Payment card issuance errors leave you vulnerable to fraud

Major payment cards

As Consult Hyperion, and many other analysts, predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point-of-sale terminal.

No Delay to SCA

Since the FCA announced a further 6-month delay in the UK’s deadline for Strong Customer Authentication, there’s been a general expectation that the EBA would follow suit and relax the date for the EEA. However, it now appears that won’t happen – the 31st December 2020 remains the key date and there won’t be any further relaxation in the rules.

This hasn’t been officially announced but appears to have been the gist of a letter by the European Commission’s Executive Vice President Valdis Dombrovskis, which makes clear that there’s no consideration in place for a delay and that, in the Commission’s view, the Coronavirus pandemic and the subsequent rise in e-commerce make it more urgent to implement rather than less. It looks like the Commission is not for turning, and with only a little over six months left to be prepared, any merchant or payment service provider that hasn’t been planning for this is likely to be in full panic mode.

At one level it’s hard to disagree with the Commission’s position – the deadline has been shifted already from last September in order to accommodate the industry’s inability to implement in time. Although, in fairness, it ought to be noted that the original requirements require a degree in semiotics to fully understand and clarifications have been fitful and, on occasion, too late. However, there’s a degree of real-world pragmatism missing from the decision – the last thing the European economy needs right now is an e-commerce cliff edge right in the middle of the busiest shopping period of the year.

The divergence between the UK and Europe also starts to raise some interesting questions. PSD2 applies to countries within the EEA and not to transactions starting or finishing outside – and as of January 1st 2021 the UK will be fully outside. PSD2 will apply within the EEA ex-UK and within the UK ex-Europe but, barring some kind of passporting agreement, not between them. One option for desperate European e-tailers may be to shift operations to the UK where the SCA deadline is a further 9 months away. Of course, the same applies in reverse: logically there ought to be a compromise, but those seem thin on the ground.

Overall, then, the message to all organisations involved in electronic payments is to assume that SCA will be enforced from January 1st next year and any firm that can’t support it should expect to see transactions declined. Merchants and PSPs may choose not to handle SCA, or may not be able to, but issuers will be ready and won’t want to be upsetting the regulators. For any companies out there that don’t know what to do: come and talk to us, we can help guide you through the process – first by helping ensure you’re compliant and then by addressing the additional friction that SCA will introduce.

It isn’t too late to do something about SCA but it does very much look like we are at the eleventh hour.

Consult Hyperion’s Live 5 for 2020

At Consult Hyperion we take a certain amount of enjoyment looking back over some of our most interesting projects around the world over the previous year or so, wrapping up thoughts on what we’re hearing in the market and spending some time thinking about the future. Each year we consolidate the themes and bring together our Live Five.

2020 is upon us and so it’s time for some more future gazing! Now, as in previous years, how can you pay any attention to our prognostications without first reviewing our previous attempts? In 2017 we highlighted regtech and PSD2, 2018 was open banking and conversational commerce, and for 2019 it was secure customer authentication and digital wallets, so we’re a pretty good weathervane for the secure transactions world! Now, let’s turn to what we see for this coming year.

Hello 2020

Our Live Five has once again been put together with particular regard to the views of our clients. They are telling us that over the next 12 months retailers, banks, regulators and their suppliers will focus on privacy as a proposition, customer intimacy driven by hyper-personalisation and personalized payment options, underpinned by a focus on cyber-resilience. In the background, they want to do what they can to reduce their impact on the global environment. For our transit clients, there will be a particular focus on bringing these threads together to reduce congestion through flexible fare collection.

So here we go…

1. This year will see privacy as a consumer proposition. This is an easy prediction to make, because serious players are going to push it. We already see this happening with “Sign in with Apple” and more services in this mould are sure to follow. Until quite recently privacy was a hygiene factor that belonged in the “back office”. But with increasing industry and consumer concerns about privacy, regulatory drivers such as GDPR and the potential for a backlash against services that are seen to abuse personal data, privacy will be an integral part of new services. As part of this we expect to see organisations that collect large amounts of personal data looking at ways to monetise this trend by shifting to attribute exchange and anonymised data analytics. Banks are an obvious candidate for this type of innovation, but not the only one – one of our biggest privacy projects is for a mass transit operator, concerned by the amount of additional personal information they are able to collect on travellers as they migrate towards the acceptance of contactless payment cards at the faregate.

