Why can’t digital identity be easy, like payments?


I have often seen payments (especially the card networks) used as an analogy for digital identity. In fact, I brought up the analogy myself at the fun OIX meeting in Amsterdam last Thursday. Certainly when you look at something like GOV.UK Verify there are some striking comparisons:

  • A central scheme with a brand, rule book, governance body and switching infrastructure (i.e. Verify itself),
  • Issuers (i.e. the private sector identity providers), and
  • Merchant acquirers (well merchants anyway, in the form of government relying parties).

We have to keep reminding ourselves that these card networks did not appear overnight. What we have today is a result of 60 or more years of evolution. Admittedly the pace of change has increased significantly but we need to recognise it often takes time to build scale and gain adoption. There are special cases of course. PayPal, for example, grew out of a significant pain point within eBay – which gave it immediate scale.

There is however one key difference between payments and identity. You cannot sell stuff online without a means to receive payment and normally that means integrating with a payments scheme that works for your customers. You can however sell stuff without leveraging an external identity scheme – you just give the user an ID and password specific to the service. This is however bad news for users – resulting in the fragmented personal data and password mess we find ourselves in today. There needs to be an incentive for merchants to do something different to this. Perhaps merchants need a big stick? Like GDPR for example. Merchants are going to have to be a lot more careful with personally identifiable information in the future. One thing they could do is use an identity provider to hold that data and in the process reduce their risk.

Individuals also need to realise that their personal data is valuable, just like their money. That is going to require some education because so far they’ve been taught to share data without considering the consequences.

In the UK, arguably the most significant digital identity initiative over the past 5 years has been the GOV.UK Verify programme. They are at the stage where they need to grow. The scheme is up and running and so they are now busily signing up citizens and services. It is a critical point in its development. We are very pleased that David Rennie who leads industry engagement on the programme will be taking time out of his busy schedule to join us at Tomorrow’s Transactions. Come along and find out how it is going.


Quite an ecosystem


A funny thing happened on the way to Merchant Payment Ecosystem in Berlin. Three funny things, actually. I tried to use an app to buy something on the way and I got a message saying “transaction failed”. It didn’t tell me why. I’m sure the service provider didn’t know either, as they just got a decline from the issuer. Some forensic work on my behalf later determined the cause of failure was that the card I’d given the app a couple of years ago had expired. The new card was on my kitchen counter back home, but of course it was my problem to have to go around all the stupid apps on my phone that didn’t use Apple Pay and update each of them individually.


Then on the plane on the way to Berlin the British Airways cabin crew said that the on-board POS had a problem because it would accept AMEX and Visa cards but not MasterCards. No one knew why. I was desperately hoping that they would put out an emergency call over the public address system “is there a merchant acquiring expert on the plane” (there were about 200 of them by my estimate) but, sadly, they didn’t and so those people prepared to cave into BA’s new policy of making passengers pay for coffee had to struggle by as best they could.

When I got to Berlin I jumped in a taxi at the airport and set off for the hotel where we were going to be discussing all the new stuff going on in the world of merchant payments. We got to the hotel, I took out my card and was actually stunned to hear the driver tell me “I don’t take cards”! Seriously! In a supposedly civilised country and a city that wants to challenge London’s position as fintech hub! So the driver had to come into the hotel with me and wait until I checked in so that I could get hold of some cash in order to help him to evade tax.

I drew on these experiences in my opening address to make three main points to the delegates:

  1. Electronic payments are not ubiquitous, but that’s not because of the technology. The taxi driver could perfectly well have taken electronic payments if he wanted to, but he didn’t want to. When I went to dinner the following night, I of course used an app

  2. Evolution in our sector isn’t really about payments, it’s about identity. Since BA know who I am, and since I had to show a passport to get on board, and I have a British Airways Amex card and a BA app on my phone, why are BA messing about with chip and PIN at all? Why not just use my BA app to charge to a token on file?

  3. We’re on the edge of the thingternet. Look at IBM’s recent announcement of a partnership with Visa. Everything is becoming a card, everything is becoming a POS. So what happens when I’m driving down the motorway and my card expires and a new one is issued? Does my car stop dead in the business class motorway lane while I have to send a motorcycle courier to fetch the new card from my house so I can type in the new expiry date and the CVV? We’re shoehorning systems into environments they were never designed for so maybe it’s time to rethink and construct a new kind of infrastructure (based on identity, obviously).

