By Bill Trueman CEO of Riskskill a division of UKFraud
Only a few of the mobile payments sector stakeholders are truly ready to cope with the growth of their market, the changes in technology and the pressures that will be put upon some of existing standards in the sector. This current status quo is worrying. Combine these factors, and a cocktail of risks is created that will pose significant new challenges for risk managers and other stakeholders in the market.
To assess the potential risks involved, we recently studied developments in the mobile payments (M-Commerce) arena, i.e. all types of mobile payment services including mobile money and mobile wallets, which are subject to financial regulation and performed from or by mobile devices, and classified the key areas of risk as follows:
1. The Scale of Sector Growth and Technology Change.
With commentators suggesting that the mobile payments sector will reach US $1 trillion in global transactions by 2015, our research highlighted that many risk professionals are concerned by the sector’s rate of growth. In our view, this rapid growth could mean that many proven risk strategies, once thought of as realistic and elastic, could be left ‘out of touch’ in the medium term and lack the solid infrastructure required to be able to accommodate such growth.
It is therefore easy to recognise that as a consequence of this growth, one of the greatest challenges to the development of plans and strategies that align organisations within the mobile payments sector is not only the diversity of sources of change but also the sheer speed of technology change, whether it is the hardware, the software or the technology platforms used.
The main ‘mobile payments’ players are now extremely keen to produce the next ‘big thing’ and this is reflected in the significant investment being made by these key players. Many feel that Apple with its i-infrastructure and significant market presence has the potential to launch something ground-breaking within iOS7. Other market leading names such as PayPal, Google and Amazon are also likely to have a significant and positive market impact with upcoming developments of their own, as will global and EU based telecom infrastructure owners. The international card schemes too, , will have a major and positive impact on the development route(s) in the sector as will many other highly innovative and respected third parties including: iZettle and mpowa.
I believe that it is the technology organisations, which act the most responsibly and altruistically now will help minimise market risks over time. They are concerned though that in the rush to ‘jump on the bandwagon’, smaller players will adopt solutions that are based upon outmoded foundations and infrastructures. If this happens some regulators and stakeholders could struggle to keep up with the pace of technology change. This could mean that they might be unable to introduce the safeguards, protected environments and fraud prevention methodologies that are required at this early stage of market evolution. Fraud is deemed to be the greatest risk here as the fraudster thrives in such fast-paced environments, especially when there is no history, formality, process standards, anti-risk architecture or common IT foundations. Typically, fraudsters just ‘adapt’ and outsmart their targets.
2. Globalisation of Mobile Payments
The rapid spread of mobile payments globally, with the explosive growth of M-Commerce in China, India, Latin America and the Far East is another factor. Recent data from the ITU (International Telecommunication Union) points to global mobile subscriptions now reaching 6 billion. In some of these newer territories, the mobile payments sector is compensating for the lack of a physical and sufficiently robust banking structure and therefore proves extremely popular. Consequently, whilst the growth figures are impressive, the rate of growth could draw into question whether the existing and on occasion nascent regulatory systems and controls are sufficient to cope. Indeed, the most worrying aspect of this global spread is whether the technical and security infrastructures are built and based upon the solid foundations required. And if all these global payment solutions start to become interoperable, then where are the regulators, and last resort funders/funding-guarantors to be found?
3. Consumer Communication and Information Risks.
In addition, in the mobile payments sector there is a continuous stream of new financial products that are all seeking to outdo each other in the eyes of providers and consumers. Our concern is that alongside other areas of rapid market change, a fast churn of product lifecycles and the sheer variety of product nomenclature might cause consumers to become confused and thus more vulnerable to fraudsters exploiting their confusion. This will also be compounded by the absence of adequate fraud systems which will not have been put in place by all the main players, at an early stage, as some will only just have kept up with competitive product development.
4. Standards and Regulation Outpaced?
The impact of such a rapid evolution of technology and financial products could threaten the applicability and implementations of many existing ‘standards’ programmes. Other newer standards will need to be evolved, although these too might still struggle to keep up with the rate of change and the global nature of these things. There is such a broad range of organisations and bodies from which such standards might come, that this in itself could cause confusion for market stakeholders and consumers alike. Once again, the most likely beneficiary of such confusion could well be ‘professional’ fraudsters. The hope is then, that standards bodies will harmonise with other similar organisations around them, especially those who take a lead.
There are a number of widely regarded bodies whose intervention could have a major impact in reducing market risk. This includes highly respected organisations such as UK Payments (formerly APACS), the ISO or the European Payments Council, which could potentially, some feel, develop a new SEPA-type regulation for the mobile payment sector. Other widely acclaimed and respected card schemes (such as: CUP / Visa / MasterCard etc.) might also take a lead as they have a strong commitment to acting responsibly and correctly in the market.
If the standards that do emerge could drive the right risk–reduced conditions, it could in turn lead to both an evolution and a revolution in M-commerce practice and risk management. This could then prove to be a facilitator for wider adoption of mobile-based NFC /contactless payments.
We have also studied whether the effects of the ‘potential standards debacle’ might also have a ‘knock-on’ effect upon government regulation too, as there is always the possibility that more interventionist governments might take the opportunity to play a constructive role. With the respected EU Cyber Security Directive focussing on setting good foundations with the Network and Information Security standards in individual member states, the current thrust seems potentially a long way from specifically addressing mobile payments. In the UK, some question whether the government is likely to drive innovation in this area, as the risk, payments and fraud skills within the leading departments (Cabinet Office, FED and the National Fraud Bureau) might not be those required to lead direction and strategy in the UK mobile payment sector. Understandably, much of their current focus, many feel, is deployed in addressing the public sector fraud element of the UK’s existing £52 billion fraud problem, as defined by the AFI statistics produced by the National Fraud Authority.
Whilst the risk in each of these areas can be incorporated into risk strategies, the combined effects are harder to predict. You see, it is easy to plan for many risks individually – however, the wide and varied nature of the risks associated with the changing and rapidly growing mobile payments sector create a whole array of risks that will challenge even the best of plans and strategies for addressing problems within the mobile payments sector.
This is a simply enormous issue to address. Organisations and indeed many governments are often now too ‘silo based’ to evolve direction and protection from the attacks in a market that are so rapidly evolving. The ideal solution for leading sector stakeholders should be to drive proper standards through appropriate bodies that will in turn drive both a governmental and a business response globally. It’s a ‘tall order’ and only time will tell if it is possible to regulate or whether we just end up with a Molotov cocktail.