I’ve just given a talk on Risk and privacy implications of consumer payment innovation (slides) at the Federal Reserve Bank’s payments conference. There are many more attendees this year; who’d have believed that payment systems would ever become sexy? Yet there’s a lot of innovation, and regulators are starting to wonder. Payment systems now contain many non-bank players, from insiders like First Data, FICO and Experian to service firms like PayPal and Google. I describe a number of competitive developments and argue that although fraud may increase, so will welfare, so there’s no reason to panic. For now, bank supervisors should work on collecting better fraud statistics, so that if there ever is a crisis the response can be well-informed.
5 thoughts on “Risk and privacy in payment systems”
Here are my notes of the talks in the first day’s sessions.
Esther George, president: the Fed fixed check clearing, which used to take weeks and be done at a discount – it offered cheque clearing at par and brought in electronic systems. Also was midwife of the ACH which does 18% of payments, and provided stability in the days after 9/11 and after Lehman. Mandate under the Monetary Control Act allows it to price services competitively with the private sector. Fed must be prepared for crisis, as after 9/11 and Lehman. Must ensure people can still pay – perhaps offering a P2P payment system.
Michael Katz: expects evolutionary change in payments, but revolution in business marketing services (with telcos the most disappointed). Consumers want convenience etc and merchants lower costs; there will be low-visibility stuff like new POS devices. Doesn’t think mobile will be that different because swiping a phone is the same as swiping a card (unless you’re an iPhone user when you think that mobile world = world). May be used for screening: one CEO says “we feel that all data is credit data – we just don’t know how to use it yet”. Social network, ad/deal network, and payment network, might be 1 company or 2 or 3. What a phone can do is to search near as well as far for deals; so far-field will be a bigger deal than near-field. Telcos? Will your ISP be part of all this? Only generically. AT&T thought it could do credit cards; its card is now operated by Citi (it’s not about processing complex transactions auditably but about understanding users & their behaviour). Other cross-platform plays? There will be interesting questions about who shares the information, and at what price. Apple might become a new type of VMNO; will merchants see them coming? Convergence of payments, MNOs and web services will bring together their regulators. Predict: a web services company will collect all your transaction information after promising not to; but people will sell the anyway for 50c off a Big Mac.
Dan Kingsborough: was president of Atari 30y ago and sold Pong as the core of a new gaming ecosystem; in 1990s he did Teddy Ruxman which changed the way kids interact with toys; in early 2000s, he did branded gift cards. Now: he works for PayPal and the revolution is at hand. Multichannel retail is up from 30% in 2006 to 45% now. Shows a video on Paypal bump payments. Commerce now not about “location location location” but access to the consumer. “Cloud gives consumers control.” The near future will see 50 billion devices online, with differing payment mechanisms, but using existing infrastructure.
Hal: The hot company in the Valley has 12% of its revenues from Zynga, via a payment mechanism (used by other complementers too) and is also an identification business. Also Amazon marketplace, Apple iTunes (150 credit cards on file). Special-purpose payment systems give huge competitive advantage; open ones dissipate it. Don’t want to be on 15–20 private payment systems but a handful can coexist. For a new system, you want to avoid barriers like new cards or tokens/terminals/comms networks (NFC)/payment networks; square is a nice idea as is their cardcase. Go into a coffee shop, tell the phone “open a tab” and the girl “Charge it to Hal”. She looks up his name, checks his picture. Like Downton Abbey where everyone kept a tab at local merchants. And who is the biggest wireless carrier? Wi-fi.
Discussion. John Rechny of Walmart: consumers don’t want more offers but simplification, as a little company in Arkansas found. Michael: I also don’t like deals but many consumers live for them. Hal: can’t make clipping coupons too easy or you lose the signal that the shopper is price-sensitive; you might as well give lower price. On fraud, Michael Katz: “I know nothing about this, I’ll just make something up.” Hal: important to look at where liability lies in exceptional cases. Intermediaries may take on liability to get their tech adopted, and that could even give rise to stability problems. What patterns of search do you see in mobile? Much the same; a bit more adult queries, more location, and the “immobile” users who make mobile queries while in front of the TV. Michael: could have a multi-store loyalty card instead of 40 different apps on phone. Ross: multifunction smartcards didn’t work for reasons like branding. Michael: with a phone, the branding follows the store. Jonathan Williams: pocket stuff like credit cards are basically authentication, and governments do stuff like NSTIC; Pingit launched at Barclays; but what about anonymity? Hal: do you mean anonymous to the merchant, or to the payment system, or to the government, or what? There are demands for anonymous payment from some sectors of the economy but are these really sectors we want to support? Michael: yes, we need a currency for drug dealers. (Laughs.) How do I show off my high-status black card? Hal: you need PayPrince rather than PayPal. What’s new that needs to be regulated? Hal: somewhat hypothetical but given strong complementarities and network effects it’s possible that one player could lock in a privileged position – then everyone else would holler for regulation. Don: this is the first time ever that payment services have been really sexy; there’s a tremendous amount of innovation going on.
Nicolas Economides (no paper) – Visa 42% MC 29% Amex 24% Discover 5%, fees $30-48bn pa and costs 13–15%. Innovation in short-range can mean replacing the card and reader with other stuff, such as a phone. The intervening party can create a relationship and start selling. Existing networks have weak incentives but mobile carriers and others could have stronger ones. Consumer benefits higher with new entrants while antitrust concerns greatest with a telco. Big fight is customer relationships and real-time customer data; there are big players and no-one knows who’ll win.
David Evans, Market Platform Dynamics: this is a period of creative destruction! But a lot of things people call “innovation” don’t make consumers or merchants any better off. There are market obstacles but no market failures: governments should stay out
Alan Frankel, Coherent Economics: not so! Paper cheques were turned into a “superior” product, debit cards, which cost merchants an order of magnitude more – so there is a market failure! Banks drive people to use signatures rather than more secure PINs to make higher fees. Providers can tax not just their own retail sales, but rival sales too. A new credit card run through the ACH rails would be against current rules. Litigation can set some rules aside and the DoJ can do some stuff but many failures remain.
Bob Lee, CTO, Square: their ability to innovate is limited by resources not by markets. Existing merchant onboarding is a nightmare with weeks to set up a merchant account: credit check then a bundle of signup fees, and processing fees so opaque that most merchants don’t know if a visa card being offered will cost more than amex. Square cut merchant signup from 3-4 weeks to 2 minutes (plus you wait a day to get a reader in the post); the fee is always 2.75% and there’s no contract. Had to work with acquirers to reinvent the process, and supplant the checks with different ones. Paywithsquare, formerly cardcase, tackles the payer end now: you only need to take the phone out of your pocket on the first visit! After that you just wander in, get your latte and wander out: the girl knows who you are. If your phone is stolen, call and reset password.
Questions: FICO guy: rumours of merchants working on a payment system? Alan: interesting, but consumers are bribed to use higher-cost systems, so merchants would have to offer point-of-sale incentives. Getting merchants to collaborate could be harder than bankers – try for an open system rather than trying to own it. Consumers feel secure because of regulation – what happens if a startup fails? Surcharges? Alex: people adapt, as they did in the USA to ATM fees. Why did it take so long to cut small merchant discount from 5-6% to 2.75% – it involved cutting out layers of intermediaries. John Rechny: issue is transparency, as consumers don’t see the price signals. People don’t know what gas tax is, and they love getting 100,000 free miles. Courts determined that Visa and MC did have market power; where else can people increase their fees by 30% and not lose a single customer? David: Restaurants loved opentable.com when it was set up, but now whinge about the $1 they have to pay per booking. Nick: uses the credit card that pays 2% cashback even though it’s worst for the merchant. Jonathan Williams, Experian: German merchants got together and set up DLV to avoid credit card fees – why not elsewhere? Alex: US retail is fragmented and it would have been great for merchants to have done this 20 years ago
Joe Farrell, FTC: transaction costs can be high, like those of a mosquito bite (1/40,000 of a blood donation but you get malaria). Example: supermarket line held up by some idiot fumbling with a coupon. Shouldn’t the supermarket internalise all this? Asks whether a micropayment system might solve the mosquito problem – where the issue is that the payment is small the answer will be “not always”. One solution is bundling – iTunes spreads payment cost over many songs, unlike NJ Turnpike which used to ask you for a nickel every couple of miles. But then we always had LPs, newspapers etc as bundles. Segue into phone cards. And ads – one page view of a newspaper isn’t thought of as a micropayment, but a click on google? And are six radio ad breaks an hour an efficient way for you to pay a nickel for the content? Once you have a relationship, you should move from relative bargaining power as a basis of negotiation to joint surplus maximisation. Hence ad financing got supplanted / supplemented by subscription, and we have reasonable market tests.
