Thursday, June 23, 2016

The DAO - Ethereum incident: if you can't stand the heat, stay out of the kitchen!

Ok, I admit: I may be a payments or banking dinosaur and an old school kind of guy. I have personally witnessed the emergence of new payment methods (POS, I-pay, VbV, purse, online-purse, Paypal, EMV, etc) as well as the failure of banks (Icesave, DSB). And I have a keen interest in the history of banking and finance.

With this background I have been intrigued by the Ethereum-DAO incident and its further follow up. What now seems to happen is that an undemocratic, interest driven community that hasn't secured or enforced proper governance and safeguards, is taking the right in their own hands when some digital assets of theirs appear to move in different places than envisaged.

Lay-out of options to solve the issue
Pondering the issues at hand was stimulated by this very good presentation by Gavin Wood last Monday at the Dutch Blockchain Conference.

In the presentation Gavin Wood presents 3 options:
- do nothing
- soft fork by community
- hard fork by community.

However logical the 'community' approach appears to be, I couldn't escape noticing that the concept of community is limited to those directly involved as owners/investors in ether. All of those people were aware that they're investing in a very speculative, new technology and digital asset.

Gavin introduces the concept of moral consensus by the people, rather than the machine, to solve the issue. This consensus is not really the people, he explains, but the miners. In my view this means that the bottom line is that the interested actors take the right into their own hands to cheat the attacker back out of his possessions.

What's missing: the legal consensus
What's truly missing in the discussion is a fundamental fourth 'community' option:
- owners of 'stolen' ether call the police (in whichever jurisdiction) so that a judge may determine whether or not this is a theft or otherwise.

Any system existing on earth is always under some jurisdiction which allows formal legal arbitration on differences of opinions as to whether this is theft. And lacking the proper arbitration rules in this obviously not so smart contract, this is the domain where the Ether and DAO community should revert to.

Any other road than turning to the formal/legal mechanisms to solve this issue constitutes a power battle between interested parties. One party claimed to offer autonomous smart contracts without human intervention (but slides back as soon as they lose money on it) and another party took them up on the offer and fights back to keep the first party to their offer.

If you can't stand the heat, stay out of the kitchen
From a macro point of view, I don't see a reason why a response in forking by the ethereum community is justified. We're just witnessing a private, risky enterprise doing not-so-smart-things with not-so-smart contracts. This will mean that a limited remit of private investors (that know that they are risk investors) lose their assets to someone else.

As tough as it may be to see someone mess up your assets/system in front of your own eyes, it is however the ultimate consequence of a philosophy in which one proclaims that it is exclusively the machine that drives the asset moves.

So as this all happens, you just better buckle up, take the hit and make sure there are no more accidents waiting around the corner. And if you're not up for it, it's time to leave the play under the motto: If you can't stand the heat, better stay out of the kitchen. When seen from a financial history perspective this whole incident is just one silly drip in the ocean of follies that have ever occurred.

Up next: prove it or put in arbitration
In a practical sense, the lesson is easy. Either have full formal proof of smart contracts, allowing you to check all possible states of the implementation, or include an arbitration and third party mediation into the smart contract.

It's not a new concept: I've been speaking with Ian Grigg numerous times on the relevance of arbitration for smart contracts (see also his blog on this). So with this incident, the lesson will surely sink in somewhat faster.

Friday, January 08, 2016

A new FAQ for PSD2 would be very useful to harmonise interpretations across Europe

The second Payment Services Directive, published end of December last year, is an important and welcome next step in the further integration of payment services in Europe. In order to achieve a true European level playing field ‘on the ground’, a clarifying FAQ for those who prepare its implementation today would be very welcome.

A FAQ that explains how the PSD2 definitions will apply in all Member states to the variety of business models and transaction mechanisms observed, will enhance the purported level playing field. This harmonised guidance is just as important as the FAQ/guidance provided for the first PSD. Both regulators and the market have further developed since PSD1 and it is essential to recognise some of the underlying dynamics and developments of the payments market.  

1. Out of scope, limited network or regulated?
At present, member states use the harmonised PSD-rules to determine whether or not a certain business model qualifies as a payment activity or can be categorised as an exemption. Both in terms of content and process, the approaches vary considerably between supervisors. The feedback of supervisors varies from an elaborate argumentation to merely the brief outcome of an internal review process.

Also in terms of content, the approaches vary. Business models that are out of scope in one member state may be exempt or require a license in others. The lack of a central register of supervisory statements on those matters makes this hard to identify, but the PSD2 will change this. All business activity exempted under article 3k and 3l, must be notified and the exemption decision will be published in a central register.

The practical consequence is that market participants can more easily determine which business models are exempted in which countries. This means that the supervisors must ensure that their qualifications are well-grounded and harmonised. One of the major challenges in this respect is to take into account the technological and market developments.

2. Technological developments: open and device-agnostic
Just one look at a user’s technical environment demonstrates that the major trend in payment technology development is the move from closed, bespoke systems and standards to more open structures. Whereas previously payment providers would control (sometimes own) all technological instruments to be used in a payment transaction, this is no longer the case.

