Historians may look back at 2018 as a pivot point for the U.S. banking system. Just a decade after the nadir of the 2008 financial crisis, this year will likely be remembered as the beginning of a new era in payments and customers’ control of their financial data, as well as a year in which banks began to take on a new role as trusted stewards of data security and privacy. It is no exaggeration to say that these changes are the culmination of years of effort, development, and technological investment in tools and systems that will serve as the foundation of American commerce for generations. And remarkably, these efforts are driven by a partnership between the public and private sectors rather than government mandates.
One of the most potentially transformational changes to the U.S. financial landscape has been the late-2017 launch of the RTP network, the real-time payments platform from The Clearing House (TCH). After years of discussion, real-time payments in the U.S. are now a reality. With payments occurring in seconds and accompanied by rich data, the RTP network – the first completely new payment system deployed in the U.S. in 40 years – is poised to move the nation’s payment system toward faster payments by 2020, the stated goal of the Federal Reserve’s Faster Payments Task Force. While some have argued that existing batch-oriented ACH networks that settle payments over a one- to three-day window could be adapted to help move the industry toward this goal, these networks are over 40 years old and not functionally equipped to handle the rich data that is associated with secure faster payments. The rapidly expanding RTP network, however, can meet this objective handily. Additionally, as part of the task force, RTP was evaluated against many other existing payment systems and FinTech applications, and RTP was found to have the best combination of speed, functionality, and security across all evaluated options.
Meanwhile, after more than a decade of high-profile data breaches that compromised millions of accounts, along with ongoing debate in the media about various approaches for controlling and protecting financial data, the use of consumer financial data is poised for a major shift. With “open banking” regulations such as Europe’s PSD2 requiring banks to enable application programming interface (API) access to consumer bank account data, and voluntary industry-led efforts in the U.S., the control of financial data is quickly becoming a consumer-driven exercise – rather than bank- or FinTech-driven. With or without regulation to require it, the combination of APIs and tokenization, a technology that masks financial data for every transaction, will profoundly change the privacy and security landscape.
FASTER PAYMENTS TODAY
Faster payment systems are proliferating rapidly all over the globe. As of September, 40 faster-payment systems had been implemented worldwide, up from 25 only a year ago. Five more programs are under development, and another 16 are expected to go live within the next year and a half.
Many countries have gotten a head start in the march toward real-time payments thanks to nationwide government mandates. The U.S. has no such mandate – in fact, the Federal Reserve lacks the authority to enact one – but the Fed has pushed for change through its Payment System Improvement project, which officially began in 2015. The project has convened a wide swath of industry stakeholders – banks of all sizes, processors, vendors, FinTechs, and more – to come up with ideas for a faster, more secure payment system in the U.S., with a goal of nationwide, ubiquitous service by 2020.
TCH’s RTP: ONE YEAR LATER
The Clearing House and its owner-banks foresaw the need for real-time payments and began to develop the RTP network in 2014. The new system has clearly tapped into considerable pent-up demand. The RTP network, which is open to all banks, currently includes eight banks, accounting for 25% of U.S. transaction accounts. By year’s end, 14 banks will be on the RTP network, which will reach almost 50% of U.S. transaction accounts. That number is expected to balloon quickly as core providers such as Jack Henry and FIS go live with their interface to the RTP network in the second half of 2019, providing a means for their customers (thousands of smaller financial institutions) to join the RTP system. Additionally, TCH is actively working with bankers’ banks and corporate credit unions to explore ways in which these entities can provide services to smaller institutions to help them use the RTP network. The RTP network is on track to meet the ultimate goal of reaching nearly all endpoints – ubiquity – by the 2020 target.
RTGS: A NEW CONTENDER FROM THE FEDERAL RESERVE?
In October, the Federal Reserve issued a request for comment on two potential new Fed services. The first, a tool for financial institutions to move money between Federal Reserve accounts during off hours, would facilitate liquidity management for payment systems such as the RTP network. The other, however, is more controversial. The Fed is considering the development of a real-time gross settlement (RTGS) service that would provide 24/7 clearing and settlement of payments in real time. In other words, the Fed is considering launching a real-time payment service that will provide payment capabilities that are similar to the RTP network. The Fed is seeking public comments on the proposal through December 14.
THE FUTURE OF REAL-TIME PAYMENTS: UBIQUITY BY 2020?
The timing of this announcement threatens to slow down industry momentum and put the 2020 deadline for ubiquity in jeopardy for several reasons:
TIMING: If the Fed decides to plan, develop, and launch its own new payment network, the undertaking will take years.
ADOPTION: Banks that are currently in the process of joining TCH’s RTP network may wait to see what the Fed does before finalizing applications that can take advantage of the expanded functionality on the RTP network, slowing down the very ubiquity the Fed desires.
FRAGMENTATION: Interoperability between the two systems cannot be presumed. Developing interoperability between two real-time systems, where clearing and settlement take place instantaneously, is a significantly more complex and operationally risky endeavor than, for example, developing interoperability in the ACH network, where final settlement is delayed. If the RTGS service is not interoperable with the RTP network, it could fragment real-time payments in the U.S. and, thus, prevent ubiquity. In Europe, for example, the real-time system operated by the European Central Bank does not interoperate with the real-time system offered by the private sector. Alternatively, to achieve ubiquity without interoperability, financial institutions would need to join more than one real-time network.
The Fed’s announcement that it may develop its own system has the potential to significantly delay the U.S. payment industry’s movement to real-time payments. Even so, banks and other stakeholders can take heart: as faster payment systems proliferate worldwide, businesses are demanding the same capabilities here in the U.S., and the market will have to answer. Businesses will want the competitive edge that the RTP network provides them, and they will want more choices among payment types. The RTP network is the ideal payment mechanism for many use cases, especially when speed and/or additional payment information is a priority. For banks, the RTP network’s capabilities will become expected, and businesses will move to banks that offer them. The Fed’s potential introduction of a new standard may delay the goal of ubiquity, but it will not diminish businesses’ appetite and need for real-time payments.
DATA AGGREGATION: KNOWLEDGE IS POWER
Along with the changes in payments brought by the RTP network in 2018, this year has also seen a shift in the way the banking industry controls, uses, and protects customers’ financial data. The financial services industry is increasingly driven by data and all of the ways it can be used to help customers. Banks are not the only ones that use that data, of course; increasingly, FinTechs are leveraging data aggregators by collecting customer data (with their permission and on their behalf) to offer innovative new financial tools and services. Customers are willing to allow access to their private data because the services they receive are valuable, but as this model proliferates, concerns are growing about data use and protection.
CONCERNS ABOUT PRIVACY
Banks, regulators, and customers are all concerned about how financial data is collected, deployed, shared, and secured. Recent high-profile data breaches at Equifax and Facebook have only intensified these concerns and have helped spur regulatory action here and abroad. In May, the European Union enacted its sweeping General Data Protection Regulation (GDPR), which stipulates that consumers in the EU’s 28 countries must explicitly consent to having their data collected and processed; and in June, California enacted its Consumer Privacy Act of 2018, which gives consumers the right to know what information companies like Facebook and Google are collecting, why they are collecting it, and with whom they are sharing it.
Even as consumers are worried about the possible misuse of their financial data, they lack adequate knowledge about how this data is collected and shared. In the first quarter of 2018, TCH surveyed more than 2,000 U.S. banking consumers and found that one-third use at least one FinTech app, nearly 90% are concerned about data privacy and data sharing, and a majority (56%) want to be able to control access to their information.⁴ Most of these consumers think that they understand and can control how third parties access, collect, use, and share their data, but they lack awareness of FinTechs’ actual data aggregation practices. For example, when told that FinTechs’ terms and conditions agreements often gain consumers’ consent to use their data for purposes other than operating the app, almost half (47%) of consumers surveyed said that they would be less likely to use those apps.
In what is largely good news for banks, these consumers see their banks as the most trusted provider of data security and expect banks to protect their personal information. This trust, however, can be a double-edged sword; if a consumer suffers a breach of privacy, the bank often gets the blame, whether or not it bears responsibility. It is in banks’ own best interest, then, to continue to do all they can to protect their customers’ data.
TECHNOLOGICAL SOLUTIONS
Fortunately, a number of technological solutions are gaining ground in protecting consumer data. One such solution, tokenization, involves the use of special, limited-purpose codes, known as tokens, in lieu of actual account numbers in mobile and online payments. In short, tokenization replaces sensitive data with nonsensitive data during transaction processing. Tokenization prevents malware from capturing customer account numbers, because account information is never present on the systems or devices where malware is present. Even if a system at a retailer or third-party processor is compromised, the digital token is useless to criminals because the customer’s account number remains securely stored in firewall-protected bank data vaults.
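The sketch below is an added illustration of the tokenization model just described, not code from The Clearing House or any card network. The `TokenVault` class, the domain names, the sample account number, and the reading of "limited-purpose" as "bound to one merchant or wallet" are all assumptions made for the example.

```python
import secrets

class TokenVault:
    """Bank-side vault: the only place a token maps back to an account number."""

    def __init__(self):
        self._entries = {}  # token -> (account_number, domain the token is limited to)

    def provision(self, account_number, domain):
        """Issue a random, same-length numeric token usable only by `domain`."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in account_number)
            # The token must not equal the real number or collide with a live token.
            if token != account_number and token not in self._entries:
                break
        self._entries[token] = (account_number, domain)
        return token

    def detokenize(self, token, presenting_domain):
        """Return the account number only if the token is live and in its own domain."""
        entry = self._entries.get(token)
        if entry is None or entry[1] != presenting_domain:
            return None  # unknown, revoked, or replayed outside its domain
        return entry[0]

    def revoke(self, token):
        """Retire one token after a breach; the underlying account number is unchanged."""
        self._entries.pop(token, None)


def simulate_retailer_breach():
    account = "4000001234567890"  # constructed sample number, not a real account
    vault = TokenVault()
    token = vault.provision(account, "retailer-a")
    retailer_db = {"customer-1": token}  # all the retailer ever stores
    stolen = retailer_db["customer-1"]   # what malware on the retailer's system sees
    results = {
        "account_in_retailer_db": account in retailer_db.values(),
        "legit_use": vault.detokenize(token, "retailer-a") == account,
        "replay_elsewhere": vault.detokenize(stolen, "retailer-b"),
    }
    vault.revoke(stolen)  # bank response: retire the exposed token
    results["after_revoke"] = vault.detokenize(stolen, "retailer-a")
    results["reissued_ok"] = vault.detokenize(
        vault.provision(account, "retailer-a"), "retailer-a") == account
    return results


if __name__ == "__main__":
    print(simulate_retailer_breach())
```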
TCH has been a pioneer in tokenization. Further, TCH recently partnered with card networks such as Mastercard and Visa to provision and manage Mastercard and Visa-branded tokens on behalf of banks for use in mobile wallets. TCH’s tokenization technology is production ready and will be market ready and offered through several banks by the end of this year or early 2019. Tokenization technology, more broadly, has the potential to replace actual account numbers (credit cards, bank accounts), regardless of the payment instrument used and is an effective way to protect customer account data and help prevent fraud without affecting the customer experience.
APIS AND OPEN BANKING
Another, farther-reaching solution for payments security is the use of APIs, which allow banks to share information with data aggregators and other third parties in a much safer way than the “screen-scraping” that is typically used to gather financial data today. With APIs, consumers do not have to share their login credentials for their bank accounts. Hence, banks, regulators, prominent digital players, and FinTechs are coming together to advocate for the use of APIs as a safer, more efficient way for banks and FinTechs to share account data and facilitate innovation. API-based account aggregation solutions reduce not only risk but operating costs, too.
The use of APIs enables “open banking,” in which financial institutions provide APIs to third-party developers, who then build applications and services on those APIs. Open banking has been mandated in the EU and U.K. through government edicts. Here in the U.S., leading-edge banks are adopting it as a secure, fast way to innovate. Open banking’s potential benefits are not insignificant: better customer experience, more-efficient data sharing, reduced operating expenses for banks, and potential new revenue streams. Moreover, by adopting API-enabled product applications, more banks can participate in the scale economies of the industry’s biggest players because big banks could open up their product applications to other financial institutions to rebrand and resell.
While the push toward open banking will require significant technology and process change across banks, data aggregators and third parties, as with the RTP network, the benefits in terms of innovation and improved safety and soundness for consumers, banks, and data aggregators will likely make open banking inevitable. Ever-evolving technology combined with consumer demand for secure, frictionless, and digitized services will drive the U.S. banking system toward open banking and APIs.
A DIFFERENTIATING ROLE FOR BANKS
Open banking and the widespread collection and analysis of consumer data do pose some existential threats to the banking industry. At worst, today’s retail banks could become mere “balance sheets” and “pipes” for information and transactions while other players create value in connecting with the customer. More optimistically, though, banks could attain new heights in scale and competitive pricing.
Perhaps even more promising is the potential opportunity for banks to become exactly what consumers are seeking: a trusted advocate for their data security and privacy. As noted, consumers trust and expect their banks to keep their information safe. Perhaps better than any other player in the industry, banks are ideally positioned to serve a vital role in balancing technological advancement against consumers’ privacy interests by ensuring that data access supports the benefits to which consumers and service providers have agreed.
In this role, banks can take several actions, including: 1) educating consumers about how their data is used, 2) working to develop standards and guidelines for data use, 3) promoting secure technologies, such as APIs, and 4) ensuring that aggregators and FinTechs are held to sufficient standards in terms of how they are using and storing customer data. They could even consider developing products or tools that would help consumers to control access to their data.
THE FUTURE IS IN CUSTOMERS’ CAPABLE HANDS
The future of payments is about giving customers more choices and advocating for their needs. RTP will become an indispensable arrow in a bank’s quiver of payment options as businesses discover their value and begin to call for real-time service. The Fed’s RTGS system might temporarily slow U.S. advancement toward faster payments, but ultimately market demand will drive the industry forward.
In data aggregation and security, trust will become banks’ most valuable asset as they answer consumers’ desire for greater privacy. Banks can become a bulwark against the “Wild West” of online data aggregation and work alongside consumers – and with FinTechs – as trusted partners in protecting consumer data. Banks are aligning with consumers in pushing for market solutions that ensure consumers have the final say in how their data is shared, and they can work with data aggregators to ensure the proper balance between security and convenience.
The brave new world of payments and banking is upon us, with many of these advancements coming together to form meaningful change in 2018. Ultimately, whether through the RTP network or increased data privacy and security, banks and their customers are still at the forefront.