2. Underpinning all of this is the urgent need to address cyber-resilience. Not a week goes by without news of some breach or failure by a major organisation putting consumer data and transactions at risk. With the advent of data protection regulations such as GDPR, these issues are major threats to the stability and profitability of companies in all sectors. The first step to addressing this is to identify the threats and vulnerabilities in existing systems before deciding how and where to invest in countermeasures.

Our Structured Risk Analysis (SRA) process is designed to help our customers through this process to ensure that they are prepared for the potential issues that could undermine their businesses.

3. Privacy and Open Data, if correctly implemented and trusted by the consumer, will facilitate the hyper-personalisation of services, which in turn will drive customer intimacy. Many of us are familiar with Google telling us how long it will take us to get home, or to the gym, as we leave the office. Fewer of us will have experienced the pleasure of being pushed new financing options by the first round of Open Banking Fintechs, aimed at helping entrepreneurs to better manage their start-up’s finances.

We have already demonstrated to our clients that it is possible to use new technology in interesting ways to deliver hyper-personalisation in a privacy-enhancing way. Many of these depend on the standardization of Premium Open Banking APIs, i.e. APIs that extend the data shared by banks beyond that required by the regulators, into areas that can generate additional revenue for the bank. We expect to see the emergence of new lending and insurance services, linked to your current financial circumstances, at the point of service, similar to those provided by Klarna.

4. One particular area where personalisation will have immediate impact is giving consumers personalised payment options with new technologies being deployed, such as EMV’s Secure Remote Commerce (SRC) and W3C’s payment request API. Today, most payment solutions are based around payment cards but increasingly we will see direct to account (D2A) payment options such as the PSD2 payment APIs. Cards themselves will increasingly disappear to be replaced by tokenized equivalents which can be deployed with enhanced security to a wide range of form factors – watches, smartphones, IoT devices, etc. The availability of D2A and tokenized solutions will vastly expand the range of payment options available to consumers who will be able to choose the option most suitable for them in specific circumstances. Increasingly we expect to see the awkwardness and friction of the end of purchase payment disappear, as consumers select the payment methods that offer them the maximum convenience for the maximum reward. Real-time, cross-border settlement will power the ability to make many of our commerce transactions completely transparent. Many merchants are confused by the plethora of new payment services and are uncertain about which will bring them more customers and therefore which they should support. Traditionally they have turned to the processors for such advice, but mergers in this field are not necessarily leading to clear direction.

We know how to strategise, design and implement the new payment options to deliver value to all of the stakeholders and our track record in helping global clients to deliver population-scale solutions is a testament to our expertise and experience in this field.

5. In the transit sector, we can see how all of the issues come together. New pay-as-you-go systems based upon cards continue to roll out around the world. The leading edge of Automated Fare Collection (AFC) is however advancing. How a traveller chooses to identify himself, and how he chooses to pay are, in principle, different decisions and we expect to see more flexibility. Reducing congestion and improving air quality are of concern globally; best addressed by providing door-to-door journeys without reliance on private internal combustion engines. This will only prove popular when ultra-convenient. That means that payment for a whole journey (or collection of journeys) involving, say, bike/ride share, tram and train, must be frictionless and support the young, old and in-between alike.

Moving people on to public transport by making it simple and convenient to pay is how we will help people to take practical steps towards sustainability.

So, there we go. Privacy-enhanced resilient infrastructure will deliver hyper-personalisation and give customers more safe payment choices. AFC will use this infrastructure to both deliver value and help the environment to the great benefit of all of us. It’s an exciting year ahead in our field!



Consult Hyperion’s Live 5 for 2019

It’s that time of year again. I’ve had a chat with my colleagues at Consult Hyperion, gone back over my notes from the year’s events, taken a look at our most interesting projects around the world and brought together our “live five” for 2019. Now, as in previous years, I don’t expect you to pay any attention to our prognostications without first reviewing our previous attempts, otherwise you won’t have any basis for taking us seriously! So, let’s begin by looking back over the past year and then we’ll take a shot at the future.