The future infrastructure setting is one in which consumers and merchants will use their own technical device, and providers need to ensure that it can be used safely. We can now see card-based payments, where no plastic is used anymore, as the payment is made via a virtual card application in the mobile phone or PC. At the same time, in the back-office, the systems are opening up to the outside world via Application Programming Interfaces (APIs). Rather than having one instrument that operates as a shopping and a payments tool simultaneously, we can see that the value chain of search, shop and pay can be arranged via modularized interfacing of channels and technologies.

Therefore, when assessing the qualification of the technologies in today's payments, an open and functional approach is required. The classical approach, in which one tries to find the main device (such as a card) that serves as the payment instrument and then builds the further classification of a system around that instrument, will no longer work. There will be all kinds of devices and technical tools and while some may classify as payment instruments, others may not.

Fortunately, the definition of payment instrument in the payment services directive enables this functional approach. The definition mentions both ‘a personalized device’ and/or a ‘set of procedures’ to be viewed and defined as the payment instrument:
"payment instrument" means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order;

3. Where is the commerce and where is the payment transaction?
As technology slices up the commercial value chain, we should note the relevance of the last element of the definition of payment instrument: ‘to initiate a payment order’. There is a clear difference between the commercial use of devices for purchases (apps, shopping carts on the web, nfc-identification devices) and the later moment in which aggregated purchases are actually being paid. This can be compared to the difference between the shopping cart/button on a website and the payment button.

The main question to ponder is therefore: does the technology service allow the user to make a payment to any other payee in Europe (under the SEPA-rules) and is the transaction actually a payment order, or is it merely a shopping transaction, with payments being arranged later on.

I wouldn’t be surprised if in the next years, we will witness a shift away from devices as the actual payment instrument. It may be more suitable to put the (user) accounts centre stage as the actual payment instrument. When applied by retailer organisations, such a choice will enable them to build a multi-channel sales-channel in which the device used is irrelevant. The sales channel aggregates purchase transactions towards the user account at the retailer. In cases where the retailer merely aggregates these purchases and initiates a direct debit for the total sum to be paid, this remains an administrative account as the actual payment account in the process is that of the bank. Only in cases where actual payment orders are initiated from such an account, it would become the payment account as well as the payment instrument for the commercial transactions.

It is crucial to distinguish the commercial from the payment process domain when evaluating apps and identification tools on the market. The actual payments can be expected to become the afterthought of commerce, rather than a primary service. These can flow via a payment account in the background, which is provided by retailer, bank or payment service provider. It is that account that will then function as the payment instrument in the commercial transaction and not the purchase device/application used. Supervisors should thus not immediately label ‘the card’ or any specific technical tool in a commercial business model as the payment instrument.

4. Areas and definitions of interest for the application of the PSD2
We’ve seen that the democratisation of technology allowed non-bank payment service providers to enter the payment space. Among those will also be retailers that can leverage the technology to provide a better customer experience. If those retailers are to use a services and customer contract with a monthly SEPA-direct debit agreement in the background, the payment services directive will not be relevant for them.

Similarly there is the question whether the payment services directive would have to apply to intermediary web-based platform companies that help users transact among themselves. Such business models could be in or out of scope based on the interpretation whether:
- the payments are seen as a regular occupation or business activity (art 1,2b),
- the agency model applies,
- the new definition of acquiring applies,
- the limited network exemption applies.

I hope that the collective of regulatory players involved in the transposition and application of the PSD2 will succeed in addressing those scoping and definitions issues early-on. In this respect the publication of a FAQ on those issues, may be a very effective tool to clarify and ensure the level playing field.

Thursday, December 10, 2015

Satoshi rumours remind me of Being John Malkovich

These days, there's a rumour going around that an Australian guy would actually be Satoshi, the inventor of bitcoin. Next morning, this guy's house was raided by the police, in search of all kinds of evidence.

To me, it seems sufficient evidence to assume that the true Satoshi will choose never to reveal his or her identity. If all kinds of law enforcers incorrectly wish to blame the inventor instead of the users of his invention, you better steer clear of such hassle. In addition I could well imagine Satoshi to be a bit of a hermit.

In that sense, even getting a Nobel prize or the Turing Award would make no difference. We won't know who Satoshi is, which means we may get stuck with all kinds of impersonations of him. Which reminds me of the movie: Being John Malkovich (see trailer here).

In the movie, people may enter the brain and become John Malkovich for some time, until being spit out and landing at the side of a road. My best guess is that we will witness similar events for those who wish to be Satoshi.

Thursday, October 08, 2015

Now that the voting on the PSD is done, the real work starts...

The second Payments Services Directive, also known as PSD2, will be officially established today. In the plenary session discussion yesterday all political groups backed the achieved consensus and highlighted the benefits to consumers, the increased security of payments, further innovation in the payments area and lower cost overall.

Some work ahead...
We should realize however, that with the promulgation the real work will start for a whole range of involved players. First and foremost, there is a lot more work ahead for regulators and supervisors in the transposition process, but in particular also for the European Banking Authority. The PSD2 that seeks to open up access to banks and customer bank accounts for new players, leaves quite a bit of work to be done by EBA.

