Last week Mastercard provided me with confirmation that mandates were still in place which decree that every POS device in Europe must be contactless enabled by 1 Jan 2020 (not just new ones) and also, crucially, that they must also be CDCVM enabled.
That's ‘Consumer Device Cardholder Verification Method’ which is software that enables the POS device to accept smartphone payments using tokens that are authenticated (finger or face) as well as unauthenticated contactless card payments.
Whether or not the card schemes' timetable for CDCVM ubiquity is implemented on time it won't be long before we're able to say goodbye to multiple rectangular bits of plastic.
There’s continuing upward pressure on the unauthenticated contactless card limit of £30 but with POS moving online there's a decent case to hold it down which would encourage migration to the most secure means of making payments at point of sale.
Next stop 2FA on the web using smartphone authentication ... and goodbye 3DS.
01 Mar 2018 10:29
Precisely so.
The idea that a bunch of FinTechs could just turn up and earn a living sitting atop an incumbent ASP platform whilst fishing from their pool, when the immediate returns of engagement for the ASPs was all cost and zero income, was naïve in the extreme.
FinTechs with such an MO are unsurprisingly now grounded: caught up in the enduring saga of how that’s all actually really and truly going to work. Fair to say it's currently akin to a playground tantrum … “he was my friend but now he’s both our friends, so who gets to sit next to him at lunch and break?”.
The ongoing squabble alone as to how a customer consents a TPP looks set to rumble along for a couple of years and let’s not even go into how the TPP then accesses the customer’s account once consented.
This is all in stark contrast to the Open Banking scenario where both TPP and Bank mutually reap benefits from a symbiotic alliance ….
Whilst much attention is paid to the debate engaging the EBA, the EC, the ECB, the ERBP, the European Fintech Alliance and more recently the new ‘API Evaluation Group’ … Challenger banks offering current accounts such as Starling and Monzo are quietly getting on with the business of forming mutually beneficial alliances with TPPs and developing a platform to deploy new live services devised by, inter alia: TrueLayer, Flux, Tail, PensionBee, WealthSimple, MoneyBox, Yoyo Wallet, Yolt, Habito and Kasko. Many of which they have already taken live.
I particularly like the Flux solution. They capture SKU level data at point of sale (via software integrations) to enable digital e-receipts which they route back to the card owner's bank (via API) so that when the card holder clicks on that £127 spend at M&S that's turned up in their bank app, not only are they reminded what it was for, but it usefully also acts as their proof of purchase for return or exchange.
Kind of incredible isn't it that we’re only just getting to this in 2018 but that's an aside, it’s a fine example of an overlay service where the retailer, the Fintech, the Bank and the customer all get to benefit and that's where the future of Open Banking surely lies.
Worth noting too Flux achieve that without using an API that is the product of the vast Open Banking machinery (OBIE for UK) because it's what I’d call a ‘permissioned-API’ being agreed upon by the TPP & ASP, who both stand to benefit.
In the case of Starling say and their fresh approach using 'MarketPlace' philosophy .... maybe the early bird really will get the worm?
With respect to the CMA9 in the UK's example and perhaps beyond: once the fighting's over and the music stops Banks will perhaps at least be equipped with a secure interoperable API platform and can focus on the task of recouping construction costs by developing new revenue streams.
A secure API network will be capable not just to connect TPPs & ASPs but to handshake with wider business and Gov’t entities for Non-Financial token exchange. Non-Financial APIs might well be the unintended consequences – banks taking an identity arbiter's role via attribute management for instance, but that's of course if they get off their hands in time before others do it for them.
27 Feb 2018 13:20
They (TPPs) don't have much to worry about, the likelihood of an exemption granting is some way off.
The EBA wrote to the EC a month back complaining about a number of aspects included by their 11th hour changes before submitting to the European Parliament & Council.
Included within their concerns around Article 33 for exemption granting was the small matter that one of the conditions laid down upon the Competent Authority was that the dedicated interface "has been designed and tested in accordance with Article 30 (5) to the satisfaction of the payment service provider (TPP) referred to therein". To the "satisfaction"?
The EBA went on to say "this is of particular concern, inter alia because this provision appears to make the eligibility for the exemption to a legal requirement of one category of providers (ASPs) contingent on the 'satisfaction' of another competing category (TPPs) and does so without specifying how CAs (Competent Authorities) and the EBA are meant to establish said satisfaction".
Their letter also added that the provisions lay down that each CA should consult with the EBA for every exemption attempt and that neither the CAs in each geography nor the EBA had the prerequisite specialist IT resources and competencies to test each PSP and its IT system individually (potentially up to 6,000 ASPs).
The EC responded last week but their response was silent on this particular matter.
Will this simply be waved on thru by the EP&C?
26 Feb 2018 17:38
When they look back I fear the CMA may deeply regret pushing our UK banks into XS2A more than 18 months ahead of the mandated PSD2 timetable for Europe, and crucially, before the rules & regs are fully cooked.
Even thru an optimistic lens the key comms, security & liability protocols for PISP activities (in partic) might just have been figured out, agreed & bedded down under the RTS by end 2019.
Until then it’s the Wild West for ASPs & TPPs ... & the fallout, the failures & the fraud will reach the public’s ear in nanoseconds.
So too the EC may deeply regret not taking the EBA’s advice to ban Screen Scraping. Instead of outlawing ALL scraping activities & nullifying the sharing of Account Login credentials by, say, enforcing 2FA (incl hard device-ID checks) the EC has pushed Screen Scraping forward as the required fall back mechanism: in such a way that all ASPs have little choice but to leave that channel open for some time to come. Sufficient time for the Daily Mail to have done its worst.
Cue fraudsters masquerading as TPPs: “tick here to permit us to access your current a/c and enter Login & Password here”.
A scammer’s heaven.
16 Jan 2018 08:57