The risk of moving money.

Once, there was cash, and then there were cheques, and then there were charge cards and credit cards. Cash has always provided the ability to transfer value in real time; cheques provide a means of transferring value in near real time whilst avoiding the need to carry cash. In both cases, the value is transferred from the buyer to the seller directly. Charge cards and credit cards introduced the notion of authorisation and settlement to retail transactions, adding an intermediary and disassociating purchase from payment.

Now that we are living at the dawning of the age of the real-time account-to-account value transfer, do we think that we have come full circle? Is the global real-time payment grail, holy? Or is this just another example of doing stuff simply because stuff can be done?

The financial advantage to merchants of receiving payments in real-time rather than a day or so later in the settlement is essentially a one-time benefit. Large organisations with high turnovers may be able to maximise the impact, but even this is questionable since many acquirers already provide large merchants with early settlement. Ironically, the merchants most likely to benefit from real-time payments are those who are currently considered to be of a higher risk, where acquirers tend to hold on to settlements for an extended period in order to reduce their exposure. If these high-risk merchants were to benefit from real-time payments, would that benefit not be derived from the transaction risk being passed from the acquiring bank to the consumer?

The global expansion of cards and card payments brought with it a global acceptance of card payment principles that ultimately served to protect the cardholder. The reality is that consumers making payments by card are generally protected.

How much consumer protection exists in the world of account-to-account transfers? Card fraud may be the criminal's first choice, but the industry picks up the tab, which is usually passed to the merchant, or to the acquirer or the issuing bank. Again, the reality is that card transactions were never designed for the internet. [There is, I believe, a solution but that is the subject of another discussion.]

So, whilst the fraud is easy, the cardholder is rarely at risk. We should be asking the question: will consumer rights be maintained in an Open Banking environment where the money has already moved, and where there are no mechanisms for moving it back?

The future consumer value for real-time payments lies in the ability to move it back.

Solutions Architect?

From first principles, a business solution (assuming that one does exist) should look like it is the answer to the original business problem, although it may not be the only possible answer.  The role of the Solutions Architect, hired by an organisation with a business problem, is to develop a solution, or set of alternative solutions, to solve that business problem.  However, before developing any solution, it is imperative that the problem be understood, and so the first and arguably the most important prerequisite to developing the solution is for the Solutions Architect to adopt a business analyst perspective and apply systematic deconstruction techniques to the problem as presented.

Once analysed, the business problem is made available to the scrutiny of the stakeholders and can then be agreed by all.  This stage in the development of a solution is of utmost importance because there is always room for misunderstanding … and it’s possible that the analysis shows that there may not be a problem at all.

The problem definition provides the outline framework for managing the solution. In a predominantly waterfall environment, where the cost of errors and misunderstandings increases with time, it is crucial for the problem to be understood at the outset. Whilst an agile approach can reduce this risk, it is still vital that there is a clear direction. Agile can provide a development framework capable of responding to the changing needs of an organisation, but without an architectural vision, its direction is not guaranteed.

There are many approaches to “getting it right”, and an even wider array of qualifications attesting to the fact that one can indeed “get it right” when demanded by the situation. But does the plethora of specialities, and of qualifications relating to those specialities, imply a change in the underlying technical processes or in the mindset of the practitioner?

The solution architect function – taking ideas, operational needs and specific requirements and turning them into specifications of features and services that can then be developed and delivered – has existed in one form or another for many a year, whilst the “Solution Architect” as a job title has not! The question is: does the appearance of “Solution Architect” as a role imply that the responsibilities of the modern “Solution Architect” are broader than those of the pre-dating solution architect function? There are certainly more certificates to be had, but does the expansion of the qualification landscape necessarily indicate an equivalent expansion within the related technical knowledge base?

The Problem with Fraud

There is a misconception about the challenges we are facing in payments. Whilst it is well recognised that there is a significant global fraud problem across the payments landscape, payment fraud is not equally distributed. Payment card fraud has migrated to the internet.

Not long after squashing the millennium bug, the UK sailed away into the uncharted waters of Chip and PIN. Whilst it was certainly an exciting time in the evolution of payments – for some of us at least – the adoption of EMV went a long way towards solving the growing problem of face-to-face plastic card fraud. As a result of chips and PINs, plastic card fraud in the UK plummeted and this effect was subsequently replicated abroad. Payments on the internet at that time, compared to current transaction volumes, were few and far between. The cost of internet fraud was very low and therefore not considered worthy of any particular attention.

The problem was, and is, that the 16-digit PAN and the 3-digit CVC (when it is used) are not fit for the transaction processing world of the 21st Century.

Underlying payment fraud problems relate primarily to the weakness of the e-commerce payments transaction structure, and whilst many of the so-called clever, alternative solutions may indeed look clever and alternative at the front-end, they generally rely on the same old “card on file” processes at the back-end. Ultimately, this is all smoke and mirrors … tweaking the front-end does not make the underlying problem go away!

Card payments and card technologies are not going anywhere, anytime soon, so the problem needs to be addressed. The solution to rising card fraud needs to focus on the card fraud problem directly, and not simply obscure it by introducing alternative payment options to the consumer and the merchant.

In the late 20th Century, the growing card fraud challenges in the bricks and mortar world were limited by the introduction of EMV, and it works everywhere – nearly! In the 21st Century the same growing fraud challenges in the digital world could be resolved using that same tried and tested approach.

It’s time to introduce the power of EMV into the world of e-commerce. The technology exists to support this and history has shown that it works.

I have a plan!

Banking Bells and Whistles

Do consumers of banking services want bells and whistles? Do the Millennials and Generation Z want feature-rich banking services, or do they just want to move money from one place to another, quickly and conveniently? The propositions adopted by the early challenger banks fit the bill perfectly: they provide a convenient means of receiving and storing salaries and other payments, and then a set of easy options for passing it on in the form of card payments, faster payments, direct debit payments and Paym.

