Friday, March 29, 2024

Payment Improvements Take the Long Way Home

The U.S. is finally moving toward faster and more secure payments, but the process is far more deliberate than it needs to be. Look at Australia for an example of how it could be done better.

Observers of the U.S. payments industry can be forgiven for wondering—in the wake of the colossal Equifax breach last fall—where the fixes in security and efficiency are supposed to come from, and who’s going to see them through.

A lot of those observers hoped the Federal Reserve could create a level of urgency and unanimity to finally fix this nation’s fraud-prone and excessively expensive payments system. But what we’ve learned from Australia’s two decades of experience is that meaningful reform of payments requires a sustained and resilient effort that acknowledges problems and addresses solutions in a holistic way.

Very little of that is happening in this country so far.

It was bad enough that big credit-issuing banks formed third-party credit “bureaus” to help the banks make better decisions on creditworthiness for financial products like credit cards. In the process, these banks created largely unregulated entities that vacuumed up credit histories and personally identifying information (PII) for tens of millions of consumers—often without their knowledge or permission.

What’s even worse is that an apparently recalcitrant legacy payments constituency seems not to grasp the shocking lack of attentiveness and responsibility that resulted in divulging this data, which enables hackers to move up from one-off payment card compromises to seemingly endless Social Security benefit and tax-return fraud.

What’s missing, it’s clear, is a regulatory body or federal agency that’s able to circle the wagons of the industry around collaborative assessments of what needs to be done.

How Australia Did It

The Fed has a general charter to “promote the integrity and efficiency of the payments system,” as well as metrics for recovering its costs for “the provision of payment services to all depository institutions on an equitable basis and to do so in an atmosphere of competitive fairness.” This charter was outlined in an appendix to the Fed’s White Paper (January 2015), which launched its comprehensive approach to making improvements in the payment system.

Australia’s equivalent of the Fed, the Reserve Bank of Australia (RBA), faced a similar issue two decades ago, when many observers viewed the payments system as lacking impetus for innovation. The RBA, in consultation with the industry, managed to pass legislation (The Payment Systems Act of 1998) that expanded the central bank’s mission to provide specific forms of direction and guidance to the payments industry:

Part 3—Regulation of payment systems

Division 1—Overview

10 Overview of main regulatory provisions

(1) Under this Part, the Reserve Bank is given the power to designate payment systems (see Division 2).

(2) The Reserve Bank has the following powers in relation to a designated payment system:

(a) it may impose an access regime on the participants in the payment system (see Division 3); and

(b) it may make standards to be complied with by participants in the payment system (see Division 4); and

(c) it may arbitrate disputes relating to the payment system (see Division 5); and

(d) it may give directions to participants in the payment system (see Division 6).

The ability to set interchange rates was included as part of 2 (b). While the RBA was empowered to decide what issues it needed to address, the legislation also required the central bank to consult with the industry for feedback and direction:

27 Power to determine requirements for applications

The Reserve Bank may, in writing, determine requirements to be complied with in relation to applications under this Act, including (but not limited to) requirements relating to:

(a) the means by which an application is to be made; and

(b) the information or documentation that is to be included in or submitted with an application; and

(c) the verification of an application or of information or documentation included in or submitted with it.

28 Consultation obligations

(1) Subsection (2) applies to the following actions proposed to be taken by the Reserve Bank:

(a) the proposed imposition of an access regime;

(b) the proposed variation of an access regime, other than a variation to which subsection 14(3) applies;

(c) the proposed determination of a standard, other than a determination to which subsection 18(5) applies;

(d) the proposed variation of a standard, other than a variation to which subsection 18(5) applies.

(2) If this subsection applies to a proposed action, the Reserve Bank must, before taking the action:

(a) cause a notice to be published in the Gazette:

(i) advising of the proposed action; and

(ii) summarising its purpose and effect; and

(iii) inviting people to make submissions within a specified time to the Reserve Bank on the proposed action; and

(b) consider any submissions that are received within that time limit.

The foundation for this legal mandate was reviewed in 2007-08, and updated again in May 2016.

One of the first actions the RBA took under its new mandate was a rejiggering of interchange rates for credit and debit cards. This came in 2002, following comprehensive consultation with the industry.

The concern was that bank card rates were excessive, and contributed to a perceived lack of innovation and less-than-expected support for alternatives to cards, including the national EFTPOS network. So credit card portfolios were limited to an average of 50 basis points, and debit card rates were capped at 12 Australian cents. Also, merchants were permitted to surcharge for use of credit cards.

The RBA has checked in on the industry at various points to see if proactive regulation was still warranted. For example, the milestone timeline was produced in 2010 for the U.S. Fed, as part of a study done for it on regulation in Australia.