Goodbye 2018

As we start to wind down 2018, let’s see how we did…

  1. Open Banking. Well, it was hardly a tough call and we were bang on with this one. We’ve been working on open banking projects in the UK, on the continent and beyond. What seems to be an obviously European issue is of course a global one and we’ve been helping the global payment brands understand the opportunities. Helping existing market participants and new market entrants to develop and implement responses to open banking has turned out to be intellectually challenging and complex, and we continue to build our expertise in the field. Planning for the unintended consequences of open banking and the potentially un-level playing field that’s been created by the asymmetry of data, was not the obvious angle of opportunity for traditional tier one banks.

  2. Conversational Transactions. Yes, we were spot on with this one and not only in financial services. Many organisations are shifting to messaging channels for customer support and for transactions, in both the banking and retail sectors. The opportunity for this continues with the advancements of new messaging enablers, such as the GSMA backed RCS. But as new channels for support and service are introduced to the customer experience, so are new points of vulnerability.

  3. The Internet of Cars. This is evolving although the security concerns that we spoke about before continue to add friction to the development of new products and services in this area. Vulnerabilities to card payments or building entry systems are security threats, vulnerabilities to connected or autonomous vehicles are potentially public safety threats.

  4. Artificial Intelligence. Again, this was an easy prediction because many of our clients were already active. Where we did add to thinking this past year, it was about the interactive landscape of the future (i.e. bots interacting with bots) and how the identity infrastructure needs to evolve to support this.

  5. Tokens/ICOs. Well, we were right to highlight the importance of “tokens” (the basis of Initial Coin Offerings, or ICOs) and our prediction that once the craziness is out of the way, then regulated token markets will become significant looks to be borne out by mainstream commentary. At Money2020 Asia in Singapore, I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

As we said, 2018 has seen disruption because the shift to open banking, starting in the UK, has meant the reshaping of financial services while at the same time the advance of AI into the transaction flow (transactions of all types, from buying a train ticket to selling corporate bonds) begins to reshape the way we do business.

Hello 2019

This year we are organising our “live five” in a slightly different way, listing them by priority to our clients rather than as a simple list. So here are the four key technologies that we think will be hot throughout the coming year together with the new technology that we are looking at out of the corner of our eyes, so to speak. The mainstream technologies are authentication, cross-sector digital identity, digital wallets for ticketing and secure IoT in the insurance sector. The one coming up on the outside is post-quantum cryptography.


So here we go…


  1. With our financial services customers we are moving from developing strategies about open banking to developing implementation plans and supporting the development of new systems and services. The most important technology at the customer interface from the secure transactions perspective is going to be the technology of Strong Customer Authentication (SCA). Understanding the rules around which transactions need SCA or not is complicated enough, and that’s before you even start working out which technologies have the right balance of security and convenience for the relevant customer journeys. Luckily, we know how to help on both counts!

     As it happens, better authentication technology is going to make life easier for clients in a number of ways, not only because of PSD2. We are already planning 3D Secure v2 (3DSv2) and Secure Remote Commerce (SRC) implementations for customers. Preventing “authentication friction” (using e.g. FIDO) is central to the new customer journeys.

  2. Forward thinking jurisdictions such as Canada and Australia have already started to deliver cross-sector digital identity (where in both cases we’ve been advising stakeholders). New technologies such as machine learning, shared ledgers and self-sovereign identity, if implemented correctly, will start to address the real issues and improvements in know your customer (KYC), anti-money laundering (AML), counter-terrorist financing (CTF) and the management of a politically-exposed person (PEP). The skewed cost-benefit around regtech and the friction that flawed digitised identity systems cause, mean that there is considerable pressure to shift the balance and in the coming year I think more organisations around the world will look at models adopted and take action.

