Two Holy Grails For Cross-border Payments: Access and Interoperability

A new international banking report admits to continuing problems in making payments from one country to another, but points to improvements. The report is based on a detailed analysis of the market, a survey of about 100 service providers and workshops with stakeholders from the supply side and the demand side (end users). Efforts to widen access to online payment accounts and prepare the way for the interoperability of payment systems/networks, closed-loop systems and crypto-currencies would seem the most fertile ground for achieving quicker, cheaper and more transparent cross-border retail payments.

Findings include:

• Cross-border retail payments are generally slower, less transparent and more expensive than payments within the same country. 

• Even large corporate users making high-value and/or frequent payments experience a lack of transparency and uncertainty over settlement timing and exchange rates. 

• Smaller businesses and individuals who typically make smaller, less frequent payments are more concerned about access to services and high costs.

• Users' priorities depend on their particular circumstances and requirements, so choice of different options and features is critical.

• Most users have choice as to who provides their payment services but individuals without access to transaction accounts lack access to many initiatives that have improved convenience and speed for other users. So, progress towards providing universal access to (online) transaction accounts is likely to provide more options to those who currently rely on cash.

• Back-end service providers themselves have problems with messaging, clearing and settlement of cross-border retail payments. There is little choice among back-end clearing and settlement methods, with the only feasible option often being correspondent banking rather than, say, ensuring the linking or interoperability of payment systems/networks, closed-loop systems and peer-to-peer distributed ledger technologies (e.g. crypto-currencies). So, progress towards harmonised messaging standards and simultaneous trading and settlement of different currencies will help solve problems here and could result in quicker, cheaper and more transparent cross-border retail payments. 

Are Retailers Prepared For Financial Regulation From 13 January 2018?

Three years after being announced in the UK and I suspect many retailers are still yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also explains, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

All Hands On Deck: UK Sailing Close To #PSD2 Deadline

The UK government has just announced its final approach to implementing the new Payment Services Directive (PSD2), along with the final version of the Payment Services Regulations 2017 that will apply from 13 January 2018. So firms don't have long to figure out whether they fall within the definitions and, if so, how to apply and comply. 

The FCA is expected to finalise its guidance and application forms by September, and can only begin accepting applications for authorisation/registration from 13 October 2017. That only leaves 3 months for the FCA to authorise/register firms who offer the newly regulated 'account information services' and 'payment initiation services' or who are losing their exemptions, as briefly explained below.

Payment initiation services

What constitutes a PIS is quite complex, but firms who are broadly in that space (including payment gateway providers) are perhaps more aware of the scope of their activities and the challenge ahead - although those relying on an exemption need to check their assumptions.  

Account information services

The new “account information service” basically involves providing information from one or more payment accounts held by the user with one or more other payment service providers. Initially, the list of services the government said might constitute account information services included some services of a much broader nature:

"• price comparison and product identification services;

• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments...

[and] might include accountancy or legal services, for example”.

The government says it has heard the concerns that its interpretation was too broad and overlooked the requirement that a service must be conducted 'by way of business' in its own right, rather than merely as an ancillary part of a wider service. Examples of services that the government says that respondents were concerned about include:

"banks’ corporate functions; price comparison websites; accountants; financial advisors; legal firms; and Credit Reference Agencies (CRAs). Many of these services are currently provided via a contractual relationship between service providers, users, and ASPSPs, often referred to as Third Party Mandates (TPMs)."

The government now confirms, however, that:

"many uses of these mandates are likely to be outside of the scope of the PSDII. Examples could include power of attorney, where the services are unlikely to be undertaken ‘in the course of business’."

In addition, the FCA has already suggested this narrower view, based on the 'business test' in its own consultation on how it proposes to supervise PSD2.

Some narrower exemptions

Commercial agents can no longer act for both payer and payee. 

Firms operating gift card and other loyalty schemes not only face a stricter test of 'limited network', but must also notify the FCA if the total value of transactions executed over the preceding 12 months exceeds the amount of 1 million euros, and the FCA must then decide whether the exemption criteria. There is no allowance for transition if the service does not meet the exemption.

Technology service providers are no longer exempt if they also offer the newly regulated account information services or payment initiation services.   

The Cat Is Out Of The Bag: The EU Bars UK Financial Outsourcing

A key EU financial authority has asked EU regulators to be strict on UK firms seeking to escape the impact of Brexit. The concern is that having lost their EU passporting rights, desperate Brits will try to get authorised in Europe but continue to rely on UK managers and operations. 

"UK-based market participants may seek to relocate entities, activities or functions to the EU27 in order to maintain access to EU financial markets. In this context, these market participants may seek to minimise the transfer of the effective performance of those activities or functions in the EU27, i.e. by relying on the outsourcing or delegation of certain activities or functions to UK-based entities, including affiliates. It is therefore necessary to ensure that the conditions for authorisation as well as for outsourcing and delegation do not generate supervisory arbitrage risks."

