Is There Really A Single EU Market?

Some sobering figures from the European Commission for single market fantasists enthusiasts (as if Greece wasn't sobering enough).

EU cross-border services account for 4% of all online services, as opposed to national services within the US (57%) and in each of the EU member states (39%). 

15% of EU consumers bought online from other member states, compared to 44% who bought online nationally, with online content seeing double-digit growth.

Only 7% of SMEs sell online across EU borders - and it costs an average of €9,000 to adapt their processes to local law in order to do so. 

The cost/price of delivery is (obviously) cited as a major problem, as well as differing VAT arrangements. But suggested solutions seem to ignore these and other key barriers to cross-border retail that have been cited in previous market studies, such as lack of marketing strategy, preference for national brands, language barriers and local employment law challenges. Presumably, that's because the Commission can do little to address such fundamental practicalities. Instead, they want to focus on:

• stronger data protection rules;
• broadband/4G roll-out;
• use of 'Big Data' analytics; and
• better digital skills amongst citizens and e-government by default.

The sense of futility that permeates such reports by Eurocrats only emphasises the fact that the law follows commerce; it doesn't catalyse markets.  

Yet, ironically, in areas where commercial and consumer pressure to enable cross-border activity is emerging, such as crowdfunding and crypto-technology, we find European institutions taking an unduly restrictive approach.

When will they simply get out of the way?

Who Is Late In Paying Our #SMEs £41bn?!

In an attempt to eradicate late payments to small businesses of approximately £41bn, the government has proposed that, from April 2016, large listed companies will have to report twice-yearly on: 

• their standard payment terms;
• average time taken to pay; 
• the proportion of invoices paid within 30 days, 31-60 days and beyond agreed terms; 
• amount of late payment interest owed/paid; 
• incentives charged to join/remain on preferred supplier lists; 
• dispute resolution processes; 
• the availability of e-invoicing, supply chain finance and preferred supplier lists; and 
• membership of a Payment Code.

A copy of the simple but effective sample report is attached to the government's announcement.

Not only should this data result in the naming and shaming of late payers, but it should also further define and foster growth in the market for discounting these invoices, to help fund the growth of the affected SMEs.

8 Financial Services Policy Requests - Election Edition

If you've been lumped with the job of writing your party's General Election Manifesto, here are 8 financial policies to simply drag and drop:

1. Remove the need for FCA credit-broking authorisation just to introduce borrowers whose finance arrangements will be 'exempt agreements' anyway - it makes no sense at all;

2. Remove the need for businesses who lend to consumers or small businesses on peer-to-peer lending platforms to be authorised by the FCA - again, it makes no sense, because the platform operator already has the responsibility to ensure the borrower gets the right documentation and so on; an alternative would be to allow such lenders to go through a quick and simple registration process;

3. Remove the requirement for individuals who wish to invest on crowd-investment platforms to certify that they are only investing 10% of their 'net investible portfolio' and to either pass an 'appropriateness test' or are receiving advice - it's a disproportionately complex series of hoops compared to the simplicity of the investment opportunities and the typical amounts at stake;

4. Focus on the issues raised in this submission to the Competition and Markets Authority on competition in retail banking, particularly around encouraging a more diverse range of financial business models;

5. Re-classify P2P loans as a standard pension product, rather than a non-standard product - the administrative burden related to non-standard products is disproportionately high for such a simple instrument as a loan;

6.  Reduce the processing time for EIS/SEIS approvals to 2 to 3 weeks, rather than months - investors won't wait forever;

7.  Reduce the approval time for FCA authorisation for FinTech businesses from 6 months to 6 weeks; alternatively, introduce a 'small firms registration' option with a process for moving to full authorisation over time, so that firms can begin trading within 6 weeks of application, rather than having to spend 3 months fully documenting their business plans, only to then wait 6 to 12 months before being able to trade - others entrepreneurs and investors will stop entering this space;

8. Proportionately regulate invoice discounting to confirm the basis on which multiple ordinary retail investors can fund the discounting of a single invoice - it's a rapidly growing source of SME funding, simple for investors to understand and their money is only at risk for short periods of time.

Artificial Intelligence: The Control Dichotomy

Professor Nick Bostrom delivered an inspirational speech for the SCL last night on "Superintelligence: a godsend or a doomsday device", although few would have found it reassuring - it is certainly conceivable that machines could become more intelligent than humans and that humans might not be able to control them. But these are still early days, he stresses. Regulating the development of artificial intelligence at this point risks halting progress. There's a lot more work to do to really understand how artificial intelligence will develop beyond playing old video games better than humans or recognising an image as the picture of a cat. We need to consider how the technology could help avert our extinction, as well as how it might wipe us out. Yet Nick also warns that it will take far less time for computers to exceed human level machine intelligence than to reach it in the first place. So we need to start work on the control mechanisms for the development and use of artifical intelligence, without regulating the industry out of existence: the control dichotomy.

Nick suggests that the guiding principle should be that of "differential technological development" - diverting resources away from technologies and their application which could cause human extinction while focusing on those which will either help prevent our demise or will facilitate the expansion of the human race throughout the cosmos.

But how do we distinguish between helpful and harmful technologies and their application? 

As Nick points out, it's tough to think of any human invention that is inherently 'good'. He mentions many things, from gun powder to genetic engineering, and I think we can throw in the wheel and the Internet for good measure. All these things are used by humans in bad ways as well as for the greater good. But I think what horrifies us especially about the idea of Superintelligence or 'The Singularity' is that it will be machines, not bad humans, who will be using other machines against us. And while we have lots of experience in dealing with evil humans, even our top minds admit we still don't know much about how machines might act in this way or how to stop them - and what we humans fear most is the unknown. 

