2015 was a year when big ideas in payments started to take
shape and I’m hoping that 2016 will be the year
that we see those ideas developed into real
solutions. In this e-book, we’ve collated the top 5
things we think we’ll see over the coming year.
Payments 2016 - Will these be the top five payments trends?
1. Payments 2016
Will these be the top five
payments trends?
By Jonathan Williams
Director of Payments Strategy, Experian
2. 2015 was a year when big ideas started to take
shape and I’m hoping that 2016 will be the year
that we see those ideas developed into real
solutions. In this e-book, we’ve collated the top 5
things we think we’ll see over the coming year.
Foreward
3. Gearing up for PSD2 – strong
authentication and identity management
#PAYMENTS TREND ONE1As the Second Payment Services Directive
(PSD2) starts to get implemented in national laws,
customer authentication is going to become more
fundamental in the payments process: it will be
needed more frequently and will need to be more
robust using multiple factors for re-authentication.
As part of the process of transposing PSD2, the European
Banking Authority issued a consultation on strong
customer authentication, responses were due by 8
February 2016.
This will determine the approach used across all member
states, in addition to how each of them decides to
implement the directive.
Authentication will also be required to support the open
banking and payments APIs currently being investigated
in the UK as a precursor to defining the third-party provider
(TPP) interfaces to the banking system enshrined in PSD2.
Vendors and service providers will have to incorporate
strong customer authentication at point of payment
initiation for the vast majority of payments, value is likely to
be the determining factor.
With people needing to be authenticated every time a
payment is made, providers will need to take care to
strike a balance between strength of authentication and
convenience. Solutions that can authenticate without
introducing friction into the payments process will
be needed and 2016 will be the year that technology
companies determine their approach to this often
complex issue.
It will also become necessary to separate (re-)
authentication techniques from identity proofing and
from identifiers.
Approaches which separate the proof that an individual
exists and the related confirmation that this is the
customer presenting themselves from data about that
person, including payment account information, will make
it clearer how much confidence can be stated in a given
identity.
Whilst in the past it was good enough to make a binary
decision – “it is, or is not, Joan Smith” – modern risk
management requires us to be able to state how confident
we are that an individual is who they claim to be and is
connected to the data about them.
To do this we need more dynamic identity confirmation
tools so that, if an identity is successfully obtained
using a false passport, transactions attempted after
the forgery has been discovered will be distrusted.
2016 promises to start defining the standards for how
we trust each other, in real-life as well as banking and
payments.
It will also become necessary
to separate (re-)authentication
techniques from identity
proofing and from identifiers.
4. The customer/bank interface will
be opened up...
#PAYMENTS TREND TWO2The customer/bank interface will be opened up...
A key topic for a number of regulators is how to
increase competition in the provision of bank account
services. Some of the issues to be addressed are the
sizable investments required to get a new bank off the
ground, the problem of gaining access to payment and
clearing services and finally ensuring that all banks can
provide good interfaces to all their customers.
Whilst some progress is being made on access to
payment services and appropriate regulation, there
seems to be a view that control over bank accounts
could be provided not only through banks.
The Payment Services Directive 2 establishes a regulatory
regime for trusted third parties (TPPs) to access corporate
and consumer bank accounts on behalf of their customers.
These are broken into two types in the directive:
Account Information Service Providers, who provide
services related to account and statement data such
as financial analysis, and Payment Initiation Service
Providers, who can enable payments from the associated
payment accounts. Each TPP will have no contractual
relationship with the bank or payment institution and
will require customer authentication to access the
payment accounts.
This can be successful only if there is a similar, if not
identical, Application Programme Interface (API) to
access accounts. Currently, multiple banking apps are
used to manage accounts at each bank. A multiplicity
of apps to cover each consumer’s bank, credit card and
alternative payment accounts is what we have now,
this gives poor user experience and causes confusion.
Whilst transpositions are at
least 12 months away, the work
required to implement them
IS STARTING NOW.
£
£This “unbundling” of banking, similar to what happened in the telecoms, gas and electricity industries over the
last 20 years, separates the provision of banking from the way that customers access it.
In the telecoms industry this created increased competition with new telcos able to leverage the existing infrastructure
owned by the large national provider and own the “last mile” connection to the customer, either by renting telephone lines
or by installing their own connections.
Could this approach work for competition between #FinTechs and banks in the same way?
