Structural Changes in Payments

2 January 2015

Today’s blog is focused on discussing the structural changes influencing consumer retail payments in the US. For those interested in looking at a broader global view of all payments, I highly recommend reading the Cap Gemini World Payments Report (https://www.worldpaymentsreport.com/) .

Payment Value - highlighted

Payments have been a focus of mine for 20 or so years… it is perhaps the MOST interesting of all network businesses. Payment is a critical part of commerce and a product of it. It is the event in which almost every commercial contract is based upon. Payments can be simple (cash), complex (bitcoin), and political (interchange, rules). Payment efficacy, reliability and data are important to: consumers, merchants, banks, governments and economies.

Globally, electronic payments are still in their infancy, which makes investing in it so much more exciting. For example, over 90% of the global electronic transactions occur in the top 10 markets (representing less than 10% of the world’s population).  This would seem to point to a future where electronic payments (and the banking/commerce they represent) are poised to grow geometrically as the number of nodes grow. There is a chicken and egg argument here.. are payments the result of strong economic environments or are they the enabler? Perhaps a bit of both, but finding markets where they are growing (ie Brazil, Peru, Philippines, Kenya, … ) are worth exploring (Democratizing Access to Capital – see blog).

Not only are payments poised for exciting growth, there are also tremendous forces driving change within existing systems and networks. Investors must consider these structural changes impacting existing players across the entire value chain.

In its simplest form, payments are a brokering business which manages value exchange between two entities engaged in commerce. Logically, a broker must be removed from the transaction to maintain the trust of both parties, and deliver value through managing the financial risk associated with the transaction. My view is that Card issuing banks, have lost the neutrality of their “brokering” role by creating a card rewards system that incents card use (paid by the merchant). However, this ideal “neutral” world is NOT the nirvana that we should seek, as no one would invest and we would be stuck with cash (and SEPA in the EU .. see blog).

Complexity in payments is driven by the quest for control and margin of the various participants, not by necessity. This is what makes understanding payments so hard…. most of the changes are not logical, but political. The friction (inefficiencies and illogical design) in payments is what makes them work. As I’ve stated before, no engineer would design a payment system to operate the way we do today (see Push Payments). Thus there is beauty in this chaos! The V/MA model created incentives for 1000s of banks to invest in payments, and I doubt if we will ever see any other companies that could repeat this feat (thus my V/MA personal investments).

What changes are likely to impact the world’s oldest profession in the next 10 years? My list (in order of impact)

  1. Risk and Identity
  2. Data/Commerce Value
  3. Consumer Behavior/Trust/Acceptance
  4. Issuance/Customer Acquisition/HCE
  5. Regulatory/Rates/Rules (Fees)
  6. Mobile/Payment in the OS

#1 Risk and Identity: Authentication and Authorization

How would you authenticate someone’s identity? Best practice is to validate a combination of what you are (biometric, image, DNA), with something you have (mobile, token, OTP FOB, …) and something you know (shared secret). Apple’s new iPhone 6 is the first major consumer device that can manage all 3 securely. It is truly revolutionary.  The ability to authenticate a consumer eliminates fraud risk, and thus impacts both Account Opening and Transaction Authorization.  Both of these services in turn impact the “core” banking relationship (see Future of Retail Banking).. How do consumers choose a bank? A credit card? What is the value proposition?PIN Fraud Rate 2013 Value

Before there is payment there must be an account in which to pay from. The key to opening an account is identity (Regulatory KYC or Know Your Customer). Account Opening has been automated (and online) for over 10 years. In 2004, my team at Wachovia was the first in the world to introduce instant account opening (online) for deposit accounts (Credit Cards were just 2 years ahead of us..). 10 years ago I used products like Equifax accountChex or EWS AOA (Validating questions based on prior financial history and credit bureau data), today could I use Apple!?

Identity and authentication is changing rapidly, and if the first two paragraphs were not already enough to ponder on this topic, we must mention Bitcoin. As opposed to authenticating the person to give access to funds and services, bitcoin authenticates itself enabling the holder to be anonymous. It is a self authenticating instrument.. imagine a dollar bill that can tell you it is genuine with 100% accuracy.  Self authenticating instruments exist independently of the holder and are a store of value (ie, Gold, Bitcoin, …etc). Normally there was physical presence required to exchange self authenticating instruments (exchanging gold), bitcoin changed all of that. A virtual self authenticating instrument that can be exchanged remotely and cannot be tracked (easily). Whereas payments are instructions move money (value) from one bank (store of value) to another, a bitcoin exchange is value exchange (not instructions). bitcoinhow-100032615-orig

The power of bitcoin to disrupt payments, companies, government, economies, .. cannot be understated.  How could any central bank manage money supply in this model? How can you tax something that cannot be tracked? The growth challenge for bitcoin is in “connecting” to other payment networks and regulated entities (ie cash out).  Unfortunately the entities which benefit the most from bitcoin are those that seek anonymity… which of course impacts the willingness of mainstream (regulated) institutions to accept it.

