Wednesday, 31 December 2014

Credit Where It's Due

Having spent the past seven years banging on about the changes needed to democratise the financial system, it's only fitting that my last post for 2014 should give a little credit to the authorities for making some very significant changes this year.

The FCA published its rules to specifically regulate peer-to-peer lending in February, and its rules on crowd-investment in March. At the same time, the Chancellor announced the expansion of the ISA scheme to include peer-to-peer loans. In the Autumn Statement, he announced that consumers who lend to other consumers and sole traders through P2P platforms will be able to offset any losses against interest received. And there will be a consultation on expanding the ISA scheme to encourage crowd-investing in bonds and other debt securities.

We are still at the start of a long journey. The rules could be simpler and the EU could yet muddy the waters if the UK position is not well represented. But if you'd asked me in 2007 whether so much would be achieved by 2014 - particularly on the ISA front - I'd have been optimistic (naturally) but expecting the worst. Yet in 2015 we'll have both the regulatory 'blessing' and the incentives necessary to enable people with surplus cash to get it directly to creditworthy consumers and small businesses who need it, instead of leaving the money tied up in low yield bank deposits or having it eaten away by fees in managed investment funds.

Perhaps this is partly why 2014 also saw the bank bosses' swagger and bravado turn to panic. The trends which are combining to democratise the financial system have not only revealed that the stuffed shirts are powerless to stem the flow of fines for corrupt practices on virtually every front, but those trends have also produced competition from the banks' very own customers. 

But let's not get carried away. While crowdfunding is growing at over 150% a year, the crowd will probably produce 'only' about £5bn of funding in 2015, based on Nesta figures and assuming a boost from the ISA changes. 

So, while we've come a long way since Bobby "Dazzler" Diamond infamously suggested that the time for bankers' remorse was over if the UK was to recover, we will still have a small business funding gap next year - eight years after the financial meltdown. In fact, in many ways the financial system is in worse shape now than in 2007, with less competition and appalling inefficiency in banking, vast public sector debt, a larger 'shadow banking' sector than ever before (depending on how you measure it), and many key economies around the world suffering low/no growth. Events such as those in Russia, Greece and the Eurozone are applying further pressure to a system that is still broken. In these circumstances we remain terribly vulnerable to financial shocks.

Still, the UK government deserves plenty of credit for the changes announced to date. Whether they have come early enough to help us through the next storm remains to be seen, but at least the national funding solution now lies substantially in our own hands. 

If we don't take the opportunity to crowdfund the recovery, we will only have ourselves to blame.

Wednesday, 3 December 2014

Good News For #FinTech And #Crowdfunding in Autumn Statement

The government has announced bad debt relief for lending through P2P platforms; a consultation on whether to extend ISA eligibility to crowd-investing in debt securities and an intention to review some rules that add unnecessary costs for institutional lending through P2P platforms.

Individuals lending through P2P platforms will be able to offset any losses from loans which go bad against other P2P income. The relief will be effective from April 2016 and will allow individuals to make a self-assessment claim for relief on losses incurred from April 2015.

The government will also consult on the introduction of a withholding regime for personal income tax to apply across all P2P lending platforms from April 2017. This will help many individuals to resolve their tax liability without them having to file for Self Assessment.

The government will call for evidence on how APIs could be used in banking to enable financial technology companies to develop innovative solutions that allow customers to compare banks and financial products.

From January 2015, the majority of card acquirers will offer a new service for small businesses to receive the funds from debit and credit card transactions much more quickly. Two acquirers will not meet this commitment, and the government will ask the Payment Systems Regulator (PSR) to examine whether small businesses are being disadvantaged as a result.

The government will allow gains that are eligible for Entrepreneurs’ Relief (ER) and deferred into investment under the Enterprise Investment Scheme (EIS) or Social Investment Tax Relief (SITR) to benefit from ER when the gain is realised. The government will also increase the annual investment limit for SITR to £5 million per annum, up to a total of £15 million per organisation, from April 2015 and will also consult further on a new relief for indirect investment in social enterprises.

To better target the tax reliefs, the government will exclude all companies substantially benefiting from other government support for the generation of renewable energy from also benefiting from tax-advantaged venture capital schemes, with the exception of community energy generation undertaken by qualifying organisations. The government will also make it easier for qualifying investors and companies to use the tax-advantaged venture capital schemes by launching a new digital process in 2016.

Friday, 14 November 2014

Officials Alarmed By PSD2 And Barriers To Innovation In Payments

In a joint study, Ofcom and the UK's new Payment Systems Regulator have explored the reasons for limited innovation in the UK payment services market, sounding the alarm over the potential impact of PSD2. But the study does not thoroughly explore the most recent proposals, which would make the situation worse than officials seem to appreciate.

The study confirms that most of the innovation is facing retail customers and relies on the existing payments infrastructure.

Various factors act as a barrier to the scale and pace of innovation seen in other technology sectors. There is a low tolerance for system failures, naturally, but the resulting high security and resilience requirements make systems more rigid and less open to the usual market forces present in other IT sectors. New entrants also find it hard to break through the network effects that support existing payment methods (e.g. cards). Investment is further constrained by significant uncertainty around regulation and technological standards. Finally, the interests of consumers, merchants, telcos and financial institutions are not aligned in the types of services being offered - in essence we're seeing an attempted 'land grab' by competing institutions at customers' expense.

It is critical that the European Council considers this report as it finalises the proposals for PSD2, which would make this situation worse. Equally, however, it is a pity that this study was not able to more thoroughly explore the potential impact of those proposals.

Let's hope for some more joined up thinking in the weeks to come!

Friday, 7 November 2014

The End Of Merchant-hosted Checkouts?

You may have noticed that I'm madly trying to keep up with the blast of confetti from Brussels known as "PSD2". It's very fortunate that the SCL's editor is blessed with a good sense of humour, not to mention the readership. In advance of my latest update, here's a warning of a fairly brutal provision for e-commerce merchants in the latest version of PSD2.

Not satisfied with forcing 'gateway' service providers to supply their services directly to regulated institutions rather than merchants, if they wish to remain exempt, it seems the EU Council also considers that e-commerce checkout pages on merchant sites are "payment instruments" in their own right (not just the payment methods displayed on them).

A new information requirement seems to mean that where customers are shown a range of different card-scheme brands as payment options prior to checkout (itself referred to as “the issuance of a payment instrument”), they should be informed that they have the right to select a particular brand and to change their selection at point of sale.

On the surface, this requirement adds nothing. It's how checkout processes already work. If you want to pay by card, you click on the card scheme logos, and up comes a page that asks you to enter a card number from any of the brands displayed. But describing a checkout process as a “payment instrument” (rather than merely the payment methods available on it), suggests that the entity which serves up the web page that enables checkout is itself the issuer of a payment instrument and should be authorised accordingly.

It's likely that many e-commerce merchants will host their own checkout page or process, and the transaction only moves to the acquirer’s servers either once the customer has selected which type of payment instrument she wishes to use, or (if the merchant is PCI compliant) once the transaction is captured and sent to the acquirer.

So this provision would actually require such a merchant to either cease hosting any aspect of the checkout process or become authorised as a payment instrument issuer (or the agent of an authorised firm). It also raises the question whether such a merchant is also 'initiating payment transactions', with the same consequences.

This is revolutionary stuff. If passed in this form, PSD2 could drive the need for significant website re-development work. Of course, it could also mean good business for e-commerce marketplaces, or regulatory specialists who help firms apply for authorisation (pick me!). But it's really just overkill.

In their quest for 'the highest standards of consumer protection', the European authorities seem oblivious to the adverse impact on competition and innovation in the payments sector that will come from delivering control over key aspects of e-commerce infrastructure to the comparatively few firms who will bother becoming authorised. Ironically, it was this sort of concentration that drove the need for the current PSD - to open up the banking/card scheme monopoly. Perhaps the banks and their schemes are winning the battle to retain their dominance after all...

Wednesday, 29 October 2014

The Cost Of Leaving Payment Security To The Bureaucrats: #PSD2

The more I study the latest proposal for a new Payment Services Directive (PSD2), the more I'm concerned that it will reduce innovation and competition. Not only does it hand control of wider transaction technology to regulated payment service providers (PSPs), but security standards will also be centrally controlled by the European Banking Authority, as explained below. It seems the authorities are busy creating a new version of the banking monopoly that the PSD was designed to break down. But maybe the idea is to create work for the new Payment Systems Regulator...

Putting aside the ability for PSPs to control the wider transaction infrastructure, PSD2 empowers the EBA to set technical standards governing 'strong customer authentication', as well as how PSPs communicate among themselves and with customers.

These standards are very far-reaching.

Subject to any exemptions the EBA may grant (based on risk, amount/recurrence of a transaction and the channel), all PSPs will have to apply strong authentication when a customer who wishes to make a payment (the 'payer'):
  • accesses a payment account online;
  • initiates an electronic payment transaction; and/or
  • "carries out any action through a remote channel which may imply a risk of fraud or other abuses".
In the case of an electronic payment transaction that is initiated via the Internet or 'other at-a-distance channel' (a "remote payment transaction"), the authentication must “include elements dynamically linking the transaction to a specific amount and a specific payee”.
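One way the "dynamic linking" wording quoted above could be met, as an added illustration that is not taken from PSD2, the EBA or the original post: the authentication code is an HMAC computed over the amount and payee the payer approved, so a code issued for one transaction does not verify for another. The HMAC-SHA256 construction, the function names and the sample account strings are all assumptions made for the example.

```python
import hashlib
import hmac
from decimal import Decimal


def _field(raw: bytes) -> bytes:
    # Length-prefix every field so that ("12", "3EUR") and ("123", "EUR")
    # can never serialise to the same byte string.
    return len(raw).to_bytes(2, "big") + raw


def canonical_transaction(amount: str, currency: str, payee: str) -> bytes:
    # Normalise before authenticating: "25" and "25.00" are the same amount,
    # and an account identifier may arrive with spaces or in lower case.
    amt = str(Decimal(amount).quantize(Decimal("0.01")))
    acct = payee.replace(" ", "").upper()
    return (_field(amt.encode()) + _field(currency.upper().encode())
            + _field(acct.encode()))


def static_code(key: bytes, challenge: bytes) -> str:
    # Authentication that is NOT linked to the transaction: it proves the
    # payer holds the key, but says nothing about what is being paid.
    return hmac.new(key, _field(challenge), hashlib.sha256).hexdigest()


def linked_code(key: bytes, challenge: bytes,
                amount: str, currency: str, payee: str) -> str:
    # Dynamically linked: the code covers the per-transaction challenge AND
    # the specific amount and payee shown to the payer.
    msg = _field(challenge) + canonical_transaction(amount, currency, payee)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_static(key: bytes, challenge: bytes, code: str) -> bool:
    return hmac.compare_digest(static_code(key, challenge), code)


def verify_linked(key: bytes, challenge: bytes, code: str,
                  amount: str, currency: str, payee: str) -> bool:
    # The PSP recomputes the code from the transaction it is about to
    # execute, not from the one the payer claims to have approved.
    expected = linked_code(key, challenge, amount, currency, payee)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # Constructed sample values; the account strings are placeholders.
    key = bytes(range(32))          # per-customer secret (assumed provisioned)
    challenge = b"constructed-nonce-0001"
    approved = ("25.00", "EUR", "GB00 TEST 0000 0000 0000 01")
    altered = ("2500.00", "EUR", "GB00 TEST 0000 0000 0000 99")

    s_code = static_code(key, challenge)
    l_code = linked_code(key, challenge, *approved)

    return {
        # A static code is accepted whatever transaction it is attached to.
        "static_accepts_any_transaction": verify_static(key, challenge, s_code),
        # The linked code verifies for the approved amount and payee...
        "linked_accepts_approved": verify_linked(key, challenge, l_code, *approved),
        # ...and fails once the amount or payee differs.
        "linked_accepts_altered": verify_linked(key, challenge, l_code, *altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```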

In addition, PSD2 proposes numerous different security requirements for different types of PSP depending on whether they initiate payments, issue a payment instrument or provide account information services. PSPs will also have to have a 'framework' to manage operational risk and provide the regulator with their assessment of the risks and the adequacy of their controls. They must classify “major incidents” and report them to their regulator without undue delay. The regulator must then report the incident to the EBA and the European Central Bank. If the incident affects the financial interests of users, the PSP must also inform them without undue delay, along with possible measures they can take to mitigate the problem.

While we should acknowledge the challenge at the heart of all European law, that an Englishman's red tape is a Frenchman's business manual, everyone should question the wisdom of tying the development of payments security to the speed of European bureaucracy. PSD2 provides that the first draft of the EBA’s technical standards will only be available 12 months after PSD2 is approved, and there is no explicit deadline for the standards to be finalised (although the EBA is consulting on 'guidelines' here). Beyond the initial drafting, the EBA is merely tasked with reviewing and, if appropriate, updating the standards “on a regular basis” - but neither the frequency nor regularity of those reviews is specified. Surely, the EBA's role should be limited to reviewing standards (if any) as the market develops them - hopefully a step ahead of the fraudsters? How many business plans will otherwise stall in anticipation of the EBA's pronouncement and the resulting talkfest?

Conspiracy theorists will be pleased to see restrictions on the extent to which payment account service providers (ASPs) can use the security measures to discriminate against any third party PSP (TPP) who wishes to access their payment accounts. But there do not seem to be any such restrictions on discrimination the other way around. So PSD2 would hard-wire the current (mistaken) assumption that the ASP is 'king' in the context of its customers' day-to-day activities, while the dominant customer relationship increasingly lies elsewhere. Indeed, in the digital world, large TPPs could end up dictating the number and type of ASPs we all use, as well as the payment services those ASPs provide. Perhaps the new Payment Systems Regulator could address this by designating such a powerful TPP as a 'payment system' (which is very loosely defined), but it would be preferable to avoid creating the potential for such power in the first place.

Tuesday, 28 October 2014

FCA #Innovation Hub

The FCA has launched an Innovation Hub as part of its plans to support innovation in financial services.

Innovators can submit a request for support from the Innovation Hub, which the FCA will assess against certain criteria and then decide on the type of support it might be able to offer. The assessment criteria are:
  • whether the innovation is genuine - ground-breaking or significantly different;
  • whether the innovation offers a good prospect of identifiable benefit to consumers (either directly or through greater competition);
  • whether the business has invested appropriate resources in understanding the regulations in relation to its own position;
  • whether the business has a genuine need for support through the Innovation Hub.

In addition, the FCA has published a Feedback Statement, responding to input received as part of Project Innovate.

Monday, 27 October 2014

Of Primordial Soup, New Payment Services And #PSD2

Figuring out the impact of the proposed changes to European payments law (PSD2) is like watching primordial soup, with new types of regulated creature emerging all over the place. Previous posts have considered the impact on loyalty schemes and technical service providers, while this post looks at the new “payment initiation” and “account information” services. The scope of these new services could introduce many new software and service providers to the regulated world, increasing costs as well as potentially limiting competition and innovation.

A “payment initiation service” is one where you can ask the service provider to pay your energy bill, for example, or make batch payments to staff and suppliers, using one or more payment methods provided by other service providers. It is conceivable that an e-commerce checkout feature, for example, might also qualify. Member States must ensure that payers have the right to use a payment initiation service in relation to payment accounts that are accessible online. A payment initiation service provider must not handle the payer’s funds in connection with the provision of the payment initiation service.

An “account information service” is one that allows a single view of all your transactions on one or more payment accounts held at one or more payment providers. Account information service providers will be exempt from certain authorisation, information and contractual requirements, but will be treated as payment institutions - so they will be allowed to passport to other EEA states, for instance.

PSD2 assumes that both these new services will be provided by “third party” payment service providers, i.e. those who do not also offer payment accounts or handle funds themselves. Let's call them “TPPs” for short, as opposed to firms that provide or maintain payment accounts, which is the job of “account servicing payment service providers” or “ASPs”.

TPPs will need to become authorised or registered financial institutions, or become appointed as agents of authorised firms. Those initiating payments will need at least €50,000 of working capital and (along with account information service providers) will have to hold professional indemnity insurance. TPPs will also have to provide information about themselves to customers, as well as have quite a lengthy contract with each of them (unless they are exempt account information service providers). If a payment goes wrong, the TPP who initiated the payment must be prepared to prove that nothing went wrong in its own systems when it sent the payment to the ASP. The TPP will also have to give information about the payment to the intended recipient(s) and meet certain security requirements (see my article for the SCL).

Regardless of the customer benefits, it seems certain that these requirements will add to the cost of providing payment initiation and account information services to consumers and small businesses.

The regulations would also seem likely to limit competition and innovation in the event that firms structure their services to avoid regulatory overhead.

Specifically, it's not clear whether firms wishing to avoid increased costs could qualify for the technical service provider exemption by supplying their services directly to ASPs instead of customers. But even if that were possible, or if ASPs were prepared to appoint TPPs as their agents, it's likely that each ASP would only involve the services of a limited number of TPPs, and would add its own margin to their charges in any event. In other words, the number of potential TPPs and related services could just become a function of the number (and type) of existing ASPs.

So it seems the adverse consequences of regulating these services may well outweigh any benefits.

Wednesday, 22 October 2014

The End Of Third Party Payment Gateways?

Changes are being proposed to European payments law that will affect service providers who send payments data from retailers to financial institutions. This post explains how they may be affected, and what they may be able to do about it.

Most retailers rely on an external service provider to send their payments data to a financial institution for processing. Sometimes the financial institution itself handles the data transfer as part of its acquiring service. But often a third party agrees to do that on the retailer's behalf, particularly for online payments. The financial institutions call such service providers "third party gateways" because the institution typically has no contract with them and it's up to the retailer to ensure the data gets to the financial institution. From a regulatory standpoint, the gateway provider doesn't handle any funds, so they are currently also exempt from payments regulation as 'technical service providers'.

But under proposals for a new Payment Services Directive (PSD2), such service providers will only be exempt if they contract with financial institutions (e.g. merchant acquirers), rather than retailers or other payment service users. That may help the financial institutions control the quality of the data that flows their way, but it also potentially undermines the ability for large retailers to control the processing of their transactions.

In addition, “acquiring of payment transactions” will be regulated where the service provider contracts with the retailer to accept and process payment transactions, and this 'results' in a transfer of funds to the retailer. Not only is this aimed at certain merchant acquirers and bill payment operators who believe they are outside the scope of the current PSD, but it could also catch third party gateways, since it appears that the service provider does not have to be the one actually transferring the funds.

It is also possible that the activities of technical service providers may fall within the scope of other regulated activities, particularly 'payment initiation services', 'account information' services, or perhaps even 'issuing payment instruments' (see my longer article for the SCL).

At any rate, technical service providers may find that it isn't commercially feasible to remain exempt as a result of one or more of these changes. In that case, the options are to either get authorised as an e-money institution or payment institution (or perhaps registered as a small EMI or PI), or operate as an agent of someone else who is.

Whether or not they are exempt, however, anyone providing technical services will need to be familiar with the proposed new security requirements, and the related standards that will eventually be issued by the European Banking Authority (see my longer article for the SCL).

Tuesday, 21 October 2014

A Developer's Guide to Privacy and Fairness?

Over the past few months I've noticed a range of different articles expressing privacy concerns about mobile apps, wearable devices and internet-enabled things, like smart TVs and bathroom scales ("the Internet of Things") on the one hand; and initiatives like 'Midata' to help you create your own 'personal data ecosystem', on the other. But regulation aimed at unfair trading is also relevant in this context, as are the various security requirements being proposed at EU level in relation to payments and 'cybersecurity' more generally. Official guidance in these areas is often broad but not comprehensive, as in the summary of privacy rules given in the context of Midata. It would be great to see a more concerted effort to draw all the guidance together. I have suggested this to the SCL. In the meantime, this overview explains briefly where to find guidance on meeting privacy and fairness requirements when using apps and other devices for consumer marketing purposes.

Note: as a developer, it's worth reading such guidance as if you were a consumer, to understand the regulatory intent. As a consumer it's worth reading guidance aimed at firms, since that gives you a better insight into how things actually work 'behind the scenes'.

The Information Commissioner has plenty of practical guidance on privacy in the context of cookies, mobile applications and data sharing (and other guidance by sector or activity).

The Advertising Codes are important sources of information on how systems are supposed to behave in a marketing context.

PhonepayPlus has issued guidance on the use of premium rate numbers.

The Office of Fair Trading had plenty of guidance on how to comply with consumer protection regulation, which is now hosted by the Competition and Markets Authority, including principles for online and app-based games.

The OFT's guidance on what's appropriate in a consumer credit context, such as debt collection, is now in the FCA's consumer credit rules, and the FCA also recently consulted on updates to its guidance on financial promotions in social media.

Firms seeking FCA authorisation often have to provide a lot of detail on their IT systems and governance in the process. The proposed new EU directive on payment services will broaden the range of regulated services and go into considerable detail on data security. In fact, security standards will be produced by the European Banking Authority, just to add to the confusion.

Knowing where consumers can complain is a guide to other regulators who may be interested in how your application works. There is an overview of UK consumer complaints channels here. There are specific complaints bodies for sectors, such as energy, financial services and telecoms, as well as for activities, like advertising and processing personal data.

However, you should be aware that the Data Protection Act gives businesses separate rights to process your personal data in the following circumstances:
  • for the performance of a contract to which you are a party, or for taking of steps at your request with a view to entering into a contract;
  • for compliance with any legal obligation, other than an obligation imposed by contract;
  • in order to protect your vital interests;
  • either for the exercise of a function conferred on a business by law or for the exercise of any other functions of a public nature exercised in the public interest;
  • for the purposes of legitimate interests pursued by a business or by someone else to whom the data are disclosed, except where that processing is unwarranted by reason of prejudice to your rights and freedoms or legitimate interests.
Public sector bodies also have certain rights to use your data which I haven't covered here. However, it's important to mention the ID Assurance Programme run by the Government Digital Service team, which has issued useful guidance on ID assurance. And the Connected Digital Economy Catapult that builds platforms for SMEs is due to develop a code of practice on consumer protection.

Thursday, 16 October 2014

The Beginning of The End of Consumer "Banking"

Funny to see a story from John Gapper in the FT this morning, saying technology will hurt retail banks but not kill them, only a few pages before First Direct admits it mis-sold complex investment products to consumers. While I agree that innovation doesn't 'kill' anything, and must co-exist with what it is replacing, John seems to have a misplaced faith in retail banks' ability to maintain their direct relationships with consumers. Banks are steadily being relegated to the back-office of retail finance.

John may be right to point out that banks lose money on the limited activity of offering current accounts, and possibly even savings account functionality, so that these are not attractive areas in themselves for technology businesses to enter. But of course you can't view those 'products' in isolation. They are just part of the 'bait and switch' routine that banks operate to persuade people to part with their money so the banks can earn far more from using those funds for their own ends.

To understand what the tech companies are doing, you have to consider how much money the banks make out of the end-to-end activity of robbing investors/depositors of yield while fleecing borrowers with expensive loans - and making everyone pay a lot for slow-cycle payment processing.

It is wrong to say that technology companies are merely playing at the edges of 'banking' by offering payment services and person-to-person loans. This is all part of the strategy for disrupting the 'banking' sleight of hand.

Tech companies know that if they can provide a decent, transparent consumer experience to savers/investors on the one hand, and those who need the funds on the other, then they are in a position to cut the cost of moving money between the two. In fact, the money may not even have to move at all: the important issue is who is entitled to it, and whether it is available.

You don't need a bank to keep the data and transaction records that tell you who owns the funds. It's all just data, as Marc Andreessen is quoted as saying.

And it's far safer to separate the transaction processing and record-keeping function from the cash, which should be held separately from the processor's own funds. That's how e-money institutions, payment institutions, P2P lending and crowd-investment firms are set up... They may rely on segregated commercial bank accounts for holding that cash, but the banks who provide those accounts have no control at all over which consumers own the money in them, or what those consumers choose to do with it amongst themselves.

In the EU, the regulatory support for such new business models began in earnest in 2000, with the advent of the first E-money Directive, and has snowballed with the Payment Services Directive in 2007, a new EMD in 2009 and the proposed revamp of the PSD. There are now hundreds of these payment institutions in the UK alone. And it's no coincidence that the UK has led the way in both creating and regulating P2P lending and crowd-investment platforms.

All of this spells the beginning of the end for consumer 'banking'.

Wednesday, 24 September 2014

Referral Process For UK Small Businesses The Banks Won't Fund

As mentioned briefly before, UK banks have been so hopeless in referring businesses they can't finance to alternative lenders that the government has decided to create a mandatory referral process.

Currently, the largest four banks account for over 80% of UK SMEs’ main banking relationships. Most SMEs only approach their main bank for finance, with around 40% giving up their search if they are unsuccessful.  A proportion of those rejected are viable businesses who simply don't satisfy the risk appetite of the largest banks. The result is that other providers of finance aren't able to help because they are not seeing the need among SMEs, and the SMEs are unaware of the alternatives to their bank.

So the government will use the Small Business, Enterprise and Employment Bill to require the larger UK business lenders to refer any SME whose finance application is rejected (with the SME's consent) to certain designated private sector platforms. Those platforms will then connect willing SMEs with participating alternative providers of finance (ranging from finance companies, to invoice discounting providers to peer-to-peer lending platforms to challenger banks). 

The platforms will need to comply with minimum standards to help ensure that SMEs are in control and properly protected throughout the process. All types of credit products offered by large banks to SMEs will be covered by the referral requirement, although there will be a low threshold below which it would be too costly to refer the funding application. Some businesses may also be excluded for various reasons that would include where the initial funding application was rejected for suspected money laundering. The proposals are also designed to complement and work in conjunction with the government policy to improve access to SME credit data, a process that is happening separately, but in parallel.

In summary, the SME funding referral programme should work as follows:
  • SMEs must consent to be referred, and will have their details anonymised. Alternative lenders will only be able to see key information that would allow them to make an initial assessment of whether an SME may be a potential lending opportunity.
  • If a lender wishes to explore a lending opportunity with a business, it would need to make contact through the platform and request consent to see that business’s contact details and begin a direct dialogue. Where a lender wishes to make a more detailed credit assessment, it will be able to obtain credit data from the business’s main bank via designated Credit Reference Agencies.
  • Platforms will be able to exercise discretion over whether they grant financial and business advisers and other intermediaries access, but the platform must clearly notify SMEs when it is an intermediary that wishes to contact them, and not a lender.
The minimum standards for the referral platforms will be stipulated by the Treasury on advice of the British Business Bank. Standards will include: 
  • data protection – to avoid excessive or misleading approaches or credit checks without consent;
  • fair access to all SME lenders that agree to terms and conditions regarding appropriate treatment of SMEs contacted through the platform; and
  • accountability for alternative lenders who fail to comply with the terms and conditions they sign up to when joining the platform. 
The Treasury will be able to de-designate platforms that fail to adhere to the standards. The FCA will oversee the obligation on banks to share information with platforms, and the platforms’ requirement to give fair access to lenders. Sole traders and micro businesses will be able to complain about platforms to the Financial Ombudsman Service when dealing with designated platforms. 

Further detailed regulation, including the designation criteria that potential platforms must meet, will be set out in secondary legislation following the passage of the Bill.

Tuesday, 23 September 2014

The FCA and Mobile Financial Services

The Financial Conduct Authority is going to great lengths to deepen its understanding of the retail financial services market. Project Innovate is a case in point, as is the recent (interim) report on how consumers use mobile devices. However, both initiatives underscore the need for non-banks to engage with the FCA far more than they have to date, and to provide a lot more information about how, why and when consumers need or want to use financial services.

It's a bit unfortunate that the FCA has used 'mobile banking' to describe consumers' mobile activities in the financial services context. We need to get away from such bank-centric language. After all, the FCA points out that consumers don't just use mobile devices to check the balance of a bank account, a bank statement or access internet banking web pages. There are many mobile services offered by payment institutions and electronic money institutions, not to mention the providers of credit, investment and insurance services. Each type of service provider is bound by different FCA-supervised rules and regulations when dealing with us, so it's also a little ironic that the FCA is concerned that "consumers may be unclear about their rights and obligations when using mobile banking products and services".

But terminology is a red herring. The starting point should be to consider what activities consumers are engaged in when they need to rely on financial services - and whether the required services are sufficiently accessible or useful.

Here the banks' mobile offerings provide a helpful illustration of how financial services can be misaligned with consumer behaviour. The FCA found that consumers are using mobile devices to access major banks' systems far more frequently than the banks estimated they would (50 times more often than visiting a branch and 20 times more often than a web site). This has caused capacity issues and outages in bank IT systems, which the FCA is not happy with. But the FCA doesn't seem to have considered that this over-reliance on mobile channels might also demonstrate how awkward it is for consumers to use bank services through other channels. 

In fact I doubt whether we really need or want to contact our financial service providers' mobile sites at all, other than in an emergency. Nobody, except banks, engages in "banking". We may use a bank's services, but only in the context of a much wider activity, such as buying a house or a birthday present on the way to a party. "Banking" is what banks think consumers are doing, because banks only view the world through the lens of their own products and not consumers' day-to-day activities.

The FCA needs to avoid falling into the same trap. I mean, there are plenty of great examples of seamless online customer experiences out there which the FCA could use as a benchmark.

Indeed, what this report emphasises most is the need for non-banks to engage far more with the FCA, particularly in the context of Project Innovate.

Alas, it may be too late for them to help shape the second Payment Services Directive...

Tuesday, 16 September 2014

Google Switches To Defence In Its War On The Human Race

Nine months after Google's Chairman, Eric Schmidt, used his speech at Davos to declare war on the human race, he and the other  Big Data commanders find themselves very much on the defensive.

"I was surprised it turned this quickly," Mr Schmidt is quoted as saying of the political tide, after his European smarm offensive in June failed to avert calls for Google to be broken up.

The trouble is that Big Data funds itself by selling the opportunity to find humans and present advertising to them. Even the craze in wearable devices is all about geolocating the wearer (and potentially their companion(s)) for advertising purposes. Ideally, you'll buy a watch or pair of glasses that will keep you reading ads and search results while on the move, but a wristband that tells your 'friends' what you're doing and where will do just nicely. Maybe one day you'll even go for the driverless car, so you can watch ads instead of the road.

As I mentioned in January, the advertising revenue that initially helped fund the transition from the analogue/paper world now dwarfs the value we actually get from Big Data and the Web. Mutuality - and humanity - is being sacrificed in the Big Data rush to sell you tat. Oh, and in the quest for The Singularity, when the high priests of SillyCon Valley believe that machines will achieve their own superintelligence and outcompete humans to extinction. Yes, really. 

In the same way that banks have grown from their mutual origins to suit themselves at our expense - keeping most of the 'spread' between savings and loans to suit themselves - Big Data platforms are primarily focused on how to leverage the data you generate ("Your Data") without rewarding you for the privilege.  GCHQ and the NHS are playing pretty much the same game.

But not all digital platforms finance themselves by using Your Data as bait for advertising revenue. Since eBay enabled the first person-to-person retail auction in 1995, that model has spread to create marketplaces in music, travel, communications, payments, donations, loans, investments and personal transport. The marketplace operators thrive by enabling many participants to use their own data to transact directly with each other in return for relatively small fees, leaving the lion's share of each transaction with the parties on either side. 

The marketplace model also reveals that most of our daily transactions could be carried out between our machines. After all, they are much better at crunching all the data than we are. They are in the best position to combine our own transaction data, open public data and commercial product information to recommend the right car, mobile phone tariff or insurance products, without disclosing our identity to every advertiser in the process. And why couldn't they arrange it so you switch to the cheapest phone or energy tariff each day, or switch car insurers depending on time of day or where you're driving?

True, the platforms that enable you to leverage your own data more privately haven't yet attracted investors to the same extent as Big Data. eBay is solidly profitable and doesn't depend on substantial advertising revenues for its existence, yet it has a lower market capitalisation than Facebook or Google. It should come as no surprise to you that Wall Street and the world of high finance attaches a lower value to democratic and sustainable business models that don't suit a short term, institutional view of the world. But the financial news of 2014 must show institutional investors that we humans doubt whether Big Data has our best interests at heart. So the stock market value of marketplace operators may yet exceed that of the Big Data boys.

That's not to say that the whole Big Data movement has been a wasted experiment - it has just strayed from the path of simply digitising our daily experiences to trying to exploit them. Much of their technology could be re-aligned to empower you as an individual user, rather than treat you like a farm animal for the benefit of advertisers. 

Neither should we underestimate the Big Data giants' ability to reinvent themselves for the better. They are well-funded and more responsive to customers than banks and other institutions which have lost their way.

And it would be good to know they're working to sustain the human race, rather than kill it off.

Sunday, 14 September 2014

The Old Fake Collection Letter Scam

I've read with fascination the UK banks' attempts to justify their decades-old fake collection letter scam. The RBS letter is here. The HSBC letter is here. The Santander letter is here and the Barclays letter is here. Lloyds also admitted to using the same trick. Despite the attempted justifications, all the major banks have stopped the practice. But how much will it cost them, and what other scandalous conduct is lurking in their processes?

News of the banks' scam followed uproar over the admission by Wonga that it had used a similar practice four years ago (probably borrowed from the banks). Even the Student Loan Company had been in on the act. Wonga had confessed the issue to the Office of Fair Trading, and agreed to pay customers £50 each in compensation, presumably to avoid problems with its consumer credit licence during the transfer of consumer credit licensing responsibility to the more aggressive Financial Conduct Authority.

Basically, the banks and others played on the idea that debtors are more likely to pay up when a creditor hires someone else to recover their money. The letters from the CEOs of Barclays and Lloyds stated that their debtors tended to ignore chasing letters on bank letterhead (the banks seemed oblivious to the idea that everybody dreads a letter from the bank - especially ISA customers).

Of course, the banks were reluctant to actually pay anyone else to chase their debts. So, instead of hiring independent collections agencies and law firms, the banks simply created their own firms and called them something different to create the appearance that a genuinely independent third party had been asked to chase the debt. Whether they also charged the same recovery fees as independent firms remains the subject of investigation by the FCA.

The major banks also pretended to the authorities that they weren't responsible for collecting their own debts. When the Office of Fair Trading consulted with the industry on new debt collection guidance in 2002, the banks didn't respond under their own brand names, as creditors. The list of respondents in the Annex to the consultation response only included the banks' pet collection agencies and law firms.

But as the OFT's Debt Collection guidance made clear (in section 1.9), it's the creditor who is expected to "abide by the spirit as well as the letter" of the guidance, not just its collections agencies, and ignoring the guidance could affect the creditor's licence to lend in the first place. The guidance goes on to state:
"2.1 It is unfair to communicate, in whatever form, with consumers in an unclear, inaccurate or misleading manner.
2.3 Those contacting debtors must not be deceitful by misrepresenting their authority and/or the correct legal position.
2.5 Putting pressure on debtors or third parties is considered to be oppressive.
2.7 Dealings with debtors are not to be deceitful and/or unfair." 

The OFT's 2003 guidance was updated in 2011 and has since been enshrined in the FCA's new consumer credit rules. Hence, like Wonga, the banks have become increasingly anxious to clean up their act.

The narrow question is whether the banks will need to compensate customers affected and, if so, how much. 

The bigger question is how many more examples of banks' systematic disregard for customers are lurking in their processes?

Thursday, 28 August 2014

Why Bankers Make Poor Managers

If UK banks ran our restaurants, we'd all be spending a lot more time in our smallest rooms.

In the latest example, the Financial Conduct Authority found that only 2 of the 164 RBS and NatWest mortgage sales reviewed actually met the required sales standard. Even the banks’ own tests confirmed the problem that borrowers were at grave risk of being sold the wrong type of mortgage. Yet it took the banks nearly a year to stop fiddling and begin taking proper steps to resolve the issues. Worst of all, this took place in 2011 and 2012 - long after the events of 2008 had alerted everyone to just how poorly these banks were managed generally; and after numerous specific failings had been detected in their retail operations. The same banks had just been fined for failing to screen customers and handle complaints appropriately - and had even failed to enable customers to pay bills or access money.

Of course, RBS and NatWest are not alone, and the banks' problems are not confined to their retail operations. Most of the major banks are embroiled in scandals arising from lack of operational controls of one kind or another.

Over at heavily-embattled HSBC, the Chairman and Chief Executive have been whingeing about the 'cost of compliance', as if it's a dead weight they're forced to bolt-on to the side of their sales process, rather than a set of largely common-sense business rules that should be embedded in their operations. 

They don't seem to realise what a sad indictment it is on the level of management skill in the financial services industry that successive regulators since 1986 have felt obliged to spell-out in minute detail how to operate a financial services business at every level and in every scenario. As a result, no human could possibly lift a printed version of the FCA's 'Handbook'. 

The same charge can be made for failings in longer term strategy. The government had to force the banks to invest in faster payment processing capabilities, for example, and it took an extensive series of court battles before banks were finally shamed into 'voluntarily' reducing overdraft charges. The most recent indictment on the levels of skill, enthusiasm, initiative, vision and energy at the top of the UK's banks is that the government will have to regulate to make them refer rejected business funding applications to alternative lenders.

That's right, UK bank executives aren't even up to negotiating simple lead-referral arrangements.

Which begs the question: what do UK bank executives actually do all day?

Why, they fight regulation, of course, and all the operational rigour it seeks to impose.

Tuesday, 5 August 2014

HSBC Still Doesn't Get It

You would not expect a conglomerate under heavy regulatory fire to use its latest results announcement to campaign against regulation. But that's HSBC for you.

Yesterday, the CEO complained that the group now spends $800m a year on 'compliance and risk programme', an increase of $200m, with more to come next year. In other words, even after years of scandals and massive fines, HSBC remains under-invested in compliance and risk controls.

Even more alarmingly, the Chairman says that such resources would otherwise be spent on customer-facing staff, who he says are becoming too risk-averse. But that's exactly what regulators, customers and taxpayers are afraid of - the biggest banking group in Europe spending an extra $200m a year selling toxic crap without adequate controls over an aggressive salesforce. 

Bizarrely, HSBC's Chairman is also pushing for the ring-fencing of the retail bank to be deferred at the very same time as a major Portuguese bank goes under.

Not a great attitude to regulation from the leadership of a bank that has 3 years to go under the deferred prosecution agreement it signed with US authorities for money laundering and sanction breaches - ending HSBC's involvement in $100bn worth of businesses. That's in addition to claims for market rigging, mis-selling PPI and interest rate swaps, not to mention its starring role in the 'Magic of Madoff'.

I can't imagine that Res Publica's Virtuous Banking report went down terribly well at HSBC HQ.

At any rate, with revenues already down 9% and pre-tax profits down 12%, in the year to June, you can expect a lot more bad news from these bozos. 

Friday, 11 July 2014

Virtual Currencies Get Real

The Establishment has finally woken up to the reality of virtual currencies, but official responses are all over the place. Let's hope the industry can help forge some international consensus on how to proceed towards a supportive mix of proportionate regulation and self-regulation in the months ahead.

So far, UK officials seem to be the most openly supportive of innovation in this space. The Cabinet Office included virtual currencies in an open workshop in October 2013 (video here) and the Revenue issued a statement clarifying their tax treatment earlier this year.

In the meantime, the industry formed its own body in November 2013 - the Digital Asset Transfer Authority - to participate in the policy making process. Over 30 firms worldwide are represented, and many US Federal and State regulators attended the AGM in April 2014.

That wasn't enough for the Canadians, however. In late June they drew a line in the sand with specific regulatory measures aimed at "dealing in virtual currencies" (undefined), including restricting banking services to registered dealers.

Uncertainty as to what is meant by "virtual currencies" and "dealing" may explain why most other authorities have been careful not to rush. For instance, the Financial Action Taskforce (FATF) released a report at the end of June that was designed to “stimulate a discussion” on appropriate definitions and how best to introduce risk-based controls. That seems to be an initiative that it would be worthwhile for the industry to engage with.

Last Friday, however, the EBA steered a strange path between the Canadians and FATF, requesting the EU's national financial regulators to 'discourage' their financial institutions from buying, holding or selling virtual currencies. I've reviewed the shortcomings of that approach in an article for Society for Computers and Law. Let's hope wiser heads prevail - it can't help anyone's cause for the regulated financial sector to completely lose touch with such an important area of innovation.

What the industry makes of all this sudden activity is not yet clear, but I'm sure it's all been much discussed at CoinSummit over the past few days and no doubt we'll hear something from DATA soon. Perhaps from a new Brussels office...

Monday, 7 July 2014

Short Selling Hygiene

Good to see the short sellers doing the regulators' work for them again - not that the authorities like it. 

Last week, Spain's stock market regulator called on the SEC and the FCA to provide information about short seller Gotham City at the same time as its dodgy target, Gowex, was declaring GC's fraud allegations to be "categorically false". But yesterday, Gowex's founder admitted to falsifying accounts for the past four years.

It defies belief that short sellers should be able to find such golden opportunities amongst listed companies. 

Friday, 4 July 2014

Eurocrats Need A Reality Check

The Society for Computers and Law was recently entertained on the topic of trust in Big Data and the Cloud, by Paul Nemitz, European Commission Director of Fundamental Rights and Union Citizenship (in the Directorate-General for Justice). Both immigration and data protection feature among the main responsibilities of his Directorate, so you can imagine Paul is a very busy man right now, and it was very kind of him to take the time to speak.

Right, so that's the polite bit out of the way ;-)

Paul was keen to challenge the Brits in the audience to be more pragmatic in their attitude to the European Union. He believes the UK is among those who engage with the EU irresponsibly on the basis that "everything that comes out of Brussels is shite". Instead, he says British officials, lawyers and academics should be focused pragmatically on how to engage positively to achieve better European policy and regulation.

Of course, it's an old rhetorical trick to characterise your opponent's views as overly simplistic, boorish and stupid. Paul knows that the UK's opposition to red tape is based on more serious and fundamental differences than simply declaring everything from Brussels as 'shite', as discussed below. But as a Commission official, he's not able to enter into debates over the fundamental principles of the EU. It's his job to be a 'Believer' and get on with building the vision. He must take it on faith that the European Union is a single market, rather than a loose collection of disparate nations held together by red tape and political ambition.

It suits some EU member states to accept that same article of faith, but not all, and the people in the streets certainly don't think that way - consumers have been worryingly slow to purchase across borders, for example. And the recent election results revealed that a huge proportion of the electorate remain to be convinced that EU governance is wholly worthwhile. 

In these circumstances, the UK's rather sceptical view of what comes out of Brussels is quite broadly representative, and the attempt to draw a line in the sand over the imposition of a fervent unionist as head of the Commission was completely understandable. It's also pragmatic. If the EUrophiles were humble enough to accept that the single market is still an ambition, they too would realise it's unwise to be seen to force the issue. People have to be brought along on the journey, and maybe the UK is a good indicator of how far they are being left behind.

To back his claim that the UK's attitude is simply boorish, Paul points to a 'typical' lack of empirical evidence for resisting provisions in the General Data Protection Regulation requiring large firms to appoint a data protection officer and to facilitate fee-free 'data subject access requests'. He says these things work well in other EU member states already, and haven't driven anyone out of business. And against the UK's charge that the European Commission is needlessly committed to ever-increasing levels of privacy regulation, Paul points to surveys that show ever-increasing levels of concern amongst EU citizens about commercial and governmental intrusion into their private lives; as well as recent judgments from the European Court of Justice and the US Supreme Court curbing commercial and governmental intrusion into these areas (ironic, given that one of the ECJ's decisions was to declare Europe's own Data Retention Directive invalid).

Again, he's missing a sensible, pragmatic point. What the UK's reaction is telling him is that when huge swathes of the population question the very existence of the EU, it's wiser to stick to the essential foundations and building blocks, rather than snowing people with confetti about day-to-day compliance issues.

However, I'm glad to say that Paul was able to explain how the European Commission is working on some important foundations, such as getting standing for foreigners to take action to protect themselves in the US courts; and preventing indiscriminate mass collection of the personal data of EU citizens by any government or corporation, inside or outside the EU. Those two things are very important to building trust in governments, as well as Big Data, and are the sort of fundamental constitutional changes that citizens would find extremely difficult to achieve solely through the democratic process - though the European Commission has climbed on the bandwagon of public opinion (or Merkel's personal outrage), rather than initiated pressure to achieve these outcomes in its own right.

I also think Paul is right to point out that businesses are wrong in the view that personal data is 'the currency of the future' or 'oil in the wheels of commerce'.  Money is fungible - we view one note as the same as another - and, similarly, oil is just a commodity. So the data related to money and oil are hardly very sensitive and can be dealt with through economic regulation. But people, and the data about them and their personal affairs, come with more fundamental rights that can't simply be dealt with in economic terms. It's important that citizens have a right of action against governments and corporations to protect their interests (though I think the Google Spain decision was wrong).

But Paul overstates the 'synergies' between EU regulation, trust and innovation. He is stretching too far when he says that vigorous regulatory protection is essential to the creation of trust between people and their governments and the corporations they deal with. As evidence for this, he claims that the UK's Financial Conduct Authority is doling out the largest fines in the EU for the abuse of people's personal data, and asserts that this has built trust in the UK financial services market. From there, Paul leaps to the conclusion that similarly vigorous regulatory attention is somehow one of the necessary pre-conditions to the creation of commercial trust generally. He then leaps again to the notion that commercial trust driven by regulation is a pre-condition for innovation because, "There is no trust in start-ups," he says.

This is all nonsense.

Here Paul seems to be looking at the world through the lens of his own area of responsibility rather than from a consumer standpoint. Very few of the FCA's fines have anything to do with abuse of customer data, and its fines are puny compared to US regulators in any event. And in survey after survey, we've also seen that the providers of retail financial services are generally among the least trusted retail organisations in the UK and Europe. Enforcement processes also tend to be slow, resulting in fines for activity that ceased years before, and depriving consumers of the opportunity to cease dealing with firms at the time of wrongdoing. So, relative to consumers' perception of other industries, complex financial regulation and allegedly vigorous enforcement action has been no help at all.

It's also strange for Paul to suggest that "there is no trust in start-ups" without the backing of regulation, given the vast number of start-ups that have achieved mass consumer adoption absent effective regulation - certainly across borders. Unless, of course, Paul still considers Google, Facebook, Twitter etc to be 'start-ups', which would be weird. This ignores the fact that, love 'em or hate 'em, such businesses have been far more responsive to consumer/citizen pressure in changing their terms and policies than the European Commission or national legislators have been in altering their own laws etc. Indeed such businesses have even been relied upon by governments to enforce their consumer agreements to shutdown activities that national governments have been powerless to stop.

Paul's view of start-ups appears to reflect the continental civil law notion that citizens cannot undertake an activity unless the law permits it; while in the common law world 'the law follows commerce' - in the UK and Ireland (and the US, Canada, Australia etc) we can act unless the law prevents it. The havoc that arises from these opposing viewpoints - and the differing approaches to interpreting legislation - cannot be underestimated. In fairness, the UK needlessly creates a rod for its own citizens by 'gold-plating' EU laws (transposing them more or less verbatim). The national version is then interpreted literally. We would be far better off adopting the purposive interpretation of EU laws and implementing them according to their intended effect. This may mean a bit more friction with the Commission on the detail of implementation, but the French don't seem to mind frequent trips to the European Court where the Commission objects, and meanwhile their citizens don't labour under unduly restrictive interpretation of EU laws.

None of this is to say that I disagree with Paul's claim that strong individual rights and regulation to protect them are not inconsistent with making money and healthy innovation. But I reach this conclusion by a different route, starting from the premise that retail goods and services must ultimately solve consumers' problems, rather than be designed to solve suppliers' problems at consumers' expense. Strong individual rights are only one feature of a consumer's legitimate day-to-day requirements, not all of which can be legislated for. Co-regulation, self-regulation and responsible, adaptable terms of service are all part of the mix.

Of course, regulation can be helpful in preserving or boosting trust where it is already present - as can be seen in the development of privacy law amidst the rise of social media services (and in the context of peer-to-peer lending and crowd-investment, for example). But regulation can't create trust from scratch, any more than Parliament can start businesses.

If only the Eurocrats would recognise these realities and limit their attention to areas where government action is essential, I'm sure they would find more favour with pragmatists everywhere.

Thursday, 5 June 2014

Will This Book Stop The Dogmatists Waving Their Fallacies Around?

As one who loathes the use of party-political dogma to muddy the waters of sensible debate, I was delighted to read Tim Worstall's list of the top "20 Economics Fallacies" that political types wave around to justify some of their weirder ideas, and exactly why they're false. Maybe this book will help focus debate on the real issues.

At any rate, with the next general election less than a year away, you'd do well to keep a copy by the armchair to guide you through the evening's political interviews. So long as you can resist the urge to throw it at the screen.
