The Tale of Money 2020 Vegas, Last Part

I stuck my head around the corner of a conference session, and to my surprise found that it was people talking about the blockchain again. Someone said that putting identity on the blockchain would help refugees and I said that I thought that might well be true, but I couldn’t be sure as no-one had defined what they meant by “identity” or “the blockchain”. I wasn’t entirely sure what they meant by “refugees” either. Talking of which, I found one wandering aimlessly through the corridors of the Venetian. Since I couldn’t offer him an identity, I decided to offer him breakfast instead.

Mr X, as I shall call him, was a refugee from IBM’s World of Watson. I’d been sent an invitation for this and had registered, but I never got a confirmation. I’m not sure why, but it might have been something to do with the form I had to fill in. The form said that if you told Watson the reason for your visit, then Watson would set up an agenda for you at the event. So I told Watson that the reason for my visit was to overthrow the United States government and to set up a workers and peasants’ anarcho-syndicalist commune. So not only did I not get my invite, but now I’m on the no-fly list as well. Anyway, Mr. X told me that there was a lot of fun stuff going on over in the AI world and I don’t doubt it. But I didn’t have time to stay and chat because I was off to the theatre.

It turns out that I couldn’t get a ticket for the actual theatre so I decided to set up a security theatre instead. All week, I kept getting asked for “photo ID”. The first time it happened, I explained to the young woman that carrying identity around with you is something that I associate with continental socialism and that since I came from the Disunited Kingdom and not North Korea I was not in the habit of carrying and presenting my papers. In fact, as I further explained to her, since my identity is important and valuable and hard to replace, I had locked it up in the safe in my hotel room. She remained unmoved and demanded photo ID. So I showed her the expired building pass for CHYP Tower in New York. This is apparently perfectly acceptable as proof of identity throughout the continental United States and the woman was happy to charge my card following its presentation. Throughout the rest of my visit, every time I was asked for photo ID I presented my expired building pass and every time it was accepted without question. Every. time.

Meanwhile, it was time to go downtown and get involved in some serious fintech shenanigans. I decided to sniff around payments, but most of the camp fire talk was about the transition to in-app and the use of tokenisation to move chip and PIN security online (see the MasterCard announcement, for example) and I read one of the chaps from Bell ID talking about “in-apptitude” (which I rather like) to describe the new strategies for secure and convenient remote payments. But this is old hat. I’ve been boring our clients to death with this stuff for years. And no-one would disagree that #appandpay is going to be more important than #tapandpay. Right?

I decided to seek out more controversial opinions. Here I am engaged in a heated debate with a noted retail banker over the likely future identity and verification ecosystem. He said that given the dynamics of the space, and given that banks already have to carry out rigorous KYC, it makes sense for banks to develop a co-operative sector-wide kind of financial services passport that could be used cost-effectively by third-parties while the underlying identities are strongly protected by tried and tested cryptographic techniques including tokenisation and blinding. I said “wha-hey you’re my best mate you are! Up the Blues!” and we agreed that Terry Phelan was a great player.

By the final morning, I was going about my normal business, albeit in a persistent vegetative state, when I ran into the shy and retiring head of the Emerging Payments Association. We had a fruitful discussion about using strong biometric authentication against revocable tokens to use pseudonyms (with strongly-attested attributes) in transactional environments and making it the de facto model that will deliver both security and privacy for transactions of many kinds. He said that he thought that this might be where the blockchain makes sense because the transparency around shared reputation management was a positive, whereas sharing private transactions was a negative and would require complex strategies to maintain commercial confidence. I said “stop shouting”.

I think that for our clients and friends in the USA, the most important commercial announcement was the launch of Zelle by EarlyWarning. Zelle will launch in 2017, the equivalent of Paym/PingIt in the UK: instant account-to-account payments. It launched with 19 banks: Ally Bank, Bank of America, Bank of the West, BB&T, BECU, Capital One, Citi, Fifth Third Bank, FirstBank, First Tech Federal Credit Union, Frost Bank, JP Morgan Chase, Morgan Stanley, PNC, USAA, U.S. Bank and Wells Fargo. Pretty impressive. If you look at Venmo’s hockey stick, it’s clear that a P2P proposition has a ready market. But my sense of Venmo is that it succeeded because of social media integration so I suspect that Zelle’s long term role will be as an API for other platforms (e.g., Facebook) to use rather than as a standalone app or something that is tucked away in bank apps. This is the sort of thing that is best considered with a Mai Tai, by the way.

I was left trying to work out exactly how much I lost in the casinos. I think it might have been as much as $80, because I’m pretty much of a high roller, especially when egged on by VocaLink Vixens and Money2020 Molls. It’s well known that men take risks in the presence of attractive women and I have a suspicion that this may form part of the casinos’ business model. Just a suspicion. Still. Vegas.

It’s amazing who you bump into at Money2020. I caught up with a great many old friends and made quite a few new ones. It’s hard for me to say what the key takeaways from the event were this year but I’ll try to name a top three and then see if any of you agree with me via the comments section!

