Showing posts with label BIS.

Monday, January 30, 2017

From DNB Coin to ECB Coin...?

About a year ago, it became clear that the Dutch central bank, much like other central banks, was actively experimenting with blockchain technology to further establish pros and cons of distributed ledger technology. It had developed a so-called DNB-coin - a private fork of the bitcoin blockchain - which further reinforced a whole discussion on central bank issued bitcoin-like currencies (Fedcoin as outlined by the blog of JP Koning).

Fast forward to the EU parliament, where last week rapporteur Cora van Nieuwenhuizen presented a draft Fintech report that calls on the European Commission to draw up a Fintech Action Plan. In this plan, under item number 6, the ECB is recommended to launch experiments with a 'virtual Euro'. I think we may dub this the call for an ECB-coin.



One can only guess what exactly is meant here, but my best guess is that the ECB can now freely choose to experiment with methods for distributing digital euros using advanced blockchain or distributed ledger technology. So would they design it themselves, or involve themselves in market initiatives such as R3 or Hyperledger?

Anonymous ECB-coins or not? 
Time will undoubtedly tell how this experiment with ECB-coins will evolve. We should note, however, that there is also a European legislative initiative to limit the use of cash. So it appears logical that the cash-limiting initiative could reinforce the development of central bank issued virtual currencies (i.e. euros on a blockchain).

Those will not be truly anonymous ECB-coins, if you ask me. On a close reading of this last legislative proposal, I noticed that anonymous digital currencies (such as the good old digicash) are not truly desired:
In view of the development of cryptocurrencies and the existence of other means of payments ensuring anonymity, an option could be to extend the restrictions to cash payments to all payments ensuring anonymity (cryptocurrencies, payment in kinds, etc.) 
The end of anonymity and the beginning of pseudonymity
In sum, we will be watching the end of anonymity, but this may not be its true end. I think it would be fairly easy to devise new business and payment models where one slices off the good reputation of a payer/payee (not blacklisted, no terrorist, etc.) into a pseudonymous, tokenised system that allows payer, payee and all involved financial institutions not to know each other but still transact securely and within the legal parameters as set by society.

Which most likely brings us back to square one: the blockchain.


Friday, January 08, 2016

A new FAQ for PSD2 would be very useful to harmonise interpretations across Europe

Summary
The second Payment Services Directive, published at the end of December last year, is an important and welcome next step in the further integration of payment services in Europe. In order to achieve a true European level playing field ‘on the ground’, a clarifying FAQ for those who prepare its implementation today would be very welcome.

A FAQ that explains how the PSD2 definitions will apply in all Member States to the variety of business models and transaction mechanisms observed will enhance the purported level playing field. This harmonised guidance is just as important as the FAQ/guidance provided for the first PSD. Both regulators and the market have further developed since PSD1 and it is essential to recognise some of the underlying dynamics and developments of the payments market.

1. Out of scope, limited network or regulated?
At present, member states use the harmonised PSD rules to determine whether a certain business model qualifies as a payment activity or can be categorised as an exemption. Both in terms of content and process, the approaches vary considerably between supervisors. The feedback of supervisors varies from an elaborate argumentation to merely the brief outcome of an internal review process.

Also in terms of content, the approaches vary. Business models that are out of scope in one member state may be exempt or require a license in others. The lack of a central register of supervisory statements on those matters makes this hard to identify, but the PSD2 will change this. All business activity exempted under article 3k and 3l must be notified and the exemption decision will be published in a central register.

The practical consequence is that market participants can more easily determine which business models are exempted in which countries. This means that the supervisors must ensure that their qualifications are well-grounded and harmonised. One of the major challenges in this respect is to take into account the technological and market developments.

2. Technological developments: open and device-agnostic
Just one look at a user’s technical environment demonstrates that the major trend in payment technology development is the move from closed, bespoke systems and standards to more open structures. Whereas previously payment providers would control (sometimes own) all technological instruments to be used in a payment transaction, this is no longer the case.

The future infrastructure setting is one in which consumers and merchants will use their own technical device, and providers need to ensure that it can be used safely. We can now see card-based payments where no plastic is used anymore, as the payment is made via a virtual card application in the mobile phone or PC. At the same time, in the back office, the systems are opening up to the outside world via Application Programming Interfaces (APIs). Rather than having one instrument that operates as a shopping and a payments tool simultaneously, we can see that the value chain of search, shop and pay can be arranged via modularized interfacing of channels and technologies.

