As mobile payment solutions become a more accepted payment medium for consumers, they could also ultimately have a significant impact on the work of corporate treasuries. But what are the risks with mobile payment applications? And are corporate treasurers ready to approve large payments using their mobile devices?
Consumers appear more comfortable than ever using their mobile devices as a means of transferring money. Earlier this year in the UK, for example, a retail bank customer used a mobile payment application to put down a deposit on a house, in what is thought to be the first transaction of its kind in the world. The UK is widely recognised as one of the most forward-thinking digital economies, and the country is often one of the first to embrace innovations in payment technology. Developments in the UK are therefore likely to be replicated in other regions in the not-too-distant future.
This preparedness to accept mobile as a means of payment is filtering down to corporates, with banks increasingly offering mobile services to larger corporate clients that allow them to approve payments, check balances and even initiate payments using their mobile handsets. After all, treasury departments are staffed by consumers, and their experience of payment technology in their personal lives (provided it is positive) can influence the technology they introduce into the corporate treasury.
“We have seen increased customer demand for mobile payments via the Pingit app and are confident our customers will use both methods to suit their needs.”
Darren Foulds, Mobile Banking and Pingit Product Director, Barclays
Unlike Direct Debits (DD), which pull funds from a bank account, many mobile payment solutions push the payment, effectively transferring control to the payer. Popular examples of applications that work on this basis include Barclays’ Pingit and VocaLink’s Zapp, both of which run via the UK’s Faster Payments system. As more solutions appear on the market, mobile is becoming a hot topic for both corporates and banks.
At the end of April the UK’s Payments Council – the body responsible for ensuring the smooth running of payment services in the country – will launch its Paym (pronounced “Pay Em”) mobile payments service. The service allows customers of the participating banks to make payments by entering the beneficiary’s mobile number, then confirming their name. The service translates the phone number entered by the initiator into the beneficiary’s sort code and account number, which are securely held on a central database designed and developed by VocaLink.
What marks Paym out from other services is that it is industry-wide, and has the potential to link to every current account in the UK using just a mobile number. “Many of the mobile payment services on offer at the moment suffer, to some extent, from a lack of ubiquitous reach. With lots of them, to receive a mobile payment you’ve got to be part of a club, or an existing customer of the bank,” says Chris Dunne, Payment Services Director at VocaLink. VocaLink operates the infrastructure behind payments in the UK – Dunne describes it as the ‘national grid’ for UK payments.
At launch, the Paym database will already be populated with a large number of accounts. Nine banks and building societies – Bank of Scotland, Barclays, Cumberland Building Society, Danske Bank, Halifax, HSBC, Lloyds Bank, Santander and TSB Bank – will be able to use Paym once it is launched, with a further seven joining later in 2014. The Payments Council says that by the end of the year, nine out of ten current accounts in the UK will be covered by the scheme.
But what will the launch of Paym mean for banks who already have their own mobile payment solutions? Will they be rendered obsolete? Barclays, one of the banks participating in Paym from the launch, says its customers can still use Pingit in conjunction with Paym. “We have seen increased customer demand for mobile payments via the Pingit app and are confident our customers will use both methods to suit their needs,” said Darren Foulds, Barclays Mobile Banking and Pingit Product Director in a statement.
And despite a greater ubiquity of reach provided by services like Paym, mobile payments are unlikely to revolutionise the financial system as we know it. They will just make certain transactions easier.
Another payment channel
Mobile payment solutions are unlikely to turn the treasury function upside down either – at least for the moment. These solutions will, however, add a degree of flexibility as a complement to existing payment channels. “Corporates will continue to use desktop-based banking in the back office for high volume payments, as mobile is not a practical medium for this type of activity. Where it does become practical is when a handful of high value payments need approval while the treasurer or senior payment approver is on the move. The approval workflow lends itself to mobile, and treasurers are very happy to use a mobile to approve payments. The mobile itself is another channel, and the mobile payment is just another payment. In its simplest term, you’re settling to a telephone number instead of a bank account,” says Jon Ashton, Managing Director and Head of eChannels at Barclays.
However, as the medium adapts, it could start benefiting corporates at a much more fundamental level. “While it is just a new channel, it is also a channel that could challenge existing business models and ways of managing cash. It can make treasury processes much more efficient and lean, improve cash handling, and help right down to the working capital level, as money is coming in before it would have with the old way of doing things,” says Mark Wraa-Hansen, Head of MobilePay at Danske Bank, which offers a retail mobile payment application and is currently developing a corporate solution.
