The following notes are from the "Round Table Workshop" held in Amsterdam, 31st March, 1999, to discuss electronic money within a European regulatory perspective.
Present were approximately 30 commentators - those who had responded to the original request for comments put out by the EC's Joint Research Centre (JRC) and the Institute for Prospective Technological Studies (IPTS). See http://www.systemics.com/docs/papers/index.html#euro_e_cash for the original request for comments.
The workshop was chaired by Demosthenes Papameletiou, <Demosthenes.Papameletiou@jrc.es> and local arrangements were conducted by De Nederlandsche Bank (Central Bank of the Netherlands).
As I recorded this on the fly, the result is scrappy. Errors in comments can only be mine, and I have not gone to any great extent to record names. Where sentances seem incomplete, that's because I didn't completely record them.
There are a few highlights:
Merchants and suppliers are now aware that SET is a con, and everybody is arguing their divergant opinions as to why the credit card companies are trying it on. Merchants in France have been given a year to change over, users have been told they will lose their guaruntee unless they use SET, and merchants that have been denied access to credit card clearing and have had to go overseas. The whole SET scene is FUD-ridden in the best traditions of the good old days of IBM, and not much intelligent analysis was possible.
OTOH, there weren't a lot of alternate proposals - maybe the forum was inappropriate for that, or maybe because the proposed directive is so loose in its definition it is hard to see where the EMI was heading.
PS: EPS == Electronic Payment Systems
PPS: comments on any and all aspects of the project are due by 20th April.
Commented on uniqueness of experience - first time that experts have been invited to comment on subject in Europe.
Mr Metten was looking for consensus from the experts, and if not, then politics continues, and what politics needs is a description of the breadth of opinions, and the reasoning behind.
May of this year is the target for the final report to be presented to the Members of the Economic and Monetary committee; They will use the report to deliberate proposals and proposed directives now under consideration.
It is important to take a step back and have a wider view of what is happening in the field. This is the subject of the study commissioned by the Monetary Committe.
We need to ask the question: "What is the Community interest in the electronic payments?"
We could say, there is the principle of subsidiarity, the EC could just stand back and say it is a local issue.
There are these issues:
These new methods could develop in divergent directions, and perhapds the EC could suggest lines of convergance. It would, for example, be convenient for us all to visit Amsterdam and pay with a card issued in our respective home countries.
Experts say that the smart card is issued only for domestic purposes, but he believes that the smart card might become more international.
We are interested in standards. The commission is interested in commonality across the countries, and standards is one way to do this. The Common Electronic Purse Specification is very interesting for this reason, as it embraces most systems ( Visa, Europay, Geldkarte, Proton).
The standard is not however the full solution, the standard still needs to be applied, and the cards issued in one country still need to be workable in another. It may be that a card issued in Germany can be entered into an retailer terminal in France, bit this is not useful unless the terminal can facilitate the remote settlement.
"Will smart cards be mandated?" is another question that is frequently heard. A4 paper size is not mandated, it has just succeeded as a widely deployed standard because it is convenient.
On the other hand, Green headlights on cars are forbidden for safety reasons.
With smart cards, we can hardly make standards mandatory. It will be difficult to impose laws at the EC level to impose one standard or another.
Studies on electronic money are progressing. On electronic commerce, there are many things going on in Brussels, a proposal on signatures, work on trade, the electronic money directive.
The directive is proposed and is currently being studied, it covers the supervisory aspect, and not the monetary policy aspects. It covers the safety risk, the financial safety. If XYZ Telecom would hand out cards for 100 Euro, and would receive cash for the cards, and they issued 100,000 cards, then that is a lot of money.
If XYZ invested the money in their business, and then lost it, then that would have a public confidence effect. Retailers would not be interested in such a product, and neither would consumers.
"Only banks can issue these instruments" is a very common view. The commission thinks this might be a bit narrow. There are important examples in European and other countries where this doesn't happen.
There are systems where the money gets transferred directly from client to merchant. These are access instruments.
We are envisaging that the cards can be issued by electronic money companies, which are specialist companies for this purpose and this purpose alone. Supervision would exist, and they would need to be close to banks - "near-banks".
Consumer protection - just having the issuer as a near-bank provides some protection. The relationship between the card and the issuer - maybe the user must be told what happens with fees, etc.
