Risk – Carving it up in Payments

27 Feb 2014

I was reading this Wharton paper on Risk Management in Financial Institutions and the lead paragraph struck me:

Financial institutions exist to improve the efficiency of the financial markets. If savers and investors, buyers and sellers, could locate each other efficiently, purchase any and all assets costlessly, and make their decisions with freely available perfect information, then financial institutions would have little scope for replacing or mediating direct transactions. However, this is not the real world. In actual economies, market participants seek the services of financial institutions because of the latter’s ability to provide market knowledge, transaction efficiency, and contract enforcement.

How would I adapt this to cover a Financial Institution’s role in Commerce and Payments? Let me share a few background points to provide context:

  1. Risk Based Pricing (of Consumer Transactions). This is perhaps the #1 “ask” by the big retailers I work with. For example, Amazon, Apple, Paypal, Visa/Cybersource, Google all do a fantastic job managing eCommerce risk. Their fraud numbers are below 20bps. Why do they still get hit with CNP pricing? We know the answer here of course… Each issuer gets to set pricing and there is no network scheme to price based upon demonstrated fraud/risk performance.
  2. Selective Settlement Risk (SSR – my term… I just made this up). In the POS world, my local Kroger would be quite comfortable taking the settlement risk on my grocery transaction; after all, they have seen me purchase about the same amount of groceries for 20 years (using the same debit card). At the POS, Retailers want to be able to leverage their data to take risk on certain transactions, and shift it to other intermediaries when they do not want the risk (big screen TV). This is the central challenge for Target Red Card (and perhaps MCX) in a decoupled Debit model. For those thinking about check fraud, make sure you take a look at the Fed’s 2013 payment study “Checks had the lowest fraud rate by number (0.45 basis points) and a fraud rate by value of 0.39 basis point”. That’s right, checks have a lower rate of fraud than credit and debit cards (not PIN debit in isolation).
  3. Instant Credit for Commerce Transactions. PayPal’s Bill Me Later, and Macy’s, Nordstroms, Kohls and other leading Private Label Cards (with Citibank leading the sector) do a fantastic job of taking credit worthy customers off of Open Loop bank cards. The successful programs are unbelievably profitable for the retailers, with the card held by the highest spending, most loyal customers.. and 1500bps on ANR. It wasn’t that long ago that most retailers had their own in store credit (see blog on Private Label); they also accepted checks.
  4. Authentication. As I outlined in Authentication – Core Battle for Monetizing Mobile, and Apple in Commerce, and Who do you Trust, Authentication is core to the platform (Google, Apple, ..) role in Commerce. With respect to Payments, how does a Bank PAY GOOGLE and APPLE for performing the authentication role (example using handset biometric features)?  In this model they are mitigating transaction risk. This is shaping up to be one of the key issues with HCE and Tokens as the new token spec has fields for authentication. I’m not speaking of the technical issues here, but rather the business issues.. how do payment providers compensate an authentication service for reducing fraud? As a side note, for US readers, there is no better service in the market than what Payfone has right now.. with access to both Telecom network integration and Bank ID/Acct verification information.

What makes modern financial markets unbeatable? The ability of many parties to identify and segment risk and to specialize, and a market which allows all of these specialists to interact with transparency. Consumer Finance in general, and Payments specifically, must take on some of these features.

Yesterday Jamie Dimon was quoted saying that Google, Apple, … all want to “eat our lunch”. In this metaphor I guess consumers like me are on the menu. As much as I respect Jamie as the best banker on the planet, he continues to miss the consumer view… we are not owned, we migrate to where value is provided. Rather than working to specialize in consumer, Consumer Banks tend to work to build higher walls and create rules which work against the specialization. These walls will become their own jail if they fail to focus on value and specialized risk management. Today, it would be almost impossible for 4 party networks to adapt to a flexible “risk based pricing” model. My view is that PayPal, Amex, and Discover have the infrastructure to support this today.

Surprised? 30 years ago most retailers began to abandon roles in transaction risk… only to be taken to the cleaners. Hence we see investment to reassert their roles (ie MCX, Private Label, …). Retailers have no choice but to build consumer financial networks which allow for the (selective) assumption of risk (settlement, fraud, credit, Authentication…). This, taken together with trends of branch closures, prepaid, and mass market retail profitability, makes for a very chaotic environment.. (which is ripe for a new leader that can deliver value).

Thoughts appreciated

Call to Action – Submit Response to Fed

1 Dec 2013

As most of you know, the Federal Reserve published a paper entitled Payment System Improvement and opened it for comments http://fedpaymentsimprovement.org/. Responses are due 13 days from Today. My response can be viewed here.

After witnessing the mess that Regulators and Central Banks can create (FFIEC 2 Factor Auth, UK Faster Payments, SEPA, …), you should take time to submit something for your organizations.  We all need a flexible regulatory environment which provides a fertile field for Innovation and technology evolution (of payments and banking).  How should the US payment system evolve? What is Broken? What is working? Who should lead (Government or Industry)? This is the context behind the survey which covers: tokens, real time payments, fraud systems, mobile payments, and approach.

Summary View

  • The Payment System works today for 95% of needs. Let’s NOT force everything to be real time. Just as we have Rail and Ship transport today… some consumers still demand next day air delivery (a business need that consumers will pay extra for).
  • The problem with the payment system is NOT speed, it is control. The American Banker article How Big Banks Killed a Plan to Speed Up Money Transfers speaks to the uneven playing field faced by small banks, MSBs and other service providers.  Why are big banks blocking this real time effort? Because the top 4 are formulating plans to restrict use of bank owned settlement infrastructure and create new semi-open REAL TIME settlement networks (ie ClearxChange) which will only work for the largest institutions (see New ACH Payment System for background on this initiative). The second paragraph of the Fed’s paper

    Industry adoption of new payment services and technology in this country has been driven mostly by market forces rather than government direction

    is incorrect. Industry adoption of CORE payment services is driven COMPLETELY by the top 5 banks. Top 5 Banks created and hold veto power over: Visa, MA, TCH, NACHA, … and most industry infrastructure.

  • There are only 2 regulatory changes I would request: #1 mandate transparency in rule making for both government controlled (FedWire) and private Payment Entities. No more anonymous voting on common infrastructure, the NACHA and TCH voting procedures are a mess.  The WSJ article above demonstrates the obfuscation.. and the subsequent success of this blog. #2 Allow non banks to assume risk and decrease compliance requirements (for banks) surrounding this service. (more on that later)
  • Over 40% of US consumers are no longer well suited for traditional banks and are migrating to new products (pre-paid/GPR cards) that are offered by new intermediaries. Payments are not only critical to the top of the pyramid but to the bottom. Non banks and the unbanked must be able to participate in the payment system. Again the issue is NOT real time payments, but ACCESS (control).
  • The core technical challenges in Payments are #1 Consumer Authentication, and #2 Risk Management. Non banks are best positioned to Authenticate a Consumer, and may also be best suited to manage risk (as Paypal does in Card Not Present). Banks bear the weight of KYC/AML requirements today and therefore look to control the entire process. If we want consumer centered investment, Non Banks must be able to participate, and bear risk. If the central bank commits to technology of yesterday  we will not be able to leverage new capabilities and consumer experiences will be highly fragmented. (ex a new Apple device which would enable real time, irrefutable transaction signing).
  • The core business challenges in payments today are around value. Banks do not want to invest in networks that benefit merchants (ie Debit, DDA) and Merchants don’t want to invest in networks that benefit banks (ie Credit, Contactless). Payments are just the last (easiest) phase of a long Commerce process. No one should force banks to invest in merchant friendly mechanisms, but banks should not be in a position to BLOCK success here.
  • There will be NO INVESTMENT, if there is NO RISK. Payment profitability is driven by risk management (including fraud, authentication, credit risk, …).  We must allow entities that can bear risk to participate and invest.
  • Network efficiencies MUST IMPROVE (see Thomas Philippon below). The GOAL of payments should be to provide LEAST COST ROUTING to support consumer preferences of where and how they want to pay and authenticate (ex Apple, Google, …). Expanding an existing utility (ie Fed Wire) may provide a faster path to new capability, and develop a higher quality of service, as competition develops among private networks (analogy is Darpanet).

