Political, legal and regulatory - Consult Hyperion

Immobile

8th June 2011by Consult Hyperion2 Comments

There’s something odd about a conference on Mobile Money & Migrant Remittances held in a hotel with no mobile coverage and a $25/day charge for wifi, but despite that I thoroughly enjoyed popping along and meeting up with friends from around the world there. I was on the Strategy Panel covering financial inclusion, and this coincidentally, the day after I had been quoted in Warren’s “Washington Internet Daily“:

Mobile payment systems are often treated with a lighter regulatory touch than mobile banking, to reach as many users as possible, Birch said. The need to integrate the “unbanked” into society should “tip the value” toward less regulation of low-value transactions, he said.

An entirely accurate representation of my views. A correspondent wrote in response:

Very sensible words! Not sure if you have actually read FATF’s NPM report from October 2010, but it is actually pretty good, and recommends the right thing: a light KYC regime (including no verification) for specific low risk accounts, praising the power of transactions limits and monitoring.

As it happens, I hadn’t read the FATF New Payment Methods report, so I downloaded it to take a look and discovered some surprisingly sensible conclusions. By “New Payment Methods”, or NPM, the FATF means specifically internet payment systems, mobile payment systems and prepaid card products. My correspondent had noted, to my surprise, that some of their conclusions echo my own ranting on the topic: that is, a light-touch KYC regime (including no verification for specific low risk accounts), with attention paid to setting the right transaction limits and appropriate monitoring and reporting requirements. The report is based on a number of case studies, so the conclusions are based in practical analysis, however it must be said that they are probably not statistically utterly sound.

The project team analysed 33 case studies, which mainly involved prepaid cards or internet payment systems. Only three cases were submitted for mobile payment systems, but these involved only small amounts.

Personally, I found many of the case studies in chapter four of the report uninteresting. Yes, in some cases prepaid cards, or whatever, were used as a part of a crime, but in many of the frauds so were cash and bank accounts. One of the case studies concerned the use of multiple prepaid cards by an individual found to have 12 legally-obtained driving licences in different names (and $145,000 in cash). I’d suggest that cracking down on the driving licence issuing process ought to be more of a priority! The issue of access to transaction record is, I think, much more complicated than many imagine. You could, for example, imagine transaction records that are encrypted with two keys — your key and the system key — so that you can go back and decrypt your records whenever you want, but the forces of law and order would need to obtain a warrant to get the system key. Sounds good. But I might not want a foreign, potentially corrupt, government department to obtain my transactions for perfectly good reasons (like it’s none of their business).

The report says very clearly that the overall threat is “difficult” to assess (so some of the rest of it, I think, is necessarily a trifle fuzzy) but also that the anti-money laundering (AML) and counter terrorist financing (CTF), henceforth AML/CTF, risks posed by anonymous products can be effectively mitigated. I agree. And I also strongly agree with chapter three of the report notes that electronic records give law enforcement something to go on where cash does not. This is something that I’ve mentioned previously, both on this blog and in a variety of other fora, because I think it’s a very important point.

I said that I was not sure that keeping people out of the “system” was the best strategy (because if the terrorists, drug dealers and bank robbers on the run stay in the cash economy, then they can’t be tracked, traced or monitored in any way)
[From Digital Money: Anti-anti money laundering]

The report goes on to expand on the issue of mitigation and, to my mind, deals with it very well. It says that:

Obviously, anonymity as a risk factor could be mitigated by implementing robust identification and verification procedures. But even in the absence of such procedures, the risk posed by an anonymous product can be effectively mitigated by other measures such as imposing value limits (i.e., limits on transaction amounts or frequency) or implementing strict monitoring systems.

Why is this so important? As well as keeping costs down for industry and stimulating the introduction of competitive products, the need for identification is a barrier to inclusion. This link between identification and inclusion is clear, whatever you think about the identification system itself. India is turning out to be a fascinating case study in that respect.