  1. Fintech isn’t the wild west any more and the use of new technologies to drive new business models in financial services is mainstream. Yes, legacy profit pools will be attacked, but unless the incumbents are totally stupid (and the ones that Consult Hyperion works for are, I can assure you, not) they will assimilate them: biometrics, chatbots, AI etc. The threats to my clients’ businesses are not their traditional competitors and not the fintechs, but Amazon, Apple, Google, Facebook and Alipay because these are where customers check in but may well never check out. Bumper sticker: It’s the discovery, stupid. 

  2. The ramifications of the shift to instant payments (of one form or another) and the switch to low cost push payments in retail remain unexplored. Although I can’t prove it with bar charts or spreadsheets, I have an uneasy feeling that the incumbents in developed markets are overconfident about the status quo and the regulatory times are a changin’ (© Nobel Committee 2016). The transaction margins in payments remain asymptotic to zero in the medium term, so new business models are needed. I tend to focus on the business models around identity, but I’m sure there are others in big data, analytics, risk management and so on. Bumper sticker: The bank is a place to store your identity, not your money.

  3. People talk a lot of rubbish about the blockchain. Bumper sticker: They’re not smart and they’re not contracts.

On which topic, one last tale.

The Tale of the Emperor’s New Blockchain

Once upon a time, there was an Emperor. He ran a marvellous financial institution. One day, a stranger came to town and she went to see the Emperor and showed him a blockchain. The Emperor said “I can’t see anything”. The stranger told him that only very clever people and management consultants could see the blockchain. The Emperor didn’t want to seem stupid, or provincial, or behind the times, so he told himself that he could see the blockchain after all and that it was beautiful.

The Emperor went and told all of the people about his blockchain and the people were very happy.

After a while, though, the people shouted that they wanted to see the blockchain, so the Emperor decided that he would show it to them and impress them. And he took out the blockchain that the stranger had given him and showed it to the crowd.

But then one small boy consultant standing at the back said “I can’t see a blockchain. And you have only one node so there is no need for a consensus mechanism”. And then everyone in the crowd realised that what the boy said was true. There was no blockchain, just a database run by the Emperor as before.

The Emperor was upset at first, because everyone else had a blockchain and he didn’t. But then he realised that no-one else had one either, so he cheered up and started to invest in artificial intelligence chatbots instead and he lived happily ever after because he had a defined benefit pension.

Thinking about it, almost all of the interesting things I saw or heard about weren’t really about fintech and payments, they were about regtech and identity. It’s almost as if Identity2020 is the new Money2020, so to speak. See you next year.

Are the banks telling you that you may as well use bitcoin?

Back on “frictionless payments” again. The bitcoin dream of instant (well, sort-of-instant) value transfer from anyone to anyone else with no third party that might be able to censor the transaction in the middle inevitably leads to what we used to call, in the first flush of digital bearer instrument debate, the “Grandma presses the wrong button and loses the house” problem that I touched on earlier this week. Or, to rephrase using the current examples, if the customer uses two-factor authentication to instruct the bank to send money to a crook is that the bank’s fault? Is it really a customer’s fault, for example, if their solicitor uses insecure e-mail to communicate with them instead of secure WhatsApp? There’s a spate of such frauds in the UK right now.

Mr Doyle instructed his bank to pay the money into this account. The couple then enjoyed their Easter weekend, little knowing their money had been stolen and their lives were about to be derailed. The truth emerged only the following Wednesday when TCS confirmed it did not have the money, and it became clear that the payment had been made to unrelated account operated by fraudsters.

From Property sellers warned not to email solicitors: ‘We lost £204,000’

The report then goes on to say that “the whereabouts of the money remain unknown” but this cannot be entirely true. Since the money had to be paid into a UK bank account and since UK banks perform stringent Know-Your-Customer checks before giving people bank accounts, the whereabouts of the money are very likely known, if not by the account holder (who could then be arrested) by whoever the account holder gave the login to (who could then be arrested). So it should be easy to get the money back… well, maybe…

Mrs Parkinson, a self-employed secretary and bookkeeper, was told that the remaining money could not be returned because the stranger who had the cash was “not able or willing to return the funds”.

From ‘I transferred £1,700 into the wrong account and I can’t get it back’

Payments UK recently released a report about payee identification that proposes to add another step to inter-bank transfers so that after you enter the bank account details of the recipient (which you shouldn’t be doing of course – a big part of the solution is to stop requiring customers to enter sort codes and account numbers) the system will send you back the name of the recipient and ask you to confirm. There’s a long way to go with this though, because there are privacy and other issues. Is it any of my business what the name on your account is? Nevertheless, fixing the problem is on the agenda.

The UK banks also have a new code of conduct for instant payments so that if you accidentally send money to the wrong account then the banks will ask nicely to get it back, but if the person you sent it to doesn’t want to send it back, you basically have to go to court (and pay the banks’ lawyers somewhere between £80-£200 per hour).

the ombudsman ruled in favour of the banks, reiterating that MBNA and Santander had done all they could. 