The old rules say that the user is liable only up to 150 Euro, if the customer has lost a card. This does not make sense if the card has money on it, the recommendation needs to adjust these rules. Studies are going on to see if the rules are applicable, and what changes to make.
Another aspect is the question of fraud, and fraud protection. The credit card organisations have been saying that plastic is becoming as important as cash. But the forgery of cash is a crime, whilst the making of credit cards is not - only the usage of a forged credit card makes it a card.
Proposals are underway to make the production of a credit card a crime. In a number of months, there will be a joint action plan - with the force of law (derived from the Treaty of Amsterdam) - to make new legislation to make the production of cards illegal.
[Editors note: Such a proposal by the credit card companies would seem to be completely against the spirit of the Internet and would be particularly worrying in the context of the hacking scene. I thought that this might mean that efforts by the Dutch hackers, for example, to crack the smart cards - which were rampant in the early days because it was so much fun - would result in criminal charges if successful.
However, I am told that hackers will have a back-door, as just making a counterfiet of *your own* card is ok, as this is an issue between yourself and the bank, simply a question of property. (It is already criminal in NL, since 1990, on this basis.) End note.]
He presents one view, but there are many different views, and "prevaling" official views are subject to change. Everything said today is transitory.
If there is one lesson, it is that we know less than we thought we knew a year ago. We've been proved wrong, the fundamental changes are occuring but are not complete. Tools have been created, but they are still being created.
The US is lucky in some ways, telecomms costs are good, and policies were made early on. Gingrich and Clinton (no matter what you think of them now) recognised in 1994 that electronic commerce would pull them out of recession.
The policy was to support electronic commerce.
That support has come at a cost - consumer protection, national security and crime control have suffered.
Some of the problems sorted themselves out. Consumers on the Internet have a voice. National security and crime control have also made their voices heard.
There are important differences between Europe and the US - harmonisation, technical and legal history. Regulations E (debit cards) and Z (credit cards) are something that Europe doesn't have in that form. The feeling is that companies can be allowed to put out new products because consumers reject products that don't meet the standards of Regs E and Z.
Payment systems are mature, which results in a different way of thinking. How do you move money, exchange, etc? The US has lots of different solutions already. Fedwire, CHIPS, a private system run by the clearing houses, is focused on international payments.
ACHs - Automated Clearing Houses - there are a number of different ones in the country, 40 or so. Some are run by Federal Reserve, some by groups, some even by individual banks. NACHA has decided to expand the ACHs into EDI, automatic crediting as well as debiting, certificate authorities for banks.
Local ATM networks, Credit card networks, are set up to "sell money." Banks needed to go electronic - and the ATM network was a great model for the Internet,
Credit card solves the connection between consumer and merchant. It also solves the trust issue with an intermediary.
Credit card works great over the Internet. There isn't that much that works as well. Electronic Purses try and do the exchange later, not immediate, and they might not be a better model.
There are non-banks that are more active than banks in stored value - mass transit, telecoms. The banks can't figure out a good use for it, they continue to push it because they ae afraid. They think there might be demand but they don't see it yet.
The policy is to promote Internet commerce, keep hands off, with notable exceptions. This policy was temporary, it was expected that there would be trouble. Now congress is asking for consumer protection, and other cracks in the policy are appearing.
Payment systems are evolving, but not much new. Fed Reserve thought in 1996, stored value cards should be given some protection, that they would work under Reg E. That wasn't acceptable, so the next possibility is that Issuers should disclose information, nothing else - even for that, Congress said no, you cannot regulate smart cards at this stage, and in fact Congress forced Fed to write a report stating why they had changed their minds :-)
The prevailing view is that "this isn't a big problem yet." If we try and regulate we'll do more harm than good. The approach that works is to let a lot of experiments happen. They will fail and succeed on their own merits. If there is a failure, it is a business failure - the US can survive a busines failure.
Same thing from the States - they each wrote digital signatures law that were different. This has strengthened the intellectual debate in signatures, because we can see the strengths and weaknesses. Capability of letting experiments flow, and harmonising later.
How long before harmonisation is always a discussion.