Since that time, the RBA—under its preferred mode of non-confrontational engagement with the payments industry—has continued to revisit the rate of innovation (and competitiveness internationally), including progress toward a faster-payments network option.

Another major intervention on interchange occurred in 2016 (coincident with the May 2016 confirmation of its proactive role) with respect to escalating rates on high-end rewards cards.

It turns out that the original rate structuring in the early 2000s came with an audit of issuer portfolios every three years. However, some issuers would juggle their card portfolios in between audits to take advantage of higher-rate offerings. The RBA addressed this situation by putting a cap of 80 basis points on rewards card portfolios, and by conducting the audit every quarter.

To the surprise of many observers, protests from issuers were quite restrained, with some relieved to be rid of pressures for an ‘arms race’ in cardholder rewards. And a comparison of Australia’s Big Four banks (which control about 80% of most financial services there) shows their profitability to be comparable to similar issuers in Canada, the U.K. and the U.S.—without all the extraneous fraud and other costs.

The lesson is that occasional regulatory intervention has been constructive, creating value throughout the payments system.

The Fed Steps in

In another era, perhaps in a different industry, the U.S. Fed’s subtle role as a central bank looking after payments might have found its way into meaningful collaboration with, and guidance for, a troubled industry.

The draft governance framework for faster payments scheduled for release for industry comment in late April by a working group of the Fed’s Faster Payments Task Force is one more effort to ‘tease-out’ progress on resolving volatile governance issues affecting legacy payments before they bog down faster payments.

But the U.S. payments industry has been embroiled in constant conflict between providers and users for decades—most recently on the levels of card fraud incurred compared to other countries, as well as on standards for data protection and cybersecurity.

As a recent example, the American Bankers Association (ABA) offered a series of Webinar briefings to its community-bank members on what it called the “jungle” of payment card fraud. It pointed out that this fraud “rose to over $20 billion globally last year alone, a rise of over 20%.”

Yet, in multiple venues and dialogs since last summer, the ABA (with support from some of its big bank members and the bank card brands) has fiercely resisted any public discussion that the U.S. has a fraud problem with cards—including and especially signature-debit fraud as compared to PIN-debit rates.

This legacy banking and payment card “consortium” also objects to endorsement of a new (and widely supported) cybersecurity framework from the National Institute of Standards and Technology designed to replace inferior frameworks currently required in financial services. The reason often given is to avoid more or duplicate regulatory requirements.

Instead, in a Feb. 28 letter to House of Representatives leaders, the American Bankers Association and several industry trade groups have advocated for “a national data-security and notification standard” in support of pending legislation to that end.

The letter noted the groups’ differences with “statements by some retailer groups” with respect to “regulatory mandates that set rigorous data-protection and breach-notification practices for financial institutions to follow.”

And on March 7, the ABA provided Congressional testimony that attributed most data-breach damage to compromises by “businesses” (ostensibly merchants and corporates), not “regulated financial institutions.” Yet, nowhere is the Equifax debacle addressed.

And so it is no surprise that when the legacy payments providers hold the fraud data tight to their vests, and offer only partial descriptions of who or what is at fault, the Fed’s most interesting follow-up activity for faster and secure payments is a comprehensive fraud study of its own—designed to get to the bottom of sources and responsibilities for fraud, as well as effective solutions.

No Blame Game

By contrast, in Australia, the RBA’s frequent and comprehensive convening of the payments ecosystem around foundational industry issues such as security has resulted in quicker adoption of new technologies—including EMV (beginning in 2010)—designed to protect payment accounts.

Clearly, the argument can be made that with just four banks needed to convert 80% of payment volume, such technology migrations can move more expeditiously (and less painfully).

But recent research on the “Australian Journey to Payments Rationalization” depicts a process where senior payment-industry officials from all sides have come to collaborate materially on issues of consequence—thanks in no small part to the RBA’s soliciting and “nudging” the high-level “decision-makers” to work constructively on them.

A safer, saner transactional environment has resulted. Caps on extravagant interchange, coupled with a high reliance on safer payment options such as PIN debit (while not being saddled with fraud-prone and high-cost card products such as signature-debit) and use of chip cards at the point of sale, have all contributed to manageable fraud rates.

As well, overseen by the Australian government, the financial-services industry and other sectors of the Australian economy collaborated productively on a comprehensive and action-oriented approach to escalating cyber attacks and threats: “Australia’s Cyber Security Strategy—Enabling Innovation, Growth & Prosperity,” published in 2016.

Instead of back-biting and playing the blame game, Australia’s payments leaders chose to harness cybersecurity acumen and investment to create an economic advantage for the country.

Further, the Australian government is working on a digital-ID system that matches a user’s photograph, Medicare, driver’s-license, and birth-certificate details with information already known by government services and departments.