From ‘I transferred £1,700 into the wrong account and I can’t get it back’

If the bank can’t get your money back for you when you made a mistake, then you may as well have used bitcoin. Right? That’s what they appear to be telling you! This is why I will pay for the lovely antique map case I just saw using a credit card and not the faster payment service (FPS), which would have been quicker and cheaper for me, the merchant and the bank. Of course, if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.

In other news, MasterCard are apparently launching a bid for VocaLink.

Old lags and new tricks

I imagine you are all familiar with the story of the Hatton Garden robbery in London. A group of elderly criminals with long police records (“old lags” in the English vernacular) staged the biggest burglary in British history by tunnelling through concrete into the vaults of a safe deposit company in London’s Hatton Garden district. They got caught and sent to jail. I don’t doubt the film rights have already been snapped up, because at the trial it was revealed that the pensioner perps included a look out who fell asleep, a deaf point-man and a gang that travelled using OAP Oyster cards. These guys must feel so out of place in the modern world, all Snapchat and no Sweeney, that given the demographic trends around cinema viewing, a comedy heist vehicle featuring Helen Mirren, Bill Nighy and Robert de Niro is frankly inevitable and I’m surprised that the idea hasn’t already cropped up in an episode of “New Tricks” (or, as my children call it, CSI:OAP) yet.

Meanwhile, if you want to see how proper bank robbers (i.e., the ones who don’t work for banks) are adjusting to the times, you need to check out what’s been going on in Bangladesh, where the governor of the central bank has just resigned in disgrace following the theft of an enormous sum of money from their reserves. 

Bangladesh’s central bank chief resigned on Tuesday, the finance minister said, after hackers stole $81 million from the nation’s foreign reserves in an audacious cyber-heist that has hugely embarrassed the government.

From Bangladesh central bank governor quits over $81m heist | Inquirer News

Basically, crooks got into the central bank system (which according to Reuters had no firewall and was using $10 routers) and had access to the SWIFT gateway, so they sent messages instructing the Federal Reserve Bank of New York to transfer funds from the Bank of Bangladesh account to some accounts in the Philippines.

The problem is that the counterparty on the other side of the SWIFT order was not who the Fed thought, and what should have set off red lights is that the recipients was not the government of the Philippines but three casinos!

From The Incredible Story Of How Hackers Stole $100 Million From The New York Fed | Zero Hedge

As it turned out, the cybercriminals would have got away with a billion dollars had they not mis-spelled the name of one of the payees, a mistake that caused one of the banks in the chain to send a query. Otherwise, with the Bank of Bangladesh shut until the following Monday, they would have been home scot free. The money that was wired to the Philippines was then converted into bitcoins and spirited away NOT. Of course it wasn’t. Crooks don’t want bitcoin, crooks want flippin’  great wodges of cash. Some $30m was withdrawn in cash by an unidentified person and the rest, as I understand, was turned into casino chips!

Now on to the point (I promise you there is one). Is it really a bank’s job to police where you send your money to? The reason I was thinking about the Bangladesh heist (I think Hatton Garden will make for a better movie, to be honest) is because of a discussion that broke out during the Biometrics Institute Financial Services Seminar in London. Nick Middleton from Nationwide put forward an interesting concept: he said we shouldn’t be working toward friction-free payments but “friction-right” payments.

Friction-free payments have risks. Contactless is fine for a cup of coffee but for a fancy meal you would ask for a PIN. Matching the friction to payment makes complete sense. If I tell Barclays to send $10 somewhere then they should just do it. If I tell Barclays to send $10 million somewhere then should they still just do it? Does it make any difference whether it’s a retail bank or the central bank? After all, the Fed had received a perfectly legitimate request from the Bank of Bangladesh and I shouldn’t think the Fed see it as part of their job to tell the Bank of Bangladesh where they may or may not send their money to.

“The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.”

From N.Y. Fed Says Its Systems Weren’t Breached in $80 Million Cybertheft | American Banker

So: the bank received a perfectly legitimate request on a secure channel. The problem lies with the security of the originator, not the receiver.

If no second factor of authentication was required for the Central Bank of Bangladesh’s transactions, then the hackers could meet Swift’s requirements by using the information they stole from the Bangladesh bank.

From N.Y. Fed Points Finger at Swift in $80 Million Cybertheft | American Banker

This seems cut-and-dried to me. If a bank gets an instruction to transfer, and that instruction has the appropriate digital signature, then the bank should execute the instruction. Clear. End of story. Me telling my bank to send money to somewhere, even if that somewhere is the Dunkin’ Donuts at the main railway station in Minsk, is the same as me sending my bitcoins from my wallet. The bank should just do it and if I’m sending it to crooks, that’s my problem. Right? Well, there was some controversy about this recently when a senior British policeman said that we may need to reconsider the distribution of responsibilities and liabilities around online financial services to help society tackle the tidal wave of fraud.

Metropolitan Police chief Sir Bernard Hogan-Howe said that the system “rewards” the public for being lax about internet security.

From Sir Bernard Hogan-Howe online fraud refund claim provokes anger – BBC News

Alan Woodward from the Department of Computer Science at our neighbours the University of Surrey responded to this on his blog.

