Podcast 3, The cybersecurity contradiction
Speakers: Jenni Himberg-Wild, David Shinkins and Steve Lappin
Jenni: So, hello everybody and welcome to our third and final podcast of the series in which we’ll be discussing what is possible in the FinTech landscape. My name is Jenni Himberg-Wild, I’m the head of UK FinTech and Payment Service Providers Coverage at Barclays Corporate Banking, and together with my colleagues David Shinkins, the Global Head of Cash Management Sales at Barclays, and Steve Lappin, Managing Director, Barclaycard Business, we're taking a deeper dive into the findings from our Alive to Opportunity report. So welcome back both.
David: Thank you, Jenni.
Steve: Hi Jenni.
Jenni: As a recap for our listeners, the findings from our report were taken from a recent survey we undertook with Money20/20. The survey results helped us to produce our 2020 report Alive to Opportunity, which explores the key trends within the FinTech landscape for 2021, and should you wish to take a look at the report you can find it by typing barclayscorporate.com/fintech into your browser.
So, during the last episode we discussed innovation in the payment sphere, and today we’ll be talking about regulation and security. So, it's clear there's been a bigger shift in the regulatory landscape over the years, with different elements of the industry having certain impacts. Now, this in turn has affected how the industry is viewed. This in mind – David, let’s start with you – can you tell our listeners about some of the elements and big, big sort of themes we see in the regulatory landscape?
David: Thank you very much for the question. The thing I would always say firstly is, regulation is an important part of a regulated business, and what I would say is, actually, it’s an enabler, I think, to really drive new types of business models; but also, more importantly, to really help to drive the overall experience, and also, really, to protect consumers, to protect the businesses we operate in, and also to ensure security and, I’d say, real structure in the financial system.
The other thing I would also talk about is something else that’s really going to be on our agenda – and we’ll touch on this later – is very much around ISO 20022. Particularly those benefits that will come in, particularly in the payment systems.
But the important thing I would talk about really, and I think that that's the key, the ability to horizon scan and to look at all of this regulation, see how it impacts both banks, regulators, clients, and then also the end consumers, is going to be really important, and it's going to be here to stay.
Jenni: Thanks David.
And Steve, from your perspective, coming from more the card payments side, anything to add to that rather comprehensive list already?
Steve: Yes. Hi Jenni. Yeah, consumer payments, and particularly card payments, equally really carefully regulated to make sure fair outcomes for retailers and consumers alike, and alongside some of the names David’s mentioned, including the payment systems regulator we have here in the UK, which covers things like PSD2, I'm going to come on to talk about Open Banking a little later on in this podcast; you have the card scheme operating regulations.
So these are really Visa and MasterCard’s rules of the road to make sure consumers globally, when paying by cards, can rely on the same experience, be that entering the PIN at point of sale in the same way; be that checking out online in a way that they recognise, with the correct password authentication; or be it, eventually, when they get their goods, and if there are any problems with the services or goods delivered, relying on the chargeback process to ensure they get their money back or some sort of remediation from the retailer in question.
There are hundreds and hundreds of pages of these regulations; one of the particular pieces of operating regulation when it comes to the card schemes is the Payment Card Industry Data Security Standard, or PCI DSS as it's known in the industry, and retailers have put a huge amount of work and time into getting themselves compliant with this standard and making sure that all-important cardholder payment data is kept really, really, really safe.
Particularly important in an online environment where cardholder data is passing through several servers, millions of times a day as internet payments have taken off, particularly post COVID. But even in a physical environment, you know, the position of a CCTV camera in-store – is that directed in a way that it could be used in the future to divine somebody's PIN number? There's a real load of detail about exactly how you need to set yourselves up to comply with this piece of regulation, and any non-compliance fines can be particularly punitive.
So anybody who’s interested in getting into card payments, make sure you take a good look at the payment card industry data security standard.
Jenni: Yeah I agree Steve, very much so. Lots and lots of elements that make up the world of regulation. And clearly, as the industry matures, the relationship between the regulators and business becomes even more important. In fact, in our report when we asked what impact regulation will have on businesses, half – 50 per cent – of respondents noted that it would provide new opportunities to do business. And that’s quite a significant increase from 39 per cent in the 2019 report.
So David, coming back to you, it seems like regulation is being seen as a catalyst rather than a burden for business; and with that in mind, how important do you feel the relationship between the business and the regulators is?
