Reaching the Unbanked: Thoughts from Pakistan

23 March 2011

(sorry for the typos in advance)

I’m up early in Dubai.. meeting with the UBL/Omni Pakistan team on their mobile money initiatives. I love visiting emerging markets to learn about successful projects. Pakistan is well on its way to becoming a leader in reaching the unbanked through mobile solutions, perhaps surpassing the Philippines, Brazil and Kenya. Beyond having a fantastic regulator, they also have 2 excellent teams:

#1 Abrar Mir of UBL/Omni and

#2 Nadeem Hussain, CEO of Tameer Bank, (ex Citi executive) Telenor/Tameer.

Make no mistake, their success to date has been 100% domestic.

In the US, we frequently get caught in a rather narrow “US centric” view of everything. Keeping a connection open to emerging markets is a great way to keep a fresh perspective and question “foundational” paradigms. New ventures in emerging markets are frequently challenged in attracting capital, even in high growth “BRIC” economies. Although many countries have worked hard to replicate the US venture model, few have succeeded. US/EU venture money normally focuses on investments which are geographically close to provide active management and reduce legal complexity (ex. control, investment, shareholder rights, liability, intellectual property, …). Emerging market innovators are left with a much reduced set of options: “local” venture firms, banks, private investors and a small number of specialist US venture teams (Elevar, Omidyar, …etc).

Although Starpoint is 80% focused in OECD 20 countries, our emerging market activities are invaluable. My personal reasons for involvement are both philanthropic and aspirational. The opportunity to provide financial services for 600-800 million people over the next 6-10 years could be THE KEY event which drives global GDP growth (and hence poverty alleviation). Make no mistake the entire pyramid of consumers (affluent at top, poor at the base) will grow, but it is the base of the pyramid which will dominate the numbers.

For those of you that have followed my blog, I have been tracking several Indian projects over the last 2 years. I’m so frustrated by the bureaucracy and corruption in India, that I have given up on that country. There are a number of companies (ie Bharti, Vodafone, SKS…) that could deliver, but they are stymied by a regulator that cares more about control than progress (MNOs Rule). It’s important to understand the political dynamics of emerging markets, particularly for well meaning investors that want to take part in the growth opportunity.

The last 7 years have been a time of much experimentation. Many mobile initiatives have been spun up by MNOs, Banks, Card Networks, NGOs, MFIs, MSBs, … etc. Within the unbanked world, MPESA stands out as the “model” unbanked success. It was started in 2004 by Vodafone after receiving ~2M GBP in grants (from UK’s DFID). I’m highly appreciative of efforts by the World Bank, CGAP, USAid, UK’s DFID, NGOs… (Aid Groups). These teams are comprised of tremendous people driven to make a difference in the world. My trip to Dubai today was my first focused interaction with the Aid/NGO community, as most of my life has been spent in the private sector. I have several observations which may be of benefit to start ups and investors in this area.

Objectives of Mobile: NGO/WorldBank/US Aid vs Private Sector

There are not many “new” ideas in banking. It is perhaps the world’s second oldest profession. Banking in emerging markets has several challenges: laws, consumer protections, consumer identification, literacy, bank infrastructure, regulatory infrastructure, … etc. This challenge is compounded by poor market profitability and network effects associated with existing money services providers (agents, money lenders,  foreign remittance, …).

For context, let me provide a very short primer. Poverty alleviation and financial inclusion is a primary focus of the world bank and many independent aid organizations. They come together in many areas, with CGAP serving as a key organization for collaboration. Micro Finance has been a key focus for this group over a number of years. A key “model” MFI is Grameen Bank, particularly after Muhammad Yunus won the Nobel Peace Prize in 2006 for his work there. There are 2 points I want to make on MFIs: they are “sustainable” at the margin and use very little technology (predominantly paper based in much of the world). For those interested in more detail I encourage a review of these 2 articles

As a banker and VC my immediate inclination is to recoil at any business which is not profitable. Profit is a sign of health of a business, if you don’t have it.. you die. However the objective of “aid” money is not profit, but rather to maximize the “impact” that every dollar of aid has. We all know the successful Aid examples of DDT, immunizations, pre-natal vitamins, .. etc. What happens when “aid” and NGO money floods into “banking” activities? Does it accelerate banking? Suppress margins? Create sustainable businesses or infinite dependencies? What is the right thing for Aid groups to invest in? Does Capitalism work in emerging markets?