I might have put the point slightly differently (something more like “One is not necessarily incentivised to protect oneself at present”) but essentially I think he had a point. 

From Cyber Matters: Was Met Police Chief Right?

I said something similar on the BBC’s “World Tonight” [here at 18:50], pointing out that Sir Bernard was commenting on the well-known economic principle of “moral hazard”. If I write my PIN number on the back of my debit card and then lose the card, I have surely contributed to the subsequent looting of my account. It doesn’t seem right that people who carefully guard their PIN numbers should have to contribute to my retribution. 

So does that get the banks off the hook? Does it mean they don’t need to spend money on cyber security? No, it doesn’t. The essence of the argument is that customers should be refunded unless they are negligent. But what constitutes “negligent”? Sir Bernard said that people who don’t choose a good password are negligent, but I think he’s wrong about this. What’s negligent is pretending that passwords are any form of security. Whether you chose a long password or not makes essentially no difference. The pie chart of typical bank fraud losses would, I’m sure, show that social engineering and malware are the dominant sources of loss and choosing a longer password, passwords with a number in or passwords with a chemical symbol at the beginning and a sign of the Zodiac at the end won’t help one way or the other.

Under the principle of Strong Customer Authentication (SCA) banks are supposed to implement two-factor authentication (2FA) so if a bank allows you to access your bank account using only a password then it’s the bank that is being negligent, not you. As I said in that interview, if we want to make progress on this we have to move away from passwords. If a fraudster tricks me into sending them money and I do all the proper authentication with the bank, then they will send the money to the fraudster because I told them to. In this case, the bank isn’t being negligent – it’s my fault. Tough luck. Hard cheese.

But…

Is that what we really want? Doesn’t that make it too easy for the fraudsters? Do we want Grandma to be able to lose the house by pressing the wrong button after a dodgy e-mail? Nick is right: when you think about it, the public don’t really want “frictionless payments” at all, do they? So what is the appropriate level of friction? I’m genuinely curious to hear what you think about this.

Open-loop payment in transit

In my previous blog, I talked about the trends in smart ticketing systems leading to account-centric and open-loop payments which I want to consider in more detail in this blog.

‘Open-loop’ Payments

‘Open-loop’ is the term used for transit payment instruments which can also be used for generic payments outside of the transit system. By contrast, traditional transit payment smart cards (such as Oyster in London) have required customers to convert their money to transit-only funds stored in a transit account and used to pay for travel. Customers have been prepared to do this because of the benefits of speed of access to the transit system without having to stop to purchase tickets. However, the down-side is that they have to periodically load funds to their CTCs, such funds then being unavailable for other purposes unless a refund from the CTC is sought.

There are many payment instruments emerging, but the one which is currently most ubiquitously accepted by merchants is EMV, the smart debit and credit standard used by the large payment networks including MasterCard, Visa and American Express whose members are the banks. These Payment Schemes are currently lobbying the transit sector for their open-loop cards to be accepted as payment instruments within transit.

This approach has the obvious benefits that (i) fewer CTCs need to be issued by the transport operator, and (ii) customers can arrive in a city from anywhere in the world and travel using the bank cards in their pockets.

The leading example of open-loop payments in transit is London where all Oyster readers have accepted contactless EMV (cEMV) payment cards from across the globe since 2014. Other transit schemes already committed to rolling out acceptance of cEMV open-loop payments include the national OV-Chipkaart scheme in the Netherlands and MTA in New York.

UKCA Transit Framework Model

The country with the most practical experience of a large-scale open-loop payment transit deployment is the UK, and, in particular, Transport for London which now sees more than one million journeys per day using ‘contactless payment cards’, the generic term used to describe all EMV-compliant contactless devices, including ApplePay.

The deployment in London was pioneering and occurred before any models existed for cEMV use in transit. Subsequently, a payment model framework has been developed by the UK Cards Association (UKCA) in conjunction with the transport industry. The Association’s members issue the vast majority of debit and credit cards in the UK.

UKCA has identified three models which are described below. Two of the models are ‘pay as you go’ (PAYG) and the third model assumes that a ‘travel right’ or PAYG balance has already been purchased.

The important point to understand is that UKCA models 1 and 2 exploit EMV payments and are therefore bound to EMV-issuing banks, which are communicated with via the Merchant Acquirer. These models are different from transit account-centric solutions which could accept pre-payment from any payment instrument, not just bank cards. Furthermore, the ‘token’ used to identify the passenger in the account-centric solutions can be either an open-loop (CPC) or a closed-loop (CTC) token.

This last point is important in relation to ‘unbanked’ passengers. It has been shown (e.g. Ventra in Chicago) that cEMV technology cards can be issued to the unbanked and used as smart ticketing ID tokens to access pre-purchased transit products.