ESMA even proposes a Cat o' nine tails set of 9 "principles" to prevent UK firms making the best of Brexit: 

1. No automatic recognition of existing financial firm authorisations;
2. Authorisation processes by the EU27 should be "rigorous and efficient";
3. Regulators must verify the objective reasons for relocation;
4. Regulators should avoid "letterbox" entities in the EU27 - the EU firm must perform substantial activities;
5. Outsourcing and delegation to third countries (like the UK) is only possible under strict conditions;
6. Substantive decision-making must occur in the EU, especially over outsourced activities;
7. There must be sound local governance of EU entities, by resident directors/senior managers;
8. Regulators must have the resources and data to effectively supervise and enforce EU law. 
9. ESMA is watching and will co-ordinate to ensure adequate and consistent supervision. 

Of course, the UK could retaliate with red tape of its own. Brexit is also a challenge for 8,008 EEA firms that hold 23,532 passports (about 3 each) to cover their UK offerings.

What (The Hell) Is A Smart Contract?

Another good meeting of the BitcoinBlockchain Leadership Forum today, with the focus on practical use-cases for distributed ledgers and grasping at the nebulous concept of 'smart contracts' (links are to my own recent posts on these topics). 

In particular, we saw good, productive tension between Bitcoin blockchain purists who are intent on coding pretty much every element of a transaction into the blockchain; and those who see distributed ledgers as (also) playing a more limited role as just one layer or component in a broader array of gadgetry involved in any contractual scenario.

In my view, both approaches are valid but which 'wins' will depend on the use-case. And the development of the Internet demonstrates the technology will be used in ways no one intended anyway.

So, for my money, the definition of a 'smart contract' needs to be very broad, and I've suggested:

"an agreement performed via any number of applications, devices, networks and messages, which may involve entries in a distributed ledger."

This definition flows partly from a great discussion I had with Alex Amsel of Bitshake recently. I made the point that distributed ledgers seem most useful where a specific item is somehow dealt with or used very frequently and by many people or entities. Alex added a third condition: the participants are running different proprietary software, operating systems and/or devices - in other words they have an expensive interoperability challenge.

So a 'smart contract' might just be written in Word format, or html, and not embedded in a distributed ledger at all. But the subject matter of the contract - the rights to play a song, or rent a shipping container or space on a truck - might be 'hashed' into the ledger, and users' machines could interact using that hash, triggering instructions to pay the contractual amount to a certain account. Multi-factor authentication as one step in the contractual process (e.g. identify checks for anti-money laundering) is another example.

At the forum, there was mention of locating, booking and paying for a car space as another example. This was dismissed by lots of people who said you can already do this without a distributed ledger - the parking space is already entered in the systems of the council's chosen payment service provider. But that means I need to know which municipality I'm in to find the right payment app, download it and register a payment method before paying (I changed cars recently, so I have to re-do all that). And that inaccessibility is partly a function of having to cover the cost of expensive proprietary systems. But if parking spaces were 'hashed' in an openly accessible public ledger, couldn't our smartphones find and pay for them using that code and our own chosen payment method?

Anyhow, the point is not that we necessarily need distributed ledgers to pay for parking or any other specific use-case, but that once people begin using distributed ledgers more widely, tons of other apparently trivial uses become feasible and worthwhile. Conversely, a comparatively trivial but widely shared use-case might unleash more widespread adoption, as happened with text messaging (I'm not suggesting that parking will do it, by the way).

Of course, Bitcoin users will be screaming at their screens by now, if they've got this far. They'll be shouting that Bitcoin has already unleashed distributed ledgers. 

They're probably right.

Who Is Late In Paying Our #SMEs £41bn?!

In an attempt to eradicate late payments to small businesses of approximately £41bn, the government has proposed that, from April 2016, large listed companies will have to report twice-yearly on: 

• their standard payment terms;
• average time taken to pay; 
• the proportion of invoices paid within 30 days, 31-60 days and beyond agreed terms; 
• amount of late payment interest owed/paid; 
• incentives charged to join/remain on preferred supplier lists; 
• dispute resolution processes; 
• the availability of e-invoicing, supply chain finance and preferred supplier lists; and 
• membership of a Payment Code.

A copy of the simple but effective sample report is attached to the government's announcement.

Not only should this data result in the naming and shaming of late payers, but it should also further define and foster growth in the market for discounting these invoices, to help fund the growth of the affected SMEs.

Do The EBA Security Guidelines Ensure Card Scheme Control Over Retail Transactions?

The European Banking Authority recently issued payment security guidelines, as part of its security remit under PSD2. The guidelines take effect in August 2015 and will  require subtantial work on the part of payment service providers and merchants. They will be followed by 'stronger’ guidelines under PSD2 that will take effect in 2017/18. As anticipated, the guidelines could well present a significant obstacle to the evolution of payments services and competition from new entrants. At the same time, even if they reflect best practice today, the guidelines do not really overcome inherently unsecure features of legacy payment methods - like cards.

To be fair, the authorities have a difficult balancing act here. They have a responsibility for ensuring that PSPs implement appropriate security measures - and should at least point to best practice in the area - yet the authorities cannot afford to be so prescriptive as to delay implementation of those measures and/or prevent PSPs keeping pace with wider technological developments, the development of new payment services and the efforts of hackers. Unfortunately, the EBA appears to have struck a balance in favour of banks and card schemes, rather consumers, merchants and alternative payment service providers, as discussed below.

