This week I had the pleasure of joining a panel on retail payments innovation as a part of a seminar by van Doorne and Innopay on the Payment Services Directive and the future changes for the payment industry. Panel chair Gijs Boudewijn challenged me to formulate some thoughts on the future direction of retail payments. I answered that the best place to look would be in places and via perspectives that we could be overlooking right now.
1. Is it access to the account or a traceable id that matters?
There is a lot of discussion on the text of the second Payment Services Directive and on the legal and technical mechanisms that are required to make access to the account work. Due to their origin, these discussions are quite bank centric and the implementation issues surrounding this topic will drain a lot of resources of many players involved.
While being busy with this PSD2 issue, we may overlook the fact that all one really needs is a simple chip-id. In the Netherlands for example, one could use the chip-id of public transport ticket issuer TLS as a basis for use in hip and new proprietary retailer/consumer applications. These would combine the chip-id with an intelligent voucher/billing/customer system that utilises SEPA-direct debits in the back-end. It would provide a smooth customer and retailer experience while the bank only sees regular transactions.
My proposition here is that if we're all looking towards access to the account as the hot spot for innovation, we may be looking in the wrong direction. It might be more about the traceable id.
2. The retailers have landed in an interesting position
In his tomorrows transactions blog Dave Birch referred to an analysis by Peter Jones from PSE on the impact of the interchange fee regulation, published in the Journal for Payments Strategy and Systems. The main conclusion of it was that financially the retailers are the winners by getting a cap on their fees. I agree with that and would be inclined to broaden this perspective.
By tradition banks were the players with the monopoly on payments technology and security knowledge. Even in the 1980s, the collective of retailers in the Netherlands had done a feasibility study to set up their own Point of Sale system. This showed they could set it up for € 5 million euro but they didn't want to take the risk of it failing. So they left it to the banks (to complain about high fees later).
Since that time, the knowledge on processing and payments has become available to a wide range of players, to the extend that banks are now lagging in expertise and capability (while being locked into old technology solutions). The consequence is that retailers will be well able to develop or use in-house apps, customer relation services and payment mechanisms that use the bank infrastructure, without being subject to the rules of the Payment Services Directive.
The main development is therefore that the obliged intermediary role of banks in providing payment mechanisms is gone and will erode. Retailers can regain their customer relationship by themselves or in cooperation with any other ICT-provider that allows them to identify the customer and provide a processing infrastructure. Some interesting innovations can therefore be expected at the outer boundaries of the PSD, as a consequence of the possible exemptions.
I expect both physical and e-retailers to use the non-bank, non-payment space that the PSD defines to achieve exactly what they're after: increased customer retention, increased conversion and a smooth payment experience. Bottom line: we might better be looking outside of the PSD to see innovation in action.
3. On ledgers and tokens
As a final thought I would encourage everyone to try a different mindset for the developments that we are witnessing. Because in essence, anything that happens (in payments/retail) boils down to either tokens (coins, notes, points) or ledgers (private or public). Now let's see what happens if we apply this framework.
We might then appreciate the bitcoin emergence as an innovation in the area of collective ledger provision with distributed trust. We could reposition Linked-In as a privately owned, open and self-administered ledger, that logs individuals achievements that are relevant in the work domain. The same would hold for Facebook and many other e-commerce companies. We would call banks the keepers of the trusted and well protected financial ledgers and would also note that in the public domain, a whole range of ledgers are being interconnected for the sake of security, anti-fraud measures etc.
We could also look at the world of tokens, in its many variations. Tokens of shopping behaviour (saving points), tokens of access (tickets), tokens from government (coins and banknotes), tokens of appreciations (awards, prizes) and tokens that prove identity or personal characteristics. Some of those tokens might be valuable and lead to a change of some of the ledgers, while others would have a role in their own right (voucher for a free coffee).
While it is clear that there are quite a few interesting new developments in the ledger-space, could it be that it is the token-domain where the true action is going to be ?
Payments as an afterthought
In sum: the non-bank, identity-based, non-regulated commercial domain might well be the area where we can see innovations that show us how today's technology can be made to work best so that payments become the afterthought that they are.
Wednesday, November 26, 2014
Friday, September 26, 2014
Lawsuit in the Netherlands on Bitcoin as 'money' or 'current money'
Since May this year, there is an interesting discussion here in the Netherlands on the legal status of Bitcoin as money.
First law suit on failed bitcoin delivery
The discussion starts with a law suit of two people engaged in a bitcoin transaction. Party B failed to pay up the whole amount of bitcoins, although it had received all the money for it. Party A, after two weeks partially annulled the agreement (for the part of the bitcoins not delivered). However, this party later on decided to demand to be compensated for the financial loss that resulted due to the increase in price of bitcoins over the course of the year (after the moment of canceling the contract).
Party A based its reasoning on the fact that our law allows for something as 'current money' to be used in order to pay a sum of money. This terminology was explicitly chosen by our legislator (instead of the legal tender concept) to allow non-State forms of money to be condoned in our country in situations where it was commonly used and accepted by all the people.