Questions: jingit pays people to watch ads, and some banks let people watch an ad at an ATM rather than paying an ATM fee. – an experimental business model; recall free long-distance calls in return for listening to an ad. Sarah Jane Hughes: views on ‘not tracking’ as in EU and as in Monday’s FTC report? – we tried to not include tracking mechanisms needed for functionality, but to make the default that tracking people round the internet to send more targeted ads would need consent in the commercial context. Reuters: have transaction costs been going up or down over the past years or decade, and where next? – they seem to have come down but little hard data. Typing data into a browser is less hassle than getting to a brick and mortar store. C&P? You’d think that if the industry were bearing the costs of fraud they’d introduce a prevention tech if it made sense.
My talk, 1405–35
Alessandro Acquisti summary: dominant systems not without challengers; fraud may increase but welfare too; best action for Fed is to watch and wait. There’s a nascent academic literature on security warnings starting with Alma’s paper, then usability/privacy of mobile devices. Wikipedia has 299 pages of payment systems in 20 categories. A possible future for mobile would be less complexity and less fraud. Anonymity is rapidly getting harder; newspapers use facebook which wants you to use your real name. Mobile payments are products of, and will be drivers of, accelerating economic and social changes we cannot predict.
Sarah Jane Hughes: people are innovating away from regulatory silos as fast as they can. What if there’s a catastrophic attack, or a pervasive loss of confidence? People won’t race right to cheques, but maybe to credit cards. The basic issues don’t depend on the payment channel, though some of the answers may. Most of us care about being able to prove that we discharged our obligations. Also, how easy is it to complain, and how long does it take (or is it possible) to get money back? What about government access issues?
Response: Systems engineering is about managing complexity. Odlyzko’s law says stuff gets ever more complex until it’s unusable. At other end, computer lab access control, or Downton Abbey. In between we want to prove that we discharged our obligation. Also in the middle, there are trade-offs such as fraud vs privacy (riddled with externality) and speed versus resilience to abuse (not widely understood). What is the evolutionary environment of the mobile payment system?
Discussion. Bring your own device? Diversity can help but cheap devices mean you can keep a special iPad for payment only. Cracking down can cause all sorts of employee and behaviour monitoring issues. Heartland Payment Systems: registry of payment data in the UK, so why not here? Sarah: SEC guidance on disclosure of cybersecurity events: see corporate finance division’s staff guidance (you have to describe what went wrong and what you’re doing about it). Worried about roadmapping the next shareholder suit. Rick: can we protect privacy by approving payments without background/location etc, and is there a hardware solution? Design not just implementation, and governance too (certification); and for security you can go the route of more and more techie stuff like crypto and chips, or you can have more and more data. Chico, JP Morgan: Faster Payments a concern or is there evidence yet? And same-day settlement in ACH?
Rachel Schneider: worried about the unbanked, who are not just the < $30K but also the $30-50K. They send lots on prepaid etc. But often cash is short and has high opportunity costs; they keep liquid as they don't know what kind of bill will come in next Kevin Morrison: the unbanked often use smartphones but use prepaid cashcards for groceries Steve Streit: Greendot has a prepaid card system that reloads 120m cards Louise Quittman, Treasury: doing education work around cards, especially for welfare recipients; has piloted low-cost card for tax refunds for the poor. Need it to be simple and accountable; also people need to send money both domestically and internationally, so need fair, transparent and reasonably priced remittance products. Paul Beloff: worked with 60 institutions in 30 countries on microfinance and has a seed fund for investment under $0.5m for financial inclusion projects, from niche credit to analytics. Kenya's killer app is P2P transfers because of a huge problem with split families. Other places are different; showstoppers can include lack of trust or lack of an agent network or uncertainty about regulation. Kenya's a regulatory vacuum: do what you want. In India, the reserve bank said no – MNOs can drive it but everyone must have a bank account. Pakistan the same, so Telenor bought a microfinance bank. One business just gives people money if they want, up to $20; if they pay some back they can have some more. Initial losses and 12% but it's a cheap way to get customers. Microfinance solar introduces PAYG solar power. Discussion: baby boomers are retiring, so now we have retired people with very different attitudes, but we still have many excluded populations with deep distrust of financial institutions. And there are landlords who won't take a cheque, just a money order. Reload fees? US bank has 75% reload, as it has a branch network. Public policy in the payments space is complex. Does it make sense to talk of people "graduating" from prepaid to DDA if the fees are five times? Kevin: generational thing going in that his 15-yo daughter will never write a check, just use cards and then phones.
