Community

when an EMI issues e-money (eg on a prepaid card) it has to keep the same value of funds in a bank account (or appropriate liquid securities) separate to bank accounts the EMI uses for its operations. These are safeguarded funds that can be used for no purpose other than backing £ for £ the e-money issued. In an insolvency, the claims of the holders of e-money are met ahead of any other creditors. Since e-money is 100% backed by safeguarded funds, then the claims should be met in full. EMIs can choose to insure the full value of the e-money they issue as an alternative, but the result is the same.

I suspect this action from the FCA is an exercise in managing their own risks.

Tony points out correctly that consumer funds with EMIs are 100% safeguarded, while those with credit institutions are dependent on the solvency of the institution, hence is why they need FSCS insurance.

However, safeguarding is dependent on the integrity of the EMI and its processes, which the FCA has the (difficult) task of policing.

The Wirecard situation last year showed safeguarding works perfectly well (although as pointed out in the FCA letter, there can be delays in getting refunded, which caused stress and issues for the consumers and fintechs affected).

If Wirecard had resulted in losses from safeguarded funds then the outcome for UK consumers would have been very different, and the FCA's supervision would have been called into question (as happened with LCF).

Generally, I expect that most consumers have no idea whether their funds are insured or safeguarded, they just trust they are safe. Probably many consumers will bin their letter without reading it, but I suspect the main message is to remind EMIs, rather bluntly, of their safeguarding obligations, while giving themselves some cover if an EMI goes rogue in the future.

Given that safeguarding has been shown to work, EMIs can at least be thankful they only need to write a letter rather than deal with a slew of new regulation.

 A key feature of a digital Euro, or any CBDC is that it needs to be indistiguishable to the public from the digital money they hold as deposits in commercial banks or with EMIs (if you disagree, how would you explain different types of digital money to the public and why they are different?).

This is critical for public adoption, and so is ubiquitous use - which means a digital Euro/CBDC wallet needs to work for all standard and new payment use cases - ecommerce, in-store, in-app, P2P, taxes, bill payments, machine (tolls).

Given the European Payments Initiative is also gaining momentum, it is imperative that the EPI and digital Euro are compatible with a common payments  initiation and acceptance infrasturcture that works for both initiatives and both types of digital money.

Commercial banks will still be around with CBDCs, as they have the lending and credit risk management skills and industrial capabilities that will still be needed to lend to consumers, SMEs and corporates and manage their savings. These skills and capabilities will always be needed, and are far outside the core competencies and appetite of central banks.

A digital Euro/CBDC could of course eventually replace commercial bank deposits, but that would be a massive migration likely to take decades, so the two types of money will need to co-exist for a long time.

Banks should be tackling fraud by identifying and shutting down the fraudsters' bank accounts - better KYC and better account and transaction monitoring, within and across banks. If AI is as powerful as its made out to be, then banks should be able to do this much more effectively with AI.

It is difficult to see how publishing bank reimbursement rates has any effect on reducing fraud and fighting crime; but if banks were forced to publish the number of their accounts used by fraudsters each year and the value of fraud processed by them, then that would galvanise them in to action.

Central bank omnibus accounts are a great idea - they open the way for innovative new private sector payments systems to compete with the established interbank systems. However, they seem to be available only to payment operators of payments systems recognised by HM Treasury, so I expect there will be significant hurdles for new entrants.

Still, it is a good lead from the Bank of England, and if other central banks follow suit, it opens up the possibility for some great liquidity and business models for cross-border payments.

CBDCs seem to be gaining a momentum that makes their widespread rollout around the globe over the next five years almost inevitable.

Also inevitable is that many CBDCs will be designed as surveillance and control systems, to keep track on spending, tax and monetary flows at an individual and organisation level, as well as control and incentivise where CBDC can be spent, and who can spend it.

Alarming as this is, I expect that CBDCs will be sidelined by DeFi and stablecoins, with innovation that goes far beyond that designed into individual CBDCs.

DeFi could even embrace CBDC, for example, programmable stablecoins that simply wrap, or tokenise CBDC as collateral, allowing the CBDC to be used through the medium of the stablecoin, but with features provided by the stablecoin such as privacy.

The answer is yes – unless fraud is dealt with properly, it will lead to unintended consequences, specifically a higher cost of entry for payment innovators and for new entrants, in turn creating a regulatory moat protecting large incumbents from competition - in direct contradiction to the PSR’s purpose.

Like quality in manufacturing, to be effective and efficient, fraud controls should be embedded in banking processes rather than bolted on.

The APP consultation measure to make the CRM code more effective in reimbursing victims will have no direct effect on APP fraud, except perhaps to prompt banks to improve their controls. The root cause of APP fraud is the ability of fraudsters to use bank accounts to receive funds, so the measure to publish APP scams data is a good one – provided it separates out the receiving bank data, from the sending bank data. The proposed measure to standardise and share fraud data between banks is also useful, in particular to trace transfers across multiple accounts.

