So, where’s the retail payments puck going?

Wayne Gretzky is arguably the greatest hockey player of all time, and, as a tribute to his impact on the game, his number 99 has been retired across the NHL. His quote has resonated with business people as legendary as Apple’s Steve Jobs.  Because while some success in business and marketing may come from chance, or from being in the right place at the right time, serendipity, or an adjacency to conditions that allow for success.  There is an element of informed understanding from a 360 synoptic view that improves the odds of success in any undertaking. Gretzky’s intuition and understanding of the game put him in a unique position among his peers to be able to anticipate where to position himself in real time to make the greatest impact.

Corporations with an intellectually rigorous process that provides a synoptic view of the market for a new product or service backed by detailed studies and plans still face great uncertainty with respect to launching successful new ventures.

  ‘…life always finds a way…’

• Ian Malcolm in Jurassic Park

Played by Jeff Goldblum

A painful illustration of the point is what FedEx eventually discovered shortly after they launched their Zapmail service.

Not the first victim of Moore’s law and certainly not the last.

Where we find ourselves in the world of retail payments and banking today is at the convergence of demographics and technology.

Look at the demographic breakdown of India and the United States from the charts below.

With greater than 50% of the population below the age of 30 on a total population of over 1.3B, there is a market in India that is twice the size at 650B of the total US population. This younger segment has grown up with smartphones and social apps and is much more inclined to embrace changing banking and retail payment models.  So, while we don’t know where the puck is going in retail payments and banking, watching what is happening in India is a good barometer.

And while India might not have been the first country with a real time retail payments interface, the UPI (Unified Payments Interface) started in 2016, is rapidly gaining acceptance in part because of the demographics and flexibility of the interface and the commitment of the government to digitize the ecosystem.

A brief description from: Forbes June 4, 2021 “What is UPI and How Does It Work?

“The unified payments interface or the UPI is an interface via which you can transfer money between bank accounts across a single window. This means you can send or receive money or scan a quick response (QR) code to pay an individual, a merchant, or a service provider to shop, pay bills or authorise payments.    To enable payment using your phone, all you need is a mobile payment application and the virtual address of the payee (that reads something like merawalashop@xyzbank). This implies you can make payments directly to the accounts of a vendor or a person in one step. There is no repetitive step involved. For example, entering bank details or other sensitive information each time you need to make a payment. It is simple, free of charge, and instantaneous. UPI allows you to make transactions 24/7 throughout the year. Currently, one can transfer up to INR 1 lakh in a single UPI transaction.

UPI was launched in 2016 and is the brainchild of the National Payments Corporation of India (NPCI), the umbrella organisation that oversees retail payment systems in India. The NPCI is governed by the central banking authority, the Reserve Bank of India, and its primary goal is to drive India towards becoming a digital economy.

Let’s understand how you can use UPI and what its framework entails.

Virtual Payment Address (or VPA)

The Virtual Payment Network (VPN) looks like an email address and is unique to you, for example, xyz@merabank. Your VPA unlocks the immense potential of payments and transfers through UPI. The VPA is the gateway that allows you to pay with your phone from your bank account. It is also possible to link more than one bank account to the same virtual payment address.  The VPA frees you from having to type in long bank account details of both parties participating in the payment, i.e., the sender and the receiver. It also protects your bank information. The VPA is the reason UPI is such a user-friendly platform for any payment when compared to digital wallets, credit cards, or normal bank transfers.

Quick Response (QR) Codes

QR codes are unique to every transaction and enable a seamless payment experience. Several merchants, both online (ecommerce) and brick and mortar shops, use this effectively. There are two kinds of QR codes: static and dynamic.

Static QR codes are the ones we see pasted at a shop counter, an advertisement on the TV, or at an event. By scanning them, you’re able to make the payment directly to the merchant’s bank. Static QR codes have data already encoded in them. It is unique for a merchant and has their bank account linked to it. The only thing a customer has to enter is the amount needed to be paid, after scanning the code. This is ideal in situations like small shops, restaurants, and pharmacies, where the amount can vary from one transaction to another.

