Author: Dr Gavin Scruby
The first generally useful application of Open Banking is here in the UK. While it will be some time yet before it gets much use, new organisations will soon be able to initiate payments between bank accounts on a consumer’s behalf. This creates a new layer between consumers and banks, hopefully spawning novel ideas and services. Moving the centre of payments away from banks, though, causes significant shifts in the market, and could well affect the dynamic around banks’ payment card cash cow.
Any authorised organisation can now make payments; it doesn’t need to be a bank. You might think that’s already the case with cards. But cards are expensive for a company to process. Alternative systems such as Direct Debit (account-to-account transactions) are often much cheaper, especially when a payment is recurring, but for non-recurring payments Direct Debit is not ideal. What is a payment card fundamentally, though? It’s just a token that, along with a PIN or signature, identifies a payer and a payment source. With Open Banking, that token is your bank details, with nothing physical needed, combined with the authentication mechanism (likely to be through a phone) chosen by the account-owning bank.
If a company uses Open Banking APIs to process payments instead of cards, it could save a lot of money, both because there is no physical token needed, and because there will be a lot more competition; the barrier to entry is lower by design.
Big online retail organisations will be looking at this already. They process a huge number of card payments. If they could bypass both the cost (from the card processors) and the effort (following up expired cards, fraudulent cards etc.) by processing account-to-account, they would do it. It would be so much easier to store bank account records than credit card records from a compliance perspective too (though I think that will change). Of course, we’ve made an assumption here: Open Banking transactions will have a similar saving over credit cards that Direct Debit does. There’s nothing to suggest that this will not be the case so far, but banks will not want to lose these margins and will be looking very creatively at ways to keep them.
This leads us to the sensationalist title of this article. We will soon have a payment mechanism that needs no physical token or infrastructure (using an authenticator that most people carry with them), is cheaper through greater competition and uses the bank account itself directly as the payment source. It will take quite some time to change, but what is the point of payment cards then? Outside of niche use cases such as going on holiday to other countries, pre-paid loaded cards or situations where you need a physical token, cards seem like a payment hack that has had its time.
Chip and PIN became mandatory in the UK twelve years ago. There are adults now who have never seen a credit card pushed through the carbon roller mechanism that existed before chip and PIN. Changes of convenience become normalised very quickly. We may soon see a time where physical payment cards are looked at in the same way we look at audio cassettes today. I for one miss cassettes; who will say the same for payment cards?
Author: Dr Gavin Scruby
Within the next year, the Competition and Markets Authority (CMA) will force UK banks to open up their transaction interfaces so that third parties can make payments on behalf of customers. The aim of this change is to remove the stranglehold held by ‘traditional’ banks on financial transactions, to force innovation and drive common standards that organisations can use to create new and transformational services.
The CMA’s stated goal with the Open Banking initiative is to make traditional institutions compete harder for customers and reduce the barrier to entry for new players. But what does this mean for customers? What advantages will normal banking users get out of such a substantial change to banking responsibilities? To work out what’s likely to happen, we can look at similar developments in other technology areas and predict the evolution Open Banking will go through, and how this will impact our lives.
Exploring open interfaces
The basis of all Open Banking is open transaction interfaces (APIs) provided by the banks to other companies in order to carry out basic retail banking activities, i.e. creating payments and reading transactions. There are many more interfaces around loans and interest rates, and data on banking products for comparison sites, for example, but to achieve many new services we don’t need to look beyond making and viewing payments. This alone is transformational. These transaction interfaces will be made available to any reputable and authorised third party organisation, which will use them to build services that work on behalf of banking customers.
The first thing new third party systems will do is become a central, better-designed proxy for a bank’s services. They will become aggregators for all accounts across different banks and will allow customers to set up payments from any account, all in one place, with one well-designed portal. Aggregation services like this exist now, but they only read transactions. To create payments in the current system, users must log in to the individual bank’s interface. In the near future, customers will have full control of all finances from one place. This is a powerful first step in providing a complete view of our finances.
The power of contingent payment events
Once users have full, direct control, third party aggregators will then start to further improve the services they provide. With just basic read and create operations for transactions, they can start to build more complex rules. There will be options such as ‘only pay the mortgage after the monthly salary comes in’; i.e. if this happens (salary in), do something contingent (mortgage out). This can be a powerful tool for automating budgeting and will ensure individual accounts never get overdrawn. Behind the scenes, these rules will be implemented using a scripting language and algebra created by the aggregator. Often this will never be exposed in all its complexity to the end user, but it’s important for the next innovation stage.
Once they see the possibilities, customers will continually demand more flexibility and power in how they define contingent events within their finances. This will force providers to gradually expose more of their scripting systems so that customers, and then other third parties, can create complex financial applications layered on top of basic transaction and aggregation logic. The most successful of these will be the ones who provide a simple interface with maximum flexibility. Users will start to think of novel new uses, tying their transactions into other aspects of their lives.
Think of the contingent payment event discussed above; with a rules algebra, users can define their own extensions, such as ‘move 10% of everything left to a savings account after the salary has come in and after the mortgage has been paid’. This will still live in the realm of early adopters, but the pace of innovation will drive more rules development and it will soon seep into the mainstream. People will also share useful rules with others to shortcut the process, much like the popular web mashup service ‘If This Then That’ has done for cloud services.
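As an added illustration (not code from the article or from any aggregator), here is a minimal contingent-payment rules engine in Python that implements the two rules quoted above; the account names, the PAYROLL reference, the £950 mortgage figure and the starting balances are constructed. It also shows two checks a provider would need before letting such rules move real money: a rule never overdraws its source account, and a replayed transaction feed never posts or pays twice.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_DOWN

# A posted transaction: id is the bank-side transaction id (doubles as the
# idempotency key); amount is positive for money in, negative for money out.
Txn = namedtuple("Txn", "id account amount reference")
# A contingent rule: trigger(txn, ledger) -> bool says whether this posting fires it,
# amount(txn, ledger) -> Decimal says how much to move to destination.
Rule = namedtuple("Rule", "name trigger amount destination")

@dataclass
class Ledger:
    balances: dict
    seen: set = field(default_factory=set)    # transaction ids already posted
    fired: set = field(default_factory=set)   # (rule name, transaction id) pairs

    def run(self, rules, incoming):
        """Post each transaction once, then evaluate rules in list order, so a later
        rule can be contingent on an earlier one having fired for the same posting."""
        for txn in incoming:
            if txn.id in self.seen:            # replayed feed: never post or pay twice
                continue
            self.seen.add(txn.id)
            self.balances[txn.account] += txn.amount
            for rule in rules:
                if (rule.name, txn.id) in self.fired or not rule.trigger(txn, self):
                    continue
                amt = rule.amount(txn, self)
                if amt <= 0 or amt > self.balances[txn.account]:
                    continue                   # a rule may never overdraw its source account
                self.balances[txn.account] -= amt
                self.balances[rule.destination] += amt
                self.fired.add((rule.name, txn.id))
        return self

def salary_rules():
    """The two rules quoted in the article; account names, reference and amounts are constructed."""
    salary_in = lambda t, l: t.account == "current" and t.reference == "PAYROLL" and t.amount > 0
    mortgage = Rule("mortgage", salary_in, lambda t, l: Decimal("950.00"), "lender")
    savings = Rule("savings",   # 10% of what is left, only once the mortgage has actually gone out
                   lambda t, l: salary_in(t, l) and ("mortgage", t.id) in l.fired,
                   lambda t, l: (l.balances["current"] * Decimal("0.10")).quantize(Decimal("0.01"), ROUND_DOWN),
                   "savings")
    return [mortgage, savings]

def demo(payroll="2000.00"):
    feed = [Txn("t1", "current", Decimal(payroll), "PAYROLL"),   # constructed feed: salary,
            Txn("t2", "current", Decimal("20.00"), "REFUND"),    # an unrelated credit, then
            Txn("t1", "current", Decimal(payroll), "PAYROLL")]   # the salary replayed
    ledger = Ledger({"current": Decimal("100.00"), "savings": Decimal("0.00"), "lender": Decimal("0.00")})
    return ledger.run(salary_rules(), feed)
```

With the default £2000 salary the mortgage and the 10% sweep both fire exactly once; with `demo("500.00")` the mortgage rule is refused because it would overdraw the account, and the savings rule, being contingent on it, never runs.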
Rise of the machines
Once complex third party scripting and rules engines exist and are available through their own web interfaces, artificial intelligence (AI) systems can use them to provide natural language interfaces with their own interpretive power on top. With systems like Amazon Alexa and Google Home, users can build on the basic payment transaction interfaces, with rules on top. This will bring rules-based payment processing to those who have no interest in the arcana of scripts and programming.
Even rules have rules
While the way finances are managed is broadening, financial rules logic will continue to advance. The next step is to create metadata on top of basic rules. For example, systems can define things like an agreement to pay someone in the future, where that agreement can be transferred to another person (effectively an IOU). These are metarules (rules about rules), analogous to metadata (data about data): the rule is ‘pay someone at this time’; the metarule is ‘verify and sign this rule, then allow it to be transferred or proven to someone else’.
Services will extend in various directions to support the idea of making rules about rules. The first examples will be completely standard and understood applications such as IOUs between friends, but much like the word ‘meta’ itself, options are only limited by the flexibility of the metarule-set and the imagination of the user.
Into the metaverse: the options are endless
Once metarules are available, new and creative application cottage industries can emerge. IOUs between individuals can be extended to groups of friends, making microcredit brokerage groups possible without any further financial institution involvement.
The ability to define rules about rules on transactions allows value to be transferred in and out of the system. People can create rules that define exchange rates and mechanisms for a commodity anchored to real currencies, events or places, making possible specific time-based or exchange-based local currencies. Here, ‘local’ doesn’t even mean local geographically – it could just mean local within the group’s membership criteria. Once this happens, the very idea of financial institutions becomes blurred: we all become banks, and the legal and regulatory implications of this could be frightening.
The developments coming to open payments only describe innovations we have seen many times before, even in some limited cases within finance itself. The difference with open banking is that there is a huge legacy to overcome, both institutional inertia and the difficulty of changing something that permeates every aspect of our lives. At the same time, once an idea takes hold, it can create a whole new paradigm seemingly overnight. This is where most of the large Silicon Valley successes have come from. The progress we can make on a system that is still based in some form on passing pieces of paper around is hugely exciting and liberating, and could revolutionise the whole finance industry.
Author: Dr Gavin Scruby
Open Banking is now here in the UK, although not yet completely supported by all high-street banks.
As new companies and services are created, we will soon be able to do ever more with our bank details, from account aggregation apps to creating new kinds of payment rules. Not only does this mean a change in what can be done directly from our bank accounts, it means our bank account details themselves are now the source data we use to make payments. This is important, because it changes the power dynamic for criminals when choosing what to target.
Electronic payments and Direct Debit
In the past, only a customer’s bank could make a payment from an account. Then, we had Direct Debit, which allowed companies to take money from customers’ accounts on a regular basis. This mechanism, while powerful, has strong controls on how and when payments are made; it is never ad hoc or without notice, and can be refunded in every case under the Direct Debit Guarantee.
Enter cards and PCI DSS
The only way ad hoc payments could be initiated by non-banks was through credit cards. This made credit card data valuable, and so it naturally became a target for criminals. In 2017, over £1 billion was stolen from bank accounts through credit and debit card fraud, according to recent research.
To combat fraudulent behaviour, the industry got together to create the Payment Card Industry Data Security Standard (PCI DSS), which aimed to ensure that organisations processing and storing credit card details were vetted, or at least worked to specific data and information security standards. The card brands (Visa, MasterCard, American Express, Discover and JCB) first created their own standards with a similar aim of achieving a minimum level of security. The Payment Card Industry Security Standards Council (PCI SSC) was then formed in 2006 to align the brands’ policies, which led to the creation of the PCI DSS.
Open Banking – a new target for criminals?
With the rise in Open Banking, we spin this around again. Bank account data could well become the most convenient source mechanism for transactions and payments. No matter the security we put in place, bank account data may become as attractive to criminals of the future as credit card data was in the past.
My question to the industry is: do we need a PCI equivalent standard for bank account data?
The UK Financial Conduct Authority has been increasing its accreditation requirements for providers, but I’m not sure this is sufficient. Right now, bank account data can be treated and processed with no more ceremony than any other personal data. Is this good enough given how much more useful such data may become? Responsible processors such as SmartDebit have always treated bank account data with the same care as credit card data, but that isn’t the case universally and there are no industry standards in place to ensure bank data is stored securely.
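As an added example (not from the article or from SmartDebit), here is how PCI-style controls of the kind the author asks for might be applied to UK bank details: masking a sort code and account number the way card numbers are truncated, and a detection pass over application logs that flags lines where raw details have leaked. The log lines and the matching heuristic are constructed.

```python
import re

# Constructed example. UK bank details are a 6-digit sort code (usually written
# 12-34-56) plus an 8-digit account number. The pattern is a heuristic: a sort code
# followed within 20 non-digit characters by an 8-digit number.
SORT = r"(?:\d{2}-\d{2}-\d{2}|\d{6})"
PAIR = re.compile(rf"(?<!\d)(?P<sort>{SORT})(?P<mid>\D{{0,20}})(?P<acct>\d{{8}})(?!\d)")

def mask_details(sort_code: str, account: str) -> tuple[str, str]:
    """Truncation in the spirit of what PCI DSS requires for card numbers: hide the
    sort code entirely and keep only the last four digits of the account number."""
    return "**-**-**", "****" + account[-4:]

def redact(line: str) -> tuple[str, int]:
    """Return the line with every sort-code/account pair masked, plus how many were found."""
    hits = 0
    def _sub(m):
        nonlocal hits
        hits += 1
        sort_m, acct_m = mask_details(m.group("sort"), m.group("acct"))
        return sort_m + m.group("mid") + acct_m      # keep the text between the two values
    return PAIR.sub(_sub, line), hits

def scan(lines):
    """Detection side: (index, hit count, redacted line) for every line leaking raw details."""
    findings = []
    for idx, line in enumerate(lines):
        redacted, n = redact(line)
        if n:
            findings.append((idx, n, redacted))
    return findings

LOGS = [  # constructed application log lines; only the first and third leak details
    '2018-01-13 10:02:11 INFO mandate created sort=12-34-56 acct=12345678 payer="A Customer"',
    '2018-01-13 10:02:12 INFO payment initiated ref=INV-1001 amount=42.50',
    '2018-01-13 10:02:15 DEBUG raw payload {"sortCode":"123456","accountNumber":"87654321"}',
]
```

Running `scan(LOGS)` flags lines 0 and 2 and returns them with the details masked; a processor that already stores bank data with the same care as card data would run a check like this over its log pipeline, not just its database.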
My prediction is that this lack of security regulation on bank account data will survive a couple of high-profile breaches before the industry and regulators take action. If they don’t, nascent confidence in Open Banking as a framework could start to collapse. I just hope it’s not my bank details caught up in the news that eventually highlights the way.
© Vivolution Limited