The Evolving Role of Digital Wallets and Consult Hyperion’s Expertise in Driving Innovation.

Digital wallets are transforming how we pay, interact, and secure our digital identities. As smartphones become indispensable, consumers worldwide are using digital wallets for transactions, peer-to-peer payments, and even managing digital identities like driver’s licenses and health credentials. However, behind the convenience of digital wallets lies a complex network of technology, security, and regulatory challenges.

At Consult Hyperion, we specialize in navigating these challenges, using our expertise at the intersection of identity, payments, and cybersecurity to help clients innovate securely and effectively in the digital wallet space.

Digital Wallets: Expanding Beyond Payments

While digital wallets initially gained traction as payment tools, they have evolved into multi-functional platforms that can store not only debit and credit cards but also digital identities, health passes, travel documents, loyalty cards, and more. Wallets are increasingly integral to the digital identity ecosystem, empowering people to prove who they are, access services seamlessly, and control their personal data with security and transparency.

One emerging trend is the integration of mobile driver’s licenses (mDLs) into digital wallets. As mDLs gain adoption, digital wallets can provide a secure, portable means of identity verification, allowing users to authenticate their identities for various purposes while retaining control over their personal information.

Regional Approaches: United States, Europe and Australia

The adoption of mDLs into digital wallets varies significantly across regions, influenced by differing regulatory environments, market demand, and technological infrastructure. Here’s how digital wallet innovation and mDL adoption are evolving across North America, Europe, and Australia.

United States

The U.S. has been at the forefront of mDL adoption with several state DMVs already rolling out mDLs and several others with programs underway. These digital credentials are starting to be accepted for in-person use cases such as domestic air travel and liquor purchases. And going forwards, they will also be accepted online. Like physical driver’s licences, mDLs will have a lot of utility.

Many states are choosing to work with the large platform wallets, like Apple Wallet and Google Wallet, issuing mDL credentials into the wallets consumers already have. Those wallets are increasingly becoming “digital hubs” where users can store a variety of credentials. But this is not the only solution. Some states have also launched mDL-specific apps. These provide consumers with the option of a standalone mobile driver’s licence.

In the middle of all this progress is the American Association of Motor Vehicle Administrators (AAMVA), which is playing an important role in coordinating stakeholders and promoting standardized and interoperable approaches.

Europe

Some European countries have local proprietary mobile driving licences…

In the EU, the eIDAS 2.0 regulation requires each country in the EU to provide at least one digital wallet to its citizens, residents and businesses. Those wallets will be required to support the ISO 18013 standard that underpins mDLs. In parallel, the EU plans to make driving licences mobile by default.

The situation is, however, complex.

• The EU is developing a rich but complex wallet architecture, of which support for mDL is just one part.
• There will be many wallets, which will require robust certification processes if interoperability is to be achieved.
• The role of OEMs is unclear: they may provide wallets themselves or provide the secure technology to support wallets over the top.

The EU wants all of this to come together over the next couple of years, which seems very ambitious.

So whilst wallets look set to play an important role in the EU digital economy, it will be some time before they provide the straightforward utility of US mDLs.

Australia

Australia has also been a leader in mobile driver’s licences, with several states issuing them.
Austroads, an intergovernmental organization, is driving the development and standardization of mDLs in Australia. They are working with state and territory governments to develop a consistent framework for mDLs, ensuring interoperability and security. This includes alignment with both ISO 18013 (mDL) and the more generic ISO 23220 (mDoc). This should allow the mDL apps issued in Australia to hold other digital credentials in the future. So instead of issuing mDLs into wallets, the mDL will become the wallet.
Austroads is going one step further by building a “Digital Trust Service” – providing the means to check the authenticity of the issuers of digital credentials held in those “mDL wallets”.

The Core Elements of Digital Wallet Success

Digital wallets that can hold both payment credentials and other digital credentials will have huge utility. They will increase convenience, reduce fraud and improve privacy.

Successfully implementing and scaling digital wallets requires expertise in several key areas:

  1. Security: Security is crucial when handling sensitive information such as cryptographic keys, payment details or digital identity credentials. Consult Hyperion has decades of experience in building and testing secure payments services, with expertise in strong cryptography, mobile application security and tokenization.
  2. Identity: Digital wallets often serve as digital IDs. Users can store verifiable credentials, such as mDLs or health passes, giving them control over personal data. Integrating these digital identity solutions requires navigating regulatory frameworks and ensuring interoperability with existing systems. At Consult Hyperion, we leverage our deep knowledge of standards like Decentralized Identifiers (DIDs) and Verifiable Credentials to design privacy-protective and compliant solutions.
  3. Payments: Wallets gained popularity as payment solutions, and understanding payment intricacies is essential. This includes managing multiple payment types and adhering to regional regulations. Our expertise spans EMV, contactless, and real-time payment systems, enabling us to help clients integrate and scale secure wallet-based payments globally.

Why Consult Hyperion?

Our ability to bridge the gap between theory and real-world application makes us a trusted advisor for organizations building digital wallets. Our expertise encompasses:

  1. Strategic Partnerships and Innovation: Trusted by financial institutions, tech companies, and governments, we’ve helped design systems that meet stringent security, usability, and regulatory standards. We understand the strategic goals behind digital wallet projects, allowing us to guide clients in creating solutions aligned with long-term objectives.
  2. Deep Technical Knowledge: Our technical expertise across identity, payments, and cybersecurity enables us to develop robust solutions, from designing secure protocols to implementing advanced authentication methods.
  3. Proven Track Record: Our history of delivering projects in both private and public sectors demonstrates our ability to execute at scale. Clients rely on us for our technical capabilities, dedication to quality, and innovative approach.

The Future of Digital Wallets: Shaping the Next Generation

Digital wallets are evolving with advances in biometric security, decentralized identity, and blockchain technology. As wallets move beyond payments, businesses must adapt to new standards for security, privacy, and user experience. Apple, Google, and government-led solutions worldwide are positioning themselves as leaders in the wallet space, each bringing unique strengths to the ecosystem.
Consult Hyperion remains at the cutting edge, helping organizations navigate this dynamic landscape. Whether you’re looking to launch a new digital wallet, expand an existing platform, or secure sensitive data, we offer the expertise and insight needed to support your goals.

Final Thoughts

Digital wallets are becoming vital gateways to secure payments and digital identities across the world. At Consult Hyperion, we’re excited to help shape this future, enabling our clients to create secure, compliant, and user-centric solutions. With our expertise in identity, payments, and cybersecurity, we look forward to partnering with organizations worldwide that share our vision for a secure, interconnected digital world.

Driving the Future of Fintech

Insights from Money20/20 USA 2024 and Consult Hyperion’s Legacy

The fintech landscape has undergone remarkable transformations over the past decade, with Money20/20 USA serving as a pivotal platform for showcasing industry innovations and setting trends. Each year, this premier conference gathers leaders, innovators, and thinkers to discuss the future of financial services. Reflecting on past themes such as cloud computing and blockchain, the 2024 event embraced Artificial Intelligence (AI) as the defining technology of the year.

A Look Back: Cloud, Blockchain, and Consult Hyperion’s Journey at Money20/20

Over the years, Money20/20 has highlighted significant trends that have shaped financial services. Cloud computing allowed institutions to scale operations, enhance customer experiences, and improve efficiency. Blockchain soon followed, presenting decentralized ledger systems that promised more transparency, security, and trust in financial transactions.

For Consult Hyperion, these advancements provided a natural landscape to showcase our expertise. Since our first year at Money20/20, we’ve been committed to the industry’s growth, contributing thought leadership and insights on technological evolution. Our journey at Money20/20 has been one of active participation, attendance and thought leadership. Year after year, we’ve witnessed—and contributed to—the shift in how technology redefines our industry.

2024: The AI-Driven Future of Fintech

This year, AI emerged as the main theme, emphasizing the next evolution in payments technology. Money20/20 USA 2024 was all about exploring AI’s current and future impact. From machine learning to natural language processing, the event demonstrated AI’s ability to drive personalized financial products, enhance security, and transform customer engagement.

Key highlights from this year’s conference included:

  • AI-Powered Customer Engagement: Many exhibitors showcased AI-driven chatbots and virtual assistants designed to streamline customer support and provide tailored advice. This shift towards personalized experiences is already making a significant impact, with AI enabling real-time, intelligent responses.
  • Enhanced Fraud Detection: Fraud prevention was another focal point, with sessions exploring how AI-driven models are detecting and mitigating fraud more effectively than ever. These solutions promise a safer environment for both financial institutions and consumers.
  • Personalized Financial Services: As AI grows more sophisticated, it allows for finely-tuned, data-driven offerings that meet individual needs. Financial products are now being tailored with unprecedented accuracy, improving customer satisfaction and loyalty.

Consult Hyperion’s Continued Commitment to Innovation

Consult Hyperion’s ongoing involvement at Money20/20 reflects our commitment to staying at the forefront of fintech. This year, we’re particularly excited about the potential AI brings to financial services and how it intersects with our expertise in secure payments and identity. As a key player in bridging technology with strategy, Consult Hyperion remains dedicated to guiding the industry through its next stages of digital transformation.

Dave Birch’s Panels on AI, Digital Identity, and Payments

Consult Hyperion’s own Dave Birch, known globally for his thought leadership in secure payment and identity systems, moderated two thought-provoking panels. Each session, focused on AI’s transformative potential in finance, illustrated how we can expect profound changes in secure identity, payments, and customer engagement.

  1. “Have My AI Call Your AI and Let’s Do Lunch” This forward-looking session explored the transformative potential of AI-driven B2B interactions within finance. Birch and his panelists, including Sophia Bantazidis from Citi, discussed how autonomous, AI-driven systems could negotiate and streamline transactions between organizations. Panelists noted that as AI continues to advance, it presents opportunities for improving efficiency in business interactions. However, the potential for AI-to-AI interactions also brings the need for a secure, reliable framework, particularly in digital identity, to ensure all parties’ integrity and security. Bantazidis highlighted the importance of ethical AI in finance and the role of digital identity frameworks to support responsible, trustworthy AI interactions. The discussion underscored that digital identity isn’t just a safeguard but a necessity for enabling safe, efficient AI-driven financial communications, allowing AI systems to engage securely in a trust-based environment.
  2. “The Real Disruption in Retail Financial Services: Customers Getting AI” Hosted on the exclusive “Off The Record” stage, which featured Chatham House rules and a locked-phone policy to encourage open dialogue, this session delved into a critical, often under-discussed topic: the growing role of AI in empowering consumers rather than just enhancing banks’ internal efficiencies. Birch set the stage for a candid conversation, highlighting that while it’s intriguing to explore how banks might use AI to streamline call centers or make marginally better credit decisions, the real disruption lies in customers having direct access to AI tools themselves. This shift represents a fundamental threat to the traditional retail banking model, with the increased intelligence of customers challenging financial institutions to adapt. Joining Birch in this conversation were Matt Harris from Bain Capital and Kirsty Rutter from Lloyds Banking Group, both bringing deep insights into how AI is empowering consumers with data and control previously inaccessible in the standard banking setup. Harris discussed how consumer-facing AI tools are pushing banks to refine their approach to customer engagement, while Rutter highlighted the role of secure, personalized digital identity in offering these AI-driven experiences safely and effectively. Together, the panelists concluded that financial institutions must develop robust strategies to stay relevant and competitive in the face of this new AI-enabled consumer intelligence.

Howard Hall’s Podcast with Lou Carlozo: A Legacy of Leadership in Payments and Digital Identity

In addition to these panel discussions, Consult Hyperion’s Howard Hall was featured in a podcast with respected financial journalist Lou Carlozo. Hall shared how Consult Hyperion has been pioneering secure digital identity and payment solutions for decades, dating back to projects like the groundbreaking Hong Kong ID card. Hall discussed how this legacy of innovation continues to drive the company’s work in secure digital payments and identity, underscoring our commitment to building resilient infrastructures that adapt to changing regulatory landscapes and technology demands. Hall’s conversation with Carlozo highlighted that Consult Hyperion’s expertise in secure payments and identity frameworks isn’t simply a reaction to industry shifts; it’s a proactive approach that has evolved alongside the fintech ecosystem.

Charting the Path Forward

Money20/20 USA 2024 was a testament to the ongoing evolution within fintech, with AI taking center stage. As the industry advances, Consult Hyperion remains dedicated to contributing expertise in payments, secure digital identity, and emerging technologies that will shape the future. Our commitment to innovation and the fintech community continues, with a focus on building a safer, smarter, and more inclusive financial ecosystem.

Slower Payments?

I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not to believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication have developed, nobody really can any more.

It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.

In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 working days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].

There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.

In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right; e.g. a dog walker may appear as Wendy’s Walkies or under the name of the owner, Wendy Walker, and as a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.

My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.

One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.

Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.

Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.

While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.

It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.

References

[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/

How Consult Hyperion Can Help Financial Institutions Comply with DORA

The financial services landscape is evolving rapidly, with new regulations emerging every day. One of the most recent and significant developments for financial institutions in the European Union is the Digital Operational Resilience Act (DORA). Designed to ensure that financial entities are better prepared for technological disruptions and cyber threats, DORA aims to build resilience in the face of growing digital risks.

At Consult Hyperion, we specialize in payment and cybersecurity, structured risk analysis, and technical due diligence. I’d like to share how our expertise in these areas can help your organization navigate the complex requirements of DORA and achieve full compliance.

Understanding the Impact of DORA on Financial Institutions

DORA sets out to harmonize the requirements for operational resilience in the financial sector across the EU. This means that financial institutions, from large banks to small fintech firms, are now required to have comprehensive risk management frameworks that can withstand a wide range of cyber incidents and operational disruptions. The regulation focuses on ICT risk management, incident reporting, operational resilience testing, and managing third-party risk, among other things.

For any financial institution, ensuring compliance with DORA is a multi-faceted challenge. The regulation is comprehensive, and failure to comply could lead to penalties, legal liabilities, and reputational damage. But this is where Consult Hyperion comes in.

How Consult Hyperion Can Help You Comply with DORA

Our team at Consult Hyperion has over 30 years of experience working with financial institutions across the globe, helping them address their cybersecurity needs, performing structured risk analyses, and providing technical due diligence on third-party vendors and systems. Here’s how we can assist you:

1. Structured Risk Analysis

Risk analysis is at the heart of DORA. Financial institutions must identify, evaluate, and mitigate a variety of risks, from cyber-attacks to system failures. At Consult Hyperion, we’ve developed a proprietary structured risk analysis (SRA) approach that not only identifies potential vulnerabilities in your organization but also assesses the likelihood and impact of those risks. We provide a clear roadmap on how to mitigate those risks to stay compliant with DORA.

We help you map out your entire digital infrastructure, identify key points of failure, and assess your operational resilience. Our team works closely with your IT, risk management, and compliance departments to ensure that you have the right systems in place to manage risks effectively.

2. Technical Due Diligence

One of the key components of DORA is ensuring that your third-party vendors and ICT service providers are compliant with the regulation. This means conducting thorough technical due diligence on all your partners, ensuring they meet the necessary standards and are not introducing any undue risks to your operations.

At Consult Hyperion, we have a wealth of experience in conducting technical due diligence across a wide range of vendors and technologies. Our assessments are thorough, covering everything from security and privacy to operational resilience and regulatory compliance. With our help, you can have confidence that your third-party relationships are solid and that they meet DORA’s stringent requirements.

3. Cybersecurity Expertise

Our expertise in cybersecurity is another critical asset for financial institutions looking to comply with DORA. We understand the intricacies of securing complex digital infrastructures, particularly in highly regulated environments like banking and financial services.

We can help you design and implement security frameworks that protect your systems and ensure the integrity of your data. Our team works closely with you, making sure that your institution remains resilient to emerging threats. Leveraging our SRA process, we ensure that your organization meets DORA’s mandated security requirements.

4. Operational Resilience Testing

Under DORA, financial institutions are required to perform regular operational resilience testing to ensure that they can withstand and recover from significant operational disruptions. Consult Hyperion’s team can help you develop and execute comprehensive testing scenarios that assess your organization’s ability to respond to various disruptions, from cyber-attacks to natural disasters.

We can help to ensure that your testing protocols are robust and aligned with the DORA guidelines.

Moving Forward with Confidence

Complying with DORA is no small task, but with the right expertise and support, your financial institution can not only meet the regulatory requirements but also enhance its overall resilience. At Consult Hyperion, we are passionate about helping our clients strengthen their digital infrastructures, mitigate risks, and build a secure foundation for future growth.

If you’re looking for expert guidance to navigate the complexities of DORA, we’re here to help. With our proven track record in security, risk analysis, and technical due diligence, we can provide the support your organization needs to stay compliant and resilient.

To learn more about how Consult Hyperion can support your DORA compliance journey please contact us at: https://consulthyperion.wpcomstaging.com/contact/

What’s Really Holding You Back?

In conversation with Consult Hyperion – What’s holding you back? Your system or your mindset?

For years, industry experts have predicted the downfall of legacy systems, warning financial institutions (FIs) that clinging to outdated technology would ultimately lead to obsolescence. Yet, despite these warnings, legacy systems continue to play a central role in payments ecosystems of many FIs. So, what’s really holding the industry back? Is it the technology itself, or the mindset surrounding system modernisation?

Join our expert panel, including Gary Munro (Consult Hyperion – Technical Director), Maria Nottingham (Managing Director), Bethan Cowper (VP, Business & Market Development), and Eyad Almaaitah (VP, Global Product Management), for an in-depth discussion on the state of payments ecosystems. Together they explore how legacy systems continue to fit into today’s complex payment architecture, and why, despite the rise of fintech and digital innovation, true transformation remains elusive. This webinar is essential for payments professionals, C-level executives, and anyone responsible for ensuring their institution remains competitive in a rapidly evolving financial landscape.

Fime acquires Consult Hyperion, creating a global consulting leader

Fime, a global leader in consulting, testing, and certification services, is excited to announce the acquisition of Consult Hyperion, a renowned consultancy firm with expertise across payments, smart mobility and digital identity. The acquisition augments and cements Fime’s ability to deliver comprehensive consulting and advisory services—from ideation to implementation and testing—across these key sectors.

Fime’s global reach coupled with Consult Hyperion’s specialized consulting and advisory expertise, creates a uniquely positioned offering to serve clients ranging from startups to established market leaders, with the ability to adapt to the needs of local markets worldwide.

This acquisition marks a significant milestone for Fime. Together with Consult Hyperion, Fime will continue to offer unmatched value to clients, guiding projects from concept to deployment with a focus on innovation, security, and compliance. We are positioned to drive the future of payments, smart mobility, and digital identity.

Lionel Grosclaude
CEO at Fime

We have worked alongside Fime for a number of years, and are delighted to join forces with an organization sharing our values, including creativity, collaboration and deep expertise. Joining Fime enhances our ability to support clients worldwide in navigating the rapidly evolving landscape of our industries. Our combined strengths will deliver innovative, scalable, and more locally relevant consulting and advisory services.

Stuart Fiske & Neil McEvoy
Consult Hyperion Founders

About Fime
Fime enables its clients to create and launch trusted and secure solutions through its consulting and testing services in payments, smart mobility, and digital identity. It offers a global cross-industry perspective, local insights, and a unique heritage in testing and certification. Fime’s consultants provide transformative business expertise, partnering with organizations worldwide to define, design, deliver, and test their products and services.

For further Fime media information, please contact:
Yash Raveendra yash@iseepr.co.uk at iseepr + 44 (0) 113 350 1922
Stéphanie Pietri stephanie.pietri@fime.com at Fime.

With over 800 experts and employees around the world, Fime strategically works to help its clients turn ideas into reality, swiftly bring products to market, and achieve a competitive advantage. By working together, Fime transforms powerful innovations into the future of trusted transactions.

About Consult Hyperion
Consult Hyperion is a globally recognized independent consultancy, providing thought leadership and expertise in the fields of payments, mobility and identity. For over 30 years we have helped clients explore the opportunities created by advances in technology, regulation and consumer behaviour. We provide expert advisory, technical consulting and software development services helping our clients solve problems, understand opportunities and future proof their ideas while maintaining robust security. Everything we deliver operates at scale, enabling billions of transactions, all over the world.

Coining Connections in India and US Payment Systems

In the dynamic realm of digital transactions, India and the United States stand out as two distinct landscapes, each with its own set of challenges, triumphs, and innovative solutions. As someone who has witnessed the evolution of payment systems in both countries, the contrasts between my birthplace, India, and my current residence, the US, are stark yet revealing of the shared pursuit of efficiency, security, digitalization, innovation and convenience.

Cash was king in India

Growing up in India, cash was king. Whether hailing a taxi, indulging in street delicacies, or dining at a restaurant, cash was ubiquitous, rendering cards virtually irrelevant. In fact, cash accounted for 95% of all transactions in 2016, with approximately 90% of vendors lacking card readers. However, since my move to the US in 2016, I’ve observed a seismic shift towards digital payments back home.

India embarked on a digital transformation with the introduction of the Unified Payments Interface (UPI) and the bold move of banknote demonetization in 2016. With UPI, customers can now pay by scanning a QR code using a payment wallet, while merchants can accept payments in real-time without the need for extensive payment infrastructure or interchange fees, simplifying the overall process. This has contributed to UPI’s widespread adoption, with a staggering 83 billion transactions recorded last year. From street vendors to shopping malls, the UPI real-time payment initiative has democratized financial transactions, permeating every corner of society and largely reshaping India’s payment ecosystem since its launch.

Furthermore, India’s vision extends beyond its borders, with initiatives underway to facilitate cross-border real-time money transfers through UPI. Collaborations with countries like Sri Lanka, Mauritius, France, Singapore, Nepal and the UAE highlight India’s ambition to foster global interoperability, allowing travelers to utilize UPI for purchases abroad. It is a personal delight to have the option to pay for the ticket to the Eiffel Tower using UPI, and I’m sure to try it when I visit.

Cards are king in the US

In contrast to India’s cash-dominated landscape, debit and credit cards were widely accepted in the United States when I moved in 2016, gradually replacing cash as the preferred mode of transaction. Apple Pay, now accepted at 85% of retailers, along with other digital wallet options such as PayPal and Venmo, offered users convenient alternatives to traditional payment methods.

In 2017, Zelle’s launch marked a milestone in peer-to-peer payments, alongside The Clearing House’s introduction of the Real-Time Payments (RTP) network, offering instant payment options. The subsequent integration of Zelle with RTP in 2021 further enhanced the ecosystem, enabling instant clearing and settlement over the RTP network. Adding another dimension to the US payment infrastructure, FedNow was introduced last year, promising to complement existing systems and expand the horizons of real-time payments. While both FedNow and TCH’s RTP represent incremental improvements to the US payment infrastructure, their coexistence and interoperability remain to be seen. In a nation where competitiveness fosters innovation and offers consumers and organizations choices, the synergy between these services will likely shape the way we transact in future.

Charting the course: Embracing opportunities, mitigating risks

With the rapid evolution of payment systems, we are witnessing a simultaneous rise in fraud patterns and cases, driven by advancements in AI and processing power. Fraudsters are leveraging advanced technologies to exploit vulnerabilities in emerging payment systems, highlighting the critical need for resilience and security. Digital identity initiatives like Aadhaar in India and mobile driver’s licenses (mDLs) in the US offer promising avenues to address some of the existing flaws in the system and mitigate risks. At Consult Hyperion, we recognize the importance of these initiatives and stand ready to assist in their implementation and enhancement.

In the journey towards a cashless and digital future, collaboration, competitiveness, and innovation are serving as guiding beacons. By leveraging the synergies between different ecosystems and understanding the nuances of each, India and the US are paving the way towards financial inclusivity and empowerment on a global scale. It is not about a one-size-fits-all solution; instead, we must craft tailored solutions that meet the diverse needs of each nation and its citizens. Through Consult Hyperion’s expertise, you can navigate these complexities and build payment systems that are resilient, secure, and user-centric, ensuring a secure transition towards a digitally empowered future.

Digital Mobility with Mobile Driver’s Licenses

Most people reading this will already know what an mDL is (a Mobile Driver’s License of course). That’s because it isn’t a new idea; it has been in development for roughly eight years now. What is new this year however is the development of the existing mDL standard to include remote presentation, an add-on functionality which could do to plastic identity cards what plastic bank cards did to cash.

Along with 1.5 million participants in the state of California, I’m fortunate to be eligible to join the free pilot program offered by the CA DMV to secure myself an mDL. All I have to do is download the “CA DMV Wallet” app on my iPhone and take a front and back picture of my Real ID – it’s that simple. To demonstrate just how easy it is to use, I thought my colleague here at CHYP, Hayden Evans, could share his experience of using an mDL in an airport on the opposite coast:

“From my experience, the overall process of using the mDL provided by Georgia was very simple. There was no need to download any additional applications. All that was required was to follow the instructions laid out in my Apple Wallet. After submitting the required info to and receiving the corresponding approval back from the DDS (Department of Driver Services), I was ready to try it out at my earliest convenience. At Hartsfield-Jackson Atlanta International Airport, tapping my mDL was very reminiscent of tapping to pay for transit rides with OMNY in New York (minus the Express Transit settings). The only potential confusion was the option for flyers to use what’s referred to as their ‘digital ID’, which showed up as an option on my Delta boarding pass (top-left corner above the QR code). This involved the TSA agent taking my photo and presumably verifying it against some stored credential. To the average flyer having a Digital ID vs. an mDL may be confusing or unclear.”

So it may not be completely frictionless yet, but few digital experiences are, and this is only the beginning. There are currently over 25 participating airports accepting mDLs all over the country, including three here in California. While the DMV makes it clear that this is not a full replacement of the Real ID, it can now be used in stores and restaurants for proof of age. In Utah, for example, your mDL can be used in a variety of use cases, with Credit Unions, Liquor Stores and Health Centres all accepting your digital identity as an officially recognized ID. Utah isn’t alone; there are dozens of other states already issuing mDLs or following closely behind them in the development stage.

In October of last year I was fortunate to attend the 37th Bi-Annual Internet Identity Workshop in Mountain View CA. This was my third time attending, and in one of the very first sessions we received an update on the progress of the ISO/IEC 18013-5 mDL standard, originally conceived in 2016 by NIST but published in 2021. The standard specifically focuses on secure Local Presentation, including via QR Code, NFC and BLE mechanisms.

However, ISO/IEC 18013-7, as I mentioned earlier, outlines specifications for the remote presentation of mDLs. Despite there being various transport methods for credentials, the formatting of those credentials remains quite consistent amongst them. The standard proposes utilizing a REST API to initiate a request for the mDL credential, prompting the application to respond with either a redacted or complete credential (thereby incorporating selective disclosure capabilities). Selective disclosure is the mechanism by which users can ‘hide’ certain elements of the credential that were disclosed. This is privacy-by-design in action.
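A simplified sketch of how salted-digest selective disclosure works for an mDL-style credential, added here as an illustration and not taken from the ISO text or from any wallet's code. Assumptions: canonical JSON stands in for the CBOR encoding, an HMAC with a demo key stands in for the issuer's public-key signature, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC with a demo key stands in for the issuer's public-key
# signature; a real verifier would hold only the issuer's public key.
ISSUER_KEY = b"constructed-demo-key"


def item_digest(item):
    # Canonical JSON stands in for the CBOR encoding used by real mDLs.
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()


def sign_digests(digests):
    payload = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue(claims):
    """Issuer: give every element its own random salt, sign only the digests."""
    items = {
        name: {"id": i, "salt": secrets.token_hex(16), "name": name, "value": value}
        for i, (name, value) in enumerate(claims.items())
    }
    digests = {str(it["id"]): item_digest(it) for it in items.values()}
    return items, {"digests": digests, "sig": sign_digests(digests)}


def present(items, signed, requested):
    """Holder: release the signed digest list plus only the requested elements."""
    return {"signed": signed, "items": [items[n] for n in requested if n in items]}


def verify(presentation, requested):
    """Verifier: check the signature, then match each revealed element to its digest."""
    signed = presentation["signed"]
    if not hmac.compare_digest(sign_digests(signed["digests"]), signed["sig"]):
        raise ValueError("issuer signature invalid")
    disclosed = {}
    for it in presentation["items"]:
        if it["name"] not in requested:
            raise ValueError("element was not requested: " + it["name"])
        if not hmac.compare_digest(signed["digests"].get(str(it["id"]), ""), item_digest(it)):
            raise ValueError("element does not match signed digest: " + it["name"])
        disclosed[it["name"]] = it["value"]
    return disclosed


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    items, signed = issue({"family_name": "Example", "birth_date": "1990-01-01",
                           "age_over_21": True, "document_number": "X0000000"})
    shown = present(items, signed, ["age_over_21"])
    print(verify(shown, ["age_over_21"]))  # only the age flag is revealed
```

The per-element salt is what stops a verifier from recovering a hidden low-entropy value, such as a birth date, by hashing candidate values and comparing them with the signed digest list.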

The plan is to use the OpenID4VP standard for presentation of the credential, and at the end of 2023 SpruceID announced impressive success rates for the first fully remote interoperability tests for mDL implementations. Expected to be published in full later this year, the standard aims to address a current technological gap: not all web pages have the capability to request a credential from a user-chosen wallet. In short, the standard addresses the complexities of specifically remote mDL presentation and will enable users to have a truly portable digital identity.

Issues like standardization still remain, and it will be interesting to see how the big players approach the issues of interoperability between wallets. Android and Apple both now support the ISO 18013-5 standard in the Jetpack suite and iOS 15 respectively. If widespread acceptance of the mDL is the goal, we’ll need to see continued co-operation between wallet issuers, regulators and digital credential providers. Kantara’s “Privacy & Identity Protection in mDL ecosystems Discussion Group” is a great example of the kind of collaboration needed to support mDL adoption.

Changing consumer behaviour takes time. There are those in California who aren’t fans of the DMV’s pilot program, but still believe “that’s where we’re going with technology.” I’m willing to bet that underneath this skepticism is a person who was also hesitant about using contactless payments in shops and having their face scanned at ePassport gates at airports – until they became mainstream. They might have doubts at first, but in the case of mDLs and selective disclosure, I believe that people will soon appreciate being given more control over their digital identity. And all at the press of a button on their phone.

In our experience, people always prefer convenience. Privacy and Security therefore need to be convenient as well.


The Missing Cryptoqueen

You’ve probably heard about The Missing Cryptoqueen. It was one of the best podcasts of all time, a BBC series that explored the story of Dr Ruja Ignatova, a Bulgarian-born German entrepreneur who founded a fraudulent cryptocurrency scheme known as OneCoin, which The Times has described as “one of the biggest scams in history”. Since 2017 she has been on the run and in 2019 she was charged in absentia by U.S. authorities for wire fraud, securities fraud and money laundering. Currently one of the FBI’s “Ten Most Wanted”, she is also subject to an international Interpol warrant from the German authorities. In that podcast, Jamie Bartlett presents a story of “greed, deceit and herd madness” that is fascinating, funny and frightening. I cannot recommend both the podcast series and his book highly enough.

Jamie has written about how Dr Ruja was a genius at brand association. Knowing credibility was critical to her scam, she made sure to place herself next to trusted brands. She famously gave a speech hosted by The Economist in 2015, for example, where she gave a platitude-filled “keynote” that you can watch online here. Well, as it transpires, there was another trusted brand that OneCoin was, as Jamie puts it, “looking to snag”: Consult Hyperion!

Jamie writes that

In early 2017 OneCoin appointed someone to figure out what OneCoin needed to do to fix its growing technology mess. He asked Ruja’s London office, RavenR Capital, to come up with names. And the name suggested? ‘I would go for Consult Hyperion’ emailed one staffer, attaching a summary of the company.

When Jamie, an old friend, told me this, I was very pleased, as you can imagine. As one of the founders of Consult Hyperion, I have always been very proud of the culture of integrity that we built around our core deep subject matter expertise. We have such great people here and they have helped us to build a global reputation for being the best when it comes to helping scale players exploit new technology around secure electronic transactions.

(To be honest, even after all these years it still feels pretty good every time I see it confirmed and when I get a message on LinkedIn saying “hey, your team did a great job”, or someone says at a conference “those guys got us out of a hole”, or a stranger in an airport lounge tells me what a superb analysis one of the team delivered for them, I still get the same strange mixture of pleasure and pride that I did all those years ago!)

Jamie asked me what Consult Hyperion could have done for OneCoin, and I told him. We do due diligence on behalf of investors, we provide expert witnesses in lawsuits, we do risk analysis and penetration testing for some of the biggest names in financial services around the world. Having provided expertise in “crypto” to organisations ranging from Euroclear to the Department of Defense, there are all sorts of ways that we could have helped them prove that their scheme was awesome, their team was great and they would storm the market.

But Dr. Ruja never called.

She never called for the obvious reason that we have some of the best electronic transactions consultants on the planet. It would have taken them at most around five minutes to discover that the supposed claimant to Bitcoin’s crown was nothing of the sort. As Global Ambassador for Consult Hyperion, it is henceforth my proudest claim that the cryptoqueen never called us and if we ever get a coat of arms, I intend to suggest “regina non vocavit” as our motto!

Here I am with Jamie and Erica Stanford (author of “Crypto Wars”, another great book!)

How do we regulate and ensure AI Machines pay fairly?

I was extremely fortunate to be invited to the recent BIS Securing The Future Monetary System conference in Basel. This was a terrific event, bringing together some of the cleverest people in security from the worlds of banking, academia and industry to discuss the issues faced in securing our future CBDC based monetary systems.

I was there to speak about the technical considerations in Offline CBDCs, however I was also fortunate enough to take part in a roundtable on CBDCs and machine-to-machine payments, which was utterly fascinating, and produced some great insight and thinking that I thought I’d share, within the bounds of the Chatham House Rules. First, some background.

The call for Machine-to-Machine CBDCs

The GBIC model of three distinct types of CBDC is one that has always appealed to me. The GBIC is the voice of the main German banking associations: the National Association of German Cooperative Banks (BVR), the Association of German Banks (BdB), the Association of German Public Banks (VÖB), the German Savings Banks Association (DSGV), and the Association of German Pfandbrief Banks (vdp). It was fascinating to have such a conservative organisation discussing not two but three kinds of digital currency in their digital euro policy paper. They call for a digital currency ecosystem encompassing:

  • A Wholesale CBDC, issued by the central bank but for use in capital markets and interbank transfers. The GBIC’s experts are calling for this form of the digital euro partly because, by adopting this approach, the ECB would be able to include further digitalisation of central bank accounts in its project. The ultimate aim is to achieve improvements which can benefit consumers, enterprises and also the banking sector.
  • A Retail CBDC, again issued by the central bank to be used by private individuals in the euro area in the same way as cash for everyday payments, e.g. to retailers or government agencies. It should be possible to use the digital euro like cash, anonymously and offline. They assume that credit institutions will provide consumers in Europe with the necessary smart wallets.
  • An Industry CBDC. What the GBIC call “tokenised commercial bank money” which will be made available by commercial banks to meet a corporate demand arising from Industry 4.0 and the Internet of Things. Tokenised commercial bank money could facilitate transactions based on “smart” – i.e. automated – contracts and thus increase process efficiency.

In other words, in addition to wholesale CBDC for institutions and retail CBDC for people, they want industrial CBDC designed for Machine-to-Machine payments to satisfy the demand that will arise from the Internet of Things (IoT). Therefore a roundtable session considering Machine-to-Machine CBDCs was going to be interesting. The round table had a great flow, considering three aspects of Machine-to-Machine CBDCs starting with:

What do we mean by CBDC M2M Payments?

Do we mean human-induced CBDC Machine-to-Machine payments, or do we mean a fully autonomous exchange of assets? That is, me pressing a button on my car’s user interface to allow it to pay the fuel dispenser for my electricity / diesel / petrol, or a machine doing its own thing, buying and selling as it goes? Of course we went for the second one, much more interesting. As an example, the group considered a set of solar cells generating and putting electricity into the network, and an electric vehicle consuming that energy and paying for it. Where is the human here? Are they explicitly involved in the payment process? Well, no. So do we have humans at the edge, disintermediated by the system, only involved at set up? Just what are the implications here?

We then considered whether these payments are open loop or closed loop CBDC payments. For Machine-to-Machine, a closed loop CBDC ecosystem could bring benefits, where micro-payments can take place between machines, predominantly offline, only going online occasionally, effectively enabling the machines to cash in and cash out. What if we go further and consider a fully autonomous AI machine, providing services, consuming resources, making and receiving payments as it goes? Can this legally be the case, or is there always liability with humans accountable? Something that needs serious consideration.

How does regulation fit in?

How do we regulate for machine-to-machine CBDC payments? Indeed, is regulation required? Of course it is, but we cannot wait for this to appear retrospectively; too often in payments the regulator is playing catch up. For machine-to-machine CBDC payments, visionary regulation is required.

Regulators need to work together with the industry in order to understand machine-to-machine use cases and liabilities, and to put regulation in place ahead of machine-to-machine CBDC payments taking place. It was the view of the table that proactive, visionary regulation won’t be perfect, but principles-based regulation is needed in order to provide standards and trust. The table postulated that this could be implemented by smart contracts, with regulation at the edge where it can make use of the standard / regulation in place at that time, allowing change to quickly propagate. For example, we can imagine a tax compliant CBDC system for machine-to-machine CBDCs, updating to the latest tax regime. This may bring us to a place where technology, regulation and governance are intertwined, boundaries are not clear, where we have rails and assets. Good, well considered, clear regulation is essential to manage this.

What can we learn from the systems we have in play today?

Today we have bad actors in the system, using their own AI engines to feed their rules into the system. So how do we apply the brakes? If / when things do go wrong where is the liability at the end of the chain? Is it even possible to find who is responsible in such an autonomous AI system with many interactions and components?

We concluded that to do this effectively we need to build the system with ethics embedded in it, and perhaps, for visionary regulation for machine-to-machine, or robot-to-robot, CBDC payments, Asimov’s laws are not a bad place to start.

It was a fascinating event, with great conversations on all aspects of CBDC solution security. If you want to know more about CBDCs then please get in touch.