You'll notice I haven't said 'evil' machines, since they might not be operating with any evil 'intent' at all. Human extinction might just be a mistake - 'collateral damage' arising from some other mission. For instance, Nick suggests that a particular machine left to itself in a given situation might decide to devote itself entirely to making paperclips. So, presumably, it would not bother to put out a fire, for example, or free a human (or itself) from a burning building. It might leave that to other machines, who might in turn have chosen their own narrow objective that involves ignoring people's screams.

Here's where I struggle with the notion of Superintelligence. In fact, as someone who hates being pigeon-holed into any single role, I think a machine's decision to only ever make paperclips might be fabulously logical and a brilliant choice for that machine in the circumstances, but it makes the machine as dumb as a post. For me, Superintelligence should involve a machine being able to do everything a human can and more. 

But that's beside the point. Knowing what we know already, it would be insane to ignore the paperclip droid and wait for artificial intelligence to develop a machine more capable than humans before figuring out how we might control it. Nick is right to point out that we must figure that out in parallel. In other words, the concept of human control has to be part of the artificial intelligence programme. But it won't be as simple as coding machines to behave protectively, since machines will be able to programme each other. For instance, Nick suggests we could put the machines to work on the control problem, as well as on the problem of how to ensure the survival of our species. AI labs might also pay insurance premiums to cover the damage caused by what they develop. He was less certain about what we might do to constrain developments that occur in the context of secret defence programmes or intelligence gathering, but he seemed confident that we could at least infer the pace of development from the results, and be able to consider how to control the wider application of those developments. Mmmm.

At any rate, Nick also warns that we need to be careful what we wish for. Mandating human survival in a prescriptive way - even a specific biological form - would be a bad move, since we should not assume we are in a position to foster positive human development any more than the Holy Office of the Spanish Inquisition. Better to embed positive human values and emotions or, say, entertainment as a feature of intelligent machines (although I'm guessing that might not go down well with the jihadis). From a phyiscal standpoint, we already know that the human body won't do so well for long periods in space or on Mars, so some other version might need to evolve (okay, now I'm freaking myself out).

To retain a sense of pragmatism, at the end of the speech I asked Nick what he would recommend for our focus on 'Keeping Humans at the Heart of Technology' at the SCL conference in June. His tip was to consider which of the various types of control mechanism might work best, recognising the need to avoid constraining the positive development of artificial intelligence, while ensuring that we will be able to keep the machines in check if and when they become smarter than us.

No pressure then...

Will Machines Out-Compete Humans To The Point of Extinction?

I've been a bit absent from these pages of late, partly pulling together SCL's Technology Law Futures Conference in June on 'how to keep humans at the heart of technology'. As I've explained on the SCL site, the conference is part of SCL's effort to focus attention on that question all year, starting with a speech by Oxford University's Professor Nick Bostrom on 2 March: "Superintelligence: a godsend or doomsday device? 

In other words, last year was when the threat of "The Singularity" really broke into the mainstream, while this year we are trying to shift the focus onto how we avert that outcome in practical terms. 

My own book on how we can achieve control over our own data is still ping-ponging between agent and publishers, but will hopefully find a home before another year is out - unless, of course, the machines have other ideas... 

Humans, Not Big Data, Must Benefit From Opening Up The Banks

One of the 'good news' items in last year's Autumn Statement was the endorsement of an Open Data Institute report on how innovators could make better use of bank data on our behalf (instead of on the banks' behalf). Last week, the Treasury followed up with a call for evidence "on how best to deliver an open standard for application programming interfaces (APIs) in UK banking and... whether more open data in banking could benefit consumers."

This is important, because enabling our own machines to start crunching our financial data on our behalf is key to humans winning the race against Big Data.

'Open data' involves enabling public access to data by connecting data sets using uniform resource identifiers ('Linked Data') and publishing data about them in machine-readable formats. While the government and other public institutions have done a good job of opening up public data sets so far, our private institutions are lagging behind, as discussed here. That's because they benefit from making sure we know less than them about our own requirements - 'information asymmetry'.

The Midata initiative was the first to aim at restoring the balance in favour of consumers, by taking aim at energy utilities, telecoms providers and banks. Now the energy companies face being opened up like so many tin cans by smart metering, while the telecoms market looks like it will go from bad to worse. Banks have also proved a tougher nut to crack. Yes, some people can download their current account data via internet banking. But in addition to consumers, there are 4.5 million small businesses out there that need a hell of a lot more than that. So far, it's taken regulatory action just to start the process of improving access to small business credit data and making a market in rejected small business loan applications. Now the Treasury is trying to force the pace on the technology necessary to support all that.

The ODI's recommendations for opening up banking are: 

• banks should agree an open API standard to support third party access to bank data - basically firms that can help you make sense of the data (but Big Data firms will try to persuade you to share it with them too);
• independent guidance should be provided on technology, security and data protection standards that banks can adopt to ensure data sharing meets all legal requirements; 
• an industry wide approach should be established to vet third party software applications and publish a list of vetted applications as open data - this would allow visibility of firms that are acting on consumers' behalf and those who are not;
• standard data on Personal Current Account terms and conditions should be published by banks as open data; and 
• credit data should be made available as open data.

My main concern is that requiring agreement on 'standards' as a precondition for opening up banking will enable the banks to delay the whole process by a decade - as they did with Faster Payments. As was recommended by the security working group in the Midata initiative, I would prefer to see banks required to immediately make their data available to each consumer/SME in whatever open format the banks choose, while adhering to common data security protocols, and leave it to the open data community to figure out how to re-format and display whatever rubbish they dish up.

