Episode 50 – Internet identity, privacy, and a blockchain – SecureKey

The term identity gets used a lot whenever internet payments and security are discussed. Knowing who we transact with is still the knotty problem. Strong authentication is required. Identity verification is required, too. A means of sharing the fruits of that work among the parties involved, especially those taking on risk, could save everyone a lot of cost and effort. That’s the notion behind federated identity and other means of securely sharing identity attributes without undermining privacy.

That tall order is the subject of this podcast with Andre Boysen, Chief Identity Officer of SecureKey. Join George and Andre as they talk about trust on the internet, SecureKey’s approach, and the company’s use of blockchain technology via a partnership with IBM.


I had the good fortune last week to be part of the Glenbrook team attending the FinTechStage Inclusion Forum in Jakarta. Happily, among the attendees were two women I have known for several years: Maha Bahou of the Central Bank of Jordan and Carolina Trivelli of Pagos Digitales Peruanos.

Peru and Jordan are two of several countries around the world that are aggressively moving to establish market-wide digital payments platforms designed to increase financial inclusion.

We were in Jakarta in connection with Glenbrook’s work with the Bill & Melinda Gates Foundation’s Financial Services for the Poor group – and in particular the foundation’s Level One Project, a vision and a blueprint for how such national systems might best work.  I’m pleased to report that both the Jordan and the Peru platforms embody many of the key design principles of Level One.

That’s good news.  But what I want to emphasize is how strong leadership shaped the development of these systems.  Maha and Carolina, each in her own way, were highly effective generals of their armies.  They drove their projects ahead, dealing with untold complexities, multiple constituents, conflicting priorities, and ambiguous business models.  And they succeeded.  I think it is safe to say that neither “JoMoPay” in Jordan nor “BIM” in Peru would be where they are today without the leadership of these women.

Maha Bahou and JoMoPay

In Jordan, Maha was a career central bank officer running the payments division when, in 2013, she became increasingly aware of financial exclusion and its consequences for the lives of poor people in Jordan. This concern dramatically escalated as Jordan began to experience a flood of refugees, many from Syria.  Maha brought her concerns, and her initial thoughts on a digital payments platform accessible to all, to the management of the central bank and then later to the “national payments council”, a group including the major commercial banks in Jordan.

I wish I could have been there to hear those early discussions.  I’ve heard Maha speak many times since then, and have been impressed by the breadth of her vision, her ability to intelligently marshal arguments in support of her points, and the passion of her delivery.  I’m not surprised to hear that the bank and council approved – relatively quickly – her plans to develop and operate JoMoPay in the safe environment of the central bank.

Maha put together a working group of interested banks and other participants, and consulted with them throughout the project.  But there is no question that the central bank was in charge; the solution was not built by consensus.  This approach had the advantage, of course, of enabling faster action, but it had the risk of alienating players (particularly the banks) whose long-term participation would be necessary for the success of the project.  Maha successfully “threaded the needle” through an ongoing, and no doubt exhausting, process of consultation and convincing.

What did they build?  A real-time, credit-push switch that connects all institutions holding transaction accounts for customers.  This includes both banks and licensed non-banks. There is no notion in Jordan that the non-banks issue “eMoney” (as opposed to “real money”). As a result transfers can freely flow between and among all institutions.

Maha started in 2013, with 40 institutions participating in the working group.  The first pilot went live in April 2014 with two institutions connected.  The full launch began in October 2016 with six institutions; more are coming on board steadily.  The switch is also connected to other payments services providers, to the national ATM switch, and to various processors.

JoMoPay has several features that merit notice.  One is a focus on fraud management capabilities at the “hub”.  This reduces the need for duplicated investment at the “edge” (by banks and other providers). The banks retain the compliance obligation but can use a utility for many fraud detection tasks. Interestingly, one enabling component here is a requirement that “on us” transactions be routed through the switch.  The second feature is a system wide brand – “JoMoPay” – so that payers and payees have a common vocabulary, regardless of their financial institution.

JoMoPay went live with multiple use cases supported – not only P2P (the typical starting point for such systems) but also merchant payments, bill payments (including all government fees and tax payments, school payments, and medical payments), business-to-business payments, and eCommerce payments.  I’m particularly interested in this, as around the world there is a demonstrable problem with dormant or infrequently used mobile wallets: people receive a G2P payment or a personal transfer, and then immediately “cash out” as they can’t spend the money anywhere.  JoMoPay tackles that problem at the outset.

When Maha talks about the challenges of getting JoMoPay launched, the primary issues were interoperability (at all levels) and the interconnected topics of issuer economics and agent sharing.  This is, arguably, the toughest problem in getting payments systems for financial inclusion going: you need institutions to invest and to commit to participate, but you need low prices (and the easy access to agents) to serve the poor.  Maha convinced participating institutions of the merits of low fees to achieve financial inclusion. She matched that with a subsidization of the switch fees for the early years of the initiative.

Volume is low in these early months, but there are encouraging signs of growth.  Significantly, Maha just led the effort to transfer control of the system from the Central Bank to Jo-PACC (Jordan Payments & Clearing Company), to ensure that ongoing stewardship of the system is in the hands of the participating banks and later, the non-bank providers as well.

I’ll be interested to watch the evolution of the system. I’m convinced it wouldn’t have happened as it did, or as quickly as it did, without Maha and the support of the Central Bank Governor and Deputy Governor who provided political capital to make this happen.  I’m not alone in that view. In 2016, King Abdullah of Jordan gave Maha an Award for Excellence in leadership.

Carolina Trivelli and Peru’s BIM

Peru had a different starting point.  The government took strong and early steps, not only in financial inclusion, but on broadly defined social inclusion – establishing a cabinet-level department, the Ministry of Development and Social Inclusion, in 2011. Carolina Trivelli, an economist and researcher, was instrumental in the creation of the Ministry and its strategy (“Incluir para Crecer” – “Include to Grow”) and became the first Minister. She was active and visible on many fronts during her three years at the Ministry. When I visited her in Lima in 2014, I witnessed two separate occasions when a stranger approached her on the street to thank her for her service to the country!