  3. In our work on ticketing around the world, we see a renewed focus on the deployment of real digital wallets. Transit and other forms of ticketing (such as for sporting events) are the effective anchor tenants of the digital wallet, not payments. In the UK and in some other countries there has been little traction for the smartphone digital wallet because of the effectiveness of the deployment and use of contactless cards. If you look in your real wallets, most of what you find isn’t really about payments. In our markets, payments alone do not drive consumers to digital wallets, but take-up might be about to accelerate. It’s one thing to have xPay put cards into a digital wallet but putting your train tickets, your sports rights and your concert passes into a digital wallet makes all the difference to take-up and means serious traction. Our expertise in using the digital wallets for applications beyond payments will give our clients confidence in setting their strategies.

  4. In the insurance world we see the business cases building around the Internet of Things (IoT). The recent landmark decision of John Hancock, one of the oldest and largest North American life insurers, to stop selling traditional life insurance and instead sell only “interactive” policies that track fitness and health data through wearable devices and smartphones is a significant step both in terms of business model and security infrastructure. We think more organisations in the insurance sector will develop similar new services. Securing IoT systems becomes a priority. Fortunately, our very structured risk analysis for IoT and considerable experience in the practical assessment of countermeasures, deliver a cost-effective approach.

  5. In our core field of security, we think it’s time to start taking post-quantum cryptography (PQC) seriously not as a research topic but as a strategic imperative around the development and deployment of new transaction systems. As many of you will know, Consult Hyperion’s reputation has been founded on the mass-market deployments of new transactions systems and services and this means we understand the long-term planning of secure platforms. We’re proud to say that we have helped to develop the security infrastructure for services ranging from the Hong Kong smart identity card, to the Euroclear settlement system and from contactless payments to open loop ticketing in major cities. Systems going into service now may well find themselves overlapping with the first practical quantum computer systems that render certain kinds of cryptography worthless, so it’s time to add PQC to strategies for the mass market.

And there you have it! Consult Hyperion’s Live 5 for 2019. Brexit does not mean the end of SCA in the UK (since PSD2 has already been transcribed into UK law) and SCA means that secure digital identities can support transactions conducted from digital wallets, and those digital wallets will contain things other than payment instruments. They might also start to store transit tickets or your right to travel, health and fitness data for your insurance company. Oh, and all of that data will end up in the public sphere unless the organisations charged with protecting it start thinking about post-quantum cryptography or, as Adi Shamir (one of the inventors of public key cryptography) said five years ago, post-cryptography security.

Money2020 China

What an interesting experience the first Money2020 in China was. It was held in Hangzhou, the home of AliPay, and I was delighted to have been invited along to share some of our experiences in payments and to learn first hand about the Chinese approach to the sector.

Money2020 China gets underway

The event was well-staged and with simultaneous translation from Chinese it provided an opportunity to hear about the wide variety of fintech activities in China. It was, as you might imagine, very different from the Las Vegas event last month. There was no discussion of cryptocurrency because of the Chinese regulatory context and while I did see one presentation on the use of digital signatures in smart contracts, there was little discussion of blockchain and related technologies.

Ron Kalifa talking about value-added merchant services

I particularly enjoyed Worldpay vice-chairman Ron Kalifa’s fireside chat (in which he said that people were underestimating the impact of open banking) and presentation of their annual world payments report. To a payments nerd like me this was a great opportunity to look at key trends in payments on a country-by-country basis and try to work out which trends are relevant to our clients around the world as they formulate strategies for the always-on, mobile-centric, open-banking future. Key to these strategies is, of course, security and so I always pay attention to the big picture presentations around fraud. In China, these have scary numbers attached to them, but you have to take into account the size of the Chinese economy (I think the Chinese cybercrime losses are lower than in many other countries).

Real, and scary, fraud numbers

Given the widespread use of scores of one form or another to determine trustworthiness it is no coincidence that China sees a rise in frauds relating to the manipulation of these scores. Without commenting on the benefits or otherwise of such models (most Brits, myself included, can only think of Black Mirror when social scores are discussed) it is worth making the point that preventing “gaming” of these scores while preserving individual privacy means dealing with paradoxes that might well be resolved through the use of cryptographic techniques that have no conventional analogues and are therefore difficult for policymakers to bear in mind.