David: Jenni, what we're getting in my mind is very simple: it's of paramount importance. So, the critical part is fundamental to how we operate today. So constant dialogue with the regulator around changing trends in the market; really understanding how infrastructure operates and how we best serve the needs of underlying clients and consumers; how we create transparency – you know, we’ve seen this along with MiFID as an example, when MiFID 1 was introduced also MiFID 2, as an example. I think, more importantly, is it creates stability in the financial system.
So, you know, another great example of that was the new payments architecture came about, driven predominantly by the Bank of England, as we look to the real-time gross settlement systems, and also then the underlying payment architecture. So, for example, with BACS, Faster Payments and CHAPS in the UK; but there are similar other examples around the world that we can easily talk to.
Therefore, what that creates from my perspective, is it gives the ability to innovate. We saw that very much with Open Banking; we saw direct access being given to new participants to direct clearing in the UK, and we’ve seen then, therefore, other regulators adopt a similar approach by re-leveraging what the UK built, actually.
The other point I think I would also talk about is, again, really highlighting that consumer experience; because again, better client journeys, seamless experience, frictionless payments, speed, efficiency – these are all buzzwords that we’re clearly hearing. But ultimately, these are all being helped along by the regulator to make sure that really there’s competition in the market and ultimately, the client and the consumer are really at the heart of that journey.
Jenni: Thanks, David.
Steve maybe with you next. It is our miniseries all about FinTech – so, how much potential is there for FinTechs out there to support our financial institutions and the regulators themselves, perhaps, with monitoring and compliance? And maybe we could look at this from that Open Banking perspective we've mentioned already a few times.
Steve: The regulatory requirements certainly open up, from a consumer payments perspective, opportunities for FinTechs to find themselves a niche role in solving particular problems for retailers or financial institutions alike.
When I speak to colleagues within the FinTech environment, I think, actually, the regulatory piece is a difficult one for them to navigate. You know, they don’t tend to have the banks of lawyers and regulatory governance and compliance experts that you see in a corporate environment – a large corporate environment. So making sure they have the right relationships, making sure they're ahead of the game when it comes to presenting their propositions back to retailers is something they have to think through really, really carefully.
So, you mentioned Open Banking there, Jenni, and actually we asked respondents to our survey which would be the biggest area impacted by regulation in 2021, and 37 per cent of respondents said that would be Open Banking. Alongside that, 45 per cent of respondents thought Open Banking would ease integration and enable value-added services to be developed for consumers.
When I think about the consumer payments industry the retailers are going to have to work out how they offer a solution to enable consumers to pay via Open Banking propositions. Offering card payments has solved the majority of consumer payments requirements to this point in time, but it's clear from the respondents to the survey that Open Banking is going to be an increasingly important method of payment going forward.
Jenni: So thanks, Steve.
So let's keep with that topic of Open Banking for a little bit longer, then. So, our report highlights that 42 per cent of respondents feel Open Banking could have some benefit to their business, and 40 per cent feel also that it will impact their business in a big way.
So if we break this down further, in the Asia Pacific where Open Banking is currently being rolled out, businesses were unanimous, with 59 per cent expecting Open Banking to impact them in a big way and a further 41 per cent expecting it to have some benefit to them. However, looking at the kind of EMEA region, only 38 per cent in this region expected Open Banking to have a big impact on their business, compared to 48 per cent in our 2019 report.
So David, what do you think has caused this drop in the EMEA region’s opinion on Open Banking and the impact on their businesses?
David: Yeah, it's quite interesting, Jenni. I think what may be is that, within EMEA, there's really widespread acceptance for Open Banking. You know, we've seen, clearly, the rise of new types of businesses; you know, the substantial business flow in the FinTech industry in terms of level of funding that’s being provided, and actually, we’ve seen some really strong, successful stories that have come off the back of Open Banking. So maybe that's one of the core reasons.
Jenni: Thanks David.
And Steve, from the cards and payments perspective, any additional insight you can give?
Steve: Yeah, just a couple of things I would add. One in terms of EMEA, and particularly here in Europe, from a consumer payment standpoint, is that many European countries – as you know Jenni we talked about this previously – have a very different makeup of consumer payments versus the UK. The UK is so card heavy, be that debit or credit card.
