The European Payment Services Directive (PSD) became a reality for CQR UK in November 2009 when we gained authorisation from the Financial Services Authority (FSA) to operate as a payment institution (PI).
CQR UK’s seven years’ experience of data processing services already included authorisation, capture and settlement services, as well as cash management, risk management, and fraud prevention and verification services, so the step to become a PI seemed a natural fit.
One of the aims of the PSD, as envisioned by the European Commission (EC), is to increase competition through the introduction of PIs and hopefully provide opportunities for the new players to not only share business with the existing industry, but also to innovate new payment methods and services.
That is why a copious amount of blood, sweat and tears went into our understanding of the new directive and the FSA’s approach to those regulations – although finding out that ‘maximum harmonisation’ allowed for EU countries to interpret nationally over 20 variations – or the official term of derogations – did have us questioning our sanity at times. CQR had many different versions of contracts and processes over time, as our understanding and confidence in the business grew.
In my role as head of compliance and operational risk, everyone who would listen heard me talk about ongoing compliance and reporting obligations. There was danger of ‘death by PowerPoint’, as the business discussed anti-money laundering (AML), treating customers fairly, safeguarding, framework contracts, one-leg-out transactions and information requirements as set out by the various titles within the PSD.
Payment services providers have to look at a number of risks, such as credit, liquidity and operational risks, as well as fraud and AML, all of which required us to ensure we had good quality people that were knowledgeable in their chosen field. Specific management oversight policy had to include a robust management structure to support the ongoing development of CQR that included a minimum of five years of senior management experience in the payment processing industry.
Developing a Clear Strategy
In today’s IT-driven business environment, with its increasing complexity, a clear vision and strategy was necessary to ensure the desired service levels, especially when outsourcing services to partners. To enable CQR employees and service partners to understand our goals and thus develop and run the services at the highest possible quality, an IT strategy was developed and published.
Having the PI licence and to gain sufficient payment processing volumes across Europe needed a marketing and sales strategy, so plans for country and industry merchant expansion were developed, as were dates for exhibitions, conferences and trade fairs. The profile of the business from a consumer or merchant perspective is important, and it was necessary to evaluate our internet marketing and public relations behaviour.
The opportunity to start to talk in acronyms – such as SEPA (single euro payments area), RFID (radio-frequency identification), IBAN (International Bank Account Number), and SYSC (Senior Management Arrangements, Systems and Controls) – and to dream of payment methods such as contactless, alternative payments and mobile technology, allowed us to look at ways of being multi-dimensional instead of being just a ‘me too’ business. As part of our business strategy, CQR has become an acquirer with both major card schemes, and as a result are increasing our financial independence by not having to involve third party merchant acquirers.
There were, of course, questions that looked at the downside of the impact of the PSD. Could we rely on acquiring margins to support the business? Would we damage our existing business relationships? And how well could we use the passport opportunities that the PSD encouraged? All of these questions and more involved numerous versions of our three-year financial plan forecasts to provide an analysis of the revenue, cost of sales, overheads and balance sheet projections. The discussions about interchange fees and unbundling had our finance team diving into their spreadsheets to prove or disprove what we were suggesting.
Making a profit and staying profitable is not ‘talking dirty’; however, making a good business case for survival in the sea of payments where the banks previously held court and now had to swim with the new PIs, means being innovative and providing a better service. The banks themselves have had to cope with legacy systems when implementing the PSD, while the new entrants had relatively new platforms on which to provide their services.
It was recognised that if a PI can keep up with the ever-changing regulations, scheme mandates, new products, features and developments, then they have a chance of competing or maybe even working in collaboration with the existing banks and acquirers.
SEPA is the next vision we have to address which, according to the SEPA Council, is “a euro area in which all payments are domestic”. When this comes into being, PIs will have to look at those payment solutions that generate little or no money and decide if they are competitive enough to survive and be confident that the new payment schemes will increase revenues. Senior management will be asking for strategic road maps that identify where we are going to generate the profit.
Security in the payments industry, where Payment Card Industry Data Security Standard (PCI DSS) standards are essential, is another headache that requires nursing. You can think of data loss examples, such as WorldPay and Heartland, and add “there but for the grace of god…” to that, but also think about card fraud losses and chargeback figures that make for uncomfortable reading at board level. That is another small industry within your company that some say does not add value and prevents business opportunities, but is a necessary evil. The fraud threat is real and ever changing, so we have to believe that any new product will be like jam to a wasp for the fraudsters, as they continually search for ways to make money illegally and, as a consequence, impact a PI’s profit margin.
Do not underestimate these things because PIs must rely on rules and regulations to ensure their transactions are safe and secure, and also to keep the consumer or merchant confident enough to continue to use our services.
Regardless of our own internal control audits, there are PCI audits, IT audits, scheme audits, year-end financial audits and, now that PIs are regulated by the FSA, perhaps ARROW risk assessment visits. It is a continual process of proving we are worthy.
Today, the talk in the market is different from pre-November 2009. People now quote the ‘Facebook generation’ who do not use emails and only talk to each other on walls or through instant messaging services. As they mature this generation will not want to have to mess around with pieces of plastic to pay for things, as they seek instant gratification while using their smart phones. Innovation will have to include payment platforms that work with the smart phones and provide security. Therefore mobile commerce (m-commerce) is another solution that many PIs are considering as not new but now.
I don’t believe that anything I have written here is unique to CQR. The marketplace is quite small and, if you have been in it long enough, you know most of the players and their business. There is a lot of discussion about margins being squeezed – everyone is looking for that edge that will give them an advantage, if only for a short time.
Merchants and retailers are asking PIs for more of everything. There is pressure on businesses to provide faster integration, clearer breakdown of fee structures and better reporting suites. They are querying whether the old banking models are still fit for purpose, and the industry is being pushed and prodded to provide better services to the nascent merchants who are embracing social networks, low value payments and mobile technology.
The PSD has given CQR the opportunity to develop its business model and the past two years have been a rollercoaster ride that, if you have the appetite, is well worth the effort. The highs and lows and the endless hours of discussion are part of the learning curve that we have all had to go through.
A Chinese essay, ‘The Thirty-six Stratagem’, in which one chapter is entitled ‘Deceive the Heavens to Cross the Ocean’, best describes what we have learned. An interpretation of this would be “prepare too much and you lose sight of the big picture; what you see often, you do not doubt”. While CQR wanted to play on the same pitch as the other PIs, we also recognised that the rules were changing, as were the payment and delivery methods. We watch and listen to the existing players, but also want to keep our eyes and minds open for new opportunities.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.