Fraud and Risk

As you can see from picture above “risk” in payments has several components: credit risk, settlement risk, fraud risk, regulatory/AML risk, … etc. Fraud risk is the area in the most flux, both WHO owns the risk and HOW it is managed. In the US Card Not Present transactions follow the pattern of ACH and Checks in that the originator of the transaction bears the risk of loss. In a retail transaction, that is the merchant. applepayinapps

Risk and fraud management were historically the key areas where banks excelled and differentiated (big banks have multi billion dollar investments), but the merchants and platforms have now passed banks in their ability to manage it. This mobile authentication advancement had rendered the multi billion dollar bank risk investments moot (for mobile initiated payments).  Proof is in the picture above (see Federal Reserve 2013 Payment Study), all fraud has fallen tremendously! Both for Card Present, Card Not Present and even for Checks. Why? As the former EVP of a Kleiner Perkins backed Fraud Prevention company I’m not going to give you all the details, but suffice to say that identity plays a key role. Paypal, Amazon, Google, Apple all have fraud rates under 8bps, some have the around 3bps.  These numbers will get better for Apple and Google as mcommerce starts to take an ever larger share of eCommerce (see my previous blog) and they bake in biometrics into mobile payments.

A key point that investors must understand here is that the large CNP merchants have gotten so good at managing fraud, that they could care less about a liability shift. What they want is a rate reduction (risk based pricing).  After all, if you could manage fraud at a rate of 3-8bps.. what work is the bank doing to justify taking 240 for payments? The Paypal investors read this and say “ahh.. Apple and Google want to become Paypal”.. No they don’t! while Apple/Google COULD assume all the functions of Paypal, their role as commerce orchestrators is of FAR greater value. In this role you must not force a consumer to a merchant, a good, or a payment instrument. “Let the consumer decide” is the common mantra across the Google, Apple, Amazon.

The investor impact is complex. Large merchants have proven ability to manage fraud and risk, and want the consumer to choose the payment instrument of their choice. Banks ability to differentiate in managing risk is greatly reduced, and the cost of issuance/acquisition is dropping to 0. Banks have proven incompetent at creating a Visa/MA replacement. What are the levers in negotiation? How will merchants negotiate a lower rate?

The path in Europe, Australia and the US (Durbin/Debit) has been driven by regulation. No one likes having regulators define the rules, but my investment hypothesis is that there will be a very large TILT of Visa/MA toward the merchant. This will address the both regulatory pressure, and open up new revenue streams surrounding data (below). This tilt means moving rates in the direction that retailers want, creating new rate tiers where risk and identity can be managed by the merchant/platform. Remember Apple is getting 25 bps for their service, the next logical move would be make this same “discount” available to anyone that can drive down risk. Personal-Data-Ecosystem-Diagram-from-FTC-Roundtable

From an identity perspective, Google and Apple have authentication as the CORE feature of their mobile platforms.. it is key to everything they do in mobile. See my blogs on Brokering Identity Authentication in Value Nets, and Authentication – Key Battle for Monetizing Mobile for more here.

#2 Data and Commerce Value

The comments below are largely taken from my blog Banks, Non-Banks and Commerce Networks. As a side note, this is the focus of my new Company: CommerceSignals. We are working with the Fortune 50 to serve as the neutral broker, one layer above the network, supporting companies working together offline and in mobile.

Today, every issuer and card network is chasing after American Express and Alliance Data Systems. Both ADS and Amex have made SUBSTANTIAL progress in working with merchants to deliver new value to consumers. AMEX and ADS have the benefit of working in a 3 party model where they own both the merchant and the consumer relationship.  As I’ve stated before, I believe these 2 companies are 3-5 years ahead of everyone else. Is this data stuff delivering any revenue? Market Size AdvertisingFor ADS the answer is a resounding yes, for Amex the benefits seem to be less direct and more on customer loyalty/spend/engagement. See my blog on Amex Innovation Leader for more details.

