The reason that I really enjoyed this session was that Innopay had chosen a real and practical example. The example being discussed was direct debits, and the efficiency that might be obtained from the electronic signing of direct debit mandates. The EPC rule book talks about the possibility of an electronic mandate for a SEPA Direct Debit (SDD) but merely refers to an electronic document that is securely signed. This is a nice test case for pan-European identity infrastructure. SDD promises “a simple and secure way to pay bills across 32 European countries” but it can’t be realised unless that infrastructure is in place. In the session I co-chaired there were three presentations from three different countries with three different approaches.
Slimpay from France presented their solution for electronic mandate management for consumers. They are licensed as a payment institution (PI) by the Banque de France and have decided to focus on the SCT and SDD space by providing a SaaS service. They’ve gone down the mobile route that I was nodding towards a couple of days ago, with OTP via SMS as the means to comply with 1999/93/EC (the electronic signature directive) and Article 1316-4 al. 2 (the French transcription thereof) and deliver identification; evidence of consent; a “strong link” with the signed document; and a (generally) reliable infrastructure.
The completed mandates are sent to the consumers as a digitally-signed PDF. Interestingly, where the “credit score” is marginal, they use the same technique as PayPal and everybody else to link the person to the bank account: they send a SEPA Credit Transfer (SCT) with a random code.
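The “SCT with a random code” check mentioned above is worth spelling out, because the security of the scheme rests on how the code is handled server-side rather than on the code itself. The following is an added illustration written for this post, not Slimpay’s or PayPal’s code: the biller puts a short random code on the remittance line of a small credit transfer, keeps only a keyed hash of it, and accepts the code back only once, within a validity window, and for a bounded number of guesses. The IBAN and the server key are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed server-side key; in practice this would come from an HSM or KMS,
# never from the code base. It keeps stored hashes useless if the table leaks.
SERVER_KEY = secrets.token_bytes(32)

CODE_LENGTH = 6
MAX_ATTEMPTS = 5                 # 5 guesses out of 10^6 codes: ~0.0005% success
TTL_SECONDS = 7 * 24 * 3600      # a credit transfer may take days to show on a statement


@dataclass
class PendingVerification:
    """What the biller stores while waiting for the account holder to read the code."""
    iban: str
    code_hash: bytes             # keyed hash only; the plaintext code is on the SCT remittance line
    expires_at: float
    attempts: int = 0
    verified: bool = False


def _hash_code(iban: str, code: str) -> bytes:
    # Bind the code to the IBAN so a code issued for one account cannot be presented for another.
    return hmac.new(SERVER_KEY, f"{iban}:{code}".encode(), hashlib.sha256).digest()


def issue_code(iban: str, now: float) -> Tuple[PendingVerification, str]:
    """Create a pending verification; the returned code goes on the SCT remittance line."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    pending = PendingVerification(iban=iban, code_hash=_hash_code(iban, code),
                                  expires_at=now + TTL_SECONDS)
    return pending, code


def verify_code(pending: PendingVerification, submitted: str, now: float) -> bool:
    """Accept the code once, before expiry, and only while guesses remain."""
    if pending.verified or now > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
        return False
    pending.attempts += 1
    ok = hmac.compare_digest(_hash_code(pending.iban, submitted), pending.code_hash)
    if ok:
        pending.verified = True  # single use: the same code cannot be replayed later
    return ok


def exhaust_attempts(pending: PendingVerification, now: float) -> None:
    """Helper for the lockout case: burn every allowed guess with a wrong code."""
    for _ in range(MAX_ATTEMPTS):
        verify_code(pending, "not-a-code", now)


if __name__ == "__main__":
    pending, code = issue_code("DE89370400440532013000", now=0.0)   # constructed test IBAN
    print("remittance line:", f"VERIFY {code}")
    print("correct code accepted:", verify_code(pending, code, now=60.0))
    print("replay accepted:", verify_code(pending, code, now=120.0))
```

The check only proves that whoever typed the code can read that account’s statement, which is exactly the link to the person that the text describes; it says nothing about the mandate contents, so it complements rather than replaces the signed PDF.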
SIBS from Portugal presented their co-operative approach. This has worked very well in the ATM case, providing sophisticated services that were available in Portugal (eg, mobile top-up) long before they were available in other countries. The ViaVerde RFID tag has been very successful, as has what they call their “proxy card” service whereby you can get a virtual card number from the ATM. The ATM is the focus of many services (such as electronic bill payment) and these are free to consumers (oddly, they are not free on the Internet). They have a full SDD e-mandate implementation: when you sign up for something at a merchant, you are redirected to your own bank to log in and authorise the mandate (which means running a directory service as well).
Unfortunately, since SIBS cannot impose proper 2FA on the members, they are stuck with a bit of a problem. The banks are worried about man-in-the-middle attacks against password or OTP use. The criminals set up a dummy website, people think that they are signing up for a magazine subscription, they are directed to what they think is their bank but is actually a bogus site, and the criminals use the intercepted credentials to loot the consumer’s account. Hence they are demanding separate validation.
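The man-in-the-middle worry above is really a worry about what the OTP proves. A code that is only tied to the login session proves the user holds the phone, not what they are approving, so a code relayed from a bogus site is as good as one entered on the real one. The “strong link with the signed document” from the Slimpay presentation is the standard answer: derive the code from the mandate details and show those details in the same SMS. The following is an added illustration written for this post, not SIBS’s or any bank’s code; the `Mandate` fields, the bank key and the creditor values are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Mandate:
    """Constructed subset of SDD mandate fields; real mandates carry more."""
    creditor_id: str
    creditor_name: str
    debtor_iban: str


def canonical(m: Mandate) -> bytes:
    # Fixed field order and separator so issuer and verifier hash identical bytes.
    return "|".join([m.creditor_id, m.creditor_name, m.debtor_iban]).encode()


# --- Weak form: session OTP, bound to nothing but the phone ----------------

def issue_session_otp() -> Tuple[str, str]:
    """Returns (code, sms_text). The mandate plays no part at all."""
    code = f"{secrets.randbelow(10**6):06d}"
    return code, f"Your bank code is {code}"


def verify_session_otp(issued_code: str, mandate_received: Mandate, submitted: str) -> bool:
    # The mandate the bank actually received is ignored: any mandate passes with the right code.
    return hmac.compare_digest(issued_code, submitted)


# --- Stronger form: code derived from the mandate the bank will act on ------

def _derive(key: bytes, nonce: bytes, m: Mandate) -> str:
    mac = hmac.new(key, nonce + canonical(m), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"   # 6-digit truncation


def issue_bound_code(key: bytes, mandate: Mandate) -> Tuple[bytes, str, str]:
    """Returns (nonce, code, sms_text); the SMS names what is being approved."""
    nonce = secrets.token_bytes(8)          # fresh per approval, so codes are not reusable
    code = _derive(key, nonce, mandate)
    sms = (f"Approve SEPA direct debit mandate for {mandate.creditor_name} "
           f"({mandate.creditor_id}) on account ending {mandate.debtor_iban[-4:]}: code {code}")
    return nonce, code, sms


def verify_bound_code(key: bytes, nonce: bytes, mandate_received: Mandate, submitted: str) -> bool:
    # Recompute over the mandate the bank actually holds, not the one the user believes in.
    return hmac.compare_digest(_derive(key, nonce, mandate_received), submitted)


if __name__ == "__main__":
    bank_key = secrets.token_bytes(32)      # constructed; would live in an HSM
    intended = Mandate("PT00ZZZ123", "Magazine Subscriptions Lda", "PT50000201231234567890154")
    substituted = Mandate("XX00ZZZ999", "Somebody Else", "PT50000201231234567890154")
    code, sms = issue_session_otp()
    print("session OTP approves a different mandate:",
          verify_session_otp(code, substituted, code))
    nonce, code, sms = issue_bound_code(bank_key, intended)
    print(sms)
    print("bound code approves a different mandate:",
          verify_bound_code(bank_key, nonce, substituted, code))
```

The bound code still needs the expiry and attempt limits of any OTP, and it only helps if the SMS text is honest enough for the user to notice a creditor they did not intend; what it buys the bank is that a code obtained under one set of mandate details cannot be spent on another.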
Digidentity were the last to present and they were very interesting (I recorded a podcast with them). Their founder explained how he had the idea for the company after being invited to connect with the Prime Minister on LinkedIn, only to find a few days later that it was a prank. When he went to the police to complain, he was told to call the Child Pornography Unit, because they’re the ones dealing with the “identity problem”. Fascinating. In the Netherlands, you cannot use your state electronic identity (the “DigiD”) for commercial purposes, so Digidentity created a parallel service.
The Dutch have also started an E-Herkenning (“e-recognition”) initiative to standardise the ways that companies identify themselves and interact with the state online.
Without getting sidetracked into the issues about “push” SDD countries and “pull” SDD countries, let’s just note that direct debits work differently, and are used differently, across Europe. But the point remains that, for a typical consumer, an SDD solution is important for cross-border bills of many kinds and perhaps for future payment services. I will not create a continuous authority (CA) on any of my payment cards. These do not have the same legal protections built into them, and I often hear stories from people who found themselves accidentally signing up to a CA for a shopping club (or whatever) and then having to actually cancel their credit card to stop it!
Risk levels vary across markets. The electricity utility does not have much risk, the company selling computer games does. Therefore they may see the problem of identity and authentication quite differently. If banks could provide the equivalent of AVS, for example, or even a basic authorisation service, then the SDD could be used more flexibly. As it is, many billers will not accept cross-border direct debit mandates for banks in Bulgaria, Latvia and other countries.
There is, however, one category of organisation that already handles direct debits on a large scale, that bills interoperably across Europe, that could have a role in payments and that controls the only realistic candidate for the medium-term mass-market authentication device, and that is mobile operators. I’m clearly missing something here, because it seems to me that if the operators were to add a PKI application on the UICC, then all of the ideas we discussed around the SDD and identity infrastructure would be cheaper and simpler. And they would make money for the operators from the money saved by the banks and billers.
This is the sort of thing I hope to be discussing at the European Payments conference in London on 6th and 7th December 2012. Our friends at ICBI have put together a great programme with an impressive line-up of European experts (and me) and it looks as if they’ll have some top-notch talks. Not only have they done a great job on the programme, but as a service to the community they have given the Tomorrow’s Transactions blog a free delegate place worth an astonishing ONE THOUSAND FOUR HUNDRED AND NINETY NINE POUNDS STERLING (plus VAT) to award as a prize! So if you are going to be in London on those days and you’d like to attend this terrific event, all you have to do is to be the first person to comment on this post with the name of the Dutch politician who was the first president of the European Central Bank.
In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been designed to be carbon neutral. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.