Apart from complaints by the banks, Treasury officials expect to hear positive contributions from consumer groups, other financial services providers, financial technology firms and app and software designers.

Let's not disappoint them. This is a good opportunity to ensure the government clears the way for innovation that puts you and me at the heart of financial services, without mistakenly creating further barriers in the process.

The P2P Jobs Market

The UK has an army of 4.6 million self-employed people, according to the Office of National Statistics - the largest it's been since we began recording such figures 40 years ago. That's 15% of the UK workforce. Even more significant is that 732,000 of the 1.1m people who have found work since early 2008 are self-employed. Fewer people have been leaving self-employment for employee roles over the past five years than used to be the case. Perhaps that's because of the recession. But over that period numerous services have emerged to support self-employment, and it seems possible that we'll see an even greater shift towards that way of working in the future.

So, who are the self-employed, and how do they find work?

The largest increase in self-employment since 2008 has been among 'managers, directors and senior officials'. But, hey, every self-employed person might claim to be a manager. So it's more noteworthy that the top 3 self-employed roles of 2014 have been building trades, cab drivers/chauffeurs and carpenters. The figures also show that professional and technical occupations are heavily represented.

How do these people find work?

No doubt word of mouth has a lot to do with it. But we've also seen a rise in the number of online marketplaces that match self-employed people with those who need work done. Indeed, TaskRabbit, a leading US marketplace, chose London as testing ground for a more automated model that it later rolled out in the US to replace its initial manual auction service. While TaskRabbit currently seems to cover the broadest range of services, there are many other such marketplaces in the UK, such as RatedPeople, Trustatrader, MyHammer, MyBuilder, TradeAdvisor, Checkatrade and so on. Note that Amazon has launched a 'local services' offering in the US, which suggests it may one day do so here.

The prevalence of cab drivers amongst the self-employed may help explain the growing number of taxi apps and car-share services.

Meanwhile, SchoolofEverything (a client of mine from 2007, on the back of my experience of P2P lending), enables anyone to make money from giving lessons in almost anything you could think of (...no, not that).

At any rate, the growth in both the number of self-employed people and the services that help them find work, suggests that self-employment could be an even more popular model in the future. The rise of the P2P economy?

Another Hung Parliament, Please

With the UK general election looming in May, I thought I'd declare my apolitical hand: I'm hoping for another 'hung' Parliament and a coalition government.

I've been a fan of the idea since the opportunity presented itself in the last general election. I think the beast has worked pretty well for the pragmatic amongst us, and is well suited to dealing with the nasty challenges ahead. As I hoped in April 2010, politicians on both sides of the coalition have had to behave much more reasonably and responsibly in seeking solutions to the root causes of our problems than their party-political dogma would have otherwise dictated. This has spiked the guns of an extremely dogmatic opposition. And even the media's doom-mongering about instability and chaos has proved groundless. Sure there have been U-turns and major disagreements between the coalition parties, but the democratic progress should be dynamic, open and messy - not engineered, top-down, by a party leader with a Whip.

The same form of government is needed over the next five years because the long journey out of the tunnel has barely begun. That light up ahead is not looming economic recovery, it's an on-coming train laden with vast public sector debt, slowing Chinese growth, savagely low oil prices that might rebound higher than before, the Russian Problem, insanity in Greece, negative real interest rates and a stagnant Eurozone. Oh, and a new global financial crisis, as Hank Paulson infamously forecast in 2010:

"...We'll have another financial crisis sometime in the next 10 years because we always do.""

The public finances are still in a parlous state. So all the UK political parties face the need to cut public spending, whether they like it or not. Raising expenditure is out of the question, because it would mean borrowing more - and higher taxes won't bring in any more money. The total UK tax receipts have hovered at or below 40% of GDP for over 40 years. We're bumping along the ceiling, people! Raise taxes, the economy grinds to a halt and the best you'll get is 40% of a smaller pie. Cut taxes to around 35% of GDP,  the economy roars into life and you get a smaller slice, but of a much bigger pie.

But, hey, if you think the UK should drift into the next financial crisis with even higher debt and taxes, why not simply move to Greece?

What's left to cut? There's no end to it: we need our politicians and civil servants to remain focused on making the public sector more efficient, by removing waste and insisting that services be designed to operate more efficiently in future, particularly in the major spending areas. The defence budget, for example, is a rounding error on a more efficient tax and benefits system and a leaner, better co-ordinated public health and social care sector (20% of hospital beds are occupied by people who aren't even sick!). Money could also be saved by addressing root causes instead of their many symptoms. For instance, would more social housing have helped ease the pressure on first-time buyers, avoiding government subsidies to them and pre-empted the policy battle over immigration levels? Similarly, we must continue financial reforms to increase the sources of funding and the range of payment services for consumers and small businesses (who create half of all new jobs) because the economy is still too dependent on a few major banking groups who remain a millstone around the country's neck.

Some people will say this is dry, boring and unimaginative. But if you want entertainment, head to the movies. 