The guidelines cite card fraud as the main driver of this initiative, rather than fraud in relation to other types of payment service that do not involve card payments. Yet payment cards and the related IT systems have not really evolved fundamentally since they were introduced in the 1960s, which means that 'legacy' systems are effectively dictating the approach to payment security. True, there are many payment methods that are exempt from the guidelines. But the prevalence of card payments means that PSPs and merchants are being forced to divert resources to shoring up security on that front, rather than investing in more advanced payment methods.

At the heart of the guidelines is the concept of 'strong customer authentication', which is quite prescriptively defined. Yet this form of authentication would seem likely to evolve, and it is conceivable that customer authentication in the payment step of a transaction process might not remain relevant over time, particularly where the payment is being made in the course of a wider customer activity within a secure environment.

Many of the guidelines also go beyond the realms of payment security. While these may reflect obligations under other regulations, such as Money Laundering Regulations, Payment Services Regulations and the Data Protection Act, they are quite prescriptive and therefore will require additional legal and compliance time to review, implement and monitor changes to those other compliance procedures, as well as extra IT and operational resources.

The need for "customer education and awareness programmes" are also likely to require the involvement of marketing teams and their support staff. The concern here must be that customers who deal with multiple PSPs (as competition authorities should hope!) will begin to ignore the educational materials as just so much clutter or junk mail. The adverse customer experience may also drive consumers to prefer less secure payment options (e.g. cash).

Requirements for merchant co-operation, through enforcement of their contracts with PSPs, are also very concerning. For example, PSPs are asked to require merchants to "clearly separate payment-related processes from the online shop" and to enable customers to sign a dedicated payment contract with the PSP rather than having those terms included in a wider service contract. Yet merchants are not directly bound by Payment Services Regulations (except in very limited respects), so the EBA is arguably exceeding its authority in requiring merchant compliance with broader security requirements. In addition, we have already seen significant data security costs imposed by card schemes on merchants who must comply with the PCIDSS requirements. These resulted in most merchants choosing not to hold payments data at all. Indeed, many chose to deal through payment aggregators who accept and process payments on their behalf. However, PSD2 will require technology service providers to contract directly with PSPs under PSD2, rather than merchants if they wish to remain exempt from regulation, which must be likely to reduce the number of independent service providers. Such requirements seem to be aimed at large retailers and e-commerce marketplace operators who may otherwise legitimately offer a seamless consumer experience under current regulations. So it may be that the EBA guidelines will help drive control of e-commerce transactions to financial institutions – particularly banks and card schemes - rather than opening up competition for transaction processing from large merchants and others who have developed competing payment functionality.

As a result, the EBA's security guidelines deserve careful consideration by the competition authorities.

Officials Alarmed By PSD2 And Barriers To Innovation In Payments

In a joint study, Ofcom and the UK's new Payment Systems Regulator have explored the reasons for limited innovation in the UK payment services market, sounding the alarm over the potential impact of PSD2. But the study does not thoroughly explore the most recent proposals, which would make the situation worse than officials seem to appreciate.

The study confirms that most of the innovation is facing retail customers and relies on the existing payments infrastructure.

Various factors act as a barrier to the scale and pace of innovation seen in other technology sectors. There is a low tolerance for system failures, naturally, but the resulting high security and resilience requirements make systems more rigid and less open to the usual market forces of present in other IT sectors. New entrants also find it hard to break through the network effects that support existing payment methods (e.g. cards). Investment is further constrained by significant uncertainty around regulation and technological standards. Finally, the interests of consumers, merchants, telcos and financial institutions are not aligned in the types of services being offered - in essence we're seeing an attempted 'land grab' by competing institutions at customers' expense.

It is critical that the European Council considers this report as it finalises the proposals for PSD2, which would make this situation worse. Equally, however, it is a pity that this study was not able to more thoroughly explore the potential impact of those proposals.

Let's hope for some more joined up thinking in the weeks to come!

The End Of Merchant-hosted Checkouts?

Source: LoudMouth Media

You may have noticed that I'm madly trying to keep up with the blast of confetti from Brussels known as "PSD2". It's very fortunate that the SCL's editor is blessed with a good sense of humour, not to mention the readership. In advance of my latest update, here's a warning of a fairly brutal provision for e-commerce merchants in the latest version of PSD2.

Not satisfied with forcing 'gateway' service providers to supply their services directly to regulated institutions rather than merchants, if they wish to remain exempt, it seems the EU Council also considers that e-commerce checkout pages on merchant sites are "payment instruments" in their own right (not just the payment methods displayed on them).

A new information requirement seems to mean that where customers are shown a range of different card-scheme brands as payment options prior to checkout (itself referred to as “the issuance of a payment instrument”), they should be informed that they have the right to select a particular brand and to change their selection at point of sale.

On the surface, this requirement adds nothing. It's how checkout processes already work. If you want to pay by card, you click on the card scheme logos, and up comes a page that asks you to enter a card number from any of the brands displayed. But describing a checkout process as a “payment instrument” (rather than merely the payment methods available on it), suggests that the entity which serves up the web page that enables checkout is itself the issuer of a payment instrument and should be authorised accordingly.

It's likely that many e-commerce merchants will host their own checkout page or process, and the transaction only moves to the acquirer’s servers either once the customer has selected which type of payment instrument she wishes to use, or (if the merchant is PCI compliant) once the transaction is captured and sent to the acquirer.