Therefore, when assessing the qualification of the technologies in today's payments, an open and functional approach is required. The classical approach, in which one tries to find the main device (such as a card) that serves as the payment instrument and then builds the further classification of a system around that instrument, will no longer work. There will be all kinds of devices and technical tools and while some may classify as payment instruments, others may not.

Fortunately, the definition of payment instrument in the payment services directive enables this functional approach. The definition mentions both ‘a personalized device’ and/or a ‘set of procedures’ to be viewed and defined as the payment instrument:
"payment instrument" means a personalised device(s) and/or set of procedures agreed
between the payment service user and the payment service provider and used in order
to initiate a payment order;

3. Where is the commerce and where is the payment transaction?
As technology slices up the commercial value chain, we should note the relevance of the last element of the definition of payment instrument: ‘to initiate a payment order’. There is a clear difference between the commercial use of devices for purchases (apps, shopping carts on the web, nfc-identification devices) and the later moment in which aggregated purchases are actually being paid. This can be compared to the difference between the shopping cart/button on a website and the payment button.

The main question to ponder is therefore: does the technology service allow the user to make a payment to any other payee in Europe (under the SEPA rules) and is the transaction actually a payment order, or is it merely a shopping transaction, with payments being arranged later on?

I wouldn’t be surprised if in the next years, we will witness a shift away from devices as the actual payment instrument. It may be more suitable to put the (user) accounts centre stage as the actual payment instrument. When applied by retailer organisations, such a choice will enable them to build a multi-channel sales-channel in which the device used is irrelevant. The sales channel aggregates purchase transactions towards the user account at the retailer. In cases where the retailer merely aggregates these purchases and initiates a direct debit for the total sum to be paid, this remains an administrative account, as the actual payment account in the process is that of the bank. Only in cases where actual payment orders are initiated from such an account would it become the payment account as well as the payment instrument for the commercial transactions.

It is crucial to distinguish the commercial from the payment process domain when evaluating apps and identification tools on the market. The actual payments can be expected to become the afterthought of commerce, rather than a primary service. These can flow via a payment account in the background, which is provided by retailer, bank or payment service provider. It is that account that will then function as the payment instrument in the commercial transaction and not the purchase device/application used. Supervisors should thus not immediately label ‘the card’ or any specific technical tool in a commercial business model as the payment instrument.

4. Areas and definitions of interest for the application of the PSD2
We’ve seen that the democratisation of technology allowed non-bank payment service providers to enter the payment space. Among those will also be retailers that can leverage the technology to provide a better customer experience. If those retailers are to use a services and customer contract with a monthly SEPA-direct debit agreement in the background, the payment services directive will not be relevant for them.

Similarly there is the question whether the payments services directive would have to apply to intermediary web-based platform companies that help users transact among themselves. Such business models could be in or out of scope based on the interpretation whether:
- the payments are seen as a regular occupation or business activity (art 1,2b),
- the agency model applies,
- the new definition of acquiring applies,
- the limited network exemption applies.

I hope that the collective of regulatory players involved in the transposition and application of the PSD2 will succeed in addressing those scoping and definition issues early on. In this respect the publication of a FAQ on those issues may be a very effective tool to clarify and ensure the level playing field.


Tuesday, January 28, 2014

Towards a more flexible approach of authentication

In July last year, the European Commission published a proposal for a revised Payment Services Directive (PSD). The proposal draws on the work of the SecuRePay forum of supervisors and requires ‘strong customer authentication’ when a payer initiates an electronic payment transaction.

Strong authentication
Strong authentication is defined as a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

The concept of strong authentication is in itself nothing new. What is new however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate. This allows for a system wide supervisory review of risks and security measures.

The current approach in both the envisaged PSD and Recommendations of the supervisors in Europe is however to take out and stress one element of the risk/security puzzle. This approach may turn out to be counterproductive and be an impediment to achieve retail payments that are as secure, efficient and as frictionless as possible.

Different market approaches to customer authentication
Traditionally the banking sector and card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the Internet were then being developed as an add-on to the basic design.

More recently, Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) have entered the payments value chain using the Internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.

There is still much to gain by combining the expertise of both the “classic” and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point; this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context. But that is not all.

Stuck with two-factor customer authentication?
The analytical flaw that underlies the SecuRePay recommendations is its strong focus on too detailed a part of the business and security process: customer authentication. Of course this is quite an important element of the transaction process, but the overall security of (mobile) retail payments is always achieved by a proper combination of security measures.

Customers, devices, processes and issuers should all be authenticated properly. And any risk control structure does not just rest on authentication but on a wide array of logical and functional controls. These controls may sometimes be labeled 'fraud detection', but the quality of the risk prevention that they achieve can be just as good as one of the classic factors, that are not in the definition of strong authentication.

It is evident that new authentication measures and security challenges are being used and developed to achieve a level of security in retail payments which is contingent on the risks that are relevant in the user-transaction-device context. We can witness this in the bank, card, Internet and mobile payment domain. As these developments occur, it is unwise to freeze one detailed building block of security measures into a regulatory requirement. This will skew the market into less efficient and more cumbersome customer experiences, while technically not necessarily safeguarding a strong level of security.

In particular the mobile domain allows for a wide array of additional capabilities to achieve the security levels that supervisors desire. It would therefore be wrong to make the low-value threshold of the PSD the dividing line between strong and alternative customer authentication measures. A better approach is to link the degree of authentication to the degree of risks and the further security measures that are in place. This will allow the market to develop solutions that achieve both ease of use to the consumer and the desired level of security.

A more future-proof approach
It is not unlikely that the envisaged inclusion of a detailed requirement on strong customer authentication may distort the current market developments rather than allow for further innovation and market development. A more future-proof approach is desirable.

In my view such an approach would be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. In addition it would be good to recognise that the quality of some of the security measures which are often labeled 'fraud detection' may have become such that they achieve a similar level of security as the traditional authentication factors.

We should also allow alternative authentication mechanisms to be used, dependent on the risk involved, rather than a certain value threshold. It would then be up to the supervisors to make the context-based and risk-based assessments on the whole array of security measures as a part of their supervisory reviews.

This approach should ideally be complemented by excluding today's specific definitions of strong authentication from the wording of the Payment Services Directive and replacing them with a generic reference to the relevant security recommendations.

The result would then be that we will have a clear and flexible security requirements framework in Europe that sets the boundaries within which the market can further innovate and develop.

Wednesday, July 25, 2007

Central Banks and Payment Instruments: a Serious Case of Schizophrenia

There's an interesting article out there, published by IDATE, Institut de l'Audiovisuel et des Télécommunications en Europe. It's written by Leo van Hove from Belgium and concerns the dual role of central banks. I can only read the abstract, but it sounds quite interesting:

Central Banks and Payment Instruments: a Serious Case of Schizophrenia
This article analyses the competition between cash and payment cards against the backdrop of the dual role of central banks - as issuers of cash and as institutions with a mandate to foster the efficiency of payment systems in general. It is argued that this dual role results in a number of policy dilemmas, namely concerning pricing, traceability of banknotes and the choice of denominations of coins and banknotes. On a general level, the article argues that central banks should place greater emphasis on improving the efficiency of retail payments and less on protecting their self-interest. More concretely, the article repeats the suggestion - originally put forward in VAN HOVE & VUCHELEN (1996) - that the ECB should place the upper limit of its banknote series at EUR 50 instead of EUR 500. It is also argued that policy makers should explicitly foster the use of cost-based pricing and in particular create a legal environment that makes it possible for commercial banks to start using it.

Monday, July 02, 2007

Dutch central bank closes last cash-outlets....

A couple of days ago, the central bank closed its last cash-outlets. See the press release here. This marks a period of 140 years during which the central bank started out as a single office in Amsterdam, then on demand of politicians expanded its role as a provider of cash until it had a whole bunch of local offices.

And then, deciding that all this stuff be left to the market, it closed down its branches. So now the money couriers in the Netherlands must all drive to either a bank money center or Amsterdam (to deposit cash). Funny thing is that the nearby option for Maastricht banks to deposit their euros in Aachen or Brussels is not allowed by the central banks......

... those same institutions that claim that banks have not achieved a sufficient harmonisation in European payments are unwilling to harmonize their own cash processing rules out of fear for job loss in their own house.

Some Europe this is.

Tuesday, January 23, 2007

Another remittances report, this time by the BIS...

The Committee on Payment and Settlement Systems (CPSS) and the World Bank issued a report today entitled General principles for international remittance services. Not for use by the market, merely for use by governments/regulators.

The CPSS-World Bank report provides an analysis of the payment system aspects of remittances, on the basis of which it sets out general principles designed to assist countries that are seeking to improve the market for remittance services. The report contains five general principles, covering: transparency and consumer protection; payment system infrastructure; the legal and regulatory framework; market structure and competition; and governance and risk management. The report highlights the roles of both public authorities and remittance service providers in implementing the general principles.

Saturday, November 25, 2006

New payment data for 2005 from the BIS

can be found here (summarizing tables). But please, all you scientists, be aware that these contain quite a condensed and in some sense arbitrary classification as to the nature of instruments. Don't bet your grandma on it.

Sunday, July 16, 2006

Why regulate banks and/or competition?

This pdf is an interesting piece of work by the International Competition Network (ICN) with an overview of arguments why regulation of banks occurs and what the role of the competition authorities should be. A tiny bit of an outsider's perspective, as one tends to see more often when non-industry supervisors take a bite of the banking cake, but generally quite good.

The ICN is a supranational coordination body, exclusively for competition regulators. What the BIS is to central banks, the ICN is to competition authorities. ICN started in 2002.

Sunday, April 30, 2006

Landmark speech by Swedish Governor of the Central bank on cash

At the BIS website I noted this speech given by Stefan Ingves, Governor of the Sveriges Riksbank, to the first meeting of the so-called cash management advisory board in Stockholm (26 April 2006). This board will meet twice a year to discuss cash-management issues in Sweden and its members are: banks, cash-in-transit companies, representatives of the retail trade, trade unions and authorities such as Finansinspektionen (the Swedish Financial Supervisory Authority), the police and the Swedish Work Environment Agency.

As a sort of kick-off for further discussion in Sweden, the Governor describes the situation in Nordic countries with respect to usage of cash and preferred pricing policy:
I think that we should ask the question of why Sweden has so many more cash transport robberies than other countries, not just other Nordic countries, but the majority of European countries. There have occasionally been suggestions put forward in the general debate that if one tried to reduce the use of cash in society, the number of transports to ATMs could be reduced. Given this, it is interesting to reflect on why we Swedes prefer to pay by cash rather than by card more often than our Nordic neighbours. The number of card transactions per inhabitant in 2003 was around 130 in Norway, just over 100 in Finland and Denmark and just over 80 in Sweden. There is no clear explanation for this, but one clue may lie in pricing. In Sweden, cash withdrawals from all ATMs are free of charge, despite the large costs entailed in cash handling. In the other Nordic countries, cash withdrawals are only free of charge from the customer’s own bank’s ATMs, which has led to a reduction in the use of cash.

Well, it's nice to find out that there are still central bankers that dare to include cost of criminality into the calculations of (social) cost of cash. And that they are not afraid to draw the appropriate (cost-based pricing) conclusions.

Monday, April 03, 2006

Tuesday, March 14, 2006

General principles for international remittance services - BIS consultative report

See this draft report with general principles for international remittance services. It's a consultative report of the Bank for International Settlements, so one may react.

Generally, however, the BIS does not really change the contents on the basis of such reactions. So unless one really has an additional contribution, don't bother... ;-)

Sunday, October 16, 2005

Interpay system complies with central bank standards

Read this press release to discover that Interpay, the Dutch ACH, complies with central bank standards.

That is, the release should read that one of the systems of Interpay (rather than Interpay itself) complies with central bank standards. It appears from the DNB report in its Quarterly bulletin from September 2005 that Interpay's Clearing & Settlement System (CSS) complies with the BIS standards for system-critical retail payment systems. This covers ten Core Principles that relate to all aspects of an organisation: from security and management efficiency to control of financial risks and legal matters.

Too bad that this unique system, with features such as half-hour settlement periods during the day, may have to be adapted / downgraded to fit the unified Target2 environment... just to show how European harmonisation experience in payments may result in improvements in Europe generally, but not for the Dutch in particular....

Friday, July 01, 2005

Conference "Past and Future of Central Bank Cooperation"

The BIS publishes the proceedings of the Conference "Past and Future of Central Bank Cooperation", held on 28-29 June 2005. The conference was held to mark the 75 years of existence of the BIS.

Friday, May 20, 2005

International Journal of Central Banking launched

The BIS announces the publication of the first issue of the International Journal of Central Banking. The IJCB, a new quarterly publication, features articles on central bank theory and practice, with special emphasis on research relating to monetary and financial stability. The IJCB website provides additional information about the journal as well as free access to journal articles.