Here are my notes of the sessions on the second day.
Bruce Summers, Former Director, Federal Reserve Information Technology: what are the barriers to disruptive innovation in the U.S. payments system? The US banking system isn’t keeping up with changes in the digital world; consumers can’t get access to immediate payments at a reasonable cost. Issues include the return to nonpar banking, balkanisation, and the loss of important capability (e.g. versatility and universal acceptance of cheques). He assumes that consumers (persons, firms and governments) want a versatile and universal method of payment (as with cheques) with immediate completion (as with electronic payments). Four criteria for policy are financial stability, operational reliability and security, effectiveness and efficiency. A report 35 years ago recommended pursuing a giro-like credit transfer system for US consumers coupled with standardised invoicing and billing system; the commission said that with appropriate regulation, competition should provide this. Yet the USA is not even close to implementing an immediate funds transfer system. His paper recommends (1) the Fed should update its policy statement on consumer payments, which was last rewritten in 1990 (2) the Fed plus Congress should set up a national commission on payment system innovation, aimed at improving governance structures (3) the Fed should do a benchmark technical and cost assessment of implementing IFT-like payments (4) the Federal Reserve Board should develop a special-purpose bank charter for nonbank payment services providers.
Dick Mabbutt, UK program director overseeing build and implementation, at Faster Payment Scheme Ltd: what Bruce envisions is doable as Britain built one in 2006-7 and it’s run since 2008. History: the Cruickshank report in 2000 on competition in UK banking said that payment systems were a cozy cartel that never innovated unless it was made to, and that the regulator was part of the problem. He wanted an Office of Payment Control but the Treasury put it with the OFT. In May 2005 OFT announced agreement; payments industry told to report back in November 2005 with a plan to run it live by 2007. Two options: ELLE or “early for late or late for early” (faster batch processing – speeding up BACS, who proposed it) and near-real-time (where payer knows within seconds whether their payment was received or accepted). So private sector asked: do we do the minimum the regulator will let us get away with, or do it better. Live 27 may 2008; since then 1.48bn payments for £623bn. 20m per month in mid-2011; expect 30m mid-2012. Payments free for personal customers if in credit; banks had anticipated charge of £1 – £2.50 but building societies made it free so everyone had to. Commercial customers now paying £2.50 – £5. Went live with 13 customers who had to build sending and receiving systems. Now a third tier is for utilities and credit card firms (who used to make the due date a Saturday – now you can pay them on a Saturday). Net settlement via CHAPS at 0715, 1300 and 1545. Reused components: switch based on ATM switch and settlement similar, so went for deferred multilateral net settlement, net sender caps and liquidity and loss sharing agreements rather than RTGS; if we were doing it again we might to RTGS.
Neil Platt, GM payments at Cashedge, part of Fiserv; operates popmoney (took over zashpay and took last six months integrating them). Lets consumers and SMEs pay by entering ACH or email or mobile phone number. Piloting debit cards and Facebook IDs as tokens. Relies on ACH backbone with settlement overnight, or 2–3 days depending on risk and pricing. Volumes in single millions, links to institutions with 40m online banking customers, and should be available to 805 of the banked within 2-3 years. Most common use case is rent; also intra-family payments; average payment $300-400 (more a cheque substitute than a cash substitute). The case for a cheque replacement is based on its failure to meet digital society expectations, with frictions from physical mail to possible cheque bouncing – there’s much to fix but “immediate” settlement isn’t vital (and the term is loaded – try pricing $5 for immediate and 50c for next day to peel the onion). Popmoney is trying to make payment faster by moving stuff from ACH network to debit transfer. Their role is to be the intermediary/tech provider. Been trying to do fast payments for a long time but have never seen government involvement as a useful lever; timelines are too tight and they need to introduce real-time payments into the market this year.