So this provision would actually require such a merchant to either cease hosting any aspect of the checkout process or become authorised as a payment instrument issuer (or the agent of an authorised firm). It also raises the question whether such a merchant is also 'initiating payment transactions', with the same consequences.

This is revolutionary stuff. If passed in this form, PSD2 could drive the need for significant website re-development work. Of course, it could also mean good business for e-commerce marketplaces, or regulatory specialists who help firms apply for authorisation (pick me!). But it's really just overkill.

In their quest for 'the highest standards of consumer protection', the European authorities seem oblivious to the adverse impact on competition and innovation in the payments sector that will come from delivering control over key aspects of e-commerce infrastructure to the comparatively few firms who will bother becoming authorised. Ironically, it was this sort of concentration that drove the need for the current PSD - to open up the banking/card scheme monopoly. Perhaps the banks and their schemes are winning the battle to retain their dominance after all...

The Cost Of Leaving Payment Security To The Beurocrats: #PSD2

The more I study the latest proposal for a new Payment Services Directive (PSD2), the more I'm concerned that it will reduce innovation and competition. Not only does it hand control of wider transaction technology to regulated payment service providers (PSPs), but security standards will also be centrally controlled by the European Banking Authority, as explained below. It seems the authorities are busy creating a new version of the banking monopoly that the PSD was designed to break down. But maybe the idea is to create work for the new Payment Systems Regulator...

Putting aside the ability for PSPs to control the wider transaction infrastructure, PSD2 empowers the EBA to set technical standards governing 'strong customer authentication', as well as how PSPs communicate among themselves and with customers.

These standards are very far-reaching.

Subject to any exemptions the EBA may grant (based on risk, amount/recurrence of a transaction and the channel), all PSPs will have to apply strong authentication when a customer who wishes to make a payment (the 'payer'):

• accesses a payment account online;
• initiates an electronic payment transaction; and/or
• "carries out any action through a remote channel which may imply a risk of fraud or other abuses".

In the case of an electronic payment transaction that is initiated via the Internet or 'other at-a-distance channel' (a "remote payment transaction"), the authentication must “include elements dynamically linking the transaction to a specific amount and a specific payee”).

In addition, PSD2 proposes numerous different security requirements for different types of PSP depending on whether they initiate payments, issue a payment instrument or provide account information services. PSPs will also have a 'framework' to manage operational risk and provide the regulator with their assessment of the risks and the adequacy of their controls. They must classify “major incidents” and report them to their regulator without undue delay. The regulator must then report the incident to the EBA and the European Central Bank. If the incident affects the financial interests of users, the PSP must also inform them without undue delay, along with possible measures they can take to mitigate the problem.

While we should acknowledge the challenge at the heart of all European law, that an Englishman's red tape is a Frenchman's business manual, everyone should question the wisdom of tying the development of payments security to the speed of European bureaucracy. PSD2 provides that the first draft of the EBA’s technical standards will only be available 12 months after PSD2 is approved, and there is no explicit deadline for the standards to be finalised (although the EBA is consulting on 'guidelines' here). Beyond the initial drafting, the EBA is merely tasked with reviewing and, if appropriate, updating the standards “on a regular basis” - but neither the frequency nor regularity of those reviews is specified. Surely, the EBA's role should be limited to reviewing standards (if any) as the market develops them - hopefully a step ahead of the fraudsters? How many business plans will otherwise stall in anticipation of the EBA's pronouncement and the resulting talkfest?

Conspiracy theorists will be pleased to see restrictions on the extent to which payment account service provider (ASPs) can use the security measures to discriminate against any third party PSP (TPP) who wishes to access their payment accounts. But there do not seem to be any such restrictions on discrimination the other way around. So PSD2 would hard-wire the current (mistaken) assumption that the ASP is 'king' in the context of its customers' day-to-day activities, while the dominant customer relationship increasingly lies elsewhere. Indeed, in the digital world, large TPPs could end up dictating the number and type of ASPs we all use, as well as the payment services those ASPs provide. Perhaps the new Payment Systems Regulator could address this by designating such a powerful TPP as a 'payment system' (which is very loosely defined), but it would be preferable to avoid creating the potential for such power in the first place.

Of Primordial Soup, New Payment Services And #PSD2

Source: Shirtigo

Figuring out the impact of the proposed changes to European payments law (PSD2), is like watching primordial soup, with new types of regulated creature emerging all over the place. Previous posts have considered the impact on loyalty schemes and technical service providers, while this post looks at the new “payment initiation” and “account information” services. The scope of these new services could introduce many new software and service providers to the regulated world, increasing costs as well as potentially limiting competition and innovation.

A “payment initiation service” is one where you can ask the service provider to pay your energy bill, for example, or make batch payments to staff and suppliers, using one or more payment methods provided by other service providers. It is conceivable that an e-commerce checkout feature, for example, might also qualify. Member States must ensure that payers have the right to use a payment initiation service in relation to payment accounts that are accessible online. A payment initiation service provider must not handle the payer’s funds in connection with the provision of the payment initiation service.

An “account information service” is one that allows a single view of all your transactions on one or more payment accounts held at one or more payment providers. Account information service providers will be exempt from certain authorisation, information and contractual requirements, but will be treated as payment institutions - so they will be allowed to passport to other EEA states, for instance.