Given that the US and UK dominate the Aid organizations, you would think that the last question would have an obvious answer. However, imagine yourself working in an Aid organization for 20 years, with very little time in the private sector. Everyone is biased by their life experience and in this case it is no different. Suffice it to say that there are tremendous differences in views and experience when compared to the private sector. These differences could become strengths if there was effective interaction between sectors (ex. CGAP’s market knowledge and Citi’s G2P Payments capabilities).

In my view there is much room for improving public/private collaboration, and many current Aid based efforts are at risk of negatively impacting market growth and adoption of sustainable commercial enterprises. One of the primary negative effects is subsidization of poor ideas. There are very limited market forces driving Aid based projects. Aid/NGO subsidies (note this is not investment) in commercial activities influence both price of services/products, the entities that deliver them, and consumer adoption. While the goal of Aid is to maximize “impact” the goal of investment capital is to provide a return, and hence sustainability. At a minimum, Aid groups must ensure that they have a team with experience in the private sector.

As I stated in MNOs will Rule in Emerging Markets, mobile operators are the first commercial organization to develop a sustainable model that serves the world’s poor. MNOs are clearly not philanthropists, they are focused on profitably serving their customers. MNOs have built both a physical communications network, and an agent distribution network that has driven their explosive growth. So while banking is the world’s second oldest profession, mobile operators are perhaps the newest. What happens when the 2 get married?

There are many, many groups seeking to take advantage of both of the MNO assets above. Both of these assets are networks and, as with any network, they are aligned to deliver value along well defined value proposition(s). In my previous blog Will RBI Disintermediate Agents, I detailed the implications of hijacking the agent network for payments. The communications network is also an asset that can deliver other services, it is a tool for “inclusion” as well as communication.

Mobile presents 2 primary “disruptive innovations” to the world’s second oldest profession: 1) Access/Cost to Serve and 2) Acquisition. Let me emphasize, mobile does NOT present a “silver bullet” solution to banking. Bank products must still be profitable. In emerging markets, banks have a very poor reputation at the base of the pyramid. Banks are limited in their ability to develop products which can be priced and distributed at the base of the pyramid, not just in emerging markets, but here in the US as well. Mobile banking will not solve this problem, but only allow poorly suited banking products to reach more people at a slightly lower cost. Although mobile does not significantly impact existing banking models, it may allow for the development of “new products”, one of which is payments.

As I stated in Banks will Win in Payments, retail banks historically focused investment in credit related payments and treated DDA payments as a cost to retain the deposit account. Future mobile payments plays (bank driven) would center around a simplified transactional account to allow for cash in/out, domestic remittance and bill payment. This is not a savings account, nor is it a typical DDA. The closest existing product is a pre-paid card.. and there is a bank behind every pre-paid card in the world. Bank PPC revenue is driven by net interest margin (NIM) on non-interest bearing balance as well as transaction and account fees. A cardless mobile payment product has the opportunity to bring down cost to serve by eliminating plastic issuance, customer communication and account opening (ex. KYC at Agent). The world wide explosion of pre-paid cards should correlate well to the future explosion of mobile payment accounts.

In Pakistan, UBL/Omni is pursuing a bank led approach to this opportunity while Telenor purchased Tameer Bank to pursue an MNO led approach. I’m somewhat biased here, but the reasons I like Omni: it is “open” and can support multiple MNOs, interoperates with existing bank controls, full regulatory support, path to growth into more complex account types.

Conflicting priorities

I have never met an Aid organization or NGO that likes pre-paid cards. It seems their perspective has not changed in this new mobile account type. While I don’t fully appreciate their definition of financial inclusion, a non-interest bearing payment only account does not seem to qualify. CGAP/NGO needs and priorities would be irrelevant if their grants did not invest in competing models. One of their core issues is “closed” networks: Aid organizations hate them.  But as stated previously, every network begins with delivering commercial value to at least 2 parties.

History has shown that closed networks form prior to open networks (in almost every circumstance) as closed networks are uniquely capable of managing end-end quality of service and pricing. This enables the single “network owner” to manage risk and investment. How can any company make investment in a network that does not exist, it cannot control, at a price consumers will not pay, with a group that can not make decisions or execute? Answer: Companies cannot, it is the domain of academics, governments,  NGOs and Philanthropic organizations.

The success of MPESA, GCASH, UBL/Omni, Oi Paggo, .. clearly indicates that payments is a valuable service to the base of the pyramid. These are successful networks that have developed a specific value proposition. Aid groups have “impact” objectives which do not necessarily align to profit objectives of these networks. Opening a network in order to deliver a non-commercial value proposition is not an easy task.

