Category: Political, legal and regulatory

Crossing continents for knowledge sharing

13th November 20177th August 2020by John ElliottLeave a comment

Chyp believes that collaboration and knowledge sharing across markets can help the advancement of the industry and this is particularly true in transport ticketing. For example, we have found that our work for TfL with a large population and high journey count is not all directly applicable to smaller countries who cannot make such significant investments in infrastructure to serve small populations.

Recently, we have been working for MMRDA in Mumbai, India. While the environment is very different in some respect, compared to the UK, they have large passenger numbers and administer a system that makes extensive use of private transport operators, two factors similar to Transport for the North (TfN).

Sharing knowledge not only helps speed to market of deployments but creates a trusted environment and one with credibility. MMRDA asked Chyp to facilitate meetings for them in the UK with transport operators and suppliers in order that they could learn from those who have done it before or are planning to deliver a similar project. The result was a tour of the UK starting in London and taking in Transport for the North. The picture above shows the meeting which was held in Leeds and included presentations from:

Transport for the North

Alastair Richards (Director Integrated and Smart Travel (IST))
Jo Tansley Thomas (Programme Manager (IST))
John Elliott (ABT Back Office Requirements Team Lead (Consult Hyperion))

MMRDA

Ashish Chandra (PWC India)

Partnerships are hard to form. We hope that MMRDA will benefit from the organisations they met and their sharing in experience planning and deploying ABT in complex environments in the UK, remembering that differences can be as important to learn as similarities.

From “Top of Wallet” to “Front of Phone”

10th August 2017by Consult HyperionLeave a comment

Over the last few weeks, I have been working with the team inside Consult Hyperion trying to understand the potential impact of the European Union’s PSD2 regulation on our clients’ business. One thing is for certain: it has generated a large number of not-quite-three letter acronyms that will ensure high scores in any game of Acronym Bingo running during a presentation on the subject.

It is clear that the Account Service Payment Service Provider’s (ASPSP or bank to you and me) mobile application will play an important role in any PSD2 compliant transaction. Every time I want to make a bank to bank payment to a new payee, a message will appear in my mobile banking application asking me to verify the transaction and authenticate myself. Will this be the reason I need to keep the mobile banking application on my phone?

Personally, I sit down once a month in front of a computer to do my expenses and pay my bills. I have sufficient standing orders to maximise the return on my Santander 123 account. The rest are settled using Faster Payments, when there are sufficient funds in my account. Being a payment geek, over the years I have loaded several banking applications and PingIt onto my phone. None of these survived the transfer to my next phone as I was not using them. The alternative (my PC and contactless Amex card) are more convenient or deliver the customer experience I need. But perhaps that is changing.

At Consult Hyperion’s excellent Tomorrows Transactions Forum in London earlier this year, Greg Wolfond, CEO of SecureKey, outlined the customer experience to be delivered by the blockchain-based digital identity and attribute sharing service they are building in Canada, with the support of local banks. At the centre of this service was a push notification from the bank, via their mobile banking application, that a third party wanted confirmation of my age or address and a request for permission for the bank to share those details with the third party. To me the bank is the logical place to keep valuable personal information. Most have been doing it for over 100 years usually in the form of paper documents – birth, marriage certificates and Land Registry Property Deeds. However, in a connected world third parties need to be able to access this information when I give them permission. This process must be instantaneous, as I am likely to be on the third party’s website or in their store signing up for a service when the request comes through. I will be in a similar place when I want to make a PSD2 compliant payment.

Earlier this summer, I sold the last of my larger toys, a Laser 1 dinghy. Kids have left home, wife prefers to ramble with the dog, sailing club just too far away, water too cold …. The list of reasons why I should keep it was getting too long.

I posted the boat on Apollo Duck, (think eBay for the sailing community) assuming people would come to view it, we would agree a price, they would give me a cheque, I would bank it and they come back a week later to pick up the boat, when the funds were in my account. Everything was going to plan, until it came to payment. Rather than pull out a pad of paper, he opened his Barclays’ mobile banking application, asked for my bank details and transferred the funds using Faster Payments. Five minutes later the funds were in my account and we were packing the boat up for him to take away. The whole process, from viewing to take away was reduced from 7 days to just over 90 minutes. We did not move from my front lawn, except to access my PC to check that the funds had gone into my account.

This appears to have been the vision of those very clever people in the European Union when they drew up the PSD2 regulations. However, is the mobile banking application the right channel for such services?

In the UK smartphone penetration rates are around 81% of all mobile phone users. However, this figure varies according to the subscribers age, from 90% of subscribers aged between 16 and 24 to 18% of those over 64 . The older generation are likely to have more savings spread across multiple products from multiple providers. If they prefer not to load the mobile banking application onto their phone are there alternative solutions which they can use to authenticate themselves to multiple ASPSP?

Barclays UK does a very good job verifying me using my payment card and their PinSentry device or mobile application across all the channels that I access their services. I can also use the PinSentry device with cards from other banks which support the CAP User Interface Specification, but don’t tell Barclays. There are other solutions from organisations such as FiTeq which remove the need for the separate CAP reader and the payment schemes who are promoting the use of their 3D Secure service for use with other payment solutions.

One of the drivers behind PSD2 was to drive innovation and competition. Is SCA the first place we will see this?

AMLD4.1, AMLD5 or 5AMLD?

5th July 2017by Consult HyperionLeave a comment

I recently came across a statistic that surprised me.

Approximately 50% of new bank accounts are opened by customers that have recently arrived in the UK to work or study.

http://www.openidentityexchange.org/wp-content/uploads/2016/10/Digital-Identity-Across-Borders-FINAL-Feb2016-2.pdf

I had wrongly assumed that the majority of new bank accounts openings in the UK would be from students just about to go off to University, like my son, and that migration whilst high (as the media keeps telling us) would still be a minority. But based on some back-of-the-envelope calculations it appears that the 50% number is about right.

As the OIX report above points out, these new arrivals in the UK are very difficult to perform KYC (“Know Your Customer”) on due to the lack of data. They have no history in the UK. This is exactly where eIDAS should be able to step in. For example, a person arriving from France should be able to use their French government-issued eID as one piece of evidence to help meet KYC requirements. The proposed new AML legislation – the amendment to the fourth AML directive – which I have seen referred to as AMLD4.1, AMLD5 and 5AMLD, explicits call out to eIDAS as a potential solution.

There are however some issues with this:

Firstly, to become part of the eIDAS scheme, governments have to “notify” their eIDs into the scheme. To date only Germany has done so.

Secondly, eIDAS provides a switching infrastructure that makes all eIDs interoperable but initially this will only available to the public sector. If a private sector organisation, such as a bank, wishes to leverage an eID it will need to find another way to access or read it.

Thirdly, the mobile channel is becoming increasingly important with banks needing to be able to onboard customers directly in that channel, as well as performing identification and verification of existing customers when provisioning a mobile app. Several of the existing eIDs are smart-card based. These will only be readable by phones if the cards themselves are contactless (which many of them are). They will not however be readable on iPhones, even with the limited opening up of the NFC interface expected in iOS11.

There is clearly therefore a need for some alternative mobile based technology. Fortunately such technology exists in the form of mobile document and selfie capture and verification. One of the vendors in this space, Mitek, kindly commissioned Consult Hyperion to write a paper on this very topic which I had the privilege of presenting at Money2020 last week. You can download the paper here:

Payments and passports

23rd January 2017by Consult HyperionLeave a comment

The new administrations in the UK and USA are apparently planning to work together to create a new transatlantic America First / Buy British trade alliance. This will, it seems, include financial services.

A deal to reduce barriers between American and British banks through a new “passporting” system was being considered by Mr Trump’s team

From Donald Trump plans new deal for Britain as Theresa May becomes first foreign leader to meet new president since inauguration

Now what this passporting might mean is anyone’s guess, since this is just a newspaper story based on gossip, but I think it might be a little more complex to arrange than it seems at first because of the nature of banking regulation in the United States. If a British bank were to get a US banking passport this would presumably be equivalent to the implicit granting of a national bank charter and state regulators do not seem enthusiastic about the granting of more national bank charters. We know this, because at the end of 2016 the US Office of the Comptroller of the Currency (OCC) said that it was going provide a new national bank charter for fintech companies.

“The OCC will move forward with chartering financial technology companies that offer bank products and services and meet our high standards and chartering requirements,” said Comptroller of the Currency Thomas Curry

From OCC Grants New Charter to Fintech Firms — with Strings Attached | American Banker

The reason for wanting to do this is obvious: right now, if I want to create a competitor to Venmo or Zelle, I have to either have to be regulated as a payment processor and have regulated banks involved or go and get regulated by 50 different state regulators under 50 different regulatory regimes, most of which remain rooted in a previous, pre-internet age. This seems anachronistic. Surely an American company should be able to a get a licence and get going. Well, the OCC’s proposal is attracting a lot of negative comment.

A turf war is brewing between US state and federal regulators over oversight of the financial technology sector after New York’s top watchdog sent a stinging letter to the Office of the Comptroller of the Currency (OCC), telling it to back off plans for a national bank charter for fintech firms.

From New York regulator blasts OCC over bank charter plan for fintech fi…

Now I saw a few comments about this and other responses from state regulators that cast them in the role of Luddites standing in the way of progress but I have to say I agree with them. I mean, I am not a lawyer or anything, I don’t really understand US banking regulation and I couldn’t make any sensible comments on the proposals myself, but I think that the US regulatory environment is broadly speaking unfit for purpose and might benefit from at least a cursory examination of the direction of regulation in one or two other jurisdictions including Europe, for example and India.

The fundamental problem with the OCC proposals to my mind is that they are about a national charter for banking as a whole. They do not distinguish between the payments business and other parts of the banking business. Hence the charter means extending systemically risky credit creation activities in new directions. I don’t see any immediate problem that this solves. And the state regulators may well be right that it potentially makes the problems associated with banking regulation much worse.