PSD2 assumes that both these new services will provided by “third party” payment service providers, i.e. those who do not also offer payment accounts or handle funds themselves. Let's call them “TPPs” for short, as opposed to firms that provide or maintain payment accounts, which is the job of “account servicing payment service providers” or “ASPs”.

TPPs will need to become authorised or registered financial institutions, or become appointed as agents of authorised firms. Those initiating payments will need at least €50,000 of working capital and (along with account information service providers) will have to hold professional indemnity insurance. TPPs will also have to provide information about themselves to customers, as well as have quite a lengthy contract with each of them (unless they are exempt account information service providers). If a payment goes wrong, the TPP who initiated the payment must be prepared to prove that nothing went wrong in its own systems when it sent the payment to the ASP. The TPP will also have to give information about the payment to the intended recipient(s) and meet certain security requirements (see my article for the SCL).

Regardless of the customer benefits, it seems certain that these requirements will add to the cost of providing payment initiation and account information services to consumers and small businesses.

The regulations would also seem likely to limit competition and innovation in the event that firms structure their services to avoid regulatory overhead.

Specifically, it's not clear whether firms wishing to avoid increased costs could qualify for the technical service provider exemption by supplying their services directly to ASPs instead of customers. But even if that were possible, or if ASPs were prepared to appoint TPPs as their agents, it's likely that each ASP would only involve the services of a limited number of TPPs, and would add its own margin to their charges in any event. In other words, the number of potential TPPs and related services could just become a function of the number (and type) of existing ASPs.

So it seems the adverse consequences of regulating these services may well outweigh any benefits.

The End Of Third Party Payment Gateways?

Source: paymentsgateway.com.au

Changes are being proposed to European payments law that will affect service providers who send payments data from retailers to financial institutions. This post explains how they may be affected, and what they may be able to do about it.

Most retailers rely on an external service provider to send their payments data to a financial institution for processing. Sometimes the financial institution itself handles the data transfer as part of its acquiring service. But often a third party agrees to do that on the retailer's behalf, particularly for online payments. The financial institutions call such service providers "third party gateways" because the institution typically has no contract with them and it's up to the retailer to ensure the data gets to the financial institution. From a regulatory standpoint, the gateway provider doesn't handle any funds, so they are currently also exempt from payments regulation as 'technical service providers'.

But under proposals for a new Payment Services Directive (PSD2), such service providers will only be exempt if they contract with financial institutions (e.g. merchant acquirers), rather than retailers or other payment service users. That may help the financial institutions control the quality of the data that flows their way, but it also potentially undermines the ability for large retailers to control the processing of their transactions.

In addition, “acquiring of payment transactions” will be regulated where the service provider contracts with the retailer to accept and process payment transactions, and this 'results' in a transfer of funds to the retailer. Not only is this aimed at certain merchant acquirers and bill payment operators who believe they are outside the scope of the current PSD, but it could also catch third party gateways, since it appears that the service provider does not have to be the one actually transferring the funds.

It is also possible that the activities of technical service providers may fall within the scope of other regulated activities, particularly 'payment initiation services', 'account information' services, or perhaps even 'issuing payment instruments' (see my longer article for the SCL).

At any rate, technical service providers may find that it isn't commercially feasible to remain exempt as a result of one or more of these changes. In that case, the options are to either get authorised as an e-money institution or payment institution (or perhaps a registered as a small EMI or PI), or operate as an agent of someone who else or is.

Whether or not they are exempt, however, anyone providing technical services will need to be familiar with the proposed new security requirements, and the related standards that will eventually be issued by the European Banking Authority (see my longer article for the SCL).

Virtual Currencies Get Real

The Establishment has finally woken up to the reality of virtual currencies, but official responses are all over the place. Let's hope the industry can help forge some international consensus on how to proceed towards a supportive mix of proportionate regulation and self-regulation in the months ahead.

So far, UK officials seem to be the most openly supportive of innovation in this space. The Cabinet Office included virtual currencies in an open workshop in October 2013 (video here) and the Revenue issued a statement clarifying their tax treatment earlier this year.

In the meantime, the industry formed its own body in November 2013 - the Digital Asset Transfer Authority - to participate in the policy making process. Over 30 firms worldwide are represented, and many US Federal and State regulators attened the AGM in April 2014.

That wasn't enough for the Canadians, however. In late June they drew a line in the sand with specific regulatory measures aimed at "dealing in virtual currencies" (undefined), including restricting banking services to registered dealers.

Uncertainty as to what is meant by "virtual currencies" and "dealing" may explain why most other authorities have been careful not to rush. For instance, the Financial Action Taskforce (FATF) released a report at the end of June that was designed to “stimulate a discussion” on appropriate definitions and how best to introduce risk-based controls. That seems to be an initiative that it would be worthwhile for the industry to engage with.

Last Friday, however, the EBA steered a strange path between the Canadians and FATF, requesting the EU's national financial regulators to 'discourage' their financial institutions from buying, holding or selling virtual currencies.  I've reviewed the shortcomings of that approach in an article for Society for Computers and Law. Let's hope wiser heads prevail - it can't be help anyone's cause for the regulated financial sector to completely lose touch with such an important area of innovation.