UCC and state law stuff. Intent to harmonise without federalize. Work on software sales,
At the Federal level, mainly consumer protection (E, Z). Reg E deals with electronic issues, access. Congress said that if the banks wish to offer cheaper services, then banks must take the risk. Writing your pin on the back of the card is ok, banks must cover you, but if you claim you didn't give out your pin, banks therefore prove you must have done the transaction, and you are not covered!
We want the unit improving the system to have the incentive to improve the system. We want the provider to reduce systemic risk - which users cannot do. And providers are doing it. Shifting the risk to the banks makes market sense - shifts incentive to banks to improve the system, and reduces systemic risk.
Stored value cards - the banks don't take on the risks - therefore they have not been used!
Micropayments, other online electronic systems? Credit cards tend to be the solution. All the trials came in, and failed. Absolute failure. Merchants say "we won't touch that."
The germination will be through a non-banking application. Telephone, mass transit, Now banks are looking to non-bank functions.
Over the Internet, send the credit card, in the clear, or over SSL. No authentication of user, except that the goods destination is known!
SET is going nowhere. Lots of money and effort behind it. It's overkill, written to protect the banks. Written to eliminate merchant fraud, but the larger merchants insist on receiving the credit card number anyway.
But what's the purpose of the technology - users are covered by Reg Z so they don't care.
We'll see - maybe non-crypto, using biometrics perhaps?
Micropayments - nothing much seen. These may not be the most sensible solution. Maybe aggregation is more sensible, like the phone company. Maybe the newspapers should get to know you, and bill you later.
Carries problems - privacy, data mining. But, US businesses are working with the model of getting to know the customer! Which precludes micropayments.
Electronic money - on a card - is a difficult problem. It can be considered as a batched electronic access transaction. Some products are redeemable for cash, some for services only.
Are they open or closed / single or multipurpose - these are irrelevant. These distinctions are not viable in the long run. Redeemability is the key.
Two quesions already confirmed:
"We have consumer protection but we don't know what the implementation results are."
What is the business case for micropayments? The US view is that there is no case - or it hasn't been identified as yet. (Richard Field.)
In general we know that the technical problems are easy. Once we have the technology, then the problems start. To address this, the IPTS has the scope of providing a panorama of experts' viewpoints.
A series of policy questions were presented (see site) to experts. These were also worked on by the ESTO, who also produced a country report. Greater than 500 people have been consulted - EU and world-wide, from Dec 1998 to Jan 1999.
(Presentation of people and organisations that contributed.)
Next steps - confirm areas of consensus, and specify open questions.
There is consensus on growth factors and barriers.
No consensus on security matters.
Are Growth rates effected by lack of Secure payment system?
yes - 8 respondents
no - 13
yes and no -
Lessons learnt in the USA
Open questions for the EU
Cross-border Prospects for e-commerce
Key factors for cross-border growth
Case of Non-standardisation
Issue - Role of Regulator(s) not well understood. It is not an obvious role. The Regulator might stimulate developments in the right direction. For example SET might be where it is going, or maybe OTP.
Is there an internal market in EU cross-border retail payments?
What is the definition of e-money?
What monetary implications of e-money are there?
Is E-money issuance initiative a key priority?
Is this because of the market needs, or because non-banks have the chance to enter the market?
Conclusion - Consumer protection is key. It's a question of competitiveness.
1. Payment approaches - cross country comparison software- and card-based schemes are of no or almost no importance.
Therefore regulation of these schemes is unimportant also. There may be some migration from SSL, etc, to others.
SSL has some importance. Some integrated systems exist, only France and Italy are big. Other systems are based on aggregation.
Even in Finland, which has an Internet capability for smart cards, there is very low volume which is hampering development.
2. In France there is no reloadable purse, and no Internet solution - possibly because of the Act that prohibits merchant and consumer fees for such systems.
They have a different model - the "Kiosk" (sp?) system - where France Telecom is in the payments business.
The Kiosk system, up until a few years ago, was the biggest electronic commerce system in the world.
(open discussion follows)
"Every telecom is in the micropayments business 7 days a week."
Three quarters of British GSM registrations are now pre-paid. Britain is credit card, France is debit. Does this effect the electronic commerce - not known?
One observer blamed lack of card readers and reloading stations.
We are all starting with the answer:
What was the question?
The biggest spread of Internet is in Finland, Sweden, Norway. Also France, is huge if Minitel is included. Per capita, these are much bigger than the US.
