PSD2: Where is the FCA?

On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.

Anyone know what ‘apply’ means in this context?

On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2”. There have been many articles since then trying to explain what it means; at best these are educated guesses.

All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. The classification of Major Incidents, for example.

So as the UK’s ‘competent authority’ for PSD2, it’s surprising – and more than a little disappointing – that the FCA has so far provided zero guidance, and won’t until sometime in 2017.

For example, the most pressing questions are:

  1. If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service Providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
  2. What happens to ASPSPs if they aren’t ready? Are there penalties?
  3. When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs)?
  4. Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
  5. Does the FCA have final say in liability?

I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.

Of the 50 people I trained in those 3 days:

  1. PSD2 knowledge was very low;
  2. So far they had received little guidance from senior leadership;
  3. 85% were more scared than optimistic;
  4. Only 10% saw any opportunity for their organisation; the rest saw their jobs threatened;
  5. Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers.

Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?

No organisation wants to invest in business transformation without 2 things: 1) a clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last either. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.

All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready, it’s up to us to do what we can in the meantime.

Here’s what senior leadership at ASPSPs could be doing:

  1. Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
  2. Set up a task force to examine opportunities related to Access to Account (XS2A) – You’ll have to give your customers’ information away for free; don’t you want the same from your customers’ other ASPSPs?;
  3. Set up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
  4. Set up training opportunities for as many staff as possible, in-house or 3rd party – Uncertainty kills motivation; you cannot let this turn into fear; and
  5. Take a long hard look at your mobile apps and APIs; these things will have a very significant impact down the road – You cannot be left behind where customer convenience is concerned.

The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:

  1. Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would they, when they’re no more convenient or value-add than the plastic they are trying to replace?
  2. Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices; don’t make choices based on perceived deadlines.
  3. Your customers are yours to lose – YOU have the existing relationship with your customer; new entrants in the game will be at a significant disadvantage. Unless you do nothing.

PSD2 is a good thing for consumers; it’s really up to the ASPSPs whether the benefit is mutual.


National Retail Federation (NRF), Why They SHOULD Hate PCI

In a recent CSO Online article, “The National Retail Federation is dead wrong about PCI”, the author made, in my opinion, one of the most reprehensible defences of PCI I’ve ever seen. Even the SSC have not been so bold as to make these kinds of off-the-mark and clearly self-serving assertions.

After an innocuous two-paragraph preamble, the author(s) state:

Despite NRF assertions to the contrary, the payment card industry has asserted that their card security standards are voluntary. Merchants have a definite choice if they want to accept credit and debit cards or not. It’s quite safe to say if retail establishments couldn’t accept payment cards; most would see massive sales reductions, and a large number would simply go out of business.

How can he possibly say that merchants have a choice, when he says it himself that most would see “massive sales reductions”!? Call that a choice!? That’s right up there with ‘face or gut?’!

The fact remains that the card brands STILL have merchants by the short-and-curlies when it comes to non-cash payments. You only have to look at the anti-competition and unfair business practice suits that the card brands have had to fight over the years to see how distastefully their business practices are perceived.

And quite frankly, this all shows a complete lack of understanding of the NRF’s main issue: they don’t CARE how they receive payment, because payments are NOT core to their business. Being paid for their products / services is.

The author goes on to say:

Given the significance of payment cards, we would have expected the NRF to be at the forefront of PCI advocacy and compliance. Yet the reality is that they have an extremely disdainful view towards PCI.

Seriously? Ask me to pick up the cost of fixing your crappy service and I’ll be equally ‘disdainful’. Sod that, I’d be thoroughly pissed-off, but I still wouldn’t have a choice, not if I wanted to stay in business.

The NRF have every right to expect the card brands to do something more appropriate. THEY are the ones providing the service, and THEY (and their associated middle-men) are the ones who’ve made billions through merchant transactions over the course of 50+ years.

But it’s the merchants who are paying the interchange rates. And it’s the merchants who have to spend billions on infrastructure that does absolutely NOTHING to help them improve their customers’ shopping experience.