Think about the battle in connecting networks, as each of us have limited resources we can connect only to a finite set of “hubs” (unless there is some larger orchestrator). Examples are Wikipedia and Google… these serve as the directories of information. It is almost IMPOSSIBLE to displace an efficient hub. This is why I love Visa, MA and Amex. If they can shake the issuer “tilt”.. and add a few merchant friendly services, they could leverage their networks in many new ways. The revenue opportunity? Payments in the US is roughly a $200B business (issuers, acquires, processors, networks), whereas marketing is $750B (in US).Infographic_Showrooming-lg

Payments work well, but so did the Sony Walkman. The bets that Google, Apple, Amazon, Facebook and others are making is on value orchestration. Does this involve payment? Not really.. at least not as a primary focus.. Payment is there.. but orchestration is about commerce; payment is just one of many important processes (See blog Payment in the OS).  Don’t look at payments as something in isolation, payments are the “connections” made in commerce; they are made for a purpose. Visa and MA also have the potential to expand their “traditional network”, but this must involve a separate agreement with separate rules.

Payments = Network

Here is my network view. Payments are the connections of the GDP. If we were to map payment flows, we would unlock a map of the global GDP at the micro level, from employment to shopping, behavior and preferences, to demand and supply. Free information flow on the internet is enabled through openness and a single primary protocol, whereas payments operate within 100s of proprietary networks with a complex series of clusters and “switches” (there is effort in connecting, authenticating and managing risk). Just as it would be nearly impossible to change the protocol for the internet, it would be difficult to bring fundamental change in payments (see Rewiring commerce).  Now think about the value of payment data. Connecting business is much different than connecting information (the core of CommerceSignals.. but I digress).

From a network strategy perspective, the business opportunity of changing “payments” pales in comparison to the opportunity to influence connections in commerce, banking and manufacturing. Payments support business and consumer needs; they do not alter their path. This insight is the downfall of bank payment strategies around “control”, and their inability to “tilt” toward merchant friendly value propositions.

A top 5 retailer provided my favorite commerce quote

“I think of Commerce as a highway, the payment networks are like a toll bridge. I don’t mind paying them $0.25 to cross the bridge, but they want to see what is in my truck and take 2-3% of what is inside. Hence I’m looking for another bridge… “

ADS, Amex, Google, Amazon, Facebook, Alibaba, V, MA all understand this. Rather than charging toll for crossing their bridge, these networks are beginning to execute against plans to grow the size of the goods in the merchant’s truck.

Existing networks have an existing value proposition, and many don’t like to have their services leveraged by competitors, thus there is a much more highly “regulated” flow of information. Intelligent use of data increases the effectiveness of networks in a way that also benefits consumers. Tilting more toward merchants and consumers.. means tilting away from banks. This is VERY hard for a bank to initiate. It is a change worth making however, as assisting merchants (or consumers) is what brokering is about. My firm belief is that both V and MA have the opportunity to grow Revenue 4x+ in the next 5-10 years. Their principal challenge is to “tilt” their models away from Banks and toward the 2 parties that matter most in commerce: Merchants and Consumers.

#3 Consumer Behavior/Trust/Acceptance

Perhaps nothing matters more in business than consumer behavior (see Consumer Behavior: Discerning and Capturing Value). In payments we learn over and over again that behavior changes slowly in 20 year cycles (Checks, Debit Cards, ATMs, Mobile). Any investor looking for payment innovation should run away unless there is some underlyibranch visitsng commerce value proposition. Payments work REALLY well its everything else that is broken (in OECD 20 countries)…. Among Payment innovators/founders there is a common saying.. you only start ONE payment company.

It is easiest to find the hotspots in payment by looking first for the changes in consumer behavior. For example, the tremendous change in how consumer’s are using their phones, as I outlined earlier this week in eCommerce/mCommerce Convergence.  The banking relationship is also changing, as customers visit branches less than 3 times per year, and the billions spent on huge buildings, huge vaults, sports sponsorships and brand names gives way to value.

Brand reputations for 2014 just came out last week (see Venture Beat), with Amazon, Apple, Google topping the list. How did these companies earn this reputation? Through consbank likabilityistent daily interaction delivering value in every interaction. Value delivery and interaction are my key metrics for assessing investment and focus; both are key measures of consumer behavior and trust. There are many strategies: whereas Google engages with the average consumer 10-50 times per day (winning in frequency and insight), Amazon has a lower interaction but a much greater impact on transaction (value delivery), Apple’s interaction is more holistic within a much more affluent base, Facebook’s is more social.

If I were to outline one KEY point to my bank friends it is this: you can’t reach consumers where you want them to be.. you must reach them where they are. This is the essence of why most bank strategies to engage are failing. Consumers choose to go to Google, Apple, Amazon because of the value and service. As the charts above show, most banks are challenged to deliver value within the core banking products they already delivery, why would any customer want to use a new service in this environment. Thus Bank’s efforts are ill suited to drive a deliver products outside of their core, and outside of existing consumer behavior, banks play a role in SUPPORTING commerce.. not leading it (see Card Linked Offers).Measure Data

Apple is the greatest company in the world in delivering value, experience and changing consumer behavior (see blog Apple and Physical Commerce, and Consumer Behavior). Apple’s reputation is well deserved and earned “the hard way” by remaking: phones, music, mice, computers, apps, …etc.  Through consistent delivery of value within fantastic hardware delivering great (and fun) consumer experiences they earned trust for their products and brand. The greatest NEW opportunity for Apple to influence consumers beyond the individual (music/contacts/calendar) and eCommerce (browser, apps) to the real world: Commerce.