5. It is unclear which organisations will become a TPP, it could include some or all of these:
In the UK, HM Treasury has helped to create the “Open
Banking Working Group”[1] initiative with Payments UK
and the Open Data Institute. This focuses on creating
open APIs for consumers and businesses to control
and monitor their bank accounts. This project may well
influence the way that the PSD2 is implemented across
Europe and goes beyond what the directive requires.
An initial report is awaited eagerly, giving a first, formal
response from the payments industry to the PSD2. It
is anticipated that 2016 will see more detail around the
proposal and potentially some early prototypes and
proofs of concept.
As the countdown to the PSD2 implementation in 2017
proceeds, more information will emerge but 2016 looks
like the year which will set the agenda for access to
accounts and the proposed responses from the payments
industry.
A personal financial analysis businesses gaining easier access to
more consumer data
Mobile payment companies getting increasing country coverage
across the EU
Banks or existing payment institutions competing against other
banks, PLC’s and #FinTechs
Corporate banking applications gaining direct, real-time
connectivity to accounts
Debt assistance companies help consumers manage their
financial accounts
Other innovative software providers
6. Electronic push payments start to stem
the rise in debit cards
#PAYMENTS TREND THREE3Over the last few years, debit
card transactions have increased
significantly, overtaking cash by
volume of payments in 2015. This
has been in part driven by the
adoption of card payment terminals
by smaller merchants and the move
to contactless and mobile payments
in 2015[2]. People want an easier
experience when paying and are
happier to use their smartphones to
pay for goods.
PEOPLE WANT AN EASIER EXPERIENCE
when paying and are happier to use their smartphones to pay for goods.
Last year, interchange fees on card payments were capped
at 0.3% for credit cards and 0.2% for debit cards. This has
meant cheaper costs for merchants of card payments
for higher value transactions. Against this background
merchants are likely to be looking to get a better deal
on lower value transactions. Historically in Germany
merchants grouped together to create the Elektronisches
Lastschriftverfahren (ELV) scheme which makes a direct
debit payment at point of sale. With automated clearing
house (ACH) costs being significantly lower than card
payments, merchants’ profits improved.
The widespread adoption of mobile devices means people
are now empowered to make push payments from their
bank accounts. Over the last few years, we have seen an
increase in the number of mobile apps backed by bank
accounts as opposed to, or in addition to, payment cards.
This is low friction for the customer and low cost for the
merchant.
In Denmark, MobilePay
transactions peaked at
532,000 a day5
These services, such as iDEAL in the Netherlands,
Sofort and MyBank across the EU, Pingit and Zapp in
the UK, can save money on payment transaction fees for
merchants and may increasingly be attractive for lower-
value payments.
In Denmark, MobilePay[3] from Danske Bank has been
very popular with over 2.7 million clients and a peak of
almost 532,000 transactions per day at the end of 2015.
This system uses both bank and card accounts and
represents the kind of revolution in purchasing, both in-
store and in-app, that will significantly affect the payments
landscape.
Debit card transaction volumes have risen steadily over
the past 10 years but as ease of use becomes critical we
foresee this growth will slow and may reverse. Consumers
are in control of if and when this happens.
7. Updates to internet security cause
confusion and failures
#PAYMENTS TREND FOUR4 The fourth item on the list of payments trends for
2016 is not specifically a payments industry issue although
it could have a significant impact if not properly managed.
Internet security researchers investigating the strength
and robustness of the protocols used to secure
communications on the internet have recommended
that older protocols, such as SSL (Secure Sockets Layer)
and SHA-1 (Secure Hash Algorithm), be replaced by
newer standards.
HOW DOES THIS AFFECT THE
PAYMENTS INDUSTRY?
Many communications rely on internet protocols to secure
payment instructions. From consumer card payments using
online merchants to corporate-to-bank connections in addition
to the links used by automated clearinghouses and payment
networks, many of these rely on secure electronic signatures
and encrypted communications.
This will require users to update operating systems, browsers and networked software on smartphones, tablets, PCs and
servers. Already newer browsers are flagging up the old protocols and in some cases are refusing to connect to them.
2016 will be an important year rolling out these upgrades.
As an example, Windows XP, already retired and out of support, cannot support these updated protocols and users are
being advised to upgrade to more modern operating systems.
8. In addition to payment-specific connections, access to online
banking systems, such as EBICS, and banking networks
should also be considered as part of the upgrade.
There is a risk that some businesses and consumers won’t
upgrade some components of their systems in time to meet
the industry deadlines; these deadlines are closer than for
other typical industry migration timelines, such as the three-
year timeline for Bacs between 2003 and 2005. Those who
don’t update software and browsers as necessary are likely
to be unable to access systems.