However, a harder line is needed to give teeth to APP fraud controls - the PSR should be calling for banks to improve their KYC processes, and embed AI to monitor their accounts for handling APP payments, especially to detect fraudulent incoming payments and subsequent payments onforwarding.

The consumer protection consultation gives the impression of regulation looking for a problem. The dynamics and risks of A2A push payments in UK retail commerce are unknown, and unquantifiable until this type of payment is established in UK retail. The cards networks are no guide, although their mature chargeback controls appear to be the model. However, cards are inherently risky, and as a result the cards industry spends billions on combatting fraud. In contrast for example, the iDeal A2A push payments system in the Netherlands, used in 60% of ecommerce payments, after 15 years of operation still has no chargeback controls, and very little fraud. Adding a consumer protection overhead to A2A retail commerce payments before they have barely started in the UK (with open banking and request-to-pay) risks a significant slowing in innovation and take-up.

Generally, with new technology to make banking better, and regulation better, a wholesale rethink and reinvention of banking regulation is required - dealing with the root causes of payments fraud is a good place to start.

APP fraud is fast becoming a UK banking scandal.

UK Finance figures show APP fraud was £208m in H1 2020, so although the total for the year is up 5% on 2019, H2 fraud was £271m, a massive 30% increase on H1, and 10% up on H2 2019.

According to the PSR, 79% of APP scams occur on Faster Payments, so assuming this held for the whole year, £378m was through FPS, or 0.02% of FPS processed value for the year. This is still low compared to cards (0.075%), but cards are inherently far riskier than authorised push payments, and in absolute terms APP is catching up - UK card fraud was £620m in 2019 (UK Finance).

This matters because real-time payments are core to the future of UK payments, core to the adoption of Open Banking payments and core to the UK economy. They continue to grow at over 20% per year, such is the demand for them. But unless APP fraud is brought under control, real-time payments in the UK will be under threat - already there have been calls to "delay the payments", which would wreck the real-time proposition and business models that depend on it; and bank fraud systems are being used more frequently to hold outbound payments in some instances for further authorisation, compromising the customer experience.

There are initiatives to deal with APP fraud, such as confirmation-of-payee, the Contingent Reimbursement Model Code, and The Stop Scams initiative, but no-one seems to be taking overall responsibility for stopping APP fraud. For example, APP fraud is a priority for the PSR, but CHAPS is outside its scope (Bank of England), as are FIs only indirectly connected to the payment systems it regulates, as is it would seem, APP fraud on-us book transfers, while only a sub-set of banks use confirmation-of-payee or adhere to the CRM code.

The real issue is that APP fraud is a failing of account management rather than payment systems. Banks have a regulatory obligation for customer due diligence and KYC. Since all APP fraud payments must go from the victim's UK bank account to the fraudster's UK bank account (set up fraudulently, taken over, or herded), it shows that bank KYC and CDD are failing.

With almost 10 billion payments flowing annually through UK payment systems, it is fiendishly difficult to detect the 150,000 or so that slip through as APP fraud each year, but banks must do more to prevent it. Better technology should be used to monitor accounts for unusual activity and be used to detect unusual inbound payments, as well as outbound payments. I would hope that an account can be used only once to receive APP fraud, so the arrival in one of an unusual payment must be detectable, especially if followed shortly after by an attempt to make an unusual outbound payment.

Very little seems to be discussed on bank KYC in the context of APP fraud. Much of the emphasis is on the victim's bank, the sending bank, whereas it is the receiving bank, the fraudster's bank that is at fault.

It is time for the UK banking industry to step up and do more, be seen to be doing more and be accountable for fixing CDD and KYC failings in APP fraud.

While the regulatory inititiatives focused on APP victims are laudable, and necessary, regulators can play their part to greater effect by also setting ceilings for APP fraud on each bank as a receiving bank, with severe enforcement penalties if the ceilings are breached.

the UK interchange increase will be a big boost for adoption of open banking payment APIs by online merchants

Starting 2008, it took around 7 years for SIPS, real-time payments in the UK Faster Payments system, to reach ~1bn annual txns, or just over 15 real-time payments per capita per year, and just 7 months for the Nets real-time payments system in Denmark to reach the same level after it launched in late 2014.

It is over 3 years since the first SCT Inst payment in the Eurozone, and looking at EPC stats, the current run rate of SCT Inst is about 1.8bn txns per year, or 5 real-time payments per capita per year in the Eurozone. This is more like the steady adoption of the UK experience than the fast adoption of the Denmark experience, and a little surprising given we are now much more advanced in a digital age of always on, instant services.

Given that real-time payments are core to a modern digital economy, and that even targets for adherence to SCT Inst (under Article 4 of the SEPA Regulation2) appear still to be met in Eurozone countries, I expect that the EC may mandate adoption targets for SCT Inst, and soon.

Meanwhile, UK SIPS are currently running at about 32 real-time payments per capita per year, or 2bn payments, growing at over 20% annually (and on a system that is 13 years old needing replacement), illustrating that Eurozone banks and other PSPs have a massive upside from SCT Inst, and should get motoring, with or without a regulatory push.