Cardmaggeddon in China (and Canada)


I nipped round to Waitrose to get some milk the other day. As I closed the door behind me I realised that I’d left my wallet on my desk. But guess what – I didn’t care. Waitrose takes contactless, and they’ve implemented it properly (with CDCVM), so there’s no need to take cards as consumers are forced to do in less-developed nations. I had my phone in my hand, so I used that. It’s the future, you know…

More than two thirds of the UK’s 16-34 year olds (67%) have used their mobile phone to make an in-store payment, research released by Worldpay reveals. Over half of all age groups surveyed (54%) expect smartphones to replace cards as their main method of payment within the next five years.

From Two in three young Brits have made a mobile payment in-store • NFC World

As Antony Jenkins (former CEO of Barclays) accurately predicted years ago, mobile phones are going to replace cards before they replace cash. But when I got to Waitrose and used my phone, the ensuing transaction was just a boring (although very secure) old MasterCard credit card transaction running over the same old rails. But for how much longer? Look at what is happening in China right now. China has a very vigorous mobile payments market, and it’s dominated not by banks but by AliPay with about three-quarters of the volume and WeChat with around a fifth of the volume. For all the excitement of a few years ago, the telcos are not even in the top 10! However, with falling revenues in other areas (text message volume was down 8% last year), the major carriers (who have held licences to provide mobile payment services since 2011) need to develop new businesses and mobile payments is one of them.

“We expect to overtake them once the next generation of payment technologies replaces QR codes,” [China Telecom Bestpay General Manager Gao Hongliang] told the financial magazine Caixin Weekly on August 12.

From China’s telecoms refocus on mobile payment market after falling way behind – Global Times

What are these “next generation of payment technologies”? China Mobile, the biggest carrier, is focussing on NFC. But I suspect that Bluetooth, wifi and other technologies will come along too. The “last millimetre” problem is fading. Meanwhile, the banks aren’t doing too well out of the mobile payments revolution either. Indeed, China gives us a very accurate glimpse at the #cardmaggeddon (the time at which cards will cease to dominate non-cash retail payments by volume) approaching in developed markets.

The move by more Chinese consumers to switch from swiping plastic cards to scanning QR codes with mobile wallet apps knocked $20bn from banks’ fee income in 2015

From China banks starved of big data as mobile payments rise – FT.com

If you think about it though, there’s a much bigger problem looming. It’s one thing for banks to lose interchange income (but they are losing that anyway because of the downward pressure on interchange everywhere) but hey, it’s only money. The truth is that they are losing something far more important. As the FT notes, when the banks don’t see the payment transactions, they don’t see the data either.

The loss of data poses a challenge to Chinese banks at a time when their traditional lending business is under pressure from interest-rate deregulation, rising defaults, and the need to curb loan growth following the credit binge. Big data are seen as vital to lenders’ ability to expand into new business lines.

From China banks starved of big data as mobile payments rise – FT.com

So #cardmaggeddon is about a much bigger shift in bank strategy than the replacement of income from interchange revenues. What can they do in response to this? Well, I’m going to be talking about this and making a couple of suggestions to begin the debate in Toronto on 29th September at the fourth Tomorrow’s Transactions Toronto Unconference. Here’s the skinny…

This year’s focus will be a peek at the post-card payments world because at some point in the imaginable future, mobile “tap and pay” and “app and pay” will overtake card payments or, as we prefer, #cardmaggedon or the #cardocalypse, where plastic card products no longer dominate and begin their slide into history.

Come and listen to global FinTech guru Dave Birch, Director of Innovation at Consult Hyperion and a Visiting Professor at the Surrey University Business School, moderate a day of discussions on the future of digital transactions.

Dave was named one of the global top 15 favourite sources of business information (Wired magazine) and one of the top ten most influential voices in banking (Financial Brand); was found to be one of the top ten Twitter accounts followed by innovators, along with Bill Gates and Richard Branson (PR Daily); was ranked in the top three most influential people in London’s FinTech community (City A.M.), was voted one of the European “Top 40” people in digital financial services (Financial News), was listed as one of the world’s top 100 most influential FinTech leaders (Hot Topics) and was rated Europe’s most influential commentator on emerging payments (Total Payments).

He has lectured to MBA level on the impact of new information and communications technologies and has contributed to publications ranging from the Parliamentary IT Review to Financial World. He is a media commentator on fintech issues and has appeared on BBC television and radio, Sky and other channels around the world. His most recent book “Identity is the New Money” was published in April 2014 and his new book “Before Babylon, Beyond Bitcoin”, about the future of money, will be published later this year.

Dave will be co-hosting with FinTech industry veteran, Debbie Gamble of NorthCommons, as they discuss the impact of FinTech and the new norm of digital transactions.

We hope you can join Dave, Debbie and other thought leaders for a day of colourful debate and speculation about what will happen when push payments replace pull payments and how the dynamics of the payments industry will change at the Tomorrow’s Transactions Toronto Unconference 2016.

And don’t forget to check us out on Twitter #TTTU2016.

It’s time to begin planning for the post-card future of retail transactions and looking to see where your organisation can play in the new value chain built from instant payments, APIs, biometrics, mobile phones and the internet of things. Come along and get started on 29th September. The madmen are literally giving away the tickets for a measly CAD75, so it’s going to cost you more in gin and tonic for me than for the ticket itself. See you there.

ODA is a good thing, and not only for transit operators (are you listening USA?)


Following the success of Transport for London’s (TfL) Contactless Payments program, a project Consult Hyperion have contributed to since 2008, transportation agencies around the world are following TfL’s lead looking to bring the same convenience to their own customers. Operators are migrating from a world where customers have to exchange real money into transit money before they can ride on a bus or a subway, to a world where you simply tap your bank issued contactless credit or debit card on the transit reader.

The Problem

As brilliant as this new world of transit payment is, it does expose the operator to some level of risk as well as deliver a variety of benefits. I’ll address other risks and benefits in later posts, but for now I want to focus on the risk of accepting a counterfeit bank card in exchange for free travel.

Of course, the benefit of accepting payment cards for transit is that you can reduce the cost of card issuance through using the card customers already have in their pocket. Customers benefit from being able to pay for transit the same way they make other retail purchases every day. With this approach you get the additional benefit of payment card security and you don’t have to rely on proprietary cryptographic techniques that could one day expose your system to fraud. Easy, right?

Well, it’s not quite that simple.

While bank chip cards come with a toolkit of security options for card issuers to use, the majority of issuers of EMV cards in the US today have implemented only one of those options, the one required for the domestic online-only market.

To understand the issue, remember that all EMV cards generate a unique code called a cryptogram which only the card issuer can validate. So for each transaction, the card details and cryptogram are captured and sent for direct verification with the card issuer, who returns a message to accept or decline the transaction to the merchant.

However, this ‘online-only’ option is not suitable for transit operators.

One issue for transit operators is rate of customer throughput. In cities looking to implement open loop payments for transit (the acceptance of EMV cards), there is a need to handle large numbers of passengers passing through the subway gates or boarding buses.  There is not enough time, in this fast moving environment, to wait for each transaction to be authorised online by the card issuer, and there are genuine health and safety risks to slowing down people moving through the system. Hence the strict time limits on transactions:

[Shashi Verma, TfL] said “contactless cards could now deliver transaction times in under the crucial 500ms at which longer queues begin to form”.

http://www.telegraph.co.uk/technology/news/10990294/Tube-to-adopt-contactless-payment-cards.html

“Agencies who have carried out NFC pilots argue that a device must have a transaction time of less than 500ms to be viable, and prevent passenger delays at turnstiles.”

http://www.masstransitmag.com/blog/10615616/nfc-the-mass-transit-payment-revolution

Looking at how the transit transaction times break down in detail, we find that:

  • There is some time spent by the reader to detect a card and determine what type of card it is. This should take in the order of 10ms but may increase if different card technologies are accepted at the transit reader.
  • Then there is a longer period of time where the card and the reader exchange some data, which typically takes anywhere from 300 to 400ms on currently issued contactless bank cards.
  • Finally, the typical times for a card issuer authorisation that we have observed are anything from 500 to 2000ms.

As you can see, adding these times together we are well over the 500ms target the transit industry is seeking.

Now, transit merchants could take the risk on one transaction and check with the card issuer that everything is ok with the card while the customer is making their first journey. If the issuer declines the transaction, the transit operator could put the card on a hotlist to prevent further travel. Seems reasonable? The trouble with this is there is an opportunity for the intrepid fraudster to develop a simple mobile application that looks to a contactless reader like a normal payment card, but in fact, for each transaction, generates a new identifier that will sidestep the transit hotlist.

How Offline Data Authentication helps

There is another option available to card issuers in the EMV toolkit that helps the transit operator meet their 500ms target and also mitigates the risk from counterfeit cards – Offline Data Authentication (ODA). ODA is a method that allows the reader to determine the authenticity of the card and the card issuer using the cryptography provided in contactless bank card chips and readers. Using ODA has the following effect on the transaction time, now that we don’t need to go check with the issuer to authenticate the card:

  • As before, the time to detect the card and allow the card and the reader to exchange data remains the same, about 310 – 410ms
  • Now, the time to carry out ODA adds around 50ms, meaning a new total transaction time of 360 – 460ms

This meets the 500ms target.

It’s time for ODA to be mandated for all Contactless

Contactless bank chip cards personalised with ODA, as mandated in most payment scheme regions, allow transit operators and other merchants alike to mitigate transaction risk by authenticating the card offline. If transit operators can prove the card is genuine and not on their own hotlist, they can open the gates or let the customer on the bus. The next step for the operator will be to get card issuer authorization while the customer is making their first journey. Now they have all the information they need to decide if the customer can make the second journey or not.

While transit operators in established contactless bank chip card markets (outside the US) can introduce open loop payments safe in the knowledge that contactless cards are all going to be supporting ODA, in the US, the picture is less than clear. Migration to bank chip cards is still in its first year, there are very few contactless card products issued and mobile payments such as Apple Pay and Android Pay represent the largest use of ‘contactless’. While transport operators are looking to accept contactless bank cards, they cannot risk doing so until the US domestic cards are ODA capable. If the card brands and US banks want a slice of the US transit market ODA must be at the top of the to-do list.

(By the way, ODA is not just beneficial for transit operators; there are other merchants where this technology can also be helpful. For example, following a natural disaster where communications go down but merchants still need to keep trading to ensure essential supplies get to the right people, or merchants who wish to offer quicker processing at peak periods).

The solution at TfL was simple and effective. If a contactless bank card is presented that does not support ODA, it is rejected and the customer is not allowed to travel. When Apple Pay was launched in the US, not all implementations supported ODA and these were also rejected at TfL gates. By the time Apple Pay launched in the UK, this problem had been fixed. From a customer support perspective, the US needs to be in a position where all cards have ODA and not just some. Transit operators don’t want to block brands (but could do to avoid confusion). It will be impossible to put a message across to customers that some can use the system and others can’t due to something obscure and technical like ODA!
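The gate logic this post describes (ODA and hotlist check at the tap, issuer authorisation deferred to the journey, non-ODA cards refused) can be modelled as follows. This is an added example, not Consult Hyperion's or TfL's code: it uses textbook RSA over small primes as a stand-in for EMV's real certificate formats, and every name, key and PAN in it is constructed.

```python
import hashlib
import os
from dataclasses import dataclass

# Textbook RSA over small Mersenne primes: enough to show the chain logic,
# NOT real EMV key sizes, padding or certificate formats.
def mersenne(k):
    return (1 << k) - 1  # prime for k in 19, 31, 61, 89, 107, 127

def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def pub_bytes(pub):
    return f'{pub["n"]}:{pub["e"]}'.encode()

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

# Constructed keys: the scheme root certifies the issuer, the issuer certifies each card.
SCHEME_CA = make_key(mersenne(127), mersenne(107))
ISSUER = make_key(mersenne(89), mersenne(61))
ISSUER_CERT = sign(SCHEME_CA, pub_bytes(ISSUER))

@dataclass
class Card:
    pan: str
    key: dict          # card private key; None models a card personalised without ODA
    card_cert: int     # issuer's signature over card public key + PAN
    issuer_pub: dict
    issuer_cert: int   # scheme root's signature over the issuer public key

    def sign_dynamic(self, nonce):
        return sign(self.key, nonce + self.pan.encode())

def personalise(pan, card_key, issuer=ISSUER, issuer_cert=ISSUER_CERT):
    cert = sign(issuer, pub_bytes(card_key) + pan.encode())
    return Card(pan, card_key, cert, public(issuer), issuer_cert)

def counterfeit(pan):
    """Models the fake card from the text: new identifier per tap, keys not rooted in the scheme."""
    fake_issuer = make_key(mersenne(89), mersenne(31))
    self_signed = sign(fake_issuer, pub_bytes(fake_issuer))
    return personalise(pan, make_key(mersenne(61), mersenne(19)), fake_issuer, self_signed)

class Gate:
    def __init__(self, ca_pub, require_oda=True):
        self.ca_pub, self.require_oda = ca_pub, require_oda
        self.hotlist, self.pending = set(), []

    def oda_ok(self, card):
        nonce = os.urandom(4)  # reader's unpredictable number, fresh for every tap
        card_pub, pan = public(card.key), card.pan.encode()
        return (verify(self.ca_pub, pub_bytes(card.issuer_pub), card.issuer_cert)
                and verify(card.issuer_pub, pub_bytes(card_pub) + pan, card.card_cert)
                and verify(card_pub, nonce + pan, card.sign_dynamic(nonce)))

    def tap(self, card):
        if self.require_oda and card.key is None:
            return "reject: no ODA support"
        if self.require_oda and not self.oda_ok(card):
            return "reject: ODA failed"
        if card.pan in self.hotlist:
            return "reject: hotlisted"
        self.pending.append(card.pan)  # authorise with the issuer during the journey
        return "open"

    def settle(self, issuer_approves):
        """Deferred issuer authorisation: declined PANs go on the operator's hotlist."""
        self.hotlist.update(p for p in self.pending if not issuer_approves(p))
        self.pending.clear()

def run_counterfeit_taps(require_oda, taps=3):
    gate = Gate(public(SCHEME_CA), require_oda)
    outcomes = []
    for i in range(taps):
        outcomes.append(gate.tap(counterfeit(f"9999{i:012d}")))
        gate.settle(lambda pan: False)  # issuer declines every unknown account
    return outcomes

if __name__ == "__main__":
    print("hotlist only:", run_counterfeit_taps(require_oda=False))
    print("with ODA:    ", run_counterfeit_taps(require_oda=True))
```

With the hotlist alone, each tap arrives under an identifier the hotlist has never seen, so the gate opens every time; with ODA the same taps fail at the first certificate check, before the hotlist is consulted.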

The WEF blueprint for digital identity – the middle way


The World Economic Forum (WEF) has just published their report on “A Blueprint for Digital Identity”. It begins with a disclaimer from “Deloitte”* saying that “This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business”. But what’s the point of reading a report that isn’t going to change any decision or action that you make? I think quite the opposite: you should read the document and make the decision to have a strategy towards digital identity and start to explore different scenarios covering how it will affect your business right away.

First, let me admit that I was excited to see that WEF/Deloitte* have finally caught up with Consult Hyperion’s thinking on this kind of thing. Back in 2008, I wrote that:

Banks ought to be looking at both providing and consuming identity services and developing better identity and authentication services not merely for their internal use to reduce phishing and pharming but as a line of business in an online society. They are the obvious category of institution to provide credentials, manage personal information and deliver identity into the marketplace.

From Digital Identity: I’m sure banks have a strategy for this kind of thing

The WEF report says that “There is a strong business case for Financial Institutions to lead the development of digital identity systems” and goes on to categorise these as cost reduction, new revenue opportunities and transformational new models (i.e., outside core banking). I agree that it’s important to look at the saving money and making money opportunities in this way because in any bank that I’ve spoken to about this sort of thing, it’s been clear that the saving money business case has to stack up before there will be any investment.

As for the blueprint, the report suggests three approaches (the institution, the consortium, the industry), which I paraphrase here:

  • A single institution could create its own system, focusing on cost saving but with limited potential for further adoption (but I think “ChaseID” would struggle against “AppleID”);

  • A consortium could create a co-opetition infrastructure along the lines of the payment networks (some sort of financial services passport);

  • The financial services sector as a whole could create some form of industry identity utility that could be used to deliver “wholesale” identity services (I could get gas, electricity and identity all from the same retailer).

I’m rather in favour of the middle option as I think it delivers immediate improvements to the day-to-day transactions of modern life and it is, above all, feasible. But what exactly would it implement? The model of identity transactions that the WEF present (page 43), which divides identity transactions into authorisation, attributes and authentication is I think a little too narrow. The model we use at Consult Hyperion (“Three Domain Identity”, or 3DID) provides a better platform for discussion and exploration (but then I would say that wouldn’t I) because it makes the relationships between identities, attributes, credentials and so on more explicit.

[Figure: 3D Domain ID with FIDO]

When it comes to discussing archetypes (or “marketectures”) that will make sense (page 62), the use of the 3DID model makes it easier to understand the different options by considering who will control each of the domains. If, as WEF recommend, it is the financial institutions who control the Digital Identity and they link this to a variety of Mundane Identities from different sources as well as to a potentially large number of Virtual Identities (where credentials are held, essentially) it gives them a pivotal role. This might be in a federated structure, where each bank holds its own KYC and makes it available to other banks, or some other option. However it’s done, the authentication (proving you control the digital identity) is another matter.

One of the reasons why I have such an interest in the “middle way” WEF blueprint is that I’ve been part of a techUK working group looking at this since 2014.

A ‘financial services passport’ refers to an aspirational digital identity, issued by UK financial services providers, and mutually recognised across the financial services industry.

From Workshop: Towards a Financial Services Passport

Such a passport would not only be used for financial services and for the benefit of financial institutions. It could be used to improve all sorts of services that desperately need a proper identity infrastructure. It could help with internet dating, protecting people on Twitter from trolls, access to adult services and other “sharp end” applications of digital identity that would be transformational not only for bank revenues but also for consumers in the mass market. The solutions to the big, immediate problems in these areas come not from the digital identity itself but from the virtual identities built on top of it, because the virtual identities are a way to communicate attributes rather than identity.

So what might banks do with your identity once they’ve got it safely locked away in their vaults? Well, one idea, particularly popular with me, is that they might give you a safe, pseudonymous virtual identity to go out and about with.

From Tired: Banks that store money. Wired: Banks that store identity | Consult Hyperion

The idea of strong pseudonymity is particularly appealing: a pseudonymous virtual identity with a bundle of credentials attested to by regulated financial institutions should be more than enough for almost all day-to-day transactions. This would allow for a new tranche of what economists call “incentive functions” to be created by banks, encouraging transactions where none would have taken place otherwise.

But back to the WEF report. In conclusion, despite my preference for our model (!), when it comes down to it, I think that the middle way (the consortium approach) is the place to start and I strongly agree with the principal recommendation of the report, which is that (page 101) “Implementation of a digital identity system should follow a bottom-up approach”. What the WEF calls “natural identity networks” I might be very tempted to label “communities”. So let’s create identity solutions for communities (starting with the financial services passport for the retail financial community of customers, providers and regulators) and find ways to interconnect them rather than trying to think up some kind of top-down “World ID” for the communities to implement.

* “Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.

Banking is going in-app just like everything else


I very rarely use Internet banking these days and it seems I’m not alone. Almost every interaction with my bank takes place through one of my mobile banking applications: my Barclays banking application, my Barclays PingIt application (which I assume will soon disappear inside WhatsApp and Waitrose and Hailo and so on), my Simple application, my Barclaycard application, my American Express application and so on and so forth. Thinking about it, the only time I can remember using my home banking application in recent times was to search back through transactions to check on some payments on behalf of one of my kids at university and to set up a new payee for Faster Payments. Unusually, I appear to represent the man using the Clapham ISP in this respect, as the latest figures from the British Bankers’ Association show.

The number of internet banking logins made by Brits each day fell last year, as customers continued to migrate to apps, BBA research shows… The number of payments made using banking apps hit 347 million last year, a 54% rise. Internet banking still has the edge here, used for 417 million payments in 2015, but this was up just two per cent.

From Apps crush internet for UK banking logins

The BBC were kind enough to invite me to talk about this on Breakfast TV, because some of the members of the public that they had been talking to expressed concerns about the security of mobile banking. As this is a core area of expertise for Consult Hyperion (in fact, one of the biggest projects that we are working on right now deals with planning, executing and testing mobile app security strategy for one of the world’s biggest banks), I took the opportunity to reassure viewers that not only was mobile banking safe it was, in my opinion, much safer than internet banking. You can watch it here [at 25:50].

BBC Breakfast

 

There are several reasons for this — the fact that the phone contains a smart card and tamper-resistant memory, the fact that the phone tracks you and (perhaps the most mundane of all) that if you lose your phone you notice fairly quickly — but the main point is that if you carry out any form of methodical risk analysis you will see that the mobile phone in essence offers a bundle of security countermeasures that work to reinforce each other. Of course we must be vigilant, but mobile security is doing OK.

Note also that mobile security extends across other channels: mobile is often used to secure internet login anyway. Right now this is often through the not-very-secure use of text messages but there are initiatives such as the GSMA’s Mobile Connect out there trying to introduce some real security.  This is where I expect to see further real innovation in the not too distant future and why I keep posting repetitive tweets about annoying internet logins and anticipating the advent of Apple ID. Since just about everything on the Internet is insecure, the obvious way to improve the security of end applications is to (essentially) ignore the Internet completely in security terms. Just assume that everything sent across the Internet has no defence whatsoever against even the most basic assaults on integrity, confidentiality and availability. In planning terms, assume that the Internet is owned and operated by your nemesis! Thus, everything that goes across the Internet must be encrypted and digitally signed.

If we are going to do this then we need a place to store the private keys that are needed to make the encryption and signing work properly. We can’t store them inside PCs because by and large PCs are just as insecure as the Internet. But since everyone has a smartphone, a rather obvious thing to do is to store keys inside the tamper-resistant storage that the handsets provide. After all, if the “secure enclave” (Apple’s name for the ARM Trusted Execution Environment, TEE) inside your Apple iPhone is safe enough to store payment tokens then it is safe enough to store a variety of the virtual identities that I need to operate in the online world. I’ll blog about how this might work in the banking case later in the week, but at this point I just want to re-iterate what I told the BBC. When it comes down to it, mobile isn’t as secure as web, it’s much more secure than the web.

Payment competition and banking in a post-PSD2 world


I happened to be talking about access to payment infrastructure (something I blogged yesterday) at a client event yesterday, and got involved in a discussion about how the fintechs might begin to work with banks in the new world of PSD2 and mandatory APIs. This has been a subject of great interest to me at the recent Money 2020 Europe (with top, top players like Shamir Karkal from BBVA and Alex Mifsud from Ixaris explaining why the move to APIs will mean a big shift in the delivery of banking services) and other recent events. Generally speaking, and this is a sweeping generalisation, I think there has been a shift in European bank thinking in recent times. They well understand that if they do nothing, then in the instant payments, API-centric, PSD2 world they stand to lose significant income. The outsourcing company Accenture, for example…

estimates that the new breed of payment initiation service providers will erode 33% of online debit card transaction volumes and 10% of online credit card transaction volumes resulting in a total market share of 16% of online retail payment volume by 2020.

From Banks set to lose 43% of retail payments revenue under PSD2

So the Payment Initiation Service Providers (PISPs) stand to capitalise on the new arrangements (if the banks do nothing, of course). What kind of services might they provide? Well, an obvious example is integration with social media. If you look at the use of instant payment “overlay services” (as they call them down under) in the UK (PingIt and PayM) it is far less than the use of, for example, Venmo in the USA. And Venmo doesn’t deliver immediate settlement (it works through the debit card networks). In the last quarter of 2015, Venmo transferred $2.5 billion. In January 2016 alone it transferred $1 billion. So why is it so popular? It’s the integration with social media. Just over half the users are 18-24 and half the payments relate to food and drink sharing! On a US college campus, “I’ll Venmo you” has entered the lexicon. In the UK, “I’ll PingIt you” has not. Paym is growing steadily, but it is still only transferring about £12 million per month.

[Figure: Venmo 1Q16]

So now imagine, post-PSD2, a combination of the immediate availability of funds like PingIt and Paym with the social media integration of Venmo. It will be a wholly different payment experience. I’ll give you an obvious example. My wife and some of her friends are planning a weekend break in August. They do this through a Facebook chat group. But when it comes to settling up for hotels and air fares, everyone has to log out, e-mail everyone for their bank details and log in to home banking and set them up as payees, then make the payments. Then everyone else has to log in to their bank accounts to see if the money has arrived and that it is the right amount. In 2018, however, it will all be different. Facebook will be integrated with instant payments through APIs so that it can function as a PISP. When my wife gets a message to say that she owes her friend £100 for her air ticket, or £25 for her share of the dinner, or £10 for the tickets to a show, then she will put money into her return message just as she adds emoticons today. Under the hood, Facebook (which of course knows the bank account of the person you are sending a message to) will initiate an instant payment and within a second or so her friend will get a message to tell her that the money has arrived. Remember, Facebook already do this in the US through debit cards (like Venmo).

It’s not all about payments though. The other category of organisation with direct access to the bank account, the Account Initiation Service Providers (AISPs) also stand to benefit from bank inertia. The row about “screen scraping” in the US adumbrates similar pressure for bank strategies in Europe.

JP Morgan Chase CEO Jamie Dimon is incensed about fintech startups like Mint, Acorn and Bloom “scraping” his customers’ data

From Banking App Competition; Why OTT “Skinny Bundles” Fail | AdExchanger

I’m sure his experienced strategists will be quick to reassure him that third-party access to bank accounts (the data is the customers’, not the banks’, of course) ought to be seen to be an opportunity for JP Morgan Chase to develop some terrific new products and services. The reason why customers of JP Morgan Chase use Mint is because JP Morgan Chase do not provide a suitable, better product for them to use instead. Mr. Dimon, as a champion of free enterprise, would surely object to organisations building walled gardens and using regulatory barriers to defend them. If Facebook or Amazon provide a better financial services app for customers to manage their JP Morgan Chase accounts, then good for them.

In fact, it seems to me that this is a very likely outcome of rational market evolution. I buy my electricity from whichever supplier offers the best deal for our household. When I change suppliers, I don’t need to change my TV. When I change banks, why should I change my digital wallet if I don’t want to? With a standard API, my personal finance management (PFM) app and my wallet app and my social networks will all access my bank account, whatever my bank. And if I change banks, whatever.

So… what makes sense for banks? Why bother making the wallet or PFM apps? Why not instead provide the best possible API to people who are better at making these apps? Why bother with PingIt and PayM? Why not instead provide the best possible API for PISPs to use? Why bother with fancy applications at all? Why not instead provide identification and authentication services (through APIs of course) that all of these other apps, APIs and services will depend on? After all, if I’m going to give Facebook access to my bank account then Facebook need to be pretty sure that it’s actually me and I need to be pretty sure that it’s actually Facebook. My bank is a rather obvious middleman here.

[Figure: DCSI Schematic v2]

All of which leads me to suspect, as I have mentioned before with tedious regularity, that the banks should focus on what the Euro Banking Association call the “non-mandatory, non-payment APIs”  (as shown above) as a basis for strategic advantage and get together to agree a digital identity infrastructure and a common set of digital identity APIs. Nothing to it, really…

Access

The U.K.’s Faster Payments Service (FPS) has been very successful. The ability to send money from one account to another account instantly is actually quite transformational, but I still think that the full impact has yet to be felt. As we move into 2018 and the world of the newly-published Open Banking Standard, PSD2 and APIs then we will see instant payments built in to the applications that support our everyday lives. This morning when I caught the bus to work the cost of the bus ticket was charged to one of my credit cards, which meant that the bus company had to store my card information and that I had to remember the three digit code on the back of the card to complete the purchase. In the future, I will tell the bus company I want a ticket and put my thumb on the home button of my iPhone and that will be that. The money will be sent from my bank account to the bus company’s bank account with no delays, intermediaries or additional friction. As I said before, there will be a push for push.

Since it is such a big deal, it is of course important who has access to the instant payments networks. The government is very keen to see more competition in the retail payments space and for this reason it wants to facilitate access to core payment systems, such as FPS. The opening up of access has already started. You might remember that last year, access was opened up to a new kind of aggregated access layer under the “New Access Model”.

The New Access Model, first published in December 2014, sets out proposals to enable technology vendors to offer technical access to Payment Service Providers (PSPs) by adding to their existing accounting platform technology, or providing a managed solution to either a single or multiple PSPs.

From New access market for Faster Payments gains traction | Faster Payments

This new model gave technology companies with experience in payments the ability to create systems to connect directly to FPS and then offer this connection to other players. These new offerings, including VocaLink’s PayPort service, are a terrific step forward and they make it very easy for new entrants to get up and running. Earlier this year, in fact, PayPort made access for new entrants even easier through their partnership with Raphael’s Bank.

As a member of the Faster Payments Scheme, Raphaels Bank will be able to provide other payment service providers with access to the UK’s core payments infrastructure through VocaLink’s PayPort service.

From VocaLink Connect – VocaLink partners with Raphaels Bank on Faster Payments

So now, new entrants who sign for agency access with Raphaels can use PayPort to launch their services. But access may well be opened up even further. There are plenty of non-bank players out there who want to have access to the infrastructure and the UK’s Emerging Payments Association recently presented a report to arguing that, under the appropriate licence conditions, non-banks should be allowed access to instant payments infrastructure through the use of a new kind of limited pre-funded settlement account at the Bank of England. In essence, a Facebook or a Google would be allowed accounts that they would load up with a few million quid in the morning and then use throughout the day. Under this kind of option you would be able to send money from your bank account to a friend on Facebook Messenger in a jiffy. Facebook and other tech players could use PayPort to connect to FPS, giving them integration and all the services they need at the drop of a hat.

Tech firms are in talks with the Bank of England to secure settlement accounts, a privilege only currently on offer the banks. The accounts would help give the finance technology (fintech) firms access to the payments system, the infrastructure which currently underlies much of Britain’s financial services industry.

From Fintech firms want to open accounts at the Bank of England – Telegraph

Why am I highlighting this? Well, the interpersonal services that deliver instant payments at the moment (such as PayM, which has more than three million registered users) are just a toe in the water! Imagine what some of these new tech players will be able to do with those services when they integrate them with social media, mobile apps, retail platforms, public services and other organisations and businesses. I’m looking forward to some real innovation in this space, and opening up access under the right conditions will energise the whole sector. I’m going to be writing some more about this tomorrow.

Contactless bank cards not safe

According to Katie Morley from the Telegraph:

Millions of passengers across Britain could be left stranded under plans for every bus in Britain to go cashless despite widespread security fears over contactless technology.

She goes on to say:

Which? said that despite nine in ten of its members owning a card with a contactless option, 40% of them had not used it for at least 12 months, opting instead to pay via chip-and-pin.

This is odd, because TfL has found that in London, c. 25% of journeys are now paid for using contactless bank cards rather than Oyster or paper tickets.

She also asserts:

Busses in Scotland and Northern cities such as Manchester, Leeds and Sheffield are looking to copy London busses which do not allow travellers to pay by cash onboard, according to plans outlined in a major report by the UK Cards Association, a body which represents the payments industry.

This kind of justifies her headline:

Millions of travellers could be stranded under plans for every bus in Britain to go “cashless”

Except that it is not true. Yes, our work at TfN has plans for rolling out modern smart ticketing technologies across the north of England. Yes, there are current plans for contactless payments cards to be accepted by the largest bus operators across the UK. But they have not committed to banishing cash from buses like London has.

And when London did stop accepting cash on buses, were millions stranded? No.

You can’t handle the (single) truth

Another week, and another tidal wave of blockchain articles that I’ve been trying hard to keep up with. After chairing the session on the R3 Initiative at Money2020 Europe in Copenhagen, I’ve been surveying the ledger landscape to help our clients to develop their roadmaps. 

I wonder if the blockchain is going to be important or not? Better get reading. Over the last few days I’ve had some time on planes, trains and buses to look through a whole bunch of articles on the subject.

Blockchain: a short-lived illusion or a real game changer? Experts discuss if, and how, blockchain can revolutionise payments

From EPC | Newsletter – Article

I read this article, and just like most of the other articles I read, it really doesn’t explain either how or why the blockchain might revolutionise anything. (It uses the blockchain, a blockchain and ledgers as interchangeable terms, which bothers me.) I don’t really want to be known as the Victor Meldrew of the Blockchain (Michael Salmony of Equens is already there!), and I don’t mean to offend, but I do want to make a serious point: what is the point of the thousands of articles like this? Not to mention the articles about how the blockchain will / will not (*delete where applicable) mean the end of the stock exchange, child poverty or delays in firefighters using lifesaving equipment. OK, it was rhetoric, but when I told the students at the London Business School that most of what I’d read about the blockchain that day was (and I quote) “drivel”, I wasn’t exaggerating much.

These “blockchain will change banking / insurance / land registries” articles suffer from two fundamental flaws in my opinion:

They lack a basic model to facilitate communication between business and technologists so that the business idea that they are putting forward can actually be understood by anyone who might have an idea about how to deliver it, and

They lack an understandable narrative about the use of the new technology that might stimulate the development of those new business ideas.

This is why I think that some of the work that I’ve been involved in recently is so important, because it addresses both of these points in a manner that experience seems to indicate is of great benefit. I’ve been out and about using Consult Hyperion’s “4×4” model of the shared ledger technology (SLT) to help our clients to understand and explore the new business models that might be available to them. As you’ll recall, this “4×4” model works by thinking of the shared ledger as comprising four layers and the architectural choices that can be made in these layers give us four different kinds of ledgers to think about in business terms.

Revised Four Layer Model (High Level)

 

I think that the most important narrative is one of transparency. I’ve written before about “The Glass Bank” as a way to think about new kinds of financial markets built on radical transparency. Richard Brown of R3, my colleague Salome Parulava and I have a paper in the forthcoming Journal of Payments Strategy and Systems that sets out the basic model and the concept of “ambient accountability”, which, I certainly think, will help to set the agenda around SLT in the coming months.

Transparency isn’t the only emergent property of SLT, of course. It also connects with the “single source of truth” without the need for a single point of failure. Goldman Sachs, for example, have spoken about this.

Overall, Duet’s comments were broad and positive, with remarks aimed at illuminating for his audience what Goldman Sachs saw as its biggest opportunities. To this, Duet answered that it was the blockchain’s ability to provide a “single truth” to the many institutions that need to share information on asset transfers.

From Goldman Sachs Director: Blockchain Provides ‘Single Truth’ For Banks at CoinDesk.

Who might benefit from shifting to this sort of technology? Well, Goldman Sachs might. They’ve just been fined for some problems to do with the transparency of securities holdings.

Goldman told those customers that it had arranged to borrow, or believed it could borrow, the security to settle the short sale, a process known as “granting locates.” Goldman, however, had not performed an adequate review of the securities customers had asked it to locate, the SEC said.

From Goldman Sachs to pay $15 million to settle SEC stock lending case at Reuters.

This is a good example of a specific problem that might be avoided to everyone’s benefit using the single source of truth that the Goldman chap referred to above. If an investment bank says it has a contract to borrow some stock, then customers could easily see for themselves that the contract is in a shared ledger and they could easily check that the counterparty either has the stock or has a contract to acquire the stock in time. And the regulators could have a simple application that checks whether an investment bank claiming to have such a contract has a “Turing complete” set of contracts in place, and the regulator would have the necessary decryption keys in place to look into contracts that they might see as suspicious.

In fact, thinking about it, in an environment of real ambient accountability, the system itself would not allow an investment bank to enter into an agreement that could not be fulfilled. A bank could not do a deal with customers on the basis that it had arranged to borrow stock unless it actually had. The contract with the customer just wouldn’t work if the “chain” is broken. I hope this won’t take all of the fun out of investment banking but hopefully it will make it safer for the rest of us. Bearing in mind that I don’t really understand shared ledger applications, investment banking or the SEC rules about anything, it all sounds easy to me.

This is the sort of thing that R3, Intel (we have been working on a very interesting project for Intel in the blockchain space), Ripple and Michael Salmony will be discussing in the shared ledgers session at our 19th annual Tomorrow’s Transactions Forum in London this week. So if you want to tap in to the leading edge of serious business discussion on the topic, come along. As always, the Forum (this year sponsored by our friends from WorldPay, VocaLink and Olswang) will be limited to 100 people, so head on over to register for a place right now. I think there are a couple of places left and thanks to the amazing generosity of the sponsors, it’s only £295 for both days – you’d be mad to miss Barclays, Mondo, Fidor, Equens, Clearmatics, the FCA, Shell, Samsung Pay, World Remit, Visa Europe, Curve and many others in an environment of genuine discussion, debate and learning. See you there!

Tokenising Trust

Research over the last 50 years has revealed that we’re subject to a bewildering array of psychological biases which often only become obvious when we start dealing with money. Famously, Amos Tversky and Daniel Kahneman showed that people are risk averse in the presence of a gain and risk seekers in the presence of a loss – which is exactly the wrong thing to do when you’re doing something like trading stocks. It’s an example of a behavioural bias known as the disposition effect, but there are literally dozens, if not hundreds, of them, as the Big List of Behavioral Biases demonstrates.

Research by Brad Barber and Terry Odean in Are Investors Reluctant to Realize Their Losses went on to show that when people traded stocks the ones they sold went on to outperform the ones they kept. Worse, this effect is exacerbated by the internet because it makes it easier to trade. In fact, the internet and social media exaggerate many of these biases because of network effects where we all follow the same small number of opinion setters.

Although research into this area – behavioural economics as it’s known – has only been around for a few decades the underlying human behaviour has been understood by advertisers and marketers for a lot longer. Repeatedly exposing someone to a message – buy Whizzo washing powder – is more likely to make them buy it: the mere familiarity effect as it’s known. But this type of knowledge has evolved, piecemeal, as people and companies have figured out how to sell stuff by trial and error by exploiting our brains’ primeval logic failures when exposed to the modern world. Banks are no different in this and they’ve developed various ways of confusing people, often by introducing minute differences in products and then charging differently for what are essentially the same services.

Enter the big internet companies and you suddenly get a step change in this approach: they’re not evolving towards selling techniques, they’re designing them into their systems and operations by systematically using the research into behavioural bias. Here’s a doozy – product and service companies will deliberately introduce mid-range offers that make no sense and which won’t ever sell. Why would they do that? Because we are afflicted by a bias that causes us to cost things by comparing features and prices against reference points. And by introducing some truly and obviously stupid mid-range offers we can be induced to go for more expensive options:

There are times when the profitability of a product line can be increased by adding a (dominated) alternative that virtually no one ever chooses. The effect of a dominated alternative is to draw attention to a more profitable item rather than to generate direct sales.

[From Adding Asymmetrically Dominated Alternatives: Violations of Regularity and the Similarity Hypothesis]

It’s called the decoy effect, and it’s very effective.

So our poor benighted Millennials are being fooled by a bewildering array of marketing ploys designed to appeal to their generation while kidding themselves that they’re somehow different to everyone else. And, in a way, they are, because the brain is plastic under development in those first 24 years and their exposure to mass connectivity has changed the way that they’re wired. But that’s true in every generation – whether it’s my internet connected kids, my own TV exposed youth, my parents’ automobile based upbringing or my grandparents’ horse drawn cart and plough. That’s just programming: under the surface we all run the same operating system and, boy, does it make DOS look advanced.

Beyond this, of course, is a question: in whom do we trust? And we’re getting idealist answers from technologists, as people hark back to the good old days when everyone knew everyone else and ostracism was the ultimate punishment: go back far enough and ostracism from the group meant death so it’s unsurprising we’re built to regard it as a serious issue. But the idea that we can reinvent this local world using the internet, and that we can rely on word of mouth (or at least Facebook likes) and reviews on websites to determine who we should trust is just plain silly. In a technological world everything can be gamed, and we are being socially engineered on a massive scale. Let’s face it, there was a time when burning witches was socially acceptable; now we out them on Twitter. In neither case can we be sure that the connected crowd is particularly wise, let alone correct.

Trust on the internet can’t be achieved without proof of identity and we have a massive problem as people are giving away their identities on social networking sites for free. To overcome this we get providers like Ashley Madison using credit card details to establish identity, or at least eligibility, and in the process storing a whole range of superfluous information which has now been hacked and distributed for all and sundry to poke around with. And now the witches are burning.

Here, oddly, we come full circle. Because regulation means that banks have to establish identity – and if they establish and manage identity then they can create proxy identities for any variable of the data that they hold by issuing tokens. My credit card can be tokenised to reduce to a value that says I’m over 24 and can be trusted to have an opinion – and my bank can authorise this token just as it authorises a tokenised credit card payment. I can’t do this with a social identity, I need to establish my real identity with my bank.

Banks are fusty old anachronisms in a world which is rapidly changing. They’re protected by regulation from the worst effects of competition and they’re not really much good at innovating, at least in the payments arena. But by re-purposing payments to support digital identity through tokenisation banks have an opportunity to establish themselves as guarantors of trust in a post-Millennial world: and, of course, to make themselves relevant to a whole new generation.
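The attribute token described above can be sketched as a bank-side vault, in the style of payment tokenisation. This is an added example, not code from the original post or from any bank; the class, method and field names and the sample records are hypothetical. The relying party only ever holds an opaque token and receives a yes/no answer.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from datetime import date

def _digest(token: str) -> str:
    # The vault stores only hashes, so a leaked vault does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def _age(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

@dataclass
class Grant:
    customer_id: str
    predicate: str
    audience: str        # the one relying party allowed to redeem the token
    expires_at: float
    used: bool = False

class BankTokenService:
    """Hypothetical bank-side service: opaque tokens standing in for one attribute."""

    # Predicates are evaluated inside the bank; only the yes/no answer leaves it.
    # Assumption: "over 24" is read as more than 24 completed years.
    PREDICATES = {"over_24": lambda rec, today: _age(rec["dob"], today) > 24}

    def __init__(self, kyc_records: dict):
        self._kyc = kyc_records
        self._vault: dict[str, Grant] = {}

    def issue(self, customer_id: str, predicate: str, audience: str,
              ttl: float = 300, now: float | None = None) -> str:
        if customer_id not in self._kyc or predicate not in self.PREDICATES:
            raise ValueError("unknown customer or predicate")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # random: carries no personal data
        self._vault[_digest(token)] = Grant(customer_id, predicate, audience, now + ttl)
        return token

    def authorise(self, token: str, audience: str,
                  now: float | None = None, today: date | None = None) -> bool:
        now = time.time() if now is None else now
        grant = self._vault.get(_digest(token))
        if grant is None or grant.used or now >= grant.expires_at:
            return False                    # unknown, replayed or expired
        if grant.audience != audience:
            return False                    # presented by a party it was not issued for
        grant.used = True                   # single use: a captured token cannot be replayed
        record = self._kyc[grant.customer_id]
        return self.PREDICATES[grant.predicate](record, today or date.today())

# Constructed sample data, not real customers.
KYC = {"cust-001": {"name": "A. Example", "dob": date(1980, 3, 14)},
       "cust-002": {"name": "B. Example", "dob": date(2005, 9, 2)}}

if __name__ == "__main__":
    bank = BankTokenService(KYC)
    t = bank.issue("cust-001", "over_24", audience="forum.example")
    print("forum.example asks the bank:", bank.authorise(t, "forum.example"))
    print("replay of the same token:   ", bank.authorise(t, "forum.example"))
```

Binding each token to one audience and one use means a token copied from one site cannot be redeemed at another, and a breach at the relying party exposes no name, date of birth or card number.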