The process would benefit beneficiaries of welfare schemes like old-age pension and NREGA, enabling them to draw money from anywhere as several blocks in Jharkhand have no branches of any bank and would save them from travelling to distant places for collecting money.
[From Unique numbers will save duplication in financial transactions – Ranchi – City – The Times of India]

But I can’t help cautioning that while customer identification is difficult where no national identity scheme exists, but there is a scheme it may give a false sense of security because obtaining fraudulent identities might be easier than obtaining fraudulent payment services in some jurisdictions or where officials from dodgy regimes (like the UK) are at work…

Prosecutor Simon Wild told the court Griffith abused his position by rubber stamping work permit applications that were obviously fake or forged using false names and references.
[From British embassy official ‘nodded through scores of visa applications’ | Mail Online]

For low risk products, then, the way forward is absolutely clear: no identification requirements, potentially strong authentication requirements and controlled access to transactions records. One small problem, though, that the report itself highlights: there are no uniform, international, cross-border standards for what constitutes a “low risk” product. But that’s for another day.

Finally, I couldn’t help but notice that the payment mechanisms that scored worst in the high-level risk table (on page 23) and therefore the one that FATF should be working hardest to crack down on is cash.

P.S. I apologise to the conference organisers for my radio silence during the event, but I belong to the #canpaywontpay tendency: I can afford $25/day for wifi (since I’m not paying, I just expense it to the compnay) but I won’t pay it, because it’s outrageous. No wifi means no twitter, no blog, no buzz. That’s not how conferences should be in 2011.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Do we really want a panic button?

2nd April 2011by Consult HyperionLeave a comment

The relationship between identity and privacy is deep: privacy (in the sense of control over data associated with an identity) ought to be facilitated by the identity infrastructure. But that control cannot be absolute: society needs a balance in order to function, so the infrastructure ought to include a mechanism for making that balance explicit. It is very easy to set the balance in the wrong place even with the best of intentions. And once the balance is set in the wrong place, it may have most undesirable consequences.

An obsession with child protection in the UK and throughout the EU is encouraging a cavalier approach to law-making, which less democratic regimes are using to justify much broader repression on any speech seen as extreme or dangerous…. “The UK and EU are supporting measures that allow for websites to be censored on the basis of purely administrative processes, without need for judicial oversight.”
[From Net censors use UK’s kid-safety frenzy to justify clampdown • The Register]

So a politician in one country decides, say, that we should all be able to read out neighbour’s emails just in case our neighbour is a pervert or serial killer or terrorist and the next thing we know is that Iranian government supporters in the UK are reading their neighbours emails and passing on their details to a hit squad if the emails contain any anti-regime comments.

By requiring law enforcement backdoors, we open ourselves to surveillance by hackers and foreign intelligence agencies
[From slight paranoia: Web 2.0 FBI backdoors are bad for national security]

This is, of course, absolutely correct, and it was shown in relief today when I read that…

Some day soon, when pro-democracy campaigners have their cellphones confiscated by police, they’ll be able to hit the “panic button”—a special app that will both wipe out the phone’s address book and emit emergency alerts to other activists… one of the new technologies the U.S. State Department is promoting to equip pro-democracy activists in countries ranging from the Middle East to China with the tools to fight back against repressive governments.
[From U.S. develops panic button for democracy activists | Reuters]

Surely this also means that terrorists about to execute a dastardly plot in the US will be able to wipe their mobile phones and alert their co-conspirators when the FBI knock on the door and, to use the emotive example, that child pornographers will be able to wipe their phones and alert fellow abusers when the police come calling. Tough choices indeed. We want to protect individual freedom so we must create private space. And yet we still need some kind of “smash the glass” option, because criminals do use the interweb tubes and there are legitimate law enforcement and national security interests here. Perhaps, however, the way forward to move away from the idea of balance completely.

In my own area of study, the familiar trope of “balancing privacy and security” is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of “balancing” leads people to view them as always in conflict. This is, I suspect, the source of much of the psychological appeal of “security theater”: If we implicitly think of privacy and security as balanced on a scale, a loss of privacy is ipso facto a gain in security. It sounds silly when stated explicitly, but the power of frames is precisely that they shape our thinking without being stated explicitly.
[From The Trouble With “Balance” Metaphors]

This is a great point, and when I read it it immediately helped me to think more clearly. There is no evidence that taking away privacy improves security, so it’s purely a matter of security theatre.