While I’m on the topic, by the way, this was my first visit to Merchant Payment Ecosystem despite a number of recommendations from our guys and others, and I have to say that it’s an excellent event. I was genuinely flattered to be asked to chair the first morning and the key panels. The first was with the panel about digital commerce and omnichannel payments with:

The discussion was absolutely first-class. Sometimes it can be difficult to get the conversation going on the first panel of a major event but we hit the ground running on this one. As I explained to the audience at the time there were no rehearsed questions and no PR scripts to follow. We had a genuine conversation about a wide range of topics and I can see from the feedback that the delegates greatly appreciated hearing smart people speak their minds. I really hate to paraphrase such a fascinating discussion, but if forced to I would say that there is a shift underway from the POS as a device to the POS as a platform and there is a convergence under way but that convergence is towards the virtual rather than the real. In other words, the checkout and payment experience is converging to the app, not the tap (okay, that’s my bumper sticker and not exactly what the participants said but I think it conveys the sense of the discussion!) and the payment experience will be the same whether in-store, on the phone or at a web site.

With thanks to @KSthankiya

 

The second panel was great too. The organisers did me the great honour of allowing me to cross-examine some of the industry’s most senior people on behalf of the wider audience. The panel was:

The panellists allowed me to push them on some of the tough issues facing the acquiring and processing parts of the industry. I made the point that in an environment moving towards instant, push payments the role of acquirers and processors will change substantially. Naturally, since everyone on the panel knew more about this than I did and had already thought of it, they had some great perspectives.  I was particularly interested by their views on future value-added services which, it seemed to me, had a lot to do with data. Hence I was left with the impression that some of the big plays coming in this space are no longer about devices or charging bundles or apps but about big data, analytics and machine learning. I also rather liked the suggestion that emerged from the panel that we need to begin to reframe the acquirer as a merchant service provider (MSP).


All things considered it was a terrific event. My colleague Gary Munro (Consult Hyperion’s principal consultant on the acquiring side), who chaired a couple of excellent sessions at the event, has attended for the last couple of years and he knows a fantastic amount about this business and he always recommended it highly.


This will definitely be a fixture in my calendar from now on – a couple of days very well spent and the whole experience was only slightly undermined by the Berlin airport baggage handlers strike on the final day.

Fintech “banks” are coming to the USA


A few years ago, I wrote that when it came to the regulation of payments, America could do worse than adopt something along European lines. By “European lines”, I meant that a regulatory framework which separated systemically risky operations such as lending people money from systemically unrisky operations such as low-value payments would benefit all concerned.

The US has no equivalent of the EU’s Payment Institution (PI) licence, but this would be a practical way to allow new entrants access to the infrastructure needed to deliver great new products and services.

From In payments, the US is an emerging market | Consult Hyperion

Hence it was rather exciting to read the news that the US regulatory environment is about to change, and about to change significantly. This announcement is, I think, really important.

The Office of the Comptroller of the Currency will start granting limited-purpose bank charters to fintech companies,

From OCC Grants New Charter to Fintech Firms — with Strings Attached | American Banker

These special limited-purpose national bank charters (I can’t think of a snappy name for them yet – I want to call them “near-banking” licences because they allow you to do some of the things that banks do) mean that fintech companies can apply for a national licence instead of having to apply for licenses in every state. So if you want to offer some form of payment service, you will no longer have to apply for 50 (different) state money transmission licences.

Fintech firms that can apply for an OCC charter must offer at least one of three financial services: make loans, pay checks or receive deposits. The OCC is currently developing guidelines for a fintech bank charter that will be based on the comments received from the proposed paper.

From Regulator will start issuing bank charters for fintech firms

Were I to comment on the proposed paper, I would focus on the first of these financial services. It is the provision of credit that is the systemically risky service and it is this service that requires strict regulation. I make no comment on the issue of whether this should be dealt with at the federal level or state-by-state, but it does seem to me that if the proposed special fintech banking charter were to exclude this activity then it would create a regulatory category that is much more like the European Union “payment institution” or the Indian “payment bank”. I don’t know what other people think about this but I think that the European Commission’s general drive to separate regulation of payments from the regulation of banking makes a lot of sense and is founded both in sound regulatory strategy and economic theory. It’s the right way to go.

we can see a “back to the future” roadmap where banks go back to savings and loans and the “pooling” functions needed to support a modern economy, non-state actors provide money and — and most importantly in the short term — third-parties provide payment systems. In Europe, the regulatory wind is already in these sails.