EBA should:
- develop rules on level of guarantee/professional indemnity insurance for payment initiation service providers and account information service providers,
- set up standards for cooperation and data exchange between local supervisors and resolve disputes on different applications of the PSD2,
- set up a central register of payment institutions and agents licensed under the directive,
- develop regulatory standards that define when the appointment of a central local contact point can be demanded by local supervisors and what its functions should be,
- be informed immediately in the case of emergency situations (such as large scale fraud),
- coordinate requirements as to the security frameworks applied,
- specify the requirements of common and open standards of communication to be implemented by all account servicing payment service providers that allow for the provision of online payment services,
- develop guidelines on a harmonised set of information to be provided during the application for a payment institution license,
- publish local exemptions under article 3k and 3l in the public register.

Clarity for industry on EU-application of definitions and scope
When the first PSD was delivered, it turned out that quite some players in the market required timely insights as to the future scope of the directive and how it would impact them. The European Commission then published an FAQ that further outlined how definitions should be understood.

It seems to me that it would be worthwhile to perform a similar exercise right now as there are quite some areas that can give rise to questions. As an example: the recital on the agency exemption leaves open the existence of agents for both buyer and supplier as long as the agent does not enter into possession of the funds. Yet, the definition of acquiring appears to be purposefully wide, meaning that such commercial agents might after all be viewed as acquirers.

The sooner this clarity is provided, the better it is, as the lead time for setting up and getting a license as a payment institution is similar to the lead time that now exists for transposing the PSD2.

I therefore hope that, for the sake of a proper EU level playing field, the collective of regulatory players involved in the transposition and application of the PSD2, will seek to address those scoping and definitions issues early-on.

Wednesday, March 04, 2015

ECB's renewed virtual currencies report: implications for the Third Payment Services Directive

This week the European Central Bank (ECB) revisits the subject of virtual currencies (VCS) in a renewed virtual currencies report with a further analysis. I have read the publication with interest to discover that the previous position on the subject essentially remains the same:
- virtual currencies don't come near money or legal tender concepts,
- the uptake of virtual currencies is still very limited,
- the wait and see approach of the ECB will be continued.

The typical paragraph that summarises this approach is:
The usage of VCS for payments remains limited for now, which implies that there is not yet a material risk for any central bank tasks, including promoting the smooth operation of payment systems. However, a major incident with VCS and a subsequent loss of trust in VCS could also undermine users’ confidence in electronic payment instruments, in e-money and/or in specific payment solutions. 

Whereas at first sight the report doesn't lead to a lot of new insights, the broader scope of its definition of virtual currencies does beg a number of fundamental questions with respect to the future regulation of payments. These questions lead me straight into a renewed regulatory approach, to be used in the Third Payment Services Directive.

An improved definition
The major improvement of this Eurosystem-report over the previous one lies in its correction of the definition used for virtual currencies. In an earlier blog I commented that the definition was too vague:
“A virtual currency is a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community”.
With this report, the definition of virtual currencies has formally changed into:
"a digital representation of value, not issued by a central bank, credit institution or e-money institution, which, in some circumstances, can be used as an alternative to money."

I am quite pleased with this change as it allows for a better understanding and classification of the subject of virtual currencies. Interestingly, the elimination of the element of decentralized issuance leads to a far broader range of virtual currencies than previously discussed. And this leads to an interesting follow up question.

Virtual currencies are suddenly everywhere... 
The table below lists the major payment options in the Netherlands, with the virtual currencies listed at the far right. When looking at the turnover figures, one can understand why the Eurosystem will be primarily monitoring the virtual currency scene. The most interesting observation is however that all the blue coloured segments of the table are now also considered to be virtual currencies.

We can see that in particular the giftcard and transport payments (which are out of scope of the payment regulations for a number of reasons) do amount to quite a substantial payments volume. Literally these payments are now also considered to be payments with virtual currencies. And from an analytical perspective, this is a logical consequence.

Regular (e-) payments | Mobile telephone | Retailer Giftcards | Bitcoin / alt-coins
16 million per day | 5 million per day (includes loads) | Premium services | 500.000 - 1.000.000 per day | Less than 1000 trx per day in NL
€ 903 | € 2 - € 20 | € 2 - € 5 | € 12 | € .?
Payment Services Directive (PSD) | Exemption under PSD2 | Explicit exemption of PSD1 | Out of scope when issued as a single retailer | Out of scope of PSD

Effectively we can now better appreciate today's payments world, seen from the eyes of the consumer. Because the consumer is not bothered by the details of Payment Services Directives and obscure exemptions of mobile payments. The consumer will use the mobile or ticketing payment means as a matter of convenience (or: obligation) and will have to undergo the payment experience as a fact of life.

Particularly in the Netherlands this leads to the interesting situation where a sloppy and easily hackable implementation of NFC is being widely used for public transport payments, alongside a safer NFC implementation of banks that is still working on its nationwide roll-out. Users use them both.

Similarly interesting was the occurrence, last month, of a virtual currencies bank run. As retailer V&D threatened to go out of business, one could witness the sale of its pre-paid gift cards on Marketplace (the Dutch ebay) for considerable discounts. At the same time everyone in the Netherlands dug up and spent their old gift cards, before it was too late.

