on behalf of the participant, outlining the scope of services provided and ensuring compliance with RTP network standards.

For FedNow, the first agreement that participant financial institutions must agree to is the FedNow Service Security Procedure Agreement. FIs agree to the provisions outlined in the Federal Reserve’s Operating Circular 8, which governs access to the FedNow service. As the name suggests, this agreement relates to the security procedures involved with FedNow and the Reserve banks acting upon authenticated instructions coming from service participants. The second major agreement for FedNow is the Service Provider Agreement and is necessary for participants that wish to engage another entity to act on their behalf as a service provider. This agreement authorizes the designated entity to perform specific services on the FI’s behalf within the FedNow ecosystem. These services may include sending and receiving credit transfers, managing settlement processes, and handling liquidity management transfers. Signing this agreement means that FIs ensure that their chosen service providers adhere to FedNow’s standards and regulations.
It should be noted that these FedNow-specific agreements come on top of the agreements necessary for the FedLine interface solution that allows access to electronic Federal Reserve services.

Mastercard Send requires several different agreements to legally ground and bind the relationship between participants and the Mastercard scheme. The first of these agreements is the Digital Activity Agreement, which commits users to a series of rules concerning the customer’s digital participation, sponsorship rights, obligations, responsibilities, and usage abilities, among other concerns. Mastercard also requires compliance with its Program Service Agreement, which reflects the customer’s responsibilities for establishing all management and operating policies described in Mastercard standards. The third major agreement for Mastercard customers is the Payment Transfer Agreement. This agreement applies to all customers engaging in payment transfer activity and establishes rule compliance, responsibility for transactions, transaction and authorization requirements, obligations to provide information to Mastercard, privacy and data security requirements, and various other subject areas.

FIs must comply with a series of agreements to use the Visa Direct services. Among the various agreements required by stakeholders for the usage of Visa services generally, the list of which is extensive, Visa Direct users must also agree to the terms and conditions. These terms outline the rights and responsibilities of developers, financial institutions, and merchants/consumers that access Visa Direct services. The agreement clearly defines the parameters of usage for the Visa Direct web developer portal and the usage of the service for push and pull transfers. This agreement grants users a limited license to use the Visa Direct API, while imposing restrictions on distribution, sublicensing, and prohibited activities.
Visa also reserves the right to regulate API calls and may modify its methods periodically according to this agreement. In summation, this agreement governs the utilization of Visa Direct services, API usage via the developer website, approval processes, usage limitations, and Visa’s discretion over API access and support, to further codify the relationship between the scheme and the users.

Required disclosures for Same Day ACH payments are sourced from the Nacha Operating Rules. Same Day ACH payments necessitate several disclosures among stakeholders. Firstly, transparency regarding any nested third-party relationships between third parties and their originating depository financial institutions must be reported to the ODFI. Secondly, all participants must disclose their transaction data retention policies to ensure accountability and facilitate effective communication among parties. ACH Operators must disclose designated data related to entries transmitted throughout the system to Nacha. Comprehensive disclosure of pricing structures, the process of exception handling, and other pertinent information must be provided to participants to foster transparency and facilitate smooth operations within the system.

The Clearing House’s RTP network mandates several disclosures for system operation. The Clearing House must disclose typical information concerning pricing, exceptions handling, policies, practices, and standards to maintain clarity within the network. Participants must disclose pricing, standards and rules for RTP payments, and exceptions processing handling to their customers using the service. Funding participants are required to disclose their relationships with non-funding participants to TCH, enhancing transparency and oversight.
Participants must provide their respective customers with any necessary information contained in the designated fields of Payment Messages, Payment Message Responses, or Non-Payment Messages as outlined in the RTP Technical Specifications. Furthermore, TCH provides reconciliation reports to participants at the end of each operating day, facilitating accountability and transparency. Funding participants are further obligated to furnish non-funding participants with reconciliation reports detailing their activities at day’s end.

The need for disclosures among FedNow stakeholders arises from stipulations within Operating Circular 1, Account Relationships. FedNow Participants utilizing the FedNow Service agree to allow the Reserve Banks to utilize and/or disclose all transaction records and related information within the confines of applicable law. This anticipated collection and utilization encompass various aspects, including directory or fraud services essential for executing, managing, or enforcing transactions as well as guarding against actual or potential fraud, unauthorized transactions, or liability claims. FedNow Participants affirm that they have provided all requisite disclosures and acquired necessary consents or permissions for such usage by the Reserve Banks. Furthermore, FedNow Participants are obligated to indemnify and safeguard the Reserve Banks against any claims, losses, costs, or expenses resulting from failure to fulfill their participant obligations outlined in Operating Circular 8, which governs the FedNow service.

A set of required disclosures is necessary to ensure transparency and compliance for Mastercard Send. Institutions must be provided with the necessary standards relevant to service providers in the way of required privacy policies, fees and pricing, and any other standards they will be held to before they become customers of Mastercard.
Participating financial institutions are also required to regularly disclose customer reports of transaction activities to Mastercard. Participating FIs are also required to disclose all fees and appropriate information to their customers using the Mastercard Send service as well, in line with all applicable laws.