A dynamic code is generated every time a payment has to be made by the merchant. This code contains the amount to be paid, in addition to the merchant’s name and bank details. This is becoming increasingly popular in cases such as home delivery of groceries, online shopping, or delivery of food. Dynamic code enables easy, cashless payments, as it instantly closes the payment loop, which can empower more customers and retailers. It is not uncommon to see consumers at kirana shops being requested by merchants to show their own phone screen for proof of payment. This makes the small retailer dependent on his customer for payment proof.   Some retailers, bigger shops maybe, even have a note pasted at their counter asking the customer to “please wait for payment confirmation,” and spend precious minutes waiting for confirmation on the payment. Some retailers even have an extra screen to just track the payment closure. The dynamic QR code eliminates all of this and closes the payment loop instantly.

Aadhaar For Payments

The NPCI has facilitated payments without a mobile phone aimed at social and financial inclusion and to support those who do not own smartphones with the Bharat Interface for Money (BHIM) Aadhaar Pay feature.  The BHIM app is primarily a UPI app available in several Indian languages and was created by the NPCI. Under this, it introduced a feature called BHIM Aadhaar Pay that enables a merchant to receive payments with their Aadhaar number and the biometric information of the customer. With this, it is now possible to pay over the counter at any merchant or trader who uses the BHIM Aadhaar app using Aadhaar authentication.

To make this work:

• The merchant should have an android mobile with BHIM Aadhaar app and a certified biometric scanner attached with a point-of-sale (POS) POS devices are varying in range and include mobile phones, kiosks, mPOS, or tablets, among others.
• Both the merchant and the customer must have linked their bank accounts to their Aadhaar numbers.
• The payment process is as simple as entering your Aadhaar number and placing your thumb on the scanner for your fingerprint. Currently, there is a limit of INR 10,000 on BHIM Aadhaar Pay transactions.

Are UPI Transactions Safe?

The NPCI claims that the UPI is the most secure platform for cashless transactions. This claim is supported by certain safety features:

Safety During Verification: The first feature is the mobile number verification during the initial registration. This binds your UPI account to your number, making it a point of identification. If you change your number, you will have to re-initiate the verification all over again. In the event of mobile phone loss, you can block the mobile number, preventing any further transactions from your bank account. This is a safety net against identity threat.

Safety During Transactions: On signing up, the UPI provides an option to set up a 4 or a 6-digit mobile pin called the MPIN. Once created, you can authenticate every transaction with the MPIN. This prevents someone else from using the app on your phone to make a payment from your account, as the MPIN is known only to you.

Safety During Authentication of Other Parties: Another feature embedded in the UPI system enables you to check the authenticity of merchants, thus preventing fraud. The Quick Response or the QR code and signed intent option allows you to find out if the merchant is UPI-verified or not. If the merchant is not UPI-certified, you instantly get notified. QR code tampering fraud is also very low and enhances the security of UPI transactions.

Bottom Line

The NPCI, through the UPI, has created a robust payments infrastructure for making payments cashless and hassle-free. It is fairly simple to understand and use, what with the myriad payment apps and convenient steps to register and start transacting.  The exponential growth of cashless transactions in India is imminent, with the NPCI predicting the number of UPI users is expected to touch 500 million in a few years.”

UPI By the numbers

While the numbers in the tables are not large in absolute terms, looking at the growth of a system that only came into being in 2016 and, during the pandemic basically doubled transaction volume and value in 5 quarters is a testament of both acceptance and design. It bears repeating that what India has done from an interoperability and inclusiveness standpoint is a model of public private partnership.

“Growing at a steady pace, UPI transactions are likely to reach 1 billion per day by 2026-27, accounting for 90 per cent of the retail digital payments in the country, said a PwC India report. Unified Payments Interface (UPI), which is driving the digital payments revolution, accounted for about 75 per cent of the total transaction volume in the retail segment during 2022-23, said the PwC report titled “The Indian Payments Handbook – 2022-27”.

“It is estimated that UPI will record 1 billion transactions per day by FY2026-2027, going from 83.71 billion transactions in 2022-23 to 379 billion transactions by 2026-27,” it added.

As the FedNow service is just starting, retail payments in the US are already finding a way…

A recent article in American Banker August 14, 2023, titled “How ‘Pay by Bank’ could affect US card volume”   elaborated on  merchants frustration with credit card expense leading to a rise in the Pay by Bank movement.

