By Gerhard Oosthuizen, chief technology officer, Entersekt
Another year has passed, people like to say, as if every annum were alike. I predict that when we look back five years from now, we’ll recognize 2019 as the year that a new change cycle started in the banking industry.This will build over the next three years and shape financial services and payments for at least a decade.
Jockeying for position
New alliances will be forged, and new leaders will emerge in the battle for the consumer. The incumbents in payments and identity know this and are already advancing to head off the competition. Some of them have even started to show their hands with a number of big plays announced.
Simply put, we are seeing heavyweights in payments advancing into identity and the early leaders in identity attempting to bolster their positions by expanding into payments.
In the techfin or BigTech space, the action started heating up in 2019. Apple entered the identity provider race with Apple ID;it also tried its hand at banking, launching its own card, along with Google. There’s Amazon Pay and Facebook Pay,and Libra, of course.
I think we can all agree that the announcement of Libra did not go to plan.As a bold attempt to snatch the prize, however, it was perfectly in line with the way things are going,especially since the “prize” here isn’t so much leadership in consumer payments as control of identity provision.
Neither did the payments networks rest on their laurels. EMV Secure Remote Commerce(SRC) was launched in the United States, with Visa retiring Visa Checkout and Mastercard mothballing Masterpass in favor of a single new specification and the more streamlined, consistent payments experiences it makes possible.
This is EMVCo’s big play to get closer to the consumer – and its intention is not only to ensure the schemes remain at the top of the payments food chain. As with Libra, SRC plays into the race to capture the market for identity. In parallel, Mastercard has just launched ID, a universaldigital identity service that’s less about “transactions” than “interactions”.
Other standards like FIDO and OpenID Connekt are gaining traction, which should help drive innovation and cooperation in identity. FIDOwas probably the biggest winner in 2019, with WebAuthn, a web standard central to the FIDO2 Project, gaining hold, including quite startlingly at Apple and EMVCo. European regulators have also signaled their approval of it as a form of strong customer authentication.
Red flag for the networks?
Back to leaders in payments. EMVCo now has three standards: tokenization, EMV 3-D Secure, and Secure Remote Commerce.These are complex specifications that require a lot from merchants and financial services providers to understand, implement, and certify. The networks will offer acceleration kits to help (Mastercard’s Identity Check Express in Europe and India, for example, or data-only flows in the USA) and fintechs have a role to play in easing the burden too. Still, getting all of these up and running by the end of 2020 may be too daunting a goal for many institutions.
This is something of a red flag for the networks. Alternative payment rails have multiplied over the last few years and some merchants may go with them to avoid the complexity that the networks are adding. Zelle and Venmo found success in the United States, and you can expect ramped up competition in peer-to-peer and peer-to-business payments with simpler integration and other benefits for network participants and users.
Reversing years of consolidation, we can expect the proliferation of payments options in 2020 as each network competes on real-time processing, integrated loyalty, lower fees, or other benefits, and new players explode onto the scene. I expect at least one of the recent mega-mergers (FIS and Worldpay, Fiserv and First Data, Global Payments and TSYS) to launch their own closed-loop system in 2020. Wasn’t the pursuit of network efficiencies after all part of what made those acquisitions so attractive to shareholders?
Growing identity parade
The identity space will see projects become a lot more concrete with individual initiatives taking shape and big industry players marking out their positions. One of the payments networks will make a big play for control of consumer identity. They are already offering banks the option to delegate their authority to merchants for payment authentication. This situates them very advantageously,with aview of the consumer from both the merchant’s and the issuer’s ends.
This will be a highly lucrative market, so everyone who’s anyone is jumping in. Initially, we’ll see a wide range of players vying for dominance, but these will consolidate over a few years into just a couple of winners. I don’t expect that we’ll know who those will be anytime soon, but by the end of 2020 we’ll have a shrewd enough idea of the organizations that are willing to try.
Open banking is the biggest change in this area, broadly speaking, and arguably the prime catalyst. As it develops, I’ll be watching for the first big success story. A headline-grabbing collaboration between a third-party provider and a bank would provide a model for rapid adoption and increased revenue for the benefit of both parties and the consumer–thus realizing the regulator’s intent. Until we have these case studies, open banking will continue to be regarded as a threat by banks and an empty catchphrase by consumers.
Broader technical impact of regulatory changes
The “final”PSD2 deadline came and went in September. What looked like a non-event had involved enormous effort and much angst behind the scenes. Nevertheless, the show must go on, and as most of us expected it would, the EBA issued an extension.(Your feelings on this could depend on whom you most identify with in Aesop’s fable about the ant and the grasshopper.)
It seems as though SMS one-time passwords will eke out an existence into the third decade of the twenty-first century as the default institutional answer to PSD2’s strong consumer authentication requirement. You can forgive banks resorting to as top gap in the rush to comply but, with SIM-swap attacks taking off in the region, there is no better time to invest in more advanced techniques for gaining consumer approval.
I can also see a lot of people jumping onto the FIDO bandwagon. Entersekt is a long-standing FIDO Alliance member, and FIDO really ought to form part of your planning, but there are challenges there, including enabling frictionless transacting and managing authenticators’ lifecycles.
Meanwhile, consumer concern over privacy and data protection will continue to mount with increased invigilation by consumer watchdogs. Governments will pass more legislation to protect individuals from businesses playing fast and loose with their personally identifiable information. Europe has GDPR, South Africa has POPI, and many other countries and regional groupings are following suit.Living up to its long record on consumer protection, California took the lead in the United States with the 2018 California Consumer Privacy Act.
The effects of all this regulation will be far reaching. Look at web browsers, for example. Brave is getting a lot of attention for its privacy-first approach and more established browsers are preparing to close the PII tap too. They will shortly disable a number of user tracking features in response to commercial and regulatory pressure, with more significant consequences than those annoying cookie disclaimers. A lot of functionality on the Internet relies on this tracking – and not only to sell us things.
Digital security and data privacy don’t always sit on the same supermarket shelf. 3-D Secure and Secure RemoteCommerce depend on payment networks and card issuers tracking user activity to combat card-not-present fraud while providing frictionless checkout experiences.
There are, of course,entirely secure and private means of assuring user identities online when you really need to know. Banks will want to acquaint themselves with these technologies as standard device and browser fingerprinting becomes a thing of the past. Indeed, any organization preoccupied with security and convenience in equal measure will be looking for new solutions in this area.
Back to the end customer
New developments are coming thick and fast. Many consumers will be confused, not knowing whom to trust or what interactions are safe and what are not. Banks will have to work harder than ever to streamline digital experiences so that they appear simpler and more consistent to their customers, never exposing them to maelstrom of change the industry itself must contend with. They inspire the greatest trust, but they have to deliver on the user experience too. If they don’t, the techfins and other challengers will claim more of their business in 2020 and the years after that.
Entersekt is dedicated to helping financial institutions make the most of digital transformation, so I’m very excited to see what challenges and opportunities will be addressing together further down the line.