What the third Payment Services Directive will have to look like 
If we take the wider definition of virtual currencies that the ECB uses, it becomes clear that the user experiences with virtual currencies (and losses: for example the sudden vaporisation of retailer gift card value after a period of 18 months) happen alongside the heavily PSD-regulated instruments and mechanisms.

Based on some prudential rules we now burden some forms of payments with a whole lot of rules, while we neglect all schemes that are out of scope (but may still have relevant consumer effects). This difference is - in my view - too big and requires a changed approach to be used for the Third Payment Service Directive (PSD3).

Under the Third Payment Service Directive, we should recognise that payments can and will be made and offered by everyone to everyone. The PSD3 should thus define a light-weight conduct supervisory framework for all payment mechanisms, regardless of the institutional status of the issuer. Alongside this wide conduct framework, we keep the current prudential framework intact, which outlines the prudential rules applicable to the different institutional payment setups (e-money, payment institution, bank).

The new conduct based framework would apply to payment mechanisms and e-money alike and have as a goal that the user is always properly informed on the basic terms and conditions, redeemability etcetera. The control-mechanisms should not be supervision based, but could be reputation-based for example, allowing the market to monitor and redress, rather than costly supervisors. Only in exceptional circumstances would a European conduct supervisor step in.

In sum: more analysis ahead
The broader scope of the Eurosystem's definition of virtual currencies begs a number of fundamental questions with respect to the future regulation of payments. In particular the area of non-regulated payment schemes at the fringes of the PSD might deserve more attention than it receives right now.

Not only could the question be whether or not a separate regulatory conduct-framework should apply, the European Retail Payments Board might also decide to extend its analysis towards these mechanisms, particularly when they reach a volume/scale which is equivalent to that of the regular payments.

Tuesday, January 06, 2015

Reflection on almost 100 years of retail payments in the Netherlands

These next few days we will be processing the last Chipknip transactions in the Netherlands. This marks the end of a period of almost a hundred years of consumer payments in the Netherlands. Here is a brief reflection on this period. My hope is that we retain our innovative mindset and that we abandon old school practices like: competition on technology and inward-thinking-based marketing practices.

The beginnings
It all started out with a certain demand of the public and small retailers, around 1900. It took however more than ten years before the city giro of Amsterdam (1916) and the national giro of the Netherlands (1918) were set up. In the period leading up to this moment, the cashiers were asked whether they wished to improve their services, as this might lead the parliament to conclude that no national giro was necessary. Their response was too meagre, as a result of which they created their biggest rival: the national giro system, operated by government.

This system effectively created a benchmark for the private industry by offering (some time after its start) payment services for free to the public. Today we would call this the Internet model, but in those days, this led to repeated discussions on the undue competition element. Bankers and cashiers assumed that the national giro was cross-subsidized by government; while effectively the reverse became true. The national giro acted as a cash cow that covered some of the other costs for the Ministry of Transport (including the costs of post offices etc).

The city giro Amsterdam has stood out mostly for its innovations: the use of modern bookkeeping machines, the introduction of photo-imaging (in the 1930s) to process payments more easily as well as the early introduction of a payment card to the public. The national giro, in turn, was early to create a mechanism of inpayments that could be used by government services, that used similar (punch card) standards.

In this respect it should be noted that the national giro, during the previous century, was plagued by several operational distortions, leading to 'giro stops'. One big one occurred in the 1920s and shut the system down for almost a year, other ones happened after the second world war. These stops instilled a big trauma into the organisation with the effect that when in 1965 a change was made to using punch cards and mainframes, this was done with meticulous scientific precision in order not to fail. Ever since, the postal giro (later Postbank) would be very keen and strong in the area of operational logistics and control.

Competition on standards and technology
For the most part of the evolution of Dutch payments, there were differences in technology used. A first attempt to bridge these differences occurred after the second world war when a commission on the integration of giro traffic tried to bridge the bankers vs giro gap. This didn't work out.

In the mid 1960s the bankers were keen to find funding in the retail market and realised they needed a better clearing system to process faster payments. While they were in the process of deliberating this move, the postal giro offered them to join/use the same standards as they were, in order to achieve uniform processing. For strategic reasons, the banks decided not to do this and chose a slightly modified technology and numbering system of their own. Remember: this was of course the age of shielding off markets by technology.

The net effect for the consumers and companies was less positive however. In the end it took some 30 years to create bridging standards/protocols to integrate the different payment standards of bank and giro. And even when the digital, networking time started (in the 1980s) banks and giro found it hard to abandon the classic competition by technology paradigm. For the EFTPOS network they did use a common standard and this also seemed to work for the Chipknip e-money products. Yet, due to misunderstandings and distrust at the board room level, the Postbank decided to jump the Chipknip ship to start the separate Chipper product. Again, the effect was that consumers and retailers were burdened with dual standards in a market that is too small to do so.

Inward based marketing of the big banks
With the deregulation of financial markets and the privatisation of the Postbank, all providers of payments were commercial companies. The Dutch banks grew bigger and with that their bureaucracies. Postbank gradually lost its touch-and-feel as a former public entity and became a bank like all others. The best event that symbolises this is the abolition of the Postbank brand by ING.