Guess who pays for this in the end? Yep, us, the consumers.

As I have written (or at least alluded to) many times in the past, the very technology behind payment cards is past its usefulness. Anyone trying to prolong this ancient, inherently insecure, and zero-value-add technology clearly has a vested interest in doing so. Card Brands, Issuers, Acquirers, Payment Service Providers (PSPs), and Terminal Manufacturers are obvious stakeholders. However, QSA companies also exist to a large degree on the budgets that PCI compliance extorts. Call them PCI War Profiteers if you wish; I’ve heard worse, and I have also benefited.

In the card brands’ defence, they have done a truly astonishing job over the course of 5 decades in bringing trust into non-cash payments. That’s what their logos are: a symbol of trust. The next generation of payment providers owe them an enormous debt of gratitude. That said, we didn’t keep horses around because we felt sorry for the farriers; we jumped head first into the automobile.

Mobile phones are now more ubiquitous, and can be infinitely more secure and ‘value-add’ than branded plastic (even when that plastic is tokenised in ‘[X] Pay’ services). All we need now is for the banks to get their acts together and provide the trust, and there will be little need for the innumerable middle-men.

Which brings me to my final point on the article: yes, the NRF and all other retail associations have the right to be angry, but they have done next to nothing to help themselves. They played a game whose rules were set by the card brands, and used none of their extraordinary power and influence to tip the balance in their favour.

For example, I have estimated that the Top 10 retailers in the US alone account for almost 1 TRILLION USD in branded transactions. If we assume an average of 1.75% interchange, that’s 1.75 BILLION in fees the retailers have paid to ‘middle-men’. How much influence would you exert over those middle-men if it was your business?

So in summary:

QSA Companies: Keep your opinions of retail to yourselves; your self-serving diatribes are inappropriate. Serve your clients, don’t brown-nose the brands.

Card Schemes/Issuers/Acquirers: Use your incredible knowledge and combined talent-pool to lead the way in the removal of plastic, and therefore the need for PCI. It’s time to move on.

Retailers: Put aside your differences, stop bitching to the wrong people in the wrong way, and do something useful with your power. Focus on what you WANT, not what you DON’T want.

All of this boils down to one thing: what do consumers want? Most have no idea, but I do, as do thousands of others like me. Ask us.

…and it had better not involve yet another piece of plastic.

What Will 2016 Be “The Year Of” In Payments?

I guess it’s quite prophetic that 2016 is the Chinese Year of the Monkey, though I suspect that the Year of the Headless Chicken will be a little more accurate.

Every year, someone either predicts a ‘Year of x’, or claims that the previous year was ‘The Year of y’, and usually it’s the very organisations with a direct vested interest in the technology in question. 2015 was the Year of Biometrics, 2014 was the Year of Encryption, and so on.

Thankfully the financial industry at large took a step back and put these, and many other technologies, into an appropriate perspective. Mostly. Especially biometrics, where numerous vendors were dribbling all over themselves when Apple Pay finally hit the mainstream. We heard cries of “The password is dead!” and “Biometrics is the future of authentication!”, all of which was utter nonsense in light of the Payment Services Directive 2 (PSD2).

Yes, many banks have invested significant sums in biometrics (usually to enhance their mobile banking app security), and no, these investments will not be wasted, but from what I’ve seen most of them have missed the point: that authentication is just a temporary means to an end.

The result is that those hell-bent on disruption will fail without collaboration, those with a single authentication technology will fail without partnerships in a multi-factor solution, and those interested only in keeping things the same will be left behind. The only hope of achieving a balance between all of these things is to ask the only stakeholders who have no idea what they want:

The consumer.

Even after a few years of dramatic changes and innovation in payments, what everyone seems to have missed – or at least underestimated – is that payments (or finance in general) are far too complex for the average consumer to understand. In my opinion they’ve been made too complex to even be sustainable, especially when you consider that the concept of a payment is actually very simple: I have a value stored here, and I want to transfer it over there in exchange for a product or service. HOW that happens should not be the consumer’s concern; only the security and efficiency of that transaction should be.