Unfortunately Apple is inept at partnerships, even within its own supply chain. While apple has the talent to accomplish this, their commerce, payment and ad teams are buried within a hardware culture. They will only succeed if they are spun off into a separate division, thus my view is that there is a very low probability of Apple acting in an orchestration role across 1000s of Banks, millions of retailers and billions of consumers. If they did move, it my recommendation (and guess) is that it would be a consumer centric orchestration role as I outlined in Brokering Identity.

One technology (and behavior) I’m keeping an eye on is Beacons and mobile use in store (engagement). Qualcomm Retail Systems spun off the IP around Beacons to Gimbal with Qualcom and Apple both rumored to have 30-40% of the equity. Today Retailers are the entity best positioned to change consumer instore activity for 2 reasons: they alone know consumer product preferences, and they physically touch the consumer (trust, value, presence). See Retailers as Publishers , and Apple iBeacon Experience for more detail.greendot

#4 Issuance/Customer Acquisition/HCE

Now this is a mixed bag of topics. What is fundamentally changing in card issuance? Most of you know I ran remote channels at both Citi (06-07) and Wachovia (02-06). Today, most new customer bank accounts are originated online as branch visits go down and direct mail (the old way) even directs the consumer to this “instant” channel.

Historically I had to spend about $150 in marketing for every new card customer, and around $80 for every new deposit customer. Banks still incur roughly these same costs, but prepaid cards have an acquiring cost of less than a tenth of this cost (See Future of Retail Banking: Prepaid). In this pre-paid model banking products sit on a shelf in a retailer and compete for customers just like shampoo and candy bars.

I would challenge all card participants to think about the credit card product… what delivers value? what about it is unique? how do consumers view it? how is it part of a great consumer experience? When you leave Disney World do you think wow.. buying the ticket with my card was just fantastic? How are new customers acquired? Who benefits when cost of issuance is $0? Is charging the average consumer 12-16% on a card, paying them 0.2% on their savings charging merchant 2% a great model?  Do you think that there is room for improvement? Where do retailers win (ADS, Private Label, Co-Brand, )?

What prohibits you from having 20 retailer cards in your wallet today? Bank card issuers will roll their eyes, but you can not understate the influence that trusted retailers have in consumer decisions. Take this trust together with direct sales force and frequent consumer interaction and you have Private Label and industry whose cards outnumber everyone else’s by a factor of 2. As this week’s Morningstar article on Private Label shows, private label (the largest card segment) is making a tremendous comeback.Private label market share

Citi, GE (now Sychrony), ADS, HSBC are leaders in this space, with ADS advancing most in use of technology. Retailers like Nordstrom, Macy’s, Sears and Kohls are fanatical on their private label program, as their most valuable customers use this product. All new customer experience must first address this base, which you can see is one reason why we don’t see ApplePay being pushed here at all. As I described in Retail 101 (and What do Retailers want in Mobile), most retailers don’t know who their customers are today. Private label and Loyalty programs solve this problem.

Let me throw in a little tech now. I’m on the board of advisors of SimplyTapp, the company that created HCE. Instant issuance is key to everyone in the card space, why wouldn’t every retailer want to enable a private label card if card issuance cost is $0!? Credit worth customers can get store credit, sub-prime get decoupled debit (see Target Red Card) and everyone else gets a loyalty only? I believe we will see this happen, not only within MCX but within platforms like Google, with PL managers like ADS and Citi. This is the strategy focus of the top retailers… (focusing on their top customers).Private Label Profitability

My bet on the future of Google wallet is that it will be very merchant and consumer friendly, enabling them to uniquely integrate to 100s of merchant platforms to create great consumer experiences. This linking of PL, Loyalty, in store, maps, mobile, advertising is value orchestration.. but it all starts with consumer opt in. The opt in is both to merchant (private label/loyalty) and to Google. See blog Host Card Emulation for more background.  Google made the right technical move in HCE, but it dropped the ball in enabling merchants through last mile.. not a technical limitation .. an educational / awareness one.

Do I believe that the world will go private label!? No, it will be at the margins. My view of Visa and Mastercard have changed over the last 2 years. Before I was much keener on the development of a new scheme, but no more. Why? How many networks can you list where millions of participants have invested billions of dollars to make it work? Visa has 1.7B cards and 36M merchants.. how could anyone compete with this? This network works REALLY well, with the only issues with their network are in their control (merchant costs and rules).