In 2013, the government issued a new law defining eMoney issuance, allowing both banks and licensed non-banks as issuers, and calling for interoperability among participating institutions.  Policy makers left it to the financial community to figure out how to do this. The banks decided on a new entity, which ultimately became Pagos Digitales Peruanos (PDP).  Carolina was tapped to run this in 2014, a complete “newbie” in payments, but someone with a passion for the cause of financial inclusion.

Carolina had the opposite situation to the one that Maha had faced in Jordan.  Instead of a central bank designing the system, she needed to build a system from the ground up – by consensus from the participating institutions – 35 at last count.  As one can imagine, there were endless issues to think through – from the technical architecture, to ownership and governance structures, to use case support, economics, and brand.   I spoke from time to time with Carolina during this “build” phase – and it was clear that it was at times difficult (to put it mildly).  But her perseverance (and that of the bankers working with her) and her persuasive capabilities paid off.  BIM piloted in August 2015 and launched in February 2016, with initially 9 institutions connected and 28 connected now.

One of the unusual choices made by the Peruvian group was the handling of customer accounts.  As the law required banks to have separate eMoney accounts for customers (a banked customer can transfer money from their “real” bank account into their “eMoney” account), all institutions needed to find a way to support wallets, as well as interoperability.  An RFP process resulted in one vendor (Ericsson) being chosen to provide wallet services for issuers as well as the “switch”.  This meant that from a technical point of view, transfers among wallets are similar to “on-us” transactions: a simplifying solution for the beginning of the service.  It also enabled a common experience for consumers across providers – the user interface/USSD screens are common for all BIM wallets.  (The agreement with Ericsson does specify that an issuer may opt to use another wallet, and still interconnect on the platform).

What were the toughest parts in bringing the service to market?  Carolina mentioned several: persuading financial institutions to use a common brand (“BIM”), getting agreement on a common fee structure (low!) to consumers until the service reaches break-even, convincing the telecom regulator to allow the MNO’s to negotiate with PDP as a single institution rather than individually with each financial institution (for USSD access fees), and, not the least, the issues of how to write operating rules cooperatively with that many institutions participating.

BIM’s biggest ongoing challenge has been agent interoperability, the economics surrounding that, and the management of “cash-in” and “cash-out” functions.  Although Carolina has left the active management of PDP (she remains the chair of the board), she continues to work on this issue, among others.  The latest initiative is the establishment of what she refers to as “BIMers” (“beemers”); individuals who work sort of like mobile ATM’s, in partnership with a fixed-location agent.  Think of it as the “Uber of cash-in/cash-out”.

Looking Ahead

Both JoMoPay and BIM are in their infancy, facing the challenge of getting consumers signed up and then ensuring that consumers use their wallets.  The latter, as both Maha and Carolina well understand, requires enabling merchant acceptance – making money “spendable”.  In both countries, there are multiple efforts underway to achieve this.

Only time, of course, will tell the story of the eventual success (or not) of these services.  But I’m clear that the very fast track of these programs – from concept to reality – can be attributed to the characters, capabilities and convictions of their leaders. I understand there is a “great man” theory in history – that certain highly influential individuals, due to either their personal charisma, intelligence, wisdom, or political skill, have been able to make a decisive impact on history.  Here we have two “great women” who have clearly made a difference in their countries.


Demonetization Roulette: India’s unusual approach to creating a cashless economy

On November 8, 2016, India cancelled 86% of its currency in circulation with a four-hour notice and the move pushed India into a severe currency shortage. In a country where 98% of all consumer payments are in cash, this prolonged currency shortage carries risks: economic destabilization in the short term and irrevocable damages to the vibrant informal sector in the long run. Policy analysts describe the situation as the greatest gamble undertaken by modern India.

The initial motivation behind the move was to weed out fake currency in circulation and illicit funds, called black money in India, stored in the form of cash. But within weeks, the demonetization pitch changed from eradicating black money and fake currency to accelerating India’s journey towards a cashless economy. After all, if you don’t have access to cash, it’s likely that you will at least consider using an alternative.

In addition to enacting several policies to ease the currency shortage, the Government of India has implemented several measures to encourage consumers and merchants to adopt digital payment methods. These measures include:

Not the First

India is not the first country to demonetize its currency in order to combat the black economy and fake currency. However, using demonetization to create a cashless economy is unprecedented.

Of course, demonetization is not the only thing the Indian government is doing to encourage the digitization of payments. Starting in 2006, the government has taken several pioneering steps to encourage digital payments. These include:

  • Launching Jan Dhan Yojana, a national program to provide every household with basic banking services
  • Creating a new class of chartered banks, called “Payments Banks”, that can accept deposits but are restricted from offering loans
  • Designing Aadhaar, a biometric national identity system which has completed a massive task of enrolling 1.1 billion people, and enabling Aadhaar to be used by the payments industry in a variety of ways to make payments seamless, secure, inclusive and cost effective
  • Introducing the Unified Payments Interface (UPI), a set of API’s to the core payments platforms within the NPCI (National Payments Corporation of India). UPI is particularly aimed at accelerating retail electronic payments with advanced features including a single interface to access any bank, access to credit-push immediate payments, a merchant “request to pay” capability, and support for virtual payment addresses.

It is quite evident that the Indian government is investing heavily not only in building out a digital payment infrastructure but is also willing to push its citizens to use it – this is the unusual aspect.