Originators are mandated to furnish customers with comprehensive Terms and Conditions, ensuring customer acknowledgment before utilizing any Visa Direct-based service. It is the originator’s responsibility to regularly update these Terms and Conditions to encompass necessary disclosures in alignment with legal requirements and industry standards. Visa reserves the right to request copies of the updated Terms and Conditions for compliance verification. Visa’s Core Rules are also disclosed to all participants, with compliance being required. Originators are obligated to furnish senders with transparent information concerning fees and essential terms associated with push payment services. This entails providing a detailed breakdown of all assessed fees in compliance with relevant laws and regulations. Senders must be allowed to consent to these fees or opt to cancel the transaction. In cases where third-party agents are involved, strict adherence to Visa’s rules and regulations is required and the same sorts of disclosures must be provided.

As is the case with all of these Faster Payment rails, the central infrastructure is usually only liable in cases of gross negligence or misconduct.

ODFIs are obligated to indemnify RDFIs and ACH Operators for any claims, losses, liabilities, or expenses, including legal fees, stemming from breaches of warranties made by the ODFI under the Nacha Operating Rules or from the debiting or crediting of an entry to a receiver’s account in line with entry terms.
This indemnity extends to situations such as the return of items or entries due to insufficient funds caused by a debit entry, ensuring that RDFIs and ACH Operators are protected from financial repercussions resulting from ODFI actions. RDFIs must indemnify ODFIs and ACH Operators against all claims, losses, liabilities, or expenses, including legal fees, resulting directly or indirectly from any breach of warranty under Section 1.2 (general rule compliance) of the Nacha Operating Rules. Gateway providers also assume these same warranties under Nacha rules.

The RTP Participant indemnity agreement covers indemnity arrangements between participants and TCH itself. Participants agree to mutual indemnification to each other for transactions facilitated via the RTP network and to their pre-funded account balance used to facilitate transactions. Regarding acts between participants related to participation in the RTP system, TCH can only be held indemnible in cases of its own gross negligence or intentional misconduct. The amount and basis of indemnity will correspond to the gross negligence or misconduct that is directly attributable to TCH. TCH’s rules also stipulate that it shall not be held liable for any fraud that occurs except in cases where it is deemed to be negligent. The recipient bank of fraudulently sent payments is expected to cooperate with the sending bank in recovering said funds, typically within 10 business days. The Zelle service, which in some cases utilizes the RTP network to facilitate its transactions, has its own set of liability and indemnity arrangements.

The liabilities of the Federal Reserve for the FedNow service are delineated within the framework of Operating Circular 8.
In the provision of other services outlined in the circular, the liability of a Reserve Bank is limited as explicitly stated within the circular or, in the absence of such explicit limitation, to losses directly resulting from willful misconduct or failure to exercise ordinary care. Under no circumstances is a Reserve Bank liable for special or consequential damages, regardless of foreseeability or prior notification. Moreover, the Reserve Banks’ liability for damages resulting from the failure to exercise ordinary care or good faith in processing a message is restricted to the amount of any fee paid for that message. Furthermore, the Reserve Banks disclaim liability for any loss or damage arising from a FedNow Participant’s or Service Provider’s use of third-party products or services not supplied, owned, or operated by the Reserve Banks, even if these products or services facilitate access to the FedNow Service. This disclaimer extends to any warranty, express or implied, concerning the accuracy, timeliness, completeness, merchantability, fitness for a particular purpose, title, quality, or noninfringement of such third-party products or services. These liability provisions are designed to delineate the boundaries of responsibility and manage risks associated with the FedNow service.

Each customer is required to indemnify and hold harmless Mastercard, its parent and subsidiaries, directors, officers, employees, and agents from any claims, losses, liabilities, or expenses resulting from acts or omissions of the customer or any associated persons. This includes compliance with standards, access or use of the Interchange System, failure to perform as required, or any actions involving Mastercard assets. Mastercard disclaims all warranties regarding its systems and limits liability for damages, with any total liability capped at the compensation received by Mastercard from the customer or USD 250,000, whichever is less, unless prohibited by law.
This indemnity and limitation of liability clause is a fundamental aspect of Mastercard Send’s standards and conduct of activity.

Visa assumes liability solely for the loss or misdirection of funds in push-to-account Original Credit Transactions if such issues are directly attributed to Visa, within the limitations outlined in the Visa Core Rules and Visa Product and Service Rules. However, Visa disclaims responsibility for any indirect, incidental, consequential, or special damages, including loss of revenue, profits, or business opportunities, irrespective of whether Visa was aware of the possibility of such losses. Furthermore, Visa holds no liability for actions or omissions of downstream entities, including partners, banks, and processing schemes, emphasizing that Visa bears no responsibility for their conduct in the transaction chain.