August 19, 2011
Person-to-person payments are generally considered payments via an email address or cell phone number when the person’s bank account number is not known. Recently Bank of America and Wells Fargo announced that they were beta testing a new service to allow person-to-person payments. Both banks recently announced an agreement with ClearXchange. As several Javelin employees are customers of these banks, it was with great anticipation that we tested this service. While this was an informal test and not subject to the rigors of a Javelin evaluation, it was a disappointing experience. In all fairness, this is a Beta but frankly, after our experience, it felt more like an Alpha. On the other hand, we give credit to the banks for being willing to move into this space – one that we see growing in the future.
Our first test was to transfer from a Bank of America online account to an email address belonging to a Wells Fargo customer. The online account at Bank of America had to be enrolled in the transfer service. At the present time, all transfers are free (probably short-lived until the bugs are worked out). One interesting aspect of the enrollment was that the bank asked for account verification through the debit card (or a credit card) even though it had already authenticated the user via login/password/multifactor authentication etc. As the ‘security guy’, this was a good thing to see. Once the enrollment was complete, it was fairly easy to enter an email address and make the transfer.
According to the terms and conditions of this service, this transfer can take up to three days. Three days? That seems a bit long in this day and age. The Wells Fargo recipient received an email which prompted them to enroll their account in the service. The money was quickly debited from the Bank of America account and within minutes the recipient got an email saying that an amount was being transferred to them. A couple of hours after the debit, the credit still has not been posted – it will be interesting to see exactly how long this takes.
OK, the email transfer did not seem too bad even if it could possibly take up to three days. It was the transfer to a cell phone where the system did not work as well as might be expected. A Javelin employee who is a customer of Wells transferred a sum to a Bank of America customer using only their cell phone number. Sure enough, within minutes, the Bank of America user got an SMS message stating that a Wells Fargo customer had transferred $cash (followed by a confirmation number). In this text message was an embedded URL to retrieve the funds (URLs embedded in SMS or emails can be a source of phishing) and an 800 number to call for information.
The URL wasn’t even the standard Wells URL (it was //labs.wellsfargo.com/tap/receivemoney) and it directed you to what appeared to be the Wells Fargo mobile application (that URL is www.wf.com etc). The last option on that screen is “Not a Wells Customer?” and so our intrepid Bank of America customer bravely clicked in the hopes of retrieving their money. No, not so fast. They are directed to yet another Wells Site that states (Not a Wells Customer? Claim your Money!) along with a pitch to become a customer. The site does provide the Bank of America customer a link to click on to hopefully receive the funds.
Here we have the first appearance of a Bank of America website which states, in effect, if you are receiving a transfer, “Enter the password contained in the notification”. Hmmm… password? What password, we asked ourselves. We went back to the original SMS notification and there was a confirmation number but not a password. We tried that. Nope – no money yet. We then tried the user’s Bank of America online password; nope – no money yet. But wait, there was an 800 number on the SMS notification. Let’s call that number and they can help us get our money. We were trying to do the entire transaction over the phone.
We called the 800 number and encountered a very friendly Wells Fargo CSR (can any of the FIs see the $’s start to mount here?). After about 15 minutes of trying different things and asking around, he reluctantly referred us to Bank of America. He had no idea why we were getting the confirmation number and not the password. He had us retry what we had already tried and his conclusion was “I guess this really isn’t quite ready for prime time.” Frankly, he represented Wells very well and was very professional but we still didn’t have our money.
We called Bank of America and got on the phone with another friendly CSR. As was the case with our Wells person, the rep had no idea why it wasn’t working. Again, after about 15 minutes of poking around, she discovered that the receiving phone number must be pre-registered online before any transfers could be made to it. We uncovered that on the Bank of America website and registered the inbound mobile phone number. Once registration was completed, voila, confirmation numbers started to fly. The Bank of America site currently shows the transfer pending this evening in the target checking account. The Wells Fargo online site does not yet show the pending credit.
In all fairness to both Bank of America and to Wells Fargo, we know from personal experience that these institutions work tirelessly on both the customer experience and security and this is ‘new space’ for them. That being said, there appear to be some surprising misses. Probably the most notable is the password/confirmation issue and the fact that a transfer to Bank of America is initially referred to a Wells Fargo employee for resolution. We also worry about embedded URLs in an SMS message as a potential phisher’s paradise. While the transfer to email seemed to work pretty well, the transfer to a cell phone number was pretty ‘rough’ from a usability perspective. Our hats off to both institutions for being willing to ‘experiment’ with these new services; however, before rolling this out more comprehensively, it is in both FIs’ best interests to smooth out this user experience.