From Why do banks run retail payment systems? | Consult Hyperion

To begin with an obvious example, Facebook recently obtained licences in Europe to operate as a Payment Institution (PI) and as an electronic money institution (ELMI). The regulatory burden of complying with these licenses is very limited compared to complying with a full banking licence, which is good for both Facebook and its customers who will be offered innovative new services through the platform (sending people money using Facebook as a front-end to national and international payment networks, allowing people to carry stored value accounts in Whatsapp and who knows what else).

The notion of a special-purpose charter has also drawn concerns from some consumer groups who want to ensure all of the banking and fair-lending laws apply to fintech firms and banks that fear they would lose business to fintech if they had to compete within the same banking system.

From Regulator will start issuing bank charters for fintech firms

I am not an expert on consumer lending but I would have thought that the concerns of consumer groups in this area are perfectly reasonable and that the simplest way to satisfy those concerns is to keep the provision of credit with existing institutions that are tightly regulated in that regard. Therefore I would comment to the OCC that if they want to encourage more competition in lending it should be through a separate kind of special charter.

But back to the rest of the special-purpose charter. As to the concerns of the banks that they will lose business, well, tough. The purpose of the financial services regulatory environment is not to maintain the status quo and to defend incumbents against competition of all kinds across time. If some banks are concerned that the new special-purpose charter “banks” will be able to deliver payment services at a much lower cost (which I sincerely hope will be the case) then the rather obvious strategy is for these banks to form a subsidiary to handle payments and to have that subsidiary regulated through the same special-purpose charter as their competitors. 

This may not be enough to save them, by the way. Thomas Watson Jr is often quoted as saying in 1943 (*) that there was a world market for five computers. It turns out that he was right: they are Apple, Amazon, Facebook, Google & Microsoft and everything else is just a window into those. (I think Thomas was wrong – he didn’t foresee WeChat or Alipay – but you get the drift.) When these “internet giants” get their special-purpose charters, they will control both the customer interface and the financial system interface. Why will I ever come out of Facebook and run my bank app ever again? If my Mac’s “Messages” application can send money to your WeChat, what will happen to Transferwise? If I google “PayDay Loan” and the money arrives in my gmail account before you can say “where is the 21st century anti-trust legislation” what will happen to competition in the lending space? What happens when Microsoft asks you to add your bank account to LinkedIn and can then offer both “request to pay” and instant payments on the platform?

On a final note, most of the commentary I read about this over the weekend focused on the ability of these “Internet giants” to obtain these charters and deliver payment services. There are, however, plenty of other types of organisations that might want to obtain one of these charters in order to provide financial services that either compete with lazy and fat incumbents or deliver innovation into new or underserved niches. AT&T could get a licence and launch USA-PESA. NetFlix could get a licence, join Visa and then issue its own credit cards. But if I were to grab my crystal balls and get all Nostradamus on your asses, I’d say keep an eye out for the retailers. If I was Walmart, I’d be thinking about getting me one of those special-purpose charters myself so that I could operate my own payment services without having to have a joint venture with banks (e.g., its partnership with GreenDot) or go through the expensive process of getting a subsidiary regulated as a bank.

In the late ’90s and early ’00s the company made numerous attempts to get into banking after it argued that the 1999 Financial Services Modernization Act allowed nonbank commercial operations to acquire financial services companies and operate their own banking operations. It failed to acquire a bank in Broken Arrow, Okla., in 1999, and its attempt to acquire a bank in California led to the state legislature to pass a bill specifically outlawing what is arguably permitted by the controversial banking deregulation bill signed into law by then-President Bill Clinton.

From Wal-Mart Would Love To Have A Banking License, But It Doesn’t Necessarily Need One

Back in 2011, when someone asked me who might become the Walmart of payments, I said Walmart. The OCC move brings this one step closer! My reasoning was obvious: the customer interface. Retailers are where the customers are and where they make their payments. Right now if you want to use Walmart Pay you have to register a card, but there’s no reason why Walmart Pay couldn’t, as a bank, instruct the transfer of funds directly from your bank account.

Who knows what the result of the OCC consultation process will be, but on the whole I think that the notion of the special-purpose charter that makes it easier for non-banks to come into the space and compete is a good one. With Venmo up and running, the big banks launching Zelle, NACHA going to same day, The Clearing House launching instant payments and others, I’m sure, just around the corner with their blockchains and cybercurrencies and so forth, we are about to see the US landscape transform, much to the benefit of the users of the payment system.

(*) He never said this, but let’s not spoil it for all of the management consultants who like to put this on a slide about innovation.

Secure-enough transit mobile ticketing


This year, I’ve been mostly working on ITSO ticketing in NFC mobile devices with HCE and without secure elements. ITSO is the e-ticketing specification supported by the Department for Transport in the UK.

