Will Brexit make stealing bank cards attractive again?


A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’

The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions has meant a significant trend in consumers becoming comfortable with tapping their cards and, perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand-scribbled ‘cash only’ signs to ‘please use cards (devices etc) wherever possible’. Some stores have rejected cash altogether.

Travel Broke and Broken

The ongoing COVID-19 crisis has been ruthlessly exposing fragile business models and weak balance sheets across a whole range of industries but perhaps never more so than in the travel business. In fairness, no one could have anticipated a global, government dictated total shutdown and no business models could ever be flexible enough to support such an improbable scenario. Still, it’s become clear that many travel industry companies are effectively broke and that the payments model they rely on is broken. Going forward we need a better and more sustainable approach to payments in the industry.

Most travel industry payments rely on payments cards so it’s worth starting by recapping on how most card payment models work. When a cardholder makes a payment to a merchant – either in store or, increasingly, on-line, this is routed to the merchant’s card acquirer. The acquirer has a direct relationship with the merchant in the same way that a card issuer has a direct relationship with cardholders and the acquirer will route the payment request to the relevant issuer – usually by sending the request to a payment scheme who uses the card number to identify the correct issuer. If the issuer approves the transaction then the response is routed back through the same path and the purchase completed. This is no different from any other card payment, although there are hidden complexities where the merchant is an online travel agent sourcing flights, hotels, etc from multiple underlying vendors. However, that’s a detail.

Rearranging the banks

In his new book “Digital Human”, Chris Skinner sets out a straightforward vision of the bank of the future. He says (I paraphrase slightly) that the back office is about analytics, the middle office is about APIs and the front office is moving to smart apps on smart devices. I was thinking about this in an open banking context, and it gave me an idea for a useful way to help people think about the impending change in retail financial services in general and retail banking in particular. Let’s start from the traditional manufacturing/distribution model of retail banking that we are all familiar with and remember the broad economics of that model. On a global basis (these are the McKinsey version of the figures, but others are similar), it is distribution that takes the lion’s share of the profits and makes the better return on equity (ROE).

Dynamics of Open Banking

So now let’s rebuild that model for an open banking world using Chris’ back, middle and front office structure and think about the key technologies that will be transforming the businesses. I’ve invented the word “packaging” to describe the additional essential process that is needed to complete what we call the “Amazonisation” of banking, whereby products are manufactured as API services and distributed through the consumption of API services. This gives the three-part model that Chris describes a practical technological backbone to make it work.

Front, Middle and Back Office

What we don’t know, of course, is how this model will redistribute ROE. How will banks and “challenger banks” (we prefer the term “niche banks”), non-banks and neo-banks respond to the split of manufacturing and distribution that the new “packaging” layer (again, not sure if that’s the right term, I just couldn’t think of a better one) brings? That’s obviously a key question and one that is pretty important for organisations who are planning any kind of strategy around financial services in general or payments in particular. Since this includes many of our clients, we spend a lot of time thinking about this and the connection between technological choices that are being made now and the long-term strategic options for organisations.

Consult Hyperion took part in a recent American Banker Open Banking “Bootcamp” (a two-part webinar) on the topic. My colleague Tim Richards and I were able to explore some of our ideas and draw on some of our practical experiences with bankers, suppliers and other practitioners. It was fun to take part in it and we really enjoyed it because we were able to learn as well as to share. I mention that webinar here because as part of the bootcamp, Mark Curran from CYBG (The Clydesdale Bank, Yorkshire Bank, “B” Bank Group and now also Virgin Money) set out a very clear high-level view of the three strategic options available to retail banks. We think it’s useful to share them here: the “traditional” bank, the bank as a platform (think Starling) and the bank as an aggregator (think HSBC and Citi).

Basic Bank Responses to Open Banking

If, as many people think, it turns out that ROE will remain higher in distribution then the commoditisation of the manufacturing function (as it turns into a “utility”) may well threaten some of the incumbents, because they will not be able to adjust the economics of their manufacturing operation quickly enough to stay in business! This may sound like a radical prediction, but it really is not.

The reality for many banks will, of course, be more of a mixture of these approaches, but you can see the point. The decoupling of the manufacturing and distribution means that banks will have to make some important decisions about where to play, and soon. We’ve already seen how some banks (eg, HSBC) have moved to exploit the aggregator strategy and how some banks (eg, Starling) have moved to become platforms with rich app stores. But what we think may be under-appreciated is the extent to which the traditional bank can develop the packaging process not to shift to one of these strategies but to make itself more efficient and to improve the time-to-market for new products and services while keeping the costs of IT infrastructure under control.

In other words, it makes sense for banks to amazonise themselves.

Open (but asymmetric) warfare

You’ve probably noticed that something big is going on in the UK. It’s called “open banking” and although it hasn’t made much difference to the man at the Clapham ATM just yet, it will. In computer terms, it’s rather as if the banks are being obliged to install sockets in customer accounts that anyone can plug in to access those accounts (with the customers’ permission, of course). So, you can tell your bank to let (eg) Amazon access your bank account and there’s nothing they can do about it. In a recent speech Karina McTeague, director of retail banking supervision at the Financial Conduct Authority (FCA), said that while banks must be “aware of their legal obligations in respect of data protection and consumer protection”, they should “allow their customers to make use of [third-party services] in relation to those payment accounts without penalty, including allowing their customers to share their credentials”.

So, basically, it’s on. Third parties can have access to bank customer data and there’s nothing that banks can do about it. Who will benefit from this? We have long advised our clients that the competition to incumbent financial services providers will not be fintechs. I wrote last year that the major beneficiaries of the regulators’ pressure to open up the banks will be the internet giants who already have the customer relationships. Of course, when I say it, no one listens. But when the woman at the top of Europe’s biggest retail bank weighs in, I suspect one or two people may sit up and pay attention.

Ana Botín, executive chairman of Santander, told the Financial Times that the EU’s Second Payments Services Directive “needs to be reviewed for the digital age. The theory is good but it needs to be fair — at the moment it’s not symmetrical.”

From Santander chair calls EU rules on payments unfair.

Her point is that by creating the asymmetry described above, regulators may well have created the conditions to replace an uncompetitive oligarchy (as they see it) of banks with an uncontrollable oligarchy of internet giants. This is not, as my colleague Tim Richards wrote last month, a theoretical issue. He used the example of UK insurer Admiral, which created a scheme to allow people with limited credit histories access to insurance products using social media data. The idea was that if people were willing to grant Admiral access to this data they could perform a form of social identification and verification with an element of personality checking to identify people with traits conducive to good driving. It didn’t last. Facebook blocked Admiral from getting access to the data.

Is this, as Ms. Botin asks, really fair?

If it isn’t, what should be done about it?

Earlier this year, I had the honour of chairing Scott Galloway at the KnowID conference in Washington. Scott is the author of “The Four”, a book about the power of internet giants (specifically Google, Apple, Facebook and Amazon). In his speech, and his book, he sets out a convincing case for intervention. Just as the government had to step in with anti-trust acts of the early 20th century in recognition of the fascist nature of monopoly capitalism, so Scott argues that they will have to step in a century on and, again, not to subvert capitalism but to save it. His argument centres on the breaking up of the internet giants, but I wonder if the issue of APIs might provide an alternative and eminently practical way forward?

Two and The Four

With Scott Galloway at KnowID

Ana suggested that organisations holding the accounts of more than (for example) 50,000 people ought to be subject to some regulation to give API access to the consumer data and it seems to me that this might kill two birds with one stone: it would make it easier for competitors to the internet giants to emerge and might lead to a creative rebalancing of the relationship between the financial sector and the internet sector.

This gives us the obvious regulatory response to the need to create a level playing field: let us put in place a set of reciprocal rights and responsibilities. Forum friend Simon Lelieveldt, who I always listen to on these matters, also suggests this as the way forward. He says that if the European Commission wants a “balanced” market with effective competition then it should “redress the design errors in the PSD-2 and allow banks to ask fees and allow them reciprocal access to the customer data”. I think this gives us a sensible outline manifesto for the next generation of PSD2/GDPR and such like: open, transparent and non-discriminatory pricing for API access to customer data (with the customer’s consent) irrespective of the nature of the organisation: bank, media, telecoms whatever.

Tim Richards and I will be running a workshop session on open banking and the strategies for incumbents, fintechs and competitors on Wednesday June 6th at Money 2020 in Amsterdam just a couple of weeks from now. Please do come along and join in the discussion and debate around this crucial topic. We look forward to seeing you there.

Strong Consumer Authentication with Gloria Hunniford, Gold Membership and Gary Munro

I was relaxing watching the marvellous BBC programme “Rip Off Britain” the other day. It was a live episode [online here] featuring the noted and venerable British television celebrity Gloria Hunniford. The subject of the programme was bank security and it featured Gloria herself investigating how she was ripped off by bank fraudsters. Basically, a woman who looked nothing like her used a fake driving licence to withdraw more than a hundred grand from her Santander account.

‘It was easier for four strangers to access my money than it is for me!’ Rip Off Britain’s Gloria Hunniford slams bank security after frauds stole £120,000 from her account 

From Rip Off Britain’s Gloria Hunniford slams bank security after frauds stole from her

The bank teller involved was initially suspected of being part of the fraud and was prosecuted but acquitted on the grounds that she hadn’t the slightest idea who Gloria Hunniford was. Fair enough. It would be like prosecuting me for being unable to pick Kim Kardashian out of a police line up.

It’s easy to make fun of bank security (as I have) but there is a real problem behind this story. A bank doesn’t want to annoy good customers but it has to have security in place to at least mildly inconvenience fraudsters, if nothing more. And the bank’s security has to cope with all sorts of circumstances. What if you drop your smartphone down the toilet? I’ve done that. And here’s another good example.

I once ran out of petrol in my car. So I called the AA (I’m a Gold Member of that, too) and they told me that they couldn’t bring petrol because it’s against health and safety regulations, so they towed me to a garage. I filled up the car, wandered in to pay and… discovered I’d left my wallet at home. (Not the first time I’ve done this.) Having thought about it, and left the car keys with the clerk at the filling station, I phoned my bank. It turned out that there was a branch a few minutes’ walk away, so I set off to find it. On the phone, I answered some security questions, and when I got to the branch there was (if memory serves) £30 waiting for me. Hats off to Barclays.

From Taxis, Boris Johnson and another step closer to VC Day | Consult Hyperion

Now, I don’t remember what those security questions were, but I’m pretty sure that a determined fraudster would know the answers or know how to talk themselves round them. But I do want to live in a world where, when I forget my wallet, I can still get some cash out of the bank!

One problem, in the Gloria Hunniford case, is that asking a customer to present a driving licence as proof of identity is the kind of “security theatre” that I was talking about in Sydney this week as a guest of the lovely people at Australia Post.

The bank clerk has no way to know whether the driving licence is real or not, so asking for it and looking at it is like taking part in a play about security where everyone is an actor who knows their lines but there is no actual security involved at any point. Surely this is one of the crucial differences between old identity and new identity, between dumb identity and smart identity, between analogue identity and digital identity.

Had the bank’s digital identity interacted with the customer’s digital identity, rather than the clerk interacting with the bogus Gloria, then there would have been mutual verification and real security. Imagine what the conversation at the counter could be…

Bogus Gloria Hunniford (BGH): “Hello, I’m Gloria Hunniford and I’d like to withdraw £150,000 from my account”.

Santander Bank Clerk of the Future (SCF): “Certainly Madam, let me check your Financial Services Passport.”

At this point, she pulls up the details of Gloria Hunniford’s account on her screen and the system sends a message encrypted using Gloria Hunniford’s public key. This is sent to the Santander app on Gloria Hunniford’s mobile phone.

BGH: “Sorry, my phone was carried away by a seagull on the way to the bank so I don’t have my Financial Services Passport”.

SCF: “No problem Madam, we have a spare phone here.”

The bank clerk picks up the branch’s spare Samsung S7 and runs the Santander app. She puts in Gloria Hunniford’s sort code and account number and when the app asks for verification, she holds it up and asks “Gloria” to log in using face verification (or voice or iris or whatever).

BGH: “Ah, unfortunately, I tripped over a paving stone yesterday and smashed my face into a Ford Focus. Due to my emergency plastic surgery, I’m afraid I will fail the face verification process”.

SCF: “That’s no problem Madam, we can re-enroll you. Please come back with your fingerprints, your voice and a barely legible photocopy of a gas bill from six months ago”.

Now, there is some actual security, because the real Gloria Hunniford will see a message pop up on her phone about authorising a withdrawal at the Santander branch and she will either hit the “no” button or the “no, and please connect me to the whitehall1212.police.org.uk emergency fraud chatbot so that I can alert the plod to a crime in progress”.
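The counter exchange above, worked through as an added example (not code from the post, from Santander or from Consult Hyperion): the bank binds each authorisation request to the account, amount and channel, and only the device enrolled for that account can answer it, so the claimant holding the branch’s spare phone gets nowhere while the real customer can approve or decline. A per-device HMAC key stands in for the public-key encryption the author describes, so the example runs on the standard library alone; the account number, amounts and branch name are constructed.

```python
"""Device-bound, out-of-band transaction authorisation (illustrative example).

The bank never acts on the teller's say-so: it issues a one-shot request bound
to account, amount and channel, and accepts only an answer tagged by the device
enrolled for that account. A symmetric per-device key with HMAC is used here in
place of the public-key encryption described in the post (assumption, so that
this runs without third-party libraries).
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    request_id: str
    account: str
    amount_pence: int
    channel: str      # where the request originated, e.g. "branch:Guildford"
    issued_at: int    # seconds; passed in explicitly so the demo is deterministic
    expires_at: int


def approval_tag(device_key: bytes, req: AuthRequest, decision: str) -> str:
    """Tag over the whole transaction context, so an approval for one amount or
    channel cannot be reused for another (the 'dynamic linking' idea in SCA)."""
    payload = json.dumps(
        {"id": req.request_id, "account": req.account, "amount": req.amount_pence,
         "channel": req.channel, "expires": req.expires_at, "decision": decision},
        sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, payload, hashlib.sha256).hexdigest()


class CustomerDevice:
    """The customer's enrolled phone app: shows the request, returns a tagged answer."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, req: AuthRequest, approve: bool):
        decision = "approve" if approve else "deny"
        return decision, approval_tag(self._key, req, decision)


class Bank:
    def __init__(self):
        self._device_keys = {}   # account -> key provisioned at enrolment
        self._pending = {}       # request_id -> AuthRequest awaiting an answer

    def enrol_device(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[account] = key
        return key

    def start_withdrawal(self, account, amount_pence, channel, now, ttl=120):
        req = AuthRequest(secrets.token_hex(16), account, amount_pence, channel, now, now + ttl)
        self._pending[req.request_id] = req
        return req

    def complete(self, request_id, decision, tag, now) -> str:
        req = self._pending.get(request_id)
        if req is None:
            return "rejected: unknown or already used request"
        if now > req.expires_at:
            del self._pending[request_id]
            return "rejected: expired"
        expected = approval_tag(self._device_keys[req.account], req, decision)
        if not hmac.compare_digest(expected, tag):
            return "rejected: not from the enrolled device"
        del self._pending[request_id]   # one-shot: replaying the answer fails above
        return "approved" if decision == "approve" else "declined by customer"


def run_branch_scenarios() -> dict:
    bank = Bank()
    acct = "12-34-56 00000000"                               # constructed sample
    real_phone = CustomerDevice(bank.enrol_device(acct))     # customer's own device
    spare_phone = CustomerDevice(secrets.token_bytes(32))    # branch spare, never enrolled
    t0 = 1_700_000_000
    out = {}
    # 1. Genuine customer approves £150,000 on her own phone.
    req = bank.start_withdrawal(acct, 15_000_000, "branch:Guildford", t0)
    out["genuine_approve"] = bank.complete(req.request_id, *real_phone.respond(req, True), t0 + 5)
    # 2. The same approval replayed against the bank.
    out["replay"] = bank.complete(req.request_id, *real_phone.respond(req, True), t0 + 6)
    # 3. Claimant at the counter answers on the branch's spare phone.
    req = bank.start_withdrawal(acct, 15_000_000, "branch:Guildford", t0)
    out["spare_phone"] = bank.complete(req.request_id, *spare_phone.respond(req, True), t0 + 5)
    # 4. The real customer sees the pop-up for that request and hits "no".
    out["genuine_deny"] = bank.complete(req.request_id, *real_phone.respond(req, False), t0 + 10)
    # 5. A genuine approval that arrives after the request window has closed.
    req = bank.start_withdrawal(acct, 3_000, "phone:callcentre", t0)
    out["expired"] = bank.complete(req.request_id, *real_phone.respond(req, True), t0 + 500)
    return out


if __name__ == "__main__":
    for name, result in run_branch_scenarios().items():
        print(f"{name:16s} {result}")
```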

Look, the banks in Europe have to implement Strong Consumer Authentication (SCA) anyway, so why not implement it properly so that you can authenticate yourself the same way whether on the phone, in the branch, browsing the web or mucking about with your phone? I imagine this is the sort of thing that my colleague Gary Munro will be talking about on 9th November 2016 as he is one of the experts taking part in the techUK seminar on strong authentication in PSD2. You’d be mad to miss it.

“Knowing Me Knowing You, Ah–Ha !” – Strong Authentication in PSD2

From TechUK

The fact is that if we really want to replace security theatre with some actual security, we have the technology.

Me, Vanessa and crossing the streams

The UK’s Competition and Markets Authority (CMA) has published its report on the retail banking market. It says that “the timely development and implementation of an open API banking standard has the greatest potential to transform competition in retail banking markets”. I can’t say that I read all 766 pages, but given that I think that account switching is a waste of time and money, this did strike me as the most important “remedy” (as they call it) in the report.

One of the CMA’s key measures is to make high-street banks adopt a digital standard called “open banking” by 2018.

From Competition watchdog’s high-street banking probe disappoints — FT.com

By 2018? I can hear your jaws hitting the floor from here. That’s 15 months from now, which is a dog decade but a core banking weekend. 2018?? This is correct. I heard the chap from the CMA talk about this on Radio 4. I got to talk about it on Radio 2 because I’m all about the mass market and the man using the Clapham ISP.

Vanessa discusses the Open Banking Programme, witnessing the birth of a sibling, life after the London riots and the man who buried himself underground for three days.

From BBC Radio 2 – Jeremy Vine, Open Banking and London Riots

I was in the first segment, about Open Banking. The second segment, about a celebrity chef’s wife giving birth made me feel sick and so I didn’t listen to the last segment about riots. Anyway, on Radio 4, the head of the CMA was saying (and I’m paraphrasing from memory) that consumers will be able to use a currently non-existent mobile phone app to connect with a currently non-existent interface at their bank according to some currently non-existent standards in order to get recommendations from some currently non-existent big data cloud thingies that will slurp up currently non-existent standard format bank transaction data and analyse it to suggest a more cost-effective current account. By 2018.

I think that in order to understand what might actually happen on the ground in the UK, you need to imagine what will happen at the crossing of three streams.

The first stream is the PSD2 provisions for API access to payment accounts. As you may recall, these include a set of proposals that are due to come into force in 2018. A group of those proposals are what we in the business call “XS2A”, the proposals which force banks to open up the aforementioned APIs to permit the initiation of credit transfers (“push payments”) and account information queries. Even at a pure compliance level these PSD2 regulations pose significant questions for the structure of the existing payments industry. Straight off, an open payment API allows a third party – let’s say a giant internet retailer at a browser near you – to ask consumers if they’d mind permitting direct account access for payment. It won’t be too hard for these organisations to find some incentive for customers to do this, and once permission is granted the third parties can bypass existing card schemes and push payments directly to their own accounts. Meanwhile the account information API allows third parties to aggregate consumer financial data and provide consumers with direct money management services. It’s not hard to imagine that these services will be able to disintermediate existing financial services providers, identify consumer requirements and directly offer them additional products such as loans and mortgages.

This, you might think, could be a bit worrying for banks and payment schemes – and you’d be correct. Unless they take action the banks will see their customers intercepted and a great deal of their cross-selling opportunities will disappear. End of the world stuff? No. Generally speaking these changes (which are all about more competition) are good for the banking industry and for end consumers, and it doesn’t have to be carnage among the existing incumbents, if they’re smart enough to embrace the opportunity. One way of thinking about this change is that it breaks up existing payment workflows. No longer is a payment simply a request in and a response out; now bits of the internal payment workflow – authentication, risk management, authorisation, tokenisation, rewards programs, key management, etc, etc – can be externalised through APIs. And one thing we know about APIs is that when they’re made available the generations of smart developers out there can do things we can’t even imagine, let alone build. The roadmap to the PSD2 APIs is in the hands of the European Banking Association (EBA) which has been tasked with developing the Regulatory Technical Standards (RTSs) for that access. They have just published the RTS on strong authentication, which you might see as a prerequisite to practical API use.

As expected, the RTS do not provide us with technical specifications that one can actually implement. Additional work by ‘the industry’ is required

From EBA RTS: Three key business implications for bank decision makers

So, as our good friends at Innopay note here, RTSs are not really technical, and for that matter they’re not really standards in the sense that I would mean either, but suffice to say that there is a framework for open banking coming together at the European level.


The second stream is Her Majesty’s Treasury’s push for more competition in retail banking. This led to the creation of the Open Banking Working Group (OBWG), which published its report earlier this year. Right underneath the heading “Open Banking Standard”, the document says that its goal “in publishing this Framework today is to enable the accelerated building of an Open Banking Standard in the UK”. So it’s not really a standard either. I thought the document might set out some actual APIs (preferably in line with the EBA RTS) so that banks, fintechs, regulators and entrepreneurs could plan new products and services, but the truth is it reflects the political realities of the pending complex “settlement” between banks, the regulators and others.

I’m not that interested in open data (e.g., ATM locations) and not that excited by being able to download my bank account as a spreadsheet that I can upload to Money Supermarket. What I’m interested in is transactions and transaction data, especially through the more transactional APIs envisaged under PSD2. It would be crazy for banks to have to implement multiple infrastructures, so it’s logical to create an infrastructure for OBWG access to customer transaction data that can also be used for XS2A transaction initiation and account information services. Despite the title, then, the OBWG report is a holding document, setting us on a path to allowing access to the open data held by banks while leaving proprietary data alone. Now, let me stress that I was not party to any of the discussions, and I am not breaking any confidences by saying this, but I imagine the discussions about what data the banks consider “proprietary” and what data the banks consider “open” must have been rather convoluted. But let’s move on and assume that my transactions are considered open data and that I want to share them with third-party service providers. Since the report did not contain any APIs or even a framework for APIs, we can’t use it to start planning services right now, but we can focus on the positives and look at what the document did. What it did set out was a four-part framework, comprising:

  • A data model (so that everyone knows what “account”, “amount”, “account holder” etc mean);
  • An API standard;
  • A security standard;
  • A governance model.

None of these currently exist, so they need to be created. If we focus on the APIs, the document does say, as I have noted, that because of PSD2 (and the General Data Protection Regulation, GDPR), many of the APIs will need to be built anyway. Hence co-ordinating the APIs will be a near-term priority.

The third stream is the CMA report that triggered this blog post. This envisages APIs to improve competition in retail banking by focusing on the use of APIs to obtain access to personal data that can be shared with third parties to obtain better, more cost-effective services. Hence the comments about the mobile app that will get you a better current account. Now, I identify these APIs as being congruent with, if not actually the same as, the PSD2 AISPs. So if we gather together these streams and try to integrate a picture of where we might go next, and we draw the mandatory consultant’s 2×2 matrix to help us think through the possibilities, I think we end up with a rather interesting and useful way of thinking about the crossing of the three streams. I’m particularly drawn to it because it gives me a way to locate the digital identity APIs that I think are so crucial to the future of banking.


I think this is a useful diagram. The Digital Identity APIs will not be mandatory, but they may be the key way for banks to stay in the loop in the new economy as the mandatory APIs allow banking services to be provided by third parties. Interesting, and I’d appreciate your view on this. Anyway, there’s one obvious point to mention here and that’s security. Since banks do not currently offer these APIs and they are going to have to knock them up pronto, the potential for error is vast. Yet banks simply cannot take any risks with these interfaces.

APIs (application protocol interfaces), which are a major cornerstone of the CMA’s plan for banks to share consumer data, can also provide an easy route for attackers if not properly secure.

From Funny story, this. UK.gov’s ‘open banking app revolution’. Security experts not a fan of it • The Register

Word. But since neither the APIs, nor the security architecture, nor the practices, procedures and audit mechanisms have been defined, it is simply impossible to say whether the UK OBWG implementation is secure or not. Hence I suspect that the way forward for most banks will be to expose a limited set of APIs to begin with, by focusing on a manageable customer segment (not the general public), and then get working on stress testing and penetration testing. In fact, some banks have already begun to experiment in this area.

Wells’ tiptoeing into open APIs by offering them to commercial customers is typical of banks, which see such clients as the test case. Consumer applications hold the greater opportunity, but also carry more risk given cybersecurity and data issues.

From The Drumbeat for Open APIs Is Getting Louder | American Banker

I can tell you from personal experience (Consult Hyperion runs a very big penetration testing programme for one of the world’s biggest banks) that it takes a fair amount of time and money to get these kinds of interfaces to the point where they can be exposed to the public, hence I am somewhat sceptical that they will be ready for action a mere 15 months from now.

What will the new UK Payments Regulator change?


You may think payments regulation is a rather dull subject, but it isn’t. Angus McFayden from Pinsent Masons spoke about the changes to the regulation of the UK payment sector at the Westminster e-Forum on “Digital Payments in the UK” [PDF] that I spoke at last November. As I remember him pointing out, with characteristic accuracy, these changes are not going to drive down costs (there is nothing in the UK National Payment “Plan” about this anyway), which I would have thought to have been a reasonable goal. So what are they going to do? Well, they are supposed to improve competition while simultaneously ensuring stability and so forth.

How? You may remember that HMT (Her Majesty’s Treasury, the UK’s Ministry of Finance, essentially) had a public consultation on the options for UK regulation a while back, and…

So given it was what the government said they wanted, what the respondents said they wanted and, most importantly, what I said that I wanted… the government has decided to choose an alternative path and it now says it will create a new payment regulator

[From You searched for response to consultation – Tomorrow’s Transactions]

So we are going to have a new payments regulator, and this will improve competition and ensure stability. Angus explained that this regulator, expected to be operational in April 2015, will have a number of powers and that one of them will be to mandate access to payment systems. This means access to the payment schemes, rather than direct access to accounts, and it is laudable. If more organisations have access, there will be more competition and therefore, hopefully, reduced costs. So far, so not particularly interesting.

However, under proposed reforms to PSD2 things might move a little further and, somewhere downstream, there may be changes following on from the European Commission’s consultation on third-party access to the bank account, known as “XS2A”. In this scenario, I would be able to grant a licensed third party (a Payments Institution or bank, essentially) access to my bank account so that they could get the balance, look at transactions and perhaps even trigger FPS payments. Now this is really interesting. The potential for new services here is obvious and by removing an intermediary layer there should be a reduction in costs. But, and this is a big but as far as I am concerned, without the right identity infrastructure, the right security and the right compliance regime, this could be another Chernobyl.

I imagine that this is the sort of thing that will be discussed in London in February at the forthcoming “Payments Intensive”, where you can listen to Consult Hyperion’s Anthony Pickup and Adrian Kamellard, the Chief Executive of the Payments Council, amongst others, talking about payments regulation in more detail.

Payments Intensive 2014: Future Development and Regulation, will bring together key figures from business, legal and regulatory backgrounds, to discuss the most pressing issues in the payments sector today.

[From Payments Intensive 2014: Future Development and Regulation | Cecile Park Conferences]

The magnificent group of gentlepersons and scholars at Cecile Park have very kindly given Tomorrow’s Transactions a complimentary delegate place at this event to dispose of as we please, so we’re having one of our blog competitions. If you are going to be in London on 6th February and would like to attend the Payments Intensive, then all you have to do is be the first person to comment on this post with the name of the British record label that has just released a version of Bach’s Wurttemberg Sonatas performed by the Iranian-American harpsichordist, Mahan Esfahani, and you will be given an entirely free place at the event (worth an astonishing THREE HUNDRED AND FORTY FIVE of your English pounds).

As always, the judge’s decision is arbitrary and capricious.