Retailer: this represents a big opportunity in reaching attractive segments - early adopters, high income, university background.
Scandanavian banks don't offer SSL solutions - so merchants go to UK and France. Merchants will trust a foreign bank, and users don't care. (Also, credit card is expensive anyway from Scandanavian banks.)
Many US companies have 3000 transactions per day - in Scandanavia. Also in Russia, Turkey, etc. Most of this is because the local merchants don't have a service, but also, locals do not care for authorities to know what they are buying.
Merchant wants to do Goods and Services, and Delivery. He doesn't care about the payment, will take any form that is efficient.
The Physical Marketplace Model Applies
Internet Credit card: Slow in Europe, lack of customer security, as there is no address verification system in Europe that allows the merchant to check who he is sending the goods to.
Card-not-present fraud on European Credit Cards: 0.0054% by value
Official credit card policy in Europe is to tell people to not use the Internet, but send the credit card number via phone.
2% of the settlements for credit cards are over the Internet, but half of the total disputes come from the Internet.
Merchants are the only people who lose on credit cards.
SSL: merchants are looking for payment guaruntee and repudiation SET 1.0:
Costs of merchants:
Merchant Payment Software
Is Payment software is expensive? No, the real issue is what to select, and then installing and integrating it, as the merchant does not know whether it works until all the costs are in.
What is SET? It is now decoupled Client message based messages -> certificate Client repudiation is only possible when you are using the client certificates.
SET is not accepted because of the fat wallet. Legislation is another problem - Visa/MC think that a certificate provides repudiate. However the legislation supports the ability of the consumer to repudiate any time!
They are saying to the merchant, with SET, "spend more money so that we can be protected from your fraud."
You may not want to base your national policies on the chargebacks experienced with the porn industry.
|Unsecured||Encrypted (SSL)||Authentication (SET)|
Involvement is higher when certifice authentication is used, if not, involvement is low.
Cardholder - if not authenticated - denies, which causes chargeback, which results in costs to merchants. Whereas, if the cardholder is authenticated, with a cert of smart card cryptogram, there is non-repudiation, chargeback is not allowed, and there is no liability.
(open discussion follows)
Percentage of failure at checkout is a problem, for example Amazon gets 17% failure on checkout.
People do like to use US stores because they always give money back, no questions asked.
3/4 of electronic commerce is completed - paid for - off the net. Remote selling of all forms includes repudation rights within 7 days in Europe.
Visa/MC have given merchants in France one year to move across to SET, else they will be punished.
(One person commented that these merchants will probably bypass Visa/MC and go to, for example, First Data.)
The Internet is safer than Minitel or any other system has ever been. Why are the banks saying that the Internet is unsafe? They saw that SSL was being used for payments, and got scared. They thought that they had to control the entire chain, or they would lose their franchise. What could they do? They can't uninvent SSL but they can invent something new - SET.
Circles of Trust are created to facilitate payments. These circles exist with Acquirers, etc.
If you are forced to get into more than one scheme then the costs go up.
Payment methods need to be matched - characteristics-wise - with the requirements of e-commerce.
Retail is not growing as fast as B2B.
We will need micropayments, Info: articles, cartoons, Meter access: applications ... Buy software: java applets, active x...
E-money - different types depending on clearing.
EFT / e-money Purse / e-notes Credit / debit on-line / offline authorisation clearing is instant / delayed pay per purchase / incremental issued by financial instrument / Buyer
Standardisation processes data technology
The more widely adopted standards, the cheapest for the community Understanding of business requirements is essential ...
dynamics, economics & interoperability,
Old models are dead, but new models are not well-established. There is polarisation and controversy. With sectoral frontiers, what is the role of the public sector?
Co-existance or darwinism? Winner-takes-all or antitrust considerations?
Interoperability is the key concern.
Competition ==> co-opetition <== Cooperation
Is Visa a friend of banks or a competitor? Is a merchant?
Two categories of games: Zero sum and non-zero sum.
An example of win-win is GSM: everyone is happy. However, there is the alternate, which is loss-loss!
Which is SET - is it loss-loss?
Unstable mix of players - changing as with the boundaries.
Impact of Interoperability:
pros cons ++++ ---- Lower costs Greater compertition Larger Markