European Payments: Breathing a Sigh of Relief (For Now)

In our recently published report on Top Trends in Retail Payments we quoted a European payments professional:

“If the publication of PSD2 gave the industry a headache, then the publication of draft RTS gave it a heart attack.”

Of course, he was talking about the draft regulatory technical standards (RTS) that the European Banking Authority (EBA) has been tasked to develop for how the industry should implement the Payment Services Directive's (PSD2) requirements for strong customer authentication and secure communication. The draft RTS published in a consultation paper last August was indeed rather draconian. One of the key proposals was “not to propose exemptions based on a transaction risk analysis performed by the PSP” and to keep “the authentication procedure […] fully in the sphere of competence of the ASPSP [Account Servicing Payment Service Providers, i.e. banks].” The draft RTS has united the industry to an extent rarely seen before – representatives from payments, cards, e-commerce, small merchants, digital technology, telecoms, travel and industries have expressed concerns that the EBA’s standards implemented in their current form would “make online shopping much more onerous than it is today and have a wider and chilling effect on the Digital Single Market.”

Thankfully, it appears that the EBA has been listening. The final standards have not yet been published, but yesterday Andrea Enria, Chairperson of the EBA, gave a speech at the Westminster Forum and gave the clearest indication yet that the EBA is open to changing the RTS. Specifically, according to the speech, the RTS when published will:

  • Introduce two new exemptions, one based on "transaction risk analysis" and the other for payments at so-called "unattended terminals" for transport or parking fares. The transaction risk analysis exemption will be linked to maintaining predefined fraud levels and will be reviewed after 18 months.
  • Contain some changes to the existing exemptions, such as increasing from EUR 10 to EUR 30 the threshold for remote payment transactions. However, there will be no further exemptions for e.g. corporate payments.
  • Outlaw the current practice of third party access without identification (e.g. ‘screen scraping’) once the transition period under the PSD2 has elapsed and the RTS applies.
  • Maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. A requirement has been added requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability.
  • Remove references to ISO 27001 and other specific, technological characteristics, to ensure technology-neutrality and allow for future innovations.

It will be important to review the details when the final RTS is published, and of course, much work will still have to be done by the industry to ensure compliance. Yet, it seems that the payments professionals in Europe may breathe a sigh of relief – the heart attack may have just been averted, at least for now.

“Transforming the Landscape” – My learnings from SIBOS 2016

The fall conference season is a busy time for us in the industry research business. I’ve finally recovered from a hectic week in Geneva, where I met with over 40 banks, technology companies, and consulting firms to discuss what’s happening in global transaction banking. This year’s Sibos theme was “Transforming the Landscape”, organized around four themes: Banking, Compliance, Culture, and Securities. A selection of Sibos session recordings is available on the Sibos website.

With my research focus of Corporate Banking, my discussions focused on three key topics.

  • SWIFT’s global payments innovation (gpi) initiative: SWIFT announced that it had successfully completed the first phase of the gpi pilot, surprising some bankers with SWIFT’s ability to meet the first milestone so quickly. The initial objective of gpi is to improve the speed of cross-border payments (starting with same-day) and improve transparency with new end-to-end payment tracking. SWIFT staffers roamed the exhibition hall with iPads demonstrating the gpi’s new payment tracker. It remains for banks to integrate the new payment type into their corporate digital channels and to determine product pricing.
  • PSD2 and UK Open Banking: Technology providers, especially those that offer core banking systems along with payments technology, are working closely with regulators and industry groups to enhance their product offerings to accommodate the third-party account information access and payment initiation provisions of PSD2, along with the UK’s Open Banking API Framework. Looking beyond mere compliance, both providers and banks are developing value-added services to capitalize on the significant disruption arising from opening traditional banking capabilities to third parties.
  • Blockchain in Corporate Banking: After publishing a Celent report on use cases for blockchain in corporate banking earlier this year, I was heartened to hear “real world” blockchain announcements from the big tech companies, touting their banking collaborations. Swiss bank UBS is working with IBM on a project to replicate the entire lifecycle of an international trade transaction. The FX settlement service, CLS, is building a payments netting service that will enable cash trades on IBM’s Fabric blockchain. Bank of America and Microsoft announced their intent to build and test blockchain applications for trade finance. Although much progress is being made by blockchain consortia, banks, and technology providers, most people I talked to believe that significant adoption of blockchain for corporate banking use cases is still a few years in the future.

I’m off next week to attend the Annual Association for Financial Professionals (AFP) conference, hoping to bring back developments in the world of corporate treasury and treasury management.

Key Takeaways from Sibos 2016

Having just returned from the whirlwind that is Sibos, I (along with many other industry observers) feel compelled to contribute my two cents on the top takeaways from the event, along with one observation on the mood. Nothing about Sibos can be exhaustive, but three key areas stood out: Cyber, PSD2, and Open Banking / APIs.

Cyber was the first topic mentioned in the opening plenary address. Its seriousness brought into stark relief by the $81mm Bangladeshi incident (something my cab driver in Boston asked about on the way to the airport!), Cyber was a focus throughout the conference. While it has long been an important issue, it has catapulted to the top of the agenda of every member of SWIFT’s ecosystem given the recognition that the system is only as secure as its weakest node.

PSD 2 is often thought of in a retail banking context, but its implications will carry over to the corporate side as well. There are two critical points: 1) Banks must make their customers’ data accessible to any qualified third party, and 2) Third parties can initiate payments. These changes will have profound second-, third-, and even fourth-order effects that can scarcely be imagined today. Banks are thinking through what they need to do to comply, as well as what their strategies should be once they’ve implemented the necessary (and not inconsequential) technology changes. For a primer on the current state of PSD2, see Gareth Lodge’s recent report on the subject.

Open Banking is enabled by APIs. While PSD2 is certainly accelerating the concept, it would have been gaining momentum even without the external pressure. There are simply too many activities that can be done better by third parties than by banks, and the banks have realized that they need frictionless ways to tap into these providers. APIs are a critical mechanism to enable this interaction. Technology, of course, is a necessary but not sufficient condition for success; banks must be culturally able to integrate with new partners quickly and flexibly.

On a final note, the mood was pragmatic. The atmosphere wasn’t one of consternation, panic, or confusion. Instead, the buzz was focused, purposeful, and businesslike. Bankers and their service providers are ready to roll up their sleeves and get the job done instead of wringing their hands about all of the possible ill-fated futures that could arise. We at Celent look forward to the progress to come in 2017. What are your thoughts?

Brexit. Eventually. Possibly.

What did Britain say to its trade partners?

See EU later.

It’s been a funny week or two to say the least, so it seemed apposite to start with a joke (and we’re not talking about the England vs Iceland result! – the Icelandic commentator is worth a 30sec listen.)

The UK woke up to find that it was leaving Europe. Given the legendary British reserve, stiff upper lip, etc., it is quite incredible just how divided the country has become, and how everyone has an opinion. As a result, there has been a lot said before, during and after the campaign that needs to be sifted very carefully. This is a genuine attempt at a factual look at quite what this means as many of the facts are very definitely not facts.

What's actually going to happen? Frankly, the short answer is nobody actually knows. No country has ever left before. Greenland did but is both smaller and was leaving for other reasons. Nor did they invoke Article 50 (more of which in a second) which has never been used. Whilst there are some legal guidelines and processes, given that the European Union is an economic union governed by politicians, it’s fair to say that the process will be very political in nature. Particularly as Article 50 is not very precise.

The first step is for the UK to activate Article 50, which effectively formally starts the process. The UK has two years from informing the European Parliament that it intends to leave and actually signing Article 50. Given other European elections, and despite some public calls from Europe to get on with it, some believe that it is likely to be later rather than sooner.

Until Article 50 is signed, the UK is still in Europe, and everything continues as it does today. What is less clear is when Article 50 is signed, what happens next, and how long the process will take. UK Government analyst suggests 5 years, yet others say at least a decade.

Nor is it yet clear what the UK will choose to negotiate on. For example, it may choose voluntarily to adopt regulation such as PSD2. We (or, to be clear, Gareth) believe that the UK will push ahead with the PSD2, as many of the rules are either in place in the UK already, or reflect the way the Government is thinking, e.g. the Open Data Initiative arguably is far wider reaching than the Access to Accounts element of the PSD2.

It’s not clear quite what is or isn’t the European Union necessarily. For example, passporting, the rule that allows financial services firms to be licenced in one country and operate in another, is actually (according to the Bank of England website at least – other reputable sites even disagree on this!) a European Economic Area (EEA) initiative, and even countries outside of the EEA, such as Switzerland, have negotiated deals. This is particularly key for card acquirers, many of whom use their UK licence to negate the need for local ones across Europe.

So, as the saying goes, the devil will be in the detail. And that’s going to take time to unravel, and to negotiate even on the things that need negotiating.

Over the coming months, banks will need to scenario plan on multiple dimensions. They will need to identify key regulations that impact their business, how that might be regulated, and how long it would take the bank to respond. Yet many, if not most banks, will have done some of this risk profiling before the vote took place.

Until there is clarity, the reality is that it’s the political fall-out that is going to have the most impact in the short-term, itself creating a degree of additional economic turmoil.