So far, high level design, risk analysis and proof of concept have been carried out by our team. Suitable controls are being developed. We are heading towards a trial this year on live schemes. More details to follow in the next few weeks. But for now, see page 10 of the latest ITSO News.

 

When is an acceptance mark not a mark of acceptance?


As a consumer interested in obtaining goods or services, it is important to understand what the provider is prepared to accept in exchange.  It is a safe bet that (with the odd exception) cash will be one of your available options.  Other than cash, though, how can you find out which of the myriad methods of payment will be accepted without question?

Well, you could talk to someone, of course.  But this isn’t always possible, for instance due to language barriers.  Neither is it always practical to wait until you have filled your shopping basket only to find that you have no accepted method of payment.


The solution, of course, is to display a recognised standard symbol, indicating to the consumer that they may use MasterCard, Visa, Amex, Discover, PayPal, bitcoin, or whatever other payment methods are on display.  The additional display of the EMVCo contactless symbol indicates that contactless payments should be possible with the payment card brands displayed alongside.

I say ‘should be possible’ because, unfortunately, this is not always the case.  For legacy reasons that we won’t go into here, it is not uncommon to find retailers who accept Amex payments, and contactless payments, but not Amex contactless payments.  Still – whilst not as convenient, the payment can still be completed via Chip & PIN.

But now adding to the mix we have a brand new acceptance mark for Apple Pay.  On the face of it, this seems a sensible decision.  After all, if you want to use Apple Pay then it’s good to know where you can use it.  But then again, you already do know where you can use it – everywhere that displays the EMVCo contactless symbol.  Apple Pay, after all, is not a payment scheme in its own right, but rather uses the existing card schemes’ contactless card payment infrastructure to perform NFC transactions.


What the Apple Pay decal does not tell me is whether or not the payment card loaded into Passbook is accepted at this retailer; for that I still look for that card scheme’s mark.  It also doesn’t tell me if that retailer who does accept my card scheme is able to perform that particular contactless transaction.  For instance, those retailers who accept Amex, but can’t yet perform Amex contactless transactions, will not be able to accept Amex Apple Pay transactions either, as the BBC’s Rory Cellan-Jones discovered on the morning of the UK launch when he was out and about in London. (Indeed, Apple Pay featured on the main evening news in the UK, as shown here!)


But more importantly for an aspiring acceptance mark, a retailer advertising their acceptance of Apple Pay may not actually accept the cards loaded into it at all.  Amex and Discover/Diners do not enjoy the same level of acceptance as MasterCard or Visa, but their cards are (or will be) available to be loaded into Apple Pay.  Should a consumer not expect that a retailer who advertises their acceptance of Apple Pay will actually accept Apple Pay, regardless of what they have loaded into it?

Incidentally, whilst the focus is currently on what “Apple Pay acceptance” actually means, there are similar potential implications for ‘four party payment card schemes’ (i.e. MasterCard and Visa) as a result of the recent EU Regulation 2015/751 on interchange fees.  As well as the headline-grabbing cap on the fees themselves, Article 10 of this regulation is concerned with the schemes’ “Honour All Cards” rules, which currently require merchants to accept any card from the accepted scheme.  This Article provides that:

Payment card schemes and payment service providers shall not apply any rule that obliges payees accepting a card-based payment instrument issued by one issuer also to accept other card-based payment instruments issued within the framework of the same payment card scheme.

In other words, payees (merchants) can choose which MasterCard or Visa cards they want to accept.  Merchants may, for instance, choose to accept only debit cards and not credit.  Or they may choose to accept everything except higher-fee rewards cards.  “Honour All Cards” will instead become “Honour All Issuers,” meaning that merchants cannot refuse to accept a card based only on the issuer of that card.

To achieve this, the cards will need to be both electronically and visibly identifiable, as long as the card is issued within the EU.  In deference to the second law of thermodynamics, merchants will be required to advertise which cards they do not accept, alongside the acceptance information.  It is not yet clear how a non EU-issued card would be treated by a merchant who is depending on being able to identify a card product; the expectation of a non-EU cardholder will be that they can use their card at a merchant displaying the appropriate symbol.

So, when is an acceptance mark not a mark of acceptance?  Well, when it cannot be relied upon to signify that the indicated payment method will actually be acceptable.

Porn is a serious issue, and so is identity


We’d all, I’m sure, prefer a world in which children did not have access to corrosive and nauseating material that undermines our civilised society. But how can we stop children from seeing MTV and the Daily Mail? The government has given up on this, I’m afraid, and has instead decided to try to stop them from seeing porn.