#5 Regulatory

From a regulatory perspective, the US retail payment system has been impacted by the Durbin Amendment and the EU to an even greater extent by SEPA and PSD (see my blog).  Most of you have also read my token blogs outlining how the US banks were planning to build a new payment network to compete with V/MA (Now dead).  If someone has a info-graph picture of global acceptance rates I’ll put it in here.. but suffice to say that airline ticket pricing has NOTHING on the complexity of payment pricing.

Visa and Mastercard are largely insulated from the regulatory driven pricing changes, as the issuers continue to bare most of the impact. The EU has created a payment nightmare environment with “cross border” Credit card merchant interchange (MIF) at 30bps starting in later this week Jan 1, 2015 (see article and Visa’s response). The EU can not mandate change within country (domestic transactions), but there will be a race to the bottom in fees.

EU competition commissioner Margrethe Vestager claimed that interchange fees are a form of tax levied on retailers by banks and said that the new legislation would reduce those costs and “lead to lower prices and visibility of costs for consumers”.

Ms Vestager may be correct from a transparency perspective, but SEPA and the PSD put governments into the brokering role with no incentives for intermediaries to invest.. making payments a nearly free infrastructure service (with agreement of consumers and merchants). Network work best when there are shared incentives, and minimal regulation.  I believe Visa and Mastercard will work with new vigor to build relationships with merchants and deliver value, to head off the regulatory driven approach. Unfortunately Europe is already too far gone for this to work.

A prediction (next week’s blog) will be merchants providing greater influence in V/MA rules.

#6 Payments in the OS

My blog from this week: Payment in the OS

card-financial-compete view

Comments appreciated.

Risk – Carving it up in Payments

27 Feb 2014

I was reading this Wharton paper on Risk Management in Financial Institutions and the lead paragraph struck me

Financial institutions exist to improve the efficiency of the financial markets. If savers and investors, buyers and sellers, could locate each other efficiently, purchase any and all assets costlessly, and make their decisions with freely available perfect information, then financial institutions would have little scope for replacing or mediating direct transactions. However, this is not the real world. In actual economies, market participants seek the services of financial institutions because of the latter’s ability to provide market knowledge, transaction efficiency, and contract enforcement.

How would I adapt this to cover a Financial Institution’s role in Commerce and Payments? Let me share a few background points to provide context:

  1. Risk Based Pricing (of Consumer Transactions). This is perhaps the #1 “ask” by the big retailers I work with. For example, Amazon, Apple, Paypal, Visa/Cybersource, Google all do a fantastic job managing eCommerce risk. Their fraud numbers are below 20bps. Why do they still get hit with CNP pricing? We know the answer here of course… Each issuer gets to set pricing and there is no network scheme to price based upon demonstrated fraud/risk performance.
  2. Selective Settlement Risk (SSR – my term… I just made this up). In the POS world, my local Kroger would be quite comfortable taking the settlement risk on my grocery transaction, after all they have seen me purchase about the same amount or groceries for 20 years (using the same debit card). At the POS, Retailers want to be able to leverage their data to take risk on certain transactions, and shift it to other intermediaries when they do not want the risk (big screen TV). This is the central challenge for Target Red Card (and perhaps MCX) in a decoupled Debit model. For those thinking about check fraud, make sure you take a look at the Fed’s 2013 payment study “Checks had the lowest fraud rate by number (0.45 basis points) and a fraud rate by value of 0.39 basis point”. Thats right, checks have a lower rate of fraud than credit and debit cards (not PIN debit in isolation).
  3. Instant Credit for Commerce Transactions. PayPal’s billmelater , and Macy’s, Nordstroms, Kohls and other leading Private Label Card (with Citibank leading the sector) to a fantastic job of taking credit worthy customers off of Open Loop bank cards.  The successful programs are unbelievably profitable for the retailers. With the card held by highest spending, most loyal customers.. and 1500bps on ANR. It wasn’t that long ago that most retailers had their own in store credit (see blog on Private Label), they also accepted checks.
  4. Authentication. As I outlined in Authentication – Core Battle for Monetizing Mobile, and Apple in Commerce, and Who do you Trust, Authentication is core to the platform (Google, Apple, ..) role in Commerce. With respect to Payments, how does a Bank PAY GOOGLE and APPLE for performing the authentication role (example using handset biometric features)?  In this model they are mitigating transaction risk. This is shaping up to be one of the key issues with HCE and Tokens as the new token spec has fields for authentication. I’m not speaking of the technical issues here, but rather the business issues.. how do payment providers compensate an authentication service for reducing fraud? As a side note, for US readers, there is no better service in the market than what Payfone has right now.. with access to both Telecom network integration and Bank ID/Acct verification information.

payment-value

What makes modern financial markets unbeatable? The ability for many parties to identify and segment risk, specialize and a market which allows all of these specialists to interact with transparency. Consumer Finance in general, and Payments specifically must take on some of these features.