Developing services that change people’s lives

One of the most exciting things about working here at Consult Hyperion is that you are involved in the design and delivery of services which have a huge impact on people’s lives. My family moaned when I asked the taxi driver that took us from the airport into Nairobi whether he used M-PESA. However they were soon having similar conversations as they realised how important the service is to every Kenyan they met. More recently they have accused me of being responsible for “card clash” on the London Underground and have resorted to buying shielded wallets to ensure that TfL only take money from the Oyster Cards that I fund!

Sat here as I am at the AidEx conference in Brussels, surrounded by the great and good of the Humanitarian Aid community, I feel that Consult Hyperion is on the verge of delivering yet another life changing service.

The refugee issue is a regular topic of discussion across all media. Most stories focus on the plight of the individuals walking across Eastern Europe. However there is a growing awareness of the impact of so many refugees on the local economy. For example Alex Forsyth, reporting for the BBC’s From Our Own Correspondent, highlighted that the holiday season in Lesbos has been extended, as people descend on the island to help the refugees arriving by sea.

The conversations in Brussels have focused on the need to provide aid to the refugees in the form of cash-based payments, rather than physical goods, such as rice or tents. The argument goes that if the refugees have the funds to buy the goods, then the entrepreneurs in the host country will invest in the distribution channels to ensure that the goods that the refugees need are where they want to buy them.

The trouble with cash is that it has a tendency to evaporate, i.e. not all the intended funds reach the recipient, even if it is transported into the region in 40 foot steel shipping containers on the back of a truck.  As we discovered in Nigeria the principal alternative, paper vouchers, have some major disadvantages. They are difficult to manage in large numbers; they must be printed by specialist printers; they have to be ordered significantly in advance; they have to be the right value to allow the refugee to spend all the funds in one visit to the merchant, even when the local currency is devaluing; the merchant and the agency running the scheme have to reconcile the vouchers before the funds can be provided to the merchant; and the used vouchers have to be stored in case of dispute.

Recognising this, there is growing support within the Humanitarian Aid community for the use of Cash Based Transfers (CBTs), essentially smartcard based e-money schemes, which can be rapidly established in times of crisis and in which the reconciliation process can be done automatically in the Cloud. The trials to date have focused on prepaid card schemes. But these also have significant disadvantages, since they require access to expensive payment terminals designed to operate in clean retail environments typically found in urban areas, whilst creating a huge problem with cash liquidity in the local community.

Groups of representatives from the Humanitarian Aid community under the auspices of Electronic Cash Transfer Learning Action Network (ELAN), the Cash Learning Partnership (CALP) and the High Level Panel on Humanitarian Cash Transfers, sponsored by DFID, have analysed these trials and documented their requirements for CBT solutions.

Reviewing these with the retail payment experts within Consult Hyperion it became apparent we had already developed many of the building blocks required to deliver the Humanitarian Aid community’s ideal CBT solution:-

•  A proven, robust and scalable beneficiary registration and voucher distribution service, The TAP Platform, which was used to register in excess of 500,000 subsistence farmers in Nigeria’s northern states to the Ministry of Agriculture and Rural Development’s GES voucher scheme. The transparent nature of the information stored within the system allowed us to remotely identify incorrect or fraudulent activity within the system and initiate remedial action accordingly.

•  Mobile applications which can be used to complete transactions initiated by tapping a smartcard to the merchant’s mobile phone, replacing the payment terminals and removing the need for physical cash.

•  AML/KYC compliance solutions developed for use in regions where regulatory supervision is limited, such as Somalia.

•  A group of ethical hackers who could validate the security of the end to end service.

The result is TeMS (the TAP e-Money Service), which we are launching at the AidEx conference. Our market research tells us that TeMS will make it easier for the Humanitarian Organisations to rapidly and securely deliver cash payments in areas with limited or no communications or electricity.

But there is a lot more behind that simple statement. The local community will be more inclined to welcome the recipients as they will bring income into the region. The teams delivering the aid will be able to focus on the financial awareness of the merchants and recipients, helping them to learn how to plan and save, rather than spending time reconciling paper vouchers or ensuring that there is sufficient cash in the region. Donors will have access to detailed information about who is receiving what aid and where, allowing them to respond to the growing demand for value for money information from their local media.

My hope is that my daughter, who is planning to spend time within the Humanitarian Aid Community when she graduates from medical school, will again be able to ask the people she is working with how a product Consult Hyperion developed has changed their lives.

When is an acceptance mark not a mark of acceptance?

As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.

The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.

What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)

But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

It was twenty years ago today

Last week saw an important anniversary. I’m sure you are all thinking of July 4th, a date that is very important to many people because it is the anniversary of the birth of The Clash, who played their first live gig on 4th July 1976. For the older generation, of course, it is remembered for another reason: the end of food rationing in the UK on 4th July 1954. And it’s also, as the British Embassy in Washington so kindly reminded us all on the day, the 150th anniversary of the publication of Alice in Wonderland and should therefore be celebrated in all literate nations. But for me, there is a much more important and personal anniversary. Here is the front page of the Swindon Evening Advertiser from 4th July 1995, the day I finally made the front page of my home town newspaper.

Mondex Launch

The front page news? That Swindon had become forever embedded in the history of the technology of money.