It could also transform the way some corporates invoice customers. As an alternative to Direct Debits (DD), invoices with a Quick Response (QR) Code allow mobile payments that are almost instantaneous. Furthermore, these payments have embedded in them a token containing information about the customer and the bill, thus saving the corporate on administration costs, as well as making it easier for the customer to pay. This form of payment could bring particular benefits to regulated utilities in billing customers who are either unable or unwilling to pay by DD.
Indeed, the advantages of the mobile medium are particularly relevant to certain industries – such as the utility example above. But certain regions, too, stand to benefit from mobile payments more than others owing to demographic and infrastructural idiosyncrasies. Africa is one such example.
Africa is particularly ripe for the growth of mobile payment platforms, with its combination of a large unbanked population and widespread mobile phone usage. In 2010 management consultants McKinsey estimated that 326 million people – 80% of the adult population – in Sub-Saharan Africa were financially unserved. Meanwhile, GSMA, the body that represents the world’s mobile operators, has forecast that there will be 346 million mobile users in the region by 2017.
“Mobile can play a key role in getting access to the massive population in Africa that is currently unbanked, or underbanked, and wholly dependent upon physical cash as a means of payment,” says Jerry Pearce, Head of Product Management and TPS at Standard Bank, which offers mobile payment services to its customers in 12 of the 18 countries in which it operates, including Kenya, Nigeria and South Africa. Mobile banking solutions are an essential part of the new banking ecosystem in the continent,” he adds.
M-Pesa, the Kenyan money transfer system supported by mobile phone operators Safaricom and Vodacom has grown rapidly since its launch in 2007. Roughly $19 billion, equivalent to around 25% of the country’s GNP, is now transferred through the medium. Other applications, such as SnapScan, which allows users to scan codes in retail stores before paying electronically, are also proving popular.
As is the case in other regions, mobile payment proliferation for retail customers is driving demand for corporate solutions. Mobile payment solutions also present opportunities to development and charitable organisations as a safer and more efficient way of remitting funds. The potential benefits of the new channel to individuals, corporates and development organisations alike in Africa are clear. “We’ve seen cases where companies and organisations have previously had to ship large quantities of physical cash to remote rural locations, which carries significant associated costs and risks. Now this can be done in real time through a mobile service,” says Pearce.
“From our research, it’s very clear that people are much more likely to use a mobile payment application, if it is provided by their bank rather than a third party, because they trust their bank, they trust their banking application, they’ve had to go through the setup, and they know it’s secure.”
Chris Dunne, Payment Services Director, VocaLink
Pearce also thinks the spread of mobile payment technology in Africa could be replicated in other parts of the world where there is a similar financial and mobile ecosystem. He highlights Bangladesh, India, Sri Lanka, and Vietnam as examples of countries with low levels of bank accounts and high mobile usage.
Mobile payment applications represent something of an architectural shift from what is used for web-based payment applications. This has posed new challenges in securing the solutions. “With the web model, you had a browser and some HTML code, but the bulk of the logic was on the back-end server. And that’s really the way mobile started as well, the first generation of mobile applications were effectively just web browser applications on your mobile device,” says Vince Arneja, Vice President, Product Management at Arxan Technologies, an application security group whose security is “baked in” to some of the leading mobile payment solutions.
But recent mobile payment applications have progressed to the point where a large part of the functionality is now running on the device itself. “Now the application has effectively become a target because it doesn’t hide behind a firewall any more where trust is embedded in the firewall layer; the trust has to be embedded into the application itself,” he adds.
Users are much more willing to put their trust in a brand they know. “From our research, it’s very clear that people are much more likely to use a mobile payment application, if it is provided by their bank rather than a third party, because they trust their bank, they trust their banking application, they’ve had to go through the setup, and they know it’s secure,” says VocaLink’s Dunne.
For example, Zapp, a real-time mobile payment solution and VocaLink subsidiary, is delivered through the user’s mobile banking application, and utilises the bank’s existing mobile security channel. This provides the twofold benefit of securing the solution using safeguards that are tried and tested, and gaining the trust of the user via their existing relationship with the bank.