Should this argument succeed and bitcoins be considered such 'current money' the consequence could have been that an additional compensation claim could be made under our civil law. The judge however outlined that Party A should be compensated for the price rise of Bitcoin between the moment of concluding the contract and of canceling it (some € 1700). No compensation was due however for the remainder of the time, as it was party A that had initiated the canceling of the contract.
In addition the judge outlined that Bitcoins cannot be considered current money that is condoned by the State. Our Ministry of Finance has outlined that it doesn't fit the definition of legal tender, nor that of electronic money and that it should be considered a means of exchange. The nature of bitcoin (tradeable) doesn't work as an argument as also silver and gold are tradeable but not considered to be current money.
New law suit on status of bitcoin as money
A number of players in the Dutch Bitcoin community have chosen to challenge the above verdict of the judge and has raised more than € 15.000 to pay for expenses of a law suit. It challenges the first verdict in order to have the judge reconsider its position and outline that Bitcoin is money. As a consequence it feels that it must then also be treated as such by our administrative bodies, supervisors, tax authorities etc. This would mean that bitcoin operators could be payment institutions, supervised and exempt from VAT (which, as I understand, are the underlying goals).
While I am very sympathetic to the concept of challenging a status quo and laws, I fail to see how a verdict on civil contract law could spill over into:
- the definitions of payments, money and payment institutions under the Payment Services Directive (and Dutch law),
- the definitions of payments under the Sixth Tax Directive.
Having said that, it will surely be very interesting to see which approach will be taken by the law firm involved and see if they are able to convince the judge that at least in civil contracts bitcoins may act as money.
Last edit: October 1, to outline that it's not the whole Bitcoin community that seek to challenge the verdict.
First law suit on failed bitcoin delivery
The discussion starts with a law suit of two people engaged in a bitcoin transaction. Party B failed to pay up the whole amount of bitcoins, although it had received all the money for it. Party A, after two weeks partially annulled the agreement (for the part of the bitcoins not delivered). However, this party later on decided to demand to be compensated for the financial loss that resulted due to the increase in price of bitcoins over the course of the year (after the moment of canceling the contract).
Party A based its reasoning on the fact that our law allows for something as 'current money' to be used in order to pay a sum of money. This terminology was explicitly chosen by our legislator (instead of the legal tender concept) to allow non-State forms of money to be condoned in our country in situations where it was commonly used and accepted by all the people.
Should this argument succeed and bitcoins be considered such 'current money' the consequence could have been that an additional compensation claim could be made under our civil law. The judge however outlined that Party A should be compensated for the price rise of Bitcoin between the moment of concluding the contract and of canceling it (some € 1700). No compensation was due however for the remainder of the time, as it was party A that had initiated the canceling of the contract.
In addition the judge outlined that Bitcoins cannot be considered current money that is condoned by the State. Our Ministry of Finance has outlined that it doesn't fit the definition of legal tender, nor that of electronic money and that it should be considered a means of exchange. The nature of bitcoin (tradeable) doesn't work as an argument as also silver and gold are tradeable but not considered to be current money.
New law suit on status of bitcoin as money
A number of players in the Dutch Bitcoin community have chosen to challenge the above verdict of the judge and has raised more than € 15.000 to pay for expenses of a law suit. It challenges the first verdict in order to have the judge reconsider its position and outline that Bitcoin is money. As a consequence it feels that it must then also be treated as such by our administrative bodies, supervisors, tax authorities etc. This would mean that bitcoin operators could be payment institutions, supervised and exempt from VAT (which, as I understand, are the underlying goals).
While I am very sympathetic to the concept of challenging a status quo and laws, I fail to see how a verdict on civil contract law could spill over into:
- the definitions of payments, money and payment institutions under the Payment Services Directive (and Dutch law),
- the definitions of payments under the Sixth Tax Directive.
Having said that, it will surely be very interesting to see which approach will be taken by the law firm involved and see if they are able to convince the judge that at least in civil contracts bitcoins may act as money.
Last edit: October 1, to outline that it's not the whole Bitcoin community that seek to challenge the verdict.
Saturday, June 14, 2014
EBA concerned about anonimity and security for bitcoin
From May 15th until May 17th, the Bitcoin 2014 conference took place in Amsterdam. One of the break-out sessions was dedicated to the topic of Anti-Money Laundering on Transparent Networks. During this session, Dirk Haubrich of the European Banking Authority (EBA) outlined some of the issues and concerns of the EBA with respect to digital currencies and bitcoin.
In his initial statement Haubrich sketched the concerns of the EBA with respect to:
- the use of digital currencies to transfer the proceeds of crime and act as money transmission,
- the fact that anonimity is a burden to link the transactions to persons,
- seizing assets and restoring or undoing criminal or illegitimate transfers,
- the emergence of a hawalla-like new channel via which international transfers may occur to countries that are on the FATF-sanction list,
- the use of those currencies by terrorists and criminals,
- the integrity of creators of digital currencies.