...it is unlikely that at all users
will not be ready on time...
With hard deadlines and widespread use of Bacs for
Direct Debit, Direct Credit and UK Faster Payments, it is
likely that at least some payment system users will not
be ready. Those who aren’t ready by applicable deadlines
will not be able to access services and this will prevent
them from making or receiving payments.
Additionally, files that are signed and submitted within Bacstel-
Ip software are moving to an updated signing standard known
as SHA-256 (Secure Hashing Algorithm).
Businesses must therefore upgrade all software which
connects by June 2016 or risk losing the ability to submit Direct
Debit collections, salary and supplier payments. This may
involve the installed software and any required components: for
hosted or cloud-based services this may require upgrades to
browsers and smartcard or “signing” software.
The payments industry has plans in place to ensure all
their services use modern protocols.
However, because both ends of the link need to support
the same standards, any systems which connect to these
services will also need to be upgraded. As an example, the
latest PCI Data Security Standards have been updated –
impacting all systems within the scope.
Another example is the Bacs clearing house in the UK,
which operates a service for corporates called Bacstel-IP.
Submissions into the Bacs system are protected by
both encryption and digital signatures. The secure
communication between a payments gateway and Bacs
via the internet, currently SSL, will be upgraded to a
minimum of TLS 1.1 (Transport Layer Security).
June
1
9. New banking providers get up
and running
#PAYMENTS TREND FIVE5 The final trend for 2016 is a significant development in
the race to provide banking to consumers and small
businesses in a new way.
During 2015 two new banking licences were issued in
the UK to digital-only banks. These new entrants see
themselves as banks for the 21st Century and their focus is
engagement with clients electronically and delivery of real-
time services that meet the needs of today’s customers.
With mobile banking becoming increasingly popular
Internet banking is now the main channel and branch
banking is decreasing in usage. People are moving to
electronic and always-open banks.
In addition to these new starters, established banks are
spinning out parts of their operations under new brands,
or in some cases revitalising old brand names These
operations are now looking to differentiate themselves in
the marketplace and build their appeal to the tech-savvy
modern customers they want to attract. Banks in both of
these categories will need access to the existing
payments systems through existing providers, typically
the main banks.
These providers of what PaymentsUK terms
“Indirect Access” have jointly developed and are
voluntarily signing up to a new code of conduct to ensure
that smaller providers are not disadvantaged.
PaymentsUK has just concluded a consultation on this
code of conduct which will indicate whether wholesale
banking has opened up enough.
The Payment Systems Regulator is also conducting
work on how banks access clearing systems, to ensure
competition in the banking provider market and to ensure
good outcomes for payment service users.
During 2015 two new banking
licences were issued in the UK
to digital-only banks.
10. As well as giving people more choice as to who they bank
with, it will also lead to banking specialisation. We will see
some providers choosing to focus on single segments or
sets of services and will look to buy in additional financial
products from third-party suppliers when they have
identified a demand from their customers.
These providers may therefore offer white-label loans or
investment services from other banks. This represents a
significant change in the banking industry and the path
new providers will have to take is by no means clearly
defined or certain.
By the end of the year I believe there will be at least
one new bank experiencing significant success,
however, given the amount of new ground which
needs to be addressed, at least one may be merely
staying afloat.
Finally, as mentioned as a previous trend for 2016, both
new and old banks will be required to open up their
services using new programmable interfaces to their
banking systems. The Open Banking Working Group
has issued an initial report with a target go-live of the
end of 2016. This means that competition will also
come next year from technology companies building
on the existing banking infrastructure.
What can we
expect in 2016?
Certainly there will be new campaigns
asking us to move our bank relationships
to new operators. We expect that many
of the new providers will unveil
innovative and simple interfaces to the
services we demand but the acid test will
be whether consumers decide to switch
their accounts.
With London being widely recognised as the capital of Financial Technology, or #FinTech, it is
likely that many of these companies will launch services for the UK market.
New banks must therefore look over their shoulders to the #FinTech companies who will be coming up swiftly
behind them.
While it could be make or break for some new banks, there is certainly a danger that the traditional banking services
will be commoditised and the higher-value, data-centric services will be the key to gaining new and retaining
existing clients.
To stay ahead, the more established banks will need to consider the range of products they provide, look to their key
strengths and the depth of relationships they have formed with their customers.