AMLD4.1, AMLD5 or 5AMLD?

I recently came across a statistic that surprised me.

Approximately 50% of new bank accounts are opened by customers that have recently arrived in the UK to work or study.

http://www.openidentityexchange.org/wp-content/uploads/2016/10/Digital-Identity-Across-Borders-FINAL-Feb2016-2.pdf

I had wrongly assumed that the majority of new bank account openings in the UK would be from students just about to go off to University, like my son, and that migration whilst high (as the media keeps telling us) would still be a minority. But based on some back-of-the-envelope calculations it appears that the 50% number is about right.

As the OIX report above points out, these new arrivals in the UK are very difficult to perform KYC (“Know Your Customer”) on due to the lack of data. They have no history in the UK. This is exactly where eIDAS should be able to step in. For example, a person arriving from France should be able to use their French government-issued eID as one piece of evidence to help meet KYC requirements. The proposed new AML legislation – the amendment to the fourth AML directive – which I have seen referred to as AMLD4.1, AMLD5 and 5AMLD, explicitly calls out eIDAS as a potential solution.

There are however some issues with this:

Firstly, to become part of the eIDAS scheme, governments have to “notify” their eIDs into the scheme. To date only Germany has done so.

Secondly, eIDAS provides a switching infrastructure that makes all eIDs interoperable but initially this will only be available to the public sector. If a private sector organisation, such as a bank, wishes to leverage an eID it will need to find another way to access or read it.

Thirdly, the mobile channel is becoming increasingly important with banks needing to be able to onboard customers directly in that channel, as well as performing identification and verification of existing customers when provisioning a mobile app. Several of the existing eIDs are smart-card based. These will only be readable by phones if the cards themselves are contactless (which many of them are). They will not however be readable on iPhones, even with the limited opening up of the NFC interface expected in iOS11.

There is clearly therefore a need for some alternative mobile based technology. Fortunately such technology exists in the form of mobile document and selfie capture and verification. One of the vendors in this space, Mitek, kindly commissioned Consult Hyperion to write a paper on this very topic which I had the privilege of presenting at Money2020 last week. You can download the paper here:

Sorting out sorting

Another waste of money is around the corner for the UK banking sector.

“Almost 1 million UK bank customers will be forced to have to use new six-digit sort codes… The change has been caused by the Vickers rules, which force banks to ringfence their high street operations from other banking activities.”

Almost 1m UK bank customers will be forced to use new sort codes | Business | The Guardian

It’s time to put a stop to this yonks old nonsense about sort codes and account numbers and I think I know just the woman to do it: Andrea Leadsom, now Leader of the House of Commons, but formerly City Minister. In her evidence to Parliament in 2012, she said that:

“Full bank account portability would be good for the consumer and good for challenger banks. It would also be good for established banks—they should have nothing to fear from it being easier for customers to switch”

via House of Commons – Banking Standards: Written evidence from Andrea Leadsom MP

I have to admit to having had a very soft spot for her when she was Minister. In a letter to The Daily Telegraph back in September 2013, she noted that — just as I had predicted — the Current Account Switching Service (CASS) which launched that month was (I paraphrase) a bit of a waste of time and money. In fact earlier this year, BACS promised to “remedy the system” because so few people have used it. The then Minister went on to say that customers should have account number portability and be able to switch banks as easily as they can switch mobile phone operators.

This was not new thinking. Six years ago the Independent Commission on Banking published an interim report on their Consultation on Reform Options. This report raised the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seemed reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seemed a plausible request back in 2011, but the truth is that phone numbers and account numbers aren’t quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM.

Hence a diversion into how mobile phones work. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then “registers” with a network. I am writing this in Copenhagen, where I just turned on my iPhone, so now my O2 SIM card is registered with a Danish operator. When you call my number, O2 will route the call to the Danish operator, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an “All Call Query” or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into here, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks the XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

So, back to the point. I am not against the principle that the Minister espoused. On the contrary, I am very much in favour of making it easier for customers to move accounts. It’s the implementation that is the problem. She formulated the problem as:

Ever since I was first elected I have been campaigning to ensure customers can change their bank accounts as easily as a customer can change their mobile phone provider.

Andrea Leadsom | Home

If we treat the bank account number as the SIM number then we need to find something else to be the equivalent of the mobile phone number. It’s entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let’s call it the International Current Account Number (iCAN) — from the underlying bank account and have an industry database that maps iCANs to IBANs. This database would be the equivalent of the ACQ database. So the bank sends your salary via FPS to the iCAN, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCAN, thus reducing their own costs and your own hassle.

But what, in the UK, would be the actual iCAN? A good option is to have virtual account numbers. I’ve previously put forward the “7-0” solution around this.

The 70 code is unused, so we can issue people with [numbers] of the form 70-XX-XX 99999999. These would be compatible with all existing systems and with the IBAN scheme.

A suggestion for doing something about account switching in the UK

The idea here is that the customer gives billers, employers, counterparties the “70” account number that never changes but then chooses which bank account to map it to. They can change this at any time; there’s no need to go back to the billers, employers, counterparties and get them to change anything. This is a simple and inexpensive solution: allow anyone with a bank account to apply online for an iCAN and then let them change the account it maps to whenever they want to in the future. Bank customers could use the iCAN immediately. And because of this strange quirk of British sort code allocation, it would mean that just as all mobile phone numbers begin 07, so all mobile account numbers would begin 70 and form the “unique identifier – in essence, a portable account number that would be retained by an individual/business on an ongoing basis” that the Minister referred to in her evidence.

The other way to approach the problem, and the better way in the long run, is to stop messing about with 1960s sort codes and account numbers and just use names instead. I used to have a CompuServe number (100017,3342 if memory serves) but now I have a Facebook id, a Twitter id and a LinkedIn id. Why can’t I have a Money id? As I said at the Payment Innovation conference a couple of years ago…

This all links to the discussions about the idea of a financial service passport (or a “payname”) at techUK last year. I really think that the idea of pseudonymous, strongly-authenticated CDD-inside identities is an idea whose time has come. 

Payment system regulation as barrier to payment system innovation

In this concept, we just want a simple, portable, pointer to a person that can be used to index into their KYC (“know your customer”) persona. The easiest way to do this would be to assign a unique financial services identifier to a person or other legal entity the first time that they go through a KYC process. This would be a money identifier (£ID) that could be a target for payments.

I might have the identifier “citizendave!barclays.co.uk”, for example. Once someone has one of these IDs, then there would be no need to drag them through KYC again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your ID and watching the application form magically populate by itself on screen.

Now, each of these £IDs would be associated with a payment account (a bank account, a prepaid account, an electronic money account or whatever else) that is “reachable” in EU banking parlance. That is, a Payment Initiation Service Provider (PISP) can, from the £ID, work out which account is linked to it and make a credit transfer to that account. Then someone could send you money by giving your £ID: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the ID into the ATM, or their internet banking screen, or (most likely) their mobile app.

Even better, of course, would be to make the £ID point to an iCAN rather than a bank account number. That way, we obtain the benefits of both approaches. It doesn’t matter if a person has many of these £IDs, because each £ID will have been obtained as the result of a KYC process. If the Directory ends up with two “Dave Birch” entries, so what? It’s not an ID card scheme, it’s a “save money for the financial services sector and make life easier for consumers” scheme. And it wouldn’t matter either if both of my £IDs point to different bank accounts: I might, for example, have a personal persona and a small business persona—let’s say citizendave!barclays.co.uk and citizendave!rbs.co.uk that point to my personal and my small business accounts—and I want to use them for different purposes. No problem.

Picture this new world of fintech and regtech in harmony. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the £ID (obtained from your bank) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is presented for you to sign and, once you have, you are given the option of pointing your iCAN associated with the ID to the new account. No fuss, no effort, done. And if your employer sends your salary to your ID one second later, it will correctly route into the new account.

Thus, I can make Andrea’s dream come true and in a cost effective manner. Stage 1: create the “70” virtual account number directory and make sure that credit transfers to iCANs work properly. Stage 2: mandate that all banks give account holders the means to obtain an iCAN for each of their accounts. Stage 3: introduce financial services identifiers and allow holders of identifiers to map a default iCAN to that identifier.

Together with my colleagues at Consult Hyperion, I stand ready to answer the nation’s call. If they really want portable account numbers, we know what to do.

PSD2 SCA: Overloading Banks?

A few months ago I had the pleasure of sharing a platform with Chris Skinner where we both gave the same message in rather different ways: many current core banking systems will struggle to meet the demands of the 21st century. Chris blogged about that session, APIs is all about trains, ships and standards.

The underlying point we were making will be brought sharply into focus by the latest PSD2 SCA requirements. These impose service levels on banks for information access and imply further processing load through fraud level requirements on remote payments. These fraud levels must be hit in order for banks to use frictionless risk based transaction analysis instead of intrusive two factor secure customer authentication.

PSD2 lays out two forms of remote payer initiated payment – card based payment and credit transfers. These have different authentication exemption fraud levels, with the transaction value permitted under the exemption rising as fraud levels reduce. And this has implications for existing bank systems.

Card transactions use existing systems: many of those weren’t originally designed for the online world, but are protected from the full horror of real-time access by buffering and caching systems. Overwhelm those intermediate systems with too many requests and you can push them into fallback mode, with limited access to real account data and into less than full authorisation processes. Which may be problematic, as we shall see.

The new PSD2 credit transfer systems will be built around modern web technology so should be able to handle the peaks and troughs of an on-demand world. But they still face the ultimate limitation of having to access the underlying account data in real time. Under PSD2 any appropriately authorised intermediary is allowed to access a consumer’s account in order to get real-time information up to four times a day. That’s before we take into consideration customers requesting additional access to account information or the use of the other PSD2 APIs. Or SEPA instant payments, on the way later this year.

The risk is that core payments systems overloaded by peak transaction volumes may end up doing limited authorisation processing on live data, opening up potential security flaws. In fact, if payments are hitting bank systems from both the card and credit transfer side at the same time then fraud and risk systems may need to be reconfigured. And remember that at the heart of the new requirements is an exemption from two factor authentication if and only if some very difficult fraud rates are achieved.

The definition of fraud rate in the RTS is worth examining in this context (Article 16 4(d)):

The overall fraud rate for each type of payment instrument should be calculated as the total value of unauthorised or fraudulent remote transactions, whether the funds have been recovered or not, divided by the total value of all remote transactions for the same type of payment instrument …

So a PSD2 fraud rate is not calculated based on the value of fraudulent transactions. Instead it’s calculated on the basis of the value of unauthorised transactions. But what, exactly, is an “unauthorised” transaction? Comment [1] on respondent feedback defines “authorisation”:

Authorisation refers to a procedure that checks whether or not a customer or PSP has the right to perform a certain action, e.g. to transfer funds or have access to sensitive data

If a bank lets the payment go through without performing full authorisation – as they may do if systems are struggling to cope with demand – then presumably this counts in the fraud statistics, even if the customer doesn’t request a chargeback? Well, it’s not clear but the targeted “fraud rates” to achieve exemption levels are pretty stiff anyway. The fraud rates for e-commerce fraud in the UK in 2015 were running at 0.124%, but that’s for fraud, not including unauthorised transactions. The minimum exemption level for PSD2 remote card payments – €100 – starts at 0.13%.

It should be pointed out that there’s lots of wriggle room for the authorities. The definition of a “remote electronic payment transaction” isn’t nailed down (which seems like a fundamental problem, frankly), and it’s unclear how exemptions work with each other. Remote transactions under €30 are exempt from strong customer authentication but presumably low value fraud counts towards the overall fraud rates. Or maybe not.

However, if we assume consumer behaviour remains constant and they prefer providers that allow frictionless authorisation then any bank that doesn’t hit the fraud rate exemption figures is going to lose business. With a little over 18 months before the RTS comes into force, making sure payments systems can meet these requirements should be a priority for most banks.

We’ll be discussing this further at our Tomorrow’s Transactions Annual Forum. Or follow us here on Tomorrow’s Transactions and get yourself added to our mailing list.

Why can’t digital identity be easy, like payments?

 

I have often seen payments (especially the card networks) used as an analogy for digital identity. In fact, I brought up the analogy myself at the fun OIX meeting in Amsterdam last Thursday. Certainly when you look at something like GOV.UK Verify there are some striking comparisons:

  • A central scheme with a brand, rule book, governance body and switching infrastructure (i.e. Verify itself),
  • Issuers (i.e. the private sector identity providers), and
  • Merchant acquirers (well merchants anyway, in the form of government relying parties).

We have to keep reminding ourselves that these card networks did not appear overnight. What we have today is a result of 60 or more years of evolution. Admittedly the pace of change has increased significantly but we need to recognise it often takes time to build scale and gain adoption. There are special cases of course. PayPal, for example, grew out of a significant pain point within eBay – which gave it immediate scale.

There is however one key difference between payments and identity. You cannot sell stuff online without a means to receive payment and normally that means integrating with a payments scheme that works for your customers. You can however sell stuff without leveraging an external identity scheme – you just give the user an ID and password specific to the service. This is however bad news for users – resulting in the fragmented personal data and password mess we find ourselves in today. There needs to be an incentive for merchants to do something different to this. Perhaps merchants need a big stick? Like GDPR for example. Merchants are going to have to be a lot more careful with personally identifiable information in the future. One thing they could do is use an identity provider to hold that data and in the process reduce their risk.

Individuals also need to realise that their personal data is valuable, just like their money. That is going to require some education because so far they’ve been taught to share data without considering the consequences.

In the UK, arguably the most significant digital identity initiative over the past 5 years has been the GOV.UK Verify programme. They are at the stage where they need to grow. The scheme is up and running and so they are now busily signing up citizens and services. It is a critical point in its development. We are very pleased that David Rennie who leads industry engagement on the programme will be taking time out of his busy schedule to join us at Tomorrow’s Transactions. Come along and find out how it is going.

You can also get added to our mailing list here.

PSD2 SCA: Risk and Reward?

Everyone is still picking over the new PSD2 RTS on strong customer authentication (SCA) from the EBA but the major talking point is around the introduction of an exemption on risk based transaction analysis. One of the major criticisms of the previous RTS was that it would force up to 70% of online transactions through SCA, introduce friction into the payment process and impact overall economic activity.

The new exemption allows banks to avoid the full friction-filled horror of two factor authentication on payments if they can keep fraud levels below certain designated limits. Note, however, that there’s no equivalent exemption for any of the non-payment use cases, and it’s not clear how edge cases such as e-mandates for direct debits will be treated.

The definition of “fraud” is interesting as well – it’s the total value of unauthorised or fraudulent transactions divided by the total value of all remote transactions over that channel. So potentially you could have a lot of small, fraudulent transactions and still meet the exemption: and the exemption for low value payments has been lifted from €10 to €30, and transit transactions are completely exempt.

The fraud limits are different for card-based payments and credit transfer (or PSD2 push payments, if you’d prefer) and are tiered by transaction value – so the lower the fraud rate the higher the transaction value permitted using risk based transaction analysis. The catch is that if these fraud rates are exceeded for two consecutive quarters then the PSP concerned loses the right to the exemption and needs to fall back to full two factor SCA.
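The value-weighted fraud rate and the two-consecutive-quarter rule described above, worked through as an added example (not code from the RTS or from this blog). The 0.13% figure is the €100 remote card tier quoted elsewhere on this page; the transactions are constructed, and treating the exemption as simply lost at the second breached quarter is a simplifying assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Reference fraud rate this page quotes for the EUR 100 remote card tier (0.13%).
CARD_TIER_100_MAX_RATE = Decimal("0.0013")


@dataclass(frozen=True)
class Txn:
    quarter: str                 # e.g. "2017Q1"
    value_eur: Decimal
    unauthorised_or_fraud: bool  # counted whether or not the funds were recovered


def fraud_rate_by_value(txns):
    """RTS-style rate: value of unauthorised/fraudulent txns over value of all txns."""
    txns = list(txns)
    total = sum((t.value_eur for t in txns), Decimal(0))
    if total == 0:
        return Decimal(0)
    bad = sum((t.value_eur for t in txns if t.unauthorised_or_fraud), Decimal(0))
    return bad / total


def fraud_rate_by_count(txns):
    """Share of transactions that were bad; NOT what the RTS measures, shown for contrast."""
    txns = list(txns)
    if not txns:
        return Decimal(0)
    return Decimal(sum(t.unauthorised_or_fraud for t in txns)) / Decimal(len(txns))


def quarterly_rates(txns):
    """Value-weighted fraud rate per quarter, in chronological order."""
    buckets = defaultdict(list)
    for t in txns:
        buckets[t.quarter].append(t)
    return {q: fraud_rate_by_value(buckets[q]) for q in sorted(buckets)}


def exemption_lost_in(rates_by_quarter, threshold):
    """Quarter in which the rate has exceeded the threshold twice running, else None.

    Assumes every quarter is present, so adjacent keys are consecutive quarters.
    """
    streak = 0
    for quarter in sorted(rates_by_quarter):
        streak = streak + 1 if rates_by_quarter[quarter] > threshold else 0
        if streak == 2:
            return quarter
    return None


def _quarter(q, n_good, good_eur, n_bad, bad_eur):
    """Build constructed sample data: n_good genuine and n_bad fraudulent payments."""
    good = [Txn(q, Decimal(good_eur), False)] * n_good
    bad = [Txn(q, Decimal(bad_eur), True)] * n_bad
    return good + bad


# Constructed data. Q1: fifty EUR 2 frauds; Q2 and Q3: two EUR 90 frauds each.
SAMPLE = (
    _quarter("2017Q1", 1000, "80", 50, "2")
    + _quarter("2017Q2", 1000, "80", 2, "90")
    + _quarter("2017Q3", 1000, "80", 2, "90")
    + _quarter("2017Q4", 1000, "80", 0, "0")
)

if __name__ == "__main__":
    by_quarter = defaultdict(list)
    for t in SAMPLE:
        by_quarter[t.quarter].append(t)
    for q in sorted(by_quarter):
        v = fraud_rate_by_value(by_quarter[q]) * 100
        c = fraud_rate_by_count(by_quarter[q]) * 100
        print(f"{q}: by value {v:.3f}%  by count {c:.3f}%")
    print("exemption lost in:",
          exemption_lost_in(quarterly_rates(SAMPLE), CARD_TIER_100_MAX_RATE))
```

In the constructed Q1, nearly 5% of transactions are fraudulent yet the value-weighted rate stays under 0.13%, while two larger frauds per quarter in Q2 and Q3 are enough to breach it twice running.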

Now that, of course, would be a disaster for the institution concerned – if you’re the only bank that has to make your customers apply SCA for online transactions then you’ll rapidly see them migrating to other banks. So the penalty for losing this exemption is likely to be severe.

The EBA has helpfully supplied a minimum list of things that PSPs have to do in order to meet the requirements for risk based transaction analysis (I quote from the RTS):

  • no abnormal spending or behavioural pattern of the payer has been identified;
  • no unusual information about the payer’s device/software access has been identified;
  • no malware infection in any session of the authentication procedure has been identified;
  • no known fraud scenario in the provision of payment services has been identified;
  • the location of the payer is not abnormal;
  • the location of the payee is not identified as high risk.

No doubt risk teams are currently looking at their current solutions and trying to figure out whether they’re compliant or not. Which we’re quite pleased about, as this type of analysis is a core part of our business.

And all of this will need to be audited, which will be a nice new earnings stream for audit firms. Quite how the compliance regime for this will work will no doubt emerge over the next eighteen months or so.

There are lots of other interesting features in the new RTS. It’s clarified, for instance, that SCA can be performed by either the payer’s PSP or the payee’s PSP but not by the merchant. So presumably large on-line retailers will be gearing up to become PSPs themselves. Also PSD2 is now only mandatory for transactions that start and finish in the EEA.

Oh, and, apparently, card-on-file transactions are outside of the scope of PSD2. Which is interesting, if a bit head-scratching.

We’ll be analysing this further and updating over the next few weeks. So either follow us here on Tomorrow’s Transactions or get yourself added to our mailing list. Or come and join us to discuss PSD2 and other issues in the future of digital transactions at the annual Tomorrow’s Transactions London Conference.

Account-based ticketing workshops

We’ve been having a lot of fun in recent months leading workshops for transport operators about account-based ticketing, sharing our recent experience with clients such as the UK’s Transport for London (TfL) and Transport for the North (TfN), Hungary’s BKK, New Zealand’s NZTTL, Belgium’s De Lijn, Stockholm’s Storstockholms Lokaltrafik (SL) and Singapore’s LTA.

The workshops are designed to help transport operators who are new to account-based ticketing understand the issues and options, including how Open-Loop bank cards can be blended with existing smart ticketing. A typical agenda covers the following subjects:

Trends

  • Customer propositions should drive everything
  • Smart ticketing trends
  • Technology roadmap
  • Benefits of ABT and Open-Loop

Architecture

  • Basic architecture overview
  • Generic architecture
  • Open loop vs closed loop (the back office)
  • Providing for the unbanked

Open-Loop solutions

  • Open loop implementations in other countries
  • The 4-party model for payments
  • Transit Transaction Models (‘Models 1-3’)
  • Transit Charging Framework (generic, global)

Compliance

  • EMV
  • PCI DSS
  • Working with a QSA

Our latest workshop was sponsored by Mastercard and hosted by Swedbank in Riga, Latvia, and had an audience of 40 including:

  • Transport operators
  • Government bodies
  • Industry suppliers
  • Media

We are looking forward to leading more similar workshops in 2017 across Europe.

Riga view from workshop at 9am.
Riga workshop sponsored by Mastercard and hosted by Swedbank.
Discussing a ‘strawman’ solution for Riga’s needs.

Making money for the masses

The discussions around digital currency continue. I had an interesting sort-of-argument with someone about this recently, and I mentioned in passing the dynamics of the shift from specie to token money during the industrial revolution. I think it’s worth expanding on this here, as to my mind it informs the debates about central bank digital currency vs. private digital money, an important debate for our times. There’s lots more about this on the blog and there’s a podcast about it too if you are interested in learning more.

Forum friend George Selgin gave an excellent talk on this at [Consult Hyperion’s 2010 Forum], exploring the transition to industrial-age money.

[From The problem of change | Consult Hyperion]

The essence of George’s talk was that industrialising Britain saw unexpected changes in the way that money worked as it strove to re-invent money for its new economy. As the nature of that economy had changed, so the nature of money had needed to change too, but there is a lag and a tension between the needs of the economy and the money that the economy has inherited from an earlier age. At the time, it was not clear exactly what needed doing. People could see that there were problems, but not what to do about them.

Naturally I refer to this time because the Internet, mobile phones and online commerce are creating a vortex that is sucking in monetary innovation at an accelerating rate. My point is that we have been there before and can learn from those distant times. Consider the relationship between private and public provision of small change (coins, essentially) that has been brought back into focus by discussions about micropayments in an online world before. When that industrial revolution caused an explosion in population and commerce in Georgian England, the lack of small change shifted from being an annoyance to being a major national problem, holding back growth and development. Factories had no coins to pay their workers, workers had no coins to buy their essentials and the economy was suffering. Josset’s description from “Money in Britain” (1962) is lovely:

Rarely was any transaction made without an argument. No trader would sell goods without stipulating the weight of the coins in which he was to be paid. Quarrels over money values were continuous; market days and fairs were regularly scenes of brawls. Wages paid by employers to their workers were the cause of many Saturday night disputes regarding the value of their money. Such was the result of the apathy and ignorance of the government in so neglecting the currency.

Essentially, as I wrote before, it was Main Street vs. Wall Street as usual (there you go bringing class into it again):

What happened in that case was that there was money for the wealthy (bank notes and gold and silver coins) but there was no money for the masses. You couldn’t buy a loaf of bread or pint of beer with the banknote or a silver coin, so private industry stepped in to mint copper token money, and this money circulated particularly in industrial centres in order to (very successfully) facilitate wage payments and retail spending.

[From Up a gum tree | Consult Hyperion]

By the end of the eighteenth century, most of the coins in circulation in Britain were counterfeits. Gresham’s Law meant that there was widespread acceptance of counterfeits because there were no legal coins in circulation and that the good counterfeits served a useful economic purpose. A shopkeeper might have four copper trays in his till: pennies, ha’pennies, good counterfeits of same and “raps”, or counterfeits that could not easily be passed on.

The government did nothing about it. The people who did do something about it were technologists: those at the centre of the industrialisation storm, largely from Birmingham, which was the Georgian Silicon Valley. The nascent metal-bashing industry there, the emergence of organised production (Matthew Boulton’s factory) and the expanding skill base meant that the skills, techniques and supply chain for medals, buttons (and the machines to make them) could be readily adapted to coins. The industrialists used the latest technology of steam presses whereas the government did not. At the same time, the supply of copper (the world’s largest copper mine was in Anglesey in those days) meant that the right raw material was in the right place at the right time.

What was the result of this technological change? It was that coins changed from commodity money (ie, gold and silver to the face value) to token money (ie, base metals and alloys worth a fraction of the face value). And it was, crucially, the private sector that caused the shift, with the public happy to accept the token money that, presumably, no-one in the government would. (As an aside, George Selgin asks in his splendid book why the private mints put so much effort and invention into creating such good quality tokens and suggests that part of it was marketing: good-quality tokens were good publicity and an advert for the skills of the companies.)

These tokens gained rapid acceptance and by the end of the 18th century the problem of small change was almost solved with the official (or “Tower”) coins trading at a discount against the private alternatives. What happened then? Well, around two decades later, the official government mint adopted token currency and began issuing modern coins. This is, I think, a marker for our age and one of the reasons why I am so certain that, at some point in the future, the government will adopt a digital money that is in widespread use in the private sector (let us set aside exactly which technology for the time being) as a national digital currency and make the final shift of cash from atoms to bits.

The reason that I am so interested in this particular case study is that I think it has tremendous resonance in the current day. We are living through the post-industrial revolution but we are still using the money of a different age. Just as people in the early 17th century couldn’t have imagined the Bank of England, paper money and the Gold Standard that were just around the corner, so we can’t imagine the money of the near future.

Bank of England Charter sealing 1694

Somewhere out there, private enterprise (a student in a garage or a researcher in a regtech) is working on the money for the post-industrial age but we don’t yet know what it is. I’m pretty sure it’s not Bitcoin, and I’m pretty sure it will have something more to do with the communities that it serves than the fiat currencies of the nation-state do, but I don’t know what it is any more than anyone else does. However, it is interesting to speculate that the trajectory might replay. There will be competition to produce the money that the new economy needs and then when that competition means it’s no longer possible to make a living from the means of exchange because the transactions fees are driven down to zero, it will become some form of public good (even if the definition of public is more limited to “public within multiple overlapping communities”).

In which case, the world’s central banks might as well start providing digital money as a public good now! Seriously, how much would it cost to set up Bank of England PESA? They might even look at some form of shared ledger solution, where copies of the “national ledger” are maintained by regulated financial institutions (e.g., banks – whereby taking part in the consensus-forming process would be a condition of a banking licence) and the entries in those ledgers relate to transfers between pseudonymous accounts (i.e., your bank would know who you are but the central bank, other banks and auditors would not). I think this is just the sort of topic that we should explore at the twentieth annual Consult Hyperion “Tomorrow’s Transactions Forum” in London on the 26th and 27th April 2017, so you should probably block those days out in your diary right now…

MasterCard and VocaLink is a big deal

I’m sure by now you’ve all read about MasterCard’s acquisition of VocaLink. If not, you can listen to me talking to David Yates, the CEO of VocaLink, about it on the latest podcast in our Tomorrow’s Transactions series, either via iTunes or directly via our web site. It’s very interesting, in my opinion, to hear David’s rationale for the deal and his very positive view of the future that has VocaLink’s experience in instant payments married to MasterCard’s global presence. And for more on this deal, Karen Webster over at Pymnts spoke to MasterCard’s Chief Product Officer to look into the “why VocaLink and why now” behind the acquisition and wrote a nice piece about it.

With VocaLink’s Zapp proposition, Miebach explained, a consumer can go to a merchant’s checkout, use their mobile device to access their trusted bank’s mobile app, and see a variety of payment options including Zapp’s pay-by-bank offering.

From Mastercard Talks VocaLink Acquisition | PYMNTS.com

Personally, I think this initial analysis didn’t touch on a couple of issues that are relevant to understanding the deal. First of all, the reason why VocaLink was worth so much to MasterCard rather than anyone else (and thanks to the collapsing Pound was a bargain for them) is that Visa dominates the UK debit market and the push future for “instant payments” at retail presents a debit-like proposition to consumers. Zil Bareisis made this point over at the Celent blog.

Visa controls 97% of the debit card market in the UK. I would imagine that a Zapp-like solution would have more of an immediate impact on debit card transactions rather than credit card spend.

From The Future of Zapp and Other Musings on MasterCard and VocaLink

Secondly, if a push payment debit-like in-app and in-browser alternative to the traditional debit card which did not run through the card network but through the Faster Payment Service (FPS) is attractive enough for consumers to want to use then merchants will have to accept it and potentially pay more than they do for existing debit cards (which they will do, because the push product will have more attractive rules and rights) and that will give scope for MasterCard to offer rewards of one kind and another.

Somehow this takeover didn’t make the news headlines, but mark my words it was one of the most significant events in the evolution of the UK payments industry since Reg Varney got a tenner out of that first ATM in Enfield half a century ago. It’s a significant milestone on the road to #cardmaggedon, and it’s not only me who thinks this. Using mobile phones to make instant payments is going to impact the use of traditional plastic cards and plastic card products. Not just because the card will vanish into the phones but because the products themselves will be reinvented for the new age.

As ANZ rolls out Android Pay to its customers, the Australian bank’s chief executive Shayne Elliott has predicted that mobile payments could displace plastic cards in well under a decade.

From ANZ chief predicts mobile will kill off cards in less than a decade – BayPay Members Blogs

This is exactly what Anthony Jenkins said (when he was head of Barclaycard, before he was the CEO of Barclays) when he said, as memory serves, that mobile phones would get rid of cards long before they get rid of cash. But I think the change is more profound than he was thinking about back in the day.

The mobile phone isn’t just going to get rid of the 1940s embossing and 1950s card and the 1960s network and the 1970s magnetic stripe and the 1980s chip and the 1990s online card-not-present use and the 2000s 3D secure and keep only the 2010s network tokenisation in devices but it is going to get rid of the whole bundling of PAN-based payment with credit and fraud management and merchant guarantee. The push for push, as they say (or, at least, I say) is inexorable.

A manifesto for cashlessness in Europe

My good friend Geronimo Emili invited me along to a session at Money2020 in Copenhagen today to deliver a manifesto for cashlessness in Europe. He challenged me to come up with a five minute talk (which is very, very difficult for me) that would contain practical advice for European politicians setting their political and economic stalls before an uninformed public. So this is what I said…


Speaking at this year’s World Economic Forum in Davos, John Cryan (the co-CEO of Deutsche Bank AG), said that cash could become history “within a decade”, going on to note that it is terribly inefficient. Mr. Cryan also focused on the way in which cash supports the underground economy, saying that cash should be dematerialised and that governments should be interested in this process because it would make transactions more traceable and would help to combat crime. I agree. Hence it seems reasonable to ask, and were I to have been present in Davos I would certainly have asked, why it is that central banks keep pumping the stuff out? On Deutsche Bank’s home turf, for example, cash is already undermining the law-abiding majority. The Bundesbank estimate that only 10-15% of the cash in Germany is used to support the needs of commerce and this tallies with the Bank of England’s estimates of the cash used for what they call “transactional purposes”.

So in two of the world’s largest economies, at most a quarter of the cash out there is actually used as a medium of exchange. And this fraction is, as you might imagine, steadily falling as cash is replaced at POS and, increasingly, in inter-personal transactions.

If we look around the world, we can see that some countries are on the verge of cashlessness, others are a long way from it. In Europe, we should make it a goal! We must aim to be effectively cashless in the timescale he discusses. By cashless, incidentally, I do not mean that every single banknote and every single coin has been ritually cursed and then hurled into Mount Doom. By cashlessness, I mean that cash has ceased to be relevant to monetary policy, become irrelevant to most individuals and vanished from most businesses.

As we look to the future, we can begin to ask, quite reasonably, whether developments in digital payment technology and changes in payments and banking regulation will bring us to the point of this kind of cashlessness within, say, a generation (as Mr. Cryan and I expect)? The answer is probably yes, but that doesn’t mean we can’t take action to make sure! Assuming there still is a European Union in a decade then there will still be Euro banknotes and there will still be Euro coins. But they won’t matter for business or for the economy. Without policy changes, however, this will leave us with a cashlessness that is too conservative to reap the benefits of a truly cashless economy, too disorganised to rein in the criminal exploitation of cash and too wedded to the symbolism of physical money to switch it off (just as we switched off analogue TV not that long ago).

That “rump cash” (and I exclude various categories of post-functional cash from this definition) should be actively managed out of existence.

Europe needs politicians to take this seriously and put forward concrete and reasonable plans to achieve effective cashlessness. This is hardly a new thought! Returning to Davos, two decades ago at the 1997 World Economic Forum there was a discussion about electronic cash that attempted to cover all of the relevant topics and I think it provides a useful starting point. I’ve updated that list of issues and brought them together in a structure that I think rather helpfully identifies four key policy areas for European governments to focus on.

[Figure: Electronic Money Issues]

Identifying practical actions to take in each of these policy areas gives us a “manifesto for cashlessness” that policy makers can add to their agendas across the continent. There are immediate and significant benefits to countries, companies and citizens.

Money supply

Governments are responsible for managing the money supply, but they presumably want the system to deliver an efficient money supply for the modern age. But right now, European money is really, really inefficient. Jack Dorsey of Twitter and Square fame once tweeted that “In general, the shift toward a cashless society appears to improve economic welfare.” He is, of course, correct and we must “nudge” consumers toward this future.

The European Central Bank has published a detailed analysis of the costs of retail payments instruments (Occasional Paper no. 137, September 2012) with the participation of 13 national central banks in the European System of Central Banks (ESCB). It showed that the costs to society of providing retail payments are substantial, amounting to almost 1% of GDP for the sample of participating EU countries. Half of the social costs are incurred by banks and infrastructures, while the other half of all costs are incurred by retailers.

My friend Professor Leo van Hove, Europe’s foremost expert on such matters, has long held that cross-subsidising cash is not a welfare-maximising strategy. The social costs of cash payments represent nearly half of the total social costs and as the proportion of retail payments made in cash falls, so in some countries cash already does not have the lower cost per transaction. These social costs of payments systems have only recently been studied to any degree of accuracy by, for example, the Dutch and Belgian central banks (who found the social cost to be .65% and .74% of GDP respectively). In both of these countries, which have well-developed debit infrastructures, cash accounts for three quarters of the total social cost. (In other words, each family in the Netherlands pays about 300 Euros per annum to use cash.)

Dr Laura Rinaldi from the Centre for Economic Studies at Leuven University carried out some research which confirmed that customers see cash as being “almost free” despite the costs. She concluded that proper cost-based pricing would shift debit cards from being 4% of retail transactions in Europe to a quarter, a change that would add 19 basis points to the European economy.

Manifesto Commitment 1: we will halve the total social cost of the payment system in the next decade, starting by allowing retailers to surcharge for all forms of payment including cash, except for “card present / cardholder present” debit.

Criminal activity

The high-value notes that account for more than half the outstanding currency in many OECD nations are mainly held for stashing, hoarding and exporting. The non-utility of these notes was highlighted in a 2011 ECB survey among households and companies that estimated that only around one-third of the €500 notes in circulation were used for transaction purposes and that the remainder were hoarded as store-of-value in the euro area or held abroad. Recent figures from the Bank of England show a similar pattern, with about a quarter of the cash in circulation used for transactions. High-value notes no longer support trade and industry. Dr. Rinaldi’s research mentioned above further concluded that shifting the European economy away from cash would grow it an additional nine basis points because moving to electronic money would shrink the cash-based “shadow economy”.

The European Commission has already said that it wants to investigate the connection between cash (specifically €500 notes) and terrorism. Cash, however, is desirable for all sorts of criminal purposes, not merely terrorism. Now, clearly, removing cash won’t end crime. The reason to make electronic money a firm policy goal is to raise the cost of criminal activity. Whether that crime is drug dealing or money laundering, bribing politicians or evading tax, cash makes it easy and cost-effective.

Manifesto Commitment 2: We will remove €100, €200 and €500 notes from circulation within five years and €50 (and £50) notes from circulation in a decade.

Social policy

UK research indicates that families who use cash are hundreds of pounds per annum worse off than families who don’t. The reasons are multiple: the cost of cash acquisition, the inability to pay utilities through direct debit, exclusion from online deals and a variety of losses. There’s something unfair about this. People who choose to exist in a cash economy to avoid taxes (e.g., gangsters) are cross-subsidised by the rest of us. People who have no choice but to exist in a cash economy are not cross-subsidised at all.

Those Europeans trapped in the cash economy are the ones who are most vulnerable to theft and extortion, most likely to lose their hard-earned notes and coins or have them destroyed by monetary policies, paying the highest transaction costs, lacking credit ratings or references and (in an example I once heard from Elizabeth Berthe of Grameen at the Consult Hyperion Forum back in 2011) most likely to have their life savings eaten by rats. So what should be done?

Well, the answer is clear. Make electronic payment accounts, capable of supporting account-to-account push payments, available to every European citizen at no cost. Notice that I do not say “bank accounts”. Bank accounts are an expensive route to inclusion. Now, financial exclusion is often associated with an inability to provide a proof of identity or address (e.g. immigrants, homeless people), unemployment or financial distress in general and low educational attainment. Electronic money itself does not attack any of these issues, hence we must have relaxed KYC for low-maximum balance accounts.

Manifesto Commitment 3: We will regulate for an on-demand electronic payment account capable of holding a maximum of €1,000 without further KYC other than unique recognition (e.g., a mobile phone number).

Control and regulation

With electronic payment accounts available to all and no necessity for cash in day-to-day transactions, we must be sensitive to privacy of transactions. Regulatory authorities ought to be able to monitor economic activity and the advantages of knowing in near real time what is happening in the real economy ought to be substantial for national economic management. However, there is a world of difference between the Minister of Finance knowing that people spent €1,548,399 in restaurants yesterday and knowing that I spent $8.47 on a burrito in Chipotle.

Most of the concerns that reasonable people have about moving away from cash are to do with privacy and security. Since we will have to have security in order to have privacy, we should set our goals around privacy as the central narrative to address these concerns. We have all of the technology that we need to deliver payment systems with the appropriate degree of pseudonymity for a democratic and accountable society.

Manifesto Commitment 4: We will create a privacy-enhancing infrastructure for transactions and for the sharing of transaction data, beginning with a law preventing payment cards from displaying the cardholder name either physically or electronically.

I hope that you will all agree that these deliver a sensible and practical set of steps to improve the lives of European citizens and I look forward to your comments!

EMV in the USA, Part 97: Recalcitrant retailers

American retailers have been lobbying the great and good to implement PIN for card transactions. We have chip and PIN, so we think this is nothing new. But note this is not what they are asking for. When it comes to chip and PIN, they are not that bothered about chip (after all, all transactions are online).

PIN is the most secure authentication technology currently available, and retailers should have the option to require PIN on credit and debit card transactions—the same protection provided at ATMs.

From Convenience Retail Industry’s Message to Capitol Hill | NACS Online – Media – News Archive

So, given a choice between chip and PIN, they choose PIN. And a lot of them already have PIN pads because of PIN debit. So: merchants want PIN, and they have PIN pads, so no problem and everyone’s happy. Well… not quite. Many of the American card issuers have decided to issue chip and signature cards. From the retailers’ perspective, this looks like the worst of both worlds. They have to buy a chip card reader but they still don’t get PINs. And, so far as the retailers are concerned, it is because banks want to maximise revenue.

A 2012 Food Marketing Institute report mapped out the revenue losses for signature-based transactions versus PIN-based transactions and found significant differences in profit. Per $1,000 in transactions, banks receive $14.20 in revenue from signatures, versus $6.70 from PINs—a difference of $7.50.

From Chipping Away At Credit Card Fraud – Forbes

The upshot of all of this is that as of today the US banks are (bizarrely, to foreign viewers) issuing chip and signature cards, US customers are continuing to swipe (they don’t care about the liability shift) and US retailers are getting annoyed. Apart from anything else, their costs for chargebacks and for managing chargebacks are climbing.

Chargebacks for card-present transactions increased 50% following the Oct. 1 EMV liability shift,

From EMV Chargebacks Proving To Be a Card-Present Merchant Problem

You understand why this is, I assume. It’s because before 1st October, if you spotted a $3.95 charge at Starbucks on your statement and you knew that you couldn’t possibly have made that transaction, then you would call up your issuer and complain and they would just eat the charge because it would have been more trouble than it’s worth to go back to Starbucks, pull the receipt, check the signature if there was one etc etc. However, after 1st October, if you spot a bogus $3.95 charge on your account and call up, the issuer will check the transaction codes and, if you had a chip card but it was swiped by a merchant who didn’t have (or didn’t use) a chip reader, then the $3.95 is charged back to the merchant. The net result is — entirely as expected and as it should be — that merchants see big increases in card-present chargebacks as previously hidden magnetic stripe fraud is revealed and transferred to them.


A US colleague’s new credit cards. Not one is chip and PIN.

The retailers think, therefore, that chip and PIN has turned out to be a bit of a scam for transferring liability away from banks and on to them. A group of retailers have, in fact, just filed a lawsuit along these lines:

The 47-page complaint, filed Tuesday in U.S. District Court for the Northern District of California, comes just over five months after the liability shift took effect Oct. 1… The merchants, which are not yet ready for EMV, seek treble damages for what they claim are chargebacks and chargeback fees that have totalled more than $10,000 stemming from 88 chargebacks from Oct. 1 through Feb. 15. In the same period a year earlier, the merchants incurred only four chargebacks, the complaint says. The entire class of such merchants total hundreds of thousands of members that have incurred “billions of dollars” in chargebacks and fees since the shift took effect, according to the suit.

From Retail Duo Hits Networks, Banks, And EMVCo With Chargeback Suit, Seeks Class Status

This might indicate that US merchants have completely missed the lessons from the EMV migrations that have occurred in every other region in the world over the last decade, but more than that the muddle suggests to me that the card networks’ hold over the retail point-of-sale may not be as firm as it seems. If you look at what’s going on with ApplePay and ChasePay, WalmartPay and wallets, it’s clear that not only are there competitors closing in on them, but that there are stakeholders who are heavily motivated to find customer-friendly alternatives. Bitcoin isn’t one, but there are plenty of other candidates, especially in Europe where the regulation is about to change, to favour push payments and in-app payments (because they will have API access to payment accounts).

It’s clear that the pressure is building on what previously seemed to be the unshakeable redoubt of the four party payment model. If the networks’ grip on the retail point-of-sale is loosening then there really is a payments revolution underway. Right now the increase in EMV chargebacks is simply revealing fraud costs that were previously hidden. As EMV does what it says it does and blocks face to face fraud then the fraudsters will move elsewhere: and that’s when we will see whether the nascent competition to card networks have properly thought through their own risk models!