This isn’t to say that as people get older, their interaction with the financial world doesn’t become more complex, but loans and mortgages and investments and insurance and so on, all exist outside of the basic necessity of the money in – money out requirement.

The bolt-on bells and whistles do not add any value to our basic need to send and receive value. People of all ages operate current accounts, and they do so to allow them to fulfil that basic need. In a society with essentially free banking, where all banks offer the same fundamental service, there is no real incentive to move from one organisation to another.

People don’t go shopping to enjoy the payment experience, but there are loads of payment “professionals” out there who think they do.  Oh dear!

People don’t open bank accounts to enjoy the magic of faster payments.

The challenger banks responded to an opportunity: niche mobile-only services that were not restricted by vast legacy systems and that could offer basic banking services at low cost. The services were simple, and their take-up has so far been promising, but now we are adding the bells and whistles. Why?

Bells and whistles give bankers the opportunity to excite other bankers and show them how clever they are, thereby justifying their existence.  Most consumers never asked for bells and whistles and the vast majority of consumers won’t use them. 

Consumers don’t necessarily want bells and whistles, but they do want services that don’t go wrong and that are available all the time.  Perhaps we should pay more attention to that.

The end of the LINK TSG

Just heard that the LINK TSG is no more.  

I was never sure why the Competition and Markets Authority (CMA) allowed the UK’s shared ATM network to be sold to Mastercard.  To me, it looked very much like Mastercard was being allowed to gain significant advantage over its rival card schemes.  How can the CMA look at the relative situations of Visa and Mastercard in the transaction processing world and not conclude that there was a significant difference?  

It’s not like it was just the LINK ATM network. They were given control over the account-to-account transfer services in the UK too: key financial infrastructure services that, in my opinion, should be managed centrally for the benefit of all.

If it is correct that the LINK TSG is being wound up, then it is clear that the management and control of the shared network is being transferred from the members to the “owner”.  The implication is that the service provided to the members will then be that which the “owner” wants to deliver, rather than that requested by the members.  

If we follow the bunny of conspiracy down the rabbit hole of destiny, as our eyes become accustomed to the darkness, will we see a future where the LINK ATM network has been mothballed, and all LINK ATM transactions are processed through the Mastercard network?  

How can LINK commit to delivering ATM services in areas where ATM profitability is low, if LINK is not going to exist? 

Is the loss of the LINK TSG the first step in losing LINK ATMs?  

Bank Fraud is Taxing

Banking lobby UK Finance is proposing a universal tax on bank transfers to build a fund that could be used by banks to compensate victims of account transfer fraud.

One wonders what is driving such an approach.

If the victims were defrauded out of cash in their wallets – by scams of a similar nature – it would certainly not fall to the banks to provide a refund.  Handing over current account login details may not be the same as handing over a wallet-full of cash, but the interactions between fraudster and victim that lead up to the deed are.  It is the social engineering processes that precede the fraudulent activity that we should be focussing on, not the act of transfer itself.

Is this really a problem for the banks?

If this is not a direct banking problem, the problem lies in the gullibility and therefore the vulnerability of bank customers.  However, the problem is exacerbated by the speed at which bank balances can be expropriated and transferred.

The development of real-time banking services has fueled the development of fraud vectors focussed on social engineering mechanisms.  

A victims' fund financed by a payment tax is not the answer. The answer must lie in modifications to the ecosystem to reduce the opportunities for fraud, but this has a cost.

There are solutions, but fraud prevention has never been a headline grabber.

Card fraud lowest for 13 years

And the good news is that card fraud losses at terminals in the EU are at their lowest level since 2005.  It looks like much of it is down to EMV, which limits the effectiveness of card skimming strategies, although the excitable clever people are telling us that it’s down to geo-blocking, fraud monitoring and fraud detection.  I am not sure how true this is as I would think that these techniques are more suited to preventing fraud on non-EMV transactions.  

Since the ability to clone and create a usable EMV card is non-existent, the opportunities for fraud using EMV cards are seriously limited. It is well established that there can be no duplicate EMV cards. If this is the case, then an EMV card must either be in the hands of its rightful owner, or it must be lost or stolen. If it is in the hands of its rightful owner, then there is no fraud, and if it is lost or stolen, there is essentially a four-hour window of opportunity for any would-be criminal. Adding geo-blocking, fraud monitoring and fraud detection is not going to identify lost and stolen EMV chip cards.

Geo-blocking, fraud monitoring and fraud detection are more suited to payment ecosystems that rely more on mag stripe, and can be effective in the e-commerce world.  The reduction in fraud that we have seen over the years is due primarily to the introduction of EMV – in the UK – back in the early part of this century.  It is now spreading out and we are reaping the benefits.  If you want to see how much benefit we are reaping, look at the card fraud levels in the US.  

The impact of reducing the opportunity for fraud in one sector is to increase its presence in others. We are inevitably going to be seeing a growing number of social engineering attacks, as the vulnerability of people is now greater than the vulnerability of the card payment systems. We need to be looking at finding ways of preventing the growing financial losses associated with current accounts.

Introducing the Payment Monkey

The Payment Monkey is now online, more or less, and the first blog post has been added. At this point, I should say that much of the content has been generated by an infinite number of monkeys banging away on quite a lot of typewriters. Spare monkeys not assigned to the less than infinite supply of typewriters are employed to proofread and sanity check, and because of this, most of the random noise has been eliminated.

Hi. I’m the Payment Monkey

Updates will be published as and when the Payment Monkey is inspired by activity in the transaction processing and card payment world.

The site is open for comments, hopefully for some lively debate; the Payment Monkey will respond.