Ledgers and innovation in banking

I was flicking through the New Scientist magazine from 29th November 1956 when I came across a very interesting article on the digitisation of banking, a subject of great current interest. The article has a very useful diagram for those of us who wonder how exactly it is that banks manage customers’ accounts using computers.

How things work at banks

I don’t know which bank this is, probably TSB, but in any case it is what the article says about digitisation that I found interesting. Apparently, it’s all to do with something called “ledger management”. The article gives a helpful example, explaining how “when a bank clerk first accepts a cheque, he prints on it with something like a typewriter a note of the amount in magnetic ink, all subsequent operations—sorting, listing and entering in ledgers—can be done without human assistance”.

Reading further on, I discovered that you can have different kinds of ledgers that work in different ways. The author notes that this is only one way of “ledgering automatically” and that the “choice of a system depends on how far one is prepared to go: whether automatic book-keeping is to be done only at head office, whether in this case the accounting for all the branches, or whether branches will have their own equipment or to be grouped around sub-centres”. The same centralisation versus decentralisation of ledgers argument continues to this day.

The article continues by noting that banks do not seem to be making as much of this interesting new technology as they might and that “what may prove to be more serious is the determination to cling to time-honoured procedures”. Well, yes indeed. This is just what Anthony Jenkins meant when he said that banks had yet to be disrupted by new technology (shortly before he was fired as Barclays CEO). And if you think those “time-honoured procedures” are fading, you’re dead wrong, since 95 percent of ATM transactions still pass through COBOL programs, 80 percent of in-person transactions rely on them, and over 40 percent of banks still use COBOL as the foundation of their systems.

There’s no point using blockchain, or any other shared ledger technology, to implement these existing processes. The way forward, in banking at least, is to use the new technology to implement new ways of doing business. There’s a good argument for thinking that the central co-ordination mechanism for these new ways of doing business might well be trust. Speaking at Davos, way back in 2015, Marc Benioff (the CEO of Salesforce) said that “Trust is a serious problem, we have to get to a new level of transparency – only through radical transparency will we get to radical new levels of trust.”

I could not agree more. I think he is absolutely spot on. This is why I have been focusing on the use of new technologies (and specifically biometrics, blockchains and bots) to create a different kind of financial services infrastructure. I spoke about this earlier in the year at the Digital Jersey Annual Review [YouTube, 24 minutes] and have pushed a similar message out to a number of different audiences since then.

When I talk about radical transparency, I don’t mean it as a vague slogan. I come from the tech side of things, so I interpret it to mean specific technological changes. This is the environment of what I have taken to calling “the glass bank” for short because it is an infrastructure of radical transparency. It is a platform for financial markets that exhibits ambient accountability using translucent transactions with trading built on reputation and regtech. This is an infrastructure that reduces the overall cost of the financial markets that sit on it, thus benefiting the economy as a whole. We finally have the chance to build something that looks different to the vision of a bank shown above, so let’s not use all of our amazing new technologies just to simulate what we had back in 1956.

Transactions, hoards, stashes and exports

In 2016, cash was used for 44% of all consumer transactions in the UK. That was down from 50% the previous year and from 68% a decade earlier. Victoria Cleland, Chief Cashier at the Bank of England says that the value of notes “in circulation” has been increasing year on year for the past decade or so and that “we are still seeing growth in total demand for cash”. This seems puzzling, considering that this year the UK will see 13.4 billion debit card payments (of which a third will be contactless) but only 13.3 billion cash payments (according to PaymentsUK).

 Studio 34

Now, as it happens, Victoria and I were both guests on the BBC’s flagship personal finance programme Moneybox last month [you can listen to the show here]. We’d been invited to take part in a phone-in about the trend to the cashless society, along with Andrew Cregan (Head of Payments Policy at the British Retail Consortium). The topic had been triggered by the head of the Swedish central bank calling for a pause in Sweden’s rush to cashlessness. At the end, Victoria and I rather agreed on the need to have a strategic conversation about cash at the national level. The issue in Sweden is that cashlessness is just happening: it’s not part of a plan that addresses the issues associated with a cashless economy (eg, inclusion). In the UK, we can learn from this.

But back to the steady growth in notes “in circulation”. The trend growth of cash in circulation running ahead of GDP growth isn’t a UK phenomenon. The amount of cash “in circulation” around the world has gone from 7% of GDP in 2000 to 9% of GDP in 2016. On the show, I couldn’t resist an oblique snark about what these notes are being used for (ie, money laundering, tax evasion and so on) since they aren’t being used to buy things.

That’s right. Banknotes, statistically, are not being used to buy things. Cash is no longer primarily a means of exchange. The latest figures from the Bundesbank show that nine out of every ten euro banknotes issued in Germany are never used in payments but hoarded at home and abroad as a store of value. Not “rarely”. Not “infrequently”. Never. The notes are not in circulation at all but are stuffed under mattresses.

Similarly, down under, the Reserve Bank of Australia (RBA) Bulletin for September 2017 notes that the value of notes “in circulation” has gone up 6% per annum for the past decade while the use for payments has collapsed (from two-thirds of consumer payments down to one-third) over the same period. It goes on to note that higher cash usage may be concentrated in “groups not included in the survey of consumers (who may well use cash more often than the average consumer)” as well as the shadow economy.

Aha. The shadow economy.

A couple of years ago I was at an event where Victoria said that only about a quarter of the cash the Bank puts into circulation is for “transactional purposes”. I wrote a comment piece on it for The Guardian at the time, so I thought it might be interesting to review and update my comments using the Bank of England’s four-way categorisation of the demand for cash, which is that cash is required for:

  1. Transactions. Here the trends are clear. Technology is a driver for change but the impact is weak. In other words, new technology does reduce the amount of cash in circulation, but very slowly.

  2. Hoards. These are stores of money legally acquired but held outside of the banking system, like the 300 grand that Ken Dodd used to keep in his loft. If the amount of cash that is being hoarded has been growing then that would tend to indicate that people have lost confidence in formal financial services or are happy to have loss, theft and inflation eat away their store of value while forgoing the safety and security of bank deposits irrespective of the value of the interest paid.

  3. Stashes. These are stores of money illegally acquired or held outside the banking system to facilitate criminal behaviour. My personal feeling is that stashes have grown at the expense of hoards.

    In a fascinating paper by Prof. Charles Goodhart (London School of Economics) and Jonathan Ashworth (UK economist at Morgan Stanley), they note that the ratio of currency to GDP in the UK has been rising and argue that the rapid growth in the shadow economy has been a key cause. If you look at the detailed figures, you can see that there was a jump in cash held outside of banks around about the time of the crash, but as public confidence in the banks was restored fairly quickly and the impact of low interest rates on hoarding behaviour seems pretty marginal, there must be some other explanation as to why the amount of cash out there kept rising.

    Two rather obvious factors that seem to support the shape of the curve are the increase in VAT to 20% and the continuing rise in self-employment (this came up a couple of times in comments to that Guardian piece by the way), both of which serve to reinforce the contribution of cash to the shadow economy.

  4. Exports. The amount of cash that is being exported is hard to calculate, although the Bank itself does comment that the £50 note (which makes up a fifth of the cash out there by value) is “primarily demanded by foreign exchange wholesalers abroad”. I suppose some of this may be transactional use for tourists and business people coming to the UK, and I suppose some of it may be hoarded, but surely the strong suspicion must be that a lot of these notes are going into stashes.

If, as I strongly suspect, the amount of cash being stashed has been growing then the Bank of England is facilitating an increasing tax gap that the rest of us are having to pay for. Cash makes the government (i.e. us) considerably worse off. In summary, therefore, I think that the Bank’s view on hoarding is generous and that it is the shadow economy fuelling the growth in cash “in circulation”. Hence my point that it is time for the Bank of England to develop an active strategy to start reducing the amount of cash in circulation, starting with the abolition of the £50 note as well as ending the production of 1p and 2p coins (almost half of which are never used in a transaction before being returned to the banking system or simply thrown away).

As it happens, the future of those coins and that note is the subject of a current HM Treasury “consultation”. I urge all of you of sound mind to reply to the consultation and hasten their abolition here.

Identity at the sharp end

There’s a bit of a row going on about Twitter, Facebook, social media in general and bots. It’s a serious issue. Democracy was invented before bots and doesn’t seem to work terribly well in their presence, so in order to restore peace, low taxes and the tolerable administration of justice we need to do something about one or the other. Many people seem to think that we should do something about bots. The noted entrepreneur Mark Cuban, for example, caused some debate recently by saying that…

He’s wrong about the real name, because anyone familiar with the topic of “real” names knows perfectly well that they make online problems worse rather than better. He’s right about the real person though. Let me use a specific and prosaic example to explain why this is and to suggest a much better solution to the bot problem. The example is internet dating, a topic on which I am a media commentator. Or at least I was once. 

A few years ago, I appeared on a programme about internet dating on one of the more obscure satellite TV channels. They wanted an “internet expert” to comment on the topic and since no-one else would do it, eventually the TV company called me. I agreed immediately and set off for, if memory serves, somewhere off the M4 in West London. The show turned out to be pretty interesting. I didn’t have much to say (I was there to comment on internet security, which no-one really cares about), and I can’t remember much of what was said, but I do remember very clearly that the psychologist at the heart of the show made a couple of predictions. While interviewing a couple who had met online, she said (and I am paraphrasing greatly through the imperfect prism of my memory) that in the future people would think that choosing a partner when drunk in a bar is the most ludicrous way of finding a soulmate, and that internet dating was a better mechanism for selecting partners for life. Now it seems that this prediction is being confirmed by the data, as the MIT Technology Review reports that “marriages created in a society with online dating tend to be stronger”.

The psychologist’s other prediction was that internet dating gave women a much wider range of potential mates to choose from and allowed them to review them in more detail before developing relationships. Of course, internet dating also increases the size of the pool for men, but I think that her thesis was that men don’t seem to make as much use of this as women do. Anyway, the general point about the wider pool now seems to be showing up in the data, assuming that interracial marriages are a reasonable proxy for the pool size. When researchers from the National Academy of Sciences looked at statistics from 1967 to 2013, they found “spikes” in interracial marriages that coincided with the launch of online matchmaking sites.

Why am I telling you all this? Well, it’s to make the point that internet dating is mainstream and that it is having a measurable impact on society. This is why it is such a good use case at the sharp end of digital identity. It is rife with fraud, it is a test case for issues around anonymity and pseudonymity, it is a mass market for identity providers and it is a better test of scale for an identity solution than logging on to do taxes once every year. Now, I am not the only person who thinks this and there are already companies exploring solutions. And you can see why they want to: online dating is a huge business. A third of the top 15 iOS apps (by revenue) were dating apps.

So. How to bring the benefits of digital identity to this world. One way not to do it is the Mark Cuban way of demanding “real” names. Last year, the dating platform OKCupid announced it would ask users to go by their real names when using its service (the idea was to control harassment and promote community on the platform) but after something of a backlash from the users, they had to relent. Why on Earth would you want people to know your “real” name? That should be for you to disclose when you want to and to whom you want to. In fact the necessity to present a real name will actually prevent transactions from taking place at all, because the transaction enabler isn’t names, it’s reputations. And pretty basic reputations at that. Just knowing that the apple of your eye is a real person is probably the most important element of the reputational calculus central to online introductions, but after that? Your name? Your social media footprint? (Look at the approach of “Blue”, a dating service for Twitter-verified-users-only.)

I don’t think this is a solution, because if I were to be on an internet dating site, I would want the choice of whether to share my name, or Twitter identity, or anything else with a potential partner. I certainly would not want to log in with my “real” name or any information that might identify me. In fact, this is an interesting example of a market that does not need “real” names at all. “Real” names don’t fix any problem. Your “real” name is not an identifier, it is just an attribute and it’s only one of the elements that would need to be collected to ascertain the identity of the corresponding real-world legal entity anyway. Frankly, presenting “real” names will actually make identity problems worse rather than better since the real name is essentially nobody’s business and is not necessary in order to engage in the kinds of transactions that are being discussed here. Forcing the use of real names will mean harassment, abuse and perhaps even worse.

What internet dating needs, and what will solve Mark Cuban’s social media problem as well, is the ability to determine whether you are a person or a bot (remember, in the famous case of the Ashley Madison hack, it turned out that almost all of the women on the site were actually bots). On Twitter it’s not quite that bad yet, because there are still many people posting there, but with bot networks of 500,000 machines tweeting and re-tweeting it is not in good shape. The way forward is surely not for Twitter to try and figure out who is a bot and whether they should be banned (after all, there are plenty of good bots out there) but for Twitter to give customers the choice. Why can’t I tell Twitter that I don’t want bot followers, that I want a warning if an account I follow is a bot, that I don’t want to see posts that originated from bots that I don’t follow and so on? Just as with internet dating, the problem is not real names but real people.

Now, working out whether I am a person or not is a difficult problem if you are going to go by reverse Turing tests or Captchas. It’s much easier to ask someone else who already knows whether I’m a bot or not. My bank, for example. So, when I go to sign up for an internet dating site, then instead of the dating site trying to work out whether I’m real or not, the dating site can bounce me to my bank (where I can be strongly authenticated using existing infrastructure) and then the bank can send back a token that says “yes this person is real and one of my customers”. It won’t say which customer, of course, because that’s none of the dating site’s business and when the dating site gets hacked it won’t have any customer names or addresses: only tokens. This resolves the Cuban paradox: now you can set your preferences against bots if you want to, but the identity of individuals is protected.

One of my acid tests of whether a digital identity infrastructure is fit for the modern world is whether it can offer this kind of strong pseudonymity (that is, pseudonyms capable of supporting reputations). If we can construct an infrastructure that works for the world of internet dating, then it can work for cryptocurrency, cars, children and all sorts of other things we want to manage securely in our new always-on environment. We have to fix this problem, and soon, because in the connected world, if you don’t know who IS_A_PERSON and who IS_A_DOG and who is neither, you cannot interact online in a functional way.
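The bounce-to-the-bank flow and the "strong pseudonymity" test described above can be sketched as follows; this is an added example, not code from the post or any bank's API. The class and claim names are hypothetical, and a per-site HMAC key stands in for whatever signature scheme a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class Bank:
    """Hypothetical attribute provider: knows its customers, names nobody."""

    def __init__(self, name):
        self.name = name
        self._pseudonym_secret = secrets.token_bytes(32)  # never leaves the bank
        self._rp_keys = {}     # relying-party id -> shared MAC key
        self._customers = {}   # customer id -> legal name, held only here

    def register_relying_party(self, rp_id):
        self._rp_keys[rp_id] = secrets.token_bytes(32)
        return self._rp_keys[rp_id]

    def add_customer(self, customer_id, legal_name):
        self._customers[customer_id] = legal_name

    def attest_person(self, customer_id, rp_id, nonce, now=None, ttl=300):
        """Issue a token; call only after strong customer authentication."""
        if customer_id not in self._customers:
            raise KeyError("not a customer")
        now = int(time.time()) if now is None else now
        # Pairwise pseudonym: stable at one site, unlinkable across sites.
        seed = json.dumps([rp_id, customer_id]).encode()
        sub = hmac.new(self._pseudonym_secret, seed, hashlib.sha256).hexdigest()[:32]
        claims = {"iss": self.name, "aud": rp_id, "sub": sub,
                  "is_a_person": True, "nonce": nonce,
                  "iat": now, "exp": now + ttl}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._rp_keys[rp_id], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64e(tag)


class RelyingParty:
    """Hypothetical dating site: stores pseudonyms and reputations, no names."""

    def __init__(self, rp_id, key, issuer):
        self.rp_id, self._key, self.issuer = rp_id, key, issuer
        self._pending = set()  # nonces handed out, each usable once
        self.accounts = {}     # pseudonym -> reputation record

    def start_signup(self):
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return nonce

    def accept(self, token, now=None):
        """Return the pseudonym if the token is valid, otherwise None."""
        now = int(time.time()) if now is None else now
        try:
            body, tag = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None            # forged, altered, or meant for another site
            claims = json.loads(_b64d(body))
        except ValueError:
            return None                # malformed token
        if claims.get("iss") != self.issuer or claims.get("aud") != self.rp_id:
            return None
        if claims.get("is_a_person") is not True:
            return None
        if not claims["iat"] <= now < claims["exp"]:
            return None                # not yet valid, or expired
        if claims.get("nonce") not in self._pending:
            return None                # replayed or unsolicited
        self._pending.discard(claims["nonce"])
        self.accounts.setdefault(claims["sub"], {"reputation": 0})
        return claims["sub"]


if __name__ == "__main__":
    bank = Bank("constructed-bank")                       # constructed sample data
    key = bank.register_relying_party("dating.example")
    bank.add_customer("cust-001", "Alice Example")
    site = RelyingParty("dating.example", key, "constructed-bank")
    token = bank.attest_person("cust-001", "dating.example", site.start_signup())
    print("pseudonym:", site.accept(token))
    print("replay   :", site.accept(token))
    print("site DB  :", site.accounts)
```

Because the pseudonym is the same on every visit to one site, reputation can accumulate against it, while a breach of `accounts` exposes only pseudonyms that mean nothing at any other site.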

Germany is an outlier

The G4S World Cash Report came out and I was e-leafing through it when it struck me once again just how much Germany is an outlier when it comes to retail payments. The average German wallet contains 103 physical euros, the European Central Bank (ECB) estimated last year, more than three times the figure in France. Bloomberg says that cash is used in 80% of German point-of-sale (POS) transactions, compared with only 45 percent—and falling fast—next door in the Netherlands. I think they must mean 80% by value because the FT says that 48% of retail transactions are in cash (down from 58% a decade ago).

Perhaps it is that Germans are just naturally conservative people. The Roman historian Tacitus (55-117CE) wrote in his history “Germany and its Tribes” that the barbarian inhabitants of that land had traditionally exchanged weapons, slaves, cattle, women and such like to settle up between themselves but that the Romans had introduced them to money. Having changed their medium of exchange once in the last two millennia, perhaps they just don’t want more change for change’s sake. Or perhaps there is another explanation. The use of cash in retail is falling slowly and we all know that Germans prefer to keep some of their money as cash at home rather than in the bank, so maybe much of the cash “in circulation” there just isn’t.

Given the suspicion that much of the cash in Germany is stuffed under mattresses rather than circulating in the economy, it was still rather surprising to hear from the Bundesbank that nine in ten of the euro banknotes that they issue are never used in transactions. That’s right: nine in ten. Approximately all of the cash printed in Germany is never used. Not rarely, not occasionally, but never. So this led me to wonder whether this huge volume of never used banknotes is in “hoards” (that is, legitimate money held outside of the banking system) or in “stashes” (that is, illegitimate money held outside of the banking system). Can it really be that the German predilection for holding some of their money in the form of cash accounts for these billions of euros in inert paper money?

Well, because of the current unusual circumstances with respect to interest rates and so forth, it’s certainly a plausible hypothesis. The European Central Bank (ECB) interest rate for bank deposits is currently minus 0.4%. Conventional economic theory would predict that at a minus rate, depositors would prefer to hold cash rather than pay the banking system to look after their money for them.

(One of the reasons why economists are interested in getting rid of cash is in order to allow the interest rates to go further into negative territory in order to stimulate economic activity over hoarding.)

Now, it clearly costs something to manage cash over and above the cost of managing an electronic deposit hence it is interesting to speculate what the German “crossover” negative interest rate might be, the modern version of the old “specie point” at which it was cheaper to hold bullion for monetary purposes rather than paper instruments.

The current negative interest rate costs German banks about a quarter of a billion euros per annum. The Bavarian Savings Bank Association sent around a circular to their members some time ago setting out their calculation of the crossover rate, which they calculated as something like -0.2%, or half of the current negative rate. However, as I wrote at the time, this isn’t really a serious calculation because, as it says at the end, it doesn’t take into account the significant costs of cash in transit (CIT) or the additional security expenditure that would be needed to guard cash hoards. But it does make a fun point, at least to me, which is that the existence of the €500 notes has an impact on that crossover rate. Now that the ECB has decided to stop printing the 500s, banks will have to store masses of 200s, so the cost of storage and transport will be higher (which, in turn, will put a premium on the 500s in circulation so that they will trade above par). Just as an indication, two billion euros in 200 euro notes weighs about 11 tonnes.

While that calculation may not be complete, it does make the interesting point that although we have passed the crossover point already, no banks have to date decided to store their squillions under the mattress rather than leave them on deposit. It seems to me therefore that the Bavarian estimates must be too low and that the costs of transport, security, insurance and so on are actually quite high, so the ECB will be able to push interest rates further negative before it gets close to a genuine crossover point that would see banks investing in larger mattresses.

Trading and hard currencies

Talking about central banks and digital / crypto / virtual (* delete where applicable) currency, I was interested to read (in the Russia Today Business News) of an initiative to create a joint digital currency for BRIC countries and the Eurasian Economic Union (EEU) that has been proposed by the Central Bank of Russia, according to its First Deputy Governor Olga Skorobogatova. She is reported as saying that “The introduction of a national digital currency seems to us not entirely justified from the point of view of macroeconomics” (presumably because as Russia is still quite cash-intensive the costs might not be justified and the benefits too concentrated). I can see why the alternative suggestion of a cross-border digital currency set up between trading partners would have much wider benefits.

This is not a new idea. As I discussed in my book “Before Babylon, Beyond Bitcoin“, some years ago the then-Chancellor John Major proposed a similar concept as an alternative to the euro which at the time was labelled the hard ECU (and ignored). The hard ECU would have circulated alongside existing national currencies. It would be used by businesses and tourists. It would never exist in physical form but still be legal tender (put to one side what that actually means) in all EU member states. Thus, businesses could keep accounts in hard ECUs and trade them cross-border with minimal transaction costs, tourists could have hard ECU payment cards that they could use through the Union and so on. But each state would continue with its own national currency — you would still be able to use Sterling notes and coins and Sterling-denominated cheques and cards — and the cost of replacing them would have been saved.

(As an aside, it wasn’t John Major’s idea. It had its origin a few years before in a 1983 report of the European Parliament on the European Monetary System, the EMS. The proposal was supported at the time across the political and national groups in the parliament.)

The idea of an electronic currency union to facilitate international trade has new resonance. While Bitcoin captures the media attention, there are a great many other possibilities: new community currencies, brand-based plays, commodity baskets and goodness knows what else. All of these make it an exciting time to be in the electronic money business, but they also make it unpredictable, which is why it is fun. As I say in the book, we’re not looking at a world in which some kind of new global currency takes over, but a world in which a great many communities choose the currencies that are most efficient for themselves. As it happens, one of those communities could be the European Community! Noted political theorist Marine le Pen herself has said that she could see the EU setting up another currency “like the ECU”. I’m sympathetic, obviously, because the idea of restoring the Franc while simultaneously creating a new pan-European currency makes economic sense.

If anything, however, Ms. le Pen’s proposal is not really that radical. Why have nation-state control over money at all? Why not allow regions to have their own currencies? Why not use Normandy Money? Why not have pan-national currencies? Or Islamic e-Dinars? I’m on the same page as “The Futurist Magazine” here. In September 2012, as part of a compilation of pieces about life in 2100, they said that it is quite likely that we will still have money in 2100, but it may not be issued solely by nation states. I couldn’t agree more.

Madame First Deputy Governor Skorobogatova is, incidentally, far from alone in wondering about new digital currencies at this level. Christine Lagarde, head of the International Monetary Fund (IMF), gave a talk on “Central Banking and Fintech” in September last year in which she said that digital currencies (of the kind proposed by Madame First Deputy Governor) could actually become more stable than fiat currencies. She says that they could be issued against “a stable basket of currencies” (a hard SDR?) but I would extend that suggestion to a token based on a basket of commodities (or, indeed, a mixture of both) or some other “root” with long-term stability.

It’s one thing to have crackpot technologists such as me talking about augmenting and perhaps even replacing national currencies, but when people who are actually in charge of money start speculating about the same, then you do have to suspect that some things are about to change.

The token Saga

As I explained to the Financial Services Club in London recently, I have a theory that while Bitcoin isn’t the future of money, tokens might well be. In case you are interested, here’s the deck I presented to them: it’s in three parts, first of all a high-level explanation of what tokens are, then a discussion about using tokens to implement money and finally a model to help facilitate discussion around these topics.

 

Of course, I’m not the only one who thinks that the financial services mainstream should be developing their token strategies. At Money2020 Asia in Singapore I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). Jonathan has already forgotten more than I will ever know about financial markets and as he is also Chief Innovation Officer at Ping An (and a very nice guy too), I take his views very seriously. When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

Dave Birch and Jonathan Larsen

 

Photo courtesy of Fintechcowboys.cz

He went on to say that he had no doubt about the potential for tokenisation to “reduce friction across every asset class and to create fractionalization of assets where it does not exist today”. In fact, and I paraphrase only slightly here, he said that when the token market is properly regulated and the technology is stable then everything will be tokenised.

Wow.

Why do people like Jonathan (as opposed to techno-deterministic utopians such as myself) think that tokens are such a big deal? I think it’s because tokens are the first viable implementation of the 1990s dream of digital bearer instruments with the “code is law” (sort of) management infrastructure. They allow for the exchange of assets in an auto-DvP (delivery versus payment) mode with no clearing or settlement, which makes for efficient, liquid markets.

Now, one of the first steps towards a regulated token market has come from the Swiss regulators (who are important because of the Zug “crypto valley” that has become the home of many token plays). The regulator there, FINMA, has developed an approach based on the underlying purpose of the tokens that are created. FINMA categorises tokens into three types: Payment tokens (ie, money), Utility tokens (tokens which are intended to provide digital access to an application or service) and Asset tokens (which represent assets such as stakes in companies or an entitlement to dividends). Of course, hybrid forms are possible and in practice there are likely to be a few different configurations. One good way to think about this, I think, is to think in terms of combinations of these token types as a means to implement the “digital bearer instrument” (DBI) that has long been seen as the basis of the post-internet, post-crypto financial marketplace.

DBI Schema

 

 

This is a realistic vision of the future. DBIs as a synthetic instrument comprising regulated tokens, DBI trading that operates without clearing and settlement on shared ledgers and shared ledgers with ambient accountability to create marketplaces that are not only more efficient but better for society as a whole. I touched on this in my talk at the FS Club but then went on to focus on the specific implications for digital money, as it is interesting to speculate what digital money created this way might look like.

We might, for example, imagine that for tokens to be used as money in the mass market they should be much less volatile than cryptocurrencies have been to date. Hence the notion of “stablecoins” that are linked to something off-ledger. An example of this category is the “Saga” coin (SGA). SGA has some pretty heavyweight backers, including Jacob Frenkel, chairman of JPMorgan Chase International, Nobel prize winner Myron Scholes and Emin Gün Sirer, co-director at the Initiative for Cryptocurrencies and Smart Contracts at Cornell University, so it deserves a look. This is a non-anonymous payment token that is backed by a variable fractional reserve anchored in the IMF’s special drawing right (SDR) basket of currencies which, as the FT pointed out, is heavily weighted in US dollars. These reserves will be deposited with regulated banks through algorithms in the underlying smart contract system.

It seems to me that initiatives such as Saga are more representative of the future of money than cryptocurrencies such as Bitcoin, but even they represent only part of the spectrum of possibilities that will extend across many forms of tokens. As I wrote last year, in “Bitcoin isn’t the future of money, but tokens might well be”, tokens won’t only be issued by companies, of course. It seems to me that tokens that implement the values of communities (and, because they are “smart”, can enforce them) may come to dominate the transactional space (think of the Islamic e-Dinar and the London Groat). 

Brazil? Ah, I get it…

I was as alarmed as I am sure all of you were to read a story in Computing telling how EMV cards could be cloned with malware. Now, as you might imagine, were this to be true it would be a matter of the highest priority in the world of card issuers. If EMV cards could be cloned (spoiler alert: they can’t) then the whole world of payment cards would collapse. Since I spend some of my time in that world, yet hadn’t heard anything about this catastrophic turn of events, I was naturally curious as to the accuracy of the report. Delving further into the “news” story, I found the interesting qualification that the fake cards work “on virtually any Brazilian POS system”.

Brazilian POS systems? What? Ah, wait… Now I know what they are talking about. Sadly, this yonks old hack won’t work in most places any more. But it does work in a few remaining places, and Brazil is one of them. Why? Well, because Latin America, an early adopter of EMV, is still heavily reliant on “static data authentication chips”, which allow the criminals exploiting them to create usable new chip cards with the data that they can extract.

The problem isn’t that “EMV cards” can be cloned. They can’t. The problem is the use of Static Data Authentication (SDA) in EMV. We all knew about this many years ago. In fact, although lots of people knew about this, at the time we thought it would have been irresponsible to blog about it, so I put it to one side until, stimulated by an enquiry from Brazil, I finally wrote about it back in 2014, explaining in detail what the problem was, how it was fixed and why it was no longer a worry.

So, no need to panic. Having put your mind at rest (unless you are a Brazilian card issuer, in which case my colleagues at Consult Hyperion stand ready to answer your call) I cannot resist re-telling the story that explains what the “malware” does…

Many years ago, when my colleagues at Consult Hyperion were testing SDA cards in the UK, we used to make our own EMV cards. To do this, we essentially took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). This is what the criminals referred to in the story are doing. Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.

You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered.
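The issuer-side check that stops these pseudo-clones, as an added example (not code from the original post or from any issuer): the host recomputes the cryptogram from a card-unique key and declines when the value presented does not match. HMAC-SHA256 stands in for the real EMV MAC and key derivation, and the key, PAN, field names and transactions are constructed.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed test key; a real issuer master key never leaves an HSM.
const ISSUER_MASTER_KEY = Buffer.from('00112233445566778899aabbccddeeff', 'hex');

function hmac(key, text) {
  return nodeCrypto.createHmac('sha256', key).update(text).digest();
}

// Card-unique key diversified from the PAN. Only the issuer and the genuine
// chip hold it, so data copied onto white plastic cannot include it.
function deriveCardKey(pan) {
  return hmac(ISSUER_MASTER_KEY, `card-key|${pan}`);
}

// 8-byte cryptogram binding the amount, terminal nonce and transaction counter.
function computeCryptogram(cardKey, txn) {
  const data = [txn.pan, txn.amountMinor, txn.unpredictableNumber, txn.atc].join('|');
  return hmac(cardKey, data).subarray(0, 8);
}

// Issuer host decision. verifyCryptogram: false models the issuer in the story
// that does not check cryptograms; true is the corrected behaviour.
function authorise(txn, { verifyCryptogram }) {
  if (!verifyCryptogram) return { approved: true, reason: 'CRYPTOGRAM_NOT_CHECKED' };
  const expected = computeCryptogram(deriveCardKey(txn.pan), txn);
  // Invalid hex decodes to a short buffer, which fails the length check.
  const presented = Buffer.from(String(txn.cryptogramHex), 'hex');
  const ok = presented.length === expected.length &&
    nodeCrypto.timingSafeEqual(presented, expected);
  return ok
    ? { approved: true, reason: 'CRYPTOGRAM_OK' }
    : { approved: false, reason: 'CRYPTOGRAM_INVALID' };
}

// Constructed sample transactions (the PAN is a made-up test value).
const base = { pan: '4000000000000002', amountMinor: 2599, unpredictableNumber: 'a1b2c3d4', atc: 17 };
const genuine = {
  ...base,
  cryptogramHex: computeCryptogram(deriveCardKey(base.pan), base).toString('hex'),
};
// Pseudo-clone: correct static card data, filler where the cryptogram should be.
const pseudoClone = { ...base, cryptogramHex: Buffer.from('SDAANTIC', 'ascii').toString('hex') };
// A genuine cryptogram presented with a different amount also fails the check.
const alteredAmount = { ...genuine, amountMinor: 99999 };

function runScenarios() {
  return {
    genuineChecked: authorise(genuine, { verifyCryptogram: true }).reason,
    cloneChecked: authorise(pseudoClone, { verifyCryptogram: true }).reason,
    cloneUnchecked: authorise(pseudoClone, { verifyCryptogram: false }).reason,
    alteredChecked: authorise(alteredAmount, { verifyCryptogram: true }).reason,
  };
}

console.log(runScenarios());
```

The only difference between the declined and the approved pseudo-clone is whether the issuer host performs the comparison at all, which is the point the post makes about SDA.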

We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. But I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a white plastic pseudo-clone card and went into a shop to try it out.

When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

“Cool” said the shopkeeper, “How can I get one?”.

The campaign against extreme cash is gaining momentum

I’m very much in favour of getting rid of “extreme cash”. What I mean by this is cash at the extremes of the value range: the small coins and the big notes. In the UK, this means getting rid of the coppers and the largest banknote. So… hurrah! I read that the UK government is considering phasing out 1p and 2p coins, as well as £50 notes, in a bid to tackle tax evasion, money laundering and waste.

Since I’ve been going on about this for more than two decades I’m delighted to see that the government is finally coming around to my way of thinking. I read some newspaper reports that the government is to begin consultations on the subject, but I haven’t heard from them yet and I can’t imagine who else they might consider asking, so I stand ready to answer the nation’s call as soon as it comes.

The issue of coins is a no-brainer. Back in 2014, I asked whether it is in the interests of the economy as a whole to continue to produce these small coins, saying that “I have no idea why the Royal Mint are messing about wasting our money on making 1p and 2p coins that nobody uses any more. It’s about time we recognised low-value coins for what they are. Scrap metal”. Five years ago I pointed out that in many countries, merchants and consumers alike had simply given up using small coins (such as the one- and two-cent euro coins) whether the mints produced them or not. When Nigel Lawson abolished the old halfpenny in 1984 it had a purchasing power close to the current 2p and there was no contactless. So I fully expect to see the 1p and 2p vanish, and if the government caves to the metals lobby to perpetuate them, I will be outraged.

I think the consultation around the £50 note will be more interesting, since there is “a perception among some that £50 notes are used for money laundering, hidden economy activity, and tax evasion”. I’ll say there is. Of the £ billions of notes and coins “in circulation” in the UK, which were in 2016 growing at 5.7% in a year when the economy grew by about 1.8% and the use of cash in retail transactions (retail spending grew 5.2%) was overtaken by the use of electronic payments, a fifth is in the form of £50 notes, which you never see in polite society. As I have discussed exhaustively and on many occasions, only about a quarter of the Bank of England’s notes are used for transactional purposes so these £50 notes must be disproportionately concentrated in the non-transactional (i.e., largely criminal) uses. As everywhere else, high-value banknotes are a major cause for concern. So why not make crime, terrorism, drug dealing, money laundering and bribing corrupt politicians marginally less convenient and marginally more expensive by getting rid of high-value banknotes? It is not only deranged digital money deviants like me who think this is the right path to take, by the way. This kind of thinking is beginning to percolate up to the higher echelons of the financial establishment. Mario Draghi, European Central Bank president, told the European Parliament that “we are determined not to make seigniorage a comfort for criminals”. By which he means that the stack of £50 notes underneath the Mafia boss’ pillow is earning interest for the British government. The government is, in a very real sense, living off of the proceeds of crime.

Now, I’m not so stupid that I think that getting rid of the £50 will stop crime! If the government drops the £50, then the criminals will carry on using the $100, €200 and the worst offender, the Swiss Franc. Sooner or later the law-abiding nations of the world will have to institute sanctions against the Swiss. When I last went to Switzerland I never saw a CHF note or coin: I used cards everywhere, and as far as I could see so did everyone else. Yet Switzerland has a CHF1,000. That’s right: a banknote worth $1,000. And you can spend it, too. Mind you, the Swiss have been cracking down: since 2016, you have had to show ID (how they verify the ID is beyond me) for cash transactions of $100,000 or more (Charles Goodhart, a former Bank of England policy maker, said this limit was so high that it could only be described as a joke).

Am I taking crazy pills? The Bank of England, the Swiss National Bank, the European Central Bank and the Federal Reserve should not be competing to be the currency of choice for Mexican drug lords, Albanian people traffickers and Syrian terrorist groups. So yes, let’s ditch the £50 but let’s also spearhead an international campaign to add morality to the cash issue and reduce the maximum value of the circulating medium of exchange to EUR 50, USD 50 and CHF 50. If the central banks won’t do it, then we should prosecute their governors for conspiracy to support money laundering. 

The Bitcoin rule of thirds, and what Bitcoin tells us about the future of money

In my presentation to Seamless Payments in Australia, I made reference in passing to the nature of the Bitcoin universe and how it informs thinking, so I thought I’d take the time to explore that thinking in a little more detail to explain my comments.

I don’t have the exact figures to hand, but as I understand it the Bitcoin coinbase breaks down roughly into thirds…

A third of them are lost (well, last year 23% but I think it will get worse as more people forget their passwords). This is because (like me) someone wiped their old phone wallet away and forgot to transfer it over to their new phone wallet first or because they accidentally threw away the old hard disk with all the Bitcoins on them or because the dog ate the Bitcoin cold wallet or because they died or whatever. As Jonathan Levin of Chainalysis, who I regard as the “go to guy” for tracing Bitcoins, told NPR in January: “For the people that have lost their bitcoins, I say tough luck”.

(These lost Bitcoins, as my good friend Steve Bowbrick rather eloquently observed, are like treasure in sunken galleons waiting to be discovered by an intrepid explorer in the very latest kind of submarine. Which, in this instance, would be a quantum computer. It’s not only Bitcoin tucked away in these sunken galleons, by the way. There’s half a billion dollars in Ethereum stuck in just one Ethereum address: it’s the address “0”, essentially. In July 2016 someone accidentally sent ETH 1,493, currently worth more than a million dollars to that address. And thanks to the magic of the cryptography, it will stay there until the quantum submarine can uncover it.)

Another third of the Bitcoins are in the hands of the .0001%, the cryptoscenti. Bloomberg estimated that a few hundred people at most own these Bitcoins, but I’ve heard estimates that fewer than 50 people have the lion’s share. These are the people who have every interest in driving the value of Bitcoin higher so that they can cash out at a steady rate. If they dump their coins, that will drive the price down (a row has just been going on about the sale of the Mt. Gox assets for this very reason), so they need a rising market where they can convert Bitcoin one Lamborghini at a time.

Meanwhile the other millions of Bitcoin peasants scrabble for their share of the remaining third. This distribution makes America look like a kibbutz in comparison and stands testimony to the deranged nature of utopian projections around this “digital gold” for the masses. So, to get to the question that I was asked on Sky News a few weeks ago, what does the Bitcoin market tell us about the future of money?

Nothing.

I’m not sure that the state of Bitcoin, or indeed the history of Bitcoin, tells us very much about the future of Bitcoin or money. It’s not anonymous enough for criminal enterprise on a large scale (and there is every evidence that criminals are turning to crypto alternatives) and it’s not functional enough to be a mass-market medium of exchange. If it is to remain a store of value beyond speculation then it must be useful for something and I’m at a loss as to what that something might be, although I’m perfectly prepared to believe that it’s because I grew up in an era of chip and PIN cards and ApplePay.

Does that mean that we should ignore it? No, of course not. There are many different ways to look at Bitcoin and it deserves study as much as a social and political phenomenon as it does as a technological and economic one. What’s more, it does tell us something about the future. In yesterday’s Financial Times, Benoît Cœuré and Jacqueline Loh from the Bank for International Settlements (BIS) said that “while bitcoin and its cousins are something of a mirage, they might be an early sign of change, just as Palm Pilots paved the way for today’s smartphones”.

Values, Tokens, Accounts

I agree, but in a slightly different way. I see Bitcoin and its cousins not as prototypes but as a base layer — as shown in this “thinking out loud” picture that I’ve been using to explore these ideas — that will be used by some, but not by most, people to make real transactions in the future. I think most transactions will take place at the token layer, exchanging bearer assets over an efficient (no clearing or settlement) transaction layer. And most of those transactions will be pseudonymous, but some will be linked through accounts to people and organisations. 

Seamless Sydney

So what can we guess about the future of money, given what we have learned so far? Well, as I said in my Seamless Payments presentation what we may have learned is that the token economy is a more accurate pointer toward the future of money than the underlying cryptocurrencies are, because the tokens link the values managed on shared ledgers to the “real world”. There’s a logic to this model of “the blockchain” as the security infrastructure for a token economy and I really enjoyed engaging with the good people of Sydney on this view of the emerging cryptoeconomy.

Banks and digital IDs*

In CapGemini’s “Top 10 Trends in Retail Banking 2018”, they highlight “banks leveraging digital IDs beyond authentication” as their third most important trend. As it happens, I was talking about this earlier in the week in Trondheim at Betalingsformidling 2018, where I was asked to give a talk about the open banking era and the potential responses from incumbent banks.

Trondheim 2018

Photo: Betalingsformidling 2018 / Wil Lee-Wright Photography.

Now, I suppose that to a great many of you this really won’t be any surprise, since anybody who thinks about the mechanics of commerce in a connected age must already have come to the conclusion that digital identity is core to the new economy. That’s a superficial and almost trivial point to make, but it masks great complexity because choices that are being made right now about how digital identity is going to work in the future will have a profound impact on the shape and nature of all of society.

Of course, I don’t know what identity is going to look like in the future any more than anybody else does (even if I do flatter myself that I’ve made some reasonably well-informed guesses on the topic) but I do think we ought to apply a kind of precautionary principle here. Since we don’t know how digital identity is going to work, surely we should want it to develop under the auspices of institutions that society can constrain and influence. This is why I’m so convinced that banks should be the institutions to play the leading role as we evolve the tools, techniques and even the etiquette of a reputation economy.

An obvious first step, and one that has been apparent for many years, is to federate bank identity so that it can be used in multiple places. We have many years of experience now and have seen how schemes ranging from bank ID in the Nordics to Aadhaar in India (and our own dear gov.verify) have performed in practice so we can make some informed decisions about how digital identity ought to work. We shouldn’t start from the technology, from blockchains and biometrics, and then work backwards to see what the technologists will allow us to have or what corporations will impose given the technological constraints of the day. Right now we should be discussing what society wants from digital identities and then working out what the best way to implement them might be.

To do this, we need a model that can help banks, regulators, service providers and suppliers communicate and connect so that they can develop concepts and propositions to make some form of bank-centric, potentially cross-border, privacy-enhancing, secure “Financial ID” a reality.

3DID Basic Colour ID Taxnomy Picture

Let’s start with the basic “three domain identity” (3DID) model to create a straightforward framework for understanding and discussing digital identity. Now let’s look at a real example of a bank doing some interesting work in this field. BBVA, for example, use this kind of model to map “real”, virtual and digital identities to identification, authentication and authorisation processes. BBVA describe the domains as follows (I’ve added my interpretation of what they mean with reference to a standard Public Key Cryptography, or PKC, implementation):

  • Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them. BBVA mean this in terms of Know-Your-Customer (KYC) of course, so what this means in practice is that the private key must be bound to the correct individual(s).

  • Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others).  Obviously with PSD2 this means implementation of some form of 2FA to comply with the RTS on SCA.

  • Authorization: the financial service providers (TPP) with a license to operate must be given authorization by the customers before they can access their accounts. They need to have proof of consent, which can be obtained through access tokens. I would generalise this point away from banking, as per the CapGemini comments, to talk about tokens for access to a wider range of services than simply bank accounts.

Earlier this week I posted about digital identities (as opposed to digitised identities) and made the point that since we are interested in electronic transactions, transactions that take place between virtual identities (that is, identities that exist only in the imagination of computers), we are primarily interested in the Authorisation Domain. I’ll come back to this in a moment, but for now let us assume that the Authentication Domain is essentially a solved problem and we don’t need to come back to it in this discussion. My assumption is that banks have strong authentication in place and that they use appropriate standards (eg, FIDO) so that they have device independence. In practical terms, in the world as it is now, this means that I can authenticate my bank Digital Identity (that is, I can demonstrate ownership of that private key) using any smartphone.

The problem then all comes down to standardisation and mutual recognition of credentials in the Authorisation Domain. Let’s take a simple example that has been discussed many times recently: IS_OVER_18. Suppose I want to log on and join a Wine Club. The wine club needs to know that I am over 18, so it wants to see a virtual identity that includes the IS_OVER_18 credential (that is, an IS_OVER_18 attribute digitally-signed by someone that the Wine Club trusts – and by “trusts” I of course mean “can take legal action against and recover damages from if the credential is incorrect”). The Wine Club would obviously trust banks, so this should be straightforward: provided that we have standardised the Virtual Identity (an X.509 certificate, for example, or an Evernym DID) and that we have standardised the attribute (let’s assume there is an XML dictionary somewhere that defines IS_OVER_18) and that we can recognise the digital signature from an organisation that is on our list of trusted organisations.
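The Wine Club's side of this check, as an added example (not code from the original post, BBVA or any identity scheme): IS_OVER_18 is believed only when the attribute is in the agreed dictionary, the issuer is on the trust list, the issuer's signature verifies and the credential has not expired. Ed25519 over a JSON credential stands in for the X.509 or DID format, and the issuer names, field layout, keys and credentials are constructed.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed issuers: a bank the Wine Club trusts and one it has never heard of.
const bankKeys = nodeCrypto.generateKeyPairSync('ed25519');
const strangerKeys = nodeCrypto.generateKeyPairSync('ed25519');

// Wine Club configuration (assumed layout): trusted issuers and agreed attribute names.
const TRUSTED_ISSUERS = new Map([['example-bank', bankKeys.publicKey]]);
const ATTRIBUTE_DICTIONARY = new Set(['IS_OVER_18']);

// Bytes that are signed: a fixed field order so issuer and verifier agree exactly.
function signingInput(c) {
  return Buffer.from(JSON.stringify([c.issuer, c.subject, c.attribute, c.value, c.expires]));
}

// Issuer side: sign one attribute about a pseudonymous subject.
function issueCredential(issuer, privateKey, subject, attribute, value, expires) {
  const c = { issuer, subject, attribute, value, expires };
  const signature = nodeCrypto.sign(null, signingInput(c), privateKey).toString('base64');
  return { ...c, signature };
}

// Relying-party side: every check must pass before the attribute is believed.
// Proving that the presenter owns `subject` is the Authentication Domain's job
// and is outside this example.
function verifyCredential(c, wantedAttribute, now) {
  if (!ATTRIBUTE_DICTIONARY.has(c.attribute) || c.attribute !== wantedAttribute) {
    return 'WRONG_ATTRIBUTE';
  }
  const issuerKey = TRUSTED_ISSUERS.get(c.issuer);
  if (!issuerKey) return 'UNTRUSTED_ISSUER';
  let valid = false;
  try {
    valid = nodeCrypto.verify(null, signingInput(c), issuerKey,
      Buffer.from(String(c.signature), 'base64'));
  } catch (err) {
    valid = false; // malformed signature bytes count as a failed check
  }
  if (!valid) return 'BAD_SIGNATURE';
  if (!(Date.parse(c.expires) > now.getTime())) return 'EXPIRED'; // unparsable dates fail too
  return c.value === true ? 'ACCEPTED' : 'ATTRIBUTE_FALSE';
}

// Constructed credentials, checked against a fixed clock.
const NOW = new Date('2025-01-01T00:00:00Z');
const EXP = '2026-01-01T00:00:00Z';
const good = issueCredential('example-bank', bankKeys.privateKey, 'pseudonym-7f3a', 'IS_OVER_18', true, EXP);
const fromStranger = issueCredential('stranger-ltd', strangerKeys.privateKey, 'pseudonym-7f3a', 'IS_OVER_18', true, EXP);
// Names the bank as issuer but was signed with a different key.
const wrongKey = issueCredential('example-bank', strangerKeys.privateKey, 'pseudonym-7f3a', 'IS_OVER_18', true, EXP);
const under18 = issueCredential('example-bank', bankKeys.privateKey, 'pseudonym-22c1', 'IS_OVER_18', false, EXP);
const editedAfterSigning = { ...under18, value: true };
const stale = issueCredential('example-bank', bankKeys.privateKey, 'pseudonym-7f3a', 'IS_OVER_18', true, '2024-06-01T00:00:00Z');

function checkAll() {
  return [good, fromStranger, wrongKey, under18, editedAfterSigning, stale]
    .map((c) => verifyCredential(c, 'IS_OVER_18', NOW));
}

console.log(checkAll());
```

The trust list is where the post's definition of “trusts” lives: only issuers the Wine Club could hold liable belong in `TRUSTED_ISSUERS`.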

As I pointed out in Trondheim, this is a way for banks to participate in transactions, providing a useful service that is unrelated to payments or transaction fees. I, of course, understand that this means it will take sector-wide progress in the Identification Domain, practical implementation in the Authentication Domain and some commitment and co-ordination to get a working set of services in the Authorisation Domain. My question is why haven’t banks taken on board what Cap Gemini said in their report (and I’ve been saying with exhausting repetition for more than a decade) to come together to create the standards and definitions to move forward?

Or, to put it another way, where is the MasterCard or Visa for identity (and is it MasterCard or Visa?).

To the Mooooooooon!

 

I’ll be testing my assumptions and asking these kinds of questions in Singapore at Money2020 Asia, by the way, as I’m chairing the session on Exploring Digital Identities on 15th March and welcoming some old and very well-informed friends – including Victoria Richardson from AusPayNet, Shamir Karkal from Omidyar, Teppo Pavlova from BBVA and Andy Tobin from Evernym – who will help me open up the topic for the audience. Do come along to “The Moon” at 11am and join us.

* Again.