Questions: one value of cheques is that you can pay people without knowing their bank details. With consumer payments you can use mobile number, but what about bill payments? – in UK most utility bills have a credit voucher while most banking websites have pulldown menus, so the grey area is where you want to be paid without disclosing your bank details. UK Payments Council proposes to have a database which on input a mobile phone number will output the corresponding account number and sort code to the payer’s bank (though not to the payer). Mark, FICO: better to centralise as with Faster Payments (= Faster Fraud?) or decentralise, in view of this morning’s security breach at Mastercard? – (Bruce) fraud is scalable, so how do you build confidence in centralisation? – (Dick) the sending bank has to have a strong front door; if it takes instructions from someone impersonating a customer that’s its look-out. Did try to mandate two-factor but only some banks do that (Neil) vuln is the banks’ front door. What can Congress do? – (Bruce) a commission here could do what Cruickshank did in the UK – (Neil) don’t believe he will see any government-initiated changes in his next two 18-month planning cycles. Ross: issue of malware and other stuff like stolen PCs, and in the USA, the SMEs ACH issue. Isn’t there a conflict between a regulator promoting a payment system and its role in defending the rights of less capable customers? – (Bruce) see the paper; he argues that immediate payments might improve security if the culture embraces that – (Dick) in the UK is was the competition authorities, not the banking supervisor, who motivated the system; if banks take incorrect instructions that’s outside the concerns of the Faster Payments system.
Ricardo Medina, director of payment systems, Bank of Mexico: their SPEI is a hybrid system that does netting whenever 300 payments have arrived or 20 seconds have passed since last settlement (typical settlement cycle is 6-7 seconds). Open 23h per day, 7pm – 6pm; members are 47 banks and 41 others. Fees are low, typically under 5 pesos (40c) and independent of value, while the beneficiary isn’t charged. Policy is to move a lot of cash and cheque payments to SPEI, and they’re moving all government payments to it.
Gerard Hartsink, European Payments Council: their mandate from Trichet in 2005 was to deliver SEPA credit transfer and direct debit; the Payment Services Directive also set out to sort out banks’ relations with their customers (though it’s a directive not a regulation and works through national laws). SEPA regulation published today: deadline 1 Feb 2014 for Euro area and 31 Oct for others. Model is competitive processing layer, then a cooperative scheme layer with rules and standards, then a payment services layer from banks to customers which is competitive. See website at
http://www.europeanpaymentscouncil.eu/index.cfm for details. Creates also the SEPA card framework to ensure that cards could be used as easily overseas, rather than creating a new SEPA card. Also working on functional standards end-to-end, including security and certification. Decided in the end not to create an e-payment scheme for merchant websites, but to go for interoperability instead, following an intervention from DG Comp – and he doesn’t know what the outcome will be. As for mobile, how do you organise the mobile phone chip: has various publications on UICC, mobile contactless SEPA, White Paper on Mobile Payments Feb 7 2012 (leaves users free in choice of MNO, bank and handset, via bank-programmable space in SIM). Not just private sector failure, but failure of public sector to have consistent policies.
Malcolm Edey, Assistant Governor, Reserve Bank of Australia: proprietary and system-wide innovation are different. The latter may require collective action by participants in a network; faster payments cost money, but may give no competitive advantage as everyone else does it too (it may even cannibalise existing and profitable proprietary systems). So a firm will underinvest in cooperative ventures, and heterogeneity (of customers, costs and investment cycles) makes this worse. Some routine stuff might work such as routine upgrading of technical standards, but where there’s any conflict it may need the regulator. Gaps, governance and hubs are the focus of their recent review. Coordination failures leave four gaps – faster consumer payments, payments outside banking hours, capacity to send extra information with payments, and greater ease of addressing payments. So what is the governance process for assessing costs and benefits, and deciding on interventions? Specifically they are wondering whether they need to create a new hub – a centralised architecture in place of the current bilateral arrangements, which might be efficient and facilitate innovation, but might end up being expensive. Central banks operate a number of payment hubs but the technical expertise resides in the industry and the banks.