As stated in Cash is King, I’m a pragmatist who firmly believes that the best approach to serving the unbanked is supporting a model where at least one entity has an economic incentive to invest. This is the definition of sustainability. The alternative to economic sustainability is unprofitable zombie shells that require continued aid and investment.

As I have stated previously (see Mobile Money: MNOs will Rule in Emerging Markets and Mobile Money: Emerging Markets/Emerging Models) MNOs operating in closed systems appear to be best positioned for creating a sustainable value proposition to the unbanked in the next 2-3 years. My trip to Dubai also shows that a fantastic regulator and bank team can create a new bank product as well (UBL/Omni).

Items for CGAP/NGOs

  • Investment in commercial efforts amounts to subsidization and “picking winners”. Are you operating as a VC? Be cautious of destroying a valuable service to the poor by compressing margins for entities that do not receive your grants.
  • Stop with the “openness” requirement. Closed systems must develop first… the biggest failure will be India’s common platform initiative. Who wants to invest in that?
  • Policy advocacy and best practice are win/wins
  • Don’t force the consumers into MFI deposits through mobile money. Help with marketing.. yes.. but be careful what you advocate. There is very little market data to support unbanked demand for savings.. it would seem they would rather buy a goat.
  • Don’t belittle or begrudge commercial efforts. What you want to encourage is sustainability and investment … the elimination of grants.
  • Every now and then.. perhaps you should get at least one person on your team with a private sector background. 

Collaboration Needed

The UK’s DFID was an excellent model for Aid, channeling it through a group (Vodafone) that could deliver a “prospective” solution for MFI interoperability. What really makes this model a success is that DFID provided flexibility in “impact” and allowed a commercial organization (Safaricom) to refocus MPESA based upon market needs and adoption. Remember neither DFID nor Vodafone ever anticipated the “payments” use until after the solution was implemented and in the market. DFID acted like a VC.. chartering a COMMERCIAL team to make it work.

There are several conversations which prompted this blog, which I can’t detail as my goal is not to deride the AID groups.. but rather highlight the challenge in investing in mobile money within emerging markets. Quite frankly I was shocked at the attitude of Aid/NGO organizations with respect to commercial initiatives focusing on unbanked needs (ex. SKS Microfinance). The idea of private money creating businesses that serve the poor at a profit was an anathema. The theme of Aid groups’ view on SKS’s efforts was “greedy capitalists, they just don’t understand microfinance”. Knowing SKS and their investors, this view could not be further from the truth.

As an independent 3rd party the NGO/Aid view may have been driven by a lack of experience and respect for the private sector. While I greatly appreciate their service to a worthy cause, they have a very biased view of solutions, business and economics. Differences in approach are frequently driven by differences in goals: Aid groups want to maximize impact, SKS wanted to build a sustainable business. The real issue is not the divergent views, but the divergent goals and the money being spent to pursue them.

Visa and Cashedge

16 March (updated 17 March)

http://www.prnewswire.com/news-releases/cashedge-and-visa-to-expand-network-offerings-118071239.html

Visa has been chasing after any party with direct links to DDA accounts. This is an attempt to “end run” around poor OCT adoption (see previous blog). I understand that Obopay is also set to announce support of VMT. What a change from their MasterCard approach!

Visa is getting decent traction in Asia/ME in receiving VMT, problem is that there are no send capabilities, and the majority of banks are telling Visa to “pound sand” with their OCT transaction set mandate (see previous). I was told yesterday that the OCC is looking into both the mandatory nature of Visa’s OCT and the AML controls.

It will be interesting to see how Visa explains the loss of international wire fee revenue to their member banks. Why pay $40 for an international wire when you can use CashEdge to send to Visa, then VMT to send to India/Mexico, …? As I ran Citi’s online properties I can tell you this completely overlaps with my Citi Global Transfer service and I would not be happy at all.

As a banker, I’m mad as hell at Visa. Why don’t I like this VMT?

  • Visa will keep the directory of cards, mobile numbers, and DDAs. The last 2 really really make me mad. Who says they can hold my customer information?
  • Visa runs it.. Continues to build Visa brand on your ACH
  • You own the risk, Visa develops new services
  • Circumvents all of the industry controls on ACH (ex. Early Warning)
  • Unfunded Reg E research burden and consumer support reqs.
  • Confusion in online services
  • Cannibalizes existing bank products (wire transfers)
  • Customer service/research nightmare .. all unfunded
  • Visa may have a much smaller role to play in debit.. why would I want to add new services to their group?
  • it will be very, very hard to shut down once it gets moving.

