Carpadium Consulting

Simplifying Complexity

Archive for the ‘banking’ Category

SquareUp launches mobile credit card payments system [updated]

There have been rumours for a while now that @jack from Twitter was working on a new payments venture. Well, it seems that those rumours are true with today’s announcement of SquareUp.

The home page has some information about what they are doing, but the service is in soft-launch / invite-only mode at the moment so full details are not yet available.

Straight away, SquareUp looks cool, and from what limited information is available on the site, it looks like it has the potential to shake up the way small businesses work with credit cards to accept payments.

Two things stand out. Firstly, it looks like it is designed only for card-present transactions (as far as I can tell), and secondly, it uses a magnetic stripe reader to acquire the card details. The first point means that it's not likely SquareUp can be used for online payments, and the second point will probably mean that it does not handle chip cards.

However, this does not mean the system is without a security overlay. One neat feature is that it supports a form of photo ID check. When a merchant accepts a payment, the iPhone application shows them a photo of the cardholder, which they can use to verify against the payee. I have to assume that this only works for cardholders that have pre-registered a photo with SquareUp.

To some extent (but certainly not all), this gets around the need to use a chip card, although I wonder what the card schemes will have to say about this as they roll out chip cards and readers everywhere.

One final note about SquareUp that is specifically relevant to the Australian market (although I have no information about plans to roll out the service here) is what it might look like against the proposed MAMBO payments service.

Is this another payments innovation that the big banks should take notice of, or something with a limited niche for use by small businesses currently lacking in ability to work with credit card payments?

My first impression is that it will certainly be successful in that niche, however you have to wonder what they might have up their sleeve. If we have learnt only one thing from the history of Twitter it's that they understand how to build a platform.

M@

Update 1: Here’s some words from the Man himself. Pretty much confirms my initial thoughts. Still no CNP option, as far as I can tell.

Written by matts

December 2nd, 2009 at 7:43 am

Electronic Verification in Australian Financial Services

More and more banks and financial institutions are looking at Electronic Verification (EV) as a way to improve their customers’ online experience, while at the same time improving the efficiency and accuracy of customer enrolment to tackle the ever-increasing threats of online crime.

EV is coming up more and more often in our consulting activities, so we thought it would be useful to provide a quick introductory overview of the basic concepts for anyone wondering what it is all about.

What is Electronic Verification?

Electronic Verification (EV) is a process that verifies the identity of a new customer to a bank or financial institution using a combination of publicly and privately available electronic data sources.

EV is the electronic equivalent of sighting a physical identity document to verify the correctness of information provided by a customer. EV is attractive to financial services organisations because it can remove the need for a new customer to present physical identity documents in person or via certified copy.

In general, the EV process works as follows:

  • An individual’s identity information finds its way onto a government or private sector database through an existing identity collection and verification process.
  • The individual provides identity information to the financial services organisation as part of a customer or product origination process, typically performed by the customer using the financial institution’s web site.
  • The organisation tries to match that information against available government or private sector databases to verify the customer’s identity.

It is important to note that any rejection via electronic means does not exclude the customer; it only excludes them for this type of verification. Traditional paper-based identification is still available, and so EV is typically used in conjunction with other forms of identity verification.

At its best, Electronic Verification:

  • Is a very cost-effective way of complying with the identity verification component of anti-money-laundering/know-your-customer (AML/KYC) requirements,
  • Removes the need for new customers to produce paper-based identification documents face-to-face or via mail as a certified copy, and
  • Removes human error and provides a separation between customer-facing staff and the original identification due-diligence process.

However, EV is not perfect. It can also:

  • Open the door to the creation of many fraudulent accounts,
  • Expose the Australian public to an increased threat of identity takeover,
  • Lead to a downward spiral in the value of existing identity credentials, and
  • Result in contracts and agreements becoming unenforceable in court.

Balancing these risks and rewards as Australian financial services organisations roll out EV programs is critical to acceptance of the approach by the general public.

The Electronic Verification landscape

There are five main elements to the EV landscape in Australia:

  • The Legislative Environment is the combination of the Australian anti-money-laundering/counter-terrorism financing (AML/CTF) and Privacy legislation, including how it is applied and interpreted.
  • Data Providers are those Government and Private entities and organisations that allow access to data for identity verification purposes.
  • Service Providers allow access to identity data, including the ability to verify and score it against an identity scorecard.
  • Businesses (also known as relying parties) are the entities that use this data for the purposes of verifying the identity of new customers.
  • Private Individuals are people living in Australia that have physical or electronic identity information.

The Legislative Environment

Part B of the Australian Government’s AML legislation provides for a “risk-based approach” to customer identity collection and verification, along with guidance on minimum requirements. In addition, the legislation also provides for a second level of identification collection and verification called “safe harbour”.

The extent to which the Privacy Act influences the EV landscape is limited to the Government’s agreement on access and disclosure of new sources of identity verification data. The most contentious part of the legislation to date is the provision and use of consumer credit data. Part IIIA of the Privacy Act expressly excludes the use of credit information for the purposes of accessing transaction history. At this point in time the debate continues without official guidance.

Data Providers

Existing Sources of EV Data

Data providers are those government and private entities that hold data and make it available for the purposes of identity verification. There are two principal sources of this kind of identity data in Australia:

  • Government-sanctioned data sources including the Australian Electoral Roll, OFAC, DFAT and the Department of Immigration and Citizenship Visa Verification Service.
  • Privately held databases including Sensis White Pages DirectAccess™, Public Number Database, Historical Public Number Database and the National Homeowners File.

Future Sources of EV Data

Existing identity verification companies are actively trying to unlock new data sources from both government and privately held sources. In Australia there are six other government data sources that remain essentially untapped:

  • Electoral Roll, including date of birth information
  • Births, Deaths and Marriages, including full name and date of birth
  • Tax File number, including full name and address
  • Drivers Licence, including full name, address and date of birth
  • Passport Office, including full name and date of birth
  • Medicare, including full name and date of birth

Other Sources of EV Data

Credit data is explicitly restricted in its uses by the Privacy Act. There are two major sources of credit data in Australia: Veda Advantage and Dun and Bradstreet. While there has been significant rhetoric from financial services organisations and data providers regarding the use of credit data as a safe harbour mechanism for electronic verifications, to date there has been little or no regulatory guidance.

Service Providers

Electronic Verification service providers offer the ability to verify identity credentials against a list of both publicly and privately held databases. This takes the form of a technical interface that allows data to be matched and/or compared.

For the most part, these companies act as a data hub, allowing a relying party to verify against multiple sources with a single call into the Service Provider’s technical infrastructure. Some Service Providers also offer an identity scorecard that allows a relying party to make a risk-based decision to either accept or reject the EV data.

EV Service Providers create their value by gaining access to and aggregating publicly and privately available databases. Their success in matching an individual’s identity details depends entirely on the quality and breadth of the data held in the databases they access.

All Australian EV vendors offer access to similar public databases, and they all claim to be able to verify to a satisfactory level according to the AML/CTF legislation, including the safe harbour provisions.
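The hub-and-scorecard flow described in this section, as an added Python example (not code from this post or from any EV vendor). The source names, weights, threshold, two-source minimum and sample records are all constructed assumptions.

```python
import re

# Constructed records standing in for the databases an EV hub can query.
# Source names, weights, THRESHOLD and MIN_SOURCES are illustrative assumptions.
SOURCES = {
    "electoral_roll": (40, [
        {"name": "Jane Citizen", "address": "12 Example St, Sydney NSW 2000"},
        {"name": "Sam Sample", "address": "7 Test Rd, Perth WA 6000"},
    ]),
    "phone_directory": (30, [
        {"name": "CITIZEN, Jane", "address": "12 Example St Sydney NSW 2000"},
    ]),
    "homeowners_file": (30, [
        # Stale entries: these people moved and the record was never updated.
        {"name": "Jane Citizen", "address": "3 Old Lane, Hobart TAS 7000"},
        {"name": "Sam Sample", "address": "99 Other Ave, Perth WA 6000"},
    ]),
}
THRESHOLD = 60    # scorecard pass mark (assumed)
MIN_SOURCES = 2   # independent sources that must agree (assumed)


def normalise(value):
    """Lower-case, drop punctuation, sort tokens: 'CITIZEN, Jane' == 'Jane Citizen'."""
    return " ".join(sorted(re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()))


def matches(applicant, record):
    """A source confirms the applicant only if name and address both agree."""
    return all(normalise(applicant[f]) == normalise(record[f])
               for f in ("name", "address"))


def verify(applicant):
    """One call to the hub: check every source, score the matches, decide."""
    matched = [src for src, (_, records) in SOURCES.items()
               if any(matches(applicant, r) for r in records)]
    score = sum(SOURCES[src][0] for src in matched)
    ok = score >= THRESHOLD and len(matched) >= MIN_SOURCES
    # A failed EV does not reject the customer; it routes them to document checks.
    decision = "verified" if ok else "refer_to_document_check"
    return {"matched": matched, "score": score, "decision": decision}


if __name__ == "__main__":
    print(verify({"name": "Jane Citizen", "address": "12 Example St, Sydney NSW 2000"}))
    print(verify({"name": "Sam Sample", "address": "7 Test Rd, Perth WA 6000"}))
```

The stale homeowners record costs each applicant 30 points, which is enough to push the second one to a manual document check. Every field matched here is also something a third party could know, which is the identity takeover risk listed earlier.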

Businesses

Businesses that make use of EV service providers typically do so to reduce the risks associated with original identification and customer or product enrolment processes. Before embarking down this path, it is important that businesses understand the risks and rewards of EV.

Risks worth considering include:

  • Compliance risk, including their adherence to AML/CTF rules, impact on the future value of identity credentials, and how their implementation approach aligns with the organisation’s existing audit and compliance regime.
  • Legal/privacy risk, including product terms and conditions and existing privacy principles.
  • Fraud risk, including understanding how attacks happen and how to mitigate them.

Rewards to consider include:

  • Better customer experience, including removal of the need to be physically present to enrol, which can then enable straight-through processing.
  • Capture of market share, by removing time delays involved in the customer and product enrolment process.
  • Cost reduction, by removing the need for face-to-face identity verification and handling physical identity documentation.

Experience shows that the benefits of EV can outweigh the risks, as long as the program is properly executed.

Individuals

Private individuals are potentially the most impacted by changes in the EV landscape because it is their detailed, personally identifying information with which relying parties and service providers transact. This raises two significant issues that individuals need to consider:

  • The validity of personally identifying information depends entirely on an individual’s ability to maintain the correctness of their credentials on the various databases in which their data resides.
  • The decision to EV (generally) lies with the individual. However, if a fraudster chooses to EV, then it is very unlikely that the defrauded person will have any idea – at least until it is too late. This raises the question of just who is responsible for protecting individuals’ personally identifying information.

Individuals are most at risk when problems in the EV process manifest, yet it can be argued that they derive only marginal benefits. This misalignment between risks and rewards means that there is a very strong role for Government and regulators to ensure that relying parties and service providers do not exploit their positions at the expense of the individual.

The Top-5 Issues Hindering EV Adoption in Australia

Based on our experience with EV programs, we think that the Top-5 issues hindering EV adoption in Australia are:

  • The validity and availability of current sources of identity for the purpose of identity verification
  • Lack of a secure centralised identity verification service.
  • Any degradation of identity credentials on any one part of the system degrades the whole.
  • Ensuring that individuals keep their identity credentials up to date
  • Understanding who is ultimately responsible for protecting the public from identity fraud: individuals or Government?

Addressing these issues is something that we are well placed to help our clients with over the coming years, because developing elegant solutions is a pre-requisite for further EV adoption in the Australian financial services marketplace.

Andrew

Written by andrew

November 18th, 2009 at 10:30 pm

Posted in banking,security
