As mentioned yesterday, the regulator tries to keep up with
the banks who try to keep up with customer, and I said that banks often
innovate too slowly.
There are many examples of this, but the one that I come
back to regularly is Chip & PIN.
Chip & PIN has been an enormous success, lauded and
applauded by the Payments Council and now emulated worldwide with just the USA
The program was agreed in principle back in 2000 through
APACS, the Association of Payments Clearing Services, and the implementation
plan sorted out in 2003. The EMV-based
Chip & PIN program was introduced to the UK in 2005 and made mandatory in
The great news is that after Chip & PIN was introduced card
fraud decreased considerably, with lost and stolen cards down over half …
the criminals just moved to targeting other areas where card not present and online
fraud gave opportunity:
Key trends in UK cards from 2004 to
Abuse of authentic
- Lost and stolen: down 53% to $54.1m
- Mail non-receipt: down 86% to $10.2m
31% to $169.8m
- Card-not-present: up 118% to $328.4m
- ID theft: up 28% to $47.4m
- Online: up 330% to $52.5m
- Check: down 9% to $41.9m
Total: dip in
2005–2006, but up 25% to $704.3m
Slide and detail from a presentation by Stephen Murdoch of
Cambridge University, 2009
Admittedly this was the case after Chip & PIN was introduced
but, as retailers and banks cracked down on the Card Not Present fraud too, the
UK example is held up by one and all as the best illustration of security.
For example, here are a few charts from Douglas King of the US Federal Reserve Bank of Atlanta who, along with many colleagues, is
trying to convince the USA to incorporate Chip & PIN.
Fraud Losses on UK-issued Cards (doubeclick image to enlarge)
Card-Not-Present Fraud Losses on UK-issued Cards (doubeclick image to enlarge)
So Chip & PIN is fandabadoozy and the best thing since
sliced bread, yes?
In fact, Chip & PIN is an example fo an industry moving
at a snail’s pace and hten slapping each other on the back on how effecigtve it
Rewind to my opening paragraphs and you realise it took the
UK Payments Council six years to determine, agree and then implement Chip &
During those six years another technology blossomed and matured:
Pre-Chip & PIN, in 1997, a Hungarian bank had proven
that mobile technology was just as good at reducing fraud as Chip & PIN, if
The bank is OTP Bank, and was one of the first to use text
message SMS alerts to inform customers of potentially fraudulent transactions.
Their experience proved that fraud could be reduced from over twice the
market average at that time, to a third of the average within a year.
And it was by using a simple text message.
Cheap and easy and, oh yes, the customer pays.
Because they want to.
The customer sets the payment alert for transactions at the level
that suits their risk appetitie. Each
text costs 30 cents, but they don’t mind paying as it allows them control over
The idea took off rapidly in Eastern European and Russian
When I asked one of the bankers who made the decision to go
Chip & PIN rather than mobile text alerts in 2007, seven years after the decision
was taken, he said: “because we did not believe then that mobile technologies
were secure enough.”
He also said they would have made a different decision in retrospect but, as they committed to the Chip & PIN, this is their direction.
Six years, seven years, a decade (in the case of SEPA) …
things change rapidly.
Take eight years ago.
Eight years ago, 2004, the things we talked most about were
second homes, buy to lets, easy mortgages and easy credit. We talked a lot about European harmonisation,
the start of EU directives to create a single financial market, and the early
draft text of MiFID and the plans for SEPA.
There was no Facebook or iPhone, just Nokia and Friends Reunited. George W Bush had started his campaign for
his second term in office and Justin Bieber was a ten year old boy (still is
Eight years is a long time and a lot changes.
In 2007, my first book: “the future of banking in a
globalised world” appeared, and the index makes no mention of subprime or liquidity risk.
Today, all we talk about is subprime and liquidity risk. We avoid discussions of re-mortgaging and
credit markets, and instead focus upon regulations to avoid further collapse of
the financial house of cards. The EU
dream has turned into a bit of a nightmare, and commitments to further
harmonisation are on hold for many. Nokia has been joined by Microsoft to try
to beat off the Apple and Google war, and no-one talks about reuniting with
friends other than on Facebook.
Eight years is a long time, and it is far too long to make
industry-wide strategic decisions to change.
Instead, countries, banks and institutions need to take
steps to future-proof themselves from this march of consumer-led change.
A final thought.
I recently held up Poland as an example of how to get
is Europe’s leading market for contactless payments, with over 54,000 terminals
and 5.7 million Visa contactless cards deployed as of March 2012.
of the acquirers and key merchants were on board from the start and, between
December 2010 and December 2011:
- The number of cards in use increased
- The number of contactless
transactions increased forty-fold;
- The value of transactions increased
by a factor of 43.1 times; and
- Poland’s use of contactless payments
has overtaken the UK’s usage in just one year.
- Because the issuance of contactless
cards in Poland was coordinated across the industry (the UK was uncoordinated);
- The rollout was national, whereas the
UK had a partial rollout;
- Poland’s program focused upon Tier 1
merchants first, rather than Tier 2 in the UK;
- Transaction limits were appropriate
for the Polish markets, whereas the UK’s limit was too low at the start;
- The commercial framework was based
upon the payment value for each transaction in Poland, rather than the UK
program which used the same interchange structures as higher value payments;
- The technologies for the POS systems
in Poland were proven and reliable, rather than a pilot terminal that was unproven
in the UK at launch.
in all, by entering into contactless later rather than sooner, the Polish
deployment has seen far more success than the UK.
So when I start talking about NFC and contactless being well
past its sell-by date,
they took a little offence and asked me if I really believed this and, if so,
what should they do about it?
And here’s where I take a different tack, as the fact they
did something innovative and early is a good thing.
The UK has been pushing contactless in an uncoordinated way
for over four years. It’s too long and
too slow such that, now, the opportunity they could have grasped has been
The investment to make contactless work in the UK now is not
going to payback in time, as other technologies like QR codes and Proximity
Payment Apps have taken over.
However, the fact that Poland acted fast and did something
early in a co-ordinated way within commitment, means that they made the appropriate
investment at the appropriate time with the right level of commitment.
The net:net of that comment is that: if you are going to innovate and take a lead, commit to it and make it
happen before the timescale opportunity is lost.
And that comment applies equally to the UK Chip & PIN project, e.g. doing something is better than doing nothing at all.