It is interesting to note that historically, governments play a direct role in managing systemically important payment systems such as financial market infrastructure, RTGS’s (real-time gross settlement systems), and, in some countries, check clearing systems and/or ACH’s (automated clearing houses). However, governments tend to let the private sector tackle payments systems that are meant to support small value retail digital payments. International card networks such as VISA or Mastercard, online payment services such as PayPal or mobile payment services such as Apple Pay or M-Pesa are all examples of the private sector “leading the show”.

Governments Manage Cash, Why Not Payments?

The one exception to this?  Governments provide cash, one of the most popular payments systems used in retail transactions. They do this by paying for the creation and management of cash.  Although cash is introduced to the economy through private sector banks, once it is out in the economy it can circulate without banks. This is dramatically the case in countries, such as India, where there are many more unbanked than banked people.

So why do governments coldly hand over the responsibility to the private sector the moment these retail payments change in form from cash to eMoney? As Glenbrook’s Partner Carol Coye Benson observes: “Governments pay for cash, the payments system that people use. If we want to move people away from cash, why are we suddenly determined that this has to be done on a commercially viable basis?” Another problem with reliance on the private sector for digital payment solutions is that private firms may not feel the necessity to serve everyone, and as profit-maximizing entities they are bound to be selective in designing products for only profitable segments.

While unusual, India is not alone in its journey towards a cashless society. There is an emerging trend of governments becoming active sponsors of their countries’ retail payment infrastructure. Last year, Bank of Thailand launched PromptPay, a real-time instant payments service that allows fund transfer using a National ID number or mobile phone number without needing to provide a bank account number. Similarly, the Central Bank of Jordan launched JoMoPay, the country’s mobile payment platform to encourage interoperable mobile payments in the economy. Ecuador even launched the world’s first public digital cash system called efectivo.

Some may not feel comfortable with governments dominating the retail payments domain for fear of lack of innovation, destabilizing market forces or upsetting the balance of economic interest of all stakeholders. But consider that these concerns don’t bother us when governments are involved in the delivery of essential services such as health, education and clean drinking water. Perhaps, the time has come for us to deliberate whether the most basic financial and payment services that are not affordably available in the market today are indeed public goods? Should it be the government’s responsibility to deliver it in the free market without a profit motive?

The world is watching India and its dramatic attempts to tackle financial services problems through active government involvement.  Will the gamble pay off?  2017 will be a fascinating year for watching.


Episode 49 – How to Get, and Stay, Smart in Payments

Want to know what it takes to stay smart in payments? Take a listen to Russ Jones, the Partner in Charge of Glenbrook’s Payments Boot Camp program. Russ gives a look behind the scenes, talks over the boot camp’s evolution, and how it stays forward looking in what’s become a fast changing industry. Over 13,000 payments professionals have experienced the Payments Boot Camp Russ talks about in this Payments on Fire podcast.

 


Demystifying India’s Digital Payment Infrastructure

There is a growing curiosity about India’s payments systems. These systems, and their role in the “India stack”, have been the subject of many articles speculating about their importance in shaping India’s future.

Despite this attention, there is still considerable confusion about what these initiatives are, and how they interact with each other. This led me to write this piece, a simple explanation of the basic pieces of India’s digital payment infrastructure. A follow-on piece will analyze the Government of India’s unique approach in developing this payments infrastructure, focusing on the recent demonetization of major currency bills in the country.

India Stack [Source: ispirit]

Aadhaar – National Identity Platform

There are multiple key initiatives that combine to make India a leader in payments. First is Aadhaar, India’s 12-digit national identity number with biometric information. A lot of countries today have national IDs with biometric information but what makes Aadhaar unique is its federated architecture. The Aadhaar database can be queried by any entity that needs to verify an Aadhaar number and biometric information against the information available in the database through the Aadhaar Auth API. No personal or biometric information is shared with the parties; the query will only respond with a “Yes” if there’s a match between the information sent and the central Aadhaar database. This feature has enormous potential to drive “presence-less” and “paper-less” authentication of transactions in multiple industries, particularly in banking and payments, across public and private sectors.

Aadhaar is like a new fuel that is accelerating the usability and performance of India’s payment systems.

Building the Cashless Layer of India Stack

India has developed a set of highly advanced retail payment systems over the past decade, all under the auspices of the National Payments Corporation of India (NPCI), the umbrella organization promoted by the Reserve Bank of India and major banks. NPCI is responsible for building and managing these payment systems and is the most important player in the ecosystem.

Today, NPCI is managing four important payment schemes:

  1. National Financial Switch (NFS) – the largest network of ATMs in India, which also functions as the switch for many other payment schemes including IMPS.
  2. Immediate Payments Service (IMPS) – an interoperable push payment scheme that allows banks and wallet providers across India to transfer funds in real-time 24×7. An immediate funds transfer system, IMPS transactions can be carried out using ATM, mobile, and web interfaces. IMPS is an important payment system as it is used as a foundation for building several other payments services including Unified Payments Interface (UPI), and the recently launched interoperable Bharat QR Code.
  3. Unified Payments Interface (UPI) – an interoperable mobile push payment service that works real-time, 24×7 across banks in India. UPI is built on the IMPS platform, and comes with some really interesting features:
       • Payees can send ‘request to pay’ notifications to payers
       • Customers can link ‘virtual payment addresses’ (e.g. payshiv@abcbank) to their bank account so that they can get paid without having to disclose their account number.
     These features are expected to make digital payments seamless and increase small-value merchant transactions. UPI is made available via a set of APIs, which banks and Fintech companies can use to build mobile applications. NPCI also built its own UPI App called BHIM (Bharat Interface for Money) which participating banks can use. The standardized APIs allow customers to make UPI transactions from their bank account using any UPI-based app.  This is quite remarkable: you can use “Bank A’s” app to access your account at “Bank B”!
  4. Aadhaar based payment systems – the NPCI, working with the Unique Identification Authority of India (UIDAI), created the Aadhaar Payments Bridge (APB) to channel Government to Person (G2P) payments directly into beneficiaries’ bank accounts using the Aadhaar number as the payment address. APB uses National Automated Clearing House (NACH) to effect the fund transfer. There’s no need to know the beneficiaries’ account number. Additionally, the Aadhaar-enabled Payment System (AePS) allows customers to use their biometric information to authenticate and perform cash-in and cash-out transactions at any bank agent who has a biometrically-enabled POS device. These schemes require customers to link their bank account to their Aadhaar number. The “Bank’s Issuer Identification# to Aadhaar#” mapping information is held in a Mapper Unit managed by NPCI. The NPCI Mapper Unit is also the engine that allows customers to use their Aadhaar number as the payment address (instead of account numbers) while making IMPS or UPI transactions. Recently, Aadhaar Payment App was launched using AePS which allows consumers to pay merchants by entering their Aadhaar# and authenticating with their biometric information. Merchants have to download the App and connect their smart phone to a biometric reader.