Role of the EBA
As a part of the discussion, mr Haubrich outlined that the EBA has a specific remit in the area of consumer protection and financial innovation. It is from this perspective that the EBA issued its warning on virtual currencies in December 2013. The question whether or not to further regulate virtual currencies is now being investigated by a cross-sectoral working group of European supervisors. This group will publish its outcome in a couple of months.
When asked to discuss the major challenges for digital currencies, he outlined anonimity and it-security as major topics of concern. In combination with the aforementioned list of concerns, the overall impression was one in which further regulation appeared to be more likely than a continuation of the current hands-off approach.
In his initial statement Haubrich sketched the concerns of the EBA with respect to:
- the use of digital currencies to transfer the proceeds of crime and act as money transmission,
- the fact that anonimity is a burden to link the transactions to persons,
- seizing assets and restoring or undoing criminal or illegitimate transfers,
- the emergence of a hawalla-like new channel via which international transfers may occur to countries that are on the FATF-sanction list,
- the use of those currencies by terrorists and criminals,
- the integrity of creators of digital currencies.
Role of the EBA
As a part of the discussion, mr Haubrich outlined that the EBA has a specific remit in the area of consumer protection and financial innovation. It is from this perspective that the EBA issued its warning on virtual currencies in December 2013. The question whether or not to further regulate virtual currencies is now being investigated by a cross-sectoral working group of European supervisors. This group will publish its outcome in a couple of months.
When asked to discuss the major challenges for digital currencies, he outlined anonimity and it-security as major topics of concern. In combination with the aforementioned list of concerns, the overall impression was one in which further regulation appeared to be more likely than a continuation of the current hands-off approach.
Tuesday, June 03, 2014
Dutch central bank will strictly supervise banks / payment institutions that deal with virtual currencies (and companies)
Just one hour ago DNB, the Dutch central bank and bank supervisor, issued a warning on bitcoin. It was not the regular warning or disclaimer for consumers, but a warning for the payments industry. Essentially DNB concludes that virtual currencies (bitcoins and altcoins) are viewed as products with a very high risk profile. DNB also announces that it will strictly supervise banks and payment institutions:
DNB will therefore strictly assess the compliance with applicable law (a.o. Wwft and Wft) for those banks and payment institutions that decide to get involved - in whichever way - with virtual currency-companies or that decide to invest in virtual currencies themselves. In 2014, DNB will investigate whether banks and payment institutions are actively involved with new payment products such as virtual currencies and (it) will assess the degree to which these institutions control/manage their integrity risks. The control should include effective measures with respect to client acceptance and the monitoring of new innovative suppliers.
Guidance considerations
The brief statement of DNB contains some considerations that are the basis for this decision. A first consideration has to do with anonimity. DNB notes that transactions are being recorded in a public transaction ledger. Given that these transactions cannot be matched to physical persons and the virtual currencies are usable as a means of payment, they are an attractive chain of a money laundering process.
The current anonimity in virtual currency systems has consequences for banks and payment institutions. As a result of this anonimity, the buyers and sellers of virtual currencies become indirect relations of the bank. Thise indirect relations can also affect the reputation of the institution which leads to a 'derived' integrity risk. Without having that intention, banks and payment institutions could be facilitating money laundering.
DNB doubts whether banks and payment institutions are able - as a part of their controlled business operations and integrity of policies - to take the appropriate measures for transactions or clients that involve virtual currencies.
A meteorite or a pebble in the virtual currency pond ?
With the statement being just published it is too early to tell whether this is a meteorite that effectively wipes out the virtual currency business in the Netherlands or whether it is merely a pebble that aims to ensure that all virtual currency businesses doing business in the Netherlands ensure full identification and transaction monitoring.
My best guess is that the strong wording is used to stress the urgency and degree of concern that the Dutch bank supervisor has on this matter. So anyone operating in the Dutch environment better take this to heart.
DNB will therefore strictly assess the compliance with applicable law (a.o. Wwft and Wft) for those banks and payment institutions that decide to get involved - in whichever way - with virtual currency-companies or that decide to invest in virtual currencies themselves. In 2014, DNB will investigate whether banks and payment institutions are actively involved with new payment products such as virtual currencies and (it) will assess the degree to which these institutions control/manage their integrity risks. The control should include effective measures with respect to client acceptance and the monitoring of new innovative suppliers.
Guidance considerations
The brief statement of DNB contains some considerations that are the basis for this decision. A first consideration has to do with anonimity. DNB notes that transactions are being recorded in a public transaction ledger. Given that these transactions cannot be matched to physical persons and the virtual currencies are usable as a means of payment, they are an attractive chain of a money laundering process.
The current anonimity in virtual currency systems has consequences for banks and payment institutions. As a result of this anonimity, the buyers and sellers of virtual currencies become indirect relations of the bank. Thise indirect relations can also affect the reputation of the institution which leads to a 'derived' integrity risk. Without having that intention, banks and payment institutions could be facilitating money laundering.
DNB doubts whether banks and payment institutions are able - as a part of their controlled business operations and integrity of policies - to take the appropriate measures for transactions or clients that involve virtual currencies.
A meteorite or a pebble in the virtual currency pond ?
With the statement being just published it is too early to tell whether this is a meteorite that effectively wipes out the virtual currency business in the Netherlands or whether it is merely a pebble that aims to ensure that all virtual currency businesses doing business in the Netherlands ensure full identification and transaction monitoring.
My best guess is that the strong wording is used to stress the urgency and degree of concern that the Dutch bank supervisor has on this matter. So anyone operating in the Dutch environment better take this to heart.
Wednesday, May 28, 2014
The Euro Retail Payments Board: first meeting and outlook
On
Friday, the 16th of May, the Euro Retail Payments Board (ERPB)
held its first meeting (with this agenda) in Frankfurt. The ERPB is the successor to the SEPA Council, which aimed at realising the SEPA-project. Whereas the SEPA Council was co-chaired by the ECB and the European Commission, the chair of the ERPB is Yves Mersch, Member of the Executive Board of the ECB.
First
Meeting
The first
meeting was dedicated to agree to the mandate,
functioning and work plan of the ERPB. The ERPB Members decided to set up a working
groups on post-migration issues relating to the SEPA credit transfer and SEPA direct debit schemes as well as one working group on pan-European electronicmandate solutions for SEPA direct debits. In addition the ERPB acknowledged and asked the
Cards Stakeholder Group (CSG) to carry out a stock-taking exercise and devise a
work plan with respect to card standardization.
The
ERPB further discussed the expansion of the SEPA Direct Debit scheme (SDD)
with a non-refundable (one-off) direct debit. It was agreed that the EU
legislators would be asked to clarify legal refund-conditions when evaluating
the Payment Services Directive and that a possible scheme would be launched
only after this review was complete.
In
order to further investigate the future use of pan-European electronic mandatesfor SDD, the ERPB set up a separate working group. Finally, the EPC presented
the latest update on the migration to SEPA. Whereas the migration to
credit-transfers was very close to completion, there remained work done for direct
debits. The ERPB called upon all stakeholders in the euro area to complete
their migration to SEPA payment instruments as early as possible and before the
deadline.
Outlook for the ERPB
The
launch of the European Retail Payments Board marks a new
starting point for discussing the future of European payments with all
stakeholders involved. The inclusion of payment institutions and e-money industry can add considerable value given their different approach and background. These providers live and breathe Internet-based technology, seek EU-standardisation and do not have similar legacy-systems as the banks. I expect this to lead to fruitful debates and exchange of insights.
Some
observers may cite the lack of legislative powers as a disadvantage of the
ERPB. Others may wonder if it is possible to achieve results in a body that
only meets twice a year. I would submit however that in ten year’s time, the sceptics will look back in surprise to see how the ERPB has positively shaped
the outcome of the European debate on retail payments. The Dutch experience with similar standing committees (see this separate blog) demonstrates that there is a lot of unlocked potential that lies in the trust and
bonds that will be formed and shaped by this collective effort.
Wednesday, April 23, 2014
FCA kicks the Securepay-can down the road...
In March 2014, the FCA, the prudential supervisor for UK based payment institutions and e-money providers, outlined that it would not be strictly assessing the compliance with the Securepay Recommendations on the security of Internet Payments. This announcement was quite interesting as in February 2014, the Forum also published an assessment guide that assists payment service providers with the implementation of these Recommendations by February 2015.
FCA Statement:
We have decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.
The updated Payment Service Directive will enter into effect at the earliest by mid 2016. It will assign the European Banking Authority with the task of further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.
Kicking the security-can down the road
It is interesting to note that the FCA seeks a pragmatic middle ground. It carefully states that it finds security an important issue while at the same time outlining that it will wait for a solid legal basis to assess the security of retail payments. In doing so it effectively kicks the tricky security can down the road.
I can well understand the FCA desire to kick this can. The Securepay recommendations on security lead to quite some questions in their practical application for different technologies (see the blog here). On top of that, the detailed prescriptions on the basis of the new Payment Services Directive may lead to further rules that limit the choices that market entities can make to achieve a certain level of security.
Rather than confuse the market with layering requirements which quickly follow each other, the FCA apparently chose to wait and see, hoping that the final rules on security for retail payments may become more balanced.
It will be interesting to see if other supervisors follow suit.
FCA Statement:
We have decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.
The updated Payment Service Directive will enter into effect at the earliest by mid 2016. It will assign the European Banking Authority with the task of further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.
Kicking the security-can down the road
It is interesting to note that the FCA seeks a pragmatic middle ground. It carefully states that it finds security an important issue while at the same time outlining that it will wait for a solid legal basis to assess the security of retail payments. In doing so it effectively kicks the tricky security can down the road.
I can well understand the FCA desire to kick this can. The Securepay recommendations on security lead to quite some questions in their practical application for different technologies (see the blog here). On top of that, the detailed prescriptions on the basis of the new Payment Services Directive may lead to further rules that limit the choices that market entities can make to achieve a certain level of security.
Rather than confuse the market with layering requirements which quickly follow each other, the FCA apparently chose to wait and see, hoping that the final rules on security for retail payments may become more balanced.
It will be interesting to see if other supervisors follow suit.
Sunday, March 16, 2014
ECB provides outlook on retail payments in Europe at EPCA-conference
Pierre Petit, deputy director general (payments and market infrastructure) of the European Central Bank, has outlined the ECB’s views on European retail payments. He made his remarks at the EPCA Summit 2014, where he defined the role of the European Retail Payments Board (ERPB) and the follow-up on the SecurePay recommendations on access to payment accounts.
New players to be part of drive towards integrated European payments market
The ERPB is to become a forum for driving the further development towards an integrated European payments market in the post-SEPA situation. Petit confirmed that the first meeting of this group is to take place in May, and new industries such as e-money providers and payment services institutions are to join in these discussions, along with other representatives of both consumers and providers.
The ERPB will aim to further stimulate the development of the European retail payments market by working together on topics such as innovation and integration. The group will identify and address strategic issues and work priorities, including business practices, requirements and standards. Issues could include the development of a single e-mandate solution or the improvement of interoperability between national e-payment schemes.
Security requirements for payment account access services
The ECB announced that it would this month publish the responses and the results of the consultations on security for payment access to the accounts. The publication would be for information only, given that the European Banking Authority will be providing guidelines on security measures under the revised Payment Services Directive.
Although the ECB does not want to impose formal requirements as there is a risk that the EBA could take a different position, it is likely that the two-factor authentication model of the SecurePay forum will remain the norm for retail payments account access services and mobile payments.
Thursday, February 27, 2014
Mount Gox tumbles off the learning-curve
Tumbling off the learning curve
I view the failure of Mt Gox as a logical consequence of the learning curve that bitcoin holders and bitcoin companies face. The bitcoin, although considered decentralized, is just as centralised a system as any other value transfer mechanism. However, for ideological reasons, the developers chose to only describe the technical heart of the system (the algorithm) leaving the rest up to the market.
This open source code approach has some advantages, among which a very speedy development of applications. Yet, we are for some time now witnessing what it means if systems lack a central authority or scheme manager. There is no entity taking responsibility and chasing users or companies because they don't abide by:
- usage conditions (demanding user identification),
- security requirements and certification of tools,
- specific legal frameworks.
As a result we have seen a whole community of interested companies and users climbing up the payments, banking, investments and monetary learning curve. The inevitable consequence is that those who do not get it right, will pay a price, while the others continue to learn. Due to the digital nature of bitcoin, these developments unfold rapidly, allowing us a compressed overview of lessons from financial history.
Frijda's theory of money (1914)
The essential lesson at stake is that the usage of any value transfer mechanism does not just rest on its acceptance by users, but just as well on the rules and regulations that underly the value transfer. In 1914, the Dutch lawyer Frijda analysed this topic in his dissertation on the theory of money. At that time discussions emerged on the nature of banknotes. Did they have value because they were exchangeable for bullion, because they were defined as legal tender or because the public used and accepted it?
Frijda pointed out that the underlying legal framework that safeguards property in a society constitute a necessary precondition for the use of payment instruments. Without such safeguards, people will tend to stick to other stores of value rather than attaching value to local bank notes. Until today this effect is clearly visible: consumers tend to hold and use foreign cash or commodities if they live in country with a lot of curruption, a weak system of justice and an instable monetary climate.
Trust is built by institutions and markets
What makes money tick is a solid institutional basis, upon which trust can be further developed. The latter part can be done by a combination of regulation (supervision) and self-regulation (market action). Which brings us back to the Mt Gox case.
Following the events of this week, a statement was released by the bitcoin companies Coinbase, Kraken, BitStamp, Circle, and BTC China. The industry leaders committ to safeguarding the assets of customers, to applying strong security measures, to using independent auditors to ensure integrity of their systems and to have adequate balance sheets and reserves to be able to ensure continuity.
In sum we can now see both a gradual development of both the institutional framework for virtual currencies and the market-driven self-regulation. This reflects the fact that - whether you like it or not - trust for financial services is always built on institutions, regulations and self-regulation.
Wednesday, February 19, 2014
The bitlicense: current state of thinking in New York
A week ago, the New America Foundation organised a meeting (Cryptocurrencies, the new coin of the realm) on the topic of virtual currencies and regulation in New York. Some news bulletins picked up on the meeting and the future New York Bitlicense regime. The good thing is that the New America Foundation has streamed the whole event, so it allows me (and you) to listen first hand to the speech by Benjamin M. Lawsky, Superintendent of Financial Services, New York State Department of Financial Services (DFS).
I will outline some of the highlights of his contribution below as I think that the New York discussion represents a good example of the issues at stake when it comes to regulation of Bitcoin. I expect to further touch on those issues in my contribution to the Bitcoin Pre-conference expert session of the EPCA-summit in Brussels (March 12-13).
Open source code currencies and open source code regulation
In his speech, Lawsky outlines the current remit of the NY department of Financial Services. It acts as the supervisor for money transmission companies in New York. The DFS-starting point is therefore that in some instances dealing with virtual money may effectively constitute money transmission, which needs to be regulatred. This is similar to the approach in the FINcen guidance of one year ago.
The New York regulator chose to emulate the open source code approach of virtual currencies. And thus, Lawsky refers to the DFS-approach as 'open source code regulation': regulation based on a public exchange of thoughts, allowing the best insights to be used. Given their current remit, the main idea is to see where the money transmitter rules need to change in order to suit the nature of virtual currencies.
As for the further process in 2014, Lawsky explained that the DFS will move towards further regulation this year and will most likely hold a market consultation for the proposed regulatory framework for companies that want a so-called 'bit-license.'
What will the bitlicense be like?
When listening to the speech, my impression is that the core fundamentals of the bitlicense will be:
- very strong customer disclosure, requiring companies to outline that transactions are irreversible and that the digital currency may be very volatile,
- a strict adherence to know-your-customer requirements, essentially demanding that anti-money laundering rules are adhered to,
- a robustness/capital requirement, ensuring that the company will be able to withstand some of the market shocks that may occur when dealing with volatile digital currencies/commodities,
- safety and soundness requirements, ensuring a certain quality of operations and consumer protection.
As for the nature of capital and collateral requirements, the DFS is still wrestling with the concept of virtual currencies. This has to do with the angle and object of regulation. While it is easy to require capital safeguards for banks that deal with attracting and lending money, this is harder to apply for companies that issue, distribute or redeem virtual currencies.
Similar questions arise when defining the scope of transaction monitoring. Should only the purchase and redeem-transactions be subject to rules or does the supervision extend to a full transaction logging of all transactions with the virtual currency? Should those transactions be in a public ledger and to which extend can they be anonimized?
Step-up regulatory approach with a safe harbour
Although the DFS is still contemplating its exact licensing regime, I expect it to also contain a safe harbour provision. This would allow companies that comply with customer disclosure and know-your-customer rules, to continue to operate, while further obtaining the full bitlicense. Such a regime would assist in lowering the barriers for virtual currency platforms/traders/exchanges and create an easy entry towards the proper regulatory regime.
Lawsky outlined that the regulator prefers companies to be in his state and regulated, rather than driven off-shore. A safe harbour rule helps achieve that and fits a model where a light-weight, low-barrier entry model is developed to prevent legitimate providers from leaving the jurisdiction, while creating a sufficient barrier for the illegitimate players in the market. This is also a realistic approach considering the alternative channels for illegitimate behaviour: cash and banks. In the words of Lawsky:
I commend the DFS for their open minded approach to the topic of regulation of virtual currencies. I do disagree however with one of the remarks of the Superintendent. He outlined that regulators are in new and unchartered waters when it comes to virtual currencies.
I don't think they are.
Since day and age, people have used all kinds of symbols, coins and means of representation of goods that worked fine for transferring ownership of property. We created a number of laws and institutions to ensure these property rights and a fair treatment of parties to certain contracts. In doing so we were able to move from coins to paper-based money to deposit accounts. At the same time we created digital representations of shares, bonds, IOUs and agreed that ledgers at private companies and government institutions could officially represent a claim on goods, services, bits of land, anything.
Then, when it comes to new forms of money, we also have recent experience. In the late 1990s we witnessed a very similar type of discussion on bank supervision and specialised supervision regimes for new forms of 'electronic-money' as it was called in those days. It took some time and deliberation to get to grips with pre-paid digital representations of fiat-currencies, but we found our way in the end.
The challenge: finding the right regulatory framework
The true challenge is to first consider the fundamental nature of virtual currencies and then determine the appropriate regulatory framework. In essence, the DFS is doing the reverse as their starting point is their existing legal competence as supervisor of money transmitter businesses. While there is a lot of logic to it, it might be useful to reconsider alternative types of regulation that exist.
It's my hunch that perhaps an exchange/trade oriƫnted regulatory framework might make more sense as the basis for regulation, than the money transmitter framework. So that is what I will explore in my next blog.
I will outline some of the highlights of his contribution below as I think that the New York discussion represents a good example of the issues at stake when it comes to regulation of Bitcoin. I expect to further touch on those issues in my contribution to the Bitcoin Pre-conference expert session of the EPCA-summit in Brussels (March 12-13).
Open source code currencies and open source code regulation
In his speech, Lawsky outlines the current remit of the NY department of Financial Services. It acts as the supervisor for money transmission companies in New York. The DFS-starting point is therefore that in some instances dealing with virtual money may effectively constitute money transmission, which needs to be regulatred. This is similar to the approach in the FINcen guidance of one year ago.
The New York regulator chose to emulate the open source code approach of virtual currencies. And thus, Lawsky refers to the DFS-approach as 'open source code regulation': regulation based on a public exchange of thoughts, allowing the best insights to be used. Given their current remit, the main idea is to see where the money transmitter rules need to change in order to suit the nature of virtual currencies.
As for the further process in 2014, Lawsky explained that the DFS will move towards further regulation this year and will most likely hold a market consultation for the proposed regulatory framework for companies that want a so-called 'bit-license.'
What will the bitlicense be like?
When listening to the speech, my impression is that the core fundamentals of the bitlicense will be:
- very strong customer disclosure, requiring companies to outline that transactions are irreversible and that the digital currency may be very volatile,
- a strict adherence to know-your-customer requirements, essentially demanding that anti-money laundering rules are adhered to,
- a robustness/capital requirement, ensuring that the company will be able to withstand some of the market shocks that may occur when dealing with volatile digital currencies/commodities,
- safety and soundness requirements, ensuring a certain quality of operations and consumer protection.
As for the nature of capital and collateral requirements, the DFS is still wrestling with the concept of virtual currencies. This has to do with the angle and object of regulation. While it is easy to require capital safeguards for banks that deal with attracting and lending money, this is harder to apply for companies that issue, distribute or redeem virtual currencies.
Similar questions arise when defining the scope of transaction monitoring. Should only the purchase and redeem-transactions be subject to rules or does the supervision extend to a full transaction logging of all transactions with the virtual currency? Should those transactions be in a public ledger and to which extend can they be anonimized?
Step-up regulatory approach with a safe harbour
Although the DFS is still contemplating its exact licensing regime, I expect it to also contain a safe harbour provision. This would allow companies that comply with customer disclosure and know-your-customer rules, to continue to operate, while further obtaining the full bitlicense. Such a regime would assist in lowering the barriers for virtual currency platforms/traders/exchanges and create an easy entry towards the proper regulatory regime.
Lawsky outlined that the regulator prefers companies to be in his state and regulated, rather than driven off-shore. A safe harbour rule helps achieve that and fits a model where a light-weight, low-barrier entry model is developed to prevent legitimate providers from leaving the jurisdiction, while creating a sufficient barrier for the illegitimate players in the market. This is also a realistic approach considering the alternative channels for illegitimate behaviour: cash and banks. In the words of Lawsky:
Let's be frank: a lot more money has been laundered through banks than through virtual currencies'Boldly go where no man has gone before?
I commend the DFS for their open minded approach to the topic of regulation of virtual currencies. I do disagree however with one of the remarks of the Superintendent. He outlined that regulators are in new and unchartered waters when it comes to virtual currencies.
I don't think they are.
Since day and age, people have used all kinds of symbols, coins and means of representation of goods that worked fine for transferring ownership of property. We created a number of laws and institutions to ensure these property rights and a fair treatment of parties to certain contracts. In doing so we were able to move from coins to paper-based money to deposit accounts. At the same time we created digital representations of shares, bonds, IOUs and agreed that ledgers at private companies and government institutions could officially represent a claim on goods, services, bits of land, anything.
Then, when it comes to new forms of money, we also have recent experience. In the late 1990s we witnessed a very similar type of discussion on bank supervision and specialised supervision regimes for new forms of 'electronic-money' as it was called in those days. It took some time and deliberation to get to grips with pre-paid digital representations of fiat-currencies, but we found our way in the end.
The challenge: finding the right regulatory framework
The true challenge is to first consider the fundamental nature of virtual currencies and then determine the appropriate regulatory framework. In essence, the DFS is doing the reverse as their starting point is their existing legal competence as supervisor of money transmitter businesses. While there is a lot of logic to it, it might be useful to reconsider alternative types of regulation that exist.
It's my hunch that perhaps an exchange/trade oriƫnted regulatory framework might make more sense as the basis for regulation, than the money transmitter framework. So that is what I will explore in my next blog.
Tuesday, January 28, 2014
Towards a more flexible approach of authentication
In July last year, the European Commission published a proposalfor a revised Payment Services Directive (PSD). The proposal draws on the work of the SecuRePay forum of supervisors and requires ‘strong customer
authentication’ when a payer initiates an electronic payment transaction.
Strong authentication
Strong authentication is defined as a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.
The concept of strong authentication is in itself nothing new. What is new however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate. This allows for a system wide supervisory review of risks and security measures.
The current approach in both the envisaged PSD and Recommendations of the supervisors in Europe is however to take out and stress one element of the risk/security puzzle. This approach may turn out to be counterproductive and be an impediment to achieve retail payments that are as secure, efficient and as frictionless as possible.
Strong authentication
Strong authentication is defined as a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.
The concept of strong authentication is in itself nothing new. What is new however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate. This allows for a system wide supervisory review of risks and security measures.
The current approach in both the envisaged PSD and Recommendations of the supervisors in Europe is however to take out and stress one element of the risk/security puzzle. This approach may turn out to be counterproductive and be an impediment to achieve retail payments that are as secure, efficient and as frictionless as possible.
Different market approaches to customer
authentication
Traditionally the banking sector and card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the Internet were then being developed as an add-on to the basic design.
More recently, Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) have entered the payments value chain using the Internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.
There is still much to gain by combining the expertise of both the “classic” and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point; this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context. But that is not all.
Traditionally the banking sector and card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the Internet were then being developed as an add-on to the basic design.
More recently, Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) have entered the payments value chain using the Internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.
There is still much to gain by combining the expertise of both the “classic” and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point; this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context. But that is not all.
Stuck with two-factor customer
authentication?
The analytical flaw that underlies the SecurePay recommendations is its strong focus on too detailed a part of the business and security process: customer authentication. Of course this is quite an important element of the transaction process, but the overall security of (mobile) retail payments is always achieved by a proper combination of security measures.
Customers, devices, processes and issuers should all be authenticated properly. And any risk control structure does not just rest on authentication but on a wide array of logical and functional controls. These controls may sometimes be labeled: 'fraud detection' but the quality of the risk prevention that they achieve can be just as good as one of the classic factors, that are not in the definition of strong authentication.
It is evident that new authentication measures and security challenges are being used and developed to achieve a level of security in retail payments which is contingent on the risks that are relevant in the user-transaction-device context. We can witness this in the bank, card, Internet and mobile payment domain. As these developments occur, it is unwise to freeze one detailed building block of security measures into a regulatory requirement. This will skew the market into less efficient and more cumbersome customer experiences, while technically not necessarily safeguarding a strong level of security.
In particular the mobile domain allows for a wide array of additional capabilities to achieve the security levels that supervisors desire. It would therefore be wrong to make the low-value threshold of the PSD the dividing line between strong and alternative customer authentication measures. A better approach is to link the degree of authentication to the degree of risks and the further security measures that are in place. This will allow the market to develop solutions that achieve both ease of use to the consumer and the desired level of security.
A more future-proof approach
It is not unlikely that the envisaged inclusion of a detailed requirement on strong customer authentication may distort the current market developments rather than allow for further innovation and market development. A more future-proof approach is desirable.
In my view such an approach would be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. In addition it would be good to recognise that the quality of some of the security measures which are often labeled: 'fraud detection' may have become such that they achieve a similar level of security as the traditional authentication factors.
We should also allow alternative authentication mechanisms to be used, dependent on the risk involved, rather than a certain value threshold. It would then be up to the supervisors to make the context-based and risk-based assessments on the whole array of security measures as a part of their supervisor reviews.
This approach should ideally be complemented by excluding todays specific definitions of strong authentication from the wording of the Payment Services Directive and replacing them with a generic reference to the relevant security recommendations.
The result would then be that we will have a clear and flexible security requirements framework in Europe that sets the boundaries within which the market can futher innovate and develop.
The analytical flaw that underlies the SecurePay recommendations is its strong focus on too detailed a part of the business and security process: customer authentication. Of course this is quite an important element of the transaction process, but the overall security of (mobile) retail payments is always achieved by a proper combination of security measures.
Customers, devices, processes and issuers should all be authenticated properly. And any risk control structure does not just rest on authentication but on a wide array of logical and functional controls. These controls may sometimes be labeled: 'fraud detection' but the quality of the risk prevention that they achieve can be just as good as one of the classic factors, that are not in the definition of strong authentication.
It is evident that new authentication measures and security challenges are being used and developed to achieve a level of security in retail payments which is contingent on the risks that are relevant in the user-transaction-device context. We can witness this in the bank, card, Internet and mobile payment domain. As these developments occur, it is unwise to freeze one detailed building block of security measures into a regulatory requirement. This will skew the market into less efficient and more cumbersome customer experiences, while technically not necessarily safeguarding a strong level of security.
In particular the mobile domain allows for a wide array of additional capabilities to achieve the security levels that supervisors desire. It would therefore be wrong to make the low-value threshold of the PSD the dividing line between strong and alternative customer authentication measures. A better approach is to link the degree of authentication to the degree of risks and the further security measures that are in place. This will allow the market to develop solutions that achieve both ease of use to the consumer and the desired level of security.
A more future-proof approach
It is not unlikely that the envisaged inclusion of a detailed requirement on strong customer authentication may distort the current market developments rather than allow for further innovation and market development. A more future-proof approach is desirable.
In my view such an approach would be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. In addition it would be good to recognise that the quality of some of the security measures which are often labeled: 'fraud detection' may have become such that they achieve a similar level of security as the traditional authentication factors.
We should also allow alternative authentication mechanisms to be used, dependent on the risk involved, rather than a certain value threshold. It would then be up to the supervisors to make the context-based and risk-based assessments on the whole array of security measures as a part of their supervisor reviews.
This approach should ideally be complemented by excluding todays specific definitions of strong authentication from the wording of the Payment Services Directive and replacing them with a generic reference to the relevant security recommendations.
The result would then be that we will have a clear and flexible security requirements framework in Europe that sets the boundaries within which the market can futher innovate and develop.