The new paper from the European banking industry, produced by the European Banking Federation (EBF), European Association of Co-operative Banks (EACB) and the European Savings and Retail Banking Group (ESBG) sets out the industry’s vision for the EU payments market in detail. There’s lots of interesting stuff in there, but I was particularly interested in their views on the regulatory environment.
I couldn’t help but notice this paragraph on page six…
“From a data privacy perspective, global BigTech’s existing data superiority combined with access to payments data should be concerning and could lead to unintended negative outcomes for EU citizens.”
This is not a new position. It’s been obvious to any serious surveyor of the European payments landscape that it has been tilted. This is what I wrote for Wired magazine back in 2017:
“Non-banks are about to get a huge boost from European and UK regulators, thanks to the European Commission’s Second Payment Services Directive (PSD2)”.
I’m hardly the only person to have realised that PSD2 would mean that the playing field is tilted against banks and in favour of Big Tech. In fact I gave a keynote address on this topic at PaymentsNZ a couple of year ago, so if you are interested in a more detailed explanation of why the current regulatory environment is unsatisfactory, put your feet up and watch this:
The question is what to do about it now. Fortunately, I wrote about this in some detail more than a year ago, so if the European banking industry needs some help in formulating specific policies to lobby the legislators for, I stand ready to point the way. Last year, following the Paris Fintech Forum where this topic was discussed, I commented on the suggestion from Ana Botin of Santander that organisations holding personal data ought to be subject to some regulation to give API access to the consumer data. Not only banks, but everyone else should provide open APIs for access to customer data with the customer’s permission. This is what the European banks are asking for in their vision document. They want “concrete support” from policy makers to help achieve their objectives, including this levelling of the playing field between banks and Big Tech competitors, brining in a mutually-beneficial approach to data sharing address the inherent asymmetry in the post-PSD2 environment.
So, yes, Open Banking. But open everything else as well. Particularly Open Bigtech. This sharing approach creates more of a level playing field by making it possible for banks to access the customer social graph but it would also encourage alternatives to services such as Instagram and Facebook to emerge. If I decide I like another chat service better than WhatApp but all of my friends are on WhatsApp, it will never get off the ground. On the other hand, if I can give it access to my WhatsApp contacts and messages then WhatsApp will have real competition.This is approach would not stop Facebook and Google and the other from storing my data but it would stop them from hoarding it to the exclusion of competitors.
Forcing organisations to make this data accessible via API would be an excellent way to obtain the level playing field that the European banks are calling for. This would kill two birds with one stone, as we say in English: it would make it easier for competitors to the internet giants to emerge and might lead to a creative rebalancing of the relationship between the financial sector and the internet sector. So, if the European Union wants to begin thinking about PSD3, in my opinion it writes itself.
I was quoted in The Economist (“Plug and pay”, 21st November 2019) talking about the impending reshaping of the retail financial services sector. Although the quote isn’t quite accurate — I was responding to the statement that a a bank is a balance-sheet, a factory that turns capital into financial products (such as loans and mortgages) and a sales force, I didn’t make the statement — the paraphrase is correct. Those first two activities are heavily regulated, as they should be, which is why Big Tech is uninterested are in them. They are more than happy to have banks, for example, do this boring, expensive and risky work with all of the compliance headaches that come with it. As noted in article, the Apple credit card is actually issued by Goldman Sachs (although it was Apple that caught the flack in the row about gender discrimination around credit limits) and the Amazon cards are issued by Chase, Synchrony and American Express. Similarly, the Google “checking” account (this is the American word for a current account, because they still use cheques, which must be something to do with the Continental Congress or something) is actually provided by Citi.
What big tech wants is the distribution side of the business, as shown in this old diagram of mine. They have no legacy infrastructure (eg, branches) so their costs are lower, but to my mind more importantly the provision of financial services will keep customers within their ecosystems. If you use the Google checking account and Google pay then Google will have a very accurate picture of your finances. As the article says “Amazon wants payments in-house so users never leave its app”. Indeed.
The business model here is very clear. What Big Tech wants isn’t your money (the margins on payments are going down) but your data. That’s why when people talk about “challengers” they should really be talking about Microsoft and not Monzo.
This is where there are some pretty serious implications. If Big Tech takes over consumer relationships, banks will end up having to give away margin but, far more seriously, data. Andrei Brasoveanu of Accel, a venture-capital firm, is quoted as saying that they could turn into “utilities, providing low-margin financial plumbing”. Well, that’s the lucky ones. The unlucky ones will be wiped out in a wave of consolidation and closures.
