Consult Hyperion is a specialist consulting company in the secure electronic transactions field. The company has almost three decades’ worth of experience advising the private and public sectors around the world. We have offices in New York USA and Guildford UK. We have detailed and significant experience in the specification and deployment of mass-market payment systems and are recognised thought leaders in the fields of digital money and digital identity through our “Tomorrow’s Transactions” series of blogs, podcasts and events.
Full details on the company are, of course, to be found on our web site at http://www.chyp.com/.
We are in general agreement with the gaps and opportunities identified in the documents although we might summarise them at high level slightly differently by saying that the essential complaints of stakeholders concerning the operation of the national payment system might be categorised in three summary concerns that the system is too expensive; too slow; and too opaque.
We think it might be better to restate the desired outcomes for payment system improvements in wider terms recognising the responsibility of the payment system to the economy as a whole. One way of doing this might be to look for more quantifiable targets that can be negotiated and agreed. One suitable candidate target might be the total social cost of the payment system. There has been significant academic work in recent years looking at the calculation of overall social costs by more properly accounting and cross-referencing the individual private costs of participants and this work has probably reached the point whereby a meaningful target could be established by the Federal reserve in consultation.
We recommend “The Social and Private Costs of Retail Payment Instruments — A European Perspective” by Heiko Schmiedel, Gergana Kostova and Wiebe Ruttenberg (European Central Bank Occasional Paper Series no.137) as a useful input. We hope our comments on this paper may prove useful.
Suppose it were to be determined that the total social cost of the payment system is in the region of 1% then a ten-year target to cut this in half could serve as an aggressive focus for strategy and give immediate direction to tactics, including the creation of national, ubiquitous near-real time payment system. For the sake of brevity and wit, we propose to refer to such as a system as the UR (US Real-time) system.
We think the Federal Reserve should initiate a conversation about balancing the payment system to fulfil wider social goals and recognising that the payment system is not a stand-alone “machine”. It might be relevant to begin discussions with taxation, welfare and law enforcement representatives to examine the potential for reducing cash-based transactions and reducing the amount of cash in circulation, particularly the high-value notes that fuel crime.
We feel that the role of the Federal Reserve as catalyst will be central to the changes and improvements needed over the coming decade.
We would disentangle the issues brought together under the discussion of ubiquitous near real-time payments into three areas where the Federal Reserve might support the industry in making significant and lasting improvements to the payment infrastructure.
The first issue is that of UR itself, the institutions that it might interconnect and the nature of the accounts that it would access.
The second issue is that of the identification, labelling and addressing of the accounts that would be reachable through UR. While we understand the natural focus on the mobile phone number as a suitable labelling system, we would like to take this opportunity to point out that mobile phone numbers are not exactly analogous bank account numbers. We commented on this in the UK in response to the report from the Independent Commission on Banking in 2011 and we think that short diversion into this topic might provide useful support to later arguments!
A phone number is an indirect reference to the phone (actually, it’s a reference to the SIM card in most of the world) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When a consumer switches on their phone, the SIM tells the mobile operator which phone it is in and then “registers” with a network. In most countries there is an “All Call Query” or ACQ system: a database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated.
It’s entirely possible to envisage a similar system working for UR, whereby we separate the equivalent of the mobile phone number — let’s call it the Transaction Account Number (TAN) — from the underlying account and have an industy database that maps TANs to (for banks) IBANs. This database would be the equivalent of the ACQ database. An employer might send a salary payment via UR to the TAN, and the database tells UR which actual IBAN to route it to. No matter which bank accounts the consumer might use or change throughout their employment, the employer always sends the salary to the same TAN and thus reduces their costs. We assume that a consumer might log on, or call, at anytime to change their TAN to any target account and that this change would be almost immediate.
The third issue is that if there is to be a generalised identification system for payments, some kind of “payment name” might be more convenient for consumers than either some form of virtual IBAN or a TAN. The equivalent of a Twitter name or Facebook name might make sense. We suggest that the Federal Reserve initiate work to look at the introduction of a payment name, perhaps better labelled a “financial services identifier” (FSI), that could be bound with appropriate credentials — post customer due diligence (CDD) — to form a secure financial services passport which could then be used to effect considerable cost reductions in the financial services industry as a whole and shift more transactions online. Again our comments on this in connection with the UK’s Current Account Switching Service (CASS) are online.