Connected to this is the worry that a national charter would encourage large ‘too big to fail’ institutions – a small number of tech-savvy firms that dominate different types of financial services simply because they are able to get a national charter.

From New York regulator blasts OCC over bank charter plan for fintech fi…

Whatever you think about Facebook they are not too big to fail. If Facebook screw up and lose a ton of money and go out of business then that is tough luck on their employees and their shareholders but it’s nobody else’s problem. That’s how capitalism is supposed to work. But if Facebook obtained a national banking charter they would immediately become too big to fail and no matter the greed or incompetence of their management, the government will be on the hook to bail them out just as the Roman senate was forced to bail out the banks there two millennia hence.

(In case you are curious, in 33BCE the emperor had to create 100 million sesterces of credit (a trifling couple of billion dollars in today’s money) through the banks to save them from collapse. Plus ca change, as they didn’t say in Ancient Rome).

If you look at what is happening in other jurisdictions, what you see is a separation of payments and banking so that the systemically less risky payment activities, which many people see as somewhat less than optimal in the world’s largest economy, can be reinvigorated while the systemically more risky credit business and investment banking business are left alone. In the European Union there is the regulatory category of the payment institution (PI). In Europe, Facebook is therefore a payment institution and not a bank. They don’t want to lend people money, they want to facilitate buying and selling and for that they need access to core payment systems and that’s all to the well and good. Similarly, in India, the regulator created the new category of payment bank (PB) so that mobile operators and others could start providing electronic payment services to what will soon be the world’s most populous nation.

The reasons for going down this path are entirely logical. If you leave innovation to the banking system then you end up in the situation of India as was or Nigeria as it is. A huge population, phones everywhere, talented and entrepreneurial people, huge and unfulfilled demand and… Nothing happening. I’m sure you’re all utterly bored with me reminding you, but the key innovations in technology in banking do not originate in banks. That’s the nature of the beast. The four digit PIN code was invented by a Scottish engineer. The payment card was invented by New York lawyer. M-PESA was invented by a telco. Bitcoin was invented by… Well, for all I know, it may well have been the head of Citibank or programmer number 2216 in the North Korean army, but you get my point.

This is why I think that the OCC should leave the regulation of credit institutions where it is now and propose instead a new national charter for payment institutions amalgamating the European PI and Electronic Money Institution (ELMI). Allow these American Payment Institutions (let’s shorten this to APIs to avoid confusion) to issue electronic money but not to provide credit, allow membership of payment schemes (e.g., the UK’s Faster Payment Service, Visa and so on), ensure customer balances are held in Tier 1 capital and so on. This way, Apple and Verizon can apply for a national charter and start providing competitive payment services that will benefit businesses and consumers and the existing banks will just have to suck up the loss of payment revenues for the greater good.

The passporting of such institutions should be much less controversial than the passporting of credit institutions. Surely it will be to everyone’s benefit if the “fintech” passporting agreements give UK and EU payment institutions the right to operate nationally in the United States, in return giving recipients of my proposed American Payment Institution charter the right to operate in the UK and EU? This would allow innovation and competition in the fintech space without creating yet another financial time bomb that bankers will inevitably trigger.

The new PSR’s priorities

7th April 2015by Consult HyperionLeave a comment

The UK’s new Payment Systems Regulator is now open for business. I imagine that their highest priority work stream will be around access to payment systems, because this is what “challenger” banks need in order to create the more competitive environment that the UK Treasury wants.

Continue reading “The new PSR’s priorities”

What is “appropriate” AML?

1st December 2014by Consult Hyperion2 Comments

I’m not smart enough to know what the most appropriate AML rules are, but I think I am smart enough to know that the current rules are not.

Continue reading “What is “appropriate” AML?”

Regulation is more important than technology when it comes to strategy

11th November 2014by Consult HyperionLeave a comment

The biggest factor shaping the strategic plans of players in the European payments sector is regulation and right now understanding the impact of new regulation is far more important than understanding the impact of new technology.

Continue reading “Regulation is more important than technology when it comes to strategy”

Who does AML hurt?

5th November 2014by Consult HyperionLeave a comment

I’m hoping somebody can send me a plausible and documented cost-benefit analysis for anti-money laundering legislation but it’s proving difficult to find one. I’m not saying it’s a waste of money, I’m just saying that I don’t know whether it’s a waste of money or not. Please note this is a repost as the original was lost through a tear in the spacetime continuum.

Continue reading “Who does AML hurt?”

Special Report: Didn’t we have a lovely day, the day we went to the Italian Parliament

29th July 2014by Consult HyperionLeave a comment

Life is never boring at Consult Hyperion. If you’re not marvelling at a totally cool working prototype of HCE running over BLE on an unmodified iPhone, you’re in the Italian Parliament at their hearing on Bitcoin.

Continue reading “Special Report: Didn’t we have a lovely day, the day we went to the Italian Parliament”