I was there on 3rd July 1995 in Swindon town centre when Evening Advertiser vendor Mr. Don Stanley (then 72) made the first ever live Mondex sale.

[From Digital Money: Read all abaht it: retailers don’t really like cash]

And here is the photographic evidence of same — in case you don’t happen to have a copy of that Swindon Evening Advertiser — as I emerge Zelig-style from the crowd to watch Don take the cash. It was a very exciting day because by the time this launch came, we at Consult Hyperion had been working on the project for some years (and for the first three or four years it was entirely in secret).

I went along on the twentieth anniversary, hoping to find a plaque marking the spot or a smart card embedded in the pavement or something. What I actually found was… nothing. This brought a tear to my eye as my home town’s special place in the history of financial service technology appears to have been wiped from the collective memory.

Mondex Corner

So for those of you who don’t remember what all of the fuss was about: Mondex was an electronic purse, a pre-paid payment instrument based on a tamper-resistant chip. This chip could be integrated into all sorts of things, one of them being a smart card for consumers. Somewhat ahead of its time, Mondex was a peer-to-peer proposition. The value was transferred directly from one chip to another with no intermediary and therefore no cost. In other words, people could pay each other without going through a third party and without paying a charge. It was true cash replacement.

The Mondex Card was invented at National Westminster Bank (NatWest) in 1990 by Tim Jones and Graham Higgins. In December 1993, (NatWest) launched Mondex, then called a “smartcard” as a form of electronic cash based on the technology they developed. The next series of Mondex cards were issued in a joint development pilot with Midland Bank (part of HSBC) also in the UK and British Telecom (BT) in Swindon (a town of around 300,000 people, approximately 70 miles west of London).

[From Visa Cash and Mondex Cards – Mondex – United Kingdom]

Swindon had been chosen as, essentially, the most average place in Britain. Since I’d grown up there, I was rather excited about this, and while my colleagues carried out important work for Mondex (e.g., risk analysis, specification for secure transfer, multi-application OS design and such like) I watched as the fever grew out in the West Country.

Mondex Billboard

When the day came, there was pretty good geographic coverage. The shops needed special POS terminals and they also needed special “unlock” terminals, so it was quite a hassle for them. The cards could be locked using a four digit pass code, something that customers had requested in focus group discussions. But the only way to lock the cards was using the hardware electronic wallets and the phones that few customers had. Therefore all of the shops that accepted Mondex had to be fitted with a lock/unlock device. As it turned out, customers never bothered locking their cards and never used the lock or unlock stations, but it was the fact that the lock existed and that the lock/unlock stations were visible that gave them confidence in the system.

More than 700 of Swindon’s 1,000 retailers adopted Mondex: an impressive tally. Shopkeepers and publicans loved it as they didn’t have to mess around with change or cart sack-loads of coins to the bank. But the public, by and large, weren’t buying it. Swindon never became anything like a cashless society.

[From How smart was that? (From Swindon Advertiser)]

That’s an interesting comment. Many of the retailers were quite enthusiastic because there was no transaction charge and for some of them the costs of cash handling and management were high. I can remember talking to a hairdresser who was keen to get rid of cash because it was dirty and she had to keep washing her hands, a baker who was worried about staff “shrinkage” and so on. The retailers were OK about it.

“From a retailer’s point of view it’s very good,” said news-stand manager Richard Jackson. “But less than one per cent of my actual customers use it. Lots of people get confused about what it actually is, they think it’s a Switch card or a credit card.”

[From Welcome to Mondex City – Life & Style – The Independent]

It just never worked for consumers. It was a pain to get hold of – I can remember the first time I walked into a bank to get a card. I wandered in with 50 quid and had expected to wander out with a card with 50 quid loaded onto it but it didn’t work like that. I had to set up an account and fill out some forms and then wait for the card to be posted to me. Most normal people couldn’t be bothered to do any of this so ultimately only around 14,000 cards were issued. I also pulled a few strings to get my mum and dad one of the special Mondex telephones so that they could load their card from home instead of having to go to an ATM like everyone else. British Telecom had made some special fixed line handsets with a smart card slot inside and you could ring the bank to upload or download money onto your card. I love these and thought they were the future! My parents loved it.

The main reason why they loved it was nothing to do with Mondex: it was because, in those pre-smartphone days, it was a way of seeing your account balance without having to go to the bank or an ATM or phone the branch.

[From E-cash in the attic | Consult Hyperion]

You could put the Mondex into the phone and press a button and hey presto your account balance would be displayed on the phone. This was amazing two decades ago. For the poor sods who didn’t have one of those phones (essentially, all Mondex card users) the way that you loaded your card was to go to an ATM. Now, the banks involved in the project had chosen an especially crazy way to implement the ATM interface. Remember, you have to have a bank account in order to have one of these cards and so that meant that you also had an ATM card. So if you wanted to load money onto your Mondex card, you had to go to the ATM with your ATM card and put your ATM card in and enter your PIN and then select “Mondex value” or whatever the menu said and then you had to put in your Mondex card. Most people couldn’t be bothered. If you go to an ATM with your ATM card then you might as well get cash, which is what they did.