Reputation fraud in action

Most of what I found thought-provoking, both in the presentations and the water cooler discussions, was to do with business models rather than new technologies. The new business models emerging in a regulated, platform-centric, dynamic market are what we should be studying. We might choose to implement some of these models in a slightly different way taking into account the varying cultural norms around security and privacy, but the idea of separating payments from banking and then turning payments into platforms, and then using these platforms to acquire customers at scale for other businesses is certainly very interesting.

These new models, of course, centre on data and value-adding using that data. When people pay for everything with their mobile phone, they lay down a seam of data that is waiting to be mined. Despite this, the convenience of the mobile-centric platforms is so great that people are clearly willing to put privacy concerns to one side. I chaired a great session on privacy with CashShield, Symphony and eCreditPal which, I think, gave out a very comforting message: if you build services with privacy in the first place, then complying with GDPR and other global regulations is actually not that much of a problem.

 

One more thing that struck me about the context for these developments is that it seems to me that China is making its e-money regulation more like the EU’s. With an EU electronic money licence, the organisations holding the funds must keep them in Tier 1 capital and are not allowed to gamble the customer’s money, whereas in China there was no such restriction. Now the People’s Bank has said that from January 2019 the Chinese operators will have to hold a 100% reserve in non-interest bearing deposits at commercial banks, a decision that will likely cost the main players (Tencent and Alipay) a billion dollars or so in revenue.

It was interesting to spend a few days inside the mobile-centric, QR-everywhere, always-on, app and pay world of the future and pick up some useful lessons for our clients. A very interesting week.

Rearranging the banks

In his new book “Digital Human”, Chris Skinner sets out a straightforward vision of the bank of the future. He says (I paraphrase slightly) that the back office is about analytics, the middle office is about APIs and the front office is moving to smart apps on smart devices. I was thinking about this in an open banking context, and it gave me an idea for a useful way to help people think about the impending change in retail financial services in general and retail banking in particular. Let’s start from the traditional manufacturing/distribution model of retail banking that we are all familiar with and remember the broad economics of that model. On a global basis (these are the McKinsey version of the figures, but others are similar), it is distribution that takes the lion’s share of the profits and makes the better return on equity (ROE).

Dynamics of Open Banking

So now let’s rebuild that model for an open banking world using Chris’ back, middle and front office structure and think about the key technologies that will be transforming the businesses. I’ve invented the word “packaging” to describe the additional essential process that is needed to complete what we call the “Amazonisation” of banking, whereby products are manufactured as API services and distributed through the consumption of API services. This gives the three-part model that Chris describes a practical technological backbone to make it work.

Front, Middle and Back Office

What we don’t know, of course, is how this model will redistribute ROE. How will banks and “challenger banks” (we prefer the term “niche banks”), non-banks and neo-banks respond to the split of manufacturing and distribution that the new “packaging” layer (again, not sure if that’s the right term, I just couldn’t think of a better one) brings? That’s obviously a key question and one that is pretty important for organisations who are planning any kind of strategy around financial services in general or payments in particular. Since this includes many of our clients, we spend a lot of time thinking about this and the connection between technological choices that are being made now and the long-term strategic options for organisations.

Consult Hyperion took part in a recent American Banker Open Banking “Bootcamp” (a two-part webinar) on the topic. My colleague Tim Richards and I were able to explore some of our ideas and draw on some of our practical experiences with bankers, suppliers and other practitioners. It was fun to take part in it and we really enjoyed it because we were able to learn as well as to share. I mention that webinar here because as part of the bootcamp, Mark Curran from CYBG (The Clydesdale Bank, Yorkshire Bank, “B” Bank Group and now also Virgin Money) set out a very clear high-level view of the three strategic options available to retail. We think it’s useful to share them here: the “traditional” bank, the bank as a platform (think Starling) and the bank as an aggregator (think HSBC and Citi).

Basic Bank Responses to Open Banking

If, as many people think, it turns out that ROE will remain higher in distribution then the commoditisation of the manufacturing function (as it turns into a “utility”) may well threaten some of the incumbents, because they will not be able to adjust the economics of their manufacturing operation quickly enough to stay in business! This may sound like a radical prediction, but it really is not.

