Just certify me already

One of the (many) problems in the payments world is that no-one likes to do things in the same way as everyone else. It’s the root cause of why making standards is such a long and drawn-out process, and why everything we do is essentially a compromise.

It means that when standards (and rules) for payment schemes are finally published they are often set at the lowest common denominator instead of being something aspirational to move the industry forwards. Take for example the ongoing US EMV migration. As I’ve mentioned before, the majority of Issuers in that market will own a Ferrari and use it for the school run [here], but this is a pragmatic approach and isn’t the worst thing that could happen. Bad things happen when implementing organisations skimp on living up to standards just so that they can rubber-stamp compliance – invariably on the testing component of a project, but more often than not at the specification stage where projects are dumbed-down to the ‘least we can get away with doing’ business ideology. A good example of this is recent news on PayPal’s latest hack [here], which is only really hacking in the very loosest terms as the 17-year-old in question simply walked around PayPal’s Maginot line.

Considering the vital role that electronic payments play in modern society, it seems strange that we allow our money to be passed through systems that are often the IT equivalent of using a pair of tights (pantyhose) in place of a fan belt in your car – yes it’ll get you there, but it’ll break down again sooner or later, and probably sooner [example here].

With the great rush for SEPA compliance in Euro currency countries now finally behind us [here] the next year or so will show what sort of job has been done. Some banks have used SEPA as an opportunity to upgrade infrastructure – usually on the back of past issues [here] – but many have taken the rubber band/glue/paper approach and will likely run into problems as volumes begin to increase. I know that investment in new infrastructure is often viewed as a pure ROI question, but perhaps it’s about time that the ECB and other Central Banks worried as much about infrastructure assets as they do about fiscal ones. The robustness and fit-for-purpose of our core payments infrastructure is as important to the future of our economic stability as our roads, rail or telecom lines – ask a Russian if you don’t believe me [here].

Essentially, our current certification frameworks for payments systems are not fit for purpose as most participants in the market take the approach ‘as long as it works, who cares how it’s done?’ Of course, I generalize and there are some great examples of organisations building new infrastructure and doing things in a positive way, but if you delve into the inner workings of most banks, they are typically a mish-mash of spaghetti systems, interfaces and legacy. Hark, I hear you say, the author works for a vendor of payment systems and so would say invest in new stuff – and to some extent that’s true, I do think that new systems are part of the solution, but honestly a badly implemented IBM stack can do just as much harm as the robust mainframe it replaces (note: other stacks are available and equally as good/bad).

And this is where we get down to the crux of what I’m getting at. The banking industry we have today has evolved and so carries a pile of legacy that can often cause more problems than it solves. Legacy also has the effect of limiting what is possible to achieve as it creates boundaries in which innovation can happen. Think how many projects have been shelved as the costs of interfacing to old systems made them impractical. Where it gets interesting is where legislation forces infrastructure change – EMV migration in the US; XS2A in Europe and XML in South Africa for example – because the change is so radical that it can no longer be supported by ancient and creaking systems. But of course, competition is now coming from the speed with which new entrants can take market share as they’re not tied down by this legacy, but can capitalize on swift implementations of standards and seek out the loopholes created by the payment industry to allow legacy to continue. So if our industry of electronic payments is to move forwards and be a system fit for purpose in the future, then perhaps the next regulatory stress tests should not just look at the books, but the ability for banking systems to cope with new volumes, changing channels and evolving customer needs.