The impact of these initiatives increases as the number of Indians with a mobile phone and bank account continues to grow swiftly, and the benefits will percolate to the “bottom of the pyramid”.

You’ll be surprised to know that a smart phone is not mandatory to enjoy many of the above-mentioned services. NPCI’s National Unified USSD Platform (NUUP) allows any feature phone user to dial *99# regardless of their mobile carrier or bank to make IMPS enabled transactions.

India’s Payment Systems and Services

 

These payment systems and services are not standalone setups but rather layers of infrastructure laid one over the other. NFS is used to provide IMPS. UPI is built over IMPS. When layered with Aadhaar (using the Mapper Unit), Aadhaar based payment systems are created. The use of layers in an infrastructure stack—as opposed to a value chain based approach—is what makes India’s payment ecosystem quite incredible!

There are other, less tangible but all-important ingredients that have contributed to the India stack’s success. The first is strong government commitment to the program.  The second is the trust that the government enjoys among its citizens. Indian citizens are quite willing to share their biometric information with the government, a situation hard to imagine in most developed countries. Last, the government has endorsed and evangelized this payments infrastructure and continues to play a very important role in fostering quick, widespread adoption and usage.

Do you have more questions about India’s systems? Let me know. I’ll follow up this post with one addressing the Indian government’s unique approach of supporting the country’s payment infrastructure.


MRC Las Vegas 2017:  It’s Not Just About Transaction Risk

This past week, over 1400 payments professionals convened in Las Vegas for the annual Merchant Risk Council (MRC) conference, an event that I’ve had the pleasure of attending for over a decade.  While merchant fraud detection and risk management continue to be the core theme of the conference, traditional payment service providers had a strong showing at the event, helping cultivate an environment including nearly every payments and fraud-related area that could ever interest a merchant.

Change is most definitely in the air as many new companies continue to enter the fraud prevention marketplace, existing providers expand their strategy, and traditional payment service providers work to offer more value beyond standard payment processing.   While there were tons of topics discussed throughout the week, we saw several prevailing themes:

Machine Learning Continues to be Red Hot

Back in November, my colleague, Russ Jones, wrote about Artificial Intelligence in Payments, stating that “it has never been a hotter topic than it is right now” and from the showing at this year’s MRC, it would be difficult to disagree. Whether you call it “machine learning”, call it “A.I.”, or go back to specific techniques that have been used for years, such as neural networks, machine learning was front and center at this year’s event.

The story, however, is one of old vs. new, as well as apples vs. oranges. Newer fraud prevention providers, including the likes of Signifyd, Forter, Riskified, Feedzai, Sift Science, NuData Security and Datavisor bring machine learning to the forefront of their solution. At the same time, established risk management platform players, such as ACI ReD, Kount and Cybersource tout machine learning capabilities that supplement their multi-dimensional systems.

One thing is for sure:  not all machine learning is the same.  For some providers, machine learning is part of their DNA, while others simply use it to augment the performance of other risk technologies. And, to be frank, many flog it because it’s a topical marketing buzzword, regardless of whether it’s integral to their solution or not.

This complex and fragmented market makes one other thing clear:  many merchants are confused about the different machine learning solutions that are out there.  Merchants will need to dig deep to understand the value that machine learning brings and how every provider’s implementation differs.

Guaranteed Providers Try to Find their Sweet Spot

In January, I wrote about the current wave of fraud prevention providers who offer a simple guarantee: they will take all risk and liability for chargebacks, fines and fees when they don’t identify a fraudulent transaction.  Forter, Signifyd, Clearsale, Riskified, Vesta, Radial and Appruvd are among the providers who offer this promise.  But as this market continues to mature, providers in this space have also realized that they need to tweak their strategy, value proposition, and pricing models.

I spoke with a number of providers who are supplementing their guaranteed service offering with non-guaranteed services, in order to appeal to a broader group of merchants.  Reaching merchants who may not be sold on the guaranteed value proposition could help expand these providers’ addressable markets, but also puts them squarely in competition with established non-guaranteed players in a market that is already flooded with fraud prevention solutions.

Several providers also spoke to me about implementing new pricing models, where their pricing would be structured such that it would never exceed a merchant’s current total cost of fraud operations, while still offering a fraud guarantee.  This type of pricing structure could be attractive to merchants who cannot take the hit on the 1%-plus fees that guaranteed providers often charge, but also challenges providers and merchants to determine accurate costs of fraud operations, which can be difficult to determine or agree upon.

Lastly, there was a clear sense among guaranteed providers that they are taking a “guaranteed works for everyone” approach – even very low risk merchants.  There is a case to be made that low-risk merchants can greatly benefit from guaranteed fraud solutions since they could quickly do away with significant operational costs or the management of multiple fraud technologies. Handing over all fraud operations to a vendor who offers a guarantee could potentially reduce overall costs while providing CFOs with an absolute, predictable cost of fraud management.

Payment Service Providers Fight to Get a Greater Share of the Market

One of the great things about MRC is that its scope isn’t just limited to fraud. Major players in the payment processing and acquiring space are typically well-represented.  This year was no different and payment service providers did their best to show a fraud-minded crowd that they were more than just about switching card transactions.

Cybersource, for example, strongly pushed its enterprise tokenization service, while firmly reminding merchants that sensitive data is stored in rock-solid Visa-run data centers.  Sister company Cardinal Commerce had a strong presence in what was essentially its coming out party since its acquisition by Visa, in an important year where we will most likely see the advent of 3DSecure 2.0 and stronger authentication requirements dictated by the European Union’s PSD2.

One of the most interesting announcements of the show was First Data’s acquisition of Acculynk, the online PIN and PINless debit processor.  While Acculynk has been around for quite some time now, its PIN-based online debit system hasn’t exactly hit mainstream.  Perhaps First Data feel that they have the sales power and greater platform to make it successful, but I’m sure that they also saw value in Acculynk’s debit gateway product, which can neatly bolt on to First Data’s existing set of platforms.

Fraud Just Doesn’t Occur at the Payment Transaction

For decades now, e-commerce fraud solutions have had an intense focus on payments transaction fraud.  However, merchants have seen massive growth in account-related fraud, including login fraud, account takeover, false account creation, account abuse, and collusion.  Many are thirsty for solutions that help them address these complex problems.  It’s easy to see how account fraud can lead to payments fraud, with illegitimate purchases coming from a legitimate account or by using a good account to make purchases with stolen card data.  Nothing good comes out of letting bad actors into a system.

At this year’s conference, there was a renewed focus on account-related fraud, both in topics presented by attendees and in solutions offered by service providers.   We saw Western Union speak about out-of-band authentication methods used to mitigate social engineering attacks, as well as trends related to account takeover fraud. TSYS and Featurespace also joined up to talk about the challenges associated with social engineering risk, while Ria Financial spoke about the importance of reducing risk during customer onboarding to mitigate transactional fraud.   Etsy spoke about machine learning-based approaches used to mitigate account abuse in its global marketplace.

On the provider front, Sift Science teamed up with Patreon to speak about account takeover fraud, conveniently on the heels of Sift introducing a new account takeover product to complement their existing suite of fraud and abuse tools.  And long-time purveyors of device identification technologies, iovation, heavily pitched identity management and device-based authentication solutions alongside their newly-acquired LaunchKey multifactor authentication product.

MRC Goes Global

If you missed MRC Las Vegas this year or want a more international taste of what’s going on in the world of risk and fraud, MRC hosts its annual European conference in London on April 24, followed by a European Platinum meeting in September.  Its US roadshow will pick up again with its fall Platinum Meeting in San Diego this October.

And if you need help understanding the ever-evolving fraud prevention market, Glenbrook has helped many merchants and service providers navigate this complex landscape. Please reach out to explore how we may be able to help you.

 


Episode 48 – APIs, ACH, and Faster Money – Dwolla

Sometimes a change in direction is the way forward. Network aspirant Dwolla has recently pivoted its work toward the product and development teams inside financial institutions. Instead of being a system operator, Dwolla now offers a broad set of APIs designed for those FIs to take advantage of the ACH’s overnight and Same Day ACH services. Dwolla’s shift also comes as the company and the US anticipate the impact of new immediate funds transfer systems Zelle, The Clearing House, and likely others.

Take a listen to this conversation with Jordan Lampe, Dwolla’s Director of Communications and Policy Affairs, and Glenbrook’s George Peabody as they discuss the Federal Reserve Faster Payments Task Force Steering Committee, use cases for Same Day ACH, and more.

 


Payments in Real Time

As the U.S. payments industry is preparing to enter another exciting phase as immediate funds transfer options come online, I’m thinking back to my interaction in the Fall of 2013 with the inquisitive team at Planet Money. Perplexed about why it took so long for the monies from their Kickstarter fundraising campaign to make the electronic journey to their bank account, the team dug into this issue and created one of their podcasts called The Invisible Plumbing of our Economy.

All told, it took five days for the funds to reach them. Keen to understand why the transfer was so slow, Planet Money reached out to a few payments experts to try and make sense of it.  Naturally I had hoped to communicate the complexity and competitiveness of the U.S. banking and payment systems, the fact that our low-cost ACH was designed in the 1970s and the daunting economics of upgrading or implementing a system that reaches thousands of financial institutions serving some 300 million consumers. Alas, in the end, I think my most effective explanation for this admittedly outdated situation was, simply, “The ACH keeps bankers’ hours.”

It’s taken another three and a half years but in 2017, new payment systems are coming on line that will totally transform how many payments are made. Zelle and the new Real Time Payments rail from The Clearing House are joining contenders like PayPal.

Just for fun, let’s imagine that the Planet Money transaction was being kicked off today and see how different the experience would be:

  • End to end time – Rather than 5 days, the transfer should take no longer than a few seconds to register in the receiving account.
  • Batches – The transfer would be a single, credit transfer instruction and wouldn’t have to wait until the next payment batch is scheduled.
  • Business hours – These will be all day, every day.
  • Business days – Every day is a business day for real time payments, including weekends and holidays.
  • Funds availability – Funds will be available to be withdrawn immediately by the receiver, no more waiting for good funds. Funds will also be taken out of the sender’s account immediately before the transfer is made.
  • Confirmation – The Planet Money team would also get an email or text confirmation that the funds are available in their account. No more guessing. The sender would also be notified when the transfer is complete.

In this sense, payments will work a lot like email – always available and instant. Well, okay, it’s not quite like email just yet:

  • Transfers initiated in the Zelle, Real Time Payments, or PayPal rails don’t interoperate in the same way AOL does with Gmail (or ATT with Verizon), and
  • These transfers don’t work internationally (unless you’re a PayPal user sending to another PayPal user and even then a few caveats apply).