Yesterday Jamie Dimon was quoted saying that Google, Apple, … all want to “eat our lunch” in this metaphor I guess consumers like me are on the menu. As much as I respect Jamie as the best banker on the planet, he continues to miss the consumer view… we are not owned, we migrate to where value is provided. Rather than working to specialize in consumer, Consumer Banks tend to work to build higher walls and create rules which work against the specialization. These walls will become their own jail if they fail to focus on value and specialized risk management. Today, it would be almost impossible for 4 party networks to adopt to a flexible “risk based pricing” model. My view is that Paypal, Amex, and Discover have the infrastructure to support this today.

Surprised? 30 years ago most retailers began to abandon roles in transaction risk… only to be taken to the cleaners. Hence we see investment to reassert their roles (ie MCX, Private Label, …).  Retailers have no choice but to build consumer financial networks which allow for the (selective) assumption of risk (settlement, fraud, credit, Authentication…)? This taken together trends of branch closures, prepaid, mass market retail profitability make for a very chaotic environment.. (which is ripe for a new leader that can deliver value).

Thoughts appreciated

MasterCard follows Visa’s lead on EMV Push

Yesterday MA followed lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but the most important to note that neither large US issuers or retailers are enthused about this push as there is no business case for the change on either side.

31 January 2012

http://www.mastercard.us/mchip-emv.html

Yesterday MA followed lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but it is important to note that neither large US issuers nor retailers are enthused about this push for one primary reason: there is no business case for the change (on either side). Historically, networks do not change without sound financial incentives ( or there is some sort of regulatory mandate).

A Bank makes money by managing risk. Within the payments space large banks have invested billions of dollars in custom fraud infrastructure. The effect (if not the goal) of bank investment in custom fraud infrastructure is to push fraud into the weakest link (or bank) in the network. Smaller banks must seek partners like FIS, FirstData and the Networks to help them keep up. The EMV standard is used by card issuers in just about every market globally, except the US. EMV is effective in addressing certain kinds of fraud such as counterfeit and skimming. Within an EMV environment, international issuers and acquires thus could relax in maintaining related fraud controls IF cards existing in an EMV only environment.  However international travelers to the US and US travelers abroad lead to fraud “leakage”. US issuers did not suffer, due to their fraud infrastructure, but the other banks have.

Thus the “true” benefits of EMV cannot occur until there is 100% adoption at POS (10M in US), complete elimination of the mag stripe in the plastic that we all carry (approximately 1.5 billion in US). This is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout, nor is there a business case for either issuer or retailer to implement. Take this on top of the fact the EMV is 20 year old technology and we have a very challenging environment.

What are the benefits in retail? Both Visa and MA have established a carrot and stick approach. Given only the issuer can reduce interchange, the carrot is reduced PCI compliance costs and some terminal subsidy. The stick is a liability shift for to the merchant  if a consumer presents an EMV capable card and the merchant terminal does not accept it.  Given that the big issuers have no plans to reissue cards, the merchant risk is fraudulent EMV cards (starting in Oct 2015 for Visa). Perhaps if retailers see an EMV card, they should request an ID.  For issuers, the compliance dates are longer and the stick which Visa and MA have constructed is weaker given that US issuers already bear costs of card present fraud.

So what are Visa and Mastercard trying to accomplish? From a political standpoint they must address the international issuer concerns and be viewed as supportive of the EMV standard. But more importantly Visa and MA want to cement their control of the network, particularly in two areas: mobile and US debit cards. In mobile, Visa and Mastercard are aggressively trying to make mobile POS payments a “premium” service used exclusively by credit cards. A key to success in mobile is POS readiness to support contactless payment. The EMV mandate certainly helps provide another incentive to merchants. With respect to the Debit, the Durbin Amendment has impacted the incentives for US banks to continue support of Signature Debit. In the US, PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009: Signature $1.12B, $181M PIN debit card),  and obvious merchant preferences (96% of PIN fraud losses assumed by issuers, vs 56% in Signature). PIN debit transactions do not need to be routed through Visa and MA, and PIN only cards do not require their logo. EMV debit cards may be a tool for Visa to maintain a US debit business (MA US debit penetration is low).

What to expect?

Note that in virtually every geography, EMV was a regulatory driven initiative. In the US this is not the case, as the large banks have proven capable of managing fraud. Large issuers are thus reluctant to undertake any mass reissuance of cards, and US regulators are reluctant to have US Banks pay for a system that will primarily benefit issuers outside of the US. My guess is that we will start to see a trickle of new cards being issued on EMV starting in 2014 or so.