As an aside, we think that the easiest way to do this would be to assign an FSI to a person or other legal entity the first time that they go through a CDD process. One someone has one of these FSIs, then there would be no for them to go through CDD again at other institutions. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. It doesn’t matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a CDD process. Consumers might want to have personal financial persona and a small business financial persona that point to a personal and to a business accounts and use them for different purposes.
Once again we think that the issue of the addressing of the counterparty accounts should be decoupled from the issue of system functionality. A single credit push model is sufficient to provide all of the functionality required by the stakeholders and we agree that the confirmation of good funds on initiation and near real-time availability of those funds to the payee are the key features. We will make some further comments about the architecture of the system based on the U.K.’s experiences with the faster payments service (FPS) in response to question 14 below.
There are several reasons why we think that the creation of a separate system is a better solution than building on the existing a ACH or debit card infrastructure. The most important of these is that we for see the need to interconnect a wider range of transaction accounts than the existing accounts held by banks. There is no obvious reason why someone should not be able to use the system to send money from their checking account to their iTunes account, for example.
As the Federal Reserve observes, many legacy payment systems demand accounts that are “cumbersome to establish”. We agree, and suggest that the Financial Action Task Force (FATF) recommendations concerning risk-based regulation of new payment technologies are entirely appropriate. Therefore, the high-level requirement for the new system is for the general interconnection of transaction accounts that may be held by non-bank organisations with minimal CDD for low-value accounts.
In response to the final sub-question concerning payment scenarios we would like to add the observation that our specific experiences gained working on the M-PESA scheme in Kenya (where we were the consultants responsible for the initial feasibility study and the specification of the initial scheme) is that creating a system with open, transparent and non-discriminatory access is a more crucial step towards meeting any strategic goals that might be defined for this important piece of national infrastructure than attempts to optimise elements of the infrastructure for specific payment scenarios. Therefore whether the scheme is more likely to be used for (for example) B2B or P2P scenarios should not shift the design to make it less than optimal for other solutions. Indeed, one of the key lessons learned from the early deployment of M-PESA was that the addition of open APIs would have accelerated the creativity and innovation that has come to characterise the use of the scheme because the market, rather than the system designers, is most effective at identifying and exploiting efficiencies.
We do not see any benefit to diverting resources into incremental improvements in the check payment system. The use of checks in the United States has a cultural context that even the Federal Reserve’s own studies have been unable to understand in rational calculation. Check usage seems to be driven by habit more than it is driven by concerns around float, the commonly-given reason.
It is very clear that any system for real-time or near real-time transfers carries with it increased vulnerability to fraud. In the case of a national, ubiquitous system of the kind envisaged by the Federal Reserve, we feel that the most effective route to minimise the exploitation of these vulnerabilities is by strengthening the identification and authentication of counterparties. To put it glibly, identity is the new money. This is why the creation of some kind of financial services passport, as we discussed in response to question four, might be so beneficial because it would optimise countermeasure expenditure for the stakeholders overall. While previous efforts at strong authentication, including two factor authentication (2FA) for bank account access, have had issues with consumer acceptability, privacy and security, costs and benefits, we feel that the obvious fact that the mobile phone will become the most common authentication device for this kind of service means that the Federal Reserve can raise the bar on identification and authentication without undermining consumer interfaces.
We note that there are issues around consume protection that will need to be investigated further depending on the nature of the system. If, for example, transactions are immediate and irreversible then consumers will need clear mechanisms for challenging apparently incorrect transfer and for rectifying errors made in good faith.
The existence of an UR system would obviously revolutionise the specific mobile payment subsector of mobile-initiated account-to-account (M-A2A) transfers. The extent to which this particular subsector would come to substitute for other payments and mobile payments systems can only be a matter of speculation at this point. We do, however, think that a scenario with a degree of plausibility is that M-A2A transfer will increase in popularity for interpersonal payments in the first instance and will then begin to substitute for certain third party payment mechanisms that are currently used to compensate for the non-existent near real-time system at present as well as for other mechanisms such as cheques in the small business environment.