I’ll dive more deeply into these issues this week—and what they mean for consumers and businesses—with great panelists from ACI, Fiserv, NACHA (yes, Same Day ACH is in the mix as well) and SunTrust Bank at the Technology Association of Georgia FinTech 2017 event in Atlanta on 9 February. I hope you can join the discussion!


Payments 2017 – One Month In

Business evolution—whether it’s automotive, bioscience, or in the payments industry—proceeds along a predictable path of incremental improvements and optimization. Until it doesn’t and a step function takes effect.

Last year was sleepy compared to what we can expect during the next eleven months. 2016 was characterized by the more familiar path, through themes set in motion in prior years. EMV. Bitcoin and blockchain. The “pays” from Apple, Google, Samsung, and leading merchants. In 2016, these elements grew and evolved along predictable lines. Yes, they’ve made an impact but none represent anything resembling a tectonic shift.

Now that 2017 is underway, it’s clearer that prospects for 2017 include increasing tectonic activity that will be rough or smooth depending upon which side of the tectonic plate you are standing on.

Let’s examine the shifts we know about. If you’re all about politics, skip to the end.

Immediate Funds Transfer, Finally

2017 will see the addition of several sets of payment rails to the US. It’s been decades since new bank-based payment systems have been introduced so this is significant. The Clearing House will turn up its Real Time Payments (RTP) system for account-to-account push payments. Zelle, the consumer-facing brand of Early Warning’s P2P payment system, will begin its marketing effort to convert the word Zelle into a verb. And while not new rails, even NACHA’s Same Day ACH service will be in the mix, competing for business.

This is a global phenomenon with over 20 countries at various stages of deployment, from planning to full production. In the EU, SEPA (Single Euro Payments Area) rule makers have released the specification for SEPA Inst, an immediate funds transfer, push payment system scheduled for a 2018 deployment. With the global axis tilting toward this credit push model, these new payment rails will pull share from their predecessors.

In the U.S., system economics will get clearer in 2017 as these schemes compete for volume across P2P, bill pay, income payments, and other use cases. We will continue to track these changes closely because new payment systems are so rare and potentially so disruptive.

One area we will be watching is the security of these immediate funds transfer systems compared to pull-based systems. The UK’s Faster Payments scheme experienced higher fraud rates than expected until bank authentication was strengthened. No surprise there; new payment systems of any kind are catnip for hackers and what could be more appealing than a new system that pushes money in near real-time?

Online Security

Bad as it was in 2016 (remember the SWIFT breaches?), the crisis that is internet security will worsen in 2017. While defensive barriers and intrusion detection improve, the attackers enjoy the broad availability of personally identifiable information (PII), an ever-expanding set of attack surfaces, and the realities of human nature that make phishing so effective and security maintenance so difficult. Because of the broad availability of personally identifiable information, the hackers can have more current information than the accountholder. Account takeover will get more severe.

Effective payment defenses are being erected but there’s no hockey stick increase in their usage for this year. Issuer tokenization of payment card data is hugely effective but its use will remain well below 15% of CNP transactions. It is going to be 18 months before we start to see 3D Secure 2.0 (3DS2)—the more risk-based approach to merchant and issuer payment authorization messaging—move into broad production. That means issuers and merchants must continue to rely on defenses built internally or by others to manage fraud.

The Internet of Things (IoT) will expand even faster in 2017 but its security will continue to be deplorable. Manufacturers are focused on low cost and functionality. Buyers pay for the same attributes and are not paying for security features like secure elements or even basic crypto processing. That leaves whole fleets of IoT devices susceptible to botnet recruitment. Many IoT devices can barely be upgraded with new software to improve security, all while many are or will be payments-capable. This may only be solved by regulation unless all IoT players up their security game.

How Far do the “Pays” Go?

While their creators expanded the geographic coverage of these services, Apple Pay, Android Pay and Samsung Pay saw modest growth in 2016, still accounting for low single digit volumes at the point of sale. 2017 should see that steady, modest growth continue (changes Glenbrook is tracking closely). Two things must happen. First, consumers have to understand that these mobile payments methods are more secure rather than less. But no one really looks forward to educating consumers on new, improved security methods because it raises questions in everyone’s mind about the current system. Second, these “platform” Pays have to benefit consumers with loyalty points, rewards, and couponing. And that’s tough.

At Glenbrook, we believe the “pays” coming from large merchants that are able to combine both payment convenience and incentives in one package have more magic to offer. If you can get your discount, loyalty points, an improved buying and checkout experience from an app provided by a favorite merchant, you’re going to use it. Starbucks is proof. 2017 will be the year we see how successful other merchants—particularly retailers like Target who don’t sell hot, somewhat addictive products—fare with their in-store apps.

Blockchains Move into the Real World, Slowly

If 2016 was the year of the pivot from bitcoin to blockchain, 2017 will be the year when a handful of blockchain-based applications prove themselves, or not, in limited production. Use cases requiring the fewest participants and simpler data sharing requirements may well succeed from a technical point of view. Exposure of these use cases to the stubborn facts of economics (is a blockchain cheaper than a traditional database?) and rule making (can all participants benefit from the same set of rules?) will be the next hurdle for blockchain implementations.

Ripple is an example. While its technology is in place, the company has recognized the need to develop common rules for its participants. It has formed the Global Payments Steering Group with an interbank group composed of Bank of America Merrill Lynch, Santander, UniCredit, Standard Chartered, Westpac Banking Corporation, Royal Bank of Canada and CIBC to steer that rule making process for cross-border transactions. Once up and running under those rules, this will be a visible test case for blockchain payments.

Payments by Ear, and Voice

My partner Russ Jones has been calling this one for years. We expect the use of audio interfaces to blossom in 2017. The Amazon Echo, Cortana, Siri, and Android are teaching us to speak to our devices and now they’re getting better at both listening and doing useful work. Amazon’s Alexa has a “skill” to let Capital One accountholders make inquiries and payments. Before long, a Starbucks order-ahead skill will be added to Alexa. We’ll be watching for many more audio implementations this year.