In September of 1995, twelve Mondex ticket machines were installed in 6 car parks. Four months later, card readers were installed in 80 metropolitan buses that, in May 1996, offered reduced fares for Mondex users.

[From Mondex International: Reengineering Money]

It is possible that I’m not remembering this absolutely accurately, but I do remember these are the two places where the hassle of getting the electronic value outweighed the hassle of using cash. My dad really liked using the card in the town centre car park instead of having to fiddle about looking for change but it often didn’t work and he would call me to complain (and then I would call Tim Jones to complain!). I remember talking to Tim about this some years later and he made a very good point which was that in retrospect it would have been better to go for what he called “branded ubiquity” rather than go for geographic coverage. In other words it would have been better to have made sure that all of the car parks took Mondex or make sure that all of the buses took it or whatever. Sadly, the car parks still take cash (and when I pulled in to park, I didn’t have any, so I had to leave the car and go to a shop to get change and then come back to the car).

Parking

Note that the machine doesn’t take cards: the mobile phone has become the key cash alternative. More on this later. Meanwhile not only did the car parking machine still take cash, and not only had Mondex vanished without trace, but I couldn’t find anyone else gathered in the square to celebrate this remarkable episode in Swindon’s history.

Selfie at Mondex Corner

I turned and began a disconsolate nostalgia-fuelled stroll around The Brunel Centre. I can remember when this opened in 1973, a cathedral dedicated to modernity that represented the transformation of provincial life. A shopping mall! Watching real bands at The Brunel Rooms! And that is where I made the amazing discovery that to this day Swindon remains a place where retailer-led experiment in the payment systems of the future is ignored by the general population. I saw this with my own eyes. First, I was genuinely shocked to discover a shop advertising that they take Bitcoin!

Bitcoin in Swindon

I couldn’t resist it. Bitcoin wallet to the ready on my iPhone, I picked up an item of merchandise and approached the check out. I asked the guy if they did indeed take Bitcoin as advertised. He confirmed that they did. I asked him if anyone had ever paid with Bitcoin before and he said that they had not. So I waved my phone and attempted to claim their Bitcoin cherry. Unfortunately, no-one could remember the password to their Bitcoin wallet. They went off to get the manager, but he couldn’t remember either. So I paid with a MasterCard. It appears that neither Bitcoin nor Mondex have turned the heads of the moonrakers to the extent that they might provide a viable cash replacement option in popular retail outlets.

Then I had an idea. Surely the Museum of Computing, located a stone’s throw away from where the Mondex launch took place, would have an exhibit on this famous attempt to eradicate cash! Emboldened by the C5 they had parked outside, I strolled in and asked, but the young persons on the desk had not the slightest idea what I was talking about. I might as well have asked them if they had a cheque or a tally stick on display. (Actually, as it transpires, there is a Mondex card in the museum but they didn’t know about it.)

The Museum of Computing

So Mondex didn’t take a chunk out of cash. It’s still around. “The death of cash has been greatly exaggerated,” the British Retail Consortium said only this week, reporting on their latest figures.

Consumers used 4.5 per cent less cash on high street and supermarket shopping in 2014 than they did the year before, while the number of transactions using cash dropped by 0.9 per cent to 52 per cent.

[From Death of cash? British Retail Consortium says the imminent arrival of a cashless society has been “greatly exaggerated” | City A.M.]

At the time of the Mondex launch, cash accounted for more than two-thirds of retail transactions. Now it’s half. There is progress, but it’s not because of electronic purses. So what are the lessons that Bitcoin and its descendants can draw from a study of the Swindon experiment?

I guess there are three things that I think about it looking back with perfect hindsight.

The first lesson is that banks are very probably the wrong people to launch this kind of initiative. Our experiences with (for example) M-PESA suggest that a lot of the things that I remember that I was baffled and confused by at the time come down to the fact that it was a bank making decisions about how to roll out a new product. The decision not to embrace mobile and Internet franchises, the decision about the ATM implementation, the stuff about the geographic licensing and so on. I can remember when the publicans of Exeter asked the banks to install Mondex terminals in the pubs since all of the students had cards and the bank refused on the grounds that the University’s electronic purse was only for use on campus. Normal companies don’t think like this.

In retrospect, it seems clear to me that one of the key problems with these “ahead of their time” cash-replacement products was, oddly, that they were produced by banks.

[From Money museum | Consult Hyperion]

There were many people who came to the scheme with innovative ideas and new applications – retailers who wanted to issue their own Mondex cards, groups who wanted to buy pre-loaded disposable cards and so on. They were all turned away. I remember going to a couple of meetings with groups of charities who wanted to put “Swindon Money” on the card, something that I was very enthusiastic about. But the banks were not interested.