The net effect of becoming bigger and more ambitious is that straightforward customer research and marketing gets stampified. This is a word that I coined to denote the fact that in those big banking bureaucracies the responsibilities of employees - with the only exception of the board - become limited to the size of a postal stamp. The result is that these companies' (marketing) departments require more time for internal debate, office politics and consensus-finding, which they can't spend on finding out how to best serve the customer.

The consequence of this stampification is that the banks lose touch with their customers and reality. Our last retail payment product, the Chipknip, showed this most clearly. The ridiculous local battle between two competing e-money schemes (although perfect from a competition perspective) created so much nuisance for retailers that this inspired them to get back at the banks. Infuriated by high terminal switching costs, they found the newly set up competition authority at their side to fight the banks' cartel behaviour.

As such our retailers were quite successful: the banks were being fined and a part of the fine was channeled towards them (via a Covenant) to improve the EFTPOS situation in the Netherlands. This Covenant was even prolonged to ensure a continued collective rebate for retailers on EFTPOS fees. Effectively we could thus see the retailers as being the clear winners in the last 15 years of retail payments here in the Netherlands. [And as with today's MIF-debate we can wonder whether the benefits they derived from emptying the pockets of banks did really end up in the consumer pockets by lower prices.]

Back to inward-based-marketing: the best (and typical) example is the way the Chipknip product was initially taken off the market. Banks informed the customers that they all had to unload their Chipknips at specific loading/unloading points. This led to a big confusion and questions on Twitter. Eventually some individual banks decided to give the money back on the basis of the internal administration so that customers didn't need to bother going to an obscure loading point. And then, quickly, all banks decided to do this.

I sincerely hope that we will no longer witness these old school thinking marketing methods in the new year. Banks need to find a way to innovate and listen to clients and society or they will be trapped in old behaviour that is only comprehensible from a stampification point of view but not understandable for customers outside the bank.

If history is anything to go by, we may well see a repetition of the SEPA-dynamics in the banking domain. What I mean with that is the following: as banks are busy lining up their internal systems in order to conform with a whole range of upcoming new EU regulation (keywords: PSD2, MIF, AML), the non-banks will be able to build all kinds of new products at the fringes of the payments market.

Most of these new products won't be made from a payments perspective but will solve a user problem. Creating a payment button in these products doesn't require much more than a direct customer relation and a European direct debit agreement. So we might well see the banks moving into a back-seat role of providers of the payment rails for non-bank providers of user services.

Wednesday, November 26, 2014

Where and how to look for innovation in payments?

This week I had the pleasure of joining a panel on retail payments innovation as a part of a seminar by van Doorne and Innopay on the Payment Services Directive and the future changes for the payment industry. Panel chair Gijs Boudewijn challenged me to formulate some thoughts on the future direction of retail payments. I answered that the best place to look would be in places and via perspectives that we could be overlooking right now.

1. Is it access to the account or a traceable id that matters?
There is a lot of discussion on the text of the second Payment Services Directive and on the legal and technical mechanisms that are required to make access to the account work. Due to their origin, these discussions are quite bank centric and the implementation issues surrounding this topic will drain a lot of resources of many players involved.

While being busy with this PSD2 issue, we may overlook the fact that all one really needs is a simple chip-id. In the Netherlands for example, one could use the chip-id of public transport ticket issuer TLS as a basis for use in hip and new proprietary retailer/consumer applications. These would combine the chip-id with an intelligent voucher/billing/customer system that utilises SEPA-direct debits in the back-end. It would provide a smooth customer and retailer experience while the bank only sees regular transactions.

My proposition here is that if we're all looking towards access to the account as the hot spot for innovation, we may be looking in the wrong direction. It might be more about the traceable id.

2. The retailers have landed in an interesting position
In his Tomorrow's Transactions blog, Dave Birch referred to an analysis by Peter Jones from PSE on the impact of the interchange fee regulation, published in the Journal for Payments Strategy and Systems. Its main conclusion was that financially the retailers are the winners by getting a cap on their fees. I agree with that and would be inclined to broaden this perspective.

By tradition banks were the players with the monopoly on payments technology and security knowledge. Even in the 1980s, the collective of retailers in the Netherlands had done a feasibility study to set up their own Point of Sale system. This showed they could set it up for € 5 million but they didn't want to take the risk of it failing. So they left it to the banks (to complain about high fees later).

Since that time, the knowledge on processing and payments has become available to a wide range of players, to the extent that banks are now lagging in expertise and capability (while being locked into old technology solutions). The consequence is that retailers will be well able to develop or use in-house apps, customer relation services and payment mechanisms that use the bank infrastructure, without being subject to the rules of the Payment Services Directive.

The main development is therefore that the obliged intermediary role of banks in providing payment mechanisms is gone and will erode. Retailers can regain their customer relationship by themselves or in cooperation with any other ICT-provider that allows them to identify the customer and provide a processing infrastructure. Some interesting innovations can therefore be expected at the outer boundaries of the PSD, as a consequence of the possible exemptions.

I expect both physical and e-retailers to use the non-bank, non-payment space that the PSD defines to achieve exactly what they're after: increased customer retention, increased conversion and a smooth payment experience. Bottom line: we might better be looking outside of the PSD to see innovation in action.