AI and Machine Learning Everywhere

While these technologies have a certain “shiny new toy” glamor about them, there’s little doubt that 2017 will see an acceleration of machine learning and artificial intelligence applied to payments and commerce. We’ve already seen machine learning systems optimized for transaction risk management from firms like Feedzai and Sift Science. But even at the level of consumer interactions, AI-based bots are lowering the cost of customer service as well as guiding consumers through commerce flows. Last year’s bots were not all successful. And don’t expect your next bot encounter to pass the Turing test; it won’t “exhibit intelligent behavior equivalent to, or indistinguishable from, that of a human.” But it just might speed you through buying a new pair of shoes, including asking for the payment method of your choice.

International Inspiration?

A look at the international payments landscape finds nations and regions making profound decisions around money. India’s demonetization program and the EU’s PSD2 (Revised Payment Service Directive) are two.

The EU is retiring the 500 euro note out of concern for its potential role in illicit activities. This past November, India made 90% of its notes in circulation invalid to make money laundering, counterfeiting, and corruption more difficult.

Both regions are innovating beyond cash. India is linking via APIs its payment system building blocks – mobile, the Aadhaar identity management system, and financial institutions. Europe’s PSD2 directive is opening third party access to both bank account information and payment initiation services.

Could moves like this take place in the U.S.? Could the private sector do something along these lines with RTP and Zelle? While there’s zero likelihood of a national effort backed by rulemaking, competition is already prompting some U.S. financial institutions to open and promote their API marketplaces. CBW in the wholesale banking area and BBVA with its API_Market are two examples.

Politics, Payments, Uncertainty, and Change

The foregoing shifts will take place against the background of global political and governmental changes. Here in the U.S. the big elephant in today’s payments room is Uncertainty. Tomorrow’s elephant will likely be named Change. The fast pace at which the new U.S. administration and Congress are executing, and evolving, their agenda suggests there are substantial shifts ahead.

Here are some of the key questions we’ll be asking during the rest of 2017:

  • What will happen to the Dodd-Frank legislation? With the broad Dodd-Frank bill up for revision, what will be the impact on the Durbin amendment’s debit interchange rate cap? Who will benefit from those changes: large or smaller financial institutions? How will the merchant community react to a presumed return of higher debit interchange costs and other fees? In 2016, regulations were introduced to revise or up-end Dodd-Frank. Given the power shift in Washington, DC, a favorable reception to those bills is now more likely than not.
  • Will the Consumer Financial Protection Bureau (CFPB) continue to exist in its current form? Will the CFPB’s governance model be changed, perhaps to a commission structure, or will the bureau be altered entirely? Born via Dodd-Frank, the CFPB, despite its increasing maturity, may have a very different future.
  • Similar questions abound elsewhere in the world. Looking at the UK and the EU, what will be the impact on payments, banking and privacy regulations of the long Brexit process, EU PSD2 regulations, Privacy Shield, etc.?

After one month, we can already say that the rest of 2017 is going to shake up the payments industry more than last year. Hang on tight. Embrace the change.

The Glenbrook team is constantly evaluating the strategic impact of these and other trends. We look forward to engaging with you through our strategy consulting, our boot camp programs, our market scan services, and through your feedback here. Or just through a conversation. We welcome your thoughts!


Guaranteed Fraud Prevention Solutions: Maybe Some Things in Life Are Guaranteed?

I’ve had the pleasure of working in the e-commerce fraud prevention space since the late nineties and, just as e-commerce has significantly evolved over the better part of two decades, the way merchants battle fraud has changed substantially.  Fraudsters have kept merchants on their toes and the industry has responded. We now have a host of new tools, technologies and techniques to assist merchants with a growing fraud problem that always seems to be one step ahead of what the “good guys” can keep up with.

One thing that has remained largely the same, however, is the business model associated with e-commerce fraud prevention. For the most part, service providers have charged merchants a per-transaction or flat-license fee to use their tools, whether they be comprehensive fraud platforms offered by providers like Accertify, Kount or Cybersource, or specialized fraud technologies offered by the likes of iovation, ThreatMetrix or Quova. In this model, service providers don’t have direct “skin in the game” with regard to a merchant’s key fraud metrics, such as chargeback, false positive and manual review rates. However, they are motivated to evolve and innovate their services in order to retain customers and grow market share.

The Guaranteed Model

But over the past several years, we have seen a significant departure from the per-transaction model that incumbent fraud prevention providers have traditionally offered.  A host of new providers have entered the market with guaranteed fraud prevention solutions that offer a very simple and tempting value proposition:  If a fraud chargeback occurs, the provider will cover all costs associated with fraud, leaving the merchant with zero fraud liability.  At face value, this seems like a no-brainer for merchants, but, as we’ll explore in more detail, a fraud guarantee often comes with cost and complexities that many may not be ready to swallow.

If we take a look back, we’ll find the concept of an e-commerce fraud guarantee isn’t a new one.  PayPal, for example, has offered its “Seller Protection” model to physical goods merchants for many years.  Companies like Vesta have offered merchants in the telephony space indemnification from chargebacks for over a decade.  And at one point, even traditional insurance companies entered the market with policies to protect online merchants against large fraud losses, an option that most merchants found to be too expensive and riddled with complexities. What was missing from the market were generally-available, guaranteed solutions that could be used by any e-commerce retailer, regardless of what they sold or what payment types they accepted.  This is the gap that this new class of guaranteed service providers has filled.