What the industry makes of all this sudden activity is not yet clear, but I'm sure it's all been much discussed at CoinSummit over the past few days and no doubt we'll hear something from DATA soon. Perhaps from a new Brussels office...

Unload The "Digital Wallet" Before Someone Gets Hurt

And that's not all...

The term "e-wallet" or "digital wallet" has always caused a physical reaction. But what started as a small twitch over my left eye in November 1999 now involves diving under a table. The term has become so loaded with giant concepts like 'identity', 'privacy', 'authentication', 'security', 'payment' and 'funds' that it's simply too dangerous to wave around in meetings.

We need to focus on more of the detail if business presentations are to have any meaning and projects are to deliver anything.

The term 'digital wallet' is impossible to define, anyway. The Oxford English Dictionary has no home for it, and it's wise to ignore suppliers' self-serving, product-specific definitions. Th'internet merely yields a confusing mish-mash: [my emphasis] "a system that securely stores users' payment information and passwords..." (investopedia) and "encryption software that works like a physical wallet during electronic commerce transactions." (webopedia). Unhelpfully, the Free dictionary explains "the wallet data may reside in the user's machine or on the servers of the wallet service. When stored in the client machine, the wallet may use a digital certificate that identifies the authorized card holder." 

Such definitions are confusing because they keep jumping the rails from party to party, feature to feature and function to function, each of which has different implications for transaction flows, data flows and funds flows (to the extent payment is even involved). 

Perhaps the only consistent aspect in the use of the term 'digital wallet' is the sense that it refers to a specific individual, or at least it should be capable of doing so. Otherwise, the term means so many different things that it's useless. FinVentures defined it to mean, "A consumer owned and controlled account that can store any electronic form of what is normally held in a physical wallet, including: payment, ID, coupons, loyalty, access cards, business cards, receipts, keys, passwords, shopping lists, …etc." Indeed, a 'digital wallet' could be a feature within an application or service, or an entire application or service, a database, a set of permissions and so on. It could reside on virtually any digital device, including a smart card or just a microchip. It could enable a specific person to initiate or conclude any kind of transaction, or merely be used in the course of intiating or concluding such a transaction.

So when you next hear the term 'digital wallet', seek cover behind a large, heavy object and try to defuse the situation by asking: 

• which parties are involved;

• which party is agreeing to do what, how do they agree, what actions are taken as a result and by whom;

• where the related data is stored and where it flows; and

• where any related funds are and where they flow.

It could save a lot of time and money.

Image from Tenets in DM.

Utility Accounts In Credit

This is an age old complaint, but worth repeating in these troubled times.

My gas and electricity supplier does not allow payment of its bills by variable direct debit, like the telecoms providers do. Instead, it insists on a direct debit of the same amount throughout the year, regardless of my creditworthiness. In this way, the supplier ensures that it builds up a nice credit ahead of the main winter bills in October, January and April. In my case, that's a credit of over £500 in June, and over £1,000 by the end of August. 

That credit arrangement has nothing to do with supplying energy to me directly, because it hasn't supplied me with the energy yet - hence my 'account' is in credit. In fact, if I was paying by credit card or debit card, they wouldn't be able to charge me because they haven't yet performed the service. But they would sure find a way to recoup the 'lost' value of the credit arrangement in the prices they charged me for paying as the energy is used.

Meanwhile, the need to provide 0% up-front finance for energy companies operates as a steady drag on consumers' cashflow - particularly for those in the 'squeezed middle', who can afford the bills when they come around, but need to minimise interest on credit cards etc in the meantime.

So why should the supplier be allowed to build up so much credit? 

Why can't they be obliged to use variable direct debits, except perhaps where missed payments have occurred?

And if it is allowed to build up credit, why shouldn't the supplier be obliged to segregate the funds it is holding against my future bills from its own money, and account to me for interest received? 

Of course, the same can be said for the funds taken on direct debit by the TV licensing authority.

The government needs to start thinking like a citizen rather than a supplier.

The Politics of Cash

Over on Tomorrow's Transactions, Dave Birch quite rightly questions the assertion in the NY Times that cash is somehow important to "protect our civil liberties by preserving some untraceable payment method." Few people are obsessed with anonymity. But at the same time Dave applauds the notion that "Cash-based economies harm the poor by heightening the risks they face when carrying money and fueling government corruption and inefficiency."

I should declare at the outset that I'm a great fan of electronic money and online financial services, and I advise various clients in the payments and online peer-to-peer finance space.  But I also believe that innovation doesn't 'kill' anything - the new must coexist with the old. Calling for the abolition of old services brings the laggards out in force, sometimes to comic effect. That's one reason you won't hear me calling for the end of fractional reserve banking.

But the 'death of cash' is not a question of civil liberties or somehow liberating the poor from a cash economy. Many people - the so-called 'unbanked' in particular - still see cash as the best mechanism for maintaining control over their finances. What some people see as higher prices for not paying online or by direct debit etc, others see as a wise investment in a payment method that prevents them spending money they don't have.

 

Research commissioned by the Financial Inclusion Taskforce found that the 3 million British adults without a bank account (the 'unbanked') do not consider themselves as disadvantaged by not having bank accounts, cheque books and debit cards. They do not see much use in an ATM, cheque book, credit card or debit card because they don't tell you your balance until it's too late. A text message confirming a payment you just made is laughable.

And if you don't find your bank or its services trustworthy or useful in the first place, why would you give them all your personal details so they can text your bank balance to your phone?

Most importantly, the same research found that most of the so-called 'unbanked' are actually in control of their finances. They put cash in specific jars to cover certain expenses. They can readily see at any time how much is in the jar, so they 'always know where they are' in setting money aside for energy bills and so on. 

I agree that loan sharks and others may prey on this form of financial control. But it's not as if access to a bank branch, internet banking or direct debit has saved the rest of us from financial charlatans or the erosion of civil liberties...

Long live cash, I say.

Gasp! UK Bank Enables Mobile Money Transfers!

The comments under the Guardian's piece on Barclay's mobile money transfer app tell you everything you need to know about the pace of innovation amongst UK retail banks ;-)

Image from JISC infoNET.

How We All Pay For Card Payments

Few people are aware that when you pay using a credit or debit card, your 'issuing' bank charges the retailer's 'acquiring' bank an "interchange fee". The rate is either agreed directly between the banks, or is imposed via a card scheme, like Visa or MasterCard. Nobody outside the banks and card schemes really sees this fee. The retailer receives your money for the purchase price, less a service charge. A little bit of that service charge is kept by the retailer's bank as a payment processing fee, but most is kept by your bank as its interchange fee.

Like any other retail overhead, these charges need to be accounted for in retail pricing. So, even if you aren't paying by card, interchange fees are a significant drag on your personal economy. The European Retail Round Table, a network of large retailers, has found that "the average European household pays €139 per year on interchange fees". And, according to the European Commission, "in the EU, over 23 billion payments, exceeding a value of €1350 billion, are made every year with payment cards." In other words, retailers have no real choice but to accept payments by card.

But who benefits? The ERRT cites a 2006 report found that only 13% of the fees go toward your bank's processing cost, while 44% of interchange fees pay for cards reward programmes - which of course only benefit cardholders. That leaves a healthy profit for issuing banks. In their defence, Visa and MasterCard claim that interchange fees are essential to investment in systems, marketing and anti-fraud efforts. Which is what banks must do themselves, anyway, to meet their own anti-money laundering and prudential requirements. The schemes also suggest that interchange fees may be cost-neutral to retailers if savings on the acceptance of cash and reduced check-out times for card payments are factored in (which has not been accepted in Europe).

Looking at the situation from the consumers' standpoint, non-cardholders get no benefit from card loyalty schemes at all. And even cardholders themselves might prefer the equivalent of interchange fees being spent in ways that directly improve their retail experience.

The card schemes argue that because retailers say they have no choice but to pass on interchange costs to consumers, the measure of whether interchange fees are really too high is whether retailers would actually lower their prices - and they would not. That doesn't hold water. Firstly, all of a retailer's costs are ultimately accounted for in its prices. So it would be wrong of retailers to say that all consumers are not paying for interchange, unless the retailers specifically imposed a specific interchange-related fee only on those paying by card. Secondly, as I commented earlier on Digital Money, the card schemes' assertion rests on the assumption that the only way retailers should reasonably differentiate themselves from each other is in terms of price. So the card schemes would have it that every time a retailer cuts any of type of cost, including interchange fees, the retailer should take the ultimately suicidal step of always reducing prices to the consumer, rather than, say, investing in increased selection, improved customer experience or expansion to achieve economies of scale. That's an unrealistic position in itself, let alone one that would support the assertion that if retailers do not cut prices to consumers on the back of lower interchange fees, they are somehow behaving just as anti-competitively as the card schemes are alleged to be in imposing them. The retail markets are distinct from the market for payment services. Lack of competition in retail markets can be - and is frequently - addressed on its own merits and action taken accordingly.

So it's no surprise that competition regulators have given a lot attention to how interchange fees are set and imposed. The Reserve Bank of Australia has perhaps been the most progressive. It was the first to impose a standard rate for interchange fees in July 2003 and has maintained downward pressure ever since. In December 2007, the European Commission ruled as anti-competitive interchange fees on cross-border MasterCard and Maestro branded debit and consumer credit cards. The EC later accepted certain undertakings to settle proceedings for alleged breach of the ruling. European Commission action in relation to Visa Europe's interchange fees has culminated in a reduction of debit interchange fees. But importantly that decision "does not cover MIFs for consumer credit and deferred debit card transactions which the Commission will continue to investigate. The proposed commitments are also without prejudice to the right of the Commission to initiate or maintain proceedings against Visa Europe's network rules such as the "Honour All Cards Rule", the rules on cross-border acquiring, MIFs for commercial card transactions, and Inter-Regional MIFs."

The battle is also raging in the US, where three bills were put before Congress in 2009 to regulate interchange fees. The Federal Reserve is consulting on proposals to limit debit card fees from July 2011 "one that would base fees on each issuer’s costs, and one that would set a cap of 12 cents per transaction", as explained here by Jean Chatsky, and discussed on Digital Money. Potential implications for bank stocks are discussed here.

Ultimately, however, the outcome of all this depends on which payment services best facilitate the end-to-end activity in which a payment is being made. The winners will not be those who insist on viewing consumers' activities through the lens of their own payment product.


Image from GAO report on interchange.