Fortunately for banks, CashEdge is a bank friendly vendor. Actually, it wins the prize for best bank vendor (I signed 2 contracts w/ them). Visa will not do enrollment, nor will they have directory of DDA/Debit. CashEdge is providing multiple service/pricing options to participating banks:
– Send to DDA
– Send to phone
– Send to e-mail
– and new option.. send to Visa Debit Card (w/ fee)

Each bank has flexibility in determining IF they want these services and how to price them. As you can tell.. I would never let the Visa option happen.. but then again I don’t run the online bank anymore.

I’m beginning to wonder if I’m just a pessimistic nag. I’m tired of being negative on things… What do I like this quarter? Google and NFC, the Chase QuikDeposit app, PayPal at the POS, .. oh and I loved (past tense) ISIS until they fell on their own sword.

No blogs next week.. will be out of pocket…

Square “Violations”

16 March 2011 (Updated 17 Mar)

My top issue w/ mobile swipe is clearly customer behavior and potential data loss. I’ve been asked to provide a basis to decline Square transactions (debit particularly) so, rather than sending out multiple e-mail responses, I thought I would share.

Issuer Top 4 reasons to decline Square

  • PABP/PCI compliance
  • Collection and use of ancillary customer information
  • Paper Signature requirement
  • Chase has all of the equity upside

Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises and prevent storage of sensitive cardholder data.

http://usa.visa.com/download/merchants/validated_payment_applications.pdf

 

Phase V of PABP went into effect on July 1, 2010. This phase required all Acquirers to ensure that their merchants and agents use only PABP-compliant applications. A list of payment applications that have been validated against Visa’s PABP/PCI DSS is available at www.visa.com/pabp. Note Square is missing, how can Chase acquire for a merchant/aggregator that is in clear violation?

UPDATE 17 Mar (Thanks Bob Egan) Evidently PCI has revoked certification of all mobile swipes until new rules have been created. See related post  http://storefrontbacktalk.com/securityfraud/pci-council-confirms-multiple-mobile-applications-delisted/2/

From the Visa Operating Reg, (pg 428)

While Square does not “require” mobile number or e-mail address, it is collecting it at time of transaction (plus your location). As this information is associated with the transaction, it must be managed within PCI. The business risk here is that Square will use address and location information for something else.. or Chase gets the e-mail address of all of your card customers. This is why the rules were created.. so this does not happen.

Last is Visa requirement for paper receipts. From Visa’s Transaction Acceptance Device Guide

Chase bears all of the burden here, I hope they have taken a holistic view of the fraud and data compromise risk.. not just approving their own cards… but for every card ever swiped by Square.  Advanced fraud schemes take 18mo-2 years to develop.. so it may take some time for risk to materialize.. and for them to pull back.  Chase.. these future losses will easily wipe out the 15% of Square equity that you hold.  Perhaps they are moving so aggressively here because one of their key partners (ie Apple) is falling down in NFC.  Which brings to mind the larger question: Is Chase Anti NFC? 

Remember just 4 weeks ago that all of the US banks were looking at a future where ISIS would control NFC on the handset. Perhaps this is Chase’s way of developing an alternate strategy to address NFC’s biggest weakness: infrastructure. If this is true.. then Chase I apologize.. your strategic play here was indeed valid. As of this month, we are looking at an ISIS crash and burn and NFC control with RIM, Google and Nokia. My hope is that Chase will abandon Square once the threat, of MNO control over payments, has been eliminated.

Recommendation for banks

  1. Educate your customers. DO NOT give your personal information out when you use your card
  2. Start to educate your customers on mobile payments in general.. how will it work?
  3. Encourage use of credit over debit.. greater consumer protection and better margin for you
  4. Set some common sense rules .. use your card with trusted vendors (Apple, Grocery, … )
  5. Educate your customer facing employees from branch to call center..
  6. Think about your small business value proposition, how can you help small businesses accept cards?
  7. Issuers, think about declining Square transactions.. particularly for debit

Google wins in NFC! No NFC for Apple’s iPhone 5

14 March 2011

From UK’s Independent

No NFC for iPhone 5. Too many architecture considerations.. (previous post iPhone Twist) So while their patents clearly indicate NFC is in their plans.. they have not been able to coordinate all of the design into their iPhone 5 program (from hardware through software and apps).