Retailers will have a similar adoption dynamic as they assess cards being used at their stores, and what future payment networks may offer not only in terms of compliance and interchange, but also in delivering customers through incentives and advertising.  I’m certain that the retail “first movers” in NFC must be pulling their hair out as they discover that their new NFC payment terminals are not equipped to accept the mandated EMV card. These retail CEOs will discover that the “stutter” in reterminalization was intentional and it will be a cost they will bear twice in 2 years.

In this dynamic environment, there will be high demand for companies that can help retailers develop a plan and navigate this chaotic environment. Oddly enough, start ups like Square and Payfone may have a tremendous advantage in simplifying the checkout process. In other words, EMV could actually provide the impetus for new payment networks to gain a foothold.

Mobile Swipe: Risk is Behavior … not Security

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

11 March 2011

I’ve been rather unambiguous in my views on Square. Yesterday I received a number of calls from my card friends, with over 50% in support of Square. After pondering their feedback, my bigger concern is customer behavior… a concern that expands beyond Square to all swipe based mobile payments (although I still feel quite strongly that they are not playing by the rules that everyone else agreed to).

For background, beyond my role as alternate channels head for Citi (Outside of the US), I also led sales and marketing for a little start up backed by Kleiner Perkins (41st Parameter) that focused on fraud. Through this role, I was fortunate to develop relationships with the fraud heads of every major US and UK bank and card network. Truly fantastic people… think of them as a mixture of James Bond, CSI, and Elliott Ness (Famous FBI guy). To be honest, I never saw these fraud teams during my time as a banker, and never really appreciated their role in keeping the banking system safe.

Frank Abagnale (of Catch me if you can) was on 41st’s Advisory Board. 40 years ago, this was the kind of fraudster that the bank’s team had to track down.. one guy in a garage with a printing press (magnetic ink). Today, the nature of fraud has changed tremendously. Well organized rings are flourishing, one of which has over 500 employees with product, engineering, marketing, sales…. a specialization of labor. Phishing was a great success, as customers responded to e-mails looking legit. Banks responded with improved online security. Fraud rings responded with malware and “man in the middle” attacks.. point is that this is a dynamic war taking place and bank fraud teams are the “special forces” that crack the code.  The online fraud environment is the most complex battlefield of all. 

It takes resources to win any battle. To give you an idea of the size of risk, gross fraud (attempted) at PayPal was around $500M dollars last year. Through technology and people, PayPal reduced that number to under $50. Bank margin is driven by the ability to manage risk; this is the nature of banking. The top banks, Paypal, Amazon and Apple all have world class teams and resources in this area… thus they seek both higher margin (ie risk) and volume. In essence they “compete” by managing risk more effectively than their peers. A well known axiom applies: If a hungry bear comes into your campsite, you don’t have to be faster than the bear.. just faster than all of the other campers.

There is no single solution for all of this fraud, it is a constant battle and weapons just continue to improve and evolve on both sides. For banks, there are 2 common elements to all fraud strategies: educating customers, and security of customer data. In the US, consumers are quite fortunate to have the risks associated with fraud completely borne by banks (Reg E/Z). Outside of the US if you have fraud on your credit card it is your job to prove it. Hence a UK consumer is much less likely to give their card to just anyone, which is why the waiter stands at your table with a mobile card reader for you to enter your PIN.. your card is never out of your sight.

Example story from yesterday.

Groups of brilliant fraudsters created small mini kiosks called “card cleaners” and placed them in ATM booths, grocery stores, vending machines.. “Clean your credit cards for free”..  I’m not making this up.. people really used them. The crooks just took the numbers and sent them to Algeria (a favorite destination) to create new cards, or to sell to other organized rings. The rest of world hates US use of magstripe.. we are the only country in the world that has not adopted the EMV standard (aka chip and PIN). EU readers still take mag stripe because of the US tourist dollars..

These fraudsters were successful with just magstripe. What if they had your name, e-mail, phone number, … ? If you went to the grocery store, and the clerk asked you for name and phone number and put it in her phone prior to authorizing your transaction would you provide it? This is exactly what Square is doing. Read Dorsey’s response to Verifone’s security concerns. Giving merchants additional data will not decrease fraud, but establish new patterns of customer behavior which will increase it for all. We have a “battle” within the banks today: The card business want to grow transaction volume. The fraud organizations want to protect customer information and ensure customers don’t give their data out to just any hot dog vendor on the street.