Pay As You Go Financial Services

Thanks to Dave Birch, of Consult Hyperion, for the link to this fascinating paper by Ignacio Mas and Dan Ratcliffe on the success of M-PESA, the African payments system whose mission is to lower the cost of access to financial services. There are great insights for serving both the 'unbanked' as well as bank and other financial service customers. And given how grumpy we tend to be with our banks, it's revealing that the UK’s Department for International Development was instrumental in funding M-PESA's initial development by Vodafone and others.

As previous research for the UK's Financial Inclusion Taskforce (archived here) demonstrated, the challenge of financial inclusion is not how to draw low income earners into the existing banking system, but how to make financial services more useful, convenient, cost effective and faster. And that seems best encapsulated in 'pay as you go' models, since you 'know where you are' in terms of cost and usage/availability which is in itself convenient. M-PESA makes an interesting case study because virtually all M-PESA's 9 million pay as you go users rate the service better than the alternatives on these factors. And that's not only the view of low income earners. The Mas & Ratcliffe report says M-PESA users are more likely to have a bank account than non-users, as well as being wealthier, more literate, and better educated.

Here are some more stats from the report, as at January 2010:

• "16,900 retail stores at which M-PESA users can cash-in and cash-out, of which nearly half are located outside urban centers.
• US $320 million per month in person-to-person (P2P) transfers.
• still under two P2P transactions per month.
• US $650 million per month in cash deposits and withdrawal transactions at M-PESA stores.
• The average transaction size is around US $33, but Vodafone has stated that half the transactions are for a value of less than US $10.
• US $7 million in monthly revenue (based on the six months to September 2009).
• 27 companies use M-PESA for bulk distribution of payments. Safaricom itself used it to distribute dividends on Safaricom stock to 180,000 individual shareholders who opted to receive their dividends into their M-PESA accounts.
• Since March 2009, there are 75 companies using M-PESA to collect bill payments from their customers. About 20% of the electric utility's one million customers pay through M-PESA.
• two banks are using M-PESA as a mechanism for customers to either repay loans or withdraw funds from their banks accounts."

While M-PESA has been marketed very well, the report suggests the real key to its rapid, widespread adoption and frequent use is the decision to launch with a low cost mobile payment infrastructure, rather than a savings or credit product. This allowed the business to follow the usage-based pre-paid mobile airtime model, so that each transaction was profitable from day one, and no potential customer or transaction size was excluded as 'unprofitable'. It's free to register, pay money in, and there's no minimum balance. Now that so many people are on the system generating income, it's easier and more cost effective to respond to their demand for other suitable financial services and functionality.

Banks, on the other hand, "tend to distinguish between profitable and unprofitable customers based on the likely size of their account balances and their ability to absorb credit." I'd suggest that not only does this mean banks need to limit their customer base and rate of service adoption, but having made so many assumptions about the services to be provided and customers who might want them, it also becomes ingrained that banks must control the product rather than allow customers to shape the services they want. For example, MetroBank's launch strategy seems to assume you want the same type of banking services and delivery channels, but with merely longer branch opening hours, free coin-counting and immediate in-branch card delivery. Hardly the "revolution" it claims, compared to what's happening in Kenya, or even in the UK...

The success of M-PESA prompts comparisons with PayPoint, and how it's pragmatically solving parking payment problems using a mobile platform (see PayByPhone). And it's consistent with the adoption of pre-paid cards, amongst which the Oyster card and O2 payment card are interesting examples. Away from payments, and at the higher end of the market, the pay as you go approach is reflected in Zopa's person-to-person lending fee structure: borrowers pay a one-off upfront fee with no charge for early repayment, and Zopa lenders only pay a servicing fee based on the amount they have lent out at any one time.

There's definitely a future in pay-as-you-go financial services.

You Must Switch Cards To Pay For London Olympics

I see that finally the competition authorities are looking at Visa's exclusive arrangement for the Olympic Games. I can well imagine that neither the Canadian nor Chinese authorities were as concerned as the European Commission and the UK's Office of Fair Trading. Visa is far better known to European competition authorities.

The BBC reports that:

"Visa is the dominant debit card supplier in the [UK] with 53 million customers compared with 17.5 million for Mastercard.

In credit cards, Mastercard has more customers with 36 million holders, compared with 22 million for Visa."

Of course, "dominant" has its own technical meaning under competition law, but you can see that even allowing for overlap amongst customers with both kinds of cards (poor Amex, JCB etc don't even rate a mention by the BBC), a lot of people may be frustrated at not being able to use a card to buy tickets and items at the Games themselves.

I have no trouble with the general principle that the Olympic Committee can grant exclusive deals with the aim of raising more money to help stage the Games. After all, being forced to switch soft drinks, beers or hamburgers for the day is no great hardship. But I do have a problem when that has the effect of requiring consumers to alter something as fundamental as their banking and/or credit arrangements, which may prove impossible or impracticable for many. That is similar to granting the Olympic television rights exclusively to a subscription-only television network.

A step too far.

In marketing terms, the arrangement may provoke something of a backlash (watch this space, for example). It may appear insensitive to impose an exclusive payment arrangement that obliges financially-stretched consumers to alter their banking and credit arrangements in these troubled times. And you would have thought that an event so massively undewritten by public funds should welcome payment in any of the generally accepted ways that any person can access and afford.