Trends come and go – this also applies to payment transactions. The drivers of innovation are often technological progress, regulations, costs and the customer. But what are the latest developments and research in this area? An OSTHAVEN perspective on the future in banking and payment.
Now, be honest: how many different passwords do you actually use in your everyday business? Studies have shown that users typically reuse the same password across many devices, Internet portals and even online banking. The human brain likes things easy and is lazy. So the name of grandmother’s dog combined with your own landline phone number is a very tempting password. The risk of misuse of this password, however, is very high.
A big trend starts right here: new technologies are being used to measure or identify the biological uniqueness of people and thereby enable secure recognition. The science behind it is biometrics. The first solutions have long since spread into everyday life. Unlocking a smartphone with a fingerprint has for years made it unnecessary to enter a code or password. In the meantime, entire payment transactions are triggered by means of a fingerprint. Apple has determined an error rate of 1:50,000 for Touch ID (apple.de). With the new generation of smartphones, face recognition has become socially acceptable and works very well. With Face ID, the error rate of 1:1,000,000 on devices with an apple in the logo is clearly lower still than that of Touch ID. The appearance of the mouth, nose, eyes and ears as well as the individual head shape and other features are unmistakable in combination and are ideal for authentication.
In addition to the techniques and procedures that have already appeared in everyday life, there are other possibilities that once sounded like science fiction but have now arrived in the midst of reality. In the search for distinctive human biometric features, a person’s voice is as unique as their appearance. Barclays Bank has recognised this fact for itself. Customers can register via a voice scan. As soon as a customer’s voice is heard in the call centre, the customer is automatically identified based on numerous voice characteristics.
The method of voice identification ties into another trend in the field of payment and banking: "Voice Banking". Since Amazon’s Alexa, Apple’s Siri and other digital assistance systems have spread into the living room and simplified many everyday tasks, customers want to manage their bank account by voice and make payments simply by speaking.
Payment by "laying on of hands" is also no longer a utopia. Another method that can be used for payment procedures is the so-called vein scan. Customers of the British supermarket chain Costcutter can pay for their purchases with this new biometric procedure. The vein pattern of their fingers is scanned and connected to the bank data. At the supermarket checkout, the stored data is then compared with the scan data. The customer actually pays by a "laying on of hands".
OSTHAVEN is convinced that biometrics will become an increasingly important topic in banking and payment transactions. The new authentication methods are especially impressive for their high security factor and convincing practicability in everyday life.
Another trend in payment and banking is Artificial Intelligence (AI), known by many as the "new industrial revolution". AI does not stop at the financial sector. Since banking is more about services than about a physical product, and personnel is a significant cost factor, it makes sense to use artificial intelligence to automate more processes. Thus, in the past few years chatbot services have been introduced in direct customer contact at many institutions. With the help of a good AI solution, the majority of customer inquiries can be answered directly around the clock, without human interaction. For banks there is a huge savings potential and more opportunities to increase customer satisfaction. However, AI is not only used in customer interfaces, but also in sales analysis. AI in combination with big data enables a customer to analyse and evaluate his data in a matter of seconds. In addition, we see possible applications of AI in fraud prevention or in individual product recommendations based on a comprehensive analysis of customers’ financial position. Especially in the financial industry there is a wide range of applications.
It is obvious that there are many parallel technical developments in all areas of human life. The potential benefits and theoretical applications seem to be unlimited. In addition to individual innovations and the use of different devices in the daily lives of users, the networking of these different technologies will become increasingly important in the future. The Internet of Things describes the rapid growth of Internet-connected, intelligent devices. The focus is on the networking of physical and virtual objects. In the target vision, these objects should work seamlessly together through information and communication technologies. There will be completely new application scenarios for payment transactions in the future. Imagine that every networked device can be used for cash transactions and thus becomes its own, individual Point of Sale. It is conceivable that garage parking, toll fees and petrol station tabs could be paid contactlessly by means of the "Connected Car". The driver can stay comfortably in the car and save himself the trip to the cash register or to the ticket machine. What happens in this case with the petrol station shop sales? Car manufacturers, however, go one step further and change their business model by offering custom features, accessories and digital services in the connected car as "pay-as-you-go" services. The resulting opportunities for car manufacturers are enormous, as are the benefits of cost reductions and efficiency gains in production.
OSTHAVEN sees the increased customer requirements for the most secure yet unobtrusive authentication as an opportunity to drive forward the bank’s own digital payment solutions. In the context of new technical developments such as AI and regulatory framework conditions such as the PSD II, which encourage the design of new products, innovative forces can be unleashed among traditional players on the market. What all approaches have in common, however, is that the "customer" and his need for simplicity remain the focus of interest and are drivers of or obstacles to possible developments.