The opportunity cost of not implementing a near real-time payment service in the United States might be expected to be high unless there are compensating regulatory changes to make it easier for similar services to be developed and implemented by nonblanks. The straightforward comparison of the total social cost of payments in the US and, for example, the UK does not give a full account of the opportunity costs because innovation that is currently being directed into overcoming the limitations of what has rather amusingly been termed the “disco-era” payments infrastructure would, one might imagine, instead be directed into other areas of endeavour.
The estimated costs of implementing such systems for the US could be estimated by scaling the solutions chosen for the UK and Australia, but we think that a realistic estimate must take into account not only the sheer volume of interconnecting financial institutions in the US but the disparity in requirements between different categories of institution. This would suggest that some industry structures will need to be created to keep the expenditure realistic. It might be, to pick an obvious example, that a single gateway into the credit union system might be more cost-effective than the need for new systems at every credit union.
Given that the architecture of a target system depends on the ongoing input to this consultation process is difficult to make any comments on the impact on existing core processing and back-end systems. It might be useful to observe, however, that in the evolution of the Single European Payment Area (SEPA) most banks and commercial organisations found it effective to implement gateways for interconnectivity rather than to interrupt their normal cycles of core system review and replace them and we imagine that a similar process might evolve in the US.
If some kind of if some kind of semipermanent pseudonym (whether a TAN or a payment name) is to be used instead of account numbers, a development that we regard as both inevitable and desirable, then it is clear that a directory will be necessary. Whether this directory should be centralised or distributed is a matter for appropriate technical consideration downstream and is not, as far as we can see, either a complicated or uncertain element of the overall system. Techniques for managing large-scale distributed directories are well-known and well understood.
We think that the appropriate industry direction with respect to checks is to develop solutions that make electronic payments “better” than paper ones. Since there are a great many ways that this could be done (the use of APIs, the integration of remittance data, speed and cost, and others) we do not see any need to make separate plans to accelerate replacement of checks other than as part of an overall national payments plan to reach the desired level of total social costs as already discussed.
We agree that a barrier to electronic payments in some sectors has been the inability to link payment and remittance (and other) information. It seems likely therefore that a coordinating role for the Federal Reserve in other aspects of a near real-time payment system would extend to working with other industry bodies to integrate other appropriate initiatives in adjacent sectors. There is experience to draw on from the European initiatives in this area as well as from other industries and an early engagement with interested parties would be greatly beneficial.
With respect to the specific issues around the adoption of recurring payments – through both the ACH debit mechanisms and continuous authorities on card payments – we regard these as “hacks” developed to bypass inadequacies in the existing payment infrastructure and we see no need to replicate such functionality in a future system.
To give a simple example: the consumer gets a message on their smart phone indicating that the utility bill has fallen due and giving the amount, the consumer can either select more information and examine the bill in more detail or simply authorise the payment at which point a credit push settles the bill. This gives the consumer full control over the payment and means there is no need for direct debits or continuous authorities thus considerably reducing the cost and complexity of the structure.
We think the adoption of the XML-based ISO 20022 format is a sensible step for the United States. We think it is reasonable to comment on the UK Faster Payments Service (FPS) that with the wisdom of hindsight it might have been better to have implemented this standard in the infrastructure rather than staying with legacy standards. The inability of FPS messages to carry other than minimal remittance data does hamper the evolution of the service.
As a general point, we feel that the regulatory environment will have more of an impact on the shape of cross-border services than any constraints of technology. There will be no technical issue in creating, once again to give an obvious example, a gateway between the UK FPS and a US near real-time service assuming that the directory standards allow for cross-border addressing.
While not specifically on issue of cross-border payments, we feel that the European Commission’s approach to the regulation of payments, and specifically the separation of payments regulation from banking regulation, provides a useful example for the Federal Reserve and other stakeholders to consider. We might also add at this point that the European Commission’s current consultation on licensed third-party direct access to transaction accounts (the so-called “XS2A” consultation) might also result in some useful input to a design process in the US. Without jumping ahead to technical solutions, it is entirely reasonable to imagine that the system that allowed such third-parties circumscribed access to transaction accounts under consumer control could add substantial functionality to the infrastructure and mean significant cost savings across the stakeholders. Much as a consumer might give Facebook permission to access their Twitter account, they might give Verizon permission to access their bank account (directly, that is, so that Verizon could initiate credit push transactions that fell within certain limits).