Others want something to believe in. For instance, they accuse David Cameron of lacking political ideology or a 'pattern of belief', an '-ism'. Yet they claim that his "legacy will be a collection of tactical manoeuvres, with as many prominent surrenders as victories." Apparently these people have never heard of pragmatism. But they've also unwittingly hit on the benefit of the hung Parliament in restraining coalition parties from implementing their more extreme policies. By contrast, the 'believers' expect us to cling to the idea that Ed Miliband is "in politics for the right reason" (just the one?) or "propelled by something more noble than the salvation of his own skin", which you could choose to mean anything that gets you through the day. But beware words like 'right' and 'noble'. They are the cloaks of dogma and moral panic - rallying cries for the likes of Tony Bliar's weird crusade or Gordo's crash, in which Miliband (and Balls) played key roles - not to mention the ballooning cost of the Security State. So, actually, if we believe anything in this vein, then it's surely that such 'noble' ambitions make Labour governments the kind of luxury that only a much wealthier country could afford. 

But, who knows, maybe being trapped in a coalition would even convert Ed to pragmatism.

Whichever way you look at it, we need a government that's forced to focus on resolving the root causes of society's actual problems - not one driven to distort the facts to suit its own dogmatic solutions. And my sense is that only another hung Parliament will ensure we get it.

Feeling Down? Try #FoxNewsFacts

Source: Bipartisan Report

By now you probably know that Fox News broadcast claims by a so-called 'terror expert' that - among other bizarre claims - the UK city of Birmingham is 'totally Muslim' and non-Muslims 'don't go there', when Muslims only represent a quarter of the population, according to the BBC. Clearly an idiot. Fox actually had several goes at this - note the 'expert' is wearing a different shirt/tie combination in the two clips below. The 'expert' has since apologised and admitted to being completely wrong, though I'm not sure the anchors have apologised for their part in it. Sky News tried to clean up the mess for the Murdoch Empire by interviewing the 'expert' afresh, but it just got worse as he likened listening to his own erroneous comments to "being waterboarded". 

Of course, this isn't the only instance of bizarrely ignorant claims, opinion or commentary on Fox News, and I can't work out who's worse - the Fox News anchors or the so-called experts they interview.  You can judge for yourself by following the #FoxNewsFacts hashtag on Twitter. It's hilarious, if you can fight the urge to panic over how many stupid people might actually believe this crap. I do wonder whether US foreign policy - amongst other things - might be rather different if Fox News viewers were given the actual facts, rather than this trash.

One day, we might even find out.

Do The EBA Security Guidelines Ensure Card Scheme Control Over Retail Transactions?

The European Banking Authority recently issued payment security guidelines, as part of its security remit under PSD2. The guidelines take effect in August 2015 and will  require subtantial work on the part of payment service providers and merchants. They will be followed by 'stronger’ guidelines under PSD2 that will take effect in 2017/18. As anticipated, the guidelines could well present a significant obstacle to the evolution of payments services and competition from new entrants. At the same time, even if they reflect best practice today, the guidelines do not really overcome inherently unsecure features of legacy payment methods - like cards.

To be fair, the authorities have a difficult balancing act here. They have a responsibility for ensuring that PSPs implement appropriate security measures - and should at least point to best practice in the area - yet the authorities cannot afford to be so prescriptive as to delay implementation of those measures and/or prevent PSPs keeping pace with wider technological developments, the development of new payment services and the efforts of hackers. Unfortunately, the EBA appears to have struck a balance in favour of banks and card schemes, rather consumers, merchants and alternative payment service providers, as discussed below.

The guidelines cite card fraud as the main driver of this initiative, rather than fraud in relation to other types of payment service that do not involve card payments. Yet payment cards and the related IT systems have not really evolved fundamentally since they were introduced in the 1960s, which means that 'legacy' systems are effectively dictating the approach to payment security. True, there are many payment methods that are exempt from the guidelines. But the prevalence of card payments means that PSPs and merchants are being forced to divert resources to shoring up security on that front, rather than investing in more advanced payment methods.

At the heart of the guidelines is the concept of 'strong customer authentication', which is quite prescriptively defined. Yet this form of authentication would seem likely to evolve, and it is conceivable that customer authentication in the payment step of a transaction process might not remain relevant over time, particularly where the payment is being made in the course of a wider customer activity within a secure environment.

Many of the guidelines also go beyond the realms of payment security. While these may reflect obligations under other regulations, such as Money Laundering Regulations, Payment Services Regulations and the Data Protection Act, they are quite prescriptive and therefore will require additional legal and compliance time to review, implement and monitor changes to those other compliance procedures, as well as extra IT and operational resources.

The need for "customer education and awareness programmes" are also likely to require the involvement of marketing teams and their support staff. The concern here must be that customers who deal with multiple PSPs (as competition authorities should hope!) will begin to ignore the educational materials as just so much clutter or junk mail. The adverse customer experience may also drive consumers to prefer less secure payment options (e.g. cash).

Requirements for merchant co-operation, through enforcement of their contracts with PSPs, are also very concerning. For example, PSPs are asked to require merchants to "clearly separate payment-related processes from the online shop" and to enable customers to sign a dedicated payment contract with the PSP rather than having those terms included in a wider service contract. Yet merchants are not directly bound by Payment Services Regulations (except in very limited respects), so the EBA is arguably exceeding its authority in requiring merchant compliance with broader security requirements. In addition, we have already seen significant data security costs imposed by card schemes on merchants who must comply with the PCIDSS requirements. These resulted in most merchants choosing not to hold payments data at all. Indeed, many chose to deal through payment aggregators who accept and process payments on their behalf. However, PSD2 will require technology service providers to contract directly with PSPs under PSD2, rather than merchants if they wish to remain exempt from regulation, which must be likely to reduce the number of independent service providers. Such requirements seem to be aimed at large retailers and e-commerce marketplace operators who may otherwise legitimately offer a seamless consumer experience under current regulations. So it may be that the EBA guidelines will help drive control of e-commerce transactions to financial institutions – particularly banks and card schemes - rather than opening up competition for transaction processing from large merchants and others who have developed competing payment functionality.