Retaining telecommunications data is no help in fighting crime, according to a study of German police statistics, released Thursday. Indeed, it could even make matters worse… This is because users began to employ avoidance techniques, says AK Vorrat.
[From Retaining Data Does Not Help Fight Crime, Says Group – PCWorld]

This is precisely the trajectory that we will all be following. The twin pressures from Big Content and law enforcement mean that the monitoring, recording and analysis of internet traffic is inevitable. But it will also be largely pointless, as my own recent experiences have proven. When I was in China, I wanted to use Twitter but it was blocked. So I logged in to a VPN back in the UK and twittered away. When I wanted to listen to the football on Radio 5 while in Spain, the BBC told me that I couldn’t, so I logged back in to my VPN and cheered the Blues. When I want to watch “The Daily Show” from the UK or when I want to watch “The Killing” via iPlayer in the US, I just go via VPN.

I’m surprised more ISPs don’t offer this as value-added service themselves. I already pay £100 per month for my Virgin triple-play (50Mb/s broadband, digital TV and telephone, so another £5 per month for OpenVPN would suit me fine).

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Does mass market eID need a liability model or not?

14th March 2011by Consult HyperionLeave a comment

I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my “idea” (that’s a bit strong – more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says

CC licenses wouldn’t ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts—brand new contracts of an unusual form—struck between all the parties.
[From comment on Digital Identity: The sorry state of id and authentication]

But isn’t that what CC licences solve?

It’s complicated by the fact that banks & telcos don’t naturally see themselves as “identity providers”, not in the open anyway
[From comment on Digital Identity: The sorry state of id and authentication]

Well, I’m doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that

It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.

The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI “Identity and Financial Services” series, someone made a comment in passing (and I’m embarrassed to say that I can’t remember who said this, because I noted the comment but forgot the commenter) that all of this takes places in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me Sven Birch, using a government “Sven Birch” identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID “Sven Birch” to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn’t true, by the way, I would appreciate clarification from a knowledgeable correspondent.)

So what is the situation? Must we have a liability model, or can we all agree to get along without one. Or do you have to a have a more consensual society, or perhaps one with fewer lawyers per head of population?

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

A theory of privacy to help technologists

10th February 2011by Consult Hyperion1 Comment

The Institute for Advanced Legal Studies hosted an excellent seminar by Professor Michael Birnhack from the Faculty of Law at Tel Aviv University who was talking about “A Quest for a Theory of Privacy”.

He pointed out that while we’re all very worried about privacy, we’re not really sure what should be done. It might be better to pause and review the legal “mess” around privacy and then try to find an intellectually-consistent way forward. This seems like a reasonable course of action to me, so I listened with interest as Michael explained that for most people, privacy issues are becoming more noticeable with Facebook, Google Buzz, Airport “nudatrons”, Street View, CCTV everywhere (particularly in the UK) and so on. (I’m particularly curious about the intersection between new technologies—such as RFID tags and biometrics—and public perceptions of those technologies, so I found some of the discussion very interesting indeed.)

Michael is part of the EU PRACTIS research group that has been forecasting technologies that will have an impact on privacy (good and bad: PETs and threats, so to speak). They use a roadmapping technique that is similar to the one we use at Consult Hyperion to help our clients to plan their strategies for exploiting new transaction technologies and is reasonably accurate within a 20 year horizon. Note that for our work for commercial clients, we use a 1-2 year, 2-5 year, and 5+ year roadmap. No-one in a bank or a telco cares about the 20 year view, even if we could predict it with any accuracy—and given that I’ve just read the BBC correspondents informed predictions for 2011 and they don’t mention, for example, what’s been going on in Tunisia and Egypt, I’d say that’s pretty difficult.

One key focus that Michael rather scarily picked out is omnipresent surveillance, particularly of the body (data about ourselves, that is, rather than data about our activities), with data acted upon immediately, but perhaps it’s best not go into that sort of thing right now!

He struck a definite chord when he said that it might be the new business models enabled by new technologies that are the real threat to privacy, not the technologies themselves. These mean that we need to approach a number of balances in new ways: privacy versus law enforcement, privacy versus efficiency, privacy versus freedom of expression. Moving to try and set these balances, via the courts, without first trying to understand what privacy is may take us in the wrong direction.

His idea for working towards a solution was plausible and understandable. Noting that privacy is a vague, elusive and contingent concept, but nevertheless a fundamental human right, he said that we need a useful model to start with. We can make a simple model by bounding a triangle with technology, law and values: this gives three sets of tensions to explore.

