The move to mobile: an overview of the key mobile payment technologies and the challenge of risk management
April 2014 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
The mobile payments landscape is changing fast. Traditional financial services companies, such as banks and building societies, have finally begun to respond to huge consumer demand to more easily make payments on-the-go using mobile phones. Exciting evidence of this can be seen in the recent (10 March 2014) announcement by the UK Payments Council of a new mobile payments service that will make it possible to send and receive payments to any UK current account using just a mobile phone number. Nine banks and building society brands will offer the service – called ‘Paym’ – from launch, which is expected to be this spring.
In addition to the traditional players, many technology and telecommunications companies and other new entrants have begun to develop competing technologies facilitating mobile payments for goods and services. Each of these create a number of commercial risks to businesses wishing to enter the market place or adopt such technologies. Such risks must be considered and managed in order for businesses to survive and thrive in this new marketplace – and are in addition to any financial services regulatory issues that must be considered.
Payments using mobile phones have increased exponentially year on year. Some reports claim that such payments now account for almost 20 percent of all consumer transactions processed worldwide (Adyen, Mobile Payment Index, 30 January 2014). Whilst the exact number of mobile payments remains uncertain, Capgemini and The Royal Bank of Scotland estimate that mobile payments – or ‘m-payments’ as they are now known – will grow at a rate of 58.5 percent annually, reaching 28.9 billion transactions in 2014 (World Payments Report, 2013). These figures clearly demonstrate that consumer appetite is high. What is yet to be determined is which technology will lead the way and therefore which provider, or providers, will benefit.
The options
There are several primary technologies emerging in the m-payments market.
Near-field communications (NFC)
NFC has been widely adopted in the last couple of years. It enables wireless payments by momentarily touching a device on a designated contactless reader. The technology has been most notably implemented by Visa’s contactless platform. The success of this is clear, with more than 300,000 shops in the UK (including Starbucks, McDonalds, Pret A Manger and, more recently, Marks & Spencer and Transport for London) adopting contactless readers for low value payments. Following such success, last month the UK’s three largest mobile network operators, EE, O2 and Vodafone, launched a new mobile advertising and payments platform. The platform, known as Weve, allows their customers – accounting for some 80 percent of all mobile phone users – to store credit and debit cards along with loyalty cards and coupons. This information is linked to the SIM card in a mobile phone, allowing payments to be made at tills with existing contactless readers, such as those used for the Visa contactless platform.
Bluetooth
According to Adyen – a provider of international mobile payment technology – Apple devices remain the most popular platform for m-payments. Its iPad and iPhone devices accounted for 72.6 percent of all worldwide m-payments made between September and December 2013. With such popular hardware, and with access to more than half a billion users’ credit card details through its iTunes platform, Apple’s offering is a very credible contender. Whilst there has been much speculation on how Apple might commercialise its position, it appears that it favours Bluetooth (low energy beacons which send data in a similar way to Wi-Fi). This technology is already present in most mobile phones, including the iPhone.
PayPal has also launched a Bluetooth m-payments platform called Beacon. This enables the sending of a photo of the consumer to the merchant’s pointof-sale system, allowing the consumer to be greeted by name. The consumer can then order or pay for goods, requiring only a verbal confirmation to complete the purchase.
Apps
The examples so far have all required third party hardware infrastructure. There are, however, m-payment systems that do not. One example is Zapp, which has partnered with HSBC, First Direct, Nationwide, Metro Bank, Santander and Worldpay in the UK to provide m-payments through an app alone. The app can also be used with NFC technology. More excitingly, however, it enables payments to be made using an authorisation code sent to a mobile phone, which is then verified by the merchant to confirm the transaction. In addition, Quick Response (QR) codes – a type of barcode – can be scanned with a mobile phone’s camera to make payments. These options permit interoperability among existing infrastructure, removing some of the barriers that have hindered the success of other m-payment platforms.
Managing the risks
There are some key commercial risks for businesses to consider prior to progressing their m-payment strategies.
