UK Finance is the wrong idea

Payments used to be a banking business. Now it is not, and the interests of the banks and the payments industry are no longer wholly coincident. The banks don’t own Visa and MasterCard any more, kids using Venmo neither know nor care whether it is a bank or not and there are plenty of non-bank players out there who want to have (and are going to get) access to the payments infrastructure. It seems to me that regulatory frameworks such as PSD2 cut across institutional boundaries: they are not “bank things” and they need a response from a wider constituency. The general thrust of regulation is to separate payments from banking further — separating the systemically risky from the systemically non-risky — and to drive competition in the provision of payment services. I’m sure we all agree that this is a good thing.

Back in 1999, the Federal Reserve Bank of New York Economic Policy Review said that “Economic theory on the operations of commercial banks cannot, by itself, explain why they provide payment services on such a large scale”. Quite.

From Separation, not divorce | Consult Hyperion

I wrote that a decade ago, drawing on work from a decade before. This is hardly a radical or futuristic position. The provision of payment services and the provision of banking services are different ecological niches in the modern economy and they need to be filled by different and better-adapted organisms.  This, it seems to me, further implies that there should be different consumer organisations, trade bodies and lobby groups in each of these niches as well. It would be a logical, sound and practical structure for the UK (for example) to have some kind of an Association for Payment Institutions (UKAPI) and some kind of an Association for Credit Institutions (UKACI). Well… that’s not what is happening. Since the start of this month, the UK has had a new trade association for the financial services industry. It’s called “UK Finance”.

Stephen Jones has been appointed as the chief executive of the new banking group, which will merge the British Bankers’ Association, Council of Mortgage Lenders, Payments UK, Asset Based Finance Association, UK Cards Association and Financial Fraud Action UK.

From Stephen Jones named as UK Finance CEO | ICAEW Economia

Just as a recap, the old trade associations were:

  • The British Bankers’ Association which had 200 member banks that operate in 180 jurisdictions worldwide and whose activities span both retail and wholesale banking and capital markets;

  • The Council of Mortgage Lenders which represented 133 UK mortgage lenders accounting for almost all of the UK’s residential lending;

  • Payments UK which represented the U.K.’s payment industry;

  • UK Cards Association which had 32 members who accounted for the vast majority of cards issued in the UK;

  • The Asset Based Finance Association which represented around 95% of the companies from the UK and Ireland providing factoring, invoice discounting and asset-based lending (which will join in a second phase).

So what was the rationale for this daft rearrangement that will inevitably have to be reversed within a few years? Well, as I understand it from talking to a variety of different people in the industry, first of all there was duplication of effort in the different trade bodies and hence money wasted, and secondly it was thought that a unified trade association might have more influence.

As to the first point, I’m sure that this was true, so some kind of merger or rearrangement made sense (but not this one).

As to the second, I have my doubts and while reading through Statutory Instrument 2017 no. 752 (the transcription of the Second Payment Services Directive into UK law), those doubts crystallised. This is because of the new organisations that will come into the space as PSPs of one form or another and will not only be allowed access to bank accounts via open banking APIs but will further be allowed access to the payments infrastructure. I expect to see an interesting variety of plays in this space. I suggest you take a look at the excellent Emerging Payments Association report from that year which argued that, under the appropriate licence conditions, non-banks should be allowed access to instant payments infrastructure through the use of a new kind of limited pre-funded settlement account at the Bank of England. This is now happening.

The Bank of England is announcing today that a new generation of non-bank payment service providers is now eligible to apply for a settlement account in the Bank’s RTGS system.

From Bank of England extends direct access to RTGS accounts to non-bank payment service providers | Bank of England

The Bank’s decision will open up competition in an area previously the preserve of the main banks. It will give non-bank PSPs direct access to full and final settlement in central bank money through systems including Faster Payments, BACS, CHAPS and the (under construction) digital cheque imaging system. This must, and will, lead to a shake up in the payments sector as the new players (with new business models) come into the space. Just to pick one obvious example: suppose Amazon bring Amazon Reload to the UK, but with direct access to settlement so that you can send money between bank accounts and your Amazon Prime account? That could make Amazon Pay a lot of fun. But why would it be represented through the same trade association as the people who give you mortgages? How are their interests coincident? Further, there are important benefits that come from having more specialised trade associations [see Patel, K. “Trading places”. Financial World. London (2016)]. One of the main functions of these associations is to scrutinise new rules and regulations (the nutty ban on credit card surcharging, to give a current example) and such bodies have a closer connection to and deeper understanding of the markets they represent. Now that there is going to be a New Payment Architecture (NPA) in the UK, there should be a New Payment Trade Association to go with it.

The consolidation of the three main UK retail Payment System Operators: Bacs Payment Schemes Limited (BPSL), Cheque and Credit Clearing Company Limited (C&CCCL) and Faster Payments Scheme Limited (FPSL). A PSO Delivery Group (PSO DG) was established by the Bank of England (BoE) and the Payment Systems Regulator (PSR) to plan the consolidation of the three PSOs into a single entity – the New Payment System Operator (NPSO).

There are a lot of great people at UK Finance but they have been put into a decidedly suboptimal structure, especially at a time when that just-released new national payments strategy in the UK is going to bring together the payment rails under the single body. In my opinion, there is no logic to the jumbling together of payments and other banking activities in a single trade association. I give it a couple of years tops before the non-bank complaints result in a new payments industry trade association. I suggest we call it the Association of Payment and Cashless Services (APACS) and we can invite the by-then former Prime Minister to be the Honorary Chair. She can use her old business cards.

AMLD4.1, AMLD5 or 5AMLD?

I recently came across a statistic that surprised me.

Approximately 50% of new bank accounts are opened by customers that have recently arrived in the UK to work or study.

http://www.openidentityexchange.org/wp-content/uploads/2016/10/Digital-Identity-Across-Borders-FINAL-Feb2016-2.pdf

I had wrongly assumed that the majority of new bank accounts openings in the UK would be from students just about to go off to University, like my son, and that migration whilst high (as the media keeps telling us) would still be a minority. But based on some back-of-the-envelope calculations it appears that the 50% number is about right.

As the OIX report above points out, these new arrivals in the UK are very difficult to perform KYC (“Know Your Customer”) on due to the lack of data. They have no history in the UK. This is exactly where eIDAS should be able to step in. For example, a person arriving from France should be able to use their French government-issued eID as one piece of evidence to help meet KYC requirements. The proposed new AML legislation – the amendment to the fourth AML directive – which I have seen referred to as AMLD4.1, AMLD5 and 5AMLD, explicitly calls out eIDAS as a potential solution.

There are however some issues with this:

Firstly, to become part of the eIDAS scheme, governments have to “notify” their eIDs into the scheme. To date only Germany has done so.

Secondly, eIDAS provides a switching infrastructure that makes all eIDs interoperable but initially this will only be available to the public sector. If a private sector organisation, such as a bank, wishes to leverage an eID it will need to find another way to access or read it.

Thirdly, the mobile channel is becoming increasingly important with banks needing to be able to onboard customers directly in that channel, as well as performing identification and verification of existing customers when provisioning a mobile app. Several of the existing eIDs are smart-card based. These will only be readable by phones if the cards themselves are contactless (which many of them are). They will not however be readable on iPhones, even with the limited opening up of the NFC interface expected in iOS11.

There is clearly therefore a need for some alternative mobile based technology. Fortunately such technology exists in the form of mobile document and selfie capture and verification. One of the vendors in this space, Mitek, kindly commissioned Consult Hyperion to write a paper on this very topic which I had the privilege of presenting at Money2020 last week. You can download the paper here:

Bitcoin and banks

My old friend Alistair Milne has just published a very interesting paper on Cryptocurrencies from an Austrian Perspective (SSRN, 12th April 2017) in which he explores the use of new technology to reimplement money by taking away money creation from commercial banks and proposes 

using [cryptocurrency] to move both bank money and money-financed bank loans off balance sheet onto a single shared cryptocurrency ledger, together with government issued fiat money. This stops bank failures disrupting money and payments and hence helps achieve monetary outcomes desired by the Austrian school of economics: reducing excessive state interference in the market for credit (through bank regulation, lender of last resort and bail-out) and discouraging unsustainable money and credit expansions (leading to financial crisis and depression).

From Cryptocurrencies from an Austrian Perspective by Alistair Milne :: SSRN

As part of this interesting proposal, he talks about the “Austrian cryptocurrency myth” that tokens created in the operation of a double permissionless shared ledger could compete with fiat currencies in everyday use and concludes that for reasons relating to both technology and governance they could not. Other people disagree. Bitcoin pioneer Hal Finney (who sadly passed away in 2014) wrote this about Bitcoin back in 2010. (It’s a long quote but I need to include it in full to give context to some later comments.)

“Actually there is a very good reason for Bitcoin-backed banks to exist, issuing their own digital cash currency, redeemable for bitcoins. Bitcoin itself cannot scale to have every single financial transaction in the world be broadcast to everyone and included in the block chain. There needs to be a secondary level of payment systems which is lighter weight and more efficient. Likewise, the time needed for Bitcoin transactions to finalize will be impractical for medium to large value purchases.

Bitcoin backed banks will solve these problems. They can work like banks did before nationalization of currency. Different banks can have different policies, some more aggressive, some more conservative. Some would be fractional reserve while others may be 100% Bitcoin backed. Interest rates may vary. Cash from some banks may trade at a discount to that from others.

George Selgin has worked out the theory of competitive free banking in detail, and he argues that such a system would be stable, inflation resistant and self-regulating.

Bitcoin Bank

In my new book “Before Babylon, Beyond Bitcoin” I explore the “5Cs” who might create digital money in the future: central banks, commercial banks, companies, cryptography and communities. Hal is here talking about the second case, that of what is called “free banking”, and is right to point to George Selgin as a leading scholar in this field (here’s a podcast I recorded with George a few years ago) and his books are a must-read if you are serious about money. (You should probably also read Lawrence White’s Free banking in Scotland before 1844 to understand the relationship between competition and innovation under such circumstances.) Hal went on to talk further about this Hayekian scenario with cryptocurrency replacing gold or central bank balances for settlement.

I believe this will be the ultimate fate of Bitcoin, to be the ‘high-powered money’ that serves as a reserve currency for banks that issue their own digital cash. Most Bitcoin transactions will occur between banks, to settle net transfers. Bitcoin transactions by private individuals will be as rare as… well, as Bitcoin based purchases are today.”

Bitcoin Bank

Hal Finney was a much smarter guy than I am so I feel rather sheepish about disagreeing with him on this point. It is entirely possible that cryptocurrency will come to exist as a settlement money that connects other different monies (although my suspicion is that these will be community-based more than simply bank-based). But is this a role for Bitcoin? This kind of settlement role for blockchain technology is mentioned in BBVA Research’s recent paper on central bank digital currencies (Central Bank Digital Currencies, Gouveia et al, March 2017) which concludes that the most likely near-term use of “digital fiat” is precisely for such inter-bank payments, saying that

The most likely option in the short term is the use of blockchain technology only for wholesale payment systems. Under this scheme the CBDC would be held by banks and other participants in wholesale payment systems (but not by the general public), identified (as opposed to anonymous) and non-interest bearing. This scenario would increase the efficiency of wholesale payment systems, and has few drawbacks for the public at large or for policy makers, although banks could be hit due to higher competition with non-bank payment institutions.

While the BBVA report talks in general about central bank digital currency, it refers repeatedly to distributed ledger technology as the mechanism for managing this currency. Note that in the summary above, however, it refers specifically to “blockchain technology”. I would have thought this the least-likely form of distributed ledger to implement such a system. The main reason for using a blockchain is that it is resistant to attacks from untrusted actors who are part of the consensus-forming network. But if the central bank is going to, for example, use commercial banks as the nodes in the consensus-forming network then surely these must be trusted actors? If a rogue bank starts introducing bogus transactions, the central bank has a lot more to worry about than maintaining retail balances. But that’s by the by.

If BBVA are correct, and the future involves an inter-bank “high powered” digital fiat, then was Hal right to think that this would be Bitcoin? Here I agree with Alistair. It is not clear to me at all, even if we do get past the issues with mining centralisation, segregated witness, lightning networks and hard forks, that Bitcoin (or Bitcoin-like) blockchain-based cryptocurrencies are the way to do it but I’m open to informed debate on this point. And I imagine I’ll get it at the 20th annual Consult Hyperion “Tomorrow’s Transactions” Forum in London on April 26th and 27th. Thanks to the generous support of our Platinum sponsors Vocalink and Worldpay, our Gold sponsor Paysafe and our Silver sponsor CMS (and with the help of our superb communication partner ccgroup) we will be continuing our tradition of information discussion, expert comment and honest debate with a variety of leading-edge perspectives on topics ranging from W3C web payments and KYC in developing markets to zero-knowledge proofs and PSD2. And, thanks to those sponsors once again, the closing keynote on the first day will be Professor Lisa Servon from the University of Pennsylvania, a leading thinker on financial inclusion and the author of “The Unbanking of America”.

You’d be mad to miss it, so head on over here and grab yourself one of the few remaining delegate places. See you first on 26th April for another great Forum.

PSD2 SCA: Risk and Reward?

Everyone is still picking over the new PSD2 RTS on strong customer authentication (SCA) from the EBA but the major talking point is around the introduction of an exemption on risk based transaction analysis. One of the major criticisms of the previous RTS was that it would force up to 70% of online transactions through SCA, introduce friction into the payment process and impact overall economic activity.

The new exemption allows banks to avoid the full friction-filled horror of two factor authentication on payments if they can keep fraud levels below certain designated limits. Note, however, that there’s no equivalent exemption for any of the non-payment use cases, and it’s not clear how edge cases such as e-mandates for direct debits will be treated.

The definition of “fraud” is interesting as well – it’s the total value of unauthorised or fraudulent transactions divided by the total value of all remote transactions over that channel. So potentially you could have a lot of small, fraudulent transactions and still meet the exemption: and the exemption for low value payments has been lifted from €10 to €30, and transit transactions are completely exempt.

The fraud limits are different for card-based payments and credit transfer (or PSD2 push payments, if you’d prefer) and are tiered by transaction value – so the lower the fraud rate the higher the transaction value permitted using risk based transaction analysis. The catch is that if these fraud rates are exceeded for two consecutive quarters then the PSP concerned loses the right to the exemption and needs to fall back to full two factor SCA.

Now that, of course, would be a disaster for the institution concerned – if you’re the only bank that has to make your customers apply SCA for online transactions then you’ll rapidly see them migrating to other banks. So the penalty for losing this exemption is likely to be severe.
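The value-based fraud rate and the two-consecutive-quarters rule described above, worked through as an added example (not taken from the RTS or from this blog). The reference rates, the function names and the three sample quarters are assumptions constructed for illustration; use the figures in the RTS itself for real work.

```python
# Assumed reference fraud rates per channel, highest exemption threshold first:
# (threshold in EUR, maximum fraud rate by value). Illustrative figures only.
REFERENCE_RATES = {
    "card": [(500, 0.0001), (250, 0.0006), (100, 0.0013)],
    "credit_transfer": [(500, 0.00005), (250, 0.0001), (100, 0.00015)],
}


def fraud_rate_by_value(txns):
    """Fraud value / total value, for a list of (amount_in_cents, is_fraud)."""
    total = sum(amount for amount, _ in txns)
    fraud = sum(amount for amount, is_fraud in txns if is_fraud)
    return fraud / total if total else 0.0


def fraud_rate_by_count(txns):
    """Share of transactions that were fraudulent (NOT what the rule measures)."""
    return sum(1 for _, is_fraud in txns if is_fraud) / len(txns) if txns else 0.0


def highest_exempt_amount(channel, rate):
    """Largest transaction value (EUR) the PSP may exempt at this fraud rate."""
    for amount, limit in REFERENCE_RATES[channel]:
        if rate <= limit:
            return amount
    return 0  # above every tier: no risk-based exemption at all


def exemption_timeline(channel, tier_eur, quarters):
    """Per quarter: is the exemption at `tier_eur` still available afterwards?

    It is lost once the rate exceeds the tier's limit in two consecutive
    quarters. How a PSP regains it is outside this sketch.
    """
    limit = dict(REFERENCE_RATES[channel])[tier_eur]
    eligible, streak, timeline = True, 0, []
    for txns in quarters:
        streak = streak + 1 if fraud_rate_by_value(txns) > limit else 0
        if streak >= 2:
            eligible = False
        timeline.append(eligible)
    return timeline


# Constructed sample data: 10,000 legitimate EUR 80 payments per quarter.
LEGIT = [(8_000, False)] * 10_000
Q1 = LEGIT + [(500, True)] * 50      # fifty EUR 5 frauds: many, but tiny
Q2 = LEGIT + [(90_000, True)] * 2    # two EUR 900 frauds: few, but large
Q3 = LEGIT + [(90_000, True)] * 3

if __name__ == "__main__":
    for name, q in (("Q1", Q1), ("Q2", Q2), ("Q3", Q3)):
        rate = fraud_rate_by_value(q)
        print(name, f"by value {rate:.4%}", f"by count {fraud_rate_by_count(q):.4%}",
              "max exempt EUR", highest_exempt_amount("card", rate))
    print(exemption_timeline("card", 100, [Q1, Q2, Q3]))
```

In the constructed Q1, roughly one transaction in 200 is fraudulent yet the value-based rate stays inside the assumed EUR 250 card tier, while the two large frauds in Q2 breach every tier.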

The EBA has helpfully supplied a minimum list of things that PSPs have to do in order to meet the requirements for risk based transaction analysis (I quote from the RTS):

  • no abnormal spending or behavioural pattern of the payer has been identified;
  • no unusual information about the payer’s device/software access has been identified;
  • no malware infection in any session of the authentication procedure has been identified;
  • no known fraud scenario in the provision of payment services has been identified;
  • the location of the payer is not abnormal;
  • the location of the payee is not identified as high risk.

No doubt risk teams are currently looking at their current solutions and trying to figure out whether they’re compliant or not.  Which we’re quite pleased about, as this type of analysis is a core part of our business.

And all of this will need to be audited, which will be a nice new earnings stream for audit firms. Quite how the compliance regime for this will work will no doubt emerge over the next eighteen months or so.

There are lots of other interesting features in the new RTS. It’s clarified, for instance, that SCA can be performed by either the payer’s PSP or the payee’s PSP but not by the merchant. So presumably large on-line retailers will be gearing up to become PSPs themselves. Also PSD2 is now only mandatory for transactions that start and finish in the EEA.

Oh, and, apparently, card-on-file transactions are outside of the scope of PSD2. Which is interesting, if a bit head-scratching.

We’ll be analysing this further and updating over the next few weeks.  So either follow us here on Tomorrow’s Transactions or get yourself added to our mailing list.  Or come and join us to discuss PSD2 and other issues in the future of digital transactions at the annual Tomorrow’s Transactions London Conference.

Account-based ticketing workshops

We’ve been having a lot of fun in recent months leading workshops for transport operators about account-based ticketing, sharing our recent experience with clients such as the UK’s Transport for London (TfL) and Transport for the North (TfN), Hungary’s BKK, New Zealand’s NZTTL, Belgium’s De Lijn, Stockholm’s Storstockholms Lokaltrafik (SL) and Singapore’s LTA.

The workshops are designed to help transport operators who are new to account-based ticketing understand the issues and options, including how Open-Loop bank cards can be blended with existing smart ticketing. A typical agenda covers the following subjects:

Trends

  • Customer propositions should drive everything
  • Smart ticketing trends
  • Technology roadmap
  • Benefits of ABT and Open-Loop

Architecture

  • Basic architecture overview
  • Generic architecture
  • Open loop vs closed loop (the back office)
  • Providing for the unbanked

Open-Loop solutions

  • Open loop implementations in other countries
  • The 4-party model for payments
  • Transit Transaction Models (’Models 1-3’)
  • Transit Charging Framework (generic, global)

Compliance

  • EMV
  • PCI DSS
  • Working with a QSA

Our latest workshop was sponsored by Mastercard and hosted by Swedbank in Riga, Latvia, and had an audience of 40 including:

  • Transport operators
  • Government bodies
  • Industry suppliers
  • Media

We are looking forward to leading more similar workshops in 2017 across Europe.

Riga view from workshop at 9am.
Riga workshop sponsored by Mastercard and hosted by Swedbank.
Discussing a 'strawman' solution for Riga's needs.

Central bank digital currency, again

I had a really enjoyable time chairing the “futures” panel in the closing plenary of Intergraf’s Security Printers 2016 in Seville. This is a conference for the people who (amongst other things) print banknotes so I had a fun time behind enemy lines learning about paper, ink, substrates, polymers, foils and special machines that print serial numbers.


One of the topics that came up on the panel was the role of central banks as currency issuers. I think this is a pretty interesting topic because it may be that the switch from physical to digital currency will change the way that the medium of exchange is managed. As Marilyne Tolle from the Bank of England noted on their “Bank Underground” blog recently, one might imagine a central bank-issued electronic money that she labels “CBCoin”:

If households and firms were given access to CBcoin accounts at the CB, banks’ dominant role as providers of payment services would be called into question.

From Central bank digital currency: the end of monetary policy as we know it? | Bank Underground

Indeed it would. Note also that Marilyne is clearly describing a digital currency not a cryptocurrency, but that’s by the by. Right now, money reaches the public through commercial banks, a practical structure that stems from the banks’ role in providing payment services. In response to Marilyne’s hypothetical example, I might observe that not only is there no fundamental economic reason why banks should be the dominant providers of payment services, there is no fundamental economic reason why they provide them at all — see, for example, Radecki, L., Banks’ Payments-Driven Revenues in “Federal Reserve Bank of New York Economic Policy Review”, no.62, p.53-70 (Jul. 1999) — and there are many very good reasons for separating the crucial economic function of running a payment system to support a modern economy and other banking functions that may involve systemic risk. Marilyne goes on to note

The conflation of broad and base money, and the separation of credit and money, would allow the CB to control the money supply directly and independently of credit creation

From Central bank digital currency: the end of monetary policy as we know it? | Bank Underground

As far as I can tell, this would be a good thing. But we must recognise the impact that it will have on commercial banks. According to the management consultancy McKinsey (2016), global payment revenues are around $1.7 trillion (and will be $2 trillion by 2020) and these account for around 40% of global bank revenues! So if payments go away, banks are going to have to think of something else to do instead.

I have a suggestion (you know what’s coming, don’t you) and I think it’s a practical one. The Security Printers panel was actually called “the future of banknotes and identity” which I think shows us the way forward… If you can move money from anyone to anyone else, instantly and for free with final settlement in central bank money, and this is provided as a utility service provided by the central bank, then the fraudsters who are plaguing the Faster Payments Service (FPS) in the UK will have a field day.  Perhaps, then, the role for the central bank is to issue the digital currency and run the digital currency payment platform that will (in a fairly short time I would think) replace commercial bank (and all other) payment services. Not so much CBCoin as CBPesa, since it would manage balances not coins. 

However, the central bank doesn’t want to do KYC on millions of people, run mass-market authentication services, perform AML checks, manage black lists and run interfaces with law enforcement and so on. Just like Bitcoin, the central bank accounts would be pseudonymous. The central bank would know that account no. 123456789 belongs to a retail consumer, but not which consumer. It would know that account no. 987654321 belongs to a retailer, but not which retailer. This way the central bank could generate a dashboard of economic activity for the Chancellor to look at when he wakes up, but not routinely monitor what you or I are up to.

It would be the commercial banks that provide the services linking the pseudonymous accounts to the “real” world (and get paid for them). Then your Sterling bank account will just be a pass-through API to a central bank digital currency account (what Marilyne calls the “CBCoin Account”) because my Barclays current account and your Lloyds current account are just skins on the Bank of England UK-PESA platform and the commercial banks can chuck away their legacy payment systems and focus on delivering services that add real value.


Commercial banks will then have an important function as the vaults that look after identity, not money. As I told the panel in Seville, money and identity look like very different topics, but in reality they are the same.

Mutable and immutable blockchains

Now we all know what the bitcoin blockchain is, don’t we? It’s just one particular version of the general class of blockchains, which share the characteristics that data is stored in blocks and because of some cryptographic jiggery-pokery the blocks are chained together, so that you can’t go back and change the contents of a block without having to then change the contents of every subsequent block. And depending on the consensus protocol that is used, you can’t change the blocks without everyone else agreeing to let you do it. Thus it is, as my colleague Salome Parulava describes it, “mutable by consensus”.

Whereas auditing at present entails the confirmation of transactions and balances on a company’s accounting ledger at the end of the period, a transaction on the blockchain would provide a permanent and immutable record of the transaction almost immediately.

From Blockchain and the Auditing Revolution – Real Time Audit within the Capabilities of Blockchain | Fintech Schweiz Digital Finance News – FintechNewsCH

The reason that this kind of structure is called immutable, even though it is mutable by consensus, is that it is computationally infeasible to go back post-consensus and make a change. Even if you obtain consensus and co-ordinate more than half of the “hashing power” in the case of bitcoin, and could in theory go back to the very first block, change it to send the bitcoins in it to yourself, and then go forward rewriting all of the subsequent blocks, it would take years and years of massive computing power. Someone could, in theory, treat all of the bitcoin transactions from the last checkpoint up until now as the wrong side of a fork. (For all we know, secret mining pools are As my good friend Gideon Greenspan pointed out to me, just because you could see that corrupt agents were rewriting history in this way it doesn’t mean that you could stop them. But it’s not a realistic attack. We can live with the description “immutable” to mean “theoretically mutable but not mutable under any practical circumstances that we can envisage”.

If you had a different kind of blockchain, however, you could design it to work in a different way. It could be mutable by consensus, or mutable by a dictator, and it could be mutable in a computationally feasible way. This is what some researchers in the US and Italy have put forward in a paper called “Redactable Blockchain, or Rewriting History in Bitcoin and Friends” (5th August 2016). Giuseppe Ateniese, Bernardo Magri, Daniele Venturi and Ewerton Andrade say:

We put forward a new framework that makes it possible to re-write and/or compress the content of any number of blocks in decentralized services exploiting the blockchain technology. As we argue, there are several reasons to prefer an editable blockchain, spanning from the necessity to remove improper content and the possibility to support applications requiring re-writable storage, to “the right to be forgotten”.

We don’t need to go into the clever mathematics behind this. Just take forward the idea that you can use that clever mathematics to substitute for massive amounts of computing power that I mentioned above and can rewrite a block without having to go forward and rewrite all subsequent blocks. The well-known and well-respected outsourcing company Accenture has filed a patent on this idea with Professor Ateniese.
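For readers who do want a taste of the mathematics, here is an added illustration (not code from the paper, from Accenture or from this blog). The paper builds on chameleon hashes; this sketch swaps in the plain textbook discrete-log chameleon hash with toy-sized parameters to show the effect described above: editing a block breaks the chain for anyone without the trapdoor key, while the key holder can rewrite it and leave every later block and the chain head untouched. All function names are hypothetical.

```python
import hashlib
import secrets


def _is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; good enough for picking demo parameters."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_group(start=1 << 127):
    """Find a safe prime p = 2q + 1; g = 4 then has prime order q mod p."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = _toy_group()             # assumption: toy size, far too small for real use
CH_BYTES = (P.bit_length() + 7) // 8


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    trapdoor = secrets.randbelow(Q - 1) + 1
    return trapdoor, pow(G, trapdoor, P)          # (secret trapdoor, public key)


def chameleon_hash(pk, data: bytes, r: int) -> int:
    return pow(G, digest(data), P) * pow(pk, r, P) % P


def find_collision(trapdoor, old: bytes, r: int, new: bytes) -> int:
    """Solve m + x*r = m' + x*r' (mod q) for r': same hash, different data."""
    return (r + (digest(old) - digest(new)) * pow(trapdoor, -1, Q)) % Q


def block_id(pk, block) -> str:
    """Ordinary SHA-256 link over the previous id and the block's chameleon hash."""
    ch = chameleon_hash(pk, block["data"], block["r"])
    return hashlib.sha256(bytes.fromhex(block["prev"]) + ch.to_bytes(CH_BYTES, "big")).hexdigest()


def build_chain(pk, entries):
    chain, prev = [], "00" * 32
    for data in entries:
        block = {"prev": prev, "data": data, "r": secrets.randbelow(Q)}
        chain.append(block)
        prev = block_id(pk, block)
    return chain, prev                            # prev is now the chain head


def chain_is_valid(pk, chain, head) -> bool:
    prev = "00" * 32
    for block in chain:
        if block["prev"] != prev:
            return False
        prev = block_id(pk, block)
    return prev == head


def redact(trapdoor, block, new_data: bytes):
    """Rewrite one block with the trapdoor; its id, and so all later links, stay put."""
    r_new = find_collision(trapdoor, block["data"], block["r"], new_data)
    return {"prev": block["prev"], "data": new_data, "r": r_new}
```

A verifier that only checks hashes cannot tell the redacted chain from the original, so the integrity of such a ledger rests on who holds the trapdoor and how its use is logged.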

By allowing a central administrator to amend or delete information stored on a blockchain, the [outsourcing company, Accenture] says that its prototype will make the technology more attractive to the financial services industry.

From Accenture to unveil blockchain editing technique – FT.com

This announcement was met with widespread derision on social media, and I can understand why. One of the key reasons for considering a blockchain to implement certain kinds of financial services is that the state of the blockchain, the shared world view, is locked down at the end of each block. If the shared world view can be changed, it wouldn’t be useful for these services any more. Now, I can see why some people might want an accounting system that works this way (see, for example, the case of Kingfisher Airlines in India) but I wouldn’t have thought that society wants accounting systems that work this way at all. Why would you want a ledger that can be edited either by some group or subgroup of the consensus forming stakeholders or by some central authority? I can think of a few reasons, but none of them make any sense.

The financial services industry needs to face the question of how to balance the appeal of pristine accounting with the demands of the real world, where some things simply need to be struck from the records.

From Downside of Bitcoin: A Ledger That Can’t Be Corrected – The New York Times

Nothing ever needs to be “struck from the records”. If a bank makes a mistake — let’s say it accidentally opens a couple of million bogus accounts — then it can’t just go back and scrub the backup tapes and pretend it never happened. The way to correct a wrong debit is with a correct credit. The Financial Times quotes blockchain entrepreneur and serious player Blythe Masters, the former JPMorgan banker running Digital Asset Holdings, as saying of Accenture’s approach that “we think it is innovative and can strike the right balance between preserving blockchain’s key features and adapting it for real-world requirements within some permissioned systems.” But what are these real-world requirements within some permissioned systems that Ms. Masters is referring to?

I don’t think anyone would use the bitcoin blockchain consensus protocol that was designed for an open, permissionless blockchain (i.e., proof of work) for a closed, permissioned blockchain so you would never need to edit it this way. My reading of the paper, from a not-a-cryptographer perspective, is that it does not deliver against the real-world requirements for permissioned systems in financial markets. The use cases that are set out in the paper are the need to remove child pornography from a public blockchain, the “right to be forgotten” and the need to consolidate records of financial transactions. My feeling is that none of these are real-world requirements.

As for the first use case, this is not something that our clients need consider since none of them are proposing to implement critical national financial infrastructure on a public blockchain with arbitrary content controlled by unaccountable consensus groups. If, for example, a stock exchange were to implement a blockchain settlement system, it would not be of such a type as to allow members of the general public to store child pornography on it (or at least it wouldn’t be if it had people such as Consult Hyperion designing it).

What’s more, if a stock exchange were implemented on an editable blockchain, it would be utterly chaotic since at the execution of any transaction, no-one could be certain about the state of the ledger (since it would be possible for some future intervention to change it). My granny dies and leaves me IBM shares. I sell you my IBM shares. I use the money to buy a car. Then a decade later a court order overturns my granny’s will as it turns out she had a son that we’d never heard of. So we go back and change the blockchain so that the IBM shares belong to him instead of me. So now I didn’t have the money to buy the car. So I have to give the car back. But the car was scrapped… and so on. Interstellar overdrive… then I go back five years later because it turns out he wasn’t her son at all and now I want the blockchain changed to give me my IBM shares…

Richard Lumb, global head of financial services at Accenture, told the Financial Times that financial institutions and regulators would need a means to quickly correct errors on the blockchain before using it in securities markets. He gave the example of a “fat finger” trading error, or a trade assigned to the wrong counterparty.

From Accenture to unveil blockchain editing technique – FT.com

That’s not how you correct errors, by just rubbing out mistakes. These are regulated financial institutions, not the mafia. No-one is going to build a financial services market on top of a mutable blockchain. In one of the comments I saw about this proposal, someone said that it would be OK because the market participants would keep an audit log of the changes and who agreed them. I thought that perhaps such an important log might need to be stored on an immutable ledger. Uh oh, blockchain Inception.

As for the next use case, I am not a lawyer, but I think that the paper misinterprets the so-called “right to be forgotten”. However misguided the European Court’s decision on this might be, it does not demand the rewriting of history. If you publish an article about me that I think contains “old, inaccurate or even just irrelevant data”, and I manage to persuade Google that it should be harder to find, then the article is not deleted. The link to the article is removed from Google search results but the article is still there. Here, for example, is the Daily Telegraph’s full list of stories that have been removed from search results.

Newspapers are not required to go back and tear out articles from their archives, they are exempt (but in Europe, Google opted not to be regulated as a media company so is not exempt). And I’m sure none of us would want to live in a world where politicians could obtain court orders to go back and change the historical record! When it comes to the serious use cases (e.g., revenge porn) it is already impossible to purge the matrix and it won’t make any difference whether they are stored on a blockchain or not (although with a permissioned blockchain you would at least know who had put them there and therefore who to arrest).

The third use case, the consolidation of financial records, is not clear to me at all. Since the invention of double-entry bookkeeping, the whole point of keeping a ledger has been that you have a record of all of the credits and debits that contribute to the current world view. Companies do not delete old transactions every few months to save space. In fact the law requires them to maintain the transaction records for years. Here’s one example: in the UK, the “direct debit guarantee” has no time limit at all, so all records relating to direct debits need to be kept forever. If there is something about this use case that I haven’t understood, I would be genuinely interested to be corrected.

In summary, then. We all appreciate the clever mathematical tricks behind the mutable blockchain, but when it comes to the serious world of banking and financial services, it seems like (in the casual demotic of our unlearned age) a bit of a chocolate teapot.

Me, Vanessa and crossing the streams

The UK’s Competition and Markets Authority (CMA) has published its report on the retail banking market. It says that “the timely development and implementation of an open API banking standard has the greatest potential to transform competition in retail banking markets”. I can’t say that I read all 766 pages, but given that I think that account switching is a waste of time and money, this did strike me as the most important “remedy” (as they call it) in the report.

One of the CMA’s key measures is to make high-street banks adopt a digital standard called “open banking” by 2018.

From Competition watchdog’s high-street banking probe disappoints — FT.com

By 2018? I can hear your jaws hitting the floor from here. That’s 15 months from now, which is a dog decade but a core banking weekend. 2018?? This is correct. I heard the chap from the CMA talk about this on Radio 4. I got to talk about it on Radio 2 because I’m all about the mass market and the man using the Clapham ISP.

Vanessa discusses the Open Banking Programme, witnessing the birth of a sibling, life after the London riots and the man who buried himself underground for three days.

From BBC Radio 2 – Jeremy Vine, Open Banking and London Riots

I was in the first segment, about Open Banking. The second segment, about a celebrity chef’s wife giving birth made me feel sick and so I didn’t listen to the last segment about riots. Anyway, on Radio 4, the head of the CMA was saying (and I’m paraphrasing from memory) that consumers will be able to use a currently non-existent mobile phone app to connect with a currently non-existent interface at their bank according to some currently non-existent standards in order to get recommendations from some currently non-existent big data cloud thingies that will slurp up currently non-existent standard format bank transaction data and analyse it to suggest a more cost-effective current account. By 2018.

I think that in order to understand what might actually happen on the ground in the UK, you need to imagine what will happen at the crossing of three streams.

The first stream is the PSD2 provisions for API access to payment accounts. As you may recall, these include a set of proposals that are due to come into force in 2018. A group of those proposals are what we in the business call “XS2A”, the proposals which force banks to open up the aforementioned APIs to permit the initiation of credit transfers (“push payments”) and account information queries. Even at a pure compliance level these PSD2 regulations pose significant questions for the structure of the existing payments industry. Straight off, an open payment API allows a third-party – let’s say a giant internet retailer at a browser near you – to ask consumers if they’d mind permitting direct account access for payment. It won’t be too hard for these organisations to find some incentive for customers to do this and once permission is granted then the third-parties can bypass existing card schemes and push payments directly to their own accounts. Meanwhile the account information API allows third-parties to aggregate consumer financial data and provide consumers with direct money management services. It’s not hard to imagine that these services will be able to disintermediate existing financial services providers to identify consumer requirements and directly offer them additional products such as loans and mortgages.

This, you might think, could be a bit worrying for banks and payment schemes – and you’d be correct. Unless they take action the banks will see their customers intercepted and a great deal of their cross-selling opportunities will disappear. End of the world stuff? No. Generally speaking these changes (which are all about more competition) are good for the banking industry and for end consumers, and it doesn’t have to be carnage among the existing incumbents, if they’re smart enough to embrace the opportunity. One way of thinking about this change is that it breaks up existing payment workflows. No longer is a payment simply a request in and a response out; now bits of the internal payment workflow – authentication, risk management, authorisation, tokenisation, rewards programs, key management, etc, etc – can be externalised through APIs. And one thing we know about APIs is that when they’re made available the generations of smart developers out there can do things we can’t even imagine, let alone build. The roadmap to the PSD2 APIs is in the hands of the European Banking Association (EBA) which has been tasked with developing the Regulatory Technical Standards (RTSs) for that access. They have just published the RTS on strong authentication, which you might see as a prerequisite to practical API use.

As expected, the RTS do not provide us with technical specifications that one can actually implement. Additional work by ‘the industry’ is required

From EBA RTS: Three key business implications for bank decision makers

So, as our good friends at Innopay note here, RTSs are not really technical, and for that matter they’re not really standards in the sense that I would mean either, but suffice to say that there is a framework for open banking coming together at the European level.

[Figure: DCSI Schematic v2]

The second stream is Her Majesty’s Treasury’s push for more competition in retail banking. This led to the creation of the Open Banking Working Group (OBWG), which published its report earlier this year. Right underneath the heading “Open Banking Standard”, the document says that its goal “in publishing this Framework today is to enable the accelerated building of an Open Banking Standard in the UK”. So it’s not really a standard either. I thought the document might set out some actual APIs (preferably in line with the EBA RTS) so that banks, fintechs, regulators and entrepreneurs could plan new products and services but the truth is it reflects the political realities of the pending complex “settlement” between banks, the regulators and others.

I’m not that interested in open data (e.g., ATM locations) and not that excited by being able to download my bank account as a spreadsheet that I can upload to Money Supermarket. What I’m interested in is transactions and transaction data, especially through the more transactional APIs envisaged under PSD2. It would be crazy for banks to have to implement multiple infrastructures, so it’s logical to create an infrastructure for OBWG access to customer transaction data that can also be used for XS2A transaction initiation and account information services. Despite the title, then, the OBWG report is a holding document, setting us on a path to allowing access to the open data held by banks while leaving proprietary data alone. Now, let me stress that I was not party to any of the discussions, and I am not breaking any confidences by saying this, but I imagine the discussions about what data the banks consider “proprietary” and what data the banks consider “open” must have been rather convoluted. But let’s move on and assume that my transactions are considered open data and that I want to share them with third-party service providers. Since the report did not contain any APIs or even a framework for APIs, we can’t use it to start planning services right now, but we can focus on the positives and look at what the document did. What it did set out was a four-part framework, comprising:

  • A data model (so that everyone knows what “account”, “amount”, “account holder” etc means);
  • An API standard;
  • A security standard;
  • A governance model.

None of these currently exist, so they need to be created. If we focus on the APIs, the document does say, as I have noted, that because of PSD2 (and the General Data Protection Regulation, GDPR), many of the APIs will need to be built anyway. Hence co-ordinating the APIs will be a near-term priority.

The third stream is the CMA report that triggered this blog post. This envisages APIs to improve competition in retail banking by focusing on the use of APIs to obtain access to personal data that can be shared with third-parties to obtain better, more cost-effective services. Hence the comments about the mobile app that will get you a better current account. Now, I identify these APIs as being congruent with, if not actually being the same as, the PSD2 AISPs. So if we gather together these streams and try to integrate a picture of where we might go next, and we draw the mandatory consultant’s 2×2 matrix to help us think through the possibilities, I think we end up with a rather interesting and useful way of thinking about the crossing of the three streams. I’m particularly drawn to it because it gives me a way to locate the digital identity APIs that I think are so crucial to the future of banking.

[Figure: PSD2_OBWG_ID_APIs]

I think this is a useful diagram. The Digital Identity APIs will not be mandatory, but they may be the key way for banks to stay in the loop in the new economy as the mandatory APIs allow banking services to be provided by third parties. Interesting, and I’d appreciate your view on this. Anyway, there’s one obvious point to mention here and that’s security. Since banks do not currently offer these APIs and they are going to have to knock them up pronto, the potential for error is vast. Yet banks simply cannot take any risks with these interfaces.

APIs (application protocol interfaces), which are a major cornerstone of the CMA’s plan for banks to share consumer data, can also provide an easy route for attackers if not properly secure.

From Funny story, this. UK.gov’s ‘open banking app revolution’. Security experts not a fan of it • The Register

Word. But since neither the APIs, nor the security architecture, nor the practices, procedures and audit mechanism have been defined, it is simply impossible to say whether the UK OBWG implementation is secure or not. Hence I suspect that the way forward for most banks will be to expose a limited set of APIs to begin with by focusing on a manageable customer segment (not the general public) and then get working on stress testing and penetration testing. In fact, some banks have already begun to experiment in this area.

Wells’ tiptoeing into open APIs by offering them to commercial customers is typical of banks, which see such clients as the test case. Consumer applications hold the greater opportunity, but also carry more risk given cybersecurity and data issues.

From The Drumbeat for Open APIs Is Getting Louder | American Banker

I can tell you from personal experience (Consult Hyperion runs a very big penetration testing programme for one of the world’s biggest banks) that it takes a fair amount of time and money to get these kinds of interfaces to the point where they can be exposed to the public, hence I am somewhat sceptical that they will be ready for action a mere 15 months from now.

The social cost of identity

The police are apparently fed up with Walmart. They cut staff, introduced automated checkout and saw a big increase in shoplifting, which they pass on to the police.

“The constant calls from Walmart are just draining,” says Bill Ferguson, a police captain in Port Richey, Fla. “They recognize the problem and refuse to do anything about it.”

From Walmart’s Out-of-Control Crime Problem Is Driving Police Crazy

You can see the logic from the company’s point of view. They pay for staff but they don’t pay for the police, so they may as well externalise the costs of managing bad behaviour. To some extent, of course, we all do this. We expect the authorities to stop people from hurting us in a variety of ways. But there has to be a balance. It would be crazy for car companies to save money by not fitting car alarms and instead fit a cheaper device to alert the police when the car is stolen.  But never mind Walmart and Ford. Isn’t this what Twitter and Facebook have done?

Scotland Yard will spend £1.7million on a ‘Twitter squad’ to hunt trolls

From Scotland Yard invests £2m into new ‘thought police’ unit to hunt down trolls | Daily Mail Online

The problem of bad behaviour online appears to be out of control. I’m sure that police have considerably better things to do with their time than track down lunatics posting threats on Twitter or bullying bereaved people on Facebook. I’m particularly annoyed about the problem on Twitter because I love it so much. Personally, when someone posts abuse at me (and this – astonishingly – does happen from time to time) then I just mute them and carry on. But for some people, especially those more in the public eye, the abuse makes Twitter unusable. 

I posted a screenshot of the email, and a few lines about how I would not be using Twitter until they figured out how to stop making incidents like this one (gross, but comparatively benign) a less constant component of my Twitter experience.

From Twitter Has Become a Park Filled With Bats — Following: How We Live Online

Over time, this is becoming a very serious problem. The “trolls” are not only annoying to individuals, they are undermining the medium.

But its biggest problem are those trolls. They’re winning. Too often Twitter’s users are subject to pernicious streams of abuse and harassment. This dissuades new users from wanting to sign up, drives formerly loyal tweeters to close their accounts, and gives advertisers pause as they consider where to place their brand dollars.

From Stopping Trolls Is Now Life and Death for Twitter — Backchannel

Twitter has responded to this well-known and widespread problem in the past. But it is really not clear to me how they can do this in an automated fashion. If you call me names on Twitter, is that trolling? If I tell you – repeatedly – that your idea for a database of transaction hashes is not a blockchain, is that harassment? And if you get me banned for it, what’s to stop me from just creating another account and carrying on? It is undeniably a very difficult problem, made worse by the absence of any suitable identity infrastructure.

Twitter has long come under criticism for not doing enough to police abusive behavior on the often-freewheeling messaging service.

From Twitter announces crackdown after online abuse of ‘Ghostbusters’ actor | Reuters

So. There has been a huge amount of discussion about the problems of Twitter and falling usage as people abandon the platform because of bullying and trolling. Here’s the big question then. How can we align the social costs of policing anti-social media more effectively so that we can deal with trolls without having to spend gazillions on the police, courts and jails? My argument has always been that it is more cost-effective to support the industry in developing an identity infrastructure that may be used for this purpose (amongst others). And I’ve come around to thinking that banks are probably the right people to get it going. We need to get Twitter to let people create accounts using a Bank Identity (for want of a better word). But not much has happened. Naturally, I’ve written about this before. And as well as moaning about it I’ve made some positive suggestions for things to do about it, largely based on developing strong pseudonymity as the key infrastructure. Other people have put forward similar practical ideas, but they all rest on the ability to authenticate against a “real” identity.

Allow users to not show their tweets to unauthenticated users. 

From Putting out the Twitter trashfire — Medium

Some people think that instead of fixing the problem properly as suggested, we should instead rely on “real” name policies, but I disagree profoundly. There are many issues that people might want to comment on but not use their real names. Again, something I’ve written about extensively. So the basic knee-jerk reaction about names, while understandable, does not work for me. I want people to post their honest opinions and comments about difficult subjects and they need privacy to do this (note, for the one-thousandth time, privacy is not anonymity).

Social media users should be forced to reveal their real names so police can track down jilted lovers who post “revenge porn”, a peer has said.

From Revenge porn: Peer says Twitter users must reveal real names – Telegraph

The police do not need people to post their real names to do this. What they need is a route to the real names, which is why the idea of strong pseudonymity (pseudonyms managed by regulated institutions) is so appealing. If Barclays know who I am, then the police can ask Barclays and Barclays will tell them. But Barclays won’t tell anyone else, so I can post in privacy. Why banks do not get together to provide such an obviously beneficial identity service is beyond me. It’s all very well providing a bank identity to let me do my taxes, but I do this once every year, whereas I post abuse on social media almost hourly.

Cardmaggeddon in China (and Canada)

I nipped round to Waitrose to get some milk the other day. As I closed the door behind me I realised that I’d left my wallet on my desk. But guess what – I didn’t care. Waitrose takes contactless, and they’ve implemented it properly (with CDCVM), so there’s no need to take cards as consumers are forced to do in less-developed nations. I had my phone in my hand, so I used that. It’s the future, you know…

More than two thirds of the UK’s 16-34 year olds (67%) have used their mobile phone to make an in-store payment, research released by Worldpay reveals. Over half of all age groups surveyed (54%) expect smartphones to replace cards as their main method of payment within the next five years.

From Two in three young Brits have made a mobile payment in-store • NFC World

As Anthony Jenkins (former CEO of Barclays) accurately predicted years ago, mobile phones are going to replace cards before they replace cash. But when I got to Waitrose and used my phone, the ensuing transaction was just a boring (although very secure) old MasterCard credit card transaction running over the same old rails. But for how much longer? Look at what is happening in China right now. China has a very vigorous mobile payments market, and it’s dominated not by banks but by AliPay with about three-quarters of the volume and WeChat with around a fifth of the volume. For all the excitement of a few years ago, the telcos are not even in the top 10! However, with falling revenues in other areas (text message volume was down 8% last year), the major carriers (who have held licences to provide mobile payment services since 2011) need to develop new businesses and mobile payments is one of them.

“We expect to overtake them once the next generation of payment technologies replaces QR codes,” [China Telecom Bestpay General Manager Gao Hongliang] told the financial magazine Caixin Weekly on August 12.

From China’s telecoms refocus on mobile payment market after falling way behind – Global Times

What are these “next generation of payment technologies”? China Mobile, the biggest carrier, is focussing on NFC. But I suspect that Bluetooth, wifi and other technologies will come along too. The “last millimetre” problem is fading. Meanwhile, the banks aren’t doing too well out of the mobile payments revolution either. Indeed, China gives us a very accurate glimpse at the #cardmaggeddon (the time at which cards will cease to dominate non-cash retail payments by volume) approaching in developed markets.

The move by more Chinese consumers to switch from swiping plastic cards to scanning QR codes with mobile wallet apps knocked $20bn from banks’ fee income in 2015

From China banks starved of big data as mobile payments rise – FT.com

If you think about it though, there’s a much bigger problem looming. It’s one thing for banks to lose interchange income (but they are losing that anyway because of the downward pressure on interchange everywhere) but hey, it’s only money. The truth is that they are losing something far more important. As the FT notes, when the banks don’t see the payment transactions, they don’t see the data either.

The loss of data poses a challenge to Chinese banks at a time when their traditional lending business is under pressure from interest-rate deregulation, rising defaults, and the need to curb loan growth following the credit binge. Big data are seen as vital to lenders’ ability to expand into new business lines.

From China banks starved of big data as mobile payments rise – FT.com

So #cardmaggeddon is about a much bigger shift in bank strategy than the replacement of income from interchange revenues. What can they do in response to this? Well, I’m going to be talking about this and making a couple of suggestions to begin the debate in Toronto on 29th September at the fourth Tomorrow’s Transactions Toronto Unconference. Here’s the skinny…

This year’s focus will be a peek at the post-card payments world because at some point in the imaginable future, mobile “tap and pay” and “app and pay” will overtake card payments or, as we prefer, #cardmaggedon or the #cardocalypse, where plastic card products no longer dominate and begin their slide into history.

Come and listen to global FinTech guru Dave Birch, Director of Innovation at Consult Hyperion and a Visiting Professor at the Surrey University Business School, moderate a day of discussions on the future of digital transactions.

Dave was named one of the global top 15 favourite sources of business information (Wired magazine) and one of the top ten most influential voices in banking (Financial Brand); was found to be one of the top ten Twitter accounts followed by innovators, along with Bill Gates and Richard Branson (PR Daily); was ranked in the top three most influential people in London’s FinTech community (City A.M.), was voted one of the European “Top 40” people in digital financial services (Financial News), was listed as one of the world’s top 100 most influential FinTech leaders (Hot Topics) and was rated Europe’s most influential commentator on emerging payments (Total Payments).

He has lectured to MBA level on the impact of new information and communications technologies and has contributed to publications ranging from the Parliamentary IT Review to Financial World. He is a media commentator on fintech issues and has appeared on BBC television and radio, Sky and other channels around the world. His most recent book “Identity is the New Money” was published in April 2014 and his new book “Before Babylon, Beyond Bitcoin”, about the future of money, will be published later this year.

Dave will be co-hosting with FinTech industry veteran, Debbie Gamble of NorthCommons, as they discuss the impact of FinTech and the new norm of digital transactions.

We hope you can join Dave, Debbie and other thought leaders for a day of colourful debate and speculation about what will happen when push payments replace pull payments and how the dynamics of the payments industry will change at the Tomorrow’s Transactions Toronto Unconference 2016.

And don’t forget to check us out on Twitter #TTTU2016.

It’s time to begin planning for the post-card future of retail transactions and looking to see where your organisation can play in the new value chain built from instant payments, APIs, biometrics, mobile phones and the internet of things. Come along and get started on 29th September. The madmen are literally giving away the tickets for a measly CAD75, so it’s going to cost you more in gin and tonic for me than for the ticket itself. See you there.