 Brian White of Ticonderoga Securities  and I have both been predicting NFC, but we are obviously wrong.  The coordination necessary to bring about this change is tremendous. Vertical integration has its advantages in quality and control, but centralized control also prohibits distributed decision making. This is where closed platforms fail (Apple).

Just take a look at the NFC patent portfolios of some of the companies aligned to Google/Android (previous post). The Android platform is much more loosely controlled, which provides for distributed innovation and investment.

Make no doubt that NFC will come to iPhone, it just didn’t make the iPhone 5. This is good news for device fidelity.. and great news for Google. Apple may not be able to recover from this one. The iPhone provides tremendous consumer value as a handset and media player. But NFC will be the driving force behind many new value propositions, and investments are being made today.

More to come tomorrow.

Apple’s P2P: Visa Money Transfer

Update 13 March 2011

It would seem that there is some amount of disconnect between the bank eCommerce, debit and inter bank teams. The banks are working on a new interbank P2P service. This service will be based on ACH and follows on to what was pulled from the BAC/WFC Pariter scope last year. My guess is that JPM is also a “partner” and is committing to directory integration just as it is with CashEdge (Citi, 5th 3rd and 200 odd banks).

The Visa Money Transfer commitment may be an “accident”, and the banks may not know that Visa is working with Apple. This Visa service would clearly compete with the new bank owned service.  

11 March 2011

In previous blog I spoke about Apple and NFC, although I still don’t know if Apple’s wallet will be ready for the iPhone 5.. it does seem that they plan to launch with a P2P transfer system powered by Visa (See previous blog on Visa Money Transfer). Apple’s iTunes wallet does not “store” funds like PayPal nor does Apple have money transfer licenses. It was therefore searching for a way to allow consumers to pay each other. News I have is that they have selected Visa Money Transfers for this. Is it the only way? Perhaps not… but I give it 90% confidence of being in scope for wallet launch. (Sorry for the confidence thing.. it was Gartner Group’s way of making shit up)

I just can’t believe that bank payment heads are allowing this. I was on the phone with the head of debit for 2 of the top 5 banks.. their eCommerce teams love the idea of partnering with Apple.. but the debit card heads have said “no way”. It is just a terrible idea for banks to give Visa a way to circumvent ACH.. and it will be very, very hard to shut down once it gets moving. Reasons:

  • Visa runs it.. Continues to build Visa brand on your ACH
  • You own the risk, Visa develops new services
  • Circumvents all of the industry controls on ACH (ex. TCH, Early Warning)
  • Unfunded Reg E research burden and consumer support reqs.

The big banks that have taken the plunge are JPM and BAC. Not sure if both have committed on debit AND credit.. or just credit. The business case for credit is pretty solid and I don’t have any issues here, but allowing Visa to control transfers on debit is not in the best interest of banks. Why would banks want to allow Visa to develop a consumer directory and a new service that directly competes with ACH (see blog)?

Bankers, my recommendation is to buy Interlink or Star and put it in TCH… then run this debit service there.

Start ups.. I would not focus on payments in Apple’s platform. Think there would be new opportunities in integrating POS to Apple’s payment mechanism, or even a “billtomobile” kind of function where you can pay online with your Apple ID. My head is spinning at the chaos this will cause within ISIS AND each carrier’s own billtomobile efforts. Apple is near a tipping point with the carriers. I would expect them to start aggressively pushing a much more friendly Android model.

Mobile Swipe: Risk is Behavior … not Security

11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (Outside of the US), I also led sales and marketing for a little start up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Eliot Ness (Famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch me if you can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down.. one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales…. a specialization of labor. Phishing was a great success, as customers responded to e-mails looking legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks.. point is that this is a dynamic war taking place and bank fraud teams are the “special forces” that crack the code.  The online fraud environment is the most complex battlefield of all. 

It takes resources to win any battle. To give you an idea of the size of risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, Paypal, Amazon and Apple all have world class teams and resources in this area… thus they seek both higher margin (ie risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well known axiom applies: If a hungry bear comes into your campsite, you don’t have to be faster than the bear.. just faster than all of the other campers.

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

Example story from yesterday.

Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”.. I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars..

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for name and phone number and put it in her phone prior to authorizing your transaction would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: The card business want to grow transaction volume. The fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (w/ CVV), and obtained phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software.. or even try to submit a transaction. They would give the food away for free just to get the data. Once I have this data, I could send within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope.. people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure.. your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over their card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No. You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline Square transactions. My guess is that at least 2 major banks will begin to decline all Square transactions within next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.