You can lead a horse to water…

A story on Finextra this week caught my eye. It’s a survey carried out by YouGov on behalf of ACI Worldwide, with these headline stats. Of 2000 UK adults, the survey found that:
  • 88% have no intention of switching bank accounts within the next 12 months.
  • 82% never use mobile payment services such as PayM or PingIT during an average month.
  • 59% never use mobile banking within this same time frame.
It struck me that you can lead a horse to water, but you can’t necessarily make it drink. Or rather, becoming digital doesn’t mean your clients will be.

The first bullet has been extensively discussed in previous blogs. Consumers perceive no value in swapping, with a view that banks pretty much offer the same thing.

The second bullet, for me, is actually surprisingly high. PingIT is not yet 4 years old and PayM not even 3 years old, making an 18% “market share” pretty impressive. It’s also for one-off payments primarily, usually P2P, and given how (relatively) few transactions of those take place each month, it’s even more impressive.

The last bullet to me is the most interesting, and perhaps is a reflection of the UK market as much as anything. Given my job, I suspect it’ll come as a surprise to some that I am in that 59% – I don’t use mobile banking, and nor do I necessarily have plans to. There are a few reasons.

In the UK, Direct Debit rules. 71% of household bills are paid by Direct Debit, with an average household having 7 direct debits. Therefore, the same transactions happen the same way every month at the same time. This means I have to only actively make a few payments a month, which typically fall at the same time every month. The rest of my spending is primarily on my credit card – which isn’t issued by my bank.

Another theme from previous blogs is that consumers typically hold their financial products across a range of banks – as a result, the mobile banking app will never tell me my financial position. I rarely even use my card provider’s app either – with the alerts I’ve set up, I get a text when I near the limits I set. As a result, there is little need then to check my spending on the app.

But perhaps the most simple reason is that the UK has had mobile banking for over a decade. And whilst it is good to be cutting edge, equally consumers will give up quickly on something if it doesn’t work or offer value from day 1. And if you’d tried using WAP banking back in the day, or the app of even a few years ago, you too would be thinking there is little point.

The light at the end of the tunnel hopefully is PSD2 and the XS2A (access to account) proposal. Perhaps finally a good software designer will think through the customer experience differently, will have access to all my accounts and be able to deliver something that is truly revolutionary. It will be fascinating to track what impact the PSD2 has.

New banks, new names

Dave Birch over at Consult Hyperion wrote a very interesting article today around the need to better name the stream of new non-traditional banking entrants. Have a read here.

This is something we’ve talked about with clients in a similar way, but in the context of traditional banks. When you run a brainstorming session, particularly for innovation, it’s often useful to “blow up” the problem. That is, magnify the problem to its maximum so you look at truly radical solutions rather than incremental ones. One such example was a scenario where traditional banking ended up with two types of banks – 1) IT banks, providing products and services to others. Citi with its co-opetition model might be an example of this. I labelled these manufacturers. 2) The other extreme was banks focusing on the customer, and focusing on providing the best products and services, an agora of things built by the manufacturers. I called this ISO banking.

Dave used iso to define one of his groups but in a very different way. He used iso from the Greek to mean equal. I wasn’t quite so clever – I used ISO as in the US group of card solution providers known as Independent Sales Organisations.

Which leads to a broader thought. The PSD2 introduces the concept of XS2A – essentially any third party can access account level information of any financial institution in Europe and be able to initiate a payment from that account. That muddies the distinctions above even further. For example, Dave’s descriptions imply (I think!) two components – a front end (a mobile app) and a back end (a funding account). In the neo- and iso- flavours, it’s the back-end that distinguishes the two, with neo a traditional platform, and iso with a far simpler account platform (a pre-paid card). In PSD2, there are numerous variations. Three examples off the top of my head that illustrate what I mean:
  • No-back-end. PSD2 could create a third category where the “bank” provides the front end, but no back-end at all as it uses the platforms of one or more other FIs.
  • Every end. This is in some ways an extension of the above, but with a slightly different spin. Bullet 1 reflects that consumers often have products spread across multiple institutions. At its simplest, XS2A allows true PFM for the first time in some countries. But this second point reflects that the lines are blurred already, particularly for a consumer. I suspect many would want to include all their money holding accounts – say your PayPal account. Most consumers would think of that as a non-FI, but, as they have a banking licence I assume they would be included as well under PSD2 (thoughts please!). But what about the true non-FIs?
  • Front/back weighting. With XS2A, how many will provide slick but simple skins, and how many will provide a functionally rich front-end (and perhaps back-end too) that will far enhance the standard offerings? You can imagine this particularly in the wealth management space. These feel very different beasts, and need distinguishing.
The upshot is that Dave has hit the nail on the head in that we need more/better/different nomenclature. However I wonder if in Europe in particular we probably need a much more fundamental rethink. As the regulator explicitly seeks to disaggregate the payments value chain, this, coupled with technology advances, has much broader implications, and makes traditional labels misleading at best. I’ve only just started really thinking about this – but the more I do, the more I realise the more I need to do.