Loosely-coupled MaaS payments

I was a panellist discussing the barriers to mobility as a service (MaaS) at the Transport Ticketing Global (TTG19) conference in London in January. In fact, many of the presentations over the two-day conference were about MaaS and reasons why it is proving very hard to deliver. Perhaps one of the most mature MaaS offerings is the one from MaaS Global branded as ‘Whim’ which launched in the UK in the West Midlands but, by their own admission, has struggled to gain a foothold.

Until recently, MaaS providers have avoided London. We have seen some excellent journey planning apps exploiting Transport for London’s (TfL) open APIs, but nobody was going that extra mile and actually providing a complete MaaS solution in a single app that allows both journey planning and payment and ticketing (i.e. proving authority to travel when entering the transit network). TfL has been very clear that they will not provide any cut of the fares to MaaS providers, so they will have to find other ways to make a profit.

So, the announcement from CityMapper that they are about to launch a MaaS solution in London surely doesn’t make any sense? Given the above barriers to MaaS and the high complexity of London’s public transport network, why on earth would you start there?

The answer is payments and identity, two of our favourite topics. These are services needed in order to offer account-based ticketing (ABT) and ABT is a corner-stone of MaaS. Passengers need to identify themselves to their customer account so that their journey charges can be calculated. Payment for the journeys needs to be handled in a way that is suitable to the particular customer.

One of the barriers I suggested on the TTG19 panel is that payment and identity are too ‘closely coupled’ in modern account-based ticketing offerings. I am old enough to remember the emergence of service-oriented architectures in the ‘noughties’. The idea was that by ensuring services are ‘loosely coupled’, they can freely evolve without affecting consumers or implementations. I argued that if everyone rushes to implement the open-loop payment models with the payment networks like TfL has done, then we will be left with fare collection services that are highly dependent on the payment schemes and constrained from evolution. The identifier the passenger uses at the gate is their bank card (or its emulation on mobile or wearable devices). This identifies them to their ABT travel account but it also identifies their means of payment. Some would say this is convenient; I am suggesting it is too closely coupled and will stifle innovation.

Open banking APIs are a subject close to our hearts at the moment. The APIs are very new and they seem not to be thinking about transit payments at this stage. However, one could imagine that there could be future open banking APIs that would allow passengers to consent to transit payments from their bank to their MaaS provider without the need for the payment networks in between. I expect this will be the subject of future blogs or white papers from Chyp.

The reason CityMapper is launching in London is that all the public transport modes accept open-loop payments and the CityMapper solution to payments and identity is to provide their MaaS customers with a Mastercard-branded prepaid card, ‘Pass’. CityMapper will offer a subscription model at a discount on TfL prices and any travel on TfL modes outside of this will simply use the prepaid bank card like any other.

This works for all London public transport modes, but there are very few other cities that have committed so totally to the open-loop models. It will be interesting to see whether CityMapper can make a profit and, if they do, whether they can replicate it outside of London. Right now, it looks like they are using investment funding and planning on taking a loss to start with, since they are offering to undercut the TfL fares and, as stated above, TfL has said they will not offer discounts to MaaS providers. Or perhaps CityMapper is planning on selling advertising space or plans to sell anonymised travel data to make up the shortfall? Only time will tell.

Meanwhile, may all your transit tokens be loosely coupled and your payment instruments plentiful.

 

Tough decisions for Acquirers and PSPs in 2019

In 2018/2019 both merchants and payment providers face pressing strategic questions about which payment methods to support.

European regulatory initiatives like PSD2, promoting instant payments, open banking, and data sharing, have created a new payments ecosystem. Acquirers, PSPs and card schemes, threatened by the risk of being bypassed by Third Party Providers, are now looking at new business models and the roles they can play in this new ecosystem. However, the key questions remain: whether to continue playing in the traditional card acquiring space and/or to take full advantage of PSD2 by opting for PISP/AISP licensing? What can be done in-house, and what by collaborating with partners on those opportunities that lie outside their expertise?

There are other questions relating to the future direction of European Card Acquiring. In 2018, cards continued to grow their share of the European payments market, but the increasing scheme fees are eroding the benefits of interchange regulation. The British Retail Consortium warned in 2018 that scheme fees increased 39% in 2017. Various consumer groups asked the European regulators to step in to protect merchants from hidden fee increases. The UK Payment Systems Regulator (PSR) announced in July 2018 a market review into card-acquiring services, including a public consultation on whether there is effective competition and supply of card-acquiring services.

What’s next for Card Acquiring, Scheme fees and Interchange Fee Regulation in Europe in 2019? 

The future of card acquiring, fees evolution, new merchant payments options, Open API technology are among the key topics to be discussed at the MPE 2019, Europe’s Largest Merchant Payment Acceptance Conference in Berlin, February 19-21. Consult Hyperion are delighted to support MPE once again. If you’d like to meet with the team, please email sam.wakefield@chyp.com to arrange a meeting.

You can request the Agenda & register at www.merchantpaymentsecosystem.com.

Mobile Payments and Acceptance: The Future Is Soft

The last year has seen a lot of activity in the mobile payment ecosystem with regard to the risk associated with Consumer Off The Shelf (COTS) devices becoming not only a payment method (Google Pay, Samsung Pay etc) but, more significantly, payment terminals ready to accept payments. A ‘COTS device’ is a mobile device (e.g. phones & wearables) intended for distribution and use by the mass-market, and traditionally not designed exclusively for making or accepting payments.

Why can’t I use Apple Pay for everything online?

Pottering around on Twitter, I noticed an interesting question:

Why can’t I use Apple Pay for everything online? Shouldn’t there be some way for me to hold my phone up to the screen when I get to an order page online and scan a QR code and hold my thumbprint or something? — Joe Weisenthal (@TheStalwart) January 2, 2019

Joe has a point. Apple Pay is far more secure, and far more convenient, than messing around typing card numbers into web pages as we did back in 1998. And globally, merchants lose some $20-$30 billion per annum in card-not-present fraud, so why aren’t we using our (secure) mobile payment systems to pay for things we buy on the (insecure) web already?

Well, first of all, you can use Apple Pay to pay for things on the web, but only if you are using Safari and only if the merchant has implemented Apple Pay. The merchants, however, don’t want to implement a solution that only works for a small proportion of their customers (i.e. people who use iPhone, Safari on the web and have Apple Pay configured correctly). Merchants would prefer a more universal solution such as W3C or SRC.

Change, however, may be just around the corner.

Barclays Equity Research put out an interesting note on payments in November. Called “Sleepwalking into 3DS2.0 and PSD2”, it kicks off by saying that “the mandated 3-D Secure 2.0 and the requirement for two-factor Secure Customer Authentication (SCA) are around the corner, but the industry does not seem ready for this major change in transaction processing protocols”.

Well, quite. I’m glad to see they agree with our decision to make SCA the highest priority of our “Live 5” areas for our clients to focus on in the coming year.

In this note, Barclays say that an unintended consequence of PSD2 will be a better e-commerce experience on mobile, where biometrics are a convenience technology, rather than the desktop, and this should benefit digital wallets (again as we note in our Live 5). In the store too, mobile may have the advantage. Contactless payments will require a PIN entry every five transactions or €150 (depending on which the issuer mandates), unless an online transaction in the interim authenticates the card and restarts the counter.

However, an Apple Pay or Google Pay mobile transaction would be authenticated every time and because of CDCVM, can ignore the contactless limit (currently £30 in the UK). While a card is arguably marginally easier than mobile wallets today for contactless, this may be enough to shift the advantage to mobile. 
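The counter behaviour described above, sketched as an added example (it is not code from the original post or from any issuer or scheme). The exact trip point (the sixth consecutive tap, or the tap that would take the running total past €150), the reset on any authenticated transaction, the method names and the decision strings are assumptions; the sample transactions are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_TAPS = 5                      # from the text: PIN every five transactions
MAX_CUMULATIVE = Decimal("150")   # from the text: or EUR 150

# Methods where the cardholder is verified on every transaction
# (chip and PIN, or a mobile wallet tap with CDCVM). Names are assumptions.
AUTHENTICATED = {"chip_pin", "wallet_cdcvm"}


@dataclass
class ScaTracker:
    """Issuer-side counter for one payment credential (hypothetical model)."""
    rule: str                     # "count" or "cumulative": the issuer's choice
    taps: int = 0                 # unauthenticated taps since last authentication
    total: Decimal = Decimal("0") # unauthenticated spend since last authentication

    def _reset(self) -> None:
        self.taps = 0
        self.total = Decimal("0")

    def decide(self, method: str, amount: Decimal) -> str:
        # An authenticated transaction restarts the counter.
        if method in AUTHENTICATED:
            self._reset()
            return "approved_authenticated"
        if method != "card_tap":
            raise ValueError(f"unknown method: {method}")

        if self.rule == "count":
            over = self.taps + 1 > MAX_TAPS
        elif self.rule == "cumulative":
            over = self.total + amount > MAX_CUMULATIVE
        else:
            raise ValueError(f"unknown rule: {self.rule}")

        if over:
            # Assumption: the cardholder enters the PIN, which authenticates
            # the card, so the counters restart from zero.
            self._reset()
            return "pin_required"

        self.taps += 1
        self.total += amount
        return "approved_no_cvm"


def run(rule: str, txns: list[tuple[str, str]]) -> list[str]:
    """Replay (method, amount) pairs through a fresh tracker."""
    tracker = ScaTracker(rule)
    return [tracker.decide(method, Decimal(amount)) for method, amount in txns]


def pin_prompts(rule: str, txns: list[tuple[str, str]]) -> list[int]:
    """Indexes of the transactions that trigger a PIN prompt."""
    return [i for i, d in enumerate(run(rule, txns)) if d == "pin_required"]


# Constructed sample: plastic card taps with one chip-and-PIN purchase.
CARD_DAY = [
    ("card_tap", "20"), ("card_tap", "45"), ("card_tap", "40"),
    ("card_tap", "30"), ("card_tap", "25"), ("card_tap", "10"),
    ("chip_pin", "80"), ("card_tap", "15"),
]

# Constructed sample: the same spend made with a CDCVM wallet instead.
WALLET_DAY = [("wallet_cdcvm", amount) for _, amount in CARD_DAY]

if __name__ == "__main__":
    for rule in ("count", "cumulative"):
        print(rule, "card  ->", run(rule, CARD_DAY))
        print(rule, "wallet->", run(rule, WALLET_DAY))
```

The same card and the same purchases are interrupted at different points depending on which rule the issuer picks, while the wallet is never stepped up.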

Thus, the future of secure retail transactions will converge on the smartphone, irrespective of whether those transactions are physical or virtual.

IATA Pay and the unintended consequences of PSD2

The Irish central bank’s decision to authorise Google Payment Ireland under the second Payment Services Directive (PSD2) attracted a fair bit of comment, some of it informed. As Finextra pointed out, this does not grant Google the ability to offer a full banking service including bank accounts, but they don’t need to because with a PI licence they can obtain API access to bank accounts under PSD2.

The licence means that Google can offer PSD2 Payment Initiation Services (PIS) and Account Information Services (AIS).

It’s an obvious move for Google. My good friend Simon Lelieveldt noted in his blog on the subject, that this makes “Google Brexit-proof and PSD2-proof” which would be reason enough to do it, but it’s important to understand just how disruptive this licence might be.

I wrote about this back in 2017 for Wired, pointing out that changes in regulation “mean the tech giants will soon be able to access customers’ bank account data” and that companies such as Google would take this obvious step in order to gain access to financial services infrastructure without the overheads and scrutiny that a banking licence involves. Similarly, I’ve commented before that it makes sense for Amazon to get such a licence, not a banking licence because there is nothing that the banks can do to stop Amazon from becoming a neo-bank. PSD2 means that bank customers will give Amazon permission to access their bank accounts, at which point Amazon will become the interface between the customer and financial services.

Hence my point about just how disruptive this might be. Only last month, banks in Spain were complaining (with some justification) that there are considerable implications to Google, Amazon and Facebook entering the financial services industry. This is because the introduction of PSD2 means that these new “big tech” entrants can benefit from asymmetric regulation and extend their appeal to consumers. The regulation is asymmetric, as my colleague Tim Richards and I discussed in our “fireside chat” last year, because it means that tech companies can access banks’ customer data but the banks do not get to access the tech companies’ customer data.

The impact of open banking is, of course, not limited to the tech giants. IATA Pay is an industry-supported initiative to develop a new payment option for consumers when purchasing airline tickets online. It uses PSD2 to instruct transfers direct from customer accounts and I think it might turn out to be one of those things that economists call a “weak signal” of change. Looking back, I think we’ll see a kind of inflexion point where major retailers started to bypass the card networks and use open banking to go straight to the customer account.

“Hello this is British Airways. Click here to pay by IATA Pay and get double Avios”.

We spend a lot of time speculating on what might happen when the internet giants get access to bank accounts, but it could be just as big a deal across major retail categories. A year ago we wrote  “platform-provided strong authentication to retailer apps will allow them to bypass the existing card infrastructure (with some projections indicating that a third of European card volume could disappear in the coming years) and perhaps even the physical POS itself”.

We’ve said it before and we’ll say it again: open banking is a much bigger deal than many people think.

Money2020 China

What an interesting experience the first Money2020 in China was. It was held in Hangzhou, the home of AliPay, and I was delighted to have been invited along to share some of our experiences in payments and to learn first hand about the Chinese approach to the sector.

Money2020 China gets underway

The event was well-staged and with simultaneous translation from Chinese it provided an opportunity to hear about the wide variety of fintech activities in China. It was, as you might imagine, very different from the Las Vegas event last month. There was no discussion of cryptocurrency because of the Chinese regulatory context and while I did see one presentation on the use of digital signatures in smart contracts, there was little discussion of blockchain and related technologies.

Ron Kalifa talking about value-added merchant services

I particularly enjoyed Worldpay vice-chairman Ron Kalifa’s fireside chat (in which he said that people were underestimating the impact of open banking) and presentation of their annual world payments report. To a payments nerd like me this was a great opportunity to look at key trends in payments on a country-by-country basis and try to work out which trends are relevant to our clients around the world as they formulate strategies for the always-on, mobile-centric, open-banking future. Key to these strategies is, of course, security and so I always pay attention to the big picture presentations around fraud. In China, these have scary numbers attached to them, but you have to take into account the size of the Chinese economy (I think the Chinese cybercrime losses are lower than in many other countries).

Real, and scary, fraud numbers

Given the widespread use of scores of one form or another to determine trustworthiness it is no coincidence that China sees a rise in frauds relating to the manipulation of these scores. Without commenting on the benefits or otherwise of such models (most Brits, myself included, can only think of Black Mirror when social scores are discussed) it is worth making the point that preventing “gaming” of these scores while preserving individual privacy means dealing with paradoxes that might well be resolved through the use of cryptographic techniques that have no conventional analogues and are therefore difficult for policymakers to bear in mind.

Reputation fraud in action

Most of what I found thought-provoking, both in the presentations and the water cooler discussions, was to do with business models rather than new technologies. The new business models emerging in a regulated, platform-centric, dynamic market are what we should be studying. We might choose to implement some of these models in a slightly different way taking into account the varying cultural norms around security and privacy, but the idea of separating payments from banking and then turning payments into platforms, and then using these platforms to acquire customers at scale for other businesses is certainly very interesting.

These new models, of course, centre on data and value-adding using that data. When people pay for everything with their mobile phone, they lay down a seam of data that is waiting to be mined. Despite this, the convenience of the mobile-centric platforms is so great that people are clearly willing to put privacy concerns to one side. I chaired a great session on privacy with CashShield, Symphony and eCreditPal which, I think, gave out a very comforting message: if you build services with privacy in the first place, then complying with GDPR and other global regulations is actually not that much of a problem.

One more thing that struck me about the context for these developments is that it seems to me that China is making its e-money regulation more like the EU’s. With an EU electronic money licence, the organisations holding the funds must keep them in Tier 1 capital and are not allowed to gamble the customer’s money, whereas in China there was no such restriction. Now the People’s Bank has said that from January 2019 the Chinese operators will have to hold a 100% reserve in non-interest bearing deposits at commercial banks, a decision that will likely cost the main players (Tencent and Alipay) a billion dollars or so in revenue.

It was interesting to spend a few days inside the mobile-centric, QR-everywhere, always-on, app and pay world of the future and to pick up some useful lessons for our clients. A very interesting week.

Does AI mean the End of PIN on Glass?

The launch of PCI’s SPoC specification, Software PIN on COTS – Commercially Off The Shelf (that’s PIN on mobile / PIN on Glass, to you and me) raised an eyebrow or two at Consult Hyperion. Could PIN on mobile actually be secure? The researchers at Newcastle University produced a paper stating that PINs entered on mobiles can be recovered by capturing the mobile’s sensor data.

We’re well versed in building the security architectures and systems needed to secure payment cards on mobile devices using software-only solutions (think Google Pay / Barclaycard Contactless Mobile, or Worldpay’s fabulous My Business Mobile card reader), all of which protect card PANs in one way or another. As well as building security, we are just as adept at testing such architectures and implementations to validate their security. This leads us to ask the question: is securing a cardholder’s PIN the same as securing a card PAN?

Gut instinct would suggest that exposing a PIN is more risky than exposing a PAN; however, one is of no use without the other. A PIN cannot be used without the PAN whereas a PAN can be used without the PIN. Indeed, the PAN could be used for online payments; the PIN is only of use if the physical card is present.

PCI SPoC sets out a comprehensive architecture to protect the cardholder’s PIN involving the mobile device, card reader and host system, which is all very sensible. From a business point of view, reducing the cost of the card reader device by removing the physical keyboard may make accepting payment cards a more attractive option from a cost perspective. Equally, from a customer experience point of view, it appears quick and easy and less cumbersome than interactions with a different PED.

However, what if you could use the mobile device’s own sensors to steal the PIN? Is this possible? Can you use a mobile’s sensor data to recreate a PIN? Even if it were possible, surely a PIN entry application would ensure the sensor data was blocked? Researchers at Newcastle University published a paper on “Stealing PINs via Mobile Sensors: Actual Risk versus User Perception.” In this paper the team of researchers claim an accuracy of 80% on obtaining PINs from mobile sensors, which, if true, would significantly compromise PIN on Glass solutions as set out in the PCI SPoC standard.

We set our Hyperlab team the task of recreating the research to fully understand the proposed attack, whether it did indeed translate into a realistic attack and, if so, whether we could counter it. We contacted the researchers at Newcastle University, who were very helpful in setting us on the right path to recreate their work. We built the PIN Logger App and the AI engine which would process the data to attempt to “guess the PIN”. The attack works by feeding mobile sensor data into an AI / Machine Learning engine (actually a Neural Network), which is then able to determine the PIN number pressed. However, in order for the AI engine to correctly guess the PIN number, it needs to learn the patterns of sensor data associated with the PIN number. This takes data, lots of data, and lots of processing power.

In their paper, the researchers at Newcastle University used 1.4 million data points (that’s 140,000 per PIN digit) to train their Neural Network over 10 million iterations, after which they were then able to achieve a 70-80% accuracy on a restricted number of PINs (just 50 PINs from ~10,000 possible PINs).

Our Hyperlab team worked their magic, and by applying a few restrictions and limitations (i.e. using fewer data points and restricting the mobile PIN entry to a single plane) we were able to reproduce the attack with a 30% accuracy. We were able to adjust the accuracy level by feeding fewer or more data points when training the Neural Network, which leads us to believe that the results obtained by the Newcastle researchers are achievable. What’s more, it’s not possible to block a background app in Android from obtaining the sensor data whilst PIN entry (as defined in PCI SPoC) is taking place. Surely this is a disaster for software PIN on Glass?

There are several things to consider here. In order to mount the attack you need 1.4 million data points, and plenty of processing power to train the Neural Network, and that’s just for a single mobile device. Plus, the training app needs to use the same keypad layout as the keypad you are trying to steal PINs from. A malicious data gathering app then needs to be present and active on a PCI SPoC device. However, even then it does not know when a PIN will be entered, and will have to find the PIN entry within the rest of the screen taps, e-mails, SMS and rounds of Candy Crush that a merchant may use their mobile for on a normal day. This amount of entropy itself would render the attack method futile.

Hats off to the researchers at Newcastle University: their paper and attack vector are enlightening and should be taken seriously. Whilst we do not believe it is a scalable attack, it will certainly be taken into consideration when we build our next clients’ security architectures to support PCI SPoC PIN entry.

Consult Hyperion is known for robust architecture designs and rigorous test plans, making sure our clients launch products and services that protect their customers’ financial and personal data, and the brand reputation of the client. If you would like to talk to us, please do get in touch – info@chyp.com

And Relax …

According to a reputable news source (well, the Daily Mail), the Royal Mint is casting (sic) around to find things to do when the Treasury caves to the inevitable and tells them to quit wasting everyone’s time and money by minting coins. They’ve come up with the idea of making a credit card out of real gold. This isn’t the Royal Mint’s idea, of course. They stole it wholesale from 30 Rock a few years ago.

The cards will have the owner’s signature engraved on the back (I’ve no idea why, since the card schemes are discontinuing the use of the pointless signature panels on cards) and will apparently be worth $3,000 each which (as a number of Twitterwags immediately pointed out) will greatly increase the number of fake ATMs in the streets around Belgravia after midnight. They are apparently working on ways to get these 18-carat gold cards to work in ATMs and, of course, at contactless terminals.
 
Wait, what?
 
Contactless?
 
How do you make metal cards work in contactless terminals? The metal card messes with the magnetic jiggery-pokery that makes contactless cards work. I know this because Consult Hyperion’s awesome contactless robot test rig (below) has a frame for the card, terminal or card under investigation that is made from wood so that there’s no metal in the field when testing.
 

 
The metal contactless cards that I’ve seen before are made using a plastic laminate or by cutting a segment from the metal and replacing it with plastic, so I discounted this report on the Royal Mint’s bold ambitions and filed it away and went off to enjoy Money20/20 in Las Vegas with my Consult Hyperion colleagues.
 

 
I had a great time in Las Vegas chairing the “Around the World of Identity” session on the first day, and then I enjoyed the tremendous privilege of interviewing Jed McCaleb and Adam Ludwin of Interstellar on the main stage on the third day. Interstellar is the crypto giant formed by the takeover of Adam’s Chain by Stellar’s Lightyear. This was particularly fun for me because I’d visited both Stellar [here] and Chain [here] for our “Tomorrow’s Transactions” podcast series some time ago (we rather pride ourselves on helping clients to spot what’s coming next) and had noted that both of these guys were really smart and really nice. As they proved on stage.
 

 
During a break from conference sessions, business meetings and blackjack I went for a stroll around the exhibition floor to catch up with old friends and see what sort of fun fintech things are heading our way. You could have knocked me down with a feather when I spotted a stand from Amatech, who are based in Galway in Ireland. They were prominently displaying the bold claim that they had working contactless metal cards. Naturally, I went to investigate, and it turns out that they were telling the truth. They’ve developed a clever manufacturing process that combines multiple layers of metal with different electromagnetic characteristics so that the metal card now helps the chip on a card to communicate contactlessly instead of blocking such communications. Wow. Very cool (and they can do it with graphite too). I saw it working with my own eyes…
 

 
For all the talk about changing business models in the self-sovereign identity world to orient around data sharing, re-imagining AML with AI to change the cost-benefit around the regulations and on using cryptocurrency to transfer value across borders, you just can’t beat talking with someone who has made something that you didn’t know existed until you saw it. The satisfying clunk of a metal card on a glass counter was the highlight of the day for me. Apart from running into Shaq in the green room, of course.
 

 
Money2020 was exhausting, because all of our clients (and a great many of our prospective clients) are all there and I loved meeting all of them, but I wouldn’t miss it! I’m already looking forward to flying the CHYP flag at the inaugural Money2020 China next month. See you all there!

Securing Payments in a Post-EMV Chip World

Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.

Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions – Tokenisation, 3DS 2.0 (with live solutions being imminent) and SRC (which is open for public comment).

Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.

Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.

Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.

Synthetic identities are a particular challenge. Detecting them is tough: it means spotting the subtle clues that indicate that an identity record which looks legitimate has actually been cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well organised attacks at scale.

In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.

Definitely a case of whack-a-mole.

Financial Services messaging standard at the heart of new payment infrastructure in UK

This June, the Bank of England launched a six-week consultation on the adoption of ISO 20022 as the single message standard for payments in the UK. In conjunction with the New Payments System Operator (NPSO) and the Payment System Regulator (PSR), the Bank of England has published ‘ISO 20022 consultation paper: a global standard to modernise UK payments’. In this document the commitment to the standard is clear:
 

‘The Bank and NPSO as payment system operators, and the PSR, as economic regulator of payment systems, are (therefore) committed to pursuing an effective UK-wide adoption of ISO 20022, and will use all the tools at their disposal to ensure that this is achieved.’

 
ISO 20022 is a multipart standard produced by ISO Technical Committee 68 (Financial Services). Way back in September 2005 ISO approved the first ISO 20022 compliant messages: a set of four Customer-to-Bank Payment Initiation messages. In the 12 years that followed the compliant messages have grown to number more than 400.
 
One of the first widespread implementations of ISO 20022 was in the introduction of Payment messages for the Single Euro Payments Area (SEPA) Direct Debit/Credit Transfer scheme. SEPA DD/CT used the ISO 20022 payment messages and created a framework document (Rule Book), detailing the way that these messages were to be used within SEPA. SEPA DD and CT have been mandated for Euro area countries since 2014 and Euro denominated payments in non-Euro countries since 2016. The take-up of ISO 20022 worldwide is now growing. In real-time payments, ISO 20022 has launched in the US and Australia. Indeed, such is the take-up of ISO 20022 Payment Messages for real-time payments that there is now a group set up under the ISO 20022 umbrella with the objective of documenting a harmonised and consistent view of ISO 20022 business processes, message components, elements and data content for Real Time Payments.

In late 2016, Payments Canada announced that ISO 20022 would be rolled out across all its systems as part of the mission to modernise the Canadian payments system. In the U.S. the wire systems, FedWIRE and CHIPS, will adopt ISO 20022 beginning in 2020. The number of countries implementing ISO 20022, particularly in payments, is growing at a fair rate.
 
As mentioned at the start of this blog, the standard will be adopted in the UK across CHAPS, Faster Payments and BACS, the three main interbank payments systems, which together process over 8 billion payments per year, with a total value of over £90 trillion.
 
Moving away from their legacy message formats will give all UK Payment schemes opportunities to enhance their messages with additional data that can be carried in ISO 20022 messages. This will give users better insight into the message content, for example by including invoice data. It will also give fraud engines more data to work on and enhance the ability to detect financial crime. The Bank also proposes that the CCM should make use of the Legal Entity Identifier (LEI) within a dedicated field. This will enable clear and unique identification of legal entities participating in financial transactions. It is proposed that this becomes the universal identifier in the UK economy and will be applied to all businesses, extending its use among medium and small businesses.
 
Additionally, if uniform structures and data formats are utilised across all payment platforms there is the potential to channel payments between schemes to boost resilience of the payments system as a whole.
 
The implementation of the ISO 20022 CCM will use XML as its ‘syntax’, the language that is used to convey the message content. However, with much innovation being based on the use of APIs, ISO 20022 is not resting on its laurels. In November 2017, 23 countries including China, Singapore and the UK decided to focus effort and pool resources to develop the first ISO standard for APIs in financial services’ and ISO 20022.
 
Things move slowly in the world of international payments standards but now the rate of ISO 20022 deployments is accelerating, and it has a firm place at the heart of the UK Payments Infrastructure. Rest assured Consult Hyperion will be there to help guide you through the interesting times to come.
