Thursday, March 24, 2016

'DNBcoin': the Dutch central bank experiment with a blockchain-based coin

Today, the Dutch central bank published its Annual Report. This coincided with the death of our most famous soccer player, Johan Cruyff, so it's clear that there is not so much undivided attention to their whole report.

Scanning through the report, I noticed an interesting paragraph in the sustainability part of the report (p. 208), under the header of inclusion and accessibility of payments. It stated that DNB aims to develop a working prototype DNBcoin based on blockchain technology.

So, there we have it: central banks are entering the market of digital cash once again. After the announcements on RSCoin, the blockchain based electronic cash proposed for the UK central bank, the Dutch central bank is following suit.

So is this new and revolutionary?

No and yes.

No, because I recall that twenty years earlier, the Danish central bank sold its electronic cash solution (Danmont) to the market (withdrawn as a micropayment tool in 2005), as did the Canadian central bank (selling off its Mintchip). So there is not much news in central banks setting up electronic cash.

What is new however is the environment in which this development occurs. Previously, central banks were keen on getting rid of cash as an inefficient payment method. As this starts to be successful (in Sweden and the Netherlands for example) the central banks adapt their position. The policy line now is that for availability and financial inclusion reasons cash still needs to be around as a payment mechanism.

So when we now see central banks moving forward in the electronic cash domain (now conveniently labelled: blockchain/fintech, instead of bitcoin) it might be to no longer spin it off to the market, but to create a permanent digital replacement of cash.

Therefore, this time it might be different.

Friday, January 08, 2016

A new FAQ for PSD2 would be very useful to harmonise interpretations across Europe

Summary
The second Payment Services Directive, published at the end of December last year, is an important and welcome next step in the further integration of payment services in Europe. In order to achieve a true European level playing field ‘on the ground’, a clarifying FAQ for those who prepare its implementation today would be very welcome.

A FAQ that explains how the PSD2 definitions will apply in all Member states to the variety of business models and transaction mechanisms observed, will enhance the purported level playing field. This harmonised guidance is just as important as the FAQ/guidance provided for the first PSD. Both regulators and the market have further developed since PSD1 and it is essential to recognise some of the underlying dynamics and developments of the payments market.  

1. Out of scope, limited network or regulated?
At present, member states use the harmonised PSD-rules to determine whether a certain business model qualifies as a payment activity or can be categorised as an exemption. Both in terms of content and process, the approaches vary considerably between supervisors. The feedback of supervisors varies from an elaborate argumentation to merely the brief outcome of an internal review process.

Also in terms of content, the approaches vary. Business models that are out of scope in one member state may be exempt or require a license in others. The lack of a central register of supervisory statements on those matters makes this hard to identify, but the PSD2 will change this. All business activity exempted under article 3k and 3l must be notified and the exemption decision will be published in a central register.

The practical consequence is that market participants can more easily determine which business models are exempted in which countries. This means that the supervisors must ensure that their qualifications are well-grounded and harmonised. One of the major challenges in this respect is to take into account the technological and market developments.

2. Technological developments: open and device-agnostic
Just one look at a user’s technical environment demonstrates that the major trend in payment technology development is the move from closed, bespoke systems and standards to more open structures. Whereas previously payment providers would control (sometimes own) all technological instruments to be used in a payment transaction, this is no longer the case.

The future infrastructure setting is one in which consumers and merchants will use their own technical device, and providers need to ensure that it can be used safely. We can now see card-based payments, where no plastic is used anymore, as the payment is made via a virtual card application in the mobile phone or PC. At the same time, in the back-office, the systems are opening up to the outside world via Application Programming Interfaces (APIs). Rather than having one instrument that operates as a shopping and a payments tool simultaneously, we can see that the value chain of search, shop and pay can be arranged via modularized interfacing of channels and technologies.

Therefore, when assessing the qualification of the technologies in today's payments, an open and functional approach is required. The classical approach, in which one tries to find the main device (such as a card) that serves as the payment instrument and then builds the further classification of a system around that instrument, will no longer work. There will be all kinds of devices and technical tools and while some may classify as payment instruments, others may not.

Fortunately, the definition of payment instrument in the payment services directive enables this functional approach. The definition mentions both ‘a personalized device’ and/or a ‘set of procedures’ to be viewed and defined as the payment instrument:
"payment instrument" means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order;

3. Where is the commerce and where is the payment transaction?
As technology slices up the commercial value chain, we should note the relevance of the last element of the definition of payment instrument: ‘to initiate a payment order’. There is a clear difference between the commercial use of devices for purchases (apps, shopping carts on the web, nfc-identification devices) and the later moment in which aggregated purchases are actually being paid. This can be compared to the difference between the shopping cart/button on a website and the payment button.

The main question to ponder is therefore: does the technology service allow the user to make a payment to any other payee in Europe (under the SEPA-rules) and is the transaction actually a payment order, or is it merely a shopping transaction, with payments being arranged later on?

I wouldn’t be surprised if in the next years, we will witness a shift away from devices as the actual payment instrument. It may be more suitable to put the (user) accounts centre stage as the actual payment instrument. When applied by retailer organisations, such a choice will enable them to build a multi-channel sales channel in which the device used is irrelevant. The sales channel aggregates purchase transactions towards the user account at the retailer. In cases where the retailer merely aggregates these purchases and initiates a direct debit for the total sum to be paid, this remains an administrative account as the actual payment account in the process is that of the bank. Only in cases where actual payment orders are initiated from such an account would it become the payment account as well as the payment instrument for the commercial transactions.

It is crucial to distinguish the commercial from the payment process domain when evaluating apps and identification tools on the market. The actual payments can be expected to become the afterthought of commerce, rather than a primary service. These can flow via a payment account in the background, which is provided by retailer, bank or payment service provider. It is that account that will then function as the payment instrument in the commercial transaction and not the purchase device/application used. Supervisors should thus not immediately label ‘the card’ or any specific technical tool in a commercial business model as the payment instrument.

4. Areas and definitions of interest for the application of the PSD2
We’ve seen that the democratisation of technology allowed non-bank payment service providers to enter the payment space. Among those will also be retailers that can leverage the technology to provide a better customer experience. If those retailers are to use a services and customer contract with a monthly SEPA-direct debit agreement in the background, the payment services directive will not be relevant for them.

Similarly there is the question whether the payments services directive would have to apply to intermediary web-based platform companies that help users transact among themselves. Such business models could be in or out of scope based on the interpretation whether:
- the payments are seen as a regular occupation or business activity (art 1,2b),
- the agency model applies,
- the new definition of acquiring applies,
- the limited network exemption applies.

I hope that the collective of regulatory players involved in the transposition and application of the PSD2 will succeed in addressing those scoping and definitions issues early-on. In this respect the publication of a FAQ on those issues, may be a very effective tool to clarify and ensure the level playing field.


Thursday, December 10, 2015

Satoshi rumours remind me of Being John Malkovich

These days, there's a rumour going around that an Australian guy would actually be Satoshi, the inventor of bitcoin. Next morning, this guy's house was raided by the police, in search of all kinds of evidence.

To me, it seems sufficient evidence to assume that the true Satoshi will choose never to reveal his or her identity. If all kinds of law enforcers incorrectly wish to blame the inventor instead of the users of his invention, you better steer clear of such hassle. In addition I could well imagine Satoshi to be a bit of a hermit.

In that sense, even getting a Nobel Prize or the Turing Award would make no difference. We won't know who Satoshi is, which means we may get stuck with all kinds of impersonations of him. Which reminds me of the movie: Being John Malkovich (see trailer here).

In the movie, people may enter the brain and become John Malkovich for some time, until being spit out and landing at the side of a road. My best guess is that we will witness similar events for those who wish to be Satoshi.



Thursday, October 08, 2015

Now that the voting on the PSD is done, the real work starts...

The second Payments Services Directive, also known as PSD2, will be officially established today. In the plenary session discussion yesterday all political groups backed the achieved consensus and highlighted the benefits to consumers, the increased security of payments, further innovation in the payments area and lower cost overall.

Some work ahead...
We should realize however, that with the promulgation the real work will start for a whole range of involved players. First and foremost, there is a lot more work ahead for regulators and supervisors in the transposition process, but in particular also for the European Banking Authority. The PSD2 that seeks to open up access to banks and customer bank accounts for new players, leaves quite a bit of work to be done by EBA.

EBA should:
- develop rules on level of guarantee/professional indemnity insurance for payment initiation service providers and account information service providers,
- set up standards for cooperation and data exchange between local supervisors and resolve disputes on different applications of the PSD2,
- set up a central register of payment institutions and agents licensed under the directive,
- develop regulatory standards that define when the appointment of a central local contact point can be demanded by local supervisors and what its functions should be,
- be informed immediately in the case of emergency situations (such as large scale fraud),
- coordinate requirements as to the security frameworks applied,
- specify the requirements of common and open standards of communication to be implemented by all account servicing payment service providers that allow for the provision of online payment services,
- develop guidelines on a harmonised set of information to be provided during the application for a payment institution license,
- publish local exemptions under article 3k and 3l in the public register.

Clarity for industry on EU-application of definitions and scope
When the first PSD was delivered, it turned out that quite some players in the market required timely insights as to the future scope of the directive and how it would impact them. The European Commission then published an FAQ that further outlined how definitions should be understood.

It seems to me that it would be worthwhile to perform a similar exercise right now as there are quite some areas that can give rise to questions. As an example: the recital on the agency exemption leaves open the existence of agents for both buyer and supplier as long as the agent does not enter into possession of the funds. Yet, the definition of acquiring appears to be purposefully wide, meaning that such commercial agents might after all be viewed as acquirers.

The sooner this clarity is provided, the better it is, as the lead time for setting up and getting a license as a payment institution is similar to the lead time that now exists for transposing the PSD2.

I therefore hope that, for the sake of a proper EU level playing field, the collective of regulatory players involved in the transposition and application of the PSD2, will seek to address those scoping and definitions issues early-on.

Wednesday, March 04, 2015

ECB's renewed virtual currencies report: implications for the Third Payment Services Directive

This week the European Central Bank (ECB) revisits the subject of virtual currencies (VCS) in a renewed virtual currencies report with a further analysis. I have read the publication with interest to discover that the previous position on the subject essentially remains the same:
- virtual currencies don't come near money or legal tender concepts,
- the uptake of virtual currencies is still very limited,
- the wait and see approach of the ECB will be continued.

The typical paragraph that summarises this approach is:
The usage of VCS for payments remains limited for now, which implies that there is not yet a material risk for any central bank tasks, including promoting the smooth operation of payment systems. However, a major incident with VCS and a subsequent loss of trust in VCS could also undermine users’ confidence in electronic payment instruments, in e-money and/or in specific payment solutions. 

Whereas at first sight the report doesn't lead to a lot of new insights, the broader scope of its definition of virtual currencies does beg a number of fundamental questions with respect to the future regulation of payments. These questions lead me straight into a renewed regulatory approach, to be used in the Third Payment Services Directive.

An improved definition
The major improvement of this Eurosystem-report over the previous one lies in its correction of the definition used for virtual currencies. In an earlier blog I commented that the definition was too vague:
“A virtual currency is a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community”.
With this report, the definition of virtual currencies has formally changed into:
"a digital representation of value, not issued by a central bank, credit institution or e-money institution, which, in some circumstances, can be used as an alternative to money."

I am quite pleased with this change as it allows for a better understanding and classification of the subject of virtual currencies. Interestingly, the elimination of the element of decentralized issuance leads to a far broader range of virtual currencies than previously discussed. And this leads to an interesting follow up question.

Virtual currencies are suddenly everywhere... 
The table below lists the major payment options in the Netherlands, with the virtual currencies listed at the far right. When looking at the turnover figures, one can understand why the Eurosystem will be primarily monitoring the virtual currency scene. The most interesting observation is however that all the blue coloured segments of the table are now also considered to be virtual currencies.

We can see that in particular the giftcard and transport payments (which are out of scope of the payment regulations for a number of reasons) do amount to quite a substantial payments volume. Literally these payments are now also considered to be payments with virtual currencies. And from an analytical perspective, this is a logical consequence.

| Regular (e-) payments | OV-Chipcard | Mobile telephone | Retailer Giftcards | Bitcoin / alt-coins |
| --- | --- | --- | --- | --- |
| 16 million per day | 5 million per day (includes loads) | Premium services | 500.000 - 1.000.000 per day | Less than 1000 trx per day in NL |
| € 903 | € 2 - € 20 | € 2 - € 5 | € 12 | € .? |
| Payment Services Directive (PSD) | Exemption under PSD1 | Explicit exemption of PSD1 | Out of scope when issued as a single retailer | Out of scope of PSD |

Effectively we can now better appreciate today's payments world, seen from the eyes of the consumer. Because the consumer is not bothered by the details of Payment Services Directives and obscure exemptions of mobile payments. The consumer will use the mobile or ticketing payment means as a matter of convenience (or: obligation) and will have to undergo the payment experience as a fact of life.

Particularly in the Netherlands this leads to the interesting situation where a sloppy and easily hackable implementation of NFC is being widely used for public transport payments, alongside a safer NFC implementation of banks that is still working on its nationwide roll-out. Users use them both.

Similarly interesting was the occurrence, last month, of a virtual currencies bank run. As retailer V&D threatened to go out of business, one could witness the sale of its pre-paid gift cards on Marketplace (the Dutch eBay) for considerable discounts. At the same time everyone in the Netherlands dug up and spent their old gift cards, before it was too late.

What the third Payment Services Directive will have to look like 
If we take the wider definition of virtual currencies that the ECB uses, it becomes clear that the user experiences with virtual currencies (and losses: for example the sudden vaporisation of retailer gift card value after a period of 18 months) happen alongside the heavily PSD-regulated instruments and mechanisms.

Based on some prudential rules we now burden some forms of payments with a whole lot of rules, while we neglect all schemes that are out of scope (but may still have relevant consumer effects). This difference is - in my view - too big and requires a changed approach to be used for the Third Payment Service Directive (PSD3).

Under the Third Payment Service Directive, we should recognise that payments can and will be made and offered by everyone to everyone. The PSD3 should thus define a light-weight conduct supervisory framework for all payment mechanisms, regardless of the institutional status of the issuer. Alongside this wide conduct framework, we keep the current prudential framework intact, which outlines the prudential rules applicable to the different institutional payment setups (e-money, payment institution, bank).

The new conduct based framework would apply to payment mechanisms and e-money alike and have as a goal that the user is always properly informed on the basic terms and conditions, redeemability etcetera. The control-mechanisms should not be supervision based, but could be reputation-based for example, allowing the market to monitor and redress, rather than costly supervisors. Only in exceptional circumstances would a European conduct supervisor step in.

In sum: more analysis ahead
The broader scope of the Eurosystem's definition of virtual currencies begs a number of fundamental questions with respect to the future regulation of payments. In particular the area of non-regulated payment schemes at the fringes of the PSD might deserve more attention than it receives right now.

Not only could the question be whether or not a separate regulatory conduct-framework should apply, the European Retail Payments Board might also decide to expand its analysis towards these mechanisms, particularly when they reach a volume/scale which is equivalent to that of the regular payments.


Tuesday, January 06, 2015

Reflection on almost 100 years of retail payments in the Netherlands

These next few days we will be processing the last Chipknip transactions in the Netherlands. This marks the end of a period of almost a hundred years of consumer payments in the Netherlands. Here is a brief reflection on this period. My hope is that we retain our innovative mindset and that we abandon old school practices like competition on technology and inward-thinking-based marketing practices.


The beginnings
It all started out with a certain demand of the public and small retailers, around 1900. It took however more than ten years before the city giro of Amsterdam (1916) and the national giro of the Netherlands (1918) were set up. In the period leading up to this moment, the cashiers were asked whether they wished to improve their services, as this might lead parliament to conclude that no national giro was necessary. Their response was too meagre, as a result of which they created their biggest rival: the national giro system, operated by government.

This system effectively created a benchmark for the private industry by offering (some time after its start) payment services for free to the public. Today we would call this the Internet model, but in those days, this led to repeated discussions on the undue competition element. Bankers and cashiers assumed that the national giro was cross-subsidized by government, while effectively the reverse became true. The national giro acted as a cash cow that covered some of the other costs for the Ministry of Transport (including the costs of post offices etc).

The city giro Amsterdam has stood out mostly for its innovations: the use of modern bookkeeping machines, the introduction of photo-imaging (in the 1930s) to process payments easier as well as the early introduction of a payment card to the public. The national giro, in turn, was early to create a mechanism of inpayments that could be used by government services, that used similar (punch card) standards.

In this respect it should be noted that the national giro, during the previous century, was plagued by several operational distortions, leading to 'giro stops'. One big one occurred in the 1920s and shut the system down for almost a year, other ones happened after the second world war. These stops instilled a big trauma into the organisation with the effect that when in 1965 a change was made to using punch cards and mainframes, this was done with meticulous scientific precision in order not to fail. Ever since, the postal giro (later Postbank) would be very keen and strong in the area of operational logistics and control.

Competition on standards and technology
For the most part of the evolution of Dutch payments, there were differences in technology used. A first attempt to bridge these differences occurred after the second world war when a commission on the integration of giro traffic tried to bridge the bankers vs giro gap. This didn't work out.

In the mid 1960s the bankers were keen to find funding in the retail market and realised they needed a better clearing system to process faster payments. While they were in the process of deliberating this move, the postal giro offered to let them join and use the same standards it was using, in order to achieve uniform processing. For strategic reasons, the banks decided not to do this and chose a slightly modified technology and numbering system of their own. Remember: this was of course the age of shielding off markets by technology.

The net effect for the consumers and companies was less positive however. In the end it took some 30 years to create bridging standards/protocols to integrate the different payment standards of bank and giro. And even when the digital, networking time started (in the 1980s) banks and giro found it hard to abandon the classic competition by technology paradigm. For the EFTPOS network they did use a common standard and this also seemed to work for the Chipknip e-money products. Yet, due to misunderstandings and distrust at the board room level, the Postbank decided to jump the Chipknip ship to start the separate Chipper product. Again, the effect was that consumers and retailers were burdened with dual standards in a market that is too small to do so.

Inward based marketing of the big banks
With the deregulation of financial markets and the privatisation of the Postbank, all providers of payments were commercial companies. The Dutch banks grew bigger and with that their bureaucracies. Postbank gradually lost its touch-and-feel as a former public entity and became a bank like all others. The best event that symbolises this is the abolition of the Postbank brand by ING.

The net effect of becoming bigger and more ambitious is that straightforward customer research and marketing gets stampified. This is a word that I coined to denote the fact that in those big banking bureaucracies the responsibilities of employees - with the only exception of the board - become limited to the size of a postal stamp. The result is that these companies' (marketing) departments require more time for internal debate, office politics and consensus-finding, time which they can't spend on finding out how to best serve the customer.

The consequence of this stampification is that the banks lose touch with their customers and reality. Our last retail payment product, the Chipknip, showed this most clearly. The ridiculous local battle between two competing e-money schemes (although perfect from a competition perspective) created so much nuisance for retailers that this inspired them to get back at the banks. Infuriated by high terminal switching costs, they found the newly set up competition authority at their side to fight the banks' cartel behaviour.

As such our retailers were quite successful: the banks were being fined and a part of the fine was channeled towards them (via a Covenant) to improve the EFTPOS situation in the Netherlands. This Covenant was even prolonged to ensure a continued collective rebate for retailers on EFTPOS fees. Effectively we could thus see the retailers as being the clear winners in the last 15 years of retail payments here in the Netherlands. [And as with today's MIF-debate we can wonder whether the benefits they derived from emptying the pockets of banks did really end up in the consumer pockets by lower prices.]

Back to inward-based-marketing: the best (and typical) example is the way the Chipknip product was initially taken off the market. Banks informed the customers that they all had to unload their Chipknips at specific loading/unloading points. This led to a big confusion and questions on Twitter. Eventually some individual banks decided to give the money back on the basis of the internal administration so that customers didn't need to bother going to an obscure loading point. And then, quickly, all banks decided to do this.

I sincerely hope that we will no longer witness these old school thinking marketing methods in the new year. Banks need to find a way to innovate and listen to clients and society or they will be trapped in old behaviour that is only comprehensible from a stampification point of view but not understandable for customers outside the bank.

Outlook
If history is anything to go by, we may well see a repetition of the SEPA-dynamics in the banking domain. What I mean by that is the following: as banks are busy lining up their internal systems in order to conform with a whole range of upcoming new EU regulation (keywords: PSD2, MIF, AML), the non-banks will be able to build all kinds of new products at the fringes of the payments market.

Most of these new products won't be made from a payments perspective but will solve a user problem. Creating a payment button in these products doesn't require much more than a direct customer relation and a European direct debit agreement. So we might well see the banks moving into a back-seat role of providers of the payment rails for non-bank providers of user services.

Wednesday, November 26, 2014

Where and how to look for innovation in payments?

This week I had the pleasure of joining a panel on retail payments innovation as a part of a seminar by van Doorne and Innopay on the Payment Services Directive and the future changes for the payment industry. Panel chair Gijs Boudewijn challenged me to formulate some thoughts on the future direction of retail payments. I answered that the best place to look would be in places and via perspectives that we could be overlooking right now.

1. Is it access to the account or a traceable id that matters?
There is a lot of discussion on the text of the second Payment Services Directive and on the legal and technical mechanisms that are required to make access to the account work. Due to their origin, these discussions are quite bank centric and the implementation issues surrounding this topic will drain a lot of resources of many players involved.

While being busy with this PSD2 issue, we may overlook the fact that all one really needs is a simple chip-id. In the Netherlands for example, one could use the chip-id of public transport ticket issuer TLS as a basis for use in hip and new proprietary retailer/consumer applications. These would combine the chip-id with an intelligent voucher/billing/customer system that utilises SEPA-direct debits in the back-end. It would provide a smooth customer and retailer experience while the bank only sees regular transactions.

My proposition here is that if we're all looking towards access to the account as the hot spot for innovation, we may be looking in the wrong direction. It might be more about the traceable id.

2. The retailers have landed in an interesting position
In his Tomorrow's Transactions blog Dave Birch referred to an analysis by Peter Jones from PSE on the impact of the interchange fee regulation, published in the Journal for Payments Strategy and Systems. The main conclusion of it was that financially the retailers are the winners by getting a cap on their fees. I agree with that and would be inclined to broaden this perspective.

By tradition banks were the players with the monopoly on payments technology and security knowledge. Even in the 1980s, the collective of retailers in the Netherlands had done a feasibility study to set up their own Point of Sale system. This showed they could set it up for € 5 million but they didn't want to take the risk of it failing. So they left it to the banks (to complain about high fees later).

Since that time, the knowledge on processing and payments has become available to a wide range of players, to the extent that banks are now lagging in expertise and capability (while being locked into old technology solutions). The consequence is that retailers will be well able to develop or use in-house apps, customer relation services and payment mechanisms that use the bank infrastructure, without being subject to the rules of the Payment Services Directive.

The main development is therefore that the obliged intermediary role of banks in providing payment mechanisms is gone and will erode. Retailers can regain their customer relationship by themselves or in cooperation with any other ICT-provider that allows them to identify the customer and provide a processing infrastructure. Some interesting innovations can therefore be expected at the outer boundaries of the PSD, as a consequence of the possible exemptions.

I expect both physical and e-retailers to use the non-bank, non-payment space that the PSD defines to achieve exactly what they're after: increased customer retention, increased conversion and a smooth payment experience. Bottom line: we might better be looking outside of the PSD to see innovation in action.

3. On ledgers and tokens
As a final thought I would encourage everyone to try a different mindset for the developments that we are witnessing. Because in essence, anything that happens (in payments/retail) boils down to either tokens (coins, notes, points) or ledgers (private or public). Now let's see what happens if we apply this framework.

We might then appreciate the bitcoin emergence as an innovation in the area of collective ledger provision with distributed trust. We could reposition LinkedIn as a privately owned, open and self-administered ledger that logs individuals' achievements that are relevant in the work domain. The same would hold for Facebook and many other e-commerce companies. We would call banks the keepers of the trusted and well protected financial ledgers and would also note that in the public domain, a whole range of ledgers are being interconnected for the sake of security, anti-fraud measures etc.

We could also look at the world of tokens, in its many variations. Tokens of shopping behaviour (saving points), tokens of access (tickets), tokens from government (coins and banknotes), tokens of appreciations (awards, prizes) and tokens that prove identity or personal characteristics. Some of those tokens might be valuable and lead to a change of some of the ledgers, while others would have a role in their own right (voucher for a free coffee).

While it is clear that there are quite a few interesting new developments in the ledger-space, could it be that it is the token-domain where the true action is going to be?

Payments as an afterthought
In sum: the non-bank, identity-based, non-regulated commercial domain might well be the area where we can see innovations that show us how today's technology can be made to work best so that payments become the afterthought that they are.


Friday, September 26, 2014

Lawsuit in the Netherlands on Bitcoin as 'money' or 'current money'

Since May this year, there is an interesting discussion here in the Netherlands on the legal status of Bitcoin as money.

First lawsuit on failed bitcoin delivery
The discussion starts with a lawsuit between two people engaged in a bitcoin transaction. Party B failed to deliver the whole amount of bitcoins, although it had received all the money for it. Party A, after two weeks, partially annulled the agreement (for the part of the bitcoins not delivered). However, this party later decided to demand compensation for the financial loss that resulted from the increase in the price of bitcoins over the course of the year (after the moment of canceling the contract).

Party A based its reasoning on the fact that our law allows for something as 'current money' to be used in order to pay a sum of money. This terminology was explicitly chosen by our legislator (instead of the legal tender concept) to allow non-State forms of money to be condoned in our country in situations where it was commonly used and accepted by all the people.

Should this argument succeed and bitcoins be considered such 'current money' the consequence could have been that an additional compensation claim could be made under our civil law. The judge however outlined that Party A should be compensated for the price rise of Bitcoin between the moment of concluding the contract and of canceling it (some € 1700). No compensation was due however for the remainder of the time, as it was party A that had initiated the canceling of the contract.

In addition the judge outlined that Bitcoins cannot be considered current money that is condoned by the State. Our Ministry of Finance has outlined that it doesn't fit the definition of legal tender, nor that of electronic money and that it should be considered a means of exchange. The nature of bitcoin (tradeable) doesn't work as an argument as also silver and gold are tradeable but not considered to be current money.

New lawsuit on status of bitcoin as money
A number of players in the Dutch Bitcoin community have chosen to challenge the above verdict of the judge and have raised more than € 15.000 to pay for the expenses of a lawsuit. They challenge the first verdict in order to have the judge reconsider its position and outline that Bitcoin is money. As a consequence they feel that it must then also be treated as such by our administrative bodies, supervisors, tax authorities etc. This would mean that bitcoin operators could be payment institutions, supervised and exempt from VAT (which, as I understand, are the underlying goals).

While I am very sympathetic to the concept of challenging a status quo and laws, I fail to see how a verdict on civil contract law could spill over into:
- the definitions of payments, money and payment institutions under the Payment Services Directive (and Dutch law),
- the definitions of payments under the Sixth Tax Directive.

Having said that, it will surely be very interesting to see which approach will be taken by the law firm involved and see if they are able to convince the judge that at least in civil contracts bitcoins may act as money.


Last edit: October 1, to outline that it's not the whole Bitcoin community that seeks to challenge the verdict.

Saturday, June 14, 2014

EBA concerned about anonymity and security for bitcoin

From May 15th until May 17th, the Bitcoin 2014 conference took place in Amsterdam. One of the break-out sessions was dedicated to the topic of Anti-Money Laundering on Transparent Networks. During this session, Dirk Haubrich of the European Banking Authority (EBA) outlined some of the issues and concerns of the EBA with respect to digital currencies and bitcoin.

In his initial statement Haubrich sketched the concerns of the EBA with respect to:
- the use of digital currencies to transfer the proceeds of crime and act as money transmission,
- the fact that anonymity makes it hard to link the transactions to persons,
- seizing assets and restoring or undoing criminal or illegitimate transfers,
- the emergence of a hawala-like new channel via which international transfers may occur to countries that are on the FATF-sanction list,
- the use of those currencies by terrorists and criminals,
- the integrity of creators of digital currencies.

Role of the EBA
As a part of the discussion, Mr Haubrich outlined that the EBA has a specific remit in the area of consumer protection and financial innovation. It is from this perspective that the EBA issued its warning on virtual currencies in December 2013. The question whether or not to further regulate virtual currencies is now being investigated by a cross-sectoral working group of European supervisors. This group will publish its outcome in a couple of months.

When asked to discuss the major challenges for digital currencies, he outlined anonymity and IT security as major topics of concern. In combination with the aforementioned list of concerns, the overall impression was one in which further regulation appeared to be more likely than a continuation of the current hands-off approach.


Tuesday, June 03, 2014

Dutch central bank will strictly supervise banks / payment institutions that deal with virtual currencies (and companies)

Just one hour ago DNB, the Dutch central bank and bank supervisor, issued a warning on bitcoin. It was not the regular warning or disclaimer for consumers, but a warning for the payments industry. Essentially DNB concludes that virtual currencies (bitcoins and altcoins) are viewed as products with a very high risk profile. DNB also announces that it will strictly supervise banks and payment institutions:

DNB will therefore strictly assess the compliance with applicable law (a.o. Wwft and Wft) for those banks and payment institutions that decide to get involved - in whichever way - with virtual currency-companies or that decide to invest in virtual currencies themselves. In 2014, DNB will investigate whether banks and payment institutions are actively involved with new payment products such as virtual currencies and (it) will assess the degree to which these institutions control/manage their integrity risks. The control should include effective measures with respect to client acceptance and the monitoring of new innovative suppliers. 

Guidance considerations
The brief statement of DNB contains some considerations that are the basis for this decision. A first consideration has to do with anonymity. DNB notes that transactions are being recorded in a public transaction ledger. Given that these transactions cannot be matched to physical persons and the virtual currencies are usable as a means of payment, they are an attractive link in a money laundering process.

The current anonymity in virtual currency systems has consequences for banks and payment institutions. As a result of this anonymity, the buyers and sellers of virtual currencies become indirect relations of the bank. These indirect relations can also affect the reputation of the institution, which leads to a 'derived' integrity risk. Without having that intention, banks and payment institutions could be facilitating money laundering.
DNB doubts whether banks and payment institutions are able - as a part of their controlled business operations and integrity of policies - to take the appropriate measures for transactions or clients that involve virtual currencies.

A meteorite or a pebble in the virtual currency pond?
With the statement being just published it is too early to tell whether this is a meteorite that effectively wipes out the virtual currency business in the Netherlands or whether it is merely a pebble that aims to ensure that all virtual currency businesses doing business in the Netherlands ensure full identification and transaction monitoring.

My best guess is that the strong wording is used to stress the urgency and degree of concern that the Dutch bank supervisor has on this matter. So anyone operating in the Dutch environment better take this to heart.

Wednesday, May 28, 2014

The Euro Retail Payments Board: first meeting and outlook

On Friday, the 16th of May, the Euro Retail Payments Board (ERPB) held its first meeting (with this agenda) in Frankfurt. The ERPB is the successor to the SEPA Council, which aimed at realising the SEPA-project. Whereas the SEPA Council was co-chaired by the ECB and the European Commission, the chair of the ERPB is Yves Mersch, Member of the Executive Board of the ECB.

First Meeting
The first meeting was dedicated to agreeing on the mandate, functioning and work plan of the ERPB. The ERPB Members decided to set up a working group on post-migration issues relating to the SEPA credit transfer and SEPA direct debit schemes as well as one working group on pan-European electronic mandate solutions for SEPA direct debits. In addition the ERPB acknowledged and asked the Cards Stakeholder Group (CSG) to carry out a stock-taking exercise and devise a work plan with respect to card standardization.

The ERPB further discussed the expansion of the SEPA Direct Debit scheme (SDD) with a non-refundable (one-off) direct debit. It was agreed that the EU legislators would be asked to clarify legal refund-conditions when evaluating the Payment Services Directive and that a possible scheme would be launched only after this review was complete.

In order to further investigate the future use of pan-European electronic mandates for SDD, the ERPB set up a separate working group. Finally, the EPC presented the latest update on the migration to SEPA. Whereas the migration to credit-transfers was very close to completion, there remained work to be done for direct debits. The ERPB called upon all stakeholders in the euro area to complete their migration to SEPA payment instruments as early as possible and before the deadline.

Outlook for the ERPB
The launch of the European Retail Payments Board marks a new starting point for discussing the future of European payments with all stakeholders involved. The inclusion of payment institutions and e-money industry can add considerable value given their different approach and background. These providers live and breathe Internet-based technology, seek EU-standardisation and do not have similar legacy-systems as the banks. I expect this to lead to fruitful debates and exchange of insights.

Some observers may cite the lack of legislative powers as a disadvantage of the ERPB. Others may wonder if it is possible to achieve results in a body that only meets twice a year. I would submit however that in ten years' time, the sceptics will look back in surprise to see how the ERPB has positively shaped the outcome of the European debate on retail payments. The Dutch experience with similar standing committees (see this separate blog) demonstrates that there is a lot of unlocked potential that lies in the trust and bonds that will be formed and shaped by this collective effort.



Wednesday, April 23, 2014

FCA kicks the Securepay-can down the road...

In March 2014, the FCA, the prudential supervisor for UK based payment institutions and e-money providers, outlined that it would not be strictly assessing the compliance with the Securepay Recommendations on the security of Internet Payments. This announcement was quite interesting as in February 2014, the Forum also published an assessment guide that assists payment service providers with the implementation of these Recommendations by February 2015.

FCA Statement:
We have decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.

The updated Payment Service Directive will enter into effect at the earliest by mid 2016. It will assign the European Banking Authority with the task of further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.

Kicking the security-can down the road
It is interesting to note that the FCA seeks a pragmatic middle ground. It carefully states that it finds security an important issue while at the same time outlining that it will wait for a solid legal basis to assess the security of retail payments. In doing so it effectively kicks the tricky security can down the road.

I can well understand the FCA desire to kick this can. The Securepay recommendations on security lead to quite some questions in their practical application for different technologies (see the blog here). On top of that, the detailed prescriptions on the basis of the new Payment Services Directive may lead to further rules that limit the choices that market entities can make to achieve a certain level of security.

Rather than confuse the market with layering requirements which quickly follow each other, the FCA apparently chose to wait and see, hoping that the final rules on security for retail payments may become more balanced.

It will be interesting to see if other supervisors follow suit.




Sunday, March 16, 2014

ECB provides outlook on retail payments in Europe at EPCA-conference

Pierre Petit, deputy director general (payments and market infrastructure) of the European Central Bank, has outlined the ECB’s views on European retail payments. He made his remarks at the EPCA Summit 2014, where he defined the role of the European Retail Payments Board (ERPB) and the follow-up on the SecurePay recommendations on access to payment accounts.

New players to be part of drive towards integrated European payments market
The ERPB is to become a forum for driving the further development towards an integrated European payments market in the post-SEPA situation. Petit confirmed that the first meeting of this group is to take place in May, and new industries such as e-money providers and payment services institutions are to join in these discussions, along with other representatives of both consumers and providers.

The ERPB will aim to further stimulate the development of the European retail payments market by working together on topics such as innovation and integration. The group will identify and address strategic issues and work priorities, including business practices, requirements and standards. Issues could include the development of a single e-mandate solution or the improvement of interoperability between national e-payment schemes.

Security requirements for payment account access services
The ECB announced that it would this month publish the responses and the results of the consultations on security for payment access to the accounts. The publication would be for information only, given that the European Banking Authority will be providing guidelines on security measures under the revised Payment Services Directive.

Although the ECB does not want to impose formal requirements as there is a risk that the EBA could take a different position, it is likely that the two-factor authentication model of the SecurePay forum will remain the norm for retail payments account access services and mobile payments.

Thursday, February 27, 2014

Mount Gox tumbles off the learning-curve

This week, Mount Gox, a very large provider of bitcoin services, could no longer live up to its service agreements with bitcoin users. It provided exchange and storage services for bitcoins, but due to a technical implementation flaw, the bitcoin holdings of users were compromised. Essentially it wasn't clear who really owned the bitcoins. The website went black and users can no longer claim their bitcoins.

Tumbling off the learning curve
I view the failure of Mt Gox as a logical consequence of the learning curve that bitcoin holders and bitcoin companies face. The bitcoin, although considered decentralized, is just as centralised a system as any other value transfer mechanism. However, for ideological reasons, the developers chose to only describe the technical heart of the system (the algorithm) leaving the rest up to the market.

This open source code approach has some advantages, among which a very speedy development of applications. Yet, we are for some time now witnessing what it means if systems lack a central authority or scheme manager. There is no entity taking responsibility and chasing users or companies because they don't abide by:
- usage conditions (demanding user identification),
- security requirements and certification of tools,
- specific legal frameworks.

As a result we have seen a whole community of interested companies and users climbing up the payments, banking, investments and monetary learning curve. The inevitable consequence is that those who do not get it right, will pay a price, while the others continue to learn. Due to the digital nature of bitcoin, these developments unfold rapidly, allowing us a compressed overview of lessons from financial history.

Frijda's theory of money (1914)
The essential lesson at stake is that the usage of any value transfer mechanism does not just rest on its acceptance by users, but just as well on the rules and regulations that underlie the value transfer. In 1914, the Dutch lawyer Frijda analysed this topic in his dissertation on the theory of money. At that time discussions emerged on the nature of banknotes. Did they have value because they were exchangeable for bullion, because they were defined as legal tender or because the public used and accepted them?

Frijda pointed out that the underlying legal framework that safeguards property in a society constitutes a necessary precondition for the use of payment instruments. Without such safeguards, people will tend to stick to other stores of value rather than attaching value to local bank notes. Until today this effect is clearly visible: consumers tend to hold and use foreign cash or commodities if they live in a country with a lot of corruption, a weak system of justice and an unstable monetary climate.

Trust is built by institutions and markets
What makes money tick is a solid institutional basis, upon which trust can be further developed. The latter part can be done by a combination of regulation (supervision) and self-regulation (market action). Which brings us back to the Mt Gox case.

Following the events of this week, a statement was released by the bitcoin companies Coinbase, Kraken, BitStamp, Circle, and BTC China. The industry leaders commit to safeguarding the assets of customers, to applying strong security measures, to using independent auditors to ensure integrity of their systems and to having adequate balance sheets and reserves to be able to ensure continuity.

In sum we can now see a gradual development of both the institutional framework for virtual currencies and the market-driven self-regulation. This reflects the fact that - whether you like it or not - trust for financial services is always built on institutions, regulations and self-regulation.

Wednesday, February 19, 2014

The bitlicense: current state of thinking in New York

A week ago, the New America Foundation organised a meeting (Cryptocurrencies, the new coin of the realm) on the topic of virtual currencies and regulation in New York. Some news bulletins picked up on the meeting and the future New York Bitlicense regime. The good thing is that the New America Foundation has streamed the whole event, so it allows me (and you) to listen first hand to the speech by Benjamin M. Lawsky, Superintendent of Financial Services, New York State Department of Financial Services (DFS).



I will outline some of the highlights of his contribution below as I think that the New York discussion represents a good example of the issues at stake when it comes to regulation of Bitcoin. I expect to further touch on those issues in my contribution to the Bitcoin Pre-conference expert session of the EPCA-summit in Brussels (March 12-13).

Open source code currencies and open source code regulation
In his speech, Lawsky outlines the current remit of the NY Department of Financial Services. It acts as the supervisor for money transmission companies in New York. The DFS starting point is therefore that in some instances dealing with virtual money may effectively constitute money transmission, which needs to be regulated. This is similar to the approach in the FinCEN guidance of one year ago.

The New York regulator chose to emulate the open source code approach of virtual currencies. And thus, Lawsky refers to the DFS-approach as 'open source code regulation': regulation based on a public exchange of thoughts, allowing the best insights to be used. Given their current remit, the main idea is to see where the money transmitter rules need to change in order to suit the nature of virtual currencies.

As for the further process in 2014, Lawsky explained that the DFS will move towards further regulation this year and will most likely hold a market consultation for the proposed regulatory framework for companies that want a so-called 'bit-license.'

What will the bitlicense be like?
When listening to the speech, my impression is that the core fundamentals of the bitlicense will be:
- very strong customer disclosure, requiring companies to outline that transactions are irreversible and that the digital currency may be very volatile,
- a strict adherence to know-your-customer requirements, essentially demanding that anti-money laundering rules are adhered to,
- a robustness/capital requirement, ensuring that the company will be able to withstand some of the market shocks that may occur when dealing with volatile digital currencies/commodities,
- safety and soundness requirements, ensuring a certain quality of operations and consumer protection.

As for the nature of capital and collateral requirements, the DFS is still wrestling with the concept of virtual currencies. This has to do with the angle and object of regulation. While it is easy to require capital safeguards for banks that deal with attracting and lending money, this is harder to apply for companies that issue, distribute or redeem virtual currencies.

Similar questions arise when defining the scope of transaction monitoring. Should only the purchase and redeem-transactions be subject to rules or does the supervision extend to a full transaction logging of all transactions with the virtual currency? Should those transactions be in a public ledger and to what extent can they be anonymized?

Step-up regulatory approach with a safe harbour
Although the DFS is still contemplating its exact licensing regime, I expect it to also contain a safe harbour provision. This would allow companies that comply with customer disclosure and know-your-customer rules, to continue to operate, while further obtaining the full bitlicense. Such a regime would assist in lowering the barriers for virtual currency platforms/traders/exchanges and create an easy entry towards the proper regulatory regime.

Lawsky outlined that the regulator prefers companies to be in his state and regulated, rather than driven off-shore. A safe harbour rule helps achieve that and fits a model where a light-weight, low-barrier entry model is developed to prevent legitimate providers from leaving the jurisdiction, while creating a sufficient barrier for the illegitimate players in the market. This is also a realistic approach considering the alternative channels for illegitimate behaviour: cash and banks. In the words of Lawsky:
'Let's be frank: a lot more money has been laundered through banks than through virtual currencies'

Boldly go where no man has gone before?
I commend the DFS for their open minded approach to the topic of regulation of virtual currencies. I do disagree however with one of the remarks of the Superintendent. He outlined that regulators are in new and uncharted waters when it comes to virtual currencies.

I don't think they are.

Since time immemorial, people have used all kinds of symbols, coins and means of representation of goods that worked fine for transferring ownership of property. We created a number of laws and institutions to ensure these property rights and a fair treatment of parties to certain contracts. In doing so we were able to move from coins to paper-based money to deposit accounts. At the same time we created digital representations of shares, bonds, IOUs and agreed that ledgers at private companies and government institutions could officially represent a claim on goods, services, bits of land, anything.

Then, when it comes to new forms of money, we also have recent experience. In the late 1990s we witnessed a very similar type of discussion on bank supervision and specialised supervision regimes for new forms of 'electronic-money' as it was called in those days. It took some time and deliberation to get to grips with pre-paid digital representations of fiat-currencies, but we found our way in the end.

The challenge: finding the right regulatory framework
The true challenge is to first consider the fundamental nature of virtual currencies and then determine the appropriate regulatory framework. In essence, the DFS is doing the reverse as their starting point is their existing legal competence as supervisor of money transmitter businesses. While there is a lot of logic to it, it might be useful to reconsider alternative types of regulation that exist.

It's my hunch that perhaps an exchange/trade oriented regulatory framework might make more sense as the basis for regulation than the money transmitter framework. So that is what I will explore in my next blog.

Tuesday, January 28, 2014

Towards a more flexible approach of authentication

In July last year, the European Commission published a proposal for a revised Payment Services Directive (PSD). The proposal draws on the work of the SecuRePay forum of supervisors and requires ‘strong customer authentication’ when a payer initiates an electronic payment transaction.

Strong authentication
Strong authentication is defined as a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others, and the procedure is designed in such a way as to protect the confidentiality of the authentication data.

The concept of strong authentication is in itself nothing new. What is new however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate. This allows for a system wide supervisory review of risks and security measures.

The current approach in both the envisaged PSD and Recommendations of the supervisors in Europe is however to take out and stress one element of the risk/security puzzle. This approach may turn out to be counterproductive and an impediment to achieving retail payments that are as secure, efficient and as frictionless as possible.

Different market approaches to customer authentication
Traditionally the banking sector and card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the Internet were then being developed as an add-on to the basic design.

More recently, Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) have entered the payments value chain using the Internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.

There is still much to gain by combining the expertise of both the “classic” and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point; this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context. But that is not all.

Stuck with two-factor customer authentication?
The analytical flaw that underlies the SecurePay recommendations is its strong focus on too detailed a part of the business and security process: customer authentication. Of course this is quite an important element of the transaction process, but the overall security of (mobile) retail payments is always achieved by a proper combination of security measures.

Customers, devices, processes and issuers should all be authenticated properly. And a risk control structure does not rest on authentication alone but on a wide array of logical and functional controls. These controls may sometimes be labeled 'fraud detection' and fall outside the definition of strong authentication, but the quality of the risk prevention that they achieve can be just as good as that of one of the classic factors.

It is evident that new authentication measures and security challenges are being used and developed to achieve a level of security in retail payments which is contingent on the risks that are relevant in the user-transaction-device context. We can witness this in the bank, card, Internet and mobile payment domain. As these developments occur, it is unwise to freeze one detailed building block of security measures into a regulatory requirement. This will skew the market into less efficient and more cumbersome customer experiences, while technically not necessarily safeguarding a strong level of security.

In particular the mobile domain allows for a wide array of additional capabilities to achieve the security levels that supervisors desire. It would therefore be wrong to make the low-value threshold of the PSD the dividing line between strong and alternative customer authentication measures. A better approach is to link the degree of authentication to the degree of risks and the further security measures that are in place. This will allow the market to develop solutions that achieve both ease of use to the consumer and the desired level of security.
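The difference between a value threshold and a risk-linked decision can be made concrete with a short sketch. This is an added example, not part of the original post: the signal names follow the contextual information listed earlier, while the weights, cut-offs, threshold value and sample payments are constructed assumptions.

```python
from dataclasses import dataclass

VALUE_THRESHOLD_EUR = 30.0  # constructed placeholder for a low-value limit

# Constructed weights for the contextual signals named in the post.
WEIGHTS = {
    "ip_blacklisted": 60,      # industry blacklist hit
    "geo_mismatch": 25,        # geo-location inconsistent with earlier sessions
    "ip_pattern_anomaly": 20,  # unusual IP address pattern
    "new_device": 20,          # device not seen before for this customer
    "off_profile": 15,         # deviates from the customer's existing profile
}

@dataclass
class Payment:
    amount_eur: float
    ip_blacklisted: bool = False
    geo_mismatch: bool = False
    ip_pattern_anomaly: bool = False
    new_device: bool = False
    off_profile: bool = False

def threshold_policy(p: Payment) -> str:
    """Value threshold only: the interaction context is ignored."""
    return "strong" if p.amount_eur > VALUE_THRESHOLD_EUR else "alternative"

def risk_score(p: Payment) -> int:
    score = sum(w for name, w in WEIGHTS.items() if getattr(p, name))
    # Amount is one input among several: 5 points per full 100 EUR, capped at 25.
    return score + min(int(p.amount_eur // 100) * 5, 25)

def risk_policy(p: Payment) -> str:
    """Authentication strength follows the assessed risk."""
    score = risk_score(p)
    if score >= 60:
        return "decline"
    return "strong" if score >= 20 else "alternative"

# Constructed sample payments.
SAMPLES = {
    "250 EUR, usual device and location": Payment(250.0),
    "12 EUR, new device, geo mismatch": Payment(12.0, geo_mismatch=True, new_device=True),
    "5 EUR, blacklisted IP": Payment(5.0, ip_blacklisted=True),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label}: threshold={threshold_policy(p)} risk={risk_policy(p)} ({risk_score(p)})")
```

The threshold rule steps up the routine 250 EUR payment and waves through both low-value payments, while the risk-linked rule does the reverse.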

A more future-proof approach
It is not unlikely that the envisaged inclusion of a detailed requirement on strong customer authentication may distort the current market developments rather than allow for further innovation and market development. A more future-proof approach is desirable.

In my view such an approach would be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. In addition it would be good to recognise that the quality of some of the security measures which are often labeled 'fraud detection' may have become such that they achieve a similar level of security as the traditional authentication factors.

We should also allow alternative authentication mechanisms to be used, dependent on the risk involved, rather than a certain value threshold. It would then be up to the supervisors to make the context-based and risk-based assessments on the whole array of security measures as a part of their supervisory reviews.

This approach should ideally be complemented by excluding today's specific definitions of strong authentication from the wording of the Payment Services Directive and replacing them with a generic reference to the relevant security recommendations.

The result would then be a clear and flexible framework of security requirements in Europe that sets the boundaries within which the market can further innovate and develop.