Law-Technology. It isn’t a simple as saying that law lags technology. In some cases, law attempts to regulate technology directly, sometimes indirectly. Sometimes technology responds against the law (eg, anonymity tools) and sometimes it co-operates (eg, PETs—a point that I thought I might disagree with Michael about until I realised that he doesn’t quite mean the same thing as I do by PETs).

Technology-Values. Technological determinism is wrong, because technology embodies certain values. (with reference to Social Construction of Technology, SCOT). Thus (as I think repressive regimes around the world are showing) it’s not enough to just have a network.

Law-Values, or in other words, jurisprudence, finds courts choosing between different interpretations. This is where Michael got into the interesting stuff from my point of view, because I’m not a lawyer and so I don’t know the background of previous efforts to resolve tensions on this line.

Focusing on that third set of tensions, then, in summary: From Warren and Brandeis’ 1890 definition of privacy as the right to be let alone, there have been more attempts to pick out a particular bundle of rights and call them privacy. Alan Westin‘s 1967 definition was privacy as control: the claims of individuals or groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

This is a much better approach than the property right approach, where disclosing or not disclosing, “private” and “public” are the states of data. Think about the example of smart meters, where data outside the home provides information about how many people are in the home, what time they are there and so on. This shows that the public/private, in/out, home/work barriers are not useful for formulating a theory. The alternative that he put forward considers the person, their relationships, their community and their state. I’m not a lawyer so I probably didn’t understand the nuances, but this didn’t seem quite right to me, because there are other dimensions around context, persona, transaction and so on.

The idea of managing the decontextualisation of self seemed solid to my untrained ear and eye and I could see how this fitted with the Westin definition of control, taking on board the point that privacy isn’t property and it isn’t static (because it is technology-dependent). I do think that choices about identity ought, in principle, to be made on a transaction-by-transaction basis even if we set defaults and delegate some of the decisions to our technology and the idea that different persona, or avatars, might bundle some of these choices seems practical.

Michael’s essential point is, then, that a theory of privacy that is formulated by examining definitions, classsifications, threats, descriptions, justifications and concepts around privacy from scratch will be based on the central notion of privacy as control rather than secrecy or obscurity. As a technologist, I’m used to the idea that privacy isn’t about hiding data or not hiding it, but about controlling who can use it. Therefore Michael’s conclusions from jurisprudence connect nicely connect with my observations from technology.

An argument that I introduced in support of his position during the questions draws on previous discussions around the real and virtual boundary, noting that the lack of control in physical space means the end of privacy there, whereas in virtual space it may thrive. If I’m walking down the street, I have no control over whether I am captured by CCTV or not. But in virtual space, I can choose which persona to launch into which environment, which set of relationships and which business deals. I found Michael’s thoughts on the theory behind this fascinating, and I’m sure I’l be returning to them in the future.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

Positive changes in e-money regulation

8th February 2011by Consult HyperionLeave a comment

William Long and Kai Zhang, from our friends at Sidley & Austin, present a typically good summary of the main issues raised in the consultations preceding the implementation of the new E-Money Directive (EMD) in the UK in the recent issue of E-Finance & Payments Law & Policy (December 2010).

Generally speaking, things look very positive. The capital requirements are being relaxed so that anyone who wants to provide e-money services probably can do with too much trouble, so I predict that you’ll see some major companies moving in now. The prime candidates to offer services are probably telecommunications operators and retailers, but transit operators, event managers, corporate “campus” suppliers and others will surely seize the opportunity. Some have already declared their intentions.

O2 will apply for an e-money licence this year, signalling its commitment to support contactless payments in the UK in the near future.
[From O2 to apply for e-money licence to support NFC payments – 2/2/2011 – Computer Weekly]

The French operators announced a similar move this week. I can’t resist noting that this is precisely the strategy that we recommended to mobile operators a couple of years ago (that is, use the upcoming PSD/ELMI changes to start their own payment businesses). Competition is good for innovation, and bringing these new players into the payments business will be very positive for all of us.

The interest of mobile operators is natural, and they have to move quickly to avoid being cut out of the loop by handset-based secure element providers (eg, Apple) who may move quicker than the UICC-based secure element providers (eg, mobile operators). The interest of the transit operators is also natural, since they have the cards out there in peoples’ pockets. I still think that we’ve yet to see the really big plays yet: these will come from the retailers, just as they are in the US.