But in other countries, particularly Germany, for example – Finland we talked about previously as well – they just don't have the same proportion of spend going through card payment types, so they're already very, very used to account-to-account payments or push payments from their bank account, which is the definition of Open Banking from a consumer payments perspective.
So perhaps it's a case of, within Europe, particularly outside the UK, push payments, account-to-account payments, are already a thing – are already really well established – and therefore respondents don't feel it's quite as big a development as elsewhere in the world.
Secondly, I wanted to touch on PSD2 because we're coming up to an important date in September, in 2021, where the secure cardholder authentication or secure customer authentication as part of the PSD2 regulation will kick in and will introduce more friction into the card payment environment.
You'll be required to put in a one-time single use password, for example when buying online, versus the single password you set up at the start when making internet payments today. So that's going to introduce additional friction into card payments; and at that point I think consumers will start to look very carefully at what will become an easier way to pay from a push payment from the bank account.
And if, from an Open Banking perspective, we can make sure consumers are protected in a similar way to the way card payments protect consumers today, then I think Open Banking will really start to take off – later this year and certainly into ‘22 and beyond.
Jenni: That's really interesting, thanks Steve. And thank you David, too.
So, we've, clearly, we've discussed, we’ve seen the benefits that come with the use of Open Banking, but I think we had two topics for this podcast; it was looking at that sort of regulatory landscape, and we've gone through Open Banking, but then also the security aspects. So, let’s turn on to that side a little bit – worth us touching on the security sort of breaches that can occur when things don't quite go as planned, are not handled correctly.
So interestingly, our report shows that more than half the responders across all regions are not confident that they have a robust approach to cybersecurity – that was 57.9 per cent.
So Steve, I mean, are you surprised by that statistic?
Steve: I am surprised, Jenni, but I'm actually surprised that it’s not higher. Working in the industry, as I do, working with retailers, and particularly technical teams within retailers who are tasked with making sure their own data is really, really secure; making sure the hackers can't get access to their servers; and from the payments perspective making sure cardholder data is kept secure and cannot be hacked and then subsequently used for fraud, the people I work with tend to have a sense of paranoia in this space.
And therefore, I would put it, you know, a lot higher in terms of the individuals I work with in the industry – 75/80 maybe as high as 85 per cent that are not confident they have a robust approach.
I think the moment you do get confident in your robust approach can lead to complacency, and you only need to look at some of the front pages from the British press over the last 18 months/two years to see that some of the biggest names in industry have had those cyber breaches and have had payments data in particular stolen and subsequently misused, leading to, obviously, brand/reputational damage and also significant fines from a card industry perspective.
Jenni: Very much so, Steve, absolutely. And, maybe David, just coming back to you then – you know, we've discussed a little bit about that cybersecurity, but from your point of view, you started off with a big list of various different regulations. Anything there that, from your kind of angle, links back into the security? Any sort of top trends that you are seeing?
David: Yeah, thanks Jenni, and I completely agree – I think clearly cyber has to be, and particularly if you think about it from a fraud perspective, has to be of utmost paramount importance when thinking about protecting of funds or also protecting the stability of the payments flows.
As an example, as you’ve mentioned, I spoke earlier about the new ISO standards that are coming in over the next three to five years. And really, what they’re going to bring is an awful lot of benefits that are really going to help, particularly to attack, effectively, these bad actors, effectively, in the system.
So, the first thing we're going to see is enriched data quality enhanced, particularly for creditor and debtor details, so they'll come in a form of a consistent format, so again that will help with reconciliation and operational efficiency; but again will show and provide more access to data in the payment flow.
Of course, that richer data again will help support improved compliance practices by regulators, banks, and also the end users, to prevent fraud and target financial crimes so again, really key component. But also, obviously again let's come back to the point it’s going to enable us to have increased innovation.
So, these common data standards are really going to be the key for all of the markets around the world and how clients and consumers basically access their banking services more efficiently based on one global standard, and I think that's going to be really important.
Jenni: Great. So it brings me very much to the end of the podcast miniseries, so thank you very much David, and thank you to Steve for sharing their valuable insights.
David: Thank you, Jenni.
Jenni: And thank you all for joining. So, I hope that we have provided you with some valuable insights over our three podcasts and do remember that if you'd like to learn more about what we have been discussing just type barclayscorporate.com/fintech into your browser where you can download our Alive to Opportunity report.
So, thanks very much for tuning in everyone, and goodbye.