Verifone Builds Square Fraud App in 1 hour

I took a look at my blog stats today… and they went through the roof.

Verifone’s CEO (Doug Bergeron) published an open letter to the industry on Square’s flaw. The Square dongle is not PCI compliant (see my blog from last year). Verifone is spot on… they built this skimming application in ONE HOUR.

The YouTube video was just pulled… you can still view it at http://www.sq-skim.com/

Chase Paymentech is Square’s acquirer, and I spoke to them specifically about the Square risks last year. This is an industry issue.. as stolen cards and fraud generate both issuer losses (card present transaction) and a tremendous hassle for customers. I don’t understand why Chase supported this thing… Was told last week that Square’s fraud is off the charts. As I said back 16 months ago in January 2010:

The acquirer that takes this on will likely have a few headaches when the first major craigslist merchant starts using the device to skim and resell card information (among other things). There is a reason for PCI compliance and for my “securing” my physical card and CVV. I can’t wait to see Square’s Payment Services Agreement (PSA). Operationally, the issuers have control over card authorization through systems like HNC’s Falcon or SAS Raptor. This means that if SquareUp is found to have contributed to a data loss, or has a high number of fraudulent transactions (see link), customers would see their card transactions declined, or the network (Visa/MC) would shut SquareUp down.

The great thing about the PayPal model is that the customer funded the account after agreeing to terms. In Square’s model, consumers are unregistered, and Square is acting as an agent of the merchant. For Square’s investors, there is atypical risk which they will see through “unique” bonding/insurance requirements from the acquirer. Just as with any company, Square will face unlimited liability associated with loss of consumer information (think TJX). To get an idea of the potential misuse, see the YouTube video below.. crooks invest quite a bit in technology here… will SquareUp make it easier for every iPhone owner to become a skimmer?

Update Thurs Mar 10

Networks are dependent upon everyone following the same rules. Rules are what make networks work, and are essential in “trusting” the transactions coming in. PCI rules were agreed to by all.. Square’s reader does not comply, nor does its iPhone app.  That said we have a very mixed bag of incentives within the current card networks. Banks and the networks want Square to succeed, as it will drive more transaction volume AND drive card use further down market with small merchants… see Visa’s blog

http://blog.visa.com/2011/02/14/emerging-payment-types-new-opportunities/

Bank margin is driven by the ability to manage risk. This is the nature of banking. Within credit card, big banks like Chase have tremendous experience in fraud and risk.. they seek both higher margin and volume. Chase is comfortable with the risk it is enabling with Square as both issuer and acquirer. However, their acquisition relationship with Square (through Paymentech) enables fraud to enter the network, and other banks may not have updated their authorization rules to accommodate. For example, Bank of America certainly wants to increase transaction volume .. but is it willing to pay the price of BOTH fraud loss AND of encouraging a change in customer behavior (give their cards to anyone with an iPhone and card reader)?

From my background at 41st Parameter, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. This will be an active discussion for them today. Bank decisions are caught up in the business dilemma of how to respond to Durbin, as well as their own mobile strategies and EMV perspective. Fraud usually develops once critical mass is reached, as fraudsters don’t want to waste their own resources developing a compromise unless there is volume. My view is that Square’s reader and iPhone application are clearly not compliant with PCI rules and that Visa and Mastercard must shut them down. They have no choice.

Perhaps a story is in order to talk about potential impact. Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”.. I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of the world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars.. and claim that we are responsible for their fraud (they have a decent case). Verifone’s 1 hour fraud app (www.sq-skim.com) is not a technology issue as much as a behavior one. A good crook would probably spend a few days developing an iPhone app that asked for your PIN… and took a picture of the back of your card w/ CVV. I noticed in Square’s response that they also ask customers for phone number and e-mail address (normally). This data is beyond the wildest dreams of fraud organizations. I can just imagine a fraud ring setting up hot dog or ice cream stands that only take cards… and sell the ice cream for $.50… they would never even use Square’s software.. or even try to submit a transaction. They would give the food away for free just to get the data.

As a side note, Square is not winning against Verifone. Square has only 5k-10k active merchants (see blog) and $200k in revenue per MONTH… so let’s stop this thing before it gets viral.

Payments Innovation in Europe

8 March 2011

Why do I like the Payments business? It is ubiquitous, sticky, with good margins and strong annuity revenue.