Kmart has begun testing check cashing, money transfers and prepaid cards in stores in Illinois, California and Puerto Rico, with plans to roll out the services nationally later this year. Best Buy has installed kiosks in its stores for shoppers to pay utility, cable and phone bills. Wal-Mart has opened roughly 1,500 MoneyCenters that process as many as 5 million transactions each week.
[From Retailers offer financial services to ‘unbanked’]

The use of retailer-issued e-money pre-paid products as a low-cost alternative to bank accounts for the excluded is a win-win. It takes unprofitable customers away from the banks and gives those customers more convenient services. And the retailers could steer customers to use these products at POS, thus saving on their payment processing costs. Personally, I think the prepaid market is not competitive enough (the charges are still too high) but new entrants enabled by the ELMI, new entrants with economies of scale (such as high street retailers), could open up the market and drive down costs very quickly.

Finally, I was also very excited to note in the article that the Treasury is considering my idea of making the balance limit for simplified due diligence (under the Third Anti-Money Laundering Directive) for low-value electronic money “accounts” the same as the value of the largest banknote: in this case, €500. Although they are only looking at this for non-reloadable devices, I think this should be the guiding principle for reloadable devices as well. The link between the two, the “magic number”, is entirely symbolic: it doesn’t mean anything at all, but it’s a good way to focus debate and discussion about the regulatory balance between cash and cash alternatives.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

The magic number

8th February 2011by Consult Hyperion3 Comments

William Long and Kai Zhang, from our friends at Sidley & Austin, present a typically good summary of the main issues raised in the consultations preceding the implementation of the new E-Money Directive (EMD) in the UK in the recent issue of E-Finance & Payments Law & Policy (December 2010).

Generally speaking, things look very positive. The capital requirements are being relaxed so that anyone who wants to provide e-money services probably can do with too much trouble, so I predict that you’ll see some major companies moving in now. The prime candidates to offer services are probably telecommunications operators and retailers, but transit operators, event managers, corporate “campus” suppliers and others will surely seize the opportunity. Some have already declared their intentions.

O2 will apply for an e-money licence this year, signalling its commitment to support contactless payments in the UK in the near future.
[From O2 to apply for e-money licence to support NFC payments – 2/2/2011 – Computer Weekly]

The French operators announced a similar move this week. I can’t resist noting that this is precisely the strategy that we recommended to mobile operators a couple of years ago (that is, use the upcoming PSD/ELMI changes to start their own payment businesses). Competition is good for innovation, and bringing these new players into the payments business will be very positive for all of us.

The interest of mobile operators is natural, and they have to move quickly to avoid being cut out of the loop by handset-based secure element providers (eg, Apple) who may move quicker than the UICC-based secure element providers (eg, mobile operators). The interest of the transit operators is also natural, since they have the cards out there in peoples’ pockets. I still think that we’ve yet to see the really big plays yet: these will come from the retailers, just as they are in the US.

Kmart has begun testing check cashing, money transfers and prepaid cards in stores in Illinois, California and Puerto Rico, with plans to roll out the services nationally later this year. Best Buy has installed kiosks in its stores for shoppers to pay utility, cable and phone bills. Wal-Mart has opened roughly 1,500 MoneyCenters that process as many as 5 million transactions each week.
[From Retailers offer financial services to ‘unbanked’]

The use of retailer-issued e-money pre-paid products as a low-cost alternative to bank accounts for the excluded is a win-win. It takes unprofitable customers away from the banks and gives those customers more convenient services. And the retailers could steer customers to use these products at POS, thus saving on their payment processing costs. Personally, I think the prepaid market is not competitive enough (the charges are still too high) but new entrants enabled by the ELMI, new entrants with economies of scale (such as high street retailers), could open up the market and drive down costs very quickly.

Finally, I was also very excited to note in the article that the Treasury is considering my idea of making the balance limit for simplified due diligence (under the Third Anti-Money Laundering Directive) for low-value electronic money “accounts” the same as the value of the largest banknote: in this case, €500. Although they are only looking at this for non-reloadable devices, I think this should be the guiding principle for reloadable devices as well. The link between the two, the “magic number”, is entirely symbolic: it doesn’t mean anything at all, but it’s a good focus for debate.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Russian regulation

13th November 2010by Consult HyperionLeave a comment

[Dave Birch] As many people have noted, the Russia e-payments landscape is really

According to Victor Dostov

There are 25 million active “e-purses” (web wallets containing pre-paid value) and the market is growing at 20%.