Future Scenario

A good crook would probably spend a few days developing an iPhone app that swiped your card, asked for your PIN, took a picture of the back of your card (w/ CVV), obtain phone number and e-mail address. A fraud ring sets up hot dog or ice cream stands (that only take cards) with $0.50 ice cream… they would never even use Square’s software.. or even try to submit a transactions. They would give the food away for free just to get the data.  Once I have this data, I could send within seconds to my HQ to commit ATM, online or even POS fraud in any number of countries.

Was Square’s technology any part of this? Nope.. people could do this today. Is Square encouraging a sustainable consumer behavior? Nope. Smart merchants (Apple, PayPal, …) are choosing Verifone PayWare Mobile because the device is secure.. your employees can’t put on a skimming app because the data is encrypted when it enters the phone. But do I want my bank customers examining the make and model of the card reader before they turn over there card? Heck no! So what do I tell my bank customers? Only give your cards out to merchants you can trust? Do banks incent proper consumer behavior on card use? No.  You get the picture… life just got much more difficult for the fraud and customer experience teams.

Individual issuers have the power to decline square transactions. My guess is that at least 2 major banks will begin to decline all square transactions within next month. Beyond the fraud risk, it also competes with their own mobile initiatives (Barclays/ISIS, Mastercard/RIM, …).

NFC is a step beyond EMV in security… subject for another blog.

Comments appreciated.

Visa – New Mobile Payment “Rails”?

Word on the street is that Visa is set for a major mobile payments announcement in next 6-8 weeks. Separately, US MNOs are also rumored to be collaborating on Near Field Communications (NFC) payments with acquirers. Could it be that the log jam on NFC is about to be broken? Is Visa developing new rails to support mobile payments?

25 November 2009

Word on the street is that Visa is set for a major mobile payments announcement in next 6-8 weeks. Separately, US MNOs are also rumored to be collaborating on Near Field Communications (NFC) payments with acquirers. Could it be that the log jam on NFC is about to be broken? Is Visa developing new rails to support mobile payments? Let me say up front that this blog represents “connecting the dots” more than a definitive market projection.

The US market is ripe for a break from the 6 party political “fur ball” that is hampering delivery of mobile payment (Card Issuers, Acquirers, Network, Merchant, MNOs, Handset Mfg). For those outside the US, MNOs have substantial control over handset features and applications, and have been leveraging this “node control” to “influence” direction of payments. The central US MNO argument being: “it is our customer, our handset, our network we should get a cut of the transaction rev”. Unfortunately existing inter-bank mobile transfers/ payments are settled through existing payment networks that provide limited flexibility in accommodating a “new” MNO role and the network rules leave much room for improvment in: authorization, authentication and consumer “control”. 

Outside the US, the situation is much different, as consumers have great flexibility in switching MNOs, have ownership of their handsets, and are largely on pre-paid plans. The MNO challenge for payments in this environment is largely regulatory. Many countries (EU, HK, Korea, Japan, SG) have open well defined rules for MNOs role in payments (example: ECB ELMI framework within the EU), while other countries are highly restrictive and are in the midst of developing their legal and regulatory framework. Even in the countries where MNOs participation is defined, they have largely benefited from the complimentary role that the service plays with pre-paid plans (not in interchange at POS).

Globally, MNOs are looking for a payment platform where they can benefit from interaction between consumer and merchant, with flexibility to deal with a heterogeneous regulatory environment. The competitive pressures on Visa/MC are much different then they were 5 years ago (when both were bank owned). The network fee structures and rules were written with banks and mature markets in mind. Emerging markets present a much different set of opportunities, as MNOs lead banks in brand and consumer penetration within every geography.

All of this leads to the case for a new “Mobile Payments Settlement” network, a network which will alienate many banks. I expect to see Visa roll out the initial stages of this network in the next 2 months with an emphasis on NFC. Quite possibly the best kept secret I have ever seen from a public company. I’m sure many Silicon Valley CEOs are crossing their fingers (with me) on this, as a “new wave” of innovation is certainly close at hand that will drive growth (and valuations).

For those not keeping up with the 50 or so product announcements a day on NFC, handset manufacturers committed to have NFC enabled phones to consumers in mid 2009 in the GSMA 2008 congress. NFC capabilities are numerous (Vodafone YouTube Overview), and may represent a true disruptive innovation surrounding payments. There have been many very recent product announcements that will enable existing phones to use NFC, and P2P Capability. All of which will blossom in a more “fertile” mobile settlement environment. See one example “future” Visa mobile service here: http://tomnoyes.wordpress.com/2009/09/24/googleoff/

Side note: This is not all bad news for Banks, as the structure will certainly provide for existing cards (debit/credit) and may deliver substantial revenue through cash replacement (small < $50) transactions. More details on structure of MNO in settlement 2 weeks….

Select Product/Alliances Below:

[youtube=http://www.youtube.com/watch?v=2AmeM33r7wM]