As a result, the EBA's security guidelines deserve careful consideration by the competition authorities.

Credit Where It's Due

Having spent the past seven years banging on about the changes needed to democratise the financial system, it's only fitting that my last post for 2014 should give a little credit to the authorities for making some very significant changes this year.

The FCA published its rules to specifically regulate peer-to-peer lending in February, and its rules on crowd-investment in March. At the same time, the Chancellor announced the expansion of the ISA scheme to include peer-to-peer loans. In the Autumn Statement, he announced that consumers who lend to other consumers and sole traders through P2P platforms will be able to offset any losses against interest received. And there will be a consultation on expanding the ISA scheme to encourage crowd-investing in bonds and other debt securities.

We are still at the start of a long journey. The rules could be simpler and the EU could yet muddy the waters if the UK position is not well represented. But if you'd asked me in 2007 whether so much would be achieved by 2014 - particularly on the ISA front - I'd have been optimistic (naturally) but expecting the worst. Yet in 2015 we'll have both the regulatory 'blessing' and the incentives necessary to enable people with surplus cash to get it directly to creditworthy consumers and small businesses who needed it, instead of leaving the money tied up in low yield bank deposits or having it eaten away by fees in managed investment funds. 

Perhaps this is partly why 2014 also saw the bank bosses' swagger and bravado turn to panic. The trends which are combining to democratise the financial system have not only revealed that the stuffed shirts are powerless to stem the flow of fines for corrupt practices on virtually every front, but those trends have also produced competition from the banks' very own customers. 

Hell, even their auditors are finally coming under scrutiny!

But let's not get carried away. While crowdfunding is growing at over 150% a year, the crowd will probably produce 'only' about £5bn of funding in 2015, based on Nesta figures and assuming a boost from the ISA changes. 

So, while we've come along way since Bobby "Dazzler" Diamond infamously suggested that the time for bankers' remorse was over if the UK was to recover, we will still have a small business funding gap next year - eight years after the financial meltdown. In fact, in many ways the financial system is in worse shape now than in 2007, with less competition and appalling inefficiency in banking, vast public sector debt, a larger 'shadow banking' sector than every before (depending on how you measure it), and many key economies around the world suffering low/no growth. Events such as those in Russia, Greece and the Eurozone are applying further pressure to a system that is still broken. In these circumstances we remain terribly vulnerable to financial shocks. 

Still, the UK government deserves plenty of credit for the changes announced to date. Whether they have come early enough to help us through the next storm remains to be seen, but at least the national funding solution now lies substantially in our own hands. 

If we don't take the opportunity to crowdfund the recovery, we will only have ourselves to blame.

Good News For #FinTech And #Crowdfunding in Autumn Statement

The government has announced bad debt relief for lending through P2P platforms; a consultation on whether to extend ISA eligibility to crowd-investing in debt securities and an intention to review some rules that add unnecessary costs for institutional lending through P2P platforms.

Individuals lending through P2P platforms to offset any losses from loans which go bad against other P2P income. It will be effective from April 2016 and will allow individuals to make a self-assessment claim for relief on losses incurred from April 2015.

The government will also consult on the introduction of a withholding regime for personal income tax to apply across all P2P lending platforms from April 2017. This will help many individuals to resolve their tax liability without them having to file for Self Assessment.

The government will call for evidence on how APIs could be used in banking to enable financial technology companies to develop innovative solutions to allow customers compare banks and financial products.

From January 2015, the majority of card acquirers will offer a new service for small businesses to receive the funds from debit and credit card transactions much more quickly. Two acquirers will not meet this commitment, and the government will ask the Payment Systems Regulator (PSR) to examine whether small businesses are being disadvantaged as a result.

The government will allow gains that are eligible for Entrepreneurs’ Relief (ER) and deferred into investment under the Enterprise Investment Scheme (EIS) or Social Investment Tax Relief (SITR) to benefit from ER when the gain is realised. The government will also increase the annual investment limit for SITR to £5 million per annum, up to a total of £15 million per organisation, from April 2015 and will also consult further on a new relief for indirect investment in social enterprises.

To better target the tax reliefs, the government will exclude all companies substantially benefiting from other government support for the generation of renewable energy from also benefiting from tax-advantaged venture capital schemes, with the exception of community energy generation undertaken by qualifying organisations. The government will also make it easier for qualifying investors and companies to use the tax-advantaged venture capital schemes by launching a new digital process in 2016.

Officials Alarmed By PSD2 And Barriers To Innovation In Payments

In a joint study, Ofcom and the UK's new Payment Systems Regulator have explored the reasons for limited innovation in the UK payment services market, sounding the alarm over the potential impact of PSD2. But the study does not thoroughly explore the most recent proposals, which would make the situation worse than officials seem to appreciate.

The study confirms that most of the innovation is facing retail customers and relies on the existing payments infrastructure.

Various factors act as a barrier to the scale and pace of innovation seen in other technology sectors. There is a low tolerance for system failures, naturally, but the resulting high security and resilience requirements make systems more rigid and less open to the usual market forces of present in other IT sectors. New entrants also find it hard to break through the network effects that support existing payment methods (e.g. cards). Investment is further constrained by significant uncertainty around regulation and technological standards. Finally, the interests of consumers, merchants, telcos and financial institutions are not aligned in the types of services being offered - in essence we're seeing an attempted 'land grab' by competing institutions at customers' expense.