The market is now going to be shaped by regulation. It’s a difficult problem for regulators, to take a rapidly growing market and add prudent regulation without disrupting

The government has approved a bill to regulate e-payments, a market that is growing at 40% per annum.

Viktor Dostov, the chairman of the Russian E-Money Association, says that the bill is a reasonable compromise, requiring operators such as WebMoney and Yandex.Dengi to obtain a Central Bank licence for “non-banking credit organisations”. The law requires such organisations to have a minimum equity of 18m roubles ($600,000), which may be a little high for innovative startups.

It is very tempting for regulators to demand rigorous identification Here’s an example. The current “Draft law on the National Payment System” has the concept of “proportionate identification” which is important.. The law also contains a sensible balance on KYC, so no identification is needed for payment accounts with a maximum balance of 15,000 roubles.

Under current framework, there is no equivalent of the European “Payment Institution” or “Electronic Money Institution”. One of the key aspects of European regulation is that it has allowed non-banks to bring innovation to the sector

khjkh.

Yota, Russia’s leading 4G networks operator (offering WiMax, battling for LTE frequencies and thinking about brand-name handset), launched a partnership with Mobi. Dengi (a mobile money transfer scheme working closely with Beeline, a Russian MNO) and Tavrichesky Bank – to allow its subscribers to use the money they have topped up to their prepaid account – to pay for other services like utility bills, TV, mobile top-up.
[From Retail Banking in Russia: Innovation Unfolded: Each decent Internet service provider strives to create its own payments wallet]

lkjljljlkj

Continue reading “Russian regulation”

SEPAarate development

4th October 2010by Consult Hyperion1 Comment

[Dave Birch] There is a looming deadline for SEPA compliance in the cards business: by 31st December 2010, all payments cards and ATM cards in the EU27 plus Norway, Switzerland, Iceland, Liechtenstein and Monaco must be EMV-compliant and all POS and ATM terminals in those countries must support EMV applications. This is extremely unlikely to happen as far as I (and other observers) can see. Currently Germany, Portugal, Italy and Slovenia have less than 80% of their cards converted and Romania, Greece, Bulgaria, Hungary, Spain, Portugal and Malta have less than 40% (according to Banking Automation Bulletin for September 2010). Apart from the UK & Ireland, France and Luxembourg, no countries have 100% POS compliance (in Germany it's not even 10%). Additionally, many countries do not have ATM compliance, including Germany, Belgium, Italy and Portugal.

Why the slow progress? And what does it mean for the future? Well, I was invited along to a meeting of experts to discuss the progress towards SEPA and eSEPA (SEPA for the internet and mobile payments), but unfortunately I've been told by the Commission that the discussions were confidential and so I can't comment on them here.

Continue reading “SEPAarate development”

Cleaning up

30th July 2010by Consult Hyperion1 Comment

[Dave Birch] I opened my first bank account, with Bank X, when I went to university. I walked in to my local branch on the second or third day after arriving in Southampton and opened an account. When I started work, I transferred that account to Cobham in Surrey, near where I was working. A couple of decades ago, that branch was closed and the accounts transferred to Walton-on-Thames, which is where my relationship banker was based when they were first invented about 15 years ago. I’ve probably been to that branch three times since then, about once every five years. I’m a premium customer and pay a few quid per month for my account, so my personal banker would periodically ring up me to see if they could sell me insurance or whatever. I quite liked my first personal banker and probably met him three or four times over the decade. A few days ago I got a letter from my new personal banker, who is based in Leicester. (A note for foreign readers: I live in the south of England, southwest of London, and Leicester is in the midlands, about 150 miles away.)

I’m note sure how “personal” this relationship will be. In any case, the last time I called (in order to get a bank loan to cover some building work we were having done) I had to go through half an hour of questions about name, address, salary, monthly outgoings etc, so having a personal banker (and having had the account for 33 years) didn’t really seem to help. They still wanted to know (as my mother would always say) “the ins and outs of a cows behind” before giving me the money. To be fair to the banks, in this case, they don’t want to annoy and inconvenience customers in this way, they are being made to by the government, because they have to comply with “Know Your Customer” (KYC) and “Anti Money Laundering” (AML) rules. Generally speaking, the banks do not suffer too greatly because of this as everyone has to just grin and bear it. Had I hung up in annoyance and called Bank Y (who don’t know me from Adam) instead, I would still have had to answer the same questions. But there are cases where the implementation of KYC and AML rules may end up costing banks more than customers’ opprobrium.