These “GovPass” users will register for the service with their email address and mobile-phone numbers. That’s a far cry from the predominance of payment-account credentials and PII used largely in the clear by card issuers and their agents—such as Equifax.

And in February, Australia announced its New Payments Platform (NPP) was open for business after years of development. The path to this important innovation is perhaps the most instructive use-case for central-bank regulation working in combination with a functional, respectful industry ecosystem.

At the urging of the RBA in 2006, the Big Four Australian banks set about to build a faster-payment network, nominally called MAMBO (“Me and My Bank Online”). After three years, and some fractious meetings among the big banks, the effort was mothballed.

But the need for a real-time network was surfaced again by the RBA in its payments-innovation review in 2010-12 as a central aspect of the next-generation payments that Australia needed to be competitive on the world stage.

The RBA continued to lobby behind the scenes for another stab at the project, and by 2013 the successor project—eventually named the New Payments Platform (NPP)—made its way to the Payments System Board (PSB) in the form of a business-development and design proposal. The PSB—an adjunct function of the RBA—approved it, and the new company launched in December 2014.

NPP’s approach to real-time payments was not without debate. Smaller banks (about 150 in number) had concerns about terms and costs of participation, including whether there was a choice of applications to pursue. The big innovation, in the eyes of many, was the design of the system to build “overlay services” (effectively, individual business applications) on top of an end-to-end, secure, digital-network component.

This design translated into banks serving as the primary originators and receivers of real-time payments—and therefore being unequivocally responsible for the security (the NPP network serves as an encrypted pipe).

Once a bank integrates into the network (big banks directly, smaller banks via third-party processors), it can then choose which applications make sense to field and offer. NPP thereby serves as a single, national utility for faster payments.

Importantly, the NPP and other payments-organization boards include user representation and are informally cultivated by the RBA (which regularly convenes consumer and merchant user councils separately).

Lost in Translation

By contrast, the U.S. Fed mounted a huge effort to nurture 16 different proposals for faster payments out of the payments ecosystem. The apparent early leader in the market was the big-bank alternative—fielded by The Clearing House (TCH), the consortium of the 24 largest financial-services companies, including 16 of the largest retail banks.

Smaller banks and credit unions (12,000 of them at last count) and their network processors have struggled with the business model of the TCH option, which for now allows them to participate, but only up to the funding level of a prepaid account (e.g., $1 million each).

Consumer and merchant users have their own challenges with the big-bank alternative for the U.S.—especially the availability of ubiquitous, low-cost, good-funds arrays of payment options capable of reaching all 12,000-plus financial institutions (as well as non-bank providers).

As a result, along with the uncertainty of how many faster-payments options will arise, there has been grass-roots support for the Fed serving as an operator, providing the ubiquity of its reach (it connects with every bank) as a default service—just as it does for smaller financial institutions with ACH and wire payments.

But many of the big U.S. banks say they are loath to consider any competitive network service from the Fed—unless perhaps as needed down the road to provide integrating capabilities that might arise (e.g., in the event four or five different faster-payments networks surface, including from new fintech providers).

Meanwhile, governance and ownership aside, a number of questions remain to be answered about how efficient, secure, and cost-effective the TCH network design—or any other faster-payments system—will turn out to be.

Lost in translation seems to be the industry will, motivation, and leadership to do better that should have come out of the Equifax travesty. What might still be a catalyzing event for collaboration on payments security so far appears to be just another wasted crisis.

 

Timeline of Australian Payment System Reforms

March 1997 – Financial System Inquiry final report (Wallis Report)

1998 – Payment Systems (Regulation) Act

October 2000 – RBA & ACCC Joint Study

December 2001 – Credit card reform Consultation Document

July 2002 – Debit reform process commences

August 2002 – Credit card reforms finalised & published

January 2003 – Merchant surcharging allowed

November 2003 – Regulated credit interchange method comes into force

April 2004 – New credit card Access Regime comes into force

February 2005 – Debit consultation document

November 2006 – Regulated debit interchange & HACR

November 2006 – Revised credit interchange benchmark

May 2007 – Review of Payment Systems Reforms commences

April 2008 – Consultation document

September 2008 – Findings of review published

January 2010 – Revised standard for EFTPOS interchange fees

2010 – EMV migration begins

2010-2012 – RBA Strategic Review of Innovation in the Payments System (including Faster Payments)

2011 – Contactless deployed

2013 – RBA’s Payments System Board (PSB) supports new payments platform

2013-14 – Financial Services Innovation Inquiry into, including Faster Payments

2015 – APC’s National Payments Strategy completed/announced in public documents

2015-2016 – RBA review of card payments regulation

2017 – Implementation of rewards card fee caps

2018 – Australia’s New Payments Platform (NPP) goes live