The reality for many banks will, of course, be more of a mixture of these approaches, but you can see the point. The decoupling of the manufacturing and distribution means that banks will have to make some important decisions about where to play, and soon. We’ve already seen how some banks (eg, HSBC) have moved to exploit the aggregator strategy and how some banks (eg, Starling) have moved to become platforms with rich app stores. But what we think may be under-appreciated is the extent to which the traditional bank can develop the packaging process not to shift to one of these strategies but to make itself more efficient and to improve the time-to-market for new products and services while keeping the costs of IT infrastructure under control.

In other words, it makes sense for banks to amazonise themselves.

Open (but asymmetric) warfare

You’ve probably noticed that something big is going on in the UK. It’s called “open banking” and although it hasn’t made much difference to the man at the Clapham ATM just yet, it will. In computer terms, it’s rather as if the banks are being obliged to install sockets in customer accounts that anyone can plug in to access those accounts (with the customers’ permission, of course). So, you can tell your bank to let (eg) Amazon access your bank account and there’s nothing they can do about it. In a recent speech Karina McTeague, director of retail banking supervision at the Financial Conduct Authority (FCA), said that while banks must be “aware of their legal obligations in respect of data protection and consumer protection”, they should “allow their customers to make use of [third-party services] in relation to those payment accounts without penalty, including allowing their customers to share their credentials”.

So, basically, it’s on. Third parties can have access to bank customer data and there’s nothing that banks can do about it. Who will benefit from this? We have long advised our clients that the competition to incumbent financial services providers will not be fintechs. I wrote last year that the major beneficiaries of the regulators’ pressure to open up the banks will be the internet giants who already have the customer relationships. Of course, when I say it, no one listens. But when the woman at the top of Europe’s biggest retail bank weighs in, I suspect one or two people may sit up and pay attention.

Ana Botín, executive chairman of Santander, told the Financial Times that the EU’s Second Payments Services Directive “needs to be reviewed for the digital age. The theory is good but it needs to be fair — at the moment it’s not symmetrical.”

From “Santander chair calls EU rules on payments unfair”.

Her point is that by creating the asymmetry described above, regulators may well have created the conditions to replace an uncompetitive oligarchy (as they see it) of banks with an uncontrollable oligarchy of internet giants. This is not, as my colleague Tim Richards wrote last month, a theoretical issue. He used the example of UK insurer Admiral, which created a scheme to allow people with limited credit histories access to insurance products using social media data. The idea was that if people were willing to grant Admiral access to this data they could perform a form of social identification and verification with an element of personality checking to identify people with traits conducive to good driving. It didn’t last. Facebook blocked Admiral from getting access to the data:

Is this, as Ms. Botín asks, really fair?

If it isn’t, what should be done about it?

Earlier this year, I had the honour of chairing Scott Galloway at the KnowID conference in Washington. Scott is the author of “The Four”, a book about the power of internet giants (specifically Google, Apple, Facebook and Amazon). In his speech, and his book, he sets out a convincing case for intervention. Just as the government had to step in with anti-trust acts of the early 20th century in recognition of the fascist nature of monopoly capitalism, so Scott argues that they will have to step in a century on and, again, not to subvert capitalism but to save it. His argument centres on the breaking up of the internet giants, but I wonder if the issue of APIs might provide an alternative and eminently practical way forward?

Two and The Four

With Scott Galloway at KnowID

Ana suggested that organisations holding the accounts of more than (for example) 50,000 people ought to be subject to some regulation to give API access to the consumer data and it seems to me that this might kill two birds with one stone: it would make it easier for competitors to the internet giants to emerge and might lead to a creative rebalancing of the relationship between the financial sector and the internet sector.

