Payments 2016Will these be the top five

payments trends?

By Jonathan WilliamsDirector of Payments Strategy, Experian

2015 was a year when big ideas started to take shape and I’m hoping that 2016 will be the year that we see those ideas developed into real solutions. In this e-book, we’ve collated the top 5 things we think we’ll see over the coming year.

Foreward

Gearing up for PSD2 – strong authentication and identity management

#PAYMENTS TREND ONE1As the Second Payment Services Directive (PSD2) starts to get implemented in national laws, customer authentication is going to become more fundamental in the payments process: it will be needed more frequently and will need to be more robust using multiple factors for re-authentication.

As part of the process of transposing PSD2, the European Banking Authority issued a consultation on strong customer authentication, responses were due by 8 February 2016. This will determine the approach used across all member states, in addition to how each of them decides to implement the directive. Authentication will also be required to support the open banking and payments APIs currently being investigated in the UK as a precursor to defining the third-party provider (TPP) interfaces to the banking system enshrined in PSD2.

Vendors and service providers will have to incorporate strong customer authentication at point of payment initiation for the vast majority of payments, value is likely to be the determining factor.

With people needing to be authenticated every time a payment is made, providers will need to take care to strike a balance between strength of authentication and convenience. Solutions that can authenticate without introducing friction into the payments process will be needed and 2016 will be the year that technology companies determine their approach to this often complex issue. It will also become necessary to separate (re-) authentication techniques from identity proofing and from identifiers.

Approaches which separate the proof that an individual exists and the related confirmation that this is the customer presenting themselves from data about that person, including payment account information, will make it clearer how much confidence can be stated in a given identity. Whilst in the past it was good enough to make a binary decision – “it is, or is not, Joan Smith” – modern risk management requires us to be able to state how confident we are that an individual is who they claim to be and is connected to the data about them.

To do this we need more dynamic identity confirmation tools so that, if an identity is successfully obtained using a false passport, transactions attempted after the forgery has been discovered will be distrusted. 2016 promises to start defining the standards for how we trust each other, in real-life as well as banking and payments.

It will also become necessary to separate (re-)authentication

techniques from identity proofing and from identifiers.

The customer/bank interface will be opened up...

#PAYMENTS TREND TWO2 The customer/bank interface will be opened up... A key topic for a number of regulators is how to increase competition in the provision of bank account services. Some of the issues to be addressed are the sizable investments required to get a new bank off the ground, the problem of gaining access to payment and clearing services and finally ensuring that all banks can provide good interfaces to all their customers.

Whilst some progress is being made on access to payment services and appropriate regulation, there seems to be a view that control over bank accounts could be provided not only through banks.

The Payment Services Directive 2 establishes a regulatory regime for trusted third parties (TPPs) to access corporate and consumer bank accounts on behalf of their customers. These are broken into two types in the directive: Account Information Service Providers, who provide services related to account and statement data such as financial analysis, and Payment Initiation Service Providers, who can enable payments from the associated payment accounts. Each TPP will have no contractual relationship with the bank or payment institution and will require customer authentication to access the payment accounts.

This can be successful only if there is a similar, if not identical, Application Programme Interface (API) to access accounts. Currently, multiple banking apps are used to manage accounts at each bank. A multiplicity of apps to cover each consumer’s bank, credit card and alternative payment accounts is what we have now, this gives poor user experience and causes confusion.

Whilst transpositions are at least 12 months away, the work

required to implement them IS STARTING NOW.

£

£This “unbundling” of banking, similar to what happened in the telecoms, gas and electricity industries over the last 20 years, separates the provision of banking from the way that customers access it. In the telecoms industry this created increased competition with new telcos able to leverage the existing infrastructure owned by the large national provider and own the “last mile” connection to the customer, either by renting telephone lines or by installing their own connections. Could this approach work for competition between #FinTechs and banks in the same way?

It is unclear which organisations will become a TPP, it could include some or all of these:

In the UK, HM Treasury has helped to create the “Open Banking Working Group”[1] initiative with Payments UK and the Open Data Institute. This focuses on creating open APIs for consumers and businesses to control and monitor their bank accounts. This project may well influence the way that the PSD2 is implemented across Europe and goes beyond what the directive requires. An initial report is awaited eagerly, giving a first, formal response from the payments industry to the PSD2. It is anticipated that 2016 will see more detail around the proposal and potentially some early prototypes and proofs of concept.