MCI Interconnect in Financial Services?

The metaphor for change in the payment system may be the 80s MCI interconnect battle (see Wikipedia), combined with a new regulatory regime which would allow non-bank participation in an OPEN settlement network (Connection + Settlement). See my blog How to Deregulate Payments like Telecom. To understand the current state of industry quantitatively, NYU’s Thomas Philippon published jaw dropping research detailing how Payments and Banking are one of the few network businesses in the HISTORY OF MAN to grow less efficient (rail, telecom, energy, …). Obviously Regulatory Capture is an issue as regulators protect Bank margins and discourage rate competition. The fundamental flaw in the Fed survey is an underlying assumption that change will be made to existing utilities and existing players. I’d rather take the MCI approach where the government provides for open interconnect and allows other parties to assume risk. This is why Telecom, Airlines, Stock Exchanges, and the Internet work today. There will be no change, or new investment, unless Regulatory Capture and Big bank control over common utilities is broken.

In another example, from my blog Tokens – Merchant Options obviously there is a need to tokenize a direct draft ACH/DDA to hide the consumer’s account number. This is what the TCH upick system (bespoke TCH token system) was developed around. However banks have NO incentive to deliver innovation around DDA tokens as it would decrease risk and increase consumer adoption in a model where they can not charge ANY interchange. Thus innovation is directed toward revenue (a logical imperative), and conversely merchant avoidance is based upon cost/value (hence no adoption of card POS tokens).

The EU’s ELMI model is perhaps the best developed regulatory standard. Perhaps the US pursues something similar which would serve as a federally chartered MSB. Or provide for existing MSBs to operate (and assume risk) on a settlement network (like Fed wire). This is my core recommendation: rather than taking a 5 year approach, the Fed should create an open settlement service, with which private utilities (ACH, Visa, …) must compete. Australia (EFTPOS) and Canada (Interac) have both successfully consolidated debit infrastructure as a result of regulatory mandates (and these remain bank owned networks). Today Fedwire competes with TCH in settling payments, but garners much less than 1% of settlement (see FedWire Volumes).

The Fed should consider consumer requirements and preferences, after all it is the consumer’s money. Similar to the MCI telecom case, regulators should consider the minimum consumer servicing requirements. If a consumer wants to pay through an intermediary (like PayPal, Amazon, Google, MCX, … ), or have money stored with an intermediary, or want to remain anonymous to the merchant in a transaction, they should be able to do so. As the Visa model evolves, Consumers should be able to INITIATE the payment request with the Bank (as opposed to the Visa/MA model of merchant requesting payment based upon consumer credentials).

Today, ODFIs are responsible for all risk (in ACH and Card Present). The Regulatory burden they face is substantial (Fed, OCC, CFPB, …etc.). There are very big plans by the banks to gain tighter control over the payment network (see Tokens and Consumer Authentication). Fundamentally, if we want change, we must improve transparency and allow risk to be assumed by non banks (and consumers). Consumers should have the choice to take the slow railroad (with guaranteed delivery) or an instant transfer that cannot be reversed.