• “Overall, card-processing costs in the U.S. are among the highest in the world, and when you factor in the significant rise in credit card chargebacks merchants are seeing and ongoing fraud issues, Pay by Bank is becoming more attractive,” said Eric Shoykhet, which co-founded Link Money in San Francisco in 2021.
• Fiserv also is seeing more use of its Pay by Bank services, and the company expects the momentum of faster payment processing to accelerate adoption, said Charles Williams, vice president and general manager of alternative payments at the Wisconsin-based payments processing firm.
• Through its Carat from Fiserv e-commerce platform, Fiserv guarantees merchants immediate settlement of Pay by Bank transactions. Merchant clients already using Fiserv’s Pay by Bank service include gasoline retailer Sunoco and a large not-yet-named U.S. grocery store that recently launched a Pay by Bank option for consumers. Earlier this year, Walmart signed a deal to extend Fiserv’s Pay by Bank services to consumers for real-time settlement of certain transactions.
• Target Corp. has also proven that with the right incentive, consumers will consent to fund purchases directly from a bank account. The Minneapolis-based retail giant introduced a check card in 2007 that taps customers’ checking accounts via ACH to pay for purchases.  It evolved into the Target Debit RedCard, which dangles an incentive of 5% savings on the total purchase amount as an incentive. More than 11% of the company’s revenue flows through its private-label debit card.

The FedNow service is just beginning and, while there will be growing pains as it moves toward retail deployment, the lessons learned by India will serve as a guide to where the payments puck is going.

The UPI saw its early growth primarily through P2P and utility payments. Presently though, with the use of QR code based payments over half of UPI transactions are P2M (person to merchant)*.

*”How Indian banks gave away an opportunity called UPI, and its control, to PhonePe, and Google Pay”

ET Prime 12/29/22 Nitesh Singhal

In the US we have Zelle, Venmo, and Paypal to facilitate both P2P and service based P2B payments as an option to evolve from card based payments, in addition to those options described in the box above.  However, in a recent ABA Webinar**sponsored by Finzly and Cornerstone Advisors, there was a discussion and interactions with the audience about how to enable the new real time payment rails (RTP and FedNow) into a profitable business in the emerging real time B2B payments segment.

In the summary that Finzly published, it was reported that over 90% of the transactions in India will be real time payments, whereas in the US, 77% of payments are done on cards; most low value with high fees for banks – the implication is that these small payments moving to instant payments would be a cost reduction to banks but, that would seem to imply an evolution at the point of sale.

Other potential use cases to drive instant payments adoption were earned wage access, instant funding, and integrating into ERP applications.  All of these have potential to disrupt existing revenue streams, and that is a concern for banks but not as big of a concern as Fraud and the implementation of the technology.

While the responses given were based on B2B payments, the same concerns probably apply to P2B payments in a Pay by Bank world where the RTP rails are used.  Will there be a new payment medium like the QR code to supplant the existing card payment medium like has been seen in India.  A new super app from a tech-fin a la Google or Paytm or a major retailer perhaps.  Hopefully, this stimulated some thoughts on the big picture evolution that is coming to retail payments.

Since the payment puck is clearly headed toward real time/instant payments, what are the ramifications?

To begin, fraud and financial crime are predicted to force a financial burden of nearly $41 billion on Financial Institutions (FI) by 2027. The FedNow launch in the U.S. is also estimated to contribute to a 32.6% increase in real-time payment volume also by 2027.  Much of the fraud will be directed toward the FI’s themselves, but Banks must protect their customers.  Financial firms must employ a layered risk management solution that identifies suspicious transactions before the transaction is completed.  In real time/instant payments, like debit card transactions, once the money transfers, it is nearly impossible to recall it.

A system needs to support real time transaction analysis to prevent bad actors from stealing consumers money.  With shorter times between payment initiation and settlement, bad actors have a reduced risk that their activity will be detected before they receive the stolen funds. Accelerated money movement makes it easier to launder funds through multiple accounts, increasing the complexity of tracing stolen funds back to the criminal.  Adding to that, Artificial intelligence (AI – used by bad actors) is going to increase both the intensity and depth of attacks, using deep fakes (digitally generated imagery, audio, and video) to gain account access.

Financial institutions need to take a layered approach to fraud prevention. There must be layers of fraud protection based three items – transactions (“Does this transaction look normal?”), authenticity (“Are they behaving like a bot or a human?”) and identity (“Is this person who they say they are?”). This approach should also include education and account activity alerting. Financial institutions need to provide education for account holders.  They should be the best line of defense, considering it’s their money. If customers opt-in, setting up alerts for money movement, also each time someone uses banking credentials, can greatly reduce fraudulent activity. Financial institutions also need to educate and train their own staff on evolving fraud threats and patterns.