It is critical that the European Council considers this report as it finalises the proposals for PSD2, which would make this situation worse. Equally, however, it is a pity that this study was not able to more thoroughly explore the potential impact of those proposals.

Let's hope for some more joined up thinking in the weeks to come!

The End Of Merchant-hosted Checkouts?

Source: LoudMouth Media

You may have noticed that I'm madly trying to keep up with the blast of confetti from Brussels known as "PSD2". It's very fortunate that the SCL's editor is blessed with a good sense of humour, not to mention the readership. In advance of my latest update, here's a warning of a fairly brutal provision for e-commerce merchants in the latest version of PSD2.

Not satisfied with forcing 'gateway' service providers to supply their services directly to regulated institutions rather than merchants, if they wish to remain exempt, it seems the EU Council also considers that e-commerce checkout pages on merchant sites are "payment instruments" in their own right (not just the payment methods displayed on them).

A new information requirement seems to mean that where customers are shown a range of different card-scheme brands as payment options prior to checkout (itself referred to as “the issuance of a payment instrument”), they should be informed that they have the right to select a particular brand and to change their selection at point of sale.

On the surface, this requirement adds nothing. It's how checkout processes already work. If you want to pay by card, you click on the card scheme logos, and up comes a page that asks you to enter a card number from any of the brands displayed. But describing a checkout process as a “payment instrument” (rather than merely the payment methods available on it), suggests that the entity which serves up the web page that enables checkout is itself the issuer of a payment instrument and should be authorised accordingly.

It's likely that many e-commerce merchants will host their own checkout page or process, and the transaction only moves to the acquirer’s servers either once the customer has selected which type of payment instrument she wishes to use, or (if the merchant is PCI compliant) once the transaction is captured and sent to the acquirer.

So this provision would actually require such a merchant to either cease hosting any aspect of the checkout process or become authorised as a payment instrument issuer (or the agent of an authorised firm). It also raises the question whether such a merchant is also 'initiating payment transactions', with the same consequences.

This is revolutionary stuff. If passed in this form, PSD2 could drive the need for significant website re-development work. Of course, it could also mean good business for e-commerce marketplaces, or regulatory specialists who help firms apply for authorisation (pick me!). But it's really just overkill.

In their quest for 'the highest standards of consumer protection', the European authorities seem oblivious to the adverse impact on competition and innovation in the payments sector that will come from delivering control over key aspects of e-commerce infrastructure to the comparatively few firms who will bother becoming authorised. Ironically, it was this sort of concentration that drove the need for the current PSD - to open up the banking/card scheme monopoly. Perhaps the banks and their schemes are winning the battle to retain their dominance after all...

The Cost Of Leaving Payment Security To The Beurocrats: #PSD2

The more I study the latest proposal for a new Payment Services Directive (PSD2), the more I'm concerned that it will reduce innovation and competition. Not only does it hand control of wider transaction technology to regulated payment service providers (PSPs), but security standards will also be centrally controlled by the European Banking Authority, as explained below. It seems the authorities are busy creating a new version of the banking monopoly that the PSD was designed to break down. But maybe the idea is to create work for the new Payment Systems Regulator...

Putting aside the ability for PSPs to control the wider transaction infrastructure, PSD2 empowers the EBA to set technical standards governing 'strong customer authentication', as well as how PSPs communicate among themselves and with customers.

These standards are very far-reaching.

Subject to any exemptions the EBA may grant (based on risk, amount/recurrence of a transaction and the channel), all PSPs will have to apply strong authentication when a customer who wishes to make a payment (the 'payer'):

• accesses a payment account online;
• initiates an electronic payment transaction; and/or
• "carries out any action through a remote channel which may imply a risk of fraud or other abuses".

In the case of an electronic payment transaction that is initiated via the Internet or 'other at-a-distance channel' (a "remote payment transaction"), the authentication must “include elements dynamically linking the transaction to a specific amount and a specific payee”).

In addition, PSD2 proposes numerous different security requirements for different types of PSP depending on whether they initiate payments, issue a payment instrument or provide account information services. PSPs will also have a 'framework' to manage operational risk and provide the regulator with their assessment of the risks and the adequacy of their controls. They must classify “major incidents” and report them to their regulator without undue delay. The regulator must then report the incident to the EBA and the European Central Bank. If the incident affects the financial interests of users, the PSP must also inform them without undue delay, along with possible measures they can take to mitigate the problem.

While we should acknowledge the challenge at the heart of all European law, that an Englishman's red tape is a Frenchman's business manual, everyone should question the wisdom of tying the development of payments security to the speed of European bureaucracy. PSD2 provides that the first draft of the EBA’s technical standards will only be available 12 months after PSD2 is approved, and there is no explicit deadline for the standards to be finalised (although the EBA is consulting on 'guidelines' here). Beyond the initial drafting, the EBA is merely tasked with reviewing and, if appropriate, updating the standards “on a regular basis” - but neither the frequency nor regularity of those reviews is specified. Surely, the EBA's role should be limited to reviewing standards (if any) as the market develops them - hopefully a step ahead of the fraudsters? How many business plans will otherwise stall in anticipation of the EBA's pronouncement and the resulting talkfest?

Conspiracy theorists will be pleased to see restrictions on the extent to which payment account service provider (ASPs) can use the security measures to discriminate against any third party PSP (TPP) who wishes to access their payment accounts. But there do not seem to be any such restrictions on discrimination the other way around. So PSD2 would hard-wire the current (mistaken) assumption that the ASP is 'king' in the context of its customers' day-to-day activities, while the dominant customer relationship increasingly lies elsewhere. Indeed, in the digital world, large TPPs could end up dictating the number and type of ASPs we all use, as well as the payment services those ASPs provide. Perhaps the new Payment Systems Regulator could address this by designating such a powerful TPP as a 'payment system' (which is very loosely defined), but it would be preferable to avoid creating the potential for such power in the first place.