This isn’t a technology prediction, by the way. In Europe at least it is a regulatory prediction. Back in 2016, I wrote about regulators demanding that banks open up their APIs that “if this argument applies to banks, that they are required to open up their APIs because they have a special responsibility to society, then why shouldn’t this principle also apply to Facebook?”. My point was, I thought, rather obvious. If regulators think that banks hoarding of customers’ data gives them an unfair advantage in the marketplace and undermines competition then why isn’t it true for other organisations in general and the “internet giants” in particular? This same point was just made by Ana Botin, Chairperson of Santander. My good friend Chris Skinner notes her comments to Bloomberg: “I need to know you and that’s based on data. Why should data be regulated in a different way if you’re called a bank and if you’re called something else”.
There are big changes coming, and banks and payment companies in particular are going to need effective strategies to survive. It’s not only a problem for those legacy incumbent dinosaurs that the happening new digital kids like to poke fun at. The fintech “challengers” also have a problem. Just as Big Tech has made ecosystems impervious to competition, so it could cross-subsidise (with data as well as with money) its financial services products to raise such a barrier to competition that no newcomer will be able to spend enough to gain traction.
There are some really big changes coming in retail financial services. And that’s not a prediction, that’s a fact.
I’ve been reading an interesting paper from Northumbria University called “Recipes from Programmable Money“. The paper looks at what customers of the UK challenger bank Monzo have done with its integration with IFTTT (the “if this, then that” automation software) to draw some early lessons that may have wide applicability to post-PSD2 financial services infrastructure. This is fascinating to me (even though I think the title is wrong, because it’s not the money that is being programmed but the bank accounts) because it is natural to wonder what, once third-parties are free to build on banks’ interfaces because of PSD2, customers will want from the new product and service providers.
The paper goes about examining how real users (albeit savvy early adopters in the UK) used the ability to automate a selection of Monzo account actions. Since these automations are a small window into what users might want from from more general third-party API-based interactions, I think the researchers have uncovered useful insights about just how important XS2A will be. After all the speculation about what API access to accounts might mean for Europe’s banks, there’s no substitute for looking at what consumers actually do with the new technology.
It seems to me that the key finding of the paper is that “some of the most intriguing recipes in our corpus were those that integrated Monzo with applications that ordinarily have little to do with banking”. (“Recipes” are the IFTTT automation scripts.) That is, in general, consumers use banking services as integral to other services, which is what you might expect on reflection because users don’t want to do banking, which is boring, they want to do other more interesting things that happen to be facilitated by banking.
The authors also observe that “this proliferation of financial data across different platforms, and channels, highlights the way in which programmable money may cut across services” and that “we are seeing how money and transactions are potentially just another form of data, to be pushed and pulled around integrated services”. I am sure they are correct about this, which is why it will be so hard for banks to find effective strategies to compete with other providers of those integrated services. It may well be that only the lower margin “‘pipe” services are available to them, in which case they need to focus on operational efficiency to compete.
All very interesting, and wholly congruent with earlier analyses from informed industry observers (eg, me). But it’s another point made in the “programmable money” paper that caught my eye. It’s impossible to disagree with it when it concludes that technologies such as machine learning, AI and smart contracts “foreground the delegation of significant financial power to automated systems and agents”. As I wrote last year, in the context of competition in retail banking, the future choice of banking services provider (the AS-PSP, in the euro-jargon) will be made not by customers, but by bots. It seems to me that the early indications from the real world are that this is correct, and that it has many ramifications.
I’ll give you an example. If you live in the UK and are over the age of around 30, you may have seen an advertisement with a man in a spacesuit in it.
No, not that one. I mean an advert on TV, the sort of thing that no-one under 30 ever sees any more. It’s an advert for a bank. It doesn’t matter which one. The point is that it’s about brand and image. But what will be the point of it a world where an AI-powered child-of-IFTTT is doing the heavy lifting? Consumers may neither know nor care who their bank is. This will pose a challenge to those with a career in marketing, but it may have some positives too. For example, I can assure Barclaycard that my bot will pay no attention whatsoever to their advertisement with Simon Cowell in it, whereas like most normal people I would cancel my card because of it.
My bot will chose your bank on the basis of interest rates, response times, jurisdiction, functionality, service uptimes and other such measurable parameters. Your logo? Your sponsorships? Your history? Whatever.