What do I hate about the payments business?

In the US, it is over regulated, concentrated, difficult to change and a frustrating enigma driven by large FSIs with unlimited resources…. Within Europe the situation is little different.

After coming back from last week’s trip to the Valley, I was attempting to develop an investment hypothesis on Europe, mobile, payments and innovation in general.

While Europe’s individual talent is second to none, and capital is plentiful, the European market is designed to resist change and thus impedes the development of early stage ideas and companies. Early stage companies can incubate within a single country but are challenged to expand beyond, due to complex regulatory and market dynamics. Navigating these dynamics causes early stage companies to develop more slowly, thus requiring a higher risk premium on invested capital.

                   – Tom’s European Venture Capital Hypothesis

SEPA Overview 

(European colleagues can skip this section). 

SEPA and PSD (SEPA’s enabling legal framework) attempt to create harmonization of payment schemes across the EU (See SEPA Blog, and excellent PodCast). The result? 837 pages of detailed and contradictory EU law with no business incentive. SEPA has been plagued with delays and issues, as should be expected given that there was no business incentive nor a pan-EU regulator to enforce it. SEPA Credit Transfers and SEPA Card Framework have been in place for a few years (2008). While the SEPA framework commoditizes payments, and while this is consumer friendly, there is no business incentive for large banks to implement it (see Barclay’s consumer support on SCT). The same can be said for the SEPA Card Framework (See MA’s Self Assessment). The main points from ECB’s regular status report:

  1. Banks must create greater awareness of SEPA, and must offer better products, based upon the SEPA infrastructure. Government should accelerate programs to adopt SEPA as the standard for its disbursements.
  2. The banking industry must commit to work together to remove obstacles which might compromise the Nov 1 2009 launch date of the SEPA Direct Debit. Debates on the launch date, the validity of existing DD mandates, and interchange fees must be closed out rapidly.
  3. Bank systems need to be improved to enable end-to-end straight-through-processing, originated by files submitted or by e-payment, e-invoicing, and m-payments.
  4. The ECB wants to see a target end date for migration to SEPA products, and for exiting out of older credit transfer and direct debit.
  5. The SEPA card framework in its current form has not yet delivered the reforms which the ECB wants. In particular, ECB wants to see a European card scheme emerging.
  6. The ECB perceives a lack of consistency in card standards. It wants to ensure that a clear set of standards are adopted and promoted throughout the industry.
  7. A common, high level of security for Internet banking, card payments and online payments is needed.
  8. Clearing and settlement organizations in many countries have made good progress on SEPA, and several are upgrading from national to pan-European.
  9. The banking industry, and its representative body, the EPC have not sufficiently involved other stakeholders.

 SEPA’s Impact on Innovation

European harmonization is a fantastic objective, but translating EU guidance into country law, with each country’s banking regulators responsible for interpretation and guidance, is problematic. This becomes even more difficult when banks (who were not included in the SEPA design) have an inverse adoption incentive. An analogy in the telecom world would be telling the land line carrier that they must open up the switch to anyone that wants it at no cost.. and they have to assume all of the risk and operational responsibility.

Early stage companies and “payment innovators” are left with a complex set of constraints.

  • Dependent on local national relationships to launch a product,
  • SEPA creates harmonization, but country specific laws and regulatory guidance are unique
  • ECB initiatives (ex. See ELMI) create opportunities for non-bank participation in payments,  but SEPA has removed all margin from the business

So in Europe we see the consequences of over regulation.  While SEPA was designed to increase competition and create new European schemes, there are few business models capable of supporting investment. Hence Europe is not the place to start a retail payments business.  Hence Asia, LATAM  and Canada are all great places to start a payments business (my picks: PH, HK/China, Brazil, Malaysia, SG, Colombia, Indonesia and New Zealand).

Europe and Advertising

I don’t have time to finish the thought here. For those of you that read my blog, you know I’m very enthused about the prospect for advertising to be a future payments revenue driver. Unfortunately for the EU, consumer privacy regulations (and subsequent “tracking” issues) are the most onerous in the world. In Germany for instance, my Citi team was forced to purge the web log of IP addresses every 30 minutes.. for our own customers. The point here is that we could not even maintain loosely correlated consumer information in regulated accounts. Google has similar problems today (see Das ist verboten).

Where is the EU opportunity?

Where there is an intersection of: low margin payments, businesses with frequent cross border (within EU) transactions, without need or desire for banking relationship. MoneyBookers is an excellent example of this model in gaming.