FCA #Innovation Hub

The FCA has launched an Innovation Hub as part of its plans to support innovation in financial services.

Innovators can submit a request for support from the Innovation Hub, which the FCA will assess against certain criteria and then decide on the type of support it might be able to offer. The assessment criteria are:

• whether the innovation is genuine - ground-breaking or significantly different;


• whether the innovation offers a good prospect of identifiable benefit to consumers (either directly or through greater competition);


• whether the business has invested appropriate resources in understanding the regulations in relation to its own position;


• whether the business have a genuine need for support through the Innovation Hub?

In addition, the FCA has published a Feedback Statement, responding to input received as part of Project Innovate.

Of Primordial Soup, New Payment Services And #PSD2

Source: Shirtigo

Figuring out the impact of the proposed changes to European payments law (PSD2), is like watching primordial soup, with new types of regulated creature emerging all over the place. Previous posts have considered the impact on loyalty schemes and technical service providers, while this post looks at the new “payment initiation” and “account information” services. The scope of these new services could introduce many new software and service providers to the regulated world, increasing costs as well as potentially limiting competition and innovation.

A “payment initiation service” is one where you can ask the service provider to pay your energy bill, for example, or make batch payments to staff and suppliers, using one or more payment methods provided by other service providers. It is conceivable that an e-commerce checkout feature, for example, might also qualify. Member States must ensure that payers have the right to use a payment initiation service in relation to payment accounts that are accessible online. A payment initiation service provider must not handle the payer’s funds in connection with the provision of the payment initiation service.

An “account information service” is one that allows a single view of all your transactions on one or more payment accounts held at one or more payment providers. Account information service providers will be exempt from certain authorisation, information and contractual requirements, but will be treated as payment institutions - so they will be allowed to passport to other EEA states, for instance.

PSD2 assumes that both these new services will provided by “third party” payment service providers, i.e. those who do not also offer payment accounts or handle funds themselves. Let's call them “TPPs” for short, as opposed to firms that provide or maintain payment accounts, which is the job of “account servicing payment service providers” or “ASPs”.

TPPs will need to become authorised or registered financial institutions, or become appointed as agents of authorised firms. Those initiating payments will need at least €50,000 of working capital and (along with account information service providers) will have to hold professional indemnity insurance. TPPs will also have to provide information about themselves to customers, as well as have quite a lengthy contract with each of them (unless they are exempt account information service providers). If a payment goes wrong, the TPP who initiated the payment must be prepared to prove that nothing went wrong in its own systems when it sent the payment to the ASP. The TPP will also have to give information about the payment to the intended recipient(s) and meet certain security requirements (see my article for the SCL).

Regardless of the customer benefits, it seems certain that these requirements will add to the cost of providing payment initiation and account information services to consumers and small businesses.

The regulations would also seem likely to limit competition and innovation in the event that firms structure their services to avoid regulatory overhead.

Specifically, it's not clear whether firms wishing to avoid increased costs could qualify for the technical service provider exemption by supplying their services directly to ASPs instead of customers. But even if that were possible, or if ASPs were prepared to appoint TPPs as their agents, it's likely that each ASP would only involve the services of a limited number of TPPs, and would add its own margin to their charges in any event. In other words, the number of potential TPPs and related services could just become a function of the number (and type) of existing ASPs.

So it seems the adverse consequences of regulating these services may well outweigh any benefits.

The End Of Third Party Payment Gateways?

Source: paymentsgateway.com.au

Changes are being proposed to European payments law that will affect service providers who send payments data from retailers to financial institutions. This post explains how they may be affected, and what they may be able to do about it.

Most retailers rely on an external service provider to send their payments data to a financial institution for processing. Sometimes the financial institution itself handles the data transfer as part of its acquiring service. But often a third party agrees to do that on the retailer's behalf, particularly for online payments. The financial institutions call such service providers "third party gateways" because the institution typically has no contract with them and it's up to the retailer to ensure the data gets to the financial institution. From a regulatory standpoint, the gateway provider doesn't handle any funds, so they are currently also exempt from payments regulation as 'technical service providers'.

But under proposals for a new Payment Services Directive (PSD2), such service providers will only be exempt if they contract with financial institutions (e.g. merchant acquirers), rather than retailers or other payment service users. That may help the financial institutions control the quality of the data that flows their way, but it also potentially undermines the ability for large retailers to control the processing of their transactions.

In addition, “acquiring of payment transactions” will be regulated where the service provider contracts with the retailer to accept and process payment transactions, and this 'results' in a transfer of funds to the retailer. Not only is this aimed at certain merchant acquirers and bill payment operators who believe they are outside the scope of the current PSD, but it could also catch third party gateways, since it appears that the service provider does not have to be the one actually transferring the funds.

It is also possible that the activities of technical service providers may fall within the scope of other regulated activities, particularly 'payment initiation services', 'account information' services, or perhaps even 'issuing payment instruments' (see my longer article for the SCL).

At any rate, technical service providers may find that it isn't commercially feasible to remain exempt as a result of one or more of these changes. In that case, the options are to either get authorised as an e-money institution or payment institution (or perhaps a registered as a small EMI or PI), or operate as an agent of someone who else or is.