In the case of Shah and another v HSBC Private Bank (UK) Ltd, the Court of Appeal has ruled that Jayesh Shah and Shaleetha Mahabeer have the right to challenge HSBC Private Bank for having delayed a $28 million transfer… the bank asserted that it had suspected that the transaction constituted money-laundering for the purposes of the Proceeds of Crime Act 2002, meaning that the transfer had to be delayed while reported to the Serious Organised Crime Agency.

Eventually, the transaction was completed and Mr Shah claimed the delay cost him over $300 million. The claimants subsequently challenged the grounds on which the bank’s suspicions were raised but a case brought by Mr Shah for compensation was thrown out at an earlier court hearing. However, last week’s Court of Appeal ruling means that Mr Shah can now pursue HSBC for his losses.
[From HSBC customer claims for anti money-laundering delay]

Interesting. As the article notes, the plaintiffs are questioning the basis on which the bank determined that the transfer was suspicious. But what I’m curious about is the cost/benefit analysis that underlays this whole raft of e-payment regulation.

According to an IFA I spoke to recently, there is not a single case of any would-be launderer being caught by this system. As you’d kinda guess, real launderers are quite capable of cobbling together the necessary fake docs, and ticking all the right boxes.
[From Burning our money: A Problem With The Laundry]

So inconveniencing everyone from billionaire businessmen to peasant farmers has not caught a single money launderer? This seems statistically unlikely, doesn’t it? Surely they would catch the odd one or two by accident given the enormous size of the money laundering market. The latest figure I could find (given only a quick Google, since I couldn’t be bothered to go downstairs to the bookcases) shows that it’s a huge and growing business.

The NCIS ‘United Kingdom Threat Assessment of Serious and Organized Crime’ in 2003 stated that the overall size of criminal proceeds in the country – and the amount that is laundered is unknown. However, customs authorities had estimated that the annual proceeds from crime in the UK were anywhere between £19 billion and £48 billion – with £25 billion being a realistic figure for the amount that is laundered each year.
[From : : Money Laundering Statistics : :]

£25 billion! This is certainly an underestimate and it comes despite all of the rules imposed on the industry.

Continue reading “Cleaning up”

Exclusion and the war on lunch

24th June 2010by Consult HyperionLeave a comment

[Dave Birch] Plans are afoot in the US to increase financial exclusion by making prepaid products more expensive and less available by forcing non-bank pre-paid card providers to comply with the same rules as banks, presumably treating a $100 pre-paid card to the same degree of scrutiny and reporting as multi-million dollar bank accounts.

FinCEN has applied a limited regulatory framework since 1999 to certain prepaid products as part of the money services businesses regulations applicable to sellers, issuers, and redeemers of stored value. Under FinCEN’s proposal, non-bank providers of prepaid access would be subject to comprehensive Bank Secrecy Act (BSA) regulations similar to depository institutions.
[From FinCen Proposes New Rules for Prepaid Card Programs]

Prepaid cards are already under attack from ill-thought through regulation of the payments industry anyway. This is a bad thing, because prepaid cards — or, more generally, pre-paid transaction accounts of one form or another — are a key tool for increasing participation in financial networks. We should be looking for ways to increase financial inclusion, not reduce it.

The Center for Financial Services Innovation (CFSI) has written to Rep. Barney Frank and Senator Chris Dodd asking that prepaid cards – including government benefits cards, general purpose prepaid cards, payroll cards – be exempt from the fee determination set by the Federal Reserve Board under pending legislation.
[From Center for Financial Services Innovation Asks for Prepaid Card Exclusions]

Encouraging people to remain the cash economy does not help in the “war on terror”, or the war on tax evasion, the war on corrupt politicians or anything else. There is a net social benefit to getting people to use cards instead of cash, and we should be making it is a simple and inexpensive as possible for the excluded to participate. We should be easing the regulatory burden on non-bank prepaid schemes with a maximum balance of, say under $500 or so.

Continue reading “Exclusion and the war on lunch”