2019 was a pivotal year in the reshaping of the financial services and payments industries. The changes now underway are likely to continue for several years.
New alliances began to be forged and new leaders will emerge in the battle for the consumer. The incumbents in payments and identity know this and are already advancing to head off the competition.
Simply put, we are seeing heavyweights in payments advancing into identity and the early leaders in identity attempting to bolster their positions by expanding into payments. We saw Apple entering the identity provider race with Apple ID; it also tried its hand at banking, launching Apple Card with Goldman Sachs. And of course, there was Google’s checking product, Amazon Pay, Facebook Pay, and Libra.
The announcement of Libra, most would agree, did not go to plan. But it was perfectly in line with the way things are going, especially since the prize it was attempting to snatch isn’t so much leadership in consumer payments as control of identity provision.
Identity is the Front Line in the Fight for Consumers
Controlling identity is like holding the keys to a consumer’s safe containing invaluable data, which is significant in an era where credentials are often used and shared across numerous sites. This means that the entities that control consumers’ identity are gatekeepers managing access to that consumer — they can reach out and give consent to share information with external parties, they can revoke access and they keep track of trusted sites where a consumer is signed in automatically.
In banking this is a big consideration. Financial institutions may not be a place where consumers store photos or messages, but they hold access to a customer’s entire financial existence.
In the payments space, there has been an equal degree of upheaval. EMVCo’s Secure Remote Commerce (SRC) was launched in the U.S. SRC is EMVCo’s big play to get closer to the consumer. As with Libra, SRC plays into the race to capture the market for identity. In parallel, Mastercard has just launched ID, a universal digital identity service that’s less about transactions than interactions.
Other standards like FIDO and OpenID Connect are gaining traction, which should help drive innovation and cooperation in identity. FIDO was probably the biggest winner in 2019, with WebAuthn, a web standard central to the FIDO2 Project, taking hold, including quite startlingly at Apple and EMVCo. European regulators have also signaled their approval of it as a form of strong customer authentication.
New Red Flags to Watch Out for
Some of these identity standards are complex specifications that require a lot from merchants and financial services providers to understand, implement, and certify. (EMVCo, for example, now has three standards: tokenization, EMV 3-D Secure, and SRC.) The networks will offer acceleration kits to help and fintechs have a role to play in easing the burden too. Still, getting all of these up and running by the end of 2020 may be too daunting a goal for many institutions.
This is something of a red flag for the networks. Alternative payment rails have multiplied over the last few years and some merchants may go with them to avoid the complexity that the networks are adding. Zelle and Venmo found success in the U.S., and you can expect ramped-up competition in peer-to-peer and peer-to-business payments with simpler integration and other benefits for network participants and users.
Reversing years of consolidation, we can expect a proliferation of payments options in 2020 as each network competes on real-time processing, integrated loyalty, lower fees, or other benefits, and new players explode onto the scene. At least one of the recent mega-mergers (FIS and Worldpay, Fiserv and First Data, Global Payments and TSYS) will lead to the launch of a closed-loop payment system in 2020. Wasn’t the pursuit of network efficiencies after all part of what made those acquisitions so attractive to shareholders?
The Identity Space Is Growing Fast
The identity space will see projects become a lot more concrete with individual initiatives taking shape and big industry players marking out their positions. One of the payments networks will make a big play for control of consumer identity — they are already offering banks the option to delegate their authority to merchants for payment authentication. This situates the networks advantageously, with a view of the consumer from both the merchant’s and the issuer’s ends.
This will be a highly lucrative market. If an identity provider, like a card network, can get customers to sign onto its identity platform, the network is, in effect, taking identity provisioning away from the banks. They can monetize their access to customers’ data by offering access to other financial services providers (merchants, insurance, etc.), and they won’t need the bank anymore, enabling them to hold all the revenue. Currently, banks hold customers’ identity. Soon, a card network might.
A wide range of players will vie for dominance, but these will consolidate over a few years into just a couple of winners.
Open banking is the biggest change in this area, broadly speaking, and arguably the prime catalyst. A headline-grabbing collaboration between a third-party provider and a bank would provide a model for rapid adoption and increased revenue for the benefit of both parties and the consumer — thus realizing the regulator’s intent. But until we have these case studies, open banking will continue to be regarded as a threat by banks and an empty catchphrase by consumers.
Expect More Impactful Regulation
The “final” PSD2 deadline came and went in September in Europe. What looked like a non-event had involved enormous effort and much angst behind the scenes. As many expected, the European Banking Authority issued an extension.
So it seems that SMS one-time passwords will eke out an existence into the third decade of the twenty-first century as the default institutional answer to PSD2’s strong customer authentication requirement. You can forgive banks resorting to a stopgap in the rush to comply, but with SIM-swap attacks taking off, there is no better time to invest in more advanced techniques for obtaining consumer approval.
Meanwhile, consumer concern over privacy and data protection will continue to mount with increased oversight by consumer watchdogs. Governments will pass more legislation to protect individuals from businesses playing fast and loose with their personally identifiable information (PII) — look at Europe’s GDPR, South Africa’s POPI, and California’s CCPA.
The effects of all this regulation will be far reaching. The Brave web browser, for example, is getting a lot of attention for its privacy-first approach. More established browsers like Google Chrome are preparing to close the PII tap too. They will shortly disable a number of user tracking features in response to commercial and regulatory pressure, with more significant consequences than those annoying cookie disclaimers. A lot of functionality on the internet relies on this tracking — and not only to sell us things.
Digital security and data privacy don’t always sit on the same shelf. 3-D Secure and Secure Remote Commerce depend on payment networks and card issuers tracking user activity to combat card-not-present fraud while providing frictionless checkout experiences.
The biggest challenge in this area is still multi-factor authentication (MFA): combining a something-you-know factor (like a password) or a something-you-are factor (a biometric) with a something-you-have factor (like a phone).
The problem, however, is that device fingerprinting, the usual way of establishing that something-you-have factor in a browser, does not do a good job. It is possible to copy or replay a device fingerprint. At the same time, browsers are shutting down fingerprinting capabilities in favor of greater user privacy.
There are, of course, entirely secure and private means of assuring user identities online when you really need to know. Various techniques are available and being used in interesting combinations. Some of the better-known ones are FIDO authenticators backed by hardware keystores: Apple’s Secure Enclave and Android’s TEE can generate and store keys in hardware-backed environments. Modern browsers can now do this too, through WebAuthn, where a private key is created on the device and cannot be copied off it.
So, the techniques to cryptographically prove possession are now available on most client endpoints, and can be used as a privacy-friendly, copy-protected way to establish a device’s identity. Financial institutions will want to acquaint themselves with these technologies as standard browser fingerprinting becomes a thing of the past. Indeed, any organization preoccupied with security and convenience in equal measure will be looking for new solutions in this area.
Avoiding Customer Confusion Key for Banks
New developments are coming thick and fast. Many consumers will be confused, not knowing whom to trust or what interactions are safe and what are not. Banks will have to work harder than ever to streamline digital experiences so that they appear simpler and more consistent to their customers, never exposing them to the maelstrom of change the industry itself must contend with. Financial institutions inspire the greatest trust, but they have to deliver on the user experience too. If they don’t, the techfins and other challengers will claim more of their business.