As the countdown to the PSD2 implementation in 2017 proceeds, more information will emerge but 2016 looks like the year which will set the agenda for access to accounts and the proposed responses from the payments industry.

A personal financial analysis businesses gaining easier access to more consumer data

Mobile payment companies getting increasing country coverage across the EU

Banks or existing payment institutions competing against other banks, PLC’s and #FinTechs

Corporate banking applications gaining direct, real-time connectivity to accounts

Debt assistance companies help consumers manage their financial accounts

Other innovative software providers

Electronic push payments start to stem the rise in debit cards

#PAYMENTS TREND THREE3Over the last few years, debit card transactions have increased significantly, overtaking cash by volume of payments in 2015. This has been in part driven by the adoption of card payment terminals by smaller merchants and the move to contactless and mobile payments in 2015[2]. People want an easier experience when paying and are happier to use their smartphones to pay for goods.

PEOPLE WANT AN EASIER EXPERIENCE when paying and are happier to use their smartphones to pay for goods.

Last year, interchange fees on card payments were capped at 0.3% for credit cards and 0.2% for debit cards. This has meant cheaper costs for merchants of card payments for higher value transactions. Against this background merchants are likely to be looking to get a better deal on lower value transactions. Historically in Germany merchants grouped together to create the Elektronisches Lastschriftverfahren (ELV) scheme which makes a direct debit payment at point of sale. With automated clearing house (ACH) costs being significantly lower than card payments, merchants’ profits improved.

The widespread adoption of mobile devices means people are now empowered to make push payments from their bank accounts. Over the last few years, we have seen an increase in the number of mobile apps backed by bank accounts as opposed to, or in addition to, payment cards. This is low friction for the customer and low cost for the merchant.

In Denmark, MobilePay transactions peaked at

532,000 a day5

These services, such as iDEAL in the Netherlands, Sofort and MyBank across the EU, Pingit and Zapp in the UK, can save money on payment transaction fees for merchants and may increasingly be attractive for lower-value payments. In Denmark, MobilePay[3] from Danske Bank has been very popular with over 2.7 million clients and a peak of almost 532,000 transactions per day at the end of 2015.

This system uses both bank and card accounts and represents the kind of revolution in purchasing, both in-store and in-app, that will significantly affect the payments landscape. Debit card transaction volumes have risen steadily over the past 10 years but as ease of use becomes critical we foresee this growth will slow and may reverse. Consumers are in control of if and when this happens.

Updates to internet security cause confusion and failures

#PAYMENTS TREND FOUR4The fourth item on the list of payments trends for 2016 is not specifically a payments industry issue although it could have a significant impact if not properly managed.

Internet security researchers investigating the strength and robustness of the protocols used to secure communications on the internet have recommended that older protocols, such as SSL (Secure Sockets Layer) and SHA-1 (Secure Hash Algorithm), be replaced by newer standards.

HOW DOES THIS AFFECT THE PAYMENTS INDUSTRY?

Many communications rely on internet protocols to secure payment instructions. From consumer card payments using online merchants to corporate-to-bank connections in addition to the links used by automated clearinghouses and payment networks, many of these rely on secure electronic signatures and encrypted communications.

This will require users to update operating systems, browsers and networked software on smartphones, tablets, PCs and servers. Already newer browsers are flagging up the old protocols and in some cases are refusing to connect to them. 2016 will be an important year rolling out these upgrades. As an example, Windows XP, already retired and out of support, cannot support these updated protocols and users are being advised to upgrade to more modern operating systems.

In addition to payment-specific connections, access to online banking systems, such as EBICS, and banking networks should also be considered as part of the upgrade. There is a risk that some businesses and consumers won’t upgrade some components of their systems in time to meet the industry deadlines; these deadlines are closer than for other typical industry migration timelines, such as the three-year timeline for Bacs between 2003 and 2005. Those who don’t update software and browsers as necessary are likely to be unable to access systems.

...it is unlikely that at all users will not be ready on time... With hard deadlines and widespread use of Bacs for Direct Debit, Direct Credit and UK Faster Payments, it is likely that at least some payment system users will not be ready. Those who aren’t ready by applicable deadlines will not be able to access services and this will prevent them from making or receiving payments.