I have no problem paying my bank to protect my stored value (i.e. money), as long as it’s reasonable. I have no problem paying someone to protect (and accept liability for) the transfer of that money somewhere else, as long as it’s reasonable. What I DO object to is the numerous intermediaries in the current system who not only make the process expensive, but ridiculously slow and inefficient.

But what I really want is for payments to go away entirely, at least from my perspective as a consumer. I want the HOW of the payment to be handled in the background, and the decision made by a trusted third party who has found the best all-round deal for the product/service of my choosing. Whether that’s finding a plumber or shopping for groceries, the only innovations I care about are ones that take care of the things I hate doing, like filling out online payment forms, or lining up in Sainsbury’s to pay for a pint of milk.

So, in truth, 2016 will likely be the Year of Nothing Much Happened. Truly beneficial change will take a long time, and while the pieces necessary for innovation are already available, getting all of the stakeholders to agree on the way forward will extend way beyond this year, and likely next.

I’m hoping that 2016 will actually be the Year of Getting the Future-State Plan Right, but I somehow doubt it.


Froud on Fraud: Top 5 Predictions for 2016

If I was any good at predicting the future, I would be writing this from my yacht in the Caribbean, and not from my kitchen in Southwest London. That said, I do get to work mostly from home, so maybe I’m doing something right.

While my predictions for 2016 will necessarily be as narrow as my field of expertise, there is a lot going on that will eventually change the way everyone performs many of their daily functions. Probably not this year, and maybe not within the next 5, but once they DO begin to change, there will be no looking back. This is a good thing, and well past its time.

Prediction 1: Identity Management will begin to replace single-factor authentication

ANY single form of authentication is inadequate, and even multi-factor and multi-mode authentication is of limited use. For the Internet of Things, payments, or any other transaction to take place securely and accurately in the future, identities must be seamlessly and mutually introduced. Authentication only provides the what-of-you (and usually only in one direction), not the who-of-you; the full function of ‘distributed transactions’ (i.e. mobile based) requires both.

Prediction 2: Identity Management will be decentralised onto consumer mobile devices

As a corollary of prediction 1, the control of identities and authentication will decentralise from individual credential stores (user databases) to APIs and/or blockchain-esque distributed ledgers that create authentication and identity mechanisms on-the-fly. The level of information provided will be agreed and controlled by the consumer prior to any transaction taking place, and must be mutually assured; i.e. the receiver of the authentication must themselves authenticate, unlike in almost all e-commerce today.

Prediction 3: HOW you pay will become increasingly irrelevant

You have a value in the bank you want to spend; you should not have to care HOW you get to that value as long as you are getting the best deal to do so. Third Party ‘Money Management’ Services, APIs, and even regulations like the Payment Services Directive 2 (PSD2) here in the EU are forcing traditional financial institutions to open their books. You’ll open ONE application, regardless of which retail store you’re in, comparison shop against price and ratings, and your app will choose not only the best price and rewards, but the best WAY to pay, all behind the scenes. Credit / debit / direct debit will mean little to you, nor should it; the only thing that matters is that we will eventually stop paying the price of plastic.

Prediction 4: Value-Add Services and Customer Service will be the only differentiators

With the enormous competition available to the global economy, price and quality will have little impact on the purchase decisions you make; they will be much the same. Brand loyalty (if it even exists in the future) will instead be driven by the services provided around the products you want: from instant coupons, to ratings and reviews, to reward and loyalty choices, to availability and payment terms, these will be made available instantly in a multi-function app (much like, or even the same as, prediction 3) for consumers to make an educated choice of vendor. But the Customer Service provided throughout the entire consumer journey will be the ultimate differentiator, and any vendor not treating their customers like royalty will be out of the game, regardless of everything they may do well.

Incidentally, this is also why mobile payments have yet to reach anything like their true potential: they are no better than the plastic they will replace.

