Digital Wallets – Core Functions and Competitive Strategies

What are the core functions of a digital wallet and what will the future bring now that Apple has opened up their Secure Element (see blog)?

I’ve been writing about wallets for over 12 yrs. Let me recap some history:

  1. In 2006, mobile operators controlled which “apps” could run on a phone. In the US, Qualcomm bought Firethorn in an effort to create a single bank application, where banks had to pay $1 for every balance request. I’m not joking.. Open app stores destroyed this model quickly, so the MNOs pivoted to the SE and the SIM card. 
  2. In 2010, Mobile Network Operators (MNOs) controlled the encryption keys for secure elements. Their pitch to Google was, “Give us a billion dollars, and we’ll give you the keys”. The absurdity here was only surpassed by Doug Bergeron (CEO of Verifone) marching into Google the next year and asking for a “billion dollars” for Verifone to support contactless (I was just outside the meeting room). Of course there was no economic model for Google to make a single penny off of payments back then. Even worse, there were 12 parties in the NFC ecosystem, all looking for economics, yet there wasn’t a dime to share between all of them (blog). Now wrap all this silliness into an MNO consortium with the name ISIS.. yep.. What a great brand!
  3. From 2008-2014 the GSMA had a global vision for managing the phone’s secure storage (see blog) and monetizing it for the MNOs. The MNO could control either the secure storage in the SIM card (reached by the NFC controller over Single Wire Protocol, SWP) or an embedded secure element.
  4. ApplePay’s 2014 launch did several things that changed the game: 1) ripped control of the SE away from MNOs and OEMs, 2) integrated payments and security into the OS (card credential in the SE, biometrics in the Secure Enclave), 3) required a card to activate a new phone, 4) created economics with the networks for payment (see blog).
  5. From 2007-2014, US Issuers wanted to enable only credit cards for contactless (a premium experience). 27 Issuers (led by Citi’s Paul Galant) were working on their own wallet, to “own” mobile payments (see Civil War). With the 2014 launch of ApplePay, Apple forced the Issuers to enable debit at parity with credit, and also gave Issuers a take-it-or-leave-it revenue share (15bps in US, 7bps in EU and ROW). Charlie Scharf (then CEO of Visa) also established a fundamental network rule: “no wrapping”. You can’t wrap a Visa card with another number and let it operate. A rule that was ahead of its time and was later formally established in the Durbin regulations.
  6. The 27-bank project thus floundered for 16 yrs until last year, when it saw the light of day as Paze. Paze is Gen 5 of this effort, and really a white-label version of SRC: a wallet that abandons the POS and focuses on eCom, with Visa given the reins as lead architect only last year (see eCom Politics and Scenarios).
  7. Today, Issuers classify Apple as “enemy number 1” because of the 15bps fee that the Issuers voluntarily signed up for. Their renewed complaint is that merchant discounts (ie 45 bps at Costco, Walmart and Target) put them upside down on transaction economics. Apple’s position (anecdotally) is “you knew what my fee was when you gave the discounts.. You voluntarily signed the agreement.. And now that it’s successful you want a discount?” (see 2022 US Payments Environment)
  8. Visa and Mastercard have become the identity infrastructure for the internet because of the binding of identity to payment. India’s UIDAI and UPI have shown the power of separating identity from payment. Europe is working to build a new digital identity infrastructure (and wallet) in eIDAS. Commercially, Fast Identity Online (FIDO) is at the heart of new eCommerce experiences that will massively disrupt investments in risk and fraud infrastructure. These services are in the card networks’ Payment Passkeys, PayPal’s Fastlane and others. These first-generation identity services will be surpassed by 2nd-generation identity solutions with hardware-bound credentials (keys that are generated in and never leave the device’s secure hardware). Google’s Secure Payment Authentication (SPA) is the best-in-class authentication solution globally. (also see Adios 3DS hello FIDO2). 
  9. While the tech changing eCom is amazing, there are only 3 options for organizing it into a successful platform: 1) Government Led, 2) Standards Led, 3) Commercial (payment) Network. Of the 3 only V/MA have established an economic model where participants can invest (see Identity Models and my new blog this week on topic)
  10. Wallets have grown substantially from “payments” to the consumer interaction point for “everything” between the virtual and physical world: door keys, concert tickets, boarding passes, driver’s licenses, loyalty cards, student IDs (see Apple’s list of use cases it will support). 


Core Functions of a Wallet

I see 5 core functions of a wallet:

  1. Customer Experience (CX) across all use cases, from payment to door keys and ticketing. How does the consumer use them?
  2. Security, Authentication and Identity. From provisioning to storage and use. A credential must be bound to both the phone (the key lives in the device’s secure hardware) and to a known user (the issuer has verified who that device belongs to). The process of establishing those bindings is known as provisioning in the payments world. 
  3. Acceptance. How does the phone transfer credentials to another phone or device (ie payment terminal, door, concert ticket line). 
  4. Economic Model. How does a wallet make money?
  5. Data and Intelligence. Imagine your phone combining your health, fitness, grocery and calendar data to make recommendations. This is coming in the next phase of wallets, with 2 very different models: 1) cloud and 2) secured in your phone (Apple Intelligence). 
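As an added example (not code from the original post, and not any vendor’s or FIDO’s implementation), here is a sketch in Go of the two bindings described in point 2 above and the FIDO/hardware-bound credentials mentioned in point 8 of the history. A simulated secure element generates a P-256 key and only ever exposes a sign operation (device binding); the relying party records that public key against a known user at provisioning time (user binding); authentication then checks a one-time challenge, the origin and the signature. The origins, user ID and the signed structure are assumptions for illustration; real WebAuthn signs authenticatorData plus a hash of the client data rather than the simplified origin||challenge used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for a phone's secure element / Secure Enclave: the key is
// generated inside and only Sign is exposed, so the credential is bound to
// this device. (Constructed example, not a vendor API.)
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Assertion is the device's answer to a challenge. Real FIDO signs
// authenticatorData || SHA-256(clientDataJSON); this simplifies the signed
// structure to origin || challenge (assumption for the example).
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

func assertionDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so the origin/challenge boundary is unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the only operation the device offers; the caller never sees the key.
func (d *Device) Sign(origin string, challenge []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, assertionDigest(origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, Signature: sig}, nil
}

type credential struct {
	userID string
	pub    *ecdsa.PublicKey
}

// RelyingParty is the merchant or issuer side. Provisioning binds a device key
// to a known user; authentication checks a one-time challenge, the origin and
// the signature against that record.
type RelyingParty struct {
	Origin     string
	creds      map[string]credential
	challenges map[string]string // hex(challenge) -> credential ID, consumed on use
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]credential{}, challenges: map[string]string{}}
}

// Provision records pub under a fresh credential ID for userID. In production
// this runs only after the user has been identified (issuer login, ID&V).
func (rp *RelyingParty) Provision(userID string, pub *ecdsa.PublicKey) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	credID := hex.EncodeToString(id)
	rp.creds[credID] = credential{userID: userID, pub: pub}
	return credID, nil
}

// NewChallenge issues a fresh random nonce tied to credID.
func (rp *RelyingParty) NewChallenge(credID string) ([]byte, error) {
	if _, ok := rp.creds[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[hex.EncodeToString(c)] = credID
	return c, nil
}

// Verify returns the bound user ID, or an error if the challenge was not issued
// for this credential (or was already used), the origin is not ours, or the
// signature does not verify under the provisioned key.
func (rp *RelyingParty) Verify(credID string, a Assertion) (string, error) {
	key := hex.EncodeToString(a.Challenge)
	owner, ok := rp.challenges[key]
	if !ok || owner != credID {
		return "", errors.New("unknown or replayed challenge")
	}
	delete(rp.challenges, key) // consume before verifying so a failed attempt cannot be retried
	if a.Origin != rp.Origin {
		return "", errors.New("origin mismatch: assertion was made for another site")
	}
	cred := rp.creds[credID]
	if !ecdsa.VerifyASN1(cred.pub, assertionDigest(a.Origin, a.Challenge), a.Signature) {
		return "", errors.New("signature does not verify under provisioned key")
	}
	return cred.userID, nil
}

func main() {
	dev, _ := NewDevice()
	rp := NewRelyingParty("https://merchant.example")
	credID, _ := rp.Provision("user-42", dev.PublicKey())
	ch, _ := rp.NewChallenge(credID)
	a, _ := dev.Sign(rp.Origin, ch)
	fmt.Println(rp.Verify(credID, a)) // user-42 <nil>
	fmt.Println(rp.Verify(credID, a)) // replay: unknown or replayed challenge
}
```

The three failure modes a practitioner cares about all fall out of the two bindings: a replayed assertion fails because the challenge is consumed, an assertion signed for another origin fails even though the signature itself is valid (the phishing case), and a different device cannot answer a challenge for this credential because the relying party holds only the provisioned key. Note the challenge is deleted before the origin and signature checks so that a failed attempt cannot be retried against the same nonce.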

Competitive Scenarios – Bank Wallet

Let’s take a look at a bank wallet: EPI in the EU or Paze in the US. Their benefit is that all cards and payment methods will be pre-registered and authentication (the process of verifying an identity) will be done through standard bank methods. These wallets will work, but there are problems in creating incentives for both consumers and for merchants (ie acceptance). 

Merchants will only accept a new payment method if it leads to increased conversions. New methods bring new costs (new models and support infrastructure are needed). Beyond conversions (and reduced abandonment), merchants would love to have known customers entering the funnel and a guarantee that their transactions will be approved. This is part of SRC and the associated rules (TAF, the Token Authentication Framework, for MA; DAF, the Digital Authentication Framework, for V). 

Consumers will only use a new method if it is easier than their current one. For example, in guest checkout, Google’s Chrome autofill represents over 30% of guest checkout and costs the merchants nothing. Why would a consumer change from that.. It also works at EVERY merchant.

Even if a new bank wallet provides a better experience at every merchant, could a consumer turn off ApplePay? No way. POS payments, Subscriptions, iTunes,  boarding passes, tickets, loyalty cards, Drivers Licenses.  ApplePay will still run in the background… 

While new wallets face a new form of multi-domain network effects, there is a very important point: Visa and Mastercard win in every model. They are the only entities providing the governance and commercial framework for operation. They want to see competition and great experiences, but regardless of who the consumer chooses, they win. 

For Issuers.. I also believe they win. Cards are the most successful consumer banking product of all time. Over 90% of interchange goes to reward programs; it is not a driver of NRFF.. NIM (net interest margin) is where card programs earn their keep. Keeping cards as the best experience is what matters most. 

Scenario 2 – Europe’s ID Wallet eID

eIDAS provides a standardized framework for electronic identification and trust services across the EU, crucial for secure and seamless electronic transactions. PSD2, on the other hand, is a directive that mandates banks to open their payment services and customer data to third-party providers under stringent security requirements. The interplay between eIDAS and PSD2 is central to enhancing security and trust in digital financial services.

As we survey today’s eIDAS environment, there are many standards, technologies, domains and evolving law. While operational progress is being made within a single domain (ex, Government services in Estonia or UK Healthcare), there is little progress in harmonizing cross-domain interoperability (See eIDAS Country Survey – 2023). 

Examples

  • Spain – Royal Decree 203/2021 [38] regulates the Electronic Identification Interoperability Node of the Kingdom of Spain, which is aimed only at public sector entities. Therefore, it seems that it would not be possible for private entities to connect to the Spanish node.
  • Italy – Currently, no matter whether you are a resident, a temporary worker, a student, a tourist, or a professional who travels often for business, in-person presentment of physical identification document(s) (sighting) and a local address are required. 
  • Slovenia – The supervisory body is the same body that provides trust services (the QTSP).

No Economics – No Local Banking Law – No Governance

How will Europe’s eID digital wallet impact consumer experiences? Right now it’s only government, and it’s only “some” government services, as Germany recognizes German credentials but not those of Slovenia or other countries that don’t have well-regimented issuing processes. Thus “who” issued the credential matters much more than its existence.  

In banking and payments the issues are even more complex, as there is no local requirement to accept digital credentials. Are they better than nothing? Sure, but economic incentives only come into play within commercial networks and their well-established rules. For example, a Mastercard TAF transaction with liability shift and mandatory approval requires credentials that Issuers control (not the central government). 

Governance Issues

The governance of eIDAS within the banking sector reveals a complex landscape where EU-level directives must align with diverse national laws. Under PSD2, eIDAS qualified certificates (QWACs and QSealCs) are how third-party providers identify themselves to banks (PSD2 RTS on strong customer authentication, Art. 34), but the implementation varies across member states. This creates challenges in ensuring a uniform application of these standards across Europe.

  1. Central European Directives vs. National Banking Laws: The central governance by the European Commission under eIDAS and PSD2 requires that all member states adhere to common standards. However, national laws in individual countries may impose additional requirements or interpret the directives differently. For instance, the discretion given to Account Servicing Payment Service Providers (ASPSPs) under PSD2 to choose between different eIDAS certificates (QSealCs, qualified electronic seal certificates, or QWACs, qualified website authentication certificates) can lead to variability in implementation across countries.
  2. Mandatory Use of eID for Banking: While eIDAS certificates are strongly recommended for compliance with PSD2’s strong customer authentication requirements, they are not universally mandatory across all member states. The European Banking Authority (EBA) has provided opinions and guidance on this matter, emphasizing the importance of these certificates and recognizing the autonomy of national authorities to enforce them as they see fit.

Specific Challenges and Implications

  • Interoperability: Ensuring that eID schemes are recognized across borders remains a challenge, with differing levels of adoption and technological capability in different countries.
  • Compliance Costs: For banks, especially smaller institutions, the costs of implementing eIDAS-compliant systems under PSD2 can be significant, leading to potential disparities in the level of security across Europe.
  • Regulatory Ambiguity: The coexistence of eIDAS and PSD2 without fully integrated regulatory guidance has led to uncertainties, particularly regarding the responsibilities of different stakeholders in maintaining and revoking eIDAS certificates.

The challenge in enabling identity exchange and authentication is not technical; rather it’s about the existence of authoritative parties and how they participate in a compelling end-to-end customer experience: educating customers, facilitating changes in customer behavior/habits, and providing insights/transparency with convenient controls. Thus large orchestrators are the source of most success, both at a national level (ex India’s UIDAI) and across domains (Apple/Google). 

Competitive Strategies

How do you compete against multi domain network effects? Establish a new metaphor. For example peer to peer crypto payments is greenfield. 

Another option is to change the game on consumer value. Where everyone is locked into cards because of economics, can an open banking wallet exist that only has the best interest of the consumer in mind? My best example here is Curve (see blog), the only wallet capable of running on both iOS and Android with contactless. Their Swipe Now Pay Later allows consumers to choose how they want to split their payment across instruments after the purchase (ex optimize points vs reduce interest cost). 

Issuers refuse to give Apple transaction data. This data is available through open banking in the EU.. and would be available in the US under the recent Section 1033 rule (likely to be terminated in the US within the next 12 mo, as it was outside the scope of the CFPB’s charter). Consumers need financial intelligence that is integrated into “everything” else, from health and fitness to shopping. This is the next big area of wallet competition. In this one Google is so far ahead as to be silly. 

Federated Identity and Distributed Trust

Identity is in the midst of both technical and legal/regulatory revolution driven by many overlapping efforts (ex eGovernment, payments, ID Issuance/Provisioning, Wallets, Web 3.0, …etc).  A condensed map of the technical evolution is provided below (see okta blog).