The second lesson is that the calculations about transaction costs (which is what I spent a fair bit of my time doing) actually really didn’t matter: they had no impact on the decision to deploy or not to deploy in any particular application. I remember spending ages poring over calculations to prove that the cost of paying for satellite TV subscriptions would be vastly less using a prepaid Mondex solution rather than building a subscription management and billing platform and nobody cared. I went to present the findings to a bank that was actually funding satellite TV roll out at the time, BT who were providing the backhaul and the satellite TV provider. Nobody cared. The guys at the bank told me that they didn’t have the bandwidth for it (which meant, I think, that they had no interest in spending money so that another part of the bank might benefit). The banks with big acquiring operations were being asked to compete against themselves and they didn’t care either. The transaction cost, which I thought was the most important factor, really wasn’t one of the drivers.

Back in 1995, I was wrong about the imminent arrival of stored-value smart cards in the mass market. I was just as wrong as the director of the US Mint, but for a completely different reason. I had simply made a calculation that told me that the cheapest way to move money around over a ubiquitous and inexpensive digital network was using tamper-resistant chips at each end of the transaction to secure the system.

[From He was wrong, but so was I | Consult Hyperion]

Now we know, of course, that those tamper-resistant chips will be in mobile handsets and that they will be nothing to do with the banks (or, for that matter, the mobile operators either). We were right about the architecture and the need to anchor digital money in physical security, but wrong about who the builders would be.

The third lesson is that while the solution was technically brilliant it was too isolated. The world was moving to the Internet and mobile phones and to online in general and Mondex was trying to build something that was optimised not to use any of those. At the time of the roll-out, I had an assignment for the strategy department of the bank to provide technical input to a study on the future of retail banking that one of the big management consultancies was working on. I remember being surprised that it didn’t mention the Internet, or mobile phones or (and here’s something that I thought would be big!) digital TV. Most of their work as far as I could see was on redesigning the furniture in the branches. Mondex was designed to be the lowest-cost peer-to-peer offline electronic cash system at exactly the moment that the concept of “offline” began to fade. It was not alone in failing to react to this fundamental change.

it’s an interesting point to consider with hindsight: why did we make systems such as Danmont, Mondex, VisaCash and use them to compete with cash in the physical world rather than use them in the virtual world where there was no cash?

[From Making a silk e-purse | Consult Hyperion]

This was clear to me very early on in the experiment. This isn’t hindsight: I drew the same lesson from the Mondex pilots in Canada and the USA as well. The banks put Mondex terminals in places where they already had card terminals that worked perfectly well.

you could use Mondex cards in Swindon in the places that acquired bank-issued payment cards (eg, supermarkets) but not in places where digital cash had a real competitive advantage: on the Internet, in vending machines and at the corner newsagents.

[From My generation | Consult Hyperion]

I hope I’m not breaking any confidences in saying that I can remember being in meetings discussing the concept of online franchises and franchises for mobile operators. Some of the Mondex people thought this might be a good idea, but the banks were against it. They saw payments as their business and they saw physical territories as the basis for deployment. Yet as The Economist said back in 2001…

Mondex, one of the early stored-value cards, launched by British banks in 1994, is still the best tool for creating virtual cash.

[From Dreams of a cashless society | The Economist]

Now, at the same time that all this was going on at Mondex, we were working for mobile operators who had started to look at payments as a potential business. These were mobile operators who already had a tamper-resistant smart card in the hands of millions of people and so the idea of adding an electronic purse was being investigated. Unfortunately, there was no way to start that ball rolling.

you couldn’t just put Mondex purses into the SIMs, you had to get a bank to issue them. And none of them would: I expect they were waiting to see whether this mobile phone thing would catch on or not.

[From I wonder if mobile phones will really catch on? | Consult Hyperion]

Look at how it’s gone trying to get banks to use operator SIMs for NFC. Mondex didn’t begin to experiment with the Internet for another year and even then it was severely hampered by the lack of standards for online commerce and payments. I can remember many happy hours around the table with a variety of organisations working on what became “Internet Open Trading Protocol” (IOTP) in an attempt to get something going here, but it never took off. And besides, there were already alternatives up and running (DigiCash went live a year before Mondex). In a fragmenting market, which now had Visa and MasterCard backing different horses, the proposition started to disintegrate.

So, for a variety of reasons, Mondex never caught on. It never got even half of the 40,000 hoped-for users in Swindon and usage remained low. Two decades on, the contactless debit card and the mobile phone (and in a week or so the combination of the two in Apple Pay) continue to displace cash, yet we still don’t have a mass market cash alternative on the web (yes, I know, Bitcoin, whatever), and prepaid card propositions, while still expensive (because they use the existing debit rails), are widespread. A decade from now strong authentication, privacy propositions, push payments and immediate settlement networks will achieve what Mondex set out to do and reduce cash to a rump payment mechanism (down to perhaps a third of transactions by volume and a tenth by value) and make person-to-person electronic payments safe and simple.

On 3rd July 1995, I thought I was witnessing the dawn of the new era of financial services. In actual fact, that happened a month later with the Netscape IPO on 9th August 1995.

Another report on falling cash usage in the UK

My son and I have been out and about, living the life of normal folk who don’t care about payments. We made a couple of cash payments and we made a couple of non-cash payments. We didn’t, however, make any chip and PIN or contactless or swipe payments.