The Paris FinTech Forum this year was a superb event. I take my hat off to Laurent Nizri for pulling it all together and especially for his terrific first day panel with Christine Lagarde (who is Managing Director of the IMF and is therefore the woman in charge of money), Stefan Ingves (the governor of the Bank of Sweden), Carlos Torres Vila (Group Executive Chairman BBVA) and Kathryn Petralia (President of Kabbage) [video].
At one point, the conversation shifts to data. Carlos said that we should treat ownership of data as a human right, which I have to say I am not entirely sure about, and that “we should have regulation that forces data to flow” rather than the limited prescriptions of the 2nd Payment Services Directive (PSD2) “so that all sectors have to share their data, with consent, as banks have to do”.
(The reason that I’m not sure about the data ownership thing is that, as discussed in the MIT Technology Review recently, it may be a counterproductive way of thinking that “not only does not fix existing problems; it creates new ones”. Instead, was that article says, we need a framework that gives people the ability to stipulate how their data is used without requiring them to take ownership of it.)
That is a very interesting perspective on a very important issue.
What Carlos was talking about is the asymmetry at the heart of PSD2, an asymmetry that the regulators created and which if left to its own devices means an uncomfortable future for banks. I wrote about this back in 2017 for Wired, pointing out that the winner in this new environment will not be innovative startups across Europe but the people who already have all the data in world and can use data from the financial system to obtain even greater leverage from it. In other words, the GAFA-BAT data-industrial complex.
In Prospect (August 2018) there was a debate between Vince Cable, the former chief economist at Shell, and the economist John Kay. The issue was whether the internet giants should be broken up. Mr. Cable felt that the new data-industrial complexes (the DICs, as I call them, of course) need regulatory taming and that competition authorities should take a wider view of social welfare rather than focus solely on price, while Mr. Kay felt that regulators should focus elsewhere on higher priorities and let internet competition sort itself out. He has a point, because regulators have so far failed in this respect. As The Economist (Antitrust theatre, 21st July 2018) noted, despite headline grabbing fines and other antitrust actions, the European Commission has done little to strengthen competition.
So what to do? Do we sit back and allow the DICs to form unassailable oligarchies or should there be, as Carlos clearly thinks, a regulatory response? And if so, what response?
Mr. Cable’s call for some form of regulatory response is hardly unique. Last year I had the honour of chairing Professor Scott Galloway at a conference in Washington, DC. Scott is the author of “The Four”, a book about the power of internet giants (specifically Google, Apple, Facebook and Amazon). In his speech, and his book, he sets out a convincing case for regulatory intervention to manage the power of these platform businesses. Just as the US government had to step in with the anti-trust act in the late 19th century and deal with AT&T in the late 20th century, so Scott argues that they will have to step in again to save capitalism. His argument centres on the breaking up of the internet giants, as Mr. Cable called for, but I cannot help but wonder if this is an already outdated response to changing economic dynamics in a world where data is the new oil (and personal data is the new toxic waste). Perhaps there is a post-industrial alternative to replace that industrial age regulatory recipe for healthy competition in a future capitalist framework. As Viktor Mayer-Schönberger and Thomas Range note in Foreign Affairs (A Big Choice for Big Tech, Sep. 2018), a better solution is a “progressive data sharing mandate”. They suggest sharing anonymised subsets of data to boost competition, but I think there might be an alternative.
The Banking Example
To see what this might look like, consider the example of the UK’s banking sector where regulation at both the UK and European levels has turned it into a laboratory for what is called “open banking”. Here, a “perfect storm” of the combination of the Competition and Markets Authority (CMA) “remedies”, the European Commission’s Second Payment Services Directive (PSD2) “XS2A” (weird euro-shorthand for access to accounts) provisions and the Treasury’s push for competition in retail banking mean that new business models, never mind new product and services, will be developed and explored here first.
(The rest of Europe will move to open banking in September 2019, when PSD2 comes into force, and other jurisdictions such as Australia are bringing in similar regimes — more on this later.)
Under the open banking regime, the banks are required by the regulator to install sockets in customer accounts so that anyone can plug in and access those accounts (with the customers’ permission, of course). Who knows what new businesses will be created by companies using these standard plugs to access your bank account? Who knows what new services will be delivered through the wires? It is an earthquake in the finance world and no-one can be completely sure as to what the competitive landscape will look like when the shocks have settled.