But with a promise to eliminate the cost of fraud chargebacks, why aren’t all merchants flocking to these guaranteed solutions? There are two key reasons: cost and control. The guarantee offered by these providers comes with a price premium that usually costs a merchant between 1% and 4% of the transaction value, in addition to payment processing costs. Obviously, this equates to a significantly higher per-transaction fraud screening cost, potentially costing a merchant many dollars to screen even a good transaction, versus pennies per transaction in the historical models. In addition, guaranteed service providers typically must assume ultimate control over the fraud strategy and decision process, which is something many merchants aren’t comfortable with. Some merchants believe that only they can understand their business well enough to control fraud while ensuring that good customers are never insulted. The notion of giving up control is something that many of these merchants simply will not entertain.

A Full ROI Analysis

The higher cost associated with guaranteed services, however, shouldn’t be looked at in a vacuum, but taken as part of a full ROI analysis.  When merchants look at total potential chargeback and operational savings, many will find that the guaranteed service proposition is attractive.  For example, merchants have the ability to greatly reduce operational costs by eliminating the need for fraud analysts and modelers, reducing the size of manual review teams and streamlining backend operations that process and fight fraud chargebacks.  Coupled with the elimination of chargeback losses, fees and fines, merchants may find that a 2% to 3% fraud screening cost still provides a healthy ROI when compared to managing all fraud support functions in-house.

Although many merchants may, at first glance, still have “sticker shock” over these costs, guaranteed service providers have demonstrated that they can be flexible with pricing, depending on the merchant’s industry, the types of goods sold and the perceived risk.  As part of their pricing assessment, providers may ask for historical chargeback data and example transaction data sets in order to ensure that they can manage fraud risk while offering the best possible price.  The bottom line is that this new type of model only works when there is a win/win for both the merchant and the provider.

And while cost may be the most compelling driver for some merchants, many also consider three key questions, regardless of the type of solution they are evaluating:

  • Do I wish to outsource all fraud functions or keep them in-house?
  • What is the cost of change?
  • What impact will this have on my customers?

Time will Tell

The answer to these questions, of course, will vary greatly from merchant to merchant.  And while the landscape of fraud prevention solutions that exists today is vast, the industry continues to evolve, offering many solutions that address a broad range of risk challenges.

So, will the guaranteed model become the de facto outsourced model when fighting fraud? Only time will tell, but many in the industry are excited about the prospect of what these providers have to offer. For example, in the past three years alone, equity investments in guaranteed service providers have exceeded $225 million. But the cycle for merchants to change providers is often long, so it will most likely take some time before we fully understand how many merchants choose these new services and how effective they are in the long run.

We’d love to hear your thoughts about how this exciting sector is evolving!  I’m going to be in Atlanta on February 9th at the TAG Fintech 2017 event. I’d love to meet you there to discuss these and other concerns. I hope to see you there!

And if you need help understanding the ever-evolving fraud prevention market, Glenbrook has helped many merchants and service providers navigate this complex landscape.   Please reach out to see how we may be able to help you.


Episode 47 – Blockchains and Moving Money on the Internet – Circle Internet Financial

Turning money movement into a core capability of the internet is the guiding principle of Circle Internet Financial. Not an easy task. While technical issues abound, regulatory and business hurdles pose larger challenges.

Join Payments on Fire host George Peabody and Circle’s co-founders Jeremy Allaire and Sean Neville for this discussion on Circle’s geographic expansion, its recent shift in bitcoin support, and its development of Spark, a blockchain-based open source smart contract platform optimized to share and store payments meta-data including exchange rates, KYC details, identity, etc.


Episode 46 – 3D Secure, Visa, and CardinalCommerce

One of last year’s most anticipated advances in fraud management was the final release of EMVCo’s 3D Secure 2.0 protocol specification. Designed to take a risk-based approach to authorization and lower the checkout friction of its predecessor, 3DS2 will be a new tool in the growing anti-fraud arsenal.

One of its supporters and a service provider that’s been closely tied to 3D Secure is CardinalCommerce. Cardinal, now a new addition to Visa’s arsenal with its recent acquisition, has been working with the risk-based approach for quite a while. Take a listen to Visa’s Mark Nelson and Mike Keresman and Tim Sherwin of CardinalCommerce in this discussion about 3DS2, card network mandates, Cardinal’s acquisition by Visa, and when the market will see 3DS2 solutions.


Episode 45 – False Declines and Ethoca’s Role

In e-commerce and mobile commerce the problem of false declines is significant, especially during the holidays. Issuers decline transactions that online merchants approve. And vice versa. In other words, the necessary process of sorting out fraud from good transactions catches good transactions with the bad. This poor decision making means merchants lose the sale and the issuer its transaction fees.

In this Payments on Fire podcast, Glenbrook’s George Peabody discusses the false decline issue with Ethoca’s CMO Keith Briscoe as well as the company’s program to encourage more merchants and issuers to take advantage of its shared data service.

{ 0 comments }

Last week in Geneva, the ITU wrapped up a two-year project – the “Focus Group on Digital Financial Services and Financial Inclusion”. Several hundred organizations and people participated in the Focus Group, which produced research papers and policy recommendations on a wide variety of topics. The papers are available on the Focus Group website.

Glenbrook’s Carol Coye Benson and Allen Weinberg were active members of the group: Carol ran the “Ecosystem Working Group” and Allen led a group of people on in-depth research and exploration of topics relating to merchant acceptance of payments in emerging economies. Glenbrook partner Elizabeth McQuerry was at the closing session, participating on a panel discussion of “New Frontiers in Regulation.”

Hear Carol’s perspective on the effort.


Episode 44 – On Privacy, IoT, and Security – Online Trust Alliance

Multiple organizations have emerged to address different aspects of security, privacy, and identity. In this Payments on Fire Podcast, Glenbrook’s George Peabody speaks with Craig Spiezle, Executive Director of the Online Trust Alliance, an organization bringing together privacy and security best practices for a range of industries, including payments. Take a listen to this conversation about the security challenges ahead, especially around the Internet of Things.