The US has no equivalent of the Payment Services Directive (PSD) and therefore no equivalent of the Electronic Money Institution (ELMI) or Payment Institution (PI), so that innovators in payments must either operate under banking licences or state money services licences. As the Federal Reserve is undoubtedly aware, approximately half of the PI licences issued in Europe are for money transmitters (who thus have no need to obtain licences in individual countries), approximately a quarter are card acquirers who want direct access to cards schemes and the remaining quarter are new “niche” PIs. In Europe, essentially, the regulators have begun to separate to regulation of payments and electronic money from the regulation of banking. This is in marked contrast with the current US framework and there seems little pressure for change and the banks want payments to continue to be limited to regulated banking institutions. We feel this is possibly too narrow a view that underestimates the potential benefits to banks from a more efficient infrastructure (since payments are, of course, a substantial cost to banks as well as source of income).
One avenue to explore might be to recognise EU-registered PIs and ELMIs and allow them to passport to the US or for the US to create equivalent legal categories.
We have already dealt with the issues around device authentication and the authentication of counterparties, so these do not need amplification. The security of the infrastructure will of course be a matter for the specification of that infrastructure and based on our experiences carrying out detailed risk analysis for scale transactional systems we see no reason why an appropriate level of exposure and countermeasure expenditure could not be identified to the satisfaction of the stakeholders. In short, we do not see security as a barrier to deployment.
Centralised clearing of threat and incident reports would indeed be a useful adjacency. The extent to which third parties might be allowed to monitor, control or block certain transactions is a matter for serious discussion and debate that is well outside the scope of this consultation. We do feel it would be irresponsible not to integrate the legitimate requirements of law enforcement and consumer protection agencies into the operation of the system, but we recognise that this must take place inside a more open debate and transparent multi-party settlement around privacy.
It is not clear to us that any specific new standards are required in this area provided that the minimum standards set for the identification and authentication of counterparties are of a reasonable degree. We do not think it makes sense to develop specific standards either for the payments industry or for the financial sector as a whole, and thinking much wiser to integrate the requirements of the financial sector into wide initiatives such as the US National Strategy for Trusted Identities in Cyberspace (NSTIC), the FIDO Alliance and the Open Identity Exchange (OIX) to name but a few.
As is clear from our response to question 19 we feel that the Federal Reserve might be best placed to coordinate requirements relating to a new near real-time payment system with other financial sector requirements and work with the variety of organisations developing the wider identity management and authentication solutions throughout business, government and academia. It is a more cost-effective route for the payments industry to use the standards than to develop specific standards (such as the “Europay, MasterCard and Visa”, or “EMV”, standard for payment cards).
We think there is work to be done in understanding the national context to improvements in the payment system since there are clearly US specific cultural factors at work. These are manifest in many areas of US exceptionalism, including the continued use of low-value banknotes instead of coins, the continued use of extremely low-value coins, the persistent use of cheques even when that use delivers no rational benefit to counterparties, the fragmented infrastructure and the relatively high cost of payments. It might be useful for the Federal Reserve to continue its good work in researching some of these “softer” factors as they might help shape the near real-time system to make it even more desirable and useful.
We have recently been involved in work for both private and public sector clients looking at the relationship between financial and social inclusion and we certainly feel that the extension of real-time payments beyond regulated bank accounts (particularly to low value non-bank transaction accounts) might be of national benefit. We have also been involved in a project for UK government agencies looking at the delivery of financial services, including welfare benefit payments, to excluded groups. This has alerted us to the benefits of interconnecting a wide range of different accounts so that some institutions can develop specialities in helping, for example, the elderly or the housebound or people with varying degrees of disability. Specialised institutions built around transaction accounts in these areas might deliver better and more effective services than conventional banks and so these kinds of accounts need to be factored into the Federal reserve’s plans. We note that this would also be beneficial to the banks operating conventional accounts since many of these customers are money-losing propositions.
The innovation and creativity that we associate with the US technology sector will undoubtably, given the right regulatory environment, exploit the existence of a ubiquitous near real-time payment system to deliver incredible products and services that we cannot currently envisage. For this reason we are wholly behind the creation of such a system and believe that it will bring sustained benefits to our clients in the payments sector and beyond.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers