Faster and Slower Payments
We often hear about a “layer 2” for cryptocurrency payments, but bank payments need a layer 2 as well.
Dateline: Paris, 18th September 2024.
More than once in recent weeks I’ve had people ask why I am interested in digital currency, account-to-account transfers and decentralised finance. More than once, they’ve said something along the lines of “payments work well” or possibly even “the payments sector is cost-effective and provides excellent value for money”. I am unconvinced. Here are my last three payments. You can judge whether you think that the payments industry is working well or not.
Payments in Practice
First, I needed to send some money to a friend of mine (who I have sent money to before) for sundry purposes of no relevance to the narrative. I decided to use instant payments (or what we in the UK call “faster payments”). I opened up my bank app and entered his account details. The confirmation of payee came back good, so I pressed the send button. I was just about to text him and tell him that I’d sent the money when a message from the bank popped up to tell me that they would be carrying out security checks so that my payment might be delayed. They said that they “usually” finish the checks and send the money within four hours, although it might take until the end of the next working day. (In fact they called me after about three hours to complete the security checks and allow the transfer.)
In case you are wondering what this hold-up is all about, remember that the UK was first into instant payments, with the Faster Payment System (FPS), and therefore first into instant fraud, which is out of control. FPS was launched in May 2008 and is a deferred net settlement scheme that allows for near real-time transactions among participating financial institutions. In contrast to traditional bank transfers that could take days, FPS aimed to process payments within seconds: 24 hours a day, seven days per week including weekends and bank holidays. My bank was proposing to hold the transaction up for a day but now, because of the sheer volume of fraud, the government is proposing to allow institutions to delay outbound payments for up to four business days.
Welcome to the SPS, the Slower Payment System. Colour me sceptical as to whether this will reduce fraud, because when the bank phones to ask “are you sure this isn’t a fraud”, the customer has already been convinced that she really loves him, that the Rolls Royce is really only £1,000 or that they really are helping Scotland Yard to catch a gang of international money-laundering drug dealers.
(There is a current FCA consultation on the changes to the Payment Services and Electronic Money Approach Document to support new legislation to tackle fraud that include the extended delay.)
with kind permission of Helen Holmes (CC-BY-ND 4.0)
For my second transaction, I needed to pay a bill. I’d forgotten about it and the business concerned sent me a polite reminder letter with a link to their payment portal. It was quite straightforward: I just clicked on the link, typed in my name and address, and date of birth (for “security”), and chose the name of the business from a pop-up menu, entered the invoice number and the account number from the letter, then entered my card number, expiration date and CVV. Simple. In no more than five or ten minutes I was done.
Finally, I needed to pay a medical bill from a surgeon. I found the sort code and account number from the e-mail I’d been sent, which bothered me because the email was not encrypted or signed, so there may have been a business e-mail compromise (BEC) fraud underway. As a precaution I phoned up to check that these were the right bank details. I was assured that they were and I entered them, got a red message that the details did not match, went back and double-checked and realised that I'd typed in the account number incorrectly, re-entered it and then got confirmation of payee and told the bank to send the money. Then I had to go and find my wallet to enter my debit card number, expiration date and CVV. Fortunately the bank considers people in the medical profession much less of a risk than my friend and so there was no security check, even though I’d never sent money to this particular account before.
In every one of these interactions, the payment part was time-consuming, inconvenient and error prone.
A Better Way
So what should have happened? Well, in every case I should have received a request-to-pay (R2P). That is, the person requesting the money should have used their accounts package or banking app or Shopify or whatever to generate a request for funds that would come through a standard service to my designated R2P app (for most people this would I’m sure be their mobile banking app) and then with a single biometric authentication at my end either paid, refused or delayed. End of. No typing and retyping, no security checks, no using cards for confirmation.
All of the security and privacy infrastructure that is needed to make this work safely and efficiently would then be hidden from view and it would be the infrastructure, not the customer, that had to check the bank details, the digital signatures on the encrypted invoices and the credentials of the recipients (e.g., IS-A-DOCTOR, HAS-REAL-ESTATE-LICENCE and so on).
With a supportive financial infrastructure like this in place, my friend would send his request for payment, the bank would check the digital signatures on the request and do their security checks before the request ever shows up in my app. When the business sends me the invoice to pay, I will never even see the invoice unless the bank has already verified that the request comes from an authorised officer at a legitimate business.
When the doctor wants his bill paid, his secretary will send me an R2P. Paying my medical bill would then have been straightforward. The request reminder shows up on my phone, I use FaceID to authenticate and the bill gets paid via the default channel (instant payments). If I want to, I could select an alternative channel such as Dogecoin or a prepaid card or buy-now-pay-later or whatever, but in the general case I won’t bother, and in any case I will delegate such a decision to my smart wallet because I can’t be bothered to work out whether the card rewards are worth more than the merchant rewards or the bank rewards, but my bot can.
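As an added illustration of the screening step described above (not code from the author or from any R2P scheme): a bank-side check that verifies the payee's signature, registered account and credential before a request would reach the payer's app. The message fields, the registry and the Ed25519 keys are assumptions made for the example; only the credential names come from the text.

```javascript
// Added illustration: bank-side screening of an incoming request-to-pay (R2P).
// Field names, the registry layout and the keys are hypothetical.
const { generateKeyPairSync, sign, verify } = require("crypto");

// Constructed key pairs: one for a registered payee, one for an impostor.
const doctor = generateKeyPairSync("ed25519");
const impostor = generateKeyPairSync("ed25519");

// Constructed registry the bank trusts: payee id -> public key, verified
// account details and attested credentials.
const registry = new Map([["payee:dr-example", {
  publicKey: doctor.publicKey,
  account: "00-00-00 12345678",
  credentials: new Set(["IS-A-DOCTOR"]),
}]]);

// Bytes covered by the signature, in a fixed field order both sides share.
function canonical(r) {
  return Buffer.from(JSON.stringify(
    [r.payee, r.account, r.amountPence, r.currency, r.invoice, r.expires]));
}

// Payee side: sign the request before it enters the R2P service.
function signRequest(req, privateKey) {
  return { ...req, sig: sign(null, canonical(req), privateKey).toString("base64") };
}

// Bank side: only a request with deliver === true would be shown in the
// payer's app for a single pay / refuse / delay decision.
function screenRequest(req, requiredCredential, now = Date.now()) {
  const entry = registry.get(req.payee);
  if (!entry) return { deliver: false, reason: "unknown payee" };
  const sig = Buffer.from(req.sig || "", "base64");
  if (!verify(null, canonical(req), entry.publicKey, sig))
    return { deliver: false, reason: "bad signature" };
  if (req.account !== entry.account)
    return { deliver: false, reason: "account mismatch" };
  if (!entry.credentials.has(requiredCredential))
    return { deliver: false, reason: "missing credential" };
  if (req.expires <= now) return { deliver: false, reason: "expired" };
  return { deliver: true, reason: "ok" };
}

// Constructed sample: a medical bill valid for one day.
const bill = { payee: "payee:dr-example", account: "00-00-00 12345678",
  amountPence: 25000, currency: "GBP", invoice: "INV-0001",
  expires: Date.now() + 86400000 };
console.log(screenRequest(signRequest(bill, doctor.privateKey), "IS-A-DOCTOR"));
```

Because the account number is inside the signed bytes, bank details altered in transit fail the signature check instead of reaching the payer for manual re-typing.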
Layer 2
Direct account-to-account payments are growing everywhere. Brad Goad, Chief Revenue Officer for Matera, a Brazilian bank tech company that offers instant payment software, says that merchants will drive the adoption because "they have the most to gain" from a more streamlined payment system, but you can see from Visa and Mastercard’s announcements and acquisitions that they think this too. Data Bridge Research predict that instant payments will account for one in three of all consumer transactions globally by 2029, but the promise of a more secure and lower cost payments infrastructure will not be realized unless we can counter fraud more effectively.
It seems to me that R2P and its cousin VRP (variable recurring payment) are the desperately needed “layer 2” for payments that embeds digital identity in transactions. Frankly, we should be moving to a point where R2P and VRP are how consumers interact with the infrastructure. In this case, regulators can allow payments to proceed without delay and with compensation in the case of fraud.
Of course, people should still be allowed to do payments using instant payments directly, but in that case the payments would be subject to delay and the compensation in the case of fraud would be strictly limited.
This could be the way to cut the Gordian knot around competition, convenience and compensation that the UK is trying to deal with right now, where the Payment Systems Regulator (PSR) consultation on reducing the maximum level of reimbursement for authorised push payment fraud from £415,000 to £85,000 (an arbitrary figure set to match the bank deposit protection limit and nothing to do with the payments problem, but one which covers some 99.8% of all such frauds) closes today, with the new limit in effect from 7th October 2024.
Given the hundreds of millions that payment service providers will be paying out in compensation following this change, the business case for mass-market (and perhaps even cross-border) layer 2 looks unanswerable.
Thoughtful.. but most consumers want their bank involved in helping them manage the risk. Consumers don't want speed and finality, they want trust and recourse. No one wants to pay their bill faster.. with the rare exception of emergency bill payments.. Trusted person to person payments can take place in real time in most geographies today, and the number of times you set up a "new" payee is rare.
1) Visa Direct provides the ubiquitous engine with the CX of a real time payment. The bank shows the money has gone in or out.. and consumer has recourse.
2) for the Doc you wanted to pay.. we get a text message with the doc's web site. Use our card with Apple Pay and done. The trust is in doc's domain and credentials to log in and see the bill. Then payment takes no time at all.
3) RfP is a good use case and I am in favor of that for RTP schemes. I see recurring billers moving this direction if there is no incremental price. That's the problem in US w/ TCH. Banks are selling instant availability of funds with RfP at a significant premium. As a biller I'm not paying 2% when there was no cost to do it that way before. Advanced supply chain businesses don't want RfPs because they must first match the invoice to the terms and to the receipt and acceptance of goods. They also pay on their own timeline.