Additionally, files that are signed and submitted within Bacstel-Ip software are moving to an updated signing standard known as SHA-256 (Secure Hashing Algorithm). Businesses must therefore upgrade all software which connects by June 2016 or risk losing the ability to submit Direct Debit collections, salary and supplier payments. This may involve the installed software and any required components: for hosted or cloud-based services this may require upgrades to browsers and smartcard or “signing” software.

The payments industry has plans in place to ensure all their services use modern protocols. However, because both ends of the link need to support the same standards, any systems which connect to these services will also need to be upgraded. As an example, the latest PCI Data Security Standards have been updated – impacting all systems within the scope.

Another example is the Bacs clearing house in the UK, which operates a service for corporates called Bacstel-IP. Submissions into the Bacs system are protected by both encryption and digital signatures. The secure communication between a payments gateway and Bacs via the internet, currently SSL, will be upgraded to a minimum of TLS 1.1 (Transport Layer Security).

June

1

New banking providers get up \and running

#PAYMENTS TREND FIVE5The final trend for 2016 is a significant development in the race to provide banking to consumers and small businesses in a new way. During 2015 two new banking licences were issued in the UK to digital-only banks. These new entrants see themselves as banks for the 21st Century and their focus is engagement with clients electronically and delivery of real-time services that meet the needs of today’s customers. With mobile banking becoming increasingly popular Internet banking is now the main channel and branch banking is decreasing in usage. People are moving to electronic and always-open banks.

In addition to these new starters, established banks are spinning out parts of their operations under new brands, or in some cases revitalising old brand names These operations are now looking to differentiate themselves in the marketplace and build their appeal to the tech-savvy modern customers they want to attract. Banks in both of these categories will need access to the existing payments systems through existing providers, typically the main banks. These providers of what PaymentsUK terms“Indirect Access” have jointly developed and are voluntarily signing up to a new code of conduct to ensure that smaller providers are not disadvantaged.

PaymentsUK has just concluded a consultation on this code of conduct which will indicate whether wholesale banking has opened up enough. The Payment Systems Regulator is also conducting work on how banks access clearing systems, to ensure competition in the banking provider market and to ensure good outcomes for payment service users.

During 2015 two new banking licences were issued in the UK

to digital-only banks.

As well as giving people more choice as to who they bank with, it will also lead to banking specialisation. We will see some providers choosing to focus on single segments or sets of services and will look to buy in additional financial products from third-party suppliers when they have identified a demand from their customers. These providers may therefore offer white-label loans or investment services from other banks. This represents a significant change in the banking industry and the path new providers will have to take is by no means clearly defined or certain.

By the end of the year I believe there will be at least one new bank experiencing significant success, however, given the amount of new ground which needs to be addressed, at least one may be merely staying afloat.

Finally, as mentioned as a previous trend for 2016, both new and old banks will be required to open up their services using new programmable interfaces to their banking systems. The Open Banking Working Group has issued an initial report with a target go-live of the end of 2016. This means that competition will also come next year from technology companies building on the existing banking infrastructure.

What can we expect in 2016?Certainly there will be new campaigns asking us to move our bank relationships to new operators. We expect that many of the new providers will unveil innovative and simple interfaces to the services we demand but the acid test will be whether consumers decide to switch their accounts.

With London being widely recognised as the capital of Financial Technology, or #FinTech, it is likely that many of these companies will launch services for the UK market.

New banks must therefore look over their shoulders to the #FinTech companies who will be coming up swiftly behind them.

While it could be make or break for some new banks, there is certainly a danger that the traditional banking services will be commoditised and the higher-value, data-centric services will be the key to gaining new and retaining

existing clients.

To stay ahead, the more established banks will need to consider the range of products they provide, look to their key strengths and the depth of relationships they have formed with their customers.

© Experian 2016.

The word “EXPERIAN” and the graphical device are trade

marks of Experian and/or its associated companies and may

be registered in the EU, USA and other countries. The graphical

device is a registered Community design in the EU.

All rights reserved.

Experian Ltd is authorised and regulated by the Financial Conduct Authority. Experian Ltd is registered in England and Wales under company registration number 653331.

Registered office address: The Sir John Peace Building Experian WayNG2 Business ParkNottinghamNG80 1ZZUnited Kingdomwww.experian.co.uk