This gives us the obvious regulatory response to the need to create a level playing field: let us put in place a set of reciprocal rights and responsibilities. Forum friend Simon Lelieveldt, who I always listen to on these matters, also suggests this as the way forward. He says that if the European Commission wants a “balanced” market with effective competition then it should “redress the design errors in the PSD-2 and allow banks to ask fees and allow them reciprocal access to the customer data”. I think this gives us a sensible outline manifesto for the next generation of PSD2/GDPR and such like: open, transparent and non-discriminatory pricing for API access to customer data (with the customer’s consent) irrespective of the nature of the organisation: bank, media, telecoms whatever.

Tim Richards and I will be running a workshop session on open banking and the strategies for incumbents, fintechs and competitors on Wednesday June 6th at Money 2020 in Amsterdam just a couple of weeks from now. Please do come along and join in the discussion and debate around this crucial topic. We look forward to seeing you there.

Merchants, payments and the open banking ecosystem

A major focus for the entire merchant payments ecosystem in the coming year will be the new threats, opportunities and players in the emerging open banking world. Starting with the U.K.’s move to open banking in January (the implementation of the Competition and Markets Authority’s “remedies”, or the “CM9”) and moving ahead with PSD2 across Europe, the ability for trusted organisations to access consumer bank accounts, not only to obtain transaction information but also to instruct payments, will inevitably change the landscape.
 
There are new opportunities for acquirers to become broad-spectrum merchant service providers (MSPs) to facilitate interaction between the open banking infrastructure and the merchant community. This very appealing vision of the future (for merchants) will draw them towards a once in a generation change at point of sale. Merchants can easily afford to incentivise customers to switch to account-to-account “instant payments” and at the same time offer considerable customisation based on customer account data.
 
Merchants definitely need some help, and it’s not all about payments. A recent Consult Hyperion survey found that more than 90% of merchants want to use PSD2 to reduce card fees, three-quarters of them also want to use it to reduce the impact of fraud and data breaches. An Accenture survey last year also found that half of the retailers they surveyed want to use customers’ bank account data to provide special offers and customised services at POS.
 
Apart from anything else, we expect to see a resurgence of interest in the “decoupled debit” proposition whereby platform-provided strong authentication to retailer apps will allow them to bypass the existing card infrastructure (with some projections indicating that a third of European card volume could disappear in the coming years) and perhaps even the physical POS itself. It’s easy to imagine self-scanning around the supermarket and hanging up the scanner at the end, to see the store app popping up on the customer phone with the total, prompting touch ID to confirm, and the merchant instructing an instant payment from customer account to merchant account.
 
As a customer, the instant payment proposition seems just as familiar as a debit proposition: customer walks out of the merchant and the money walks out of the customer’s account. The fact that it never goes near the existing rails isn’t something a customer knows or cares about. This, as is often pointed out (by me), is a great opportunity for new players (eg, Google, Apple, Facebook and so on) to join the ecosystem. These are players with a business model built on data, not merchant service charges, and thus the business models in the ecosystem will reorient. This was one of the key themes picked up at last year’s Merchant Payment Ecosystem conference in Berlin, and I wrote at the time that my impression was that some of the big plays coming would be big data, analytics and machine learning.
 
Having said that the existing rails may be bypassed, open banking also provides an opportunity for the schemes to reinvent themselves and their propositions. (As we think that the UK is about to become an interesting, exciting and unpredictable laboratory experiment in open banking, it seems to us that Mastercard’s work with VocaLink should be a focus of industry attention in this regard.) After all, a payment scheme isn’t just a data switch that connects consumers, banks, merchants and retailers. If it was, there wouldn’t be any. Rates, rules and rights are fields in which Visa, Mastercard, Amex, Discover et al have decades of experience to leverage through both their existing relationships and the new ones that will arise.
 
The retailers themselves, especially the millions of small retailers, will also benefit from this transition because a variety of new products and services will spring up to help them to manage their bank accounts, funding requirements and general financial services needs. I’m no expert on small business financing but the ability to see the details of a retailer’s bank account will surely lead to new opportunities for specialist financial services providers.
 
All things considered, 2018 is going to be a pretty interesting year and we are very much looking forward to learning about the new possibilities at Merchant Payment Ecosystem 2018 in Berlin. If you want to meet me or our Principal Consultant in the POS field, Gary Munro, at the event then just drop us a note and we’ll see you there.