The FED should be very mindful that their direction does not just impact Innovation at the top end of the consumer pyramid: over 40% of US consumers are unprofitable to US Banks (see Prepaid – Future of Banking?). The Amex/WMT Bluebird product is proving to be an attractive alternative “banking lite” product with ability to direct deposit. The story of MPESA in Kenya may be useful here, as a non-bank was granted an exception which enabled the service to grow from 0 to 10% of the GDP in 3 yrs. Regulators and the Central bank do NOT look favorably on this development, as 10% of the GDP flows out of M1 into a single non-interest bearing settlement account which cannot be leveraged by banks to offset loans (ie liquidity ratio). But consumers love the service…

Key Topics which I believe need to be addressed:

#1 Bank Ownership and Control of the Payment Rails

  • Cost Transparency/Reporting
  • Speed Transparency/Reporting
  • Transparency of Rule Making and Voting in Infrastructure
  • Non Bank Ability to Connect
  • Non Bank Ability to Take Risk
  • Non Bank Participation in Settlement (ex Federally chartered MSB, or non-bank access to FedWire)
  • Consumer Authentication Standards, and Ability for non-banks to assume role (see KYC)
  • Common Reporting/Alert Interface in Transaction Origination and Settlement

#2 Issuance and Value Storage (from How to Deregulate Payments like Telecom)

We need to look no further than BitCoin to see the need for new regulations surrounding issuance. Transfer of funds between entities is covered above, and my view is that non-bank participants should be licensed and agree to abide by current money transfer  regs (ie. Fincen/AML, ..). Issuance of “credentials” and storage of funds is another matter. Long term storage of funds is a banking function, and should be regulated, settlement funds face state escheatment issues (but largely unregulated unless interest is paid), while storage of “Value” is completely unregulated (ie Coupons – a form of legal tender, Pre paid offers, bitcoins)?

From above, if we allow non-banks to participate in real time funds transfer, third parties (ie Sofort) would act as agents (on behalf of consumer, merchant or bank) to direct the funds and assume risk on behalf of consumer. If a good/service is purchased immediately (commerce) then there is no regulation, however if the value is “held” for future use it is generally regulated (hence MSB, eGold, bitcoin issues). Thus the rules under which third party senders operate (as agents), are different from the entities at the end of the transactions (banks, merchants, consumers). See ACH Origination Risk.

As in the MPESA example above, there is an obvious CONSUMER need for issuance to more closely resemble cash in its ease of exchange, verification, anonymity and storage.

Our current need is for simplified laws surrounding accounts under a given value amount (say $2000). Providers of service should be lightly regulated through self reporting, “transparency”, and the need to keep settlement funds with the Fed. In this proposed model, a bitcoin exchange must ensure that no single individual has processed more than the threshold in a given time period. Hence the need for KYC of exchange participants (when converting to cash).

Summary – new HUB vs evolving existing networks

The current ACH system will never go away (related blog). There were $33.91 TRILLION moved over the network in 2011, compared to total debit and credit volume of around $4.5 Trillion. What path should regulators take?

#1 Improve ACH (primarily speed and fraud management). The highest priority will be around third party senders (TPS), the lowest priority will be regular customer directed debits and payments to billers.

Third party senders (TPS) are a subclass of Third Party Service Providers (TPSP) which originate ACH transactions based on a direct consumer relationship. Alternatively TPSP are also known as “processors” whose customers are banks (primarily) and have no direct consumer relationship. Banks are not happy with the “free riders” on their network (see blog). Most bankers view companies like PayPal and Xoom as riding on their rails for free. One of their biggest issues is that they do not have visibility into the actual beneficiary as the settlement account hides where the payment is going to. This impacts their ability to perform risk management and authorization. Take these issues together with the increased regulatory focus on AML and we have a fertile environment for change (see HSBC’s Deferred Prosecution Agreement, and business overview of HSBC’s issues from Reuters). Note that AML concerns are much more relevant to International ACH Transactions (IAT). This blog is not focused on IAT.

Banks must therefore architect a solution to evolve ACH while the ship is moving. This is a much better approach than that taken by the UK of mandating faster payments… (one bank was losing 30M GBP a WEEK from fraud when launched). The consensus approach seems to be one surrounding tokens and directory (my blog from last year Directory Battle Phase 1).

#2 Build a new competing network (around Fedwire) which would allow for non-banks to assume risk

 

Sorry for abrupt end.. I’m sounding repetitive.. so I’m stopping