Community

The conflict of interest can't be denied but Deutsche Boerse IT has been doing this for years. According to its website, it "runs 30 marketplaces and exchanges ... for other ... exchanges around the world."

@NeilB:

That's precisely my point: Regulation is very much an integral part of the landscape in which new payment products can, or cannot, be designed. Lacking a similar millstone around their neck, many other industries can - and do - come up with products that deliver greater value at lower costs. It's not so easy matching that in payments. 

India may be special in some ways but other markets have unique characteristics of their own: I was shocked to hear from a US-based relative of mine a couple of weeks ago that his bank's Internet Banking portal didn't even support domestic Account-to-Account fund transfer within USA (forget cross-border). He was surprised to learn that the Netbanking portals of most banks in India supported ACH and RTGS equivalent online A2A payments. When I mentioned UK FPS and Barclays PingIt, he was completely bowled over!

'Mobile Order - Telephone Order' has been virtually wiped out after 2FA was made mandatory for card payments made on the channel - erraneously called MOTO locally - just because card payments made online were subject to 2FA in India. Therefore, I'm in favor of viewing each MOP-Channel as having its unique trifecta of functionality-security-convenience and adjusting each attribute in such a way that the CX is maximized. To me, this is the only way to boost customer adoption of any MOP-Channel. Taking A2A, if Mobile-PIN-DeviceAuthentication is deemed less secure than Online-2FA, I'd advocate mitigation of the security risk by pushing the functionality lever on the former by, say, limiting its maximum daily transfer figure. My personal experience warns me that imposing the latter's security mechanism on the former ignores the unique and different characteristics of the former and will likely cause so much friction that the former will never reach mainstream adoption.

As for whether EMV is worth it or not, I was referring to the industry's view. But, since I now have the chance to weigh in with my personal opinion, here it is: I've been trying hard to get hold of the following two metrics for EMV and non-EMV markets (likewise for 2FA and non-2FA markets): (1) Fraud as a % of Revenue, and (2) Revenue Loss caused by False Positives as a % of Revenue. Only when these figures are available can the benefit of EMV be compared with its cost and a logical decision arrived at as to its worth. Despite reaching out to many sources, including EMV (and 2FA) solution providers, my efforts have failed to bear fruits so far. Therefore, at this point, I'd lean on the side of EMV-skeptics who hold that EMV may be worth it in markets like Europe where card payment authorizations (reportedly) happen offline but not in markets like USA where they (reportedly) happen online.

At last, it's great to see a mobile banking app that leverages not just one, but many, features supported by a smartphone - mobility, camera, GPS, for example - instead of being designed as a trimmed down version of Internet Banking. Shame about the need for a plastic card, though, which I guess is forced upon GoBank by current card industry regulation.

My company provides marketing solutions for some of these "Ambulance Chasers", by which I guess you're referring to PPI Claims Management Companies. To that extent, I may be biased in my views but there's no denying that CMCs are performing an important service for victims of PPI mis-selling. If, as you say yourself, 50% of them bought PPI while being "completely unaware what they had agreed to" and with no idea that "there was a cost attached" to it, there's very little chance that they'll now start claiming back their PPI premium on their own. While chasing ambulance is not one of the most dignified professions around, CMCs are surely making claimants aware of their rights and entitlements. Even if banks had all recordings of PPI sales, I'm skeptical if too many of them would review the conversations and decide to reimburse the deserving cases proactively. 

We already have different authentication standards for different modes of payments: With cash, you just hand it over with no authentication; with cheque, you authenticate by wet-ink signature. Just like cash and cheque, mobile payment is yet another MOP and there's no reason why it must have the same authentication standard as cards, which is a different MOP. The real problem would be if there were dual / multiple standards for the same MOP viz. some people have to sign cheques, others have to sign and place fingerprint on cheques and still others have to sign, fingerprint and show proof of ID with cheques. On second thoughts, maybe not: I remember that, a few months ago, when I wrote a high value cheque to fund a demand draft for a home purchase, my bank did ask me for my passbook and proof of ID. For 'normal' cheques, signature alone would've sufficed, but for this high value cheque, it did not.

Another way of looking at it is, with the hindsight gained over almost a decade of EMV, the industry has perhaps realized that EMV wasn't worth it, so why repeat the mistake with mobile payments.

Personally, as long as the mobile payment app has a PIN - and does not rely solely on the lockscreen password - I'd feel that it's secure enough.

@ChrisP:

There's no argument about the role of IdM in managing identities - in fact, by definition, they do that. However, my point was that, according to the classic view of IdM, they're not responsible for identifying entities. Besides, based on my personal knowledge and experience, I'm unable to come to terms with why a single firm would need hundreds, let alone thousands, of IdM systems. I admit that, with CIFs, it's a wholly different matter.

If a leading bank like US BANK chooses to introduce such an NFC solution, maybe it suggests that there's a strong consumer demand for mobile payments that the bank is trying to capitalize upon instead of missing the bus by waiting for Apple to include NFC on the iPhone. I've myself highlighted the clear and present danger with NFC in this Finextra post, so there's no denying that US BANK's solution is not so secure. But, the real question here is, does the average John / Jane Doe care about security when they get convenience? This question is especially relevant in the USA where the following predominantly American practices suggest that convenience trumps security in this market: (a) There are payment methods such as ACH TEL which permit one person to pull out money from another person's bank account without any written mandate from the latter (b) Millions of people have shared their Internet Banking credentials with BillGuard, Mint and other financial services startups (c) Few, if any, ecommerce companies have implemented 2FA for online payments, fearing - rightly, if I might add - that the resultant friction might result in shopping cart abandonment and loss of revenues.

@AndresF:

Props for a very balanced post. In a recent Finextra post The Death Of Cash Is At Least 190 Years Away, I'd highlighted the role played by friction in bringing cash back into online shopping in India, even for e-ticket booking and other wholly digital processes that hitherto supported only online payment methods. Despite online payments being free to the customer, cash-on-delivery is still the most popular method of payment in India, even in ecommerce. Against that backdrop, I can readily understand how tariffs imposed on online payments - like in Colombia as you've pointed out - can further distance mobile payments from mainstream adoption.

On another note, I didn't know that there were any success stories of mobile payments or mobile financial inclusion in India. Please enlighten. As things stand, only entities with a banking license can conduct banking, whether on mobile or in a branch. So, under the present regulatory framework, the presence of ~1B mobile phone subscribers does not automatically mean they can all become banked. It's more like, if they're already banked and their bank supports mobile banking - neither of which has anything to do with being a mobile subscriber - then they have the opportunity to become mobile banking customers.

A few years ago, I was involved in the implementation of a leading Identity Management System at a Top 10 global FI. Apart from the one solution on which my company was working, we were aware of 4-5 more IdM systems in use at different SBUs and geographies of the FI. Therefore, when I read in this blog  post that there are hundreds or even thousands of IdM systems per firm, I searched for a definition of IdM and this is what I found on Wikipedia: "Identity management (IdM) describes the management of individual identities, their authentication, authorization, roles, and privileges". This confirms what I'd suspected, namely, IdM excludes identification of customers, counterparties and other entities, which I've known to fall under the purview of Customer Information File (CIF). Besides, this Wiki article lists fewer than 20 providers of IdM solutions. Therefore, I'm not sure if this blog post is expanding the scope of IdM to include CIF.