Generally, faster payments are associated with three kinds of speed – faster (such as same-day ACH), real-time (such as Zelle), and instant (such as TCH RTP and FedNow), based on their times to post, clear, and settle.   Successfully rolling out faster payments means getting fraud controls right from the beginning. Any new financial product is going to be rigorously tested by bad actors, especially if it has the potential to move funds. Misaligning fraud controls exposes financial institutions (FIs) to significant risk in the early stages’ of new product adoption. By way of example, early fraud problems around the Zelle rollout were aggravated by very limited integration with existing fraud analytics tools at the founding banks, inadequate authentication and risk-assessment controls, and insufficient user education.

There are many things to watch and evaluate:

• Monitor for changes to contact information or authentication methods.
• Utilize early account limits to control risk around “gray area” accounts.
• Monitor for changes in existing payee information.
• Hotlist suspicious accounts and attributes.
• Automatically alert users to all transactions and account maintenance.
• Monitor user behavior to detect risk early.
• Integrate with fraud analytics platforms.
• Collect threat intelligence to get ahead of emerging fraud schemes.
• Leverage the collective intelligence of the market to identify fraud.

That’s a lot to accomplish.

Financial Institutions using the HPE NonStop platform process more than 65% of payment card transactions worldwide.  That means the transactions processed on HPE NonStop are a huge target for bad actors.  HPE NonStop itself processes the payments and should be leveraged with HPE AI systems to combat fraud.  Ideally, world-class fraud and Anti Money Laundering (AML) systems should be monitoring HPE NonStop payment processing.  Systems can support high-speed connections such as NonStop Application Direct Interface (NSADI) (see Figure 1)

HPE NonStop can process payment transactions, and using the high-speed InfiniBand fabric allows for inflight analysis on the new real time transactions.  NSADI provides a set of services to extend the existing NonStop kernel-level InfiniBand (IB) system interconnect to NonStop user space.

NonStop user-level applications utilizing NSADI can communicate with external Linux servers (HPE Cray/Apollo systems) using the following services:
• IB Verbs/Remote Direct Memory Access (RDMA) Communication Manager (CM)
• RDMA Sockets (rsockets)
• Preload Library

NSADI supports 64-bit OSS applications which use POSIX User Threads (PUT). An API layer is provided for applications to use the RDMA services. The following APIs are available:

• IB Verbs, which directly interface with the RDMA_CM layer. RDMA_CM is a communication manager library used to set up reliable, connected data transfers between NonStop and Linux servers. It provides an RDMA transport neutral interface for establishing connections. The API concepts are based on sockets but adapted for queue pair (QP) based semantics:
  communication must be over a specific RDMA device, and data transfers are message-based.
• RDMA Sockets or rsockets. Rsockets are a front end to IB Verbs/RDMA CM. The rsockets interface can be used by sockets-based applications. To convert a socket API to a rsocket-based application, prepend an “r” to the name.
• A Preload DLL is supplied that allows sockets-based NonStop applications to communicate over IB with no code changes required. The Preload logic determines whether to invoke standard socket calls or rsockets calls.The NonStop implementation does not support some standard rsocket and Preload functionality, such as fork(), exec(), poll(), and select(). The IB Verbs/RDMA CM APIs, either invoked directly or indirectly via rsockets or Preload, are part of the OpenFabrics Enterprise Distribution (OFED) networking open-source software package that delivers high-efficiency computing, wire-speed messaging, ultra-low microsecond latencies, and fast I/O for IB end nodes. OFED version 1.5.4 is supported for this release. For the initial NSADI offering, any given user application is restricted to using:
• IB Verbs/RDMA CM APIs
  • rsocket APIs
  • Preload Library interface

For this release, only IPv4 addressing is supported. The API layer interfaces with the kernel for session establishment and control. It also provides the infrastructure required to access the IB Host Channel Adapter (HCA) hardware directly.

It should be noted that NSADI is NOT fault tolerant in the usual NonStop fashion.  There is a single fabric connection.  That is, either the X fabric is connected to the Linux server or the Y fabric, NOT both, so if the cable fails, communication is lost.  I mention that just to make sure everyone is aware of this departure from standard NonStop products.  The AI and Fraud/AML systems can be connected over standard TCP/IP connections with standard NonStop failover, so there are fault tolerant options.

The combination of NonStop payment systems combined with HPE systems supporting fraud and AML combined with AI systems to determine new fraud discovery provides a complete layered approach to real time transaction processing and will be the best defense against the new cyber assaults we know are coming.