Open Banking, Open Payments and Trust Networks

A blog to my bank friends. Sorry for typos.. feedback appreciated!

Thought for the day

Open systems garner greater participation, but margins are held either by orchestrator or proprietary components that offer unique performance or capabilities. Payments and Banking are trust networks, trust requires not only enforceable and auditable assessment of counterparty operations, but a shared business case for investment.  

Trust networks revolve around a shared and enforceable definition of roles, standards, counterparty identity, trust and risk. Trust network attributes and operating model drive scale and participant investment. In all cases, networks require participation of both consumer and merchant. A trust network of known participants operating within a defined set of operations and economics stands in stark contrast to the open, anonymous and distributed internet (see Transformation of Commercial Networks). 

Today we will take a look at Open Banking and Open Payments. If you are looking for the summary, here it is: 

  1. The “golden geese are safe”.  Data clearly shows network effects taking hold for Visa and Mastercard, as card issuance, acceptance and frequency of use all drive GDV growth in the mid 20s (see blog). As one top US bank CEO said of V/MA “there is no scheme we can define together that will result in improved economics… why on earth would we want to spend our time assessing one”? 
  2. Open is a terrible business model, but a fantastic technical one. Tiptoe into any “open” effort as a form of intelligence gathering. Standardizing messages will enable merchants (and banks) to deliver new forms of payments within embedded processes and systems. 
  3. There can be no shared investment without a well defined and enforceable operating model.

Operating Model is Core to Trust Networks

The core asset of a trust network is a well defined operating model. This operating model enables shared investment to take place. For example, within the Visa and Mastercard schemes, operating agreements define: technology, message standards, certification protocols, participant roles and enforceable compliance mechanisms, consumer agreements, auditing, indemnification for breach, ability to define and communicate risk to participants, …etc. This hard work cannot be accomplished without participation of consumers, merchants and banks and a well defined economic model where each participant understands the overall economics, and has confidence to predict their own. 

The need for operating models holds true across telecom, financial markets, healthcare, supply chains, and most other collaborative interactions between companies in creating a “bundled” product or service. The economic theory behind this is laid out by Nobel economists Oliver Williamson and Ronald Coase in Transactions Costs and Nature of the Firm.

As discussed in Collaboration and the Sharing Economy, a reduction in transaction costs is leading to fragmentation of previously integrated companies (ie specialists win). Bundled services and products thus become easier to create as the specialists can assemble more quickly. It is important to note that growth of specialists and reduced transaction costs is ENABLED BY an operating model agreed to by participants (ex mortgage securitization). An evaluation of the operating model is the first question to ask when evaluating any “open innovation” or a bundled product/service.  Operating models manifest themselves in contracts. As the model grows and becomes more defined, contracts become more standardized.

In addition to the growth of specialists and bundles on the supply side, the mobile revolution has greatly increased the ability for consumers to manage participation in many networks. Just look on your mobile phone and count the apps that you use. What services provide the most value? Apps from Uber to Amazon have created operating models that assemble many specialists through a defined agreement.  

Story – Standards without an Operating Model

Back in 2000, I was with Oracle leading the rollout of our RosettaNet integration. Cisco was Oracle’s largest ERP customer, and a founding member of the RosettaNet framework where supply chain members would operate in a defined set of messages. A key message set was Work in Process (WIP) inventory. A key Cisco supplier had all of the Oracle suite and just had to “turn it on” to make it work…my team went to help them go live. Dave (Supplier division manager) told me something that holds to this day: “I will never let my system answer this message..why? Because Cisco will switch orders to another supplier within minutes if they don’t like what they see.. They will think I am at capacity or have an issue. This data is key to my survival and profitability.. I will key this data in with my tongue if I have to.. There is no economic incentive for me to answer accurately.”

Can you imagine a service bundle without contractual agreements supporting it? Where Uber sends a nearby driver a message with “I think a customer is here and he may pay”, or where your stock broker couldn’t fulfill your buy/sell order? Operating agreements are the hard part of trust networks; they must exist and are key to understanding anything with the word “Open” in its name. Open Source, Open APIs, Open Platforms assist in the CREATION of content (ie Wikipedia), services and products. But the economics of “open” sit with the entity that manages the proprietary products/services enabled by them.

Android Example

There is a free version of Android.. But no one wants a device that can only operate with non-Google best of breed apps (CNET Article). The completely open and free version of Android does not have Google Search, Play Store, Google Maps, …etc. Any telecom operator can load the free Android on the handsets they sell. Google created shared revenue incentives for the MNOs to install their version. The EU fined Google 4.34B EUR for this bundling. In my view this is completely absurd, consumers can still choose the free version of Android. However the free Android delivers no economic value to Google, to MNOs or to consumers. It takes defined roles, agreements and a high quality curated experience to deliver value. Google’s ability to deliver value within this open model pales in comparison to Apple’s closed model, which has enabled over $500B in commerce (2019) and captures over 66% of global handset profits and 32% of all handset revenue (ie closed and proprietary is always a better model if you can get away with it). 

Open: A New Front Door

The business model for most open initiatives in banking revolves around a new customer experience, data sharing and technology “standards”. In other words a new front end that consumes bank data to create a new service (with no shared economic model). Why would banks participate in this? Obviously, any entity that manages the front end customer experience reaps the benefits of the virtuous cycle of data (more data → better products → more use → better data). 

The power of fresh data and data modelling across commerce cannot be overstated. Remember Google indexed the world’s public information and the power of “intent” gleaned from this search powers a $160B+ ad business. While search is powerful, Google doesn’t know what you actually bought, what investments you hold, what your income is, how much you spend on healthcare and with which specialists, your credit rating, or your real identity. These ARE things your bank knows. You trust your bank with this information, and banks do a very good job at protecting it.. When you share your bank or investment credentials with a third party, all of this control is lost. Consumers become responsible for all downstream data sharing and indirect modelling. 

Most operating models serving banks today were created by a consortium of banks (Visa, Mastercard, SWIFT, TCH, NACHA, Pulse, Star, EWS, …etc). The entities they create draft the initial roles, rules and technologies. Regulators have also attempted to create networks, but the key component missing in most regulatory driven plans: an economic operating model to support shared investment. Most banking networks operate with a very strong central hub defining standards, this structure is referred to as a “star network” in network theory. There is another model developing around strong nodes.. we will cover this in a future blog on federated networks.

Open Banking

I’ll leave it to readers to explore the definition of Open Banking on their own. I see 2 primary initiatives: 

  1. PSD2 – Within the EU, open banking and payments are a regulatory driven initiative. The technology and roles within PSD2 are well defined, the economic model is not.  
  2. FDX – Financial Data Exchange. A standards based group seeking to update the industry’s previous effort in OFX (driven by Microsoft and Intuit). Bank and tech participation, no defined operating model.

Let’s start with Europe. I’m not going to debate the technical or operational models the ECB defines, but rather the economic case. As described above, banks are losing their data advantage and specialists are disintermediating their traditional roles in commerce. Open banking creates yet another “hole in the dike” by providing data to any third party provider (TPP) permissioned by the consumer. In other words the bank is being “wrapped” by another set of consumer front end “specialists”. A great Finextra article, Open Banking as a World of Opportunities and Hidden Risks, outlines a hypothetical bank case for PSD2.  

  • Banks consume other FI APIs to expand their offerings.
  • Banks will be able to offer marketplaces of different products and services. One good example is Starling Bank, which provides its customers access to the “services platform” integrated with their account. 
  • Banks can organize partnership alliances, inviting customers to view the relevant information about their accounts in other partner banks through one interface. 
  • By connecting to other Open APIs, banks will be able to receive and analyse additional information about the behaviour of their customers and offer them more personalized and relevant services.
  • …etc

Normally, when you exchange something of value to another party, there is value exchange (see effective markets). Logically a $0 cost service will have infinite demand, and very little quality. Within the EU structure there is no carrot (economic model) and a BIG STICK (compliance). ECB’s directive is meant to empower consumers with the ownership of their data. While I understand the value to the consumer, and to the TPP, Open Banking further erodes competitive advantage and exposes consumers to new risks (ex sharing bank credentials and detailed data). Most indigenous bank efforts in the EU have been focused on enabling an instant switch or consolidation of accounts. 

US – FDX

First off it’s important to note that retail banking is not a highly profitable business. Average US Net Interest Margin is 3.2% (St. Louis Fed), and fee based income has been greatly reduced by regulations and improved transparency (see The Financial Brand Article). In fact, the bottom 4 deciles of consumer relationships are unprofitable (for most banks).  Economies of scale are winning as fewer new banks open and the large (top 5) banks significantly gain deposit share (see FDIC) and are decreasing their cost to serve. 

The forces acting on consumer banking are complex as they drive BOTH consolidation and new models for engagement (neo banks). In general, retail bank switching costs are going toward 0 (as is the time to switch accounts). A fantastic McKinsey report, Rewriting the rules: Succeeding in the new retail banking landscape (Feb 2019), articulates 4 key shifts:

  1. Branch footprint (distribution) has lost its role as the primary driver of growth
  2. Banks are competing on customer experience
  3. Scale economies are back (technology/data economies of scale)
  4. The retail banking relationship is becoming unbundled along product lines

FDX and OFX

The first industry standard on account information started with OFX protocol in 1997 (see Wikipedia). This standard was driven in the days of Personal Financial Management (PFM) software like Microsoft Money, Intuit’s Quicken/Quickbooks where consumers had a desktop application that downloaded, aggregated and reconciled their transaction information. In 2002, my customer base at Wachovia was the largest PFM user base in the US. Part of the reason was our large wealth and small business segments. These customers had complex financial holdings. The OFX standard was driven by consumer demands to support the PFM platforms. OFX enablement made sense for us, as PFM users had balances of over 3x the average customer, the highest profitability of any segment, and much lower churn. 

Most banks have operational OFX servers in place today (ie Quickbooks and Yodlee connections), and the protocol remains the primary data exchange mechanism for account access. FDX participation is much broader than OFX and actually encompasses the OFX effort (see whitepaper). Today 95% of all “open banking” interactions do NOT involve message transfer (OFX/FDX), but rather screen scraping. Banks are reluctant to open up OFX access as tokenized one time credentials are not part of their existing platforms. They have thus joined FDX to influence standards AND have created Akoya to wrap existing OFX/proprietary access services with tokenized credentials. My view is that Akoya will be the central clearing house for bank information that operates within FDX protocols and manages tokenized access. TCH is the primary operator of Akoya.  

Risks for Banks

Banks hold very unique data. Google creates value from intent data based upon search.. Search represents what you are thinking, it is not truth marked to what you are DOING. Data from your primary DDA is your actual behavior, a data set that is significantly more valuable. The aggregation services mentioned in the PSD2 business case are not new. 

Story – 2005 Advisor View

Yodlee’s very first customer was Wachovia Bank in 1998 (run by Lawrence Baxter). I came on board to run the online bank in 02 and Yodlee proposed a new service for wealth customers: Advisor View. Our retail customers absolutely loved Yodlee’s aggregation service, with a solid 20% of our actives using it. Of these actives, almost 30% were wealth customers with complex holdings across more than 5 financial institutions. Yodlee sent me an encrypted report as a draft of what could be accomplished with Advisor View. Upon opening it I was completely shocked, it was the detailed financial holdings, and transaction history, of each customer by name at each financial institution. My immediate reaction was “holy crap no one is permissioned to see this data”. I thus immediately destroyed the data and let Yodlee know they can’t ever generate this again. Data this detailed must be permissioned by the consumer for an explicit use and term. 

Open banking aggregators (Yodlee, Intuit, Plaid, Finicity, …etc) have access to this data today (primarily through screen scraping). In the example above, Yodlee operated as a branded bank service (accountable to Wachovia); today these aggregators do not. For example, PayPal is Plaid’s largest customer and primary user of the account ownership verification service. Visa and Mastercard’s interest here goes beyond their CENTRAL role of authentication, account verification, credit worthiness, …etc. If these aggregators can continue to successfully gain access to consumer sensitive information (PII) and detailed purchase data, they will be something much more.. the truth marked Meta Directory of Payments, Banking and Commerce.

Open Payments

Open Payments are not as well defined as Open Banking (see EPI blog). There are many good ideas for “Open Payments” as technical standards across point of sale, payment acceptance infrastructure, tokenization, identity, treasury/accounting, and banking are poorly defined. 

Side Note: This is one of the biggest advantages of the MA and Visa networks: defined standards (ISO 8583) and defined operating agreements.  These networks also work to certify all devices that touch card information AND also certify each participant (bank license).

From a payment scheme perspective open payments typically means leveraging a low cost clearing network (ex SEPA, ACH, Debit, …etc) or cryptocurrency with enhanced risk or identity services. Note that a good portion of PSD2 actually covers open payments (see article), defining the role and risk of a Payment Initiation Service Provider (PISP); in this model a new intermediary logs into your bank and pushes the payment out to the intended beneficiary (ie think bill payment in the US). Other examples of open payment efforts: 

The Golden Goose is safe, as minimal progress has been made in converting consumers to these schemes. Consumers love their reward points, and open payments value flows primarily to the merchant (in the form of lower transaction costs). For example, PISPs in the UK have plenty of merchant interest, but consumers have yet to jump on board. Additionally, banks have proven the ability to “fraud screen” all payment types and throw sand in the gears of new intermediaries.

Story – 2004 VBV/MSC in Europe

Verified by Visa (VBV) and Mastercard Secure Code (MSC) rolled out in 2003 (Europe) and shifted eCommerce CNP risk to Banks. It was a complete and utter failure, not just from a tech view but also from a customer experience and business model view. Merchants were incented to put the technology in place (10bps and fraud shift to Banks). VBV/MSC failed to catch the fraud… who was motivated to fix the flaws? Not the merchants.. they had given the fraud loss to the Banks and received a discount. It was rather the Banks, which were left with declines as their only tool (as I outlined in Perfect Authentication – A Nightmare for Banks). In other words, Banks had no way to incentivize merchants to manage risk in VBV/MSC, but could only penalize a merchant for poor performance (through declines). This is why we don’t see VBV or MSC running in Amazon, Apple, Paypal, …etc.. Merchants fear declines much more than they do managing the fraud.

Tom Noyes, 2014 Authentication in Value Nets

Open payment efforts must not only create a SUPERIOR economic model for “most” participants, they also must overcome switching costs and blocking efforts. I’m a big fan of “open payments” for another reason: efforts to standardize payment message sets are yielding substantial benefits to the integration of payments into back end systems (see Embedded Payments). Adyen is the clear leader here, and may be the first “payment” player to create a sustainable business model that does not rely on interchange.

Beyond the shared model for investment, the central friction in the V/MA schemes surrounds identity and purchase detail. While banks know the consumer, they don’t know exactly what they bought at the merchant. While the schemes support the ability to receive transaction detail (in Level 2 data), no merchant provides this information, as SKU and Price would provide transparency and power to banks. Similarly, most merchants do not know who the customer is, as cards protect consumer identity (see Brokering Identity). Visa and Mastercard, for their part, are constrained by not knowing EITHER identity or detail. 


There is much room for innovation here, as the service bundle changes from just payment to the brokering of identity (and preferences) for discounts (see detail on Target and Google). For example, eCommerce transactions are driven by the stuff we want, with payment as the last (and easiest) part of the transaction. Alipay, Amazon, Paypal, Apple, Google and the Merchant are all better placed to assist the consumer in:

  • Shopping/Discovery 
  • Selection/Omni Channel (ex Google Shopping, Target Circle)
  • Incentive/Rebates (Ex Paypal Honey)
  • Purchase/Delivery (ex Prime, Google Shopping Express)
  • Credit within the transaction (ex: Walmart/Affirm)

The value is in connecting consumers throughout this process. Where payment interchange is despised by merchants (50-250bps), merchants gladly hand over 2000bps to Google and Facebook for advertising. Brokering of data and identity is central to any new payment scheme. The challenge? Google, Facebook and the Banks share a common philosophy: Data goes in.. but never goes out. This creates a tremendous technical challenge in data collaboration, as the value of data is based upon its intersection. 

Detailed operating agreements that govern the intersection of data, participants and use are much different from technical standards that cover the format (but not the economics) of information exchange:

  1. The value of data is dependent on HOW IT IS USED. The same piece of information has different value for different uses. If I don’t know the use, or manage the use I can’t price the data. 
  2. The rights and privileges that each participant has on data is dependent on USE
    1. Right to STORE the data
    2. Right to USE the data
    3. Right to SHARE the data 
  3. Data leakage causes the value of data to go to 0, and the value of data decays quickly with time. 

Building a network is hard, far beyond the technology, creating an economic model that benefits all stakeholders AND gaining their commitments. I firmly believe Osama Bedier, and the Google Wallet team led the closest thing to a reinvention here. After $1B investment, solid merchant participation, banks found a way to kill Google wallet.

Bank collaboration is something most non-banks have learned to run away from, and every bank must work to change that. For example in 2015, ApplePay wanted to provide transaction detail within the wallet. Only a few select card issuers would trust Apple with this information (ex Amex, Cap One, ….). This is just one driver for the Apple Card (beyond equipment financing), as Apple wanted a card to demonstrate what great customer experiences are possible. But Apple shouldn’t feel bad.. Google’s experience was even worse.

Wrap Up

Traditionally bank margin is tightly linked to risk management. The core of risk management is data.. thus Banks have been among the best data businesses (see blog Banks as a Data Business). As I laid out in Changing Economics of Payments, for a majority of consumers, payments are the central function of the banking relationship, yet there has been minimal innovation that re-imagines the banking relationship, identifying smaller segment needs to drive reinvention of bank products/services (see blog “Banking the Masses”). 

The story that all banks know here is PayPal. In the late 90s consumers had to mail checks to eBay counterparties until Paypal came along. In emerging markets we see Alipay, WeChat Pay and MPesa as services that banks “should have” started. The speed at which new networks gain critical mass is astounding (see HBR –  Alibaba/Alipay). History demonstrates success begins with commerce value, seamless enablement of transaction and customer experience. 

Thus the bank innovation conundrum: 

  1. Brokering commerce is the primary role of retail banking, but banks have few relationships with merchants or big tech to “broker”. 
  2. Consumer relationships, and the corresponding data, are under threat from specialists and aggregators wrapping bank products and riding their rails (banks as dumb pipes) 
  3. Regulators and customers are requiring me to open bank data, in a model where banks retain all of the servicing costs and regulatory risks.
  4. Bank networks are becoming more rigid (as increased scale reinforces existing service value – rigidity and trust of participants is domain specific). 
  5. New networks will not improve economics.
  6. The unique value banks deliver is based upon data, but its uniqueness is decaying AND the management of data rights is becoming increasingly complex.
  7. Margin of retail banking is rapidly deteriorating, with specialists able to move customers with near 0 switching costs.  
  8. 40% of my current customers are unprofitable. I would love to switch these customers to neo banks.
  9. … I could go on but it doesn’t get much better

Bank Action plan

  1. It all starts with People. Who do you have running payments and partnerships? Today I would rate Capital One and Bank of America as the leaders. Capital One has the best software organization and data centric business. Bank of America has acquired some of the best banking and payments talent (from non banks like Apple). 
  2. KYC. Learn your customers and your competitors. Open is a terrible business model, but a fantastic technology one. Support the definition of open standards, but know they will be useful from an internal perspective only in next 10 years as new white label bank services. 
  3. Consumer behavior. How is it changing? Do you have data on what is happening to your customers today? How is their buying changing? Why are they calling the call center? Stay on top of it weekly. How are you servicing your profitable segments? How are your products competing?
  4. Partner, Collaborate, Build and Embed when new market niches are identified. Serving a high growth small business owner is much different from serving an average transactional customer. Fintechs all have a scale problem, and financial services are highly competitive. Your bank can likely manage risk better than any bank, but can you PARTNER better than any bank? The two best “collaboration” banks are Meta and TBBK. Everyone goes to them first. Can your bank step in here?
  5. Deliver – New Technology Mindset. How often do you release a new mobile app? For each segment? If you aren’t delivering new features every 3-4 weeks your product process is broken. Let your mobile team manage their own engineering team.. You can’t have a Ferrari and a bulldozer run by the same operator. 
  6. Protect the core. Banks have a great track record at creating payment networks (Visa, MA, Swift, BACs, … ) but they don’t have a monopoly on commerce, the consumer or payments.. Common standards will accelerate “buy” options for banks to enhance services… and collaborate on new product bundles. Ensure you protect core bank data. Look to existing bank owned consortiums that have PROVEN the ability to create new products. The Early Warning team is at the top of the list. This is where account ownership and verification should reside.. There should be no screen scraping to accomplish this.. Make all requests go through your approved channel under a defined agreement in which the TPP pays. 
  7. Educate consumers on the risks posed by data leakage. Tell them what they should do, how do you keep them safe? What new things are you building for them?
  8. Executive Engagement. See this blog

Story – Why I Killed Yodlee Services at Wachovia

My customers loved the Yodlee service, and profitability of users far exceeded the average. Unfortunately, Yodlee represented over 30% of inbound call volume to our call center. Part of this service cost was due to the inaccuracies associated with screen scraping.. but this was not something Wachovia could fix alone. All FIs, investment specialists and loyalty programs also had to fix it. Operating costs also played a role, as the first customer of Yodlee we enjoyed some preferential pricing, but that needed to change. While I was willing to pay these costs for wealth and small business customers, our banking partners were not willing to pay these for our mass market segment. However the PRIMARY driver of our decision was the danger of sharing banking credentials outside of the customer relationship. We never wanted the customer to think it was “ok” to share banking credentials with anyone. In addition to cutting the service for most customers, we updated our customer disclosure to define credentials as joint property that cannot be shared. Consumers had to understand the risks associated.

The result? Our Wealth and SMB customers received higher service levels and more focused products. Our mass customers complained (greatly), but we upgraded our online banking to provide much greater budgeting and “PFM like capabilities” (#1 online bank in 2007) and the attrition was minimal. Thus.. focus on segment specific needs, support them in a bank orchestrated model.

In 2007, Yodlee operated as a white label bank service provider. New aggregators operate under their own brand and NO bank agreements. Bank leverage with consumers and TPPs is much lower in this model. A slippery slope of consumer expectations and data disclosure would seem to await. If I were in banking, I would make the customer authorize the disclosure of information to any outside party every week. Just like Apple does when an App is “always” using location services.
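The post argues that detailed data must be permissioned by the consumer for an explicit use and term, that STORE, USE and SHARE are separate rights, and that a grant should lapse unless the customer re-authorizes it (weekly, in the suggestion above). The following is an added illustration of that model, not code from the post or from any bank or aggregator: a consent token presented by a TPP in place of the customer’s bank credentials, checked on every request against purpose, data scope, granted rights and term. All names, the sample TPP and the sample consent are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Flag, auto


class Right(Flag):
    """The three rights the post distinguishes; each is granted separately."""
    STORE = auto()
    USE = auto()
    SHARE = auto()


@dataclass(frozen=True)
class Consent:
    """One consumer grant to one TPP, for one declared use, for a fixed term.

    The consent_id stands in for the tokenized credential a TPP presents
    instead of the consumer's login, so the bank can revoke the grant without
    the customer changing a password (hypothetical format, not a real scheme).
    """
    consent_id: str
    tpp: str
    purpose: str                 # the explicit use the consumer agreed to
    data_scope: frozenset[str]   # which data types, e.g. {"balances"}
    rights: Right                # which of STORE / USE / SHARE were granted
    granted_at: datetime
    term: timedelta              # lapses unless the consumer re-authorizes

    def expires_at(self) -> datetime:
        return self.granted_at + self.term


@dataclass(frozen=True)
class AccessRequest:
    consent_id: str
    tpp: str
    purpose: str
    data_type: str
    action: Right
    at: datetime


def evaluate(consents: dict[str, Consent], req: AccessRequest) -> tuple[bool, str]:
    """Decide one TPP request against the consumer's stored consents.

    Default deny: the request must match what the consumer explicitly granted
    on every axis, and a lapsed term asks for re-authorization instead of
    silently continuing access.
    """
    consent = consents.get(req.consent_id)
    if consent is None:
        return False, "unknown consent token"
    if consent.tpp != req.tpp:
        return False, "token presented by a different TPP"
    if req.at >= consent.expires_at():
        return False, "consent term expired; consumer re-authorization required"
    if req.purpose != consent.purpose:
        return False, f"purpose {req.purpose!r} differs from granted {consent.purpose!r}"
    if req.data_type not in consent.data_scope:
        return False, f"{req.data_type!r} is outside the granted data scope"
    if req.action not in consent.rights:
        return False, f"{req.action.name} right was not granted"
    return True, "allowed"


def reauthorize(consent: Consent, now: datetime) -> Consent:
    """Consumer re-confirms the grant: same scope and term, new start date."""
    return Consent(consent.consent_id, consent.tpp, consent.purpose,
                   consent.data_scope, consent.rights, now, consent.term)


def demo() -> list[tuple[bool, str]]:
    """Constructed sample: a budgeting app granted USE only, on balances and
    transactions, for a one-week term that the customer later re-confirms."""
    t0 = datetime(2020, 1, 6, tzinfo=timezone.utc)
    consents = {"ctk_demo_1": Consent("ctk_demo_1", "budget-app.example", "budgeting",
                                      frozenset({"balances", "transactions"}),
                                      Right.USE, t0, timedelta(days=7))}

    def request(**overrides) -> AccessRequest:
        base = dict(consent_id="ctk_demo_1", tpp="budget-app.example",
                    purpose="budgeting", data_type="transactions",
                    action=Right.USE, at=t0 + timedelta(days=1))
        return AccessRequest(**{**base, **overrides})

    results = [
        evaluate(consents, request()),                            # within grant
        evaluate(consents, request(action=Right.SHARE)),          # onward sharing not granted
        evaluate(consents, request(purpose="credit-scoring")),    # same data, different use
        evaluate(consents, request(data_type="holdings")),        # outside data scope
        evaluate(consents, request(at=t0 + timedelta(days=8))),   # term lapsed
    ]
    consents["ctk_demo_1"] = reauthorize(consents["ctk_demo_1"], t0 + timedelta(days=8))
    results.append(evaluate(consents, request(at=t0 + timedelta(days=8))))  # allowed again
    return results
```

Each denial reason is specific enough to audit which axis (TPP, term, purpose, scope, right) the request failed on, which is the control a bank lacks when a TPP simply holds the customer's credentials.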

4 thoughts on “Open Banking, Open Payments and Trust Networks”

  1. From Alexander P

    Tom, a couple of additional thoughts.

    Trust
    With OB, trust is “built-in” – SCA takes care of that. I.e. when PISP runs a transaction, trust comes from the fact that transaction is handled within the familiar environment of a banking app/site.

    Business model
    As I mentioned, we see the following model working well in Europe with PSD2 – banks offer “premium APIs” to deliver adequate UX/SLA and get paid more than the current capped interchange (say 0.25%).

    My response
    ————–
    I’m interested.. this is exactly the dialog I want to have.. can we move it to the blog itself to capture? “Trust is built in” ok.. you are using the banking site to initiate the transaction. Where did the tokens/credentials come from? What form of agreement does the PISP have with the bank? Is there a bank led certification process and audit of the PISP? In the V/MA world each payment terminal (and eCommerce “initiator”) had to go through a certification process. Does that take place? Can an individual bank “turn off” a PISP? Who makes that decision?

    With regard to premium APIs who is setting the price? is there a standard agreement?

    1. Great questions, Tom (always liked your methodical and logical approach).

      My comments were in respect of the mandated PSD2 model: banks must provide an API-based free (for now) access to account and payment services to ANY regulated entity.

      Trust
      In terms of certification, there is none as none is needed at present: each bank sets its own rules for Secure Customer Authentication – that lack of conformity is one of the current limitations of Open Banking. When AIS and PIS are implemented on a mobile, in most cases users complete the transaction inside their banking apps. Security-wise, that typically involves biometrics – or, at least, PIN.

      There are expectations that in the future banks will allow PISPs/TPPs to authenticate users directly, e.g. using a FIDO2-compliant mechanism. I.e. it is still a “mobile-first/only” approach.

      Business model
      Premium APIs are not even on the drawing board, industry- and regulation-wise. It’s just a logical way forward. However, the recently announced EPI (PEPSI) could derail/delay a move towards premium APIs.
