What the Square and Starbucks alliance means for payments…

Square and Starbucks just announced their intent to form a partnership for the purpose of improving or ‘revolutionizing’ in-store payments around the approximately 1,700 retail stores and 5,000 other points of presence in the USA. Square has had phenomenal success growing their merchant base to 2 million users in just over 2 years, which when taken in the context of around 8 million merchants across the US shows their rapid capture of market share. Starbucks, on the other hand, already has one of, if not THE most successful in-store mobile payment program in the US today. The deal also sees Starbucks investing $25m in Square.

Last year Starbucks processed more than 26 million mobile payments via the Starbucks Card App, which also resulted in more than $820 million being committed or deposited onto Starbucks Cards. No bank in the US, or the world, that I know of can claim to have had nearly $1 billion in deposits made on a mobile-only payments platform. Ironic that the biggest and best in mobile payments today in the US has nothing to do with either the major banks or the card networks isn’t it?

Starbucks has the most successful mobile payment deployment in the US to-date

The 20 million mobile payments made at Starbucks stores in fiscal 2011—plus another six million by December’s end—were fueled by our hugely popular Starbucks Card Apps for the Android™ and iPhone,® once again reflecting our ability to respond to the constantly changing marketplace in ways that strengthen our connections with customers – 2011 Starbucks Annual Report

This alliance has been characterized by the media variously as the approaching death knell for cash or the acceleration of mobile wallet adoption:

Cash moved one small step nearer to its deathbed with the announcement on Wednesday that Square, the mobile payments start-up, would form a partnership with the Starbucks Coffee Company – NY Times, August 8th, 2012

Mobile payments service provider, Square, got a $25 million investment from Starbucks (SBUX) — valuing the start-up at $3.25 billion — that could mark the beginning of the end of cash – Forbes Tech, August 8th, 2012

Today’s announced partnership between the west coast innovators Square and Starbucks represents a significant milestone in the advancement of mobile payment and digital wallets – Forbes, August 8th, 2012

Others are not so sure…

Starbucks is one of the biggest retailers yet to embrace the “digital wallet,” and tech blogs are gleefully heralding the death of cash. But such pronouncements may be premature. The digital wallet still faces several hurdles, and it starts with the consumer – US News, August 8th, 2012

But my take is a little different…

The issue for the banking industry at large here is that both Starbucks and Square have demonstrated that payments can be made much simpler through the use of mobile, and without any of the fraud issues currently plaguing mag-stripe in particular, but cards in general. Secondly, the question of whether ‘mobile’ payments are mainstream really must be dismissed as a smoke screen for lagging adoption when 25% of Starbucks consumers and 25% of US merchants have flocked to mobile-enabled payments in the last 2 years, and adoption is rapidly increasing.

From a pure usability perspective, swiping your credit card on a Square reader is analogous to using a typical POS (Point-of-Sale) terminal, and as such Square merchants have quickly adapted. Pay with Square is also easy, but relies on you being able to communicate your name as your unique identifier. Square polls your phone to check if you are in the same physical geography as the merchant, and if you are it displays your Square profile photo on the merchant’s register, so that when you give your name the merchant can verify it’s you and process the payment. No swipe or interaction required. The only challenge is that in a noisy Starbucks with 10 people standing in line behind you, communicating your name might be difficult. Using an NFC tap to initiate the payment as an alternative would certainly speed up this process and also allow for some user authentication of the payment.

The real issue for Amex, Visa, Discover and Mastercard right now is that the ‘cardless’ movement is rapidly accelerating and customers are flocking to these new technologies. The issue is not the death of cash – but the death of plastic. In a much simpler, better informed payments interaction, plastic just looks dumb, insecure and outmoded.

Those working hard to disrupt payments are not the incumbents, but new players like Starbucks and Square. As with photos, books, video, music and many other industries that have fallen foul of disruptive behavioral shift over the last few years, there is always a false sense of security about how secure the incumbents’ ‘platform’ or market is. This is the case with payments. Many have said that security, regulation and such prevent exactly this sort of disruption in banking. I would argue that once customers are no longer using plastic, your days as a valued provider of a ‘card’, whether physical or digital, are surely numbered.

This is not the end of cash as much as it is the end of three decades of card-based payment behavior. The shift to the phone as the primary payment device has started, and it’s happening much faster than you think. The only problem Square might have is that the current Starbucks App is probably the one they have to beat, not plastic cards.


What will it take to restore trust in the banking system?

I grew up in a world where a run on the ‘bank’ was never realistically going to happen. I grew up in a world where when someone wished to declare the truthfulness of their assertion they’d simply say “you can take that to the bank” or when it was a sure thing they’d say “you can bank on it!” I grew up in a world where the government ‘guaranteed’ my deposits, my cash, or my nest egg – as long as I deposited it with a recognized bank or financial institution. But that was then…this is now.

Long memories

In the 1930s and 40s in the United States after the Great Depression, there was a perception that the destruction of individualism and community banking practices in favour of cookie-cutter branch banking approaches built on efficiency, sales, and transaction banking was a risk to the stability of the banking system. If there were just a few big banks, and there was a broad loss of confidence, then the whole system could fail. This explains why the US has so many institutions (7,334 FDIC-insured institutions as of 8 March 2012) compared with other developed economies (5,404 banks in the entire EU[1]), as US regulators historically sought to institutionalise community support and make monopoly approaches harder. These so-called “foreign systems” of branch banking were labelled “monopolistic, undemocratic and with tinges of fascism” and as “a destroyer of individualism”.[2]

This lingering psychology of safety in the physical banking place (and density) stems from long memories of epidemic “runs” on the banking system during the Great Depression:

“It is known to be a large bank and, being distant and perhaps consisting of thousands of branches, is less distinctly visualized than the local bank; and so the people are likely to think of it as great and powerful, and able to meet its liabilities. In the second place if the depositors were to initiate a run on a local branch, it would be difficult to spread their psychology and arouse depositors in distant branches.”[3]

There was a whole post-war generation that grew up with a healthy skepticism of ‘big banks’ and the risk of a run on the bank. With almost 70 years having passed since the Great Depression, however, the banked population as a whole finally started to believe that banks were inherently secure, safe and trustworthy. We were in for a rude shock!

Trust evaporates in the Global Financial Crisis

Since the Global Financial Crisis we’ve learned that banks are just like any other business, if run poorly they can and do fail, and unfortunately there are many banks that made poor business decisions last decade. Many exposed themselves to sub-prime mortgages, CDOs (Collateralized Debt Obligations) and ABS (Asset Backed Securities), others were over leveraged, had poor risk mitigation strategies, or had their own lines of capital too heavily tied to capital markets. Some like Northern Rock were struggling financially long before the financial crisis, and thus were quick to face dire problems when the economy turned south.

The modern day “run on the bank” @NorthernRock (Credit: The Guardian UK)

We also learned that despite a government-backed system of licensing and regulation, banks aren’t actually part of a social-support mechanism built to help the end consumer – banks are simply corporations with a primary focus on generating profitability for their shareholders. We learned that at a time of great angst in the community over the role and health of the banking system, and over banks’ support for consumer financing and lending, there was no overriding moral imperative to bank policy. In fact, they’d be quite happy to take taxpayer funds on the premise that it would increase liquidity and allow them to lend back to the end consumer, when none of that happened and they were more likely to invest those funds in generating bank profits and large bonuses for their executives.

As consumers do we trust banks? We might trust that the deposits banks hold are secure, but we’ve seen through the veil and know that banks are not infallible, they’re just corporations hell bent on profits, like all good companies should be. We know they can be mismanaged and fail, and while we might have been ready to support a “bail out” when the financial crisis first hit, we’re now dubious as to whether that was the right strategy.

Regulation and Advertising won’t rebuild trust

The concept that the industry can rebuild trust in banking through a combination of corporate messaging, advertising or reinforcing regulation is somewhat erroneous.

Consumers today have a healthy skepticism and distrust of big banking. As consumers we also have a social dialog structure (social media) that allows us to reinforce our healthy skepticism at mass scale. There’s a group psychology involved, but one that society perceives as a protection, creating transparency. Banks might feel frustrated at this, but the reality is that ‘trust’ in the industry was largely engineered over the last few decades through a combination of advertising and visible regulation, and with the missteps of the crisis quickly evaporated. Now similar attempts to re-engineer trust are likely to backfire.

“Trust” is a common theme in many banking ads

Even regulators, who might believe they are protecting the market and consumers, are increasingly just creating friction between the consumer and institutions (through increased regulation) and the resulting customer frustration and cynicism works against reinforcing trust.

The only way for us to ‘trust’ banks again like we used to is to change the way banking works. The greater the transparency and the better banking serves customer needs, the more we’ll trust banking to work for us. Transparency, utility and great service are all that ultimately matters now, because the old pillars of trust (safety, security, brand messaging, fiscal management and regulation) are no longer effective.

 


[2] Source: American Banker Journal, 23 March 1939, p.2

[3] Branch Banking: Its historical and theoretical position in America and abroad, Arno Press 1980 (Chapman and Vesterfield), page 275


Do you need a Banking License to do Banking?

Clearly, to be a deposit-taking bank and offer products like mortgages, loans, savings accounts and so forth, it would be easier to have a bank charter. However, today the lines between banks and non-banks offering financial services are blurring faster than speculative investors dumping shares in Facebook.

There are many types of ‘banks’ or organizations that use the word ‘bank’ to describe their business activities, such as Photo Banks, Seed Banks, Sperm Banks, DNA Banks and Blood Banks. There are also organizations that use the word bank in their name for other reasons, like the “Bank Restaurant” in Minneapolis, JoS. A. Bank Clothiers and others. JoS. A. Bank offers a Pre-paid Gift Card program for individuals and corporates that has the name “Bank” in its offering, but isn’t regulated by industry. Bank Freedom, from Irvine, California, offers a pre-paid Mastercard Debit Card but isn’t regulated as a bank.

Despite some claims to the contrary, it isn’t actually illegal to call yourself a ‘bank’ or have ‘bank’ in a tradename. In some states in the US, you might have difficulty incorporating yourself as a “Bank” if you have bank in the name of your company and you’re intending on offering financial services. But then again Citicorp, JP Morgan Chase, HSBC and others don’t actually have “Bank” in their holding company name. You don’t need the name ‘bank’ in your name to be licensed as a bank, and having the name ‘bank’ doesn’t force you to be a chartered bank either.

Then there are the likes of iTunes, PayPal, Dwolla, Venmo, Walmart, Oyster card in the UK, Octopus in Hong Kong, and the myriad of telecoms companies who offer pre-paid contracts, who regularly take deposits without the requirement of a banking license. In some markets, this has resulted in a subsidiary ‘e-Money’ or basic deposit-taking licensing structure, but these organizations do not have the restrictions, regulations or requirements faced by a chartered bank. For more than 7 million Americans, 11 million Chinese and many others, their basic day-to-day method of payment in the retail environment is a pre-paid Debit Card (sometimes called a “general purpose reloadable” card). The pre-paid market is expected to reach an incredible $791 billion in the US alone by 2014.

When a bank account is not offered by a bank
What’s the difference between a pre-paid debit card account in the US and a demand deposit account from a chartered bank? Both can be used for online commerce and at the point-of-sale. Both can be used to withdraw cash from an ATM. Both allow cash deposits to be made at physical locations. Both can receive direct deposit payments like a salary payment from your employer. Often pre-paid debit cards can offer interest on savings also. So what can’t a pre-paid card do that a typical deposit account can?

Most prepaid cards don’t allow you to write cheques (or checks), deposit more than a few times a month, keep a balance in excess of $10,000, make transfers/payments that exceed $5,000 per day, and/or go into the red with an overdraft facility.

For many customers who use pre-paid debit cards, these are not restrictions at all – and thus the card represents an alternative to a typical bank account from a chartered bank. Behind the program managers of pre-paid cards there is an issuing bank with an FDIC license in the US, but the program manager is not regulated as a bank. That nuance may be lost on some, but for the customer they are generally completely unaware that there is a “bank” behind the card – they simply see the program manager as the ‘bank’ or the card as a ‘bank account’ based on the utility provided by the product.

Bank Freedom offers an alternative to a checking account, but is technically not a bank

Today PayPal, Dwolla, Venmo and others offer the ability to transfer money via P2P technologies that mimic the likes of the ACH and Giro networks. I think it is fair to say that no one considers these organizations to be ‘banks’, but until recently (certainly prior to the Internet) we would have considered the activity of these businesses to be “banking”. Now you could argue that PayPal is more like a WesternUnion than a Bank of America, but the point is that these organizations are increasingly attacking traditional ‘bank’ functionality.

Then you have P2P lenders who in the US have offered more than $1 billion in loans since 2006, despite not having banking licenses.

If only ‘banks’ did banking…
Today banking is not restricted to those with banking licenses. Banks no longer have an exclusive on the business of banking. If they did PayPal, iTunes, Dwolla, and the myriad of prepaid debit cards would be illegal. They are not. If they did, you couldn’t deposit money on your prepaid telephone contract without visiting a bank branch. If they did, you couldn’t send money to a friend without a bank BSB, sort code or routing number.

The assumption that only banks can do banking is a dangerous one. Why? Because often, as in any other industry suffering from competitive disruption, the only things that force positive change on an industry mired in regulation and tradition are competitive forces. Sometimes those forces result in the complete disruption of the industry (see Telegraph versus Telecoms); other times they result in fragmentation.

Are there banks who don’t have banking licenses? There are hundreds of organizations today that are doing banking activities that don’t have bank charters or licenses. Can they call themselves a bank? Some do, but they obviously don’t need to in order to offer banking-type products and services, and those that do generally have a regulated bank charter behind them through a partner. Like Post Offices around the world that offer a place to pay your bills or deposit money on behalf of a regulated bank, this activity is not illegal, nor does it require regulation. Why? Because the partner bank who has a charter is responsible for ensuring their agents and partners stay compliant within the legal framework.

The activity of ‘banking’ is going to become a lot less defined, owned or identifiable in the next few years as many non-banks start infringing on the traditional activities of banking, and as banks are forced to collaborate more and more to get their products and services into the hands of consumers. While we still have banks doing the heavy lifting, much of the basic day-to-day activities of banking will become purely functional and will be measured by consumers on the utility of that functionality, rather than the underlying regulation of the company or institution that provides it. Thus, customers won’t really care if a bank is at the front end or what it’s called; just that they can get access to banking safely, conveniently and securely.

What will regulators have to say about this? Well that’s an entirely different matter.


How to Transition to the new Branch Reality

I guess with a title like Branch Today, Gone Tomorrow it’s no surprise that a lot of people think I’m anti-branch. I’m not anti-branch, I just don’t drink from the branch kool-aid fountain that goes something like “if only we could find the right formula we’d reverse this trend of not visiting the branch and customers would flock back to our physical space”. I think most Bankers and Credit Union executives instinctively feel there is a change in the importance of the ‘channel mix’, but as often as I hear questions about how quickly this is going to occur, I hear executives talking about how customers used to behave. “But don’t customers need to come into a branch for lending products; to talk to a loan officer about more complex products?” This was a legitimate question in the old world, but today it is light on facts, which don’t actually indicate the branch is central to lending.

The fastest growing lending institutions in the country right now aren’t the big banks, community banks or even credit unions. The fastest growing lenders certainly aren’t mortgage brokers. The fastest growing lenders in the United States at the moment are actually peer-to-peer social networks, namely Prosper and Lending Club (thanks to @netbanker for this gem). In terms of percentage growth of loan book, you’ll be hard pressed to find any FDIC insured institution doing better. In fact, I’d wager that a 375% increase in Loan Originations in the last 18 months, coming off the back of the Great Recession as the global financial crisis is being called, is one of the most impressive new FI growth stories you’re likely to hear globally.

Lending Club growth thru April 2012

Last time I checked, neither Prosper, Lending Club or Zopa had any branches…

Why customers think they want branches
Now my point here is not to argue that P2P Lending is better, it is to argue that the perception that to sell a complex product you require bricks and mortar, just isn’t supported by the data. To be fair, however, there is actually some valid behavioral data at work here that comes out through qualitative research supporting the role of the branch for legacy customers. That is, that there are still plenty of customers who say they want a branch – that doesn’t mean they will visit it, but they like to have them around. In Branch Today I examined the data and reasons for the recent rapid decline in branch activity, both from a visitation and transactional measure, but the question is why some customers still say they want to visit a branch?

There’s really only three things that drive a customer to a physical branch:

  1. I need a physical distribution point to deposit cash (primarily for small retail businesses)
  2. I need advice or a recommendation for a product or need I don’t fully understand, or
  3. I have a humdinger of a problem that I couldn’t solve offline, so I’m coming into the branch to get relief.

Branch bankers hang on to #2 for dear life, hoping that this will somehow keep customers coming back, helping justify those massive budget line items dedicated to real-estate; sadly it just isn’t happening that way. And yet, when you ask customers what determines their choice of ‘bank’ relationship, often the convenience or availability of a local branch, remains a stalwart factor.

Since the mid-80s, branches the world over have generally been transformed into streamlined cost/profit centres. The industry has attempted to reduce cost and improve efficiency to optimum levels and in this light customers have been forced to trade off between either big bank efficiency and utility, or the personalized service of a high street, community banker interaction without all the bells and whistles.

Despite this drive for efficiency there’s still a lingering psychology of safety in physical banking place and density, which stems from long memories of epidemic ‘runs’ on the banking system during the Great Depression. So what remains are two core psychologies that play to the need for physical places, which reinforce the safety of a “bank” where customers are going to entrust their cash:

  1. I recognize that I visit the branch less and less for banking, but I’d like it to be there just in case I need to speak to someone face-to-face about my money or I have a problem, OR
  2. The more branches you have, the less likely you’ll go under in the case of a ‘run’ on the bank

But who is going to pay for the space?
The big problem with this, of course, is that as customers more commonly neglect the branch in favor of internet, mobile, ATM and the phone (call centre), the economics of the real estate and branch staff is no longer sustainable. So how do you have a space that still ensures the confidence of those customers that require the psychological ‘crutch’ of a space they might need to go to, but who aren’t willing to pay more for the privilege and won’t change their day-to-day banking habits back to the branch because the web and mobile are just so much more convenient?

The answer is two-fold.

The Flagship Store
If you need to instill confidence in the brand, then the best way is to build a new, large square footage space that screams new-age, tech-savvy branch banking with coffee and comfy chairs! Think the opulent Airline loyalty lounges that started to emerge in the late 80s. Think Virgin Megastores or the “Gold Class” cinemas of the 90s. Think Apple Stores today.

Brand spaces that inspire confidence. Enable a connection with your customers. Spaces that tell customers you’re all about service, advice and solving their banking problems – not about tellers and transactions.

Jeff Pilcher at FinancialBrand.com regularly covers the best of these new Flagship and Concept Stores, so head over there if you want some examples to work from. However, this is not exactly going to lower your bottom line around distribution. If anything it’s going the other way. Knowing that you’re going to have to downsize, the average FI will only be able to support a handful of Flagship stores in key, high-traffic, high-visibility locations. So how do you equalize the ledger?

The Satellite Service Space
Supporting the Flagship stores at your secondary locations (i.e. anywhere that is not your best, most densely populated geography) will be very simple, cash-less brand presence stations. These will be small spaces in prime traffic locations like shopping malls, without any teller space, but with the space to service the pants off a customer who needs that advice or help with a sticky problem. If they want cash, there will be an ATM. If they want to deposit notes or checks, the ATM can do that too, or you might incorporate a dedicated check deposit machine in the space. In fact, the bank representative in the space could just use his iPad for that – although it’s better to move them to the ATM and go no-transaction in the service space.

A good example of this sort of space would be the likes of smaller UPS franchise stores, or the BankShops of the TESCO variety in the UK. A small footprint of no more than 300-500 square feet, but enough space to represent your brand and tell customers they can still come and see you if they need a solution.

Spaces don’t need to be big to provide service

The ratio of flagship store to satellite spaces will probably be at least 10 to 1, if not greater. You don’t need every branch to be “big” in the new reality to give your customers a level of comfort that you are safe enough for them to put their money with you. In fact, as the likes of UBank, ING Direct and Fidor show, for some customers you don’t need any spaces. But for those that still want a space ‘just-in-case’, this strategy is a great transitional approach.

One day soon, within the next decade, we’ll need less than half the branches we have today. But as we make that transition, the need for a space to be an available component of service and support remains a key component of what we call financial SERVICES. It just doesn’t have to cost us the earth.


The problem with passwords

In 2009, Marsha and Michael Shames-Yeakel sued Citizen’s Bank in the United States for the loss of $26,500 as a result of a successful phishing fraud against their home equity line of credit. The plaintiffs’ position, successfully argued, was that Citizen’s Bank did not adequately protect them because it did not implement the FFIEC guidelines on the use of two-factor security or authentication (2FA) for Internet banking access. The successful case has significant implications in the United States, where the majority of banks are still to implement 2FA. In the EU region, two-factor has been common for some time and is a legislated requirement for both Internet Banking and SEPA. However, we’re becoming increasingly aware of the weakness of basic security built up around passwords or PINs. While 2FA is a good solution right now, clearly the chink in the armor is the password mechanism itself. I thought I’d share some research and thoughts on this that are great principles when you’re looking at digital security in the user experience.

Common passwords are a big security risk

Joseph Bonneau, Sören Preibusch and Ross Anderson analysed 32 million passwords stolen from the RockYou social gaming Web site in 2009 and 200,000 iPhone unlock codes before carrying out an online survey of more than 1100 people for what they claim is the first quantitative analysis of the difficulty of guessing four-digit banking PINs chosen by the cardholder. They found that thieves can expect to crack 1 in 11 stolen cards due to the common reuse of classics like 1111 and 1234.

SplashData likewise analysed millions of passwords used in eCommerce and Internet Banking fraud, and found the most common passwords are also the most readily used to execute fraud. SplashData created the rankings of ‘worst passwords for 2011’ based on millions of stolen passwords posted online by hackers. Here is the complete list:

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
  10. dragon
  11. baseball
  12. 111111
  13. iloveyou
  14. master
  15. sunshine
  16. ashley
  17. bailey
  18. passw0rd (‘0’ zero used instead of ‘O’)
  19. shadow
  20. 123123
  21. 654321
  22. superman
  23. qazwsx
  24. michael
  25. football

So one might conclude from this that issuing a more complex PIN, forcing customers to cycle passwords, or requiring passwords with, say, one capital letter and a mix of letters and numbers might make Internet Banking safer and more secure. But actually you’d be wrong. There’s a false economy there.

Longitudinal analysis of password behavior

Between 2004 and 2006 Peter Brooks and Michael Armstrong at HSBC eCD (e-Channel Department as it was then known), along with myself and David Jacques, embarked on a series of usability tests looking at password interaction and memory load. We tested multiple password mechanisms in a champion/challenger environment using retail banking consumers, we filmed these encounters, and we also used HSBC call centre staff to test the impact of these various mechanisms over a period of 6-8 weeks to see what role memory played in security interactions.

What we found out is essential learning for anyone working on digital channels these days trying to improve security. There were many interesting findings, but here are four that I’d like to share:

Two-Passwords and the Memory Load Problem

We tested the use of a normal User ID & Password combination, but then added in a second password. In this instance we tried calling it a secret word, a verification word and a second password. Users frequently got the two passwords confused, not sure which order to put them in. Secondly, the additional memory load meant that around 30% of the customers wrote down or stored their second password in a plain text file, so they could access it later if they forgot it.

At the time we asked the Usability Guru Don Norman for his input into what we were observing and he gave us a classic quote that is so applicable to this debate on password security:

“The more secure you try to make a system, the less secure it is likely to become” – Don Norman, NielsenNorman Group

We saw over and over again that when you made it hard to remember a password, people would find workarounds. Post it notes on their monitor, plain text files stored on the desktop, a memo note on their smartphone. The harder it was to remember, the more people resorted to the least secure mechanisms to recall the password. This played into our second use case also.

When you increase memory load, people use workarounds which reduce security

The random letter selector

In the tests we had users try a password mechanism I’ve seen in use occasionally, which involves asking users to select the 2nd, 5th and 7th character of their password. The idea behind this comes from security experts who say that if someone is using sniffers or keystroke logging tools, this avoids them learning the entire password at any one time. However, this again created memory load issues. To figure out random letters within their password, how did users react or adapt?

“If you ask me for the 3rd or 5th character in my password or if I had to break it into chunks, I’m probably going to have to write it down” – HSBC customer during a usability test

Again memory load reared its ugly head. By increasing the workload to remember or break up a password into chunks, the customer commonly wrote down or typed the password into a plain text file on the screen again. Once again, by attempting to make the system more secure, we were actually introducing workarounds that dramatically decreased security.

Online Password Reset (OLPR) Questions

This mechanism is still in use today by many banks and social media networks, etc. That is, if you forget your password you have to answer some questions that only you are supposed to know the answer to. Things like what is your Mother’s maiden name, what was the name of your first pet, your first school, which city were you born in, what’s your favorite movie?

In longitudinal testing over a 2-6 week period, we found more than a 50% failure rate in this methodology. There were two reasons for this. The first was that many of the questions such as favorite movie, favorite book, etc. were very subjective and the answers to those questions changed week to week. The second problem was inconsistent use of the ‘answer’ – for questions like your Mother’s maiden name, people got case sensitivity wrong; for first school they sometimes put the word ‘school’ at the end of the school name, other times didn’t; for the city they were born in, it sometimes changed from a local suburb or borough, to the main city closest to where they were born, etc.

‘Secret’ questions for recalling your forgotten password have massive failure rates above 50%

The OLPR method proved to be a massive headache creating more customer support and service calls than it saved. The reason we were using OLPR was to stop people having to call the call centre to reset their password, but in fact, OLPR actually resulted in a significant net increase in call centre calls.
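The two failure modes described above can be reproduced in a few lines. The following is an added example, not code from the original post or from any bank: the question ids, the sample answers and the suffix list are constructed for illustration. It shows that canonicalizing answers before hashing removes the case and ‘school’ mismatches, while the subjective and suburb-versus-city answers still fail.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed, hypothetical list of words users add or drop inconsistently,
# keyed by question id. Only the 'school' case is named in the article.
OPTIONAL_SUFFIXES = {"first_school": {"school"}}

# Constructed sample: (question id, answer at enrollment, answer weeks later).
SAMPLES = [
    ("mother_maiden_name", "O'Brien", "o'brien"),        # case drift
    ("first_school", "St Mary's", "St Mary's School"),   # optional suffix
    ("birth_city", "Brooklyn", "New York"),              # borough vs. main city
    ("favorite_movie", "The Matrix", "Inception"),       # preference changed
]


def normalize_answer(question_id, answer):
    """Canonicalize an answer: fold case, drop punctuation, trim suffix words."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)      # apostrophes, full stops, etc.
    words = text.split()                     # also collapses repeated spaces
    suffixes = OPTIONAL_SUFFIXES.get(question_id, set())
    while len(words) > 1 and words[-1] in suffixes:
        words.pop()
    return " ".join(words)


def _digest(salt, text):
    # Salted, iterated hash so the stored record is not the answer itself.
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, 100_000)


def enroll(question_id, answer, normalize=True):
    """Return the (salt, digest) record stored at enrollment."""
    salt = os.urandom(16)
    text = normalize_answer(question_id, answer) if normalize else answer
    return salt, _digest(salt, text)


def verify(question_id, answer, record, normalize=True):
    """Check a later answer against the stored record in constant time."""
    salt, expected = record
    text = normalize_answer(question_id, answer) if normalize else answer
    return hmac.compare_digest(_digest(salt, text), expected)


def failed_questions(samples, normalize):
    """Enroll each first answer, replay the later one, list the mismatches."""
    failures = []
    for question_id, enrolled, later in samples:
        record = enroll(question_id, enrolled, normalize)
        if not verify(question_id, later, record, normalize):
            failures.append(question_id)
    return failures


if __name__ == "__main__":
    print("exact match :", failed_questions(SAMPLES, normalize=False))
    print("normalized  :", failed_questions(SAMPLES, normalize=True))
```

Normalization only addresses formatting drift; the answers that change in substance still fail, which is the part of the failure rate no matching rule can recover.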

Onscreen keyboards and tokens


We tested mechanisms like on-screen keyboards, one-time use tokens or password generators and other such mechanisms. Of these, the token was the only method that could reliably be introduced into the standard user ID/password system without creating workarounds that actually reduced either the user experience or actual security.

Hence, HSBC was one of the first global banks to introduce one-time password tokens from Vasco back in 2004. Two months after the introduction of tokens, phishing fraud had dropped through the floor, and the initial call centre spike for support had returned to normal.

Conclusions

Clearly we’re entering an era (or should it be error) where the simple password and user id combination is no longer secure or robust enough to cope with the myriad of access points we’re using digitally. Increasing memory load by forcing specific password types, playing with chunks or individual digits within a ‘word’, or adding in additional security words or passwords, is a costly mistake in the user experience as it invariably increases support costs, and reduces actual security due to workarounds.

In this light, the viable short-term solution is still two-factor authentication. However, longer term, biometrics (voice, facial or fingerprint recognition) that replace passwords are the ultimate solution.

Whenever you ask people to remember a password to access a system, you are inviting risk. Like cash, cheques and branches – passwords are not long for this world.


Mobile Banking versus the Mobile Wallet – what's the difference?

With recent news that Barclays Pin-git (or is it Ping-it) has had 120,000 downloads in 5 days, that Square has 1m merchants on their payments platform (1/8th of all US card merchants/retailers) and Starbucks is doing 25% of its North American payments via a cardless App – it seems like Mobile Payments are taking off like the H1N1 virus. The interesting thing is that many bankers are looking at all of this activity as if it has little meaning or impact on their business at this point in time. I think part of that may be that there is a fundamental misunderstanding of how the mobile can be utilized in the banking and payments space.

120,000 downloads in 5 days for Barclays’ PingIt

When showing glimpses of Movenbank’s Mobile App I often get asked by bankers whether it is a mobile wallet or a mobile banking app? It’s as if the two worlds of cards/payments and banking are destined never to meet when it comes to a conventional view of the banking world. In banks today, we even institutionalize this by having cards as a separate division or business unit, separate from the retail banking function. The only time they ever seem to meet is in the form of a debit card or within internet banking. But the cards business, while being a strong revenue earner generally for banks because of credit card fees and interest margin, philosophically is not really considered banking per se by most die-hard bankers.

In fact, I’ve known banks where if you walk into a branch, the teller needs to call the call centre to find out any information about your credit card, even your balance. With many of the banks I work with, in-branch or in the contact centre, CSRs/Tellers need to navigate between separate screens to see your credit card details and activity versus transactions in your checking account.

For a long time these two worlds have remained largely operationally separate. The popularization of the smartphone is destined to destroy that division of labor.

The world of Two Channels

Today retail banking is emerging out of the hyperconnected, digital transformation age as not much more than a collection of channels and utility. In the past, you had branches which were THE distribution channel, but that has rapidly fragmented. You also had cheques and cards which provided you a mechanism, or utility, for moving your money around. Historically banking was really about two primary things – storing or protecting assets, and helping in the conduct of trade and commerce. Rudimentary cheques (or bills of exchange) were around almost 800 years before physical currency, and prior to bank branches ‘assets’ were often stored in temples and palaces. At the core of banking was assets that you either kept safe, or moved around to effect trade. In many ways, that’s still at the core of the bank value proposition.

As some of you may have noted in BANK 2.0 I call out bankers for calling digital channels ‘alternative’ or e-channels because of the psychology internally within banks that tends to put these channels in a subordinate role to the branch. Recently I was approached by a recruiter looking at placing a global head of ‘E-Channels’ into one of the big global brands and asking me for my input into who could take on the role. I told the recruiter that any digital guy worth his salt would immediately stay away from this major banking brand, largely because the decision to classify the role as a head of ‘E-Channels’ already told me everything I needed to know about the brand – that they still thought of digital as ‘E’ rather than mainstream, everyday banking. That told me that anyone taking on this role would still be faced with massive inertia around branch networks and would be fighting every day to justify budget, investment and mindshare in the total channel experience – and that is why I said this brand was not ready.

With Internet Banking being the primary day-to-day channel for banking in the developed world, and branch frequency/visitation off 90% from its peak in the mid-90s, the branch is really ‘alternative’ banking today, rather than pride of place at the core of banking behavior. So the pendulum has shifted.

So what are the two emerging channels?

If you characterize banking today from a day-to-day perspective, you’ve really got two core classes of activity. Payments AND day-to-day banking based on your assets, including applying for new products, wealth management engagement, etc. If you look at either customer engagement, transactional activity or the role of an advisor in respect to your assets, you’d be hard pressed to identify activities that aren’t done through either Payments Channels or Delivery Channels (credit to Terence Roche @Gonzobanker for this insight).

Given the way retail banking is structured today, this means that many banks look at a mobile wallet as an instantiation of payments – the ultimate, downloadable payment channel ‘function’ or utility.  However, they look at Mobile Banking as a mobile-enabled version of the Internet banking platform, which is ultimately just channel migration of transaction activity from branch to digital – hence, a delivery utility. Some progressive banks are even looking at onboarding customers entirely electronically through the web, mobile, ATM or call centre – without a signature. More delivery channels. The branch is the premier delivery channel still, and more so as transactions shift out of the branch, and it becomes about high touch sales and service (delivery of revenue and service).

When two worlds collide

The problem philosophically for retail banks is that the mobile device is collapsing this view of the world. Payments and traditional day-to-day banking utility will be packaged into one portable, handheld ‘channel’. It doesn’t make sense to have one app for ‘banking’ and one app for ‘payments’ or the wallet, you must have the utility of both the bank and payments capability in one.

That presents an organizational shift because it merges the two disparate parts of retail banking, but it also presents massive opportunities.

What is possible is that my day-to-day connection with my money is far tighter than it is in a traditional banking relationship. Whether it is simply the fact that I can see my balance before and after I make a payment (not possible with plastic, cheques or cash) or whether you can start to advise me day-to-day on how to utilize my money better – the opportunity for mobile is not the wallet, and not mobile banking. It is re-imagining the utility of banking from a mobile perspective.


Mobile Payments: Leave them to their own devices

As we’ve embarked on our Movenbank project, we’ve had a lot of people express concerns about our choice to be completely cardless and go with NFC and various other P2P solutions. Questions are also often raised over which handset platform to support, which devices are certified, the lack of real NFC standards, how to enable the secure component on the various cellular networks and so forth. To a novice this all sounds very complex. Shouldn’t we worry about adoption rates? When will mobile hit critical mass? ISIS versus Google Wallet versus Visa’s play versus PayPal, etc, etc.

There are those that will tell you it will be many years before mobile payments is mainstream. You’ll hear figures like 2014, 2016 or even later bandied around as to when mobile payments will hit mass adoption. However, I believe the primary measure to focus on when looking at these sorts of predictions is first and foremost exhibited customer behavior – the predilection to a shift in the way they pay, bank, purchase or shop. If you look at consumer behavior, the story is very simple. The great mass is not only ready for mobile payments, they are racing towards it as fast as they can whenever the opportunity presents itself.

When will Mobile Payments be mainstream?

That’s a question that at worst shows ignorance, or at best a pigeon-holing of mobile payments into a single category around POS-only interactions. I’d strongly argue that mobile payments are already mainstream. Ask yourself this; what constitutes a mobile payment? Surely a mobile payment is simply a payment made from or via a mobile phone.

By that measure alone, anyone who has a smartphone and who has bought an “App” or downloaded digital content via their phone, is already in the habit of making regular mobile payments. 25 Billion Apps were downloaded in 2011 on the Android and iOS platforms, a 300% increase from 2010. In the US that represents 44% of the population, with the 50% tipping point estimated for the first half of 2012.

In reality, 67% of consumers flagged their intention to make a mobile purchase of real world goods and services in 2011 (source: PayPal), and we have hard data to show that 47% used their smartphone to make a purchase in December, 2011 alone (digital content such as songs/music, eBooks, ringtones, images, movies, TV shows, etc being the most common purchase.)

Here are some common mobile payment methods that are off-the-chart successful today:

PayPal – In 2009 PayPal processed just $141 million in mobile payments. However, last year that jumped to a whopping $4Bn, and PayPal projected that will increase to $7Bn in 2012 – a figure many consider conservative. PayPal classifies a mobile payment simply as a payment across their network from one party to another, however, by attacking the mode of payment, PayPal has created an electronic payment method that is both simpler and cheaper than ACH and Wire transfers offered by banks – the only viable bank alternative to checks.

Starbucks – In just over 1 year, the Starbucks Mobile App accounted for 1/4th of all Starbucks purchases in-store across North America. That’s 26 million mobile transactions, and the usage of the Mobile App has doubled in the last 12 months on a run-rate basis going from 1.4 million transactions per month in January 2011 to 2.9 million transactions per month last December. Remember, this payment method didn’t exist a year ago, but today 25% of all in-store payments are made via a mobile phone. If you’re prepared to argue that 25% of Starbucks’ customer base doesn’t represent mass adoption or mass consumer acceptance – I think you’re very brave, or just plain crazy.

Square – Both the Obama and Romney campaigns are using Square to take campaign contributions in the lead up to the 2012 elections. Square, which launched in May 2010, has more than 1 million merchants using their App to take payments on mobile smartphones. Considering that there are only 8 million merchants in the US, that means that 12.5% of merchants in the US use a mobile smartphone to take credit card payments – that’s in the space of less than 2 years. Now you might argue that Square is not a “real” mobile payment because plastic is still involved – but think back to my assertion about changing behavior. Once I’m using my phone to accept a ‘swipe’ what happens when I no longer need you to swipe, but instead just tap your phone, give me your phone number or use some other ‘cardless’ methodology (Square’s is called CardCase) to pay? There’s now no barrier to entry as you already own the infrastructure – i.e. you don’t need a POS terminal and a hard line.

Dwolla – Unlike Square and PayPal, Dwolla works completely independently of the existing payment networks beyond cash-in and cash-out functionality. Dwolla’s main strategy is to attack the current transaction costs of moving money around. If a transaction is under $10 the transfer (or payment) is free, if over $10, there is a capped $0.25 fee. Dwolla has around 70,000 customers today (including 5,000 merchants or retailers) and they process around $1m a day through their network. Dwolla argues that their network is safer for consumers and merchants alike because it doesn’t send sensitive credit card details across the network, just a secure ID and the transaction details. Dwolla is more than a payment network, however, because it (like PayPal) stores your balance in your account – it is a proxy for a debit card with none of the fees, and none of the card fraud risks. The majority of its payments are transacted through Dwolla’s mobile app.

Dwolla, PayPal & Square all attack modality and simplicity of current payments networks

Core payments behavior has already shifted

This is what Visa and Mastercard already know. Mobile payments and the behaviour required to drive mobile payment adoption is already widespread. The mass market loves the ease of use and modality of a mobile payment compared with plastic, cash and cheques. While debit card usage is growing, check usage is rapidly declining and cash usage is declining in most developed economies. In the US, prepaid debit cards were the fastest growing form of electronic payment in 2011. Combine prepaid debit cards and smartphones that allow you to pay at the point-of-sale (with NFC or some other cardless method) and you have the perfect storm for disruption.

In the last 12 months, Visa and Mastercard have both been accelerating their move to replace all the existing merchant POS units with PCI-compliant alternatives that also facilitate NFC mobile payments. What Visa and Mastercard realize is that if they don’t push NFC as if their very life depended on it, with the mobile quickly becoming the dominant payment device, payments will shift away to alternative ‘network’ rails. The only way to ensure their current payment networks stay a part of the mix, is to ensure they can support the behavioral shift to mobile (regardless of whether that is NFC or some other solution.)

NFC is the only viable solution that allows Visa to support both legacy card transactions at the POS, and mobile payments. This makes for an orderly transition, and requires only a POS terminal swap out. The alternative would be new point-of-sale systems such as those offered by Square and PayPal. For larger retailers and merchants, this would require a considerable investment and could be risky, but not impossible. The last thing card issuers want right now is a major retail chain announcing a deal with Square, PayPal or Dwolla, that renders them obsolete.

If Visa and Mastercard don’t convert their networks to phone-capable in the next 24 months, I fear Square, PayPal, iTunes and a myriad of others are just waiting in the wings to circumvent their rails. Argue all you like about NFC adoption, that’s not what you should be watching. The tipping point is the behavioral shift on the mobile phone – that is what will kill plastic, and it’s already happened.


The upside and downside to the digital shift

I’m starting to hear of some very significant digital and multi-channel budgets being put in place by many of the leading retail banking brands in 2012. It’s about time!

While I won’t name names or budgets, I’ve heard of mid-sized banks dedicating more than $50m to Internet, mobile and social-media this year, and large banks in the range of many hundreds of millions. It’s obvious from some of the outcomes in 2012 that major brands like Citibank, BBVA, CommBank, and Amex, for example, are putting some major spend into various initiatives on the digital engagement side. Key to these activities is some groundwork around platform development, staying competitive on the customer interface side, exploring the mobile wallet and new forms of loyalty around payments, and of course, big social media plans.

2011 was a tough year for many bank brands

As earnings reports have been coming in this quarter, it’s no surprise that 2011 was a tough year for the big banks. Of course, I’ve also heard of major brands in the space whose budgets are woefully thin and spell major problems for them on a competitive front this year, some of these banks are already hurting. How can I argue that budgets for digital are too thin in the current environment? Well, when a major global brand in the space spends less on social media globally than the cost of deploying one branch in central London or New York, and they are yet to have any type of coherent social media strategy (no real Twitter presence as an example), that is a budget out of kilter with the reality of customer behavior and acquisition/retention mechanics.

The Inertia Problem

While I’m sure I’ll hear the justification that the economy and particularly the ongoing Euro crisis is the primary cause, there must be a recognition that banks are simply carrying a lot of redundant capacity, based on the old paradigms of the way banks should operate, and are under-invested in the new platforms and skills that will help them grow their business out of the current economic malaise. This appears to be forcing banks to try new fee structures to cover the costs of legacy business operations, rather than adapting the organization and thus cost structures. I could call out legacy branch infrastructure again, but I won’t beat a dead horse, as they say – the economics of that are becoming glaringly obvious to most. So let’s take two other simple examples where the organizational behavior is skewed by inertia:

Account Opening and Administration
With average account acquisition costs being in the range of $250-350, you would think that someone would have connected the dots between the need for a signature card (and related physical handling) at account opening, with the cost of acquisition. The easiest way to reduce acquisition costs is get rid of the paper. Which brings us to annual costs for checking accounts too. With an average checking account costing around $350 a year, sending paper statements, printing checkbooks that are never used, charging big fees for wire transfers so that you prop-up your dying legacy check business, all smacks of a business driven by inertia.

What’s my account balance?
This is the number one requested piece of information from the bank today, and while we provide internet banking access to this piece of information, the dominant method of a customer getting this is still through an ATM or through the call centre. A far simpler mechanism would be sending the account balance via text message when a major transaction occurs, at set intervals (say weekly) or as defined by the customer. The cost of sending a text of your balance to a customer 10 times a month, is less than the cost of one call to the call centre for the same information, and less than two ATM balance enquiries (based on current channel cost estimates). The deployment of mobile wallets will massively reduce these ongoing costs as well.

Investment prioritization

In terms of size of budget, here is my rough take on where the investment prioritization is occurring across the board:

  1. Mobile
    Clearly, whether it is deploying new mobile apps, iPad apps, playing with mobile wallets, or geo-location features and offers, Mobile is the big play in 2012 and everyone wants a part of the action.
  2. Social Media
    From deploying monitoring stations, building service paths organization-wide to cope with social media requests and incidents, building new loyalty programs powered by social platforms, or trying to tap-in to friends, likes and advocacy, social media is a big play this year.
  3. Acquisition/JVs/New Appointments
    Acquisitions are a tough one because it is only the larger organizations who are looking at this, but there’s an effort to acquire key skills, technology and business practices emerging through acquisition, and significant dedicated funds for exploring new lines of business. With CapitalOne’s acquisition of INGDirect, and other moves, we’re going to start to see this being a sizeable component of global plays in the space as the bigger players try to acquire core capability. We’ve seen banks like Comm Bank in Australia start to make strategic investments in core skills at the top, such as the appointment of Andy Lark, along with major changes in their budgets internally around digital. While Andy is billed as the Chief Marketing Officer, he bears little resemblance to the marketing officers of most banks traditionally.
  4. Core Systems replacement to cope with channel mix
    I think this one is obvious
  5. PFM, Big Data and Analytics
    I’ve put all these in one bucket, which isn’t really fair, but for many organizations the start to collating their big data into useful information only occurs through the move to PFM (Personal Financial Management) tools behind the login. The need to connect people to their money, to target cross-sell and up-sell messages and otherwise monetize account activity and data, is a big priority.
  6. Engagement Marketing and Collaboration
    Increasingly we’re seeing dedicated efforts at partnerships, API layers, new marketing initiatives across broader platforms and other such mechanisms. We’re starting to see a new slew of ‘business development’ and ‘partnership’ resources emerge as banks look beyond their own walls for growth opportunities. Expect this to grow significantly over the next 3 years as we see more JV, incubation and acquisition budgets emerge as well.

The downside to the shift

Clearly these changes are all good for staying relevant to consumers, changing business practices to adapt to new behaviors, and better aligning costs with operations as they shift. However, the downside is that as you move away from legacy operations there’s a lot of dead wood.

AUSTRALIA is on the cusp of a white-collar recession with insiders warning that thousands of jobs are at risk in the finance sector, after it emerged yesterday that ANZ planned to cut 700 jobs.

While many banks used the global financial crisis to ‘downsize’, the reality is that there are going to continue to be significant job cuts in the sector as a result of re-tasking the organization for the new reality. In fact, my estimates are that we’ll lose many more jobs to the ‘shift’ than we did in the global financial crisis. Sure, there will be new hires as well, but the reality is as we downsize branch staff, manual operations and traditional marketers, we simply don’t need the volume of skills to replace them on the digital front. Even in-branch we’ll be using technology to avoid queues, speed up transactions, and hence reduce branch staff footprints.

Joshua Persky, an unemployed banker, on the job trail

It’s inevitable in the shift to digital within finance, that some humans will be replaced by technology efficiency gains. As we really start to see digital making progress, those legacy skills sets will become glaringly obvious on the balance sheet. Unfortunately, it’s either lose legacy operations staff or lose customers and profitability.


Why snail mail is dying, and taking your identity with it…

There has been a 25% decline in the total mail volume for the USPS (United States Postal Service) from 2006-2011, resulting in a $5.1 Billion loss in 2011 alone. Since 2007 the USPS has been unable to cover its annual budget, 80 percent of which goes to salaries and benefits. In contrast, 43 percent of FedEx’s (FDX) budget and 61 percent of United Parcel Service’s (UPS) pay go to employee-related expenses. The USPS has 571,566 full-time workers, making it the US’s second-largest civilian employer after Wal-Mart. It has 31,871 post offices, more than the combined domestic retail outlets of Wal-Mart, Starbucks, and McDonald’s. It’s also more than double the number of branches of the combined retail distribution points of Wells Fargo, Chase and Citibank. The problem is that 80% of those USPS offices lose money annually.

USPS’ Rapid Decline started in 2007 and has been shocking

Why the decline?

The decline in first-class mail in the US has accelerated in recent years. The USPS relies on first-class mail to fund most of its operations, but first-class mail volume is steadily declining—in 2005 it fell below junk mail for the first time. The USPS needs three pieces of junk mail to replace the profit of a vanished stamp-bearing letter.

Junk Mail, or as Advertisers call it “Direct Mail”, promotion is rapidly declining with projected declines in the range of 39-50% estimated for the period 2008-2013.

Email, Internet Bill Payment and Statements, SMS alerts, and other information delivery mechanisms are much more timely and cheaper than “Snail Mail” today. Environmental awareness and ‘do not mail’ lists have contributed to the decline also. The couponing business, which has supported the ‘junk mail’ industry for the past two decades in the US, has been decimated in recent times by the daily deals industry. Jeff Jarvis predicted this shift back in 2009.

It shouldn’t be a surprise that the USPS is in major trouble.

What does this have to do with banking and IDV?

At least 80% of non-junk mail I receive these days is from financial institutions that I have a relationship with (and even then it is often bank ‘junk mail’). This is despite my best efforts to eliminate snail mail as a formal method of communication with those service providers I choose.

Most banks still ask me for my address, and require verification of that address through some utility bill. This is a requirement of most regulators too.

The problem is – no bank has ever, as far as I know, actually verified my address is real. In theory, a utility bill is one of the easiest documents to compromise via identity theft, and/or fake with photoshop and a laser printer.

Why do banks collect my address?

The initial reason had nothing to do with regulatory requirements. The main reason initially was to send me my replacement cheque book, or send my regular monthly statements. Today, with snail mail all but disappearing, why do I still need to verify my address with the bank? I actually don’t want the bank sending me snail mail, and my physical address has nothing to do with my ability to pay for credit or the likelihood of anti-money laundering.

From a compliance perspective, sending you physical mail is one of the riskiest activities a bank can undertake today, because not only is it not secure – it actually increases the likelihood of fraud. If there wasn’t a legacy snail mail process, it is unlikely in the extreme that compliance would approve a process as risky as snail mail today.

Do we need an address?

Today your address is just a common data element shared as part of your profile. It is insecure. It can be easily compromised. It bears no relevance to the likely risk or otherwise of your suitability as a customer. It is unverifiable.

It doesn’t make sense to have address verification associated with a customer from an identity perspective.

There must be a better way. Why not use the guarantor method? Why not get trusted associates to vouch for you, as they do with new social networks like Connect? Why not ask a new applicant to get an existing customer of the bank to vouch that he is real, and trustworthy? Why not take a photograph of the applicant and match their picture to their driver’s licence or passport photo using facial recognition, along with cross-checking a government database?

There are dozens of activities I could undertake which are safer, more reliable and more verifiable than a physical address.

Identity doesn’t need an address. Identity is about verifying you are real, and an address doesn’t do that.

Keep it as a data point, by all means. But let’s stop kidding ourselves that an address is a requirement for KYC.



    © 2019 Breaking Banks