At the heart of the new regime, which began in January of this year, is the requirement for banks to implement these sockets, technically known as Application Programming Interfaces (APIs), for third-parties to obtain direct access to bank accounts. Just as apps on your smartphone can use map data through the Google Maps API or post to your Twitter stream using the Twitter API, open banking means that apps will be able to pull your statement out through an HSBC API and tell my bank to send money through a Barclays API.
Thus there is a genuinely new financial services environment coming into existence. But who will take maximum advantage of it? The incumbent banks or fintech startups? Financial services innovators or entrepreneurs who want to harness the banking infrastructure for social good? Customers taking control or challenger banks able to deliver better services to them?
I don’t think it’s any of these. Deutsche Bank Research published a note PSD 2, open banking and the value of personal data (June 2018) noting that while the new, free interfaces open up opportunities with respect to payment services, retail financing and other tailored products for fintechs who can “seamlessly attach their innovative services to the existing (banking) infrastructure”, there are others who can similarly take advantage. Retailers with a large customer bases, for example. And of course the internet giants and, somewhat surprisingly perhaps, the existing retail banks. As Deutsche Bank point out, the incumbents could also benefit and act as third-party providers “vis-à-vis other account servicing banks” and offer an array of new or extended services to their customers, which will intensify competition among all providers.
We already see these responses out in the market. Deutsche Bank themselves have announced a project with IATA and there is great work being done by other incumbents (see for example, my Barclays mobile app) as well as challengers. Of particular interest I think is Starling Bank’s strategy to create a platform for new players. But… as I have said before, I think the regulators have made a miscalculation in their entirely laudable effort to increase competition in the banking sector. In brief, forcing the banks to open up their treasure trove of customer transaction data to third parties is not going to mean a thousand fintech flowers blooming, precisely because of the advantages it affords the incumbents vs. incomers. And while some big retailers will take advantage, the overall impact will be to tip the balance of power to a new, different and potentially more problematic oligarchy (to use Vince’s label).
What is going wrong?
Back in 2016, I said about the regulators demanding that banks open up their APIs that “if this argument applies to banks, that they are required to open up their APIs because they have a special responsibility to society, then why shouldn’t this principle also apply to Facebook?”. My point was, I thought, rather obvious. If regulators think that banks hoarding of customers’ data gives them an unfair advantage in the marketplace and undermines competition then why isn’t it true for other organisations in general and the “internet giants” in particular? As the Diane Coyle, Bennett Professor of Public Policy at the University of Cambridge, pointed out in the Financial Times a year ago (Digital platforms force a rethink in competition policy, 17th Aug. 2017), economies of scale and insurmountable network effects mean that it will be very difficult for fintech startups to obtain significant market traction when they are competing with these giants.
Now, of course, when I wrote about this last year for the Wired magazine Wired World in 2018, no-one paid any attention because I’m just some tech guy. But when someone like Ana Botin (Executive Chairman of Santander) started talking about it, the regulators, law makers and policy wonks began to sit up and pay notice. In the Financial Times earlier this year (Santander chair calls EU rules on payments unfair, 16th April 2018) she remarked on precisely that asymmetry in the new regulatory landscape. In short, the banks are required to open up their customer data to the internet giants but there is no reciprocal requirement for those giants to open up their customer data to the banks. Amazon gets Santander’s data, but Santander doesn’t get Amazon data. Therefore, as Ana (and many others) suspect, the banks will be pushed into being heavily regulated, low-margin pipes while the power and control of the giants will become entrenched (broadly speaking, the distribution of financial services has a better return on equity than the manufacturing of them).
It boils down to this: If Facebook can persuade me that it’s in my interest to give them access to my bank account, I can press the button to give it to them and that’s that. They can use the PSD2 APIs to get to my data. On the other hand, if a financial services provider can persuade me to give them access to my Facebook data… well, hard luck. Carlos said, rather elegantly, that one of the nice things about data as a resource is that it doesn’t get used up.
What is to be done?
Ms. Botin suggested that organisations holding the accounts of more than (for example) 50,000 people ought to be subject to some regulation to give API access to the consumer data. Not only banks, but everyone else should provide open APIs for access to customer data with the customer’s permission. This is what is being planned in Australia, where open banking is part of a wider approach to consumer data rights and there will indeed be a form of symmetry imposed by rules that prevent organisations from taking banking data without sharing their own data. If a social media company (for example) wants access to Australian’s banking data it must make its data available in a format determined by a Consumer Data Standards Body. (Note that these standards do not yet exist, and as I understand things the hope is that the industry will come forward with candidates.)