Prediction 5: Loyalty Programs will begin to centralise

I think we can all agree that there are simply too many loyalty and reward programs out there. Every coffee shop, retailer, airline and hotel has its own points scheme, few of which are interchangeable. How many points would you say you have floating around out there that you will likely never use? It just makes sense that the single app provider (per predictions 3 and 4) will begin centralising and normalising any points scheme available. This will be very difficult, but it will be the differentiator in which app provider consumers choose.

While these may seem very narrow in focus, perhaps even of little relevance to the ‘masses’, the payments industry alone is a multi-TRILLION £/$/€ industry and the opportunities for innovation and/or investment are almost limitless. We already have the device upon which all of these future trends will rely; all we need now are the APIs and Third Party Providers to bring it all together.

Unfortunately we still equate our value with money, and have done for millennia. Money itself is irrelevant: you work in order to obtain the things you need to survive / be happy, so HOW that transaction is effected should be irrelevant. The above predictions should get us back on track.

Technology and even regulation are pushing simplification down to the consumer; this can only be a good thing.

Done correctly…

PSD2: The Race to the Consumer

The following things have been clear for a while:

  1. The three- and four-party models represented by the card schemes are in real danger of being disintermediated as mobile technology advances;
  2. The use of plastic will only begin to fade when consumers have a compelling reason to move; mobile payments alone are insufficient;
  3. Retailers are desperate to engage consumers much earlier in the buying process, as well as for a long time after it;
  4. Identity Management and Authentication will take their rightful place in payments and beyond; and
  5. The average consumer has no idea what they want.

What has NOT been clear [to me anyway] is what the impetus for things to actually change would be, and I never thought it would be a regulation.

But that is exactly what is happening here in the EU. Even a cursory examination of the Payment Services Directive 2 (PSD2) makes it clear that the established order is changing. It has already been adopted by the European Parliament, and adoption by the EU Council of Ministers is only a pending formality. Once published, each of the EU countries has just 2 years to write the Directive into their laws.

If you had to distill PSD2 into its major players, they would be:

  1. Account Servicing Payment Service Providers (ASPSPs) – Usually the banks; these guys will need to open up account data once they have received permission to do so from the consumer.
  2. Account Information Service Providers (AISPs) – Aggregators of data received from ASPSPs.
  3. Payment Initiation Service Providers (PISPs) – Can initiate a payment, but can only receive a ‘Yes’ or ‘No’ in terms of funds availability.

It’s the AISPs that are truly the new guys on the block. Imagine it: a non-bank Third Party Provider (TPP) can, once properly vetted / ‘licensed’, request all the information from all of your banks / financial institutions and display it to you in a single location! The possibilities for money management alone are enormous, but it’s retail that will be the big winner. Well, some retailers.

The reason that retail and TPPs alike should be dribbling at the thought of this is that these centralised ‘Money Managers’ (MMs) are the perfect location to begin the buying process.

You want to buy a TV, so you open your MM app which has already gone through the effort to combine feeds from all of the following:

  1. Retailers – If retailers do not provide feeds of stock, deals, locations, terms and so on, they will not be presented to the consumer as an option.
  2. Ratings & Reviews – Few people realise what goes into those 5 stars you see on Amazon and the like, but you’d be surprised how much influence they have.
  3. Your Finances – No point looking if you can’t afford it.

Then, once you have gone through a nice friendly wizard to narrow down what you are looking for, your MM goes out and looks for the best deal, AND offers you the best payment terms from all of your lenders. And the WAY you pay? What do you care? The MM has already determined the best way and taken care of the detail.

This may not sound all that radical, but there are two incredibly important facts here: 1) the holder of your money has become far less relevant, so even the banks themselves are losing the Race to the Consumer, and 2) consumers will stop caring HOW they pay in terms of channel, making every other intermediary in the current payment ecosystem irrelevant.

This is what your money is: a stored value. Why SHOULD you care if it’s direct debit, standing order, or branded card, as long as it’s the best deal for you? It all comes back to you anyway.