Ms MJ Moltenbrey: an antitrust enforcer who spent much of her career working on the case against Visa and Mastercard. US enforcement is case-specific and focuses on narrow issues. The first tussle was over exclusivity of acquiring relationships, where Visa backed down and let member banks join MC too; then it turned to interchange fees in 1986 National Bancard Corp case, with an inconclusive outcome. In 2004 US v Visa succesfully challenged rule that Visa/MV banks couldn’t issue Amex/Discover. A private lawsuit overturned the “honor-all-cards” rule that merchants couldn’t take debit but turn away credit. A currency conversion fee case she worked on may have largely helped rich cardholders, but competition should drive the market where it will. More generally, collective action is required sometimes, e.g. to get standards, scale and infrastructure; so need clear principles to figure out when to challenge them – and bringing an antitrust case against coordinated behaviour is much harder than against a single monopolist.
Discussion: why should European banks invest in an inferior payment network rather than encouraging existing networks like Amex to expand, or expansion of existing national networks? – European Commission decision after 3 years of debate, but then intervention of DG Comp and now regs published today. So in France, Portugal and Italy the consumer banks end up charging more. One national card association has challenged DG Comp in the European Court. His view is that interchange fees will go down though following market trends. 20% of payments are public sector, but no strong pressure from them to avoid fees as you have from merchants and consumers. And everyone ignores the costs of cash, even the central banks who bear a lot of these costs! And some member states are reluctant to give data to ECB. In summary, a lot of the costs fall on SMEs. Me: No-PIN failure of EMV protocols notified in 2009 and published in 2010: will EPC fix this? – won’t comment on EMV which the industry decided to implement. ECB policy says no mag stripe any more; cards should be chip-only. However banks were reluctant to accede in a meeting in December. US consumer bodies worried about acquiring side; will US tourists be unable in future to use their cards here? At present there’s no policy on the acquiring side but there may be a paper within 1-2 months on CNP fraud. And perhaps eventually we won’t need plastic any more but will use mobile.
1) I think Stearns’ history of Visa (see my review here:
is a better account to what you are making reference than Evans & Schmalense. Stricktly, E&S is not very good history as far as the trade goes. Their value undoubtedly is to be the first to explore double sided markets. But they are economical with some important dynamics (which Stearns took the trouble of documenting through interviews and triangulating with public and private documents).
2) It is not always clear where your estimates are coming from. But I guess some need to be updated as you come along.
3) On the possibilities of substitution you might want to see a recent paper by Santiago Carbo-Valderde:
4) You touch on the issue of dematerialization of money. This is part of the reason why we launched the cashless society project:
Economists have primarily dealt with value exchange properties of money. But the likes of Simmel, Sargent & Velde or Zelitzer have discussed it more broadly. Long way to say, that I think dematerialization involves a greater tradeoff than costs but, admittedly, something I am just getting my head around.
5) Further to the above, you note in the piece that dematerlization using mobile payments dates to 2002. Our cashless society piece (I mean the formal
not the waterdown version in Bloomberg:
dates it to 1954. This could give you a longer term perspective of how demateriaization has been promised for at least 60 years, yet it has not happened. It would strengthen your recurring argument that it has been promised for long time but not delivered. Actually, I am getting snifs that the idea could trace back to 19th century France.
6) Loved the ref to Gladstone and the 1882 Act.
7) I found the idea of a “social objective of payment system
regulation” quite interesting. It could be expanded on its own. Not sure to have come across anyone dealing with it in detail. I mean more than social welfare or in an economicist reductionist way. But perhaps I am not well read.
8) You could make a bit more that one of the reasons why M-PESA (or Octopus in Hong Kong) are successful is because the low value of what is at stake. I need to check my notes but I think the max reload for Octopus is aprox. US$200, where as other systems, as you rightly point out, the potential at stake is much bigger. That could be limited with pre-paid cards or something similar. But something regulators want to thing about.
Hope this helps
This was all an excellent read. Thanks for posting it, Ross. I might be shallow about these things but I think a secure, near-real time payment system is doable using today’s tech and at a relatively low cost. Clustered databases, hot standby site, OS’s like INTEGRITY, and security-critical parts made medium to high robustness. Maybe POWER7 and hardware acceleration for crypto to ensure performance.
We have the tech. Let’s just build it already. 😉
Great read, we think new pos integration, cloud and clustered databases will add a huge change to the market place for the vendor and consumer alike. We also can deliver near-real time payment system and we (Brauneck) actually do have the tech today….
Well done Ross a great read as ever.