3. On ledgers and tokens
As a final thought I would encourage everyone to try a different mindset for the developments that we are witnessing. Because in essence, anything that happens (in payments/retail) boils down to either tokens (coins, notes, points) or ledgers (private or public). Now let's see what happens if we apply this framework.

We might then appreciate the bitcoin emergence as an innovation in the area of collective ledger provision with distributed trust. We could reposition LinkedIn as a privately owned, open and self-administered ledger that logs individuals' achievements that are relevant in the work domain. The same would hold for Facebook and many other e-commerce companies. We would call banks the keepers of the trusted and well protected financial ledgers and would also note that in the public domain, a whole range of ledgers are being interconnected for the sake of security, anti-fraud measures etc.

We could also look at the world of tokens, in its many variations. Tokens of shopping behaviour (saving points), tokens of access (tickets), tokens from government (coins and banknotes), tokens of appreciation (awards, prizes) and tokens that prove identity or personal characteristics. Some of those tokens might be valuable and lead to a change of some of the ledgers, while others would have a role in their own right (voucher for a free coffee).

While it is clear that there are quite a few interesting new developments in the ledger-space, could it be that it is the token-domain where the true action is going to be ?

Payments as an afterthought
In sum: the non-bank, identity-based, non-regulated commercial domain might well be the area where we can see innovations that show us how today's technology can be made to work best so that payments become the afterthought that they are.

Friday, September 26, 2014

Lawsuit in the Netherlands on Bitcoin as 'money' or 'current money'

Since May this year, there is an interesting discussion here in the Netherlands on the legal status of Bitcoin as money.

First lawsuit on failed bitcoin delivery
The discussion starts with a lawsuit between two people engaged in a bitcoin transaction. Party B failed to pay up the whole amount of bitcoins, although it had received all the money for it. Party A, after two weeks, partially annulled the agreement (for the part of the bitcoins not delivered). However, this party later decided to demand compensation for the financial loss that resulted from the increase in the price of bitcoins over the course of the year (after the moment of canceling the contract).

Party A based its reasoning on the fact that our law allows for something as 'current money' to be used in order to pay a sum of money. This terminology was explicitly chosen by our legislator (instead of the legal tender concept) to allow non-State forms of money to be condoned in our country in situations where it was commonly used and accepted by all the people.

Should this argument succeed and bitcoins be considered such 'current money' the consequence could have been that an additional compensation claim could be made under our civil law. The judge however outlined that Party A should be compensated for the price rise of Bitcoin between the moment of concluding the contract and of canceling it (some € 1700). No compensation was due however for the remainder of the time, as it was party A that had initiated the canceling of the contract.

In addition the judge outlined that Bitcoins cannot be considered current money that is condoned by the State. Our Ministry of Finance has outlined that it doesn't fit the definition of legal tender, nor that of electronic money, and that it should be considered a means of exchange. The nature of bitcoin (tradeable) doesn't work as an argument, as silver and gold are also tradeable but not considered to be current money.

New lawsuit on status of bitcoin as money
A number of players in the Dutch Bitcoin community have chosen to challenge the above verdict and have raised more than € 15.000 to pay for the expenses of a lawsuit. They challenge the first verdict in order to have the judge reconsider the position taken and outline that Bitcoin is money. As a consequence, they feel that it must then also be treated as such by our administrative bodies, supervisors, tax authorities etc. This would mean that bitcoin operators could be payment institutions, supervised and exempt from VAT (which, as I understand, are the underlying goals).

While I am very sympathetic to the concept of challenging a status quo and laws, I fail to see how a verdict on civil contract law could spill over into:
- the definitions of payments, money and payment institutions under the Payment Services Directive (and Dutch law),
- the definitions of payments under the Sixth Tax Directive.

Having said that, it will surely be very interesting to see which approach will be taken by the law firm involved and see if they are able to convince the judge that at least in civil contracts bitcoins may act as money.

Last edit: October 1, to outline that it's not the whole Bitcoin community that seeks to challenge the verdict.

Saturday, June 14, 2014

EBA concerned about anonymity and security for bitcoin

From May 15th until May 17th, the Bitcoin 2014 conference took place in Amsterdam. One of the break-out sessions was dedicated to the topic of Anti-Money Laundering on Transparent Networks. During this session, Dirk Haubrich of the European Banking Authority (EBA) outlined some of the issues and concerns of the EBA with respect to digital currencies and bitcoin.

In his initial statement Haubrich sketched the concerns of the EBA with respect to:
- the use of digital currencies to transfer the proceeds of crime and act as money transmission,
- the fact that anonymity makes it hard to link the transactions to persons,
- seizing assets and restoring or undoing criminal or illegitimate transfers,
- the emergence of a hawala-like new channel via which international transfers may occur to countries that are on the FATF-sanction list,
- the use of those currencies by terrorists and criminals,
- the integrity of creators of digital currencies.

Role of the EBA
As a part of the discussion, Mr Haubrich outlined that the EBA has a specific remit in the area of consumer protection and financial innovation. It is from this perspective that the EBA issued its warning on virtual currencies in December 2013. The question whether or not to further regulate virtual currencies is now being investigated by a cross-sectoral working group of European supervisors. This group will publish its outcome in a couple of months.

When asked to discuss the major challenges for digital currencies, he outlined anonymity and IT security as major topics of concern. In combination with the aforementioned list of concerns, the overall impression was one in which further regulation appeared to be more likely than a continuation of the current hands-off approach.

Tuesday, June 03, 2014

Dutch central bank will strictly supervise banks / payment institutions that deal with virtual currencies (and companies)

Just one hour ago DNB, the Dutch central bank and bank supervisor, issued a warning on bitcoin. It was not the regular warning or disclaimer for consumers, but a warning for the payments industry. Essentially DNB concludes that virtual currencies (bitcoins and altcoins) are viewed as products with a very high risk profile. DNB also announces that it will strictly supervise banks and payment institutions:

DNB will therefore strictly assess the compliance with applicable law (a.o. Wwft and Wft) for those banks and payment institutions that decide to get involved - in whichever way - with virtual currency-companies or that decide to invest in virtual currencies themselves. In 2014, DNB will investigate whether banks and payment institutions are actively involved with new payment products such as virtual currencies and (it) will assess the degree to which these institutions control/manage their integrity risks. The control should include effective measures with respect to client acceptance and the monitoring of new innovative suppliers. 

Guidance considerations
The brief statement of DNB contains some considerations that are the basis for this decision. A first consideration has to do with anonymity. DNB notes that transactions are being recorded in a public transaction ledger. Given that these transactions cannot be matched to physical persons and the virtual currencies are usable as a means of payment, they are an attractive link in the chain of a money laundering process.

The current anonymity in virtual currency systems has consequences for banks and payment institutions. As a result of this anonymity, the buyers and sellers of virtual currencies become indirect relations of the bank. These indirect relations can also affect the reputation of the institution, which leads to a 'derived' integrity risk. Without having that intention, banks and payment institutions could be facilitating money laundering.
DNB doubts whether banks and payment institutions are able - as a part of their controlled business operations and integrity of policies - to take the appropriate measures for transactions or clients that involve virtual currencies.

A meteorite or a pebble in the virtual currency pond ?
With the statement having just been published, it is too early to tell whether this is a meteorite that effectively wipes out the virtual currency business in the Netherlands or whether it is merely a pebble that aims to ensure that all virtual currency businesses doing business in the Netherlands ensure full identification and transaction monitoring.

My best guess is that the strong wording is used to stress the urgency and degree of concern that the Dutch bank supervisor has on this matter. So anyone operating in the Dutch environment better take this to heart.

Wednesday, May 28, 2014

The Euro Retail Payments Board: first meeting and outlook

On Friday, the 16th of May, the Euro Retail Payments Board (ERPB) held its first meeting (with this agenda) in Frankfurt. The ERPB is the successor to the SEPA Council, which aimed at realising the SEPA-project. Whereas the SEPA Council was co-chaired by the ECB and the European Commission, the chair of the ERPB is Yves Mersch, Member of the Executive Board of the ECB.

First Meeting
The first meeting was dedicated to agreeing on the mandate, functioning and work plan of the ERPB. The ERPB Members decided to set up a working group on post-migration issues relating to the SEPA credit transfer and SEPA direct debit schemes as well as one working group on pan-European electronic mandate solutions for SEPA direct debits. In addition the ERPB acknowledged and asked the Cards Stakeholder Group (CSG) to carry out a stock-taking exercise and devise a work plan with respect to card standardization.

The ERPB further discussed the expansion of the SEPA Direct Debit scheme (SDD) with a non-refundable (one-off) direct debit. It was agreed that the EU legislators would be asked to clarify legal refund-conditions when evaluating the Payment Services Directive and that a possible scheme would be launched only after this review was complete.

In order to further investigate the future use of pan-European electronic mandates for SDD, the ERPB set up a separate working group. Finally, the EPC presented the latest update on the migration to SEPA. Whereas the migration to credit-transfers was very close to completion, there remained work to be done for direct debits. The ERPB called upon all stakeholders in the euro area to complete their migration to SEPA payment instruments as early as possible and before the deadline.

Outlook for the ERPB
The launch of the European Retail Payments Board marks a new starting point for discussing the future of European payments with all stakeholders involved. The inclusion of payment institutions and e-money industry can add considerable value given their different approach and background. These providers live and breathe Internet-based technology, seek EU-standardisation and do not have similar legacy-systems as the banks. I expect this to lead to fruitful debates and exchange of insights.

Some observers may cite the lack of legislative powers as a disadvantage of the ERPB. Others may wonder if it is possible to achieve results in a body that only meets twice a year. I would submit however that in ten years' time, the sceptics will look back in surprise to see how the ERPB has positively shaped the outcome of the European debate on retail payments. The Dutch experience with similar standing committees (see this separate blog) demonstrates that there is a lot of unlocked potential that lies in the trust and bonds that will be formed and shaped by this collective effort.

Wednesday, April 23, 2014

FCA kicks the Securepay-can down the road...

In March 2014, the FCA, the prudential supervisor for UK based payment institutions and e-money providers, outlined that it would not be strictly assessing the compliance with the Securepay Recommendations on the security of Internet Payments. This announcement was quite interesting as in February 2014, the Forum also published an assessment guide that assists payment service providers with the implementation of these Recommendations by February 2015.

FCA Statement:
We have decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.

The updated Payment Services Directive will enter into effect at the earliest by mid 2016. It will assign the European Banking Authority the task of further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.

Kicking the security-can down the road
It is interesting to note that the FCA seeks a pragmatic middle ground. It carefully states that it finds security an important issue while at the same time outlining that it will wait for a solid legal basis to assess the security of retail payments. In doing so it effectively kicks the tricky security can down the road.

I can well understand the FCA's desire to kick this can. The Securepay recommendations on security raise quite a few questions in their practical application for different technologies (see the blog here). On top of that, the detailed prescriptions on the basis of the new Payment Services Directive may lead to further rules that limit the choices that market entities can make to achieve a certain level of security.

Rather than confuse the market with layering requirements which quickly follow each other, the FCA apparently chose to wait and see, hoping that the final rules on security for retail payments may become more balanced.

It will be interesting to see if other supervisors follow suit.

Sunday, March 16, 2014

ECB provides outlook on retail payments in Europe at EPCA-conference

Pierre Petit, deputy director general (payments and market infrastructure) of the European Central Bank, has outlined the ECB’s views on European retail payments. He made his remarks at the EPCA Summit 2014, where he defined the role of the European Retail Payments Board (ERPB) and the follow-up on the SecurePay recommendations on access to payment accounts.

New players to be part of drive towards integrated European payments market
The ERPB is to become a forum for driving the further development towards an integrated European payments market in the post-SEPA situation. Petit confirmed that the first meeting of this group is to take place in May, and new industries such as e-money providers and payment services institutions are to join in these discussions, along with other representatives of both consumers and providers.

The ERPB will aim to further stimulate the development of the European retail payments market by working together on topics such as innovation and integration. The group will identify and address strategic issues and work priorities, including business practices, requirements and standards. Issues could include the development of a single e-mandate solution or the improvement of interoperability between national e-payment schemes.

Security requirements for payment account access services
The ECB announced that it would this month publish the responses and the results of the consultations on security for payment access to the accounts. The publication would be for information only, given that the European Banking Authority will be providing guidelines on security measures under the revised Payment Services Directive.

Although the ECB does not want to impose formal requirements as there is a risk that the EBA could take a different position, it is likely that the two-factor authentication model of the SecurePay forum will remain the norm for retail payments account access services and mobile payments.

Thursday, February 27, 2014

Mount Gox tumbles off the learning-curve

This week, Mount Gox, a very large provider of bitcoin services, could no longer live up to its service agreements with bitcoin users. It provided exchange and storage services for bitcoins, but due to a technical implementation flaw, the bitcoin holdings of users were compromised. Essentially it wasn't clear who really owned the bitcoins. The website went black and users can no longer claim their bitcoins.

Tumbling off the learning curve
I view the failure of Mt Gox as a logical consequence of the learning curve that bitcoin holders and bitcoin companies face. The bitcoin, although considered decentralized, is just as centralised a system as any other value transfer mechanism. However, for ideological reasons, the developers chose to only describe the technical heart of the system (the algorithm) leaving the rest up to the market.

This open source code approach has some advantages, among which a very speedy development of applications. Yet, we are for some time now witnessing what it means if systems lack a central authority or scheme manager. There is no entity taking responsibility and chasing users or companies because they don't abide by:
- usage conditions (demanding user identification),
- security requirements and certification of tools,
- specific legal frameworks.

As a result we have seen a whole community of interested companies and users climbing up the payments, banking, investments and monetary learning curve. The inevitable consequence is that those who do not get it right, will pay a price, while the others continue to learn. Due to the digital nature of bitcoin, these developments unfold rapidly, allowing us a compressed overview of lessons from financial history.

Frijda's theory of money (1914)
The essential lesson at stake is that the usage of any value transfer mechanism does not just rest on its acceptance by users, but just as well on the rules and regulations that underlie the value transfer. In 1914, the Dutch lawyer Frijda analysed this topic in his dissertation on the theory of money. At that time discussions emerged on the nature of banknotes. Did they have value because they were exchangeable for bullion, because they were defined as legal tender or because the public used and accepted them?

Frijda pointed out that the underlying legal framework that safeguards property in a society constitutes a necessary precondition for the use of payment instruments. Without such safeguards, people will tend to stick to other stores of value rather than attaching value to local bank notes. Until today this effect is clearly visible: consumers tend to hold and use foreign cash or commodities if they live in a country with a lot of corruption, a weak system of justice and an unstable monetary climate.

Trust is built by institutions and markets
What makes money tick is a solid institutional basis, upon which trust can be further developed. The latter part can be done by a combination of regulation (supervision) and self-regulation (market action). Which brings us back to the Mt Gox case.

Following the events of this week, a statement was released by the bitcoin companies Coinbase, Kraken, BitStamp, Circle, and BTC China. The industry leaders commit to safeguarding the assets of customers, to applying strong security measures, to using independent auditors to ensure integrity of their systems and to having adequate balance sheets and reserves to be able to ensure continuity.

In sum we can now see a gradual development of both the institutional framework for virtual currencies and the market-driven self-regulation. This reflects the fact that - whether you like it or not - trust for financial services is always built on institutions, regulations and self-regulation.