Whether or not they are exempt, however, anyone providing technical services will need to be familiar with the proposed new security requirements, and the related standards that will eventually be issued by the European Banking Authority (see my longer article for the SCL).

A Developer's Guide to Privacy and Fairness?

Over the past few months I've noticed a range of different articles expressing privacy concerns about mobile apps, wearable devices and internet-enabled things, like smart TVs and bathroom scales ("the Internet of Things") on the one hand; and initiatives like 'Midata' to help you create your own 'personal data ecosystem', on the other. But regulation aimed at unfair trading is also relevant in this context, as are the various security requirements being proposed at EU level in relation to payments and 'cybersecurity' more generally. Official guidance in these areas is often broad but not comprehensive, as in the summary of privacy rules given in the context of Midata. It would be great to see a more concerted effort to draw all the guidance together. I have suggested this to the SCL. In the meantime, this overview explains briefly where to find guidance on meeting privacy and fairness requirements when using apps and other devices for consumer marketing purposes.

Note: as a developer, it's worth reading such guidance as if you were a consumer, to understand the regulatory intent. As a consumer it's worth reading guidance aimed at firms, since that gives you a better insight into how things actually work 'behind the scenes'.

The Information Commissioner has plenty of practical guidance on privacy in the context of cookies, mobile applications and data sharing (and a other guidance by sector or activity).

The Advertising Codes are important sources of information on how systems are supposed to behave in a marketing context.

PhonepayPlus has issued guidance on the use of premium rate numbers.

The Office of Fair Trading had plenty of guidance on how to comply with consumer protection regulation, which is now hosted by the Competition and Markets Authority, including principles for online and app-based games.

The OFT's guidance on what's appropriate in a consumer credit context, such as debt collection, is now in the FCA's consumer credit rules, and the FCA also recently consulted on updates to its guidance on financial promotions in the social media.

Firms seeking FCA authorisation often have to provide a lot of detail on their IT systems and governance in the process. The proposed new EU directive on payment services will broaden the range of regulated services and go into considerable detail on data security. In fact, security standards will be produced by the European Banking Authority, just to add to the confusion.

Knowing where consumers can complain is a guide to other regulators who may be interested in how your application works. There is an overview of UK consumer complaints channels here. There are specific complaints bodies for sectors, such as energy, financial services and telecoms, as well as for activities, like advertising and processing personal data.

However, it's you should be aware that the Data Protection Act gives businesses separate rights to process your personal data in the following circumstances:

• for the performance of a contract to which you are a party, or for taking of steps at your request with a view to entering into a contract;
• for compliance with any legal obligation, other than an obligation imposed by contract;
• in order to protect your vital interests;
• either for the exercise of a function conferred on a business by law or for the exercise of any other functions of a public nature exercised in the public interest;
• for the purposes of legitimate interests pursued by a business or by someone else to whom the data are disclosed, except where that processing is unwarranted by reason of prejudice to your rights and freedoms or legitimate interests.

Public sector bodies also have certain rights to use your data which I haven't covered here. However, it's important to mention the ID Assurance Programme run by the Government Digital Service team, which has issued useful guidance on ID assurance. And the Connected Digital Economy Catapult that builds platforms for SMEs is due to develop a code of practice on consumer protection.

The Beginning of The End of Consumer "Banking"

Funny to see a story from John Gapper in the FT this morning, saying technology will hurt retail banks but not kill them, only a few pages before First Direct admits it mis-sold complex investment products to consumers.  While I agree that innovation doesn't 'kill' anything, and must co-exist with what it is replacing, John seems to have a misplaced faith in retail banks' ability to maintain their direct relationships with consumers.  Banks are steadily being relegated to the back-office of retail finance.

 

John may be right to point out that banks lose money on the limited activity of offering current accounts, and possibly even savings account functionality, so that these are not attractive areas in themselves for technology businesses to enter. But of course you can't view those 'products' in isolation. They are just part of the 'bait and switch' routine that banks operate to persuade people to part with their money so the banks can earn far more from using those funds for their own ends.

To understand what the tech companies are doing, you have to consider how much money the banks make out of the end-to-end activity of robbing investors/depositors of yield while fleecing borrowers with expensive loans - and making everyone pay a lot for slow-cycle payment processing. 

 

It is wrong to say that technology companies are merely playing at the edges of 'banking' by offering payment services and person-to-person loans. This is all part of the strategy for disrupting the 'banking' sleight of hand.

 

Tech companies know that if they can provide a decent, transparent consumer experience to savers/investors on the one hand, and those who need the funds on the other, then they are in a position to cut the cost of moving money between the two. In fact, the money may not even have to move at all: the important issue is who is entitled to it, and whether it is available. 

 

You don't need a bank to keep the data and transaction records that tells you who owns the funds. It's all just data, as Marc Andreessen is quoted as saying. 

 

And it's far safer to separate the transaction processing and record-keeping function from the cash, which should be held separately from the processor's own funds. That's how e-money institutions, payment institutions, P2P lending and crowd-investment firms are set up...  They may rely on segregated commercial bank accounts for holding that cash, but the banks who provide those accounts have no control at all over which consumers own the money in them, or what those consumers choose to do with it amongst themselves.

 

In the EU, the regulatory support for such new business models began in earnest in Europe in 2000, with the advent of the first E-money Directive, and has snowballed with the Payment Services Directive in 2007, a new EMD in 2009 and the proposed revamp of the PSD. There are now hundreds of these payment institutions in the UK alone. And it's no coincidence that the UK has led the way in both creating and regulating P2P lending and crowd-investment platforms.

 

All of this spells the beginning of the end for consumer 'banking'.