The investment decision
One significant risk for merchants considering the adoption of m-payment technology is which technology and enabling infrastructure is appropriate for their particular business. Each of the technologies discussed inherently have a different risk profile, and although consumer demand for m-payments is high, there does not, as yet, appear to be a frontrunner for the emerging technology. As with all new offerings, the main challenges relate to interoperability and infrastructure. Most of the options thus far are backed by large companies and use some form of proprietary technology. Businesses must, therefore, consider very carefully which technology they choose to adopt.
Prior to making the investment decision, a key consideration is the stability and consumer perception of the technology. Negative consumer perception of mobile banking apps, following accessibility issues experienced last month in the UK by customers of RBS, Barclays and Santander, for example, are a concern. Such problems were principally blamed on high traffic, with RBS stating that over 5500 customers log on to its mobile banking app every minute. This highlights a wider issue of the ageing infrastructure of some legacy IT banking systems struggling to cope with the rise in consumer demand. The message therefore is that businesses must carry out their due diligence and invest in technology that is appropriate for the level of demand.
Fraud
Fraudulent transactions will, of course, always be a risk for any businesses using a payments system. A recent report by Lexis Nexis highlights that such risk is more acute for start-ups, which have, typically, been early adopters of m-payment technology – particularly mobile point-of-sale technology – as it facilitates card payments with a low initial investment. Start-ups are, perhaps understandably, more likely to under-invest in fraud technology solutions; specifically, by using too few fraud prevention systems (on average, two solutions, compared to four used by large merchants). However, the cost of such fraudulent transactions on average far outweighs the initial investment needed to provide a robust fraud-resilient system. Strong authentication is one such way to minimise the risk of fraud. Apple’s iPhone 5S, for example, already has the facility for market-leading authentication technology in the form of biometric fingerprinting, which if utilised in relation to a m-payments service, could add an additional layer of protection against identity fraud.
Data related risks
Data losses – such as Target’s loss of 40 million credit card details from its point-of-sale terminals in the US at the end of 2013 – have put data security firmly in the public spotlight. In addition to security, as the m-payments market develops and certain IT providers take the lead, there will be an increasing amount of geo-location data available in relation to buying habits. This data has a higher commercial value than the processing of the transactions alone. How this data is used or, perhaps, misused is likely to be a key battleground in the future.
In addition to any financial services regulatory issues, all businesses should, as a matter of course, consider carefully the data privacy aspects of any new m-payment system. In particular, businesses are advised to conduct a privacy impact assessment (PIA) prior to rolling out any new IT system which stores or accesses personal data. PIAs are a valuable risk management tool for identifying and minimising privacy risks relating to both individuals’ physical privacy and data privacy. This is particularly relevant to m-payment technology where financial data is often combined with other personal or geo-location data for commercialisation purposes, such as to provide loyalty initiatives or to market other products. As has already been noted, this data is incredibly valuable and as such should be appropriately stored and processed. On 25 February 2014, the UK Information Commissioner’s Office published an updated Code of Practice, which sets out practical guidance on conducting PIAs.
Outlook and conclusion
Despite the risks, the outlook for the m-payments market is very promising and presents opportunities to all those in the market, as well as new entrants. A word of caution: any business considering m-payments should thoroughly consider the risks associated with the particular technology as they apply to its specific business.
Belinda Doshi is a partner and Juma Weeks is an associate at Nabarro LLP. Ms Doshi can be contacted on +44 (0)20 7524 6200 or by email: b.doshi@nabarro.com. Mr Weeks can be contacted on +44 (0)20 7524 6134 or by email: j.weeks@nabarro.com.
© Financier Worldwide
BY
Belinda Doshi and Juma Weeks
Nabarro LLP
FORUM: Information technology and cyber security risk
Is the UK ready for cyber insurance?
Managing cyber risk: assess, monitor, respond, repeat
Enhancing your risk management capabilities through strategic partnerships
Utilising transactional insurance as a financial solution for your next deal
The value of a proactive legal risk management policy for retail companies