In terms of the specific security threats facing mobile payment applications, one of the biggest is that of reverse engineering, where hackers repackage mobile applications after inserting malicious code and redistribute the application on secondary application stores online. The risk is that users will download these applications assuming that they are official bank products, only for the fraudsters to syphon funds from the account using the malware they had previously introduced. Arneja says several large banks have already approached secondary vendors in order to have reverse-engineered software taken down, to protect their customers, and to prevent damage to the bank’s brand.
Another risk with mobile payment solutions is that of non-repudiation, as it can be difficult to categorically identify the person who has entered or approved a payment. Some solutions turn the device itself into a security token, but in the absence of a smart card and reader – which are generally considered too unwieldy for mobile payments – this remains a challenge in the space.
“New handsets and tablets are coming out every day and the processing capabilities of these devices are exponentially growing at a pace even faster than laptops and desktops; on top of this, the wireless connection speed available on mobile handsets is comparable to that of fibre optic connections.”
Milton Santiago, Global eCommerce Executive, Bank of America Merrill Lynch
An extra dimension of security that some banks have started using behind their mobile payment firewalls is forward profiling, which is particularly used for higher value payments. This involves the monitoring of transactions for patterns, and highlighting outliers that do not correlate with the others. “We have historical data where we can compare the types of payment that have been approved in the past, with what is approved on a mobile device, so we can identify if there are any differences in the payment patterns that we’re seeing that get approved through both channels,” says Cindy Murray, Head of Global Treasury Product Platforms and eChannels at Bank of America Merrill Lynch.
As with any payment method, there is a trade-off between security and usability, and this can be a difficult balance to strike. In the retail space, mobile PINs range from five to ten digits. “Long PINs are very cumbersome to enter on a mobile device, and the chances of getting it wrong and disrupting the transaction are very high. It’s a question of playing off the simplicity of the workflow against elements of security. At the moment we’re trying to get a proposition in place that is both secure and easy to use, and we’re very cognisant of the balance to be struck there,” says Ashton.
Danske Bank’s Wraa-Hansen agrees that the security-usability trade-off is a difficult call, but counters that mobile is not a riskier medium per se. “You could make the most secure mobile payment solution in the world, but it would probably be so complex that no one would use it. A lot of the concerns come down to perception; some people just have not realised yet that mobile payments are not inherently riskier than other methods. Security is always a hot topic around new technologies, and this concern will die down,” he adds.
Wraa-Hansen also believes human error – akin to ‘fat finger’ trading mistakes – is perhaps even more of a risk than fraud, and that solution providers should address this by making applications as simple and user-friendly as possible.
In the future, the usage of mobile payment solutions is likely to evolve in line with new developments in the devices themselves. “New handsets and tablets are coming out every day and the processing capabilities of these devices are exponentially growing at a pace even faster than laptops and desktops; on top of this, the wireless connection speed available on mobile handsets is comparable to that of fibre optic connections. Allied to these technological changes, we’re going to see a richer, more intelligent, and more predictive experience coming from these solutions,” says Milton Santiago, Global eCommerce Executive at Bank of America Merrill Lynch.
He also believes the ownership of identity, which currently resides with the banks under the existing mobile security model, could shift to clients, as a result of disruptive mobile technologies devised by the likes of Apple and Samsung. “The integration of biometric security into mobile devices could have a similar effect on mobile payments to what smart card technology had on online payment solutions, significantly impacting how authorisation and authentication take place,” he adds.
According to Arxan’s Arneja, as mobile payment solutions evolve, so will the security behind them: “Mobile security is effectively where internet security was in 2003. It’s very, very early in the space. A lot of effort in enterprises right now is simply being directed to device management. But mobile security will inevitably mature, as it has for web.”
And while mobile payment solutions may not have revolutionised the way corporates make their payments just yet, they should ultimately become part of the standard suite of services banks offer corporate clients. “It’s a new channel and it’s evolving fast. This is not going to happen overnight, but certainly over time it will be expected of banks to include mobile capabilities in their end-to-end payment solutions,” says BofAML’s Murray.
In summary, the mobile payment solutions currently available have the potential to make certain tasks quicker and easier for treasurers. One of the most obvious examples of this is the ability to approve high value payments on the move. But it is only as the use of mobile payments across the supply chain becomes much more widespread that the medium will have a more profound effect on the treasury function and begin to have a material impact on corporates’ working capital.