Published on 3rd January 2023

Our recent research paper on Britcoin examined several of the failures in the Fintech digital payments industry that have gone unresolved.

The paper is entitled ‘CAPTURE – BigTech and Digital Payment Giants dominate the committees evaluating the replacement of physical cash with ‘Britcoin’ – a UK ‘Central Bank Digital Currency’’.

You can find a click-through to the full paper here:

A major Fintech detriment for end-users comes from Open Banking, which has become a channel for Authorised Push Payment Fraud.

The Open Banking service is provided to end-users by Fintechs called Third-Party Providers or TPPs, and many have established themselves, the capital needed for set-up being even lower than is needed for Electronic Money Institutions or Payment Institutions.

One type of TPP – an ‘AISP’ or Account Information Service Provider – handles sensitive customer data, and there must be a question as to whether the size of investment deployed enables an IT architecture commensurate with properly discharging the AISP’s duty to safeguard this data.

An even more serious issue has arisen at the other type of TPP – the ‘PISP’ or Payment Initiation Service Provider. This relates to Authorised Push Payment Fraud.

A PISP cannot hold customer funds but it relays customers’ payment orders to customers’ banks. The value of the PISP is convenience: a customer gives it the security credentials for all their bank accounts, enabling the convenience of not having to log in separately to each bank’s eBanking service with differences of process, devices, User IDs, passwords and so on. The customer need only concern themselves with the credentials to log in to the PISP’s service.

This means that a fraudster, obtaining the customer’s credentials for their relationship with the PISP, can empty all of the customer’s accounts in one go. Major banks are reputedly afraid to raise this issue to the Competition and Markets Authority for fear of being labelled anti-competitive.

The Payment Systems Regulator’s ‘Digital Payments Initiative’ issued a report where this problem was mentioned on p. 7, and it proposed that PISPs should join the Contingent Reimbursement Model (CRM) and have to compensate victims of fraud where the PISP was involved.

One does not know whether to laugh or cry. PISPs are by their nature thinly capitalized. It is a question of pure conjecture whether the PISP would have the resources to reimburse the entirety of a customer’s money even if they were bound by the CRM.

The proposal will only work if the risk can be covered under the PISP’s professional liability insurance, and for a sum that will be radically in excess of the PISP’s own resources: the maximum possible loss is the entire amount in all the accounts registered at the PISP for all its customers.

How will the PSP even know what that amount is at any one time? How can that be translated into a maximum amount insured such that the premium can be calculated and paid, and the cover put on-risk? How can it be ensured that the PISP abides by the policy conditions and that the premia continue to be paid, so that any claim is paid out and not refused by the underwriter? How is it ensured that a pay-out from the policy goes to the victims of fraud in the case that the PISP is itself insolvent?

As ever, the Fintech industry has brought about a major detriment for UK businesses and consumers, and the problem does not get resolved despite the extensive committees established for that purpose.