Other possible  investment drivers relate to when payment transaction infrastructure is a commodity:

Arbitrage – Move intelligence to new regions or countries where the cost of maintaining it is lower

Aggregation – Combine formerly isolated pieces of dedicated infrastructure intelligence into a large pool of shared infrastructure that can be provided over a network

Rewiring – Connect islands of intelligence by creating a common information backbone

Reassembly – Reorganize pieces of intelligence from diverse sources into coherent, personalized packages for customers

 Thoughts appreciated.

NFC Update – Zenius/InsideSecure

7 March 2011 

Previous Blog: OpenNFC 

I met with the Inside and Zenius folks last week, and am impressed with both teams. Their mutual objective is to make development of NFC applications “easier”. Both have developed a chipset independent framework (common API layer) which creates a layer of abstraction between an NFC application (ex wallet) and the underlying hardware. Both have also developed example applications that leverage this API layer (wallet, ticketing, loyalty, … ). My summary thought on the 2 teams: I like them both. Inside has expertise from hardware through software delivery. Zenius’ expertise extends from POS to Handset across multiple hardware architectures.

Comparison

Zenius

  • NFC API framework
  • Chipset independent (proven)
  • Vendor independent
  • Handset Applications
  • POS Applications
  • MNO experience

Inside

  • NFC API Framework
  • Marketed as Chipset independent (not proven)
  • Handset NFC Applications (5 of them)
  • Discourages Multi SE environment
  • Discourages Application Development (Use one of its 5 Applications)

What I struggled with was Inside’s insistence that there should only be 5 NFC applications. In other words, its NFC middleware layer was only for its own internal use to ensure that its applications work across all (competitor) NFC chipsets. The implication is that there will only be 5 NFC applications… for eternity. For example, ISIS selected the C-SAM wallet that sits on top of a custom built NFC stack.  In the Inside model, ISIS would need to jettison both CSAM and its custom middleware.  (Yeah, I had the same reaction).

Zenius has a much more mature model, driven from their legacy working within Verifone and VivoTech. The Zenius guys had to make their applications work across multiple hardware solutions, and hence developed a framework that is now productized. They have also developed 5 standard applications that are “reference implementations” of their APIs; you can use them in a white label fashion, customize them.. or take them apart to see how they leveraged the API layer. This is a better approach hands down.

Inside’s approach seems a little unrealistic, and could be perceived as a “land grab”.  What do I like about Inside’s OpenNFC? The middleware and their end-end experience. In the end they are driven by chipset volume.. my guess is that they would be willing to give away OpenNFC if it would drive their chip sales. Problem is that giving it away may only commoditize their core product, hence they would be tempted to ensure that their product “works best” with OpenNFC. This is one reason that middleware vendors (MQ, Tibco, WebMethods, ..etc) developed separate from software companies.

Given that developing native NFC applications is difficult, the experience largely sits within companies like: Inside, NXP, Verifone, VivoTech, Device Fidelity, Tyfone.. .  People within these organizations all know each other.. after all it is a very small community. I asked them how many of their colleagues are at Apple. The answer across the board is that they don’t know of anyone.  This tells me that Apple is probably more than a few months away from launching an NFC wallet, or that they are dependent on a vendor (?Gemalto) for all development.

Since ISIS has already completed development of its own NFC wallet (not on iPhone), what are Apple’s plans?  I’m told that Apple wants a wallet tied to their 200M Apple accounts, this could be mere speculation, but it seems logical. I’m also told that Apple has their own NFC wallet. If Apple does indeed have an NFC application, it is something they have procured (licensed and modified) from Gemalto.  This is not a bad thing, particularly if Apple is more focused on hardware architecture, and plans for managing secure elements (SEs). The first wallet will undergo significant testing, through a new hardware and software stack. They must have something they control (not ISIS) and that is tested (Gemalto) to reduce complexity. Apple will likely need additional applications, but they must start somewhere.

All of this just spells further trouble for ISIS, who was hoping to focus more on POS issues now that they have a working wallet application. If RIM and Apple are successful in keeping control of the NFC wallet, ISIS can only hope to be another “card” in the wallet… one that speaks Discover ZIP initially. Quite a different value proposition than what they started with 6 months ago.  

For Apple, this allows them to strike a strategic relationship with a card issuer (like Chase) who will likely invest in both marketing and POS infrastructure. I’m sure that Apple’s plan is to also integrate iAd… although it can’t possibly make it for 2011 (my guess).