What banks should consider for timely implementation.
On 13th January, 2018, the PSD2 came into force and has been the law since then. But there can be no talk of relaxation among banks in Europe, because there is still a lot to do. The regulatory standards for strong customer authentication and common and secure communication, RTS for short, issued by the European Banking Authority (EBA) give financial institutions 18 months to implement them. That sounds like a lot of time, but the first impression is deceptive.
The core element of the RTS is the requirement for an interface for the connection of third-party payment service providers, which include payment initiation services (PIS), account information services (AIS) and payment service providers who issue card-based payment methods. If you do not want to give third-party payment service providers, also known as TPPs (Third Party Providers), access to customer accounts through regular online banking, you have to build a dedicated access interface.
So far so good. However, the challenge is not necessarily in the implementation itself, but above all in the rather ambitious timetable of the EBA. The implementation deadline for the RTS and its associated interface is 14th September, 2019, 18 months after the RTS was published in the Official Journal of the EU. At least that’s what you’ve always thought…
But the first date by which the payment institutions have to deliver is 14th March, 2019, already half a year earlier! The account-providing payment institutions must provide the TPPs with a test environment including support six months prior to Go Live, because the whole thing should be tested properly and work properly. In preliminary discussions on the RTS at the EBA, the FinTechs were able to assert their demand that the new PSD2 interface must have the same performance and availability as existing customer interfaces (for example, in online banking); the keyword here is prohibition of discrimination.
But that’s not all. If banks think they have until September 2019, at least for the completion of their interface in live operation and for all the associated organizational measures, they could experience a rude awakening in the coming weeks. BaFin has not yet communicated a concrete date, but if a bank wishes to be exempted from setting up a fallback access for cases where the actual interface is unavailable, we believe it should rather plan for a Go Live by 14th June, 2019, at the latest. The date has already been mentioned verbally by the authorities at one point or another. One of the four prerequisites for not having to keep a fallback scenario at hand is evidence of at least three months of widespread use of the interface by the TPPs in live operation. Thus, June of next year becomes the milestone for the provision of the interface; banks and FinTechs will therefore only have 10 months left to implement the requirements. Is this already clear to everyone on the market? Our feeling tells us that not all institutions are aware of the seriousness of the situation.
And what is the consequence if the interface is live on time, but no TPP uses the interface during the three months? That can happen, at least to the smaller institutions. The EBA already has an answer for that, too. In this case, the institution must prove that it has done everything in its power to communicate the availability of the interface to the outside world, to actually advertise it: for example, through an appropriate publication on the homepage, via social media channels or in another suitable network. So let’s wait and see how it looks later in practice.
In addition to the tight schedule, there are a few more obstacles that need to be overcome. One controversial topic, for example, is which business transactions a PIS may trigger for the customer via the interface. The opinion of the German Banking Industry Committee (GBIC) and among the associations and institutions was so far that standing orders and scheduled transfers do not fall under the PSD2. The EBA sees this very differently and has clarified in its Opinion on RTS on 13th June, 2018, that a PIS may trigger exactly the same payment transactions as the customer himself. According to the latest information, which is apparently based on an exchange between the GBIC associations and BaFin on the implementation of the RTS at the end of July, BaFin will follow the EBA’s opinion, and institutions should therefore also include standing orders and scheduled transfers in their scope if they have not already done so. Depending on the system landscape, this change is not an easy task for the banks. The good news is, however, that only the creation and deletion of a standing order, not the processing or the suspension of standing orders, must be made possible via the PIS (German abbreviation: ZAD). An inventory report to the AIS (German abbreviation: KID) is necessary neither for standing orders nor for scheduled transfers. Direct debits remain unaffected by the PSD2.
The Opinion, among other things, made it clear once again that the AIS must be granted access to the same account information that the customer can also see through their online access. This is nothing new. But now this information should also be made available to a PIS on request, namely when the bank uses batch booking, which probably applies to the majority of all banks in Germany, and the PIS therefore cannot confirm immediately upon payment initiation that the payment has been posted. With the help of the account information, the PIS should be enabled to assess the risk of a default on its own. But how should that work in practice? Does the payment initiation service then have the dual role of PIS and AIS in the transaction? Does the bank still need to give it access to the account information without the customer having to perform another strong customer authentication? Or do the same requirements and the 90-day rule apply here as in the classic PIS?
There is still a lot of need for clarification. We will continue to follow the latest developments and publications by EBA, BaFin and GBIC with eagle eyes and keep you up to date.