Search This Blog

Saturday, 18 February 2012

An Integrated EU Market For Payments?

A Dog's Breakfast
We have until 11 April to weigh in on the European Commission's dream for "an integrated European market for card, internet and mobile payments."

Tedious as the EC's role and processes are, we mustn't forego these opportunities to feed into the EU's 'social dialogue'. If we don't participate we'll get legislation that's more reflective of canine culinary expertise rather than how various markets actually work (like the Payment Services Directive).

Some key issues in the current green paper are:
  • whether it's overkill to make a retailer show on your receipt how much it costs to use your chosen payment method;
  • whether non-financial service providers should be able to directly access clearing and settlement systems;
  • whether you should be allowed to permit any service provider you like to show you your bank balance, rather than only your bank; and
  • whether competition is being inhibited by the process of 'standardisation' and demands for "full interoperability".
My own personal view is that the short answer to all of the above is, "Yes."

The challenge to regulating payments is that service providers and regulators alike tend to view "paying" and "banking" as consumer activities in their own right. Whereas consumers don't actually "pay" - and retailers don't even "accept payment" - as distinct activities. The man from Visa who thinks the brand on my payment card is the most important brand in the context of me buying a gift for a friend on my way to a party is institutionally deluded. Actually paying for the gift is a barely considered sub-process in the course of getting to the party, and I might pay in cash.

Not only must we remember that payment occurs in the context of wider consumer activities, but we must also acknowledge that payment details are a subset of all the personal and transaction data used in retail services that are subject to broader market forces and other regulation. In particular, the impact of the EC's proposal for more comprehensive regulation of personal data processing cannot be underestimated. There seems little point in dealing with access to bank balance information in the context of payments regulation when the wider data protection regime would enable the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

But let's glance away from the data protection elephant for a moment.

On the question of interchange, it's clear from Annex 2 of the green paper that the EC doesn't understand the lack of a direct contractual/settlement relationship between issuers and acquirers in four-party card schemes like Visa/MasterCard, even where a banking group has both an issuing business and an acquring business. Each acquirer and issuer contracts directly with the card scheme, and the card scheme settles independently with each of them. Besides, the issuing arm's cardholders won't always be making payments to the aquiring arm's merchant customers. Not only does this add an important nuance to the interchange debate, but it also has far wider implications for payment services regulation than there's time to cover here.

As consumers, of course we want retailers to keep a lid on their interchange costs (like any other overhead). That would enable them to improve their services, increase product selection or maybe reduce their prices. But unless the retailer has its own specific surcharge, I don't need the receipt to tell me the cost of using my chosen payment method, any more than I'd need to know what it cost to get the item from the warehouse to the shop. The underlying cost might be fascinating to EC officials and payments geeks, but the all-in price of the item should be enough for me to compare the efficiency of retailers' operational processes. Whether those retailers are competing properly in their own markets is a separate issue to the cost of payments in any event.  

I can also see that the cost of payments might be reduced by enabling sophisticated businesses to directly accessing clearing and settlements systems, rather than relying on financial institutions whose systems are geared to servicing the broader market. And such businesses shouldn't need to become regulated financial institutions or to join cosy industry bodies for that privilege. However, I should point out that developing an internal acquiring and settlement capability is very likely to prove an unwelcome distraction for non-financial corporate groups.

Similarly, as a consumer, I should be able to appoint a single service provider to enable access to my various bank, card and other payment accounts, without being in breach of the obligation to keep my account access details confidential. It's not beyond the wit of man to work out which provider is liable for any security breaches that might occur in that data sharing process.

Finally, we need to be really careful about requiring "standardisation" and "full interoperability" rather than merely enabling the market to develop this naturally, free of anti-competitive activity. Entrepreneurs don't have the time or resources to sit around in policy and standards meetings. Nor do they wish to telegraph to incumbents their disruptive plans. Yet there is also little meaningful distinction between "technologicial interoperability" and "commercial interoperability" in a digital world where business models are automated or 'hard coded'. I'm struggling to understand the EC's intention here. On the one hand the EC wants to see competition (which generally means less consolidation and more fragmentation - plenty of new players and competing, disruptive solutions), and on the other hand it wants to "avoid fragmentation of the market". So these aims seem incompatible. 

Interoperability and standards may be important to enable efficient, straight-through processing between participants at either end of an overall business process or system. But the more tightly that process is bound together - or the narrower the group of entities involved in the development of standards/interoperation - the harder it is for new entrants to compete by disintermediating or improving any one element of that process. This is a key reason we have been trying to avoid any preoccupation with mandating standards in relation to data release formats in the context of the 'midata' initiative, for example (formerly 'mydata'). This avoids creating an extra hurdle to the release of the data, while opening up a market for the supply of data transformation applications that collect such data in multiple formats and display or transfer it in another format. 

Paradoxically, the EC's own concerns on this front are reflected in the green paper questions as to whether card scheme management should be separated from control over card payment processing (Q's 9 and 10), as well as the competition challenge to standards-setting by the European Payments Council:
"JoaquĆ­n Almunia Commission, Vice President in charge of Competition Policy, said: "Use of the internet is increasing rapidly making the need for secure and efficient online payment solutions in the whole Single Euro Payments Area all the more pressing. I therefore welcome the work of the European Payments Council to develop standards in this area. In principle, standards promote inter-operability and competition, but we need to ensure that the standardisation process does not unnecessarily restrict opportunities for non-participants."
I rest my case.

Thursday, 2 February 2012

Travelling With The ID Pioneers

Seeking a New State of Identity
If the penultimate CSFI roundtable on Identity in Financial Services was anything to go by, the final one should be a proper knock-down, drag-out affair worthy of past pioneering epics ;-) In fact, the Innholders should replace it's sign for the day, to read:

The issue that sparked the most heat (again) was whether banks might somehow be suited to be the guardians of the so-called 'hard' element our identities - the proof currently required to move our money, access our government records and so on - rather than 'soft' credentials necessary to access, say, your social media accounts. 

Spotted the flaws already? 

We shouldn't bother picking on the banks anymore (though it is fun). I mean, I seriously doubt they want to be cast in this role at all. And as Richard Martin pointed out, the banks are each wedded to different identity solutions, chosen for fairly mundane IT procurement reasons rather than any attempt to use ID services as a source of competitive advantage (banks compete?!) in offering secure access to your money their services. At any rate, to the extent that any banks are availing themselves of the latest e-ID tools to more efficiently KYC their customers, they are merely using the credit reference agency databases. So if one were to look only at the development of 'hard' identity services, one should cut through the banking platforms to the credit reference agency roadmaps and how they plan to enable access to those services in ways that are much more useful and empowering for consumers.

And while the Money Laundering Regulations do erect a reasonably heavy barricade to the usability of financial services, it's unduly trusting to pretend they amount to best practice in establishing a person's identity. Real danger lurks in this idea that social media identity is somehow 'soft'. The premise for this seemed to be that Facebook, Google, Amazon, eBay and so on don't offer any services that attract the need for 'bank-standard' ID checks and personal data protection, and couldn't operate to such high standards. Yet, many of them already operate financial institutions. And I suggest that there is more real value to the use of your identity to personalise products and pricing than in simply accessing your bank records. Even the Eurocrats are onto this. It's ironic that the person who was most pressing in his demand to know 'who owns my identity data' in a social network setting also admitted to entering a joke date of birth in a leading social media service. I guess he'd also be the first to complain if that service provider and those in its network were to hold the 'lie' against him...

But, of course, identity verification is developing in ways that mean your joke date of birth in one or more databases - and even your passport, driving licence and energy bill - won't necessarily matter amidst a far wider set of identity factors. As I've explained after the previous roundtable on this topic, what makes us unique is our collection of behaviours and the data they generate. So I'll end this post in a similar way to the last.

There are two key identity problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities.  And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by a user's own activity,  which is then immediately useless and can be safely discarded.