This sharing approach creates more of a level playing field by making it possible for banks to access the customer social graph but it would also encourage alternatives to services such as Instagram and Facebook to emerge. If I decide I like another chat service better than WhatApp but all of my friends are on WhatsApp, it will never get off the ground. On the other hand, if I can give it access to my WhatsApp contacts and messages then WhatsApp will have real competition.
This is approach would not stop Facebook and Google and the other from storing my data but it would stop them from hoarding it to the exclusion of competitors. As Jeni Tennison wrote for the ODI in June, a good outcome would be for “data portability to encourage and facilitate competition at a layer above these data stewards, amongst the applications that provide direct value to people”, just as the regulators hope customer-focused fintechs will do using the resource of data from the banks (who are, I think, a good example of data stewards). Making this data accessible via API would be an excellent way to obtain such an outcome.
It seems to me that this might kill two birds with one stone: it would make it easier for competitors to the internet giants to emerge and might lead to a creative rebalancing of the relationship between the financial sector and the internet sector. Instead of turning back to the 19th and 20th century anti-trust remedies against monopolies in railroads and steel and telecoms, perhaps open banking adumbrates a model for the 21st century anti-trust remedy against all oligopolies in data, relationships and reputation.
I can’t stress enough just how big a deal the UK’s transition to Open Banking is. The writer Wendy Grossman posted an excellent piece about this in her “net.wars” series recently. She said, without exaggeration in my opinion, that the “financial revolution” coming here in mid-January has had surprisingly little publicity perhaps because “it’s not a new technology, not even a cryptocurrency. Instead, this revolution is regulatory: banks will be required to open up access to their accounts to third parties”. As Wendy notes in her piece, Wired had a great article about this (written by Rowland Manthorpe) in October. Having talked to some of the key players and examined some of the key concepts, he draws an important conclusion, which is that open banking is not “just a technical fix, or even a solution specific to banking, but a new way of dealing with the twenty-first century’s most sought-after resource, personal data“.
He is spot on. Identity is, as some people maintain, the new money. Banks are about to be transformed from places that store digital monies (which they really don’t anyway, since the proportion of household wealth held in the form of demand deposits has already fallen to minuscule levels) into places that store digital identities. Now, this is hardly a new idea and it isn’t only techno-crackpots like me who keep going on about it. Back in 2014, the Financial Times was reporting that “Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities”. This makes complete sense as a strategy and as a European Banking Association (EBA) white paper of the time put it, “banks are well positioned” to be a crucial, supporting, positive part of their customers online lives. Banks know this to be the case, they just haven’t done much about it. I still can’t use my Barclays identity to open an account at RBS, much less to log in to Direct Line or Bet365.
Since that FT piece, some people (uncharitable persons, of whom I am not one) have suggested that banks will pratt about and muck it all up and hand digital identity on a plate to Apple, Facebook, Google, Amazon and Microsoft (the GAFAMs). Well, we’re going to start finding out in January, because I can’t help but feel that the major beneficiaries of the regulators pressure to open up the banks will not be nimble fintech startups but the internet giants who already have the customer relationships. Rowland speculates that open banking may expose some institutions to change and to competition that they simply cannot respond to. He even goes as far as to suggest that banks may well fail because of it. This is the sort of thing that they must have been mulling over down at Open Banking Limited, the entity set up to implement open banking in the UK, where the Implementation Trustee, Imran Gulamhuseinwala, “doesn’t seem to have much sympathy for failing banks”.
Now, having met Imran at dinner (with the Russian Ambassador, as it happens) I can confirm that he is one smart cookie (and a very nice guy too). He’s got a point about the competition that open banking should unleash, but when RBS goes under because all of its customers have shifted to Facebook and the bank becomes a low-margin heavily-regulated pipe that is not operationally-efficient enough to compete only on price and service levels, I suspect others may have a different perspective. Either way, I agree with Erik Tak, Head of the ING Payment Centre, who said at Trustech in Cannes this year (below) that the people who will benefit most from this opening up of retail banking will not be fintechs but those GAFAMs mentioned earlier.
Wendy’s words are well chosen. Open Banking is a revolution, and all we can say for sure is that there is going to be change. But as to who the winners and losers are… well, the UK is about to become an interesting, exciting and unpredictable laboratory experiment in banking regulation. In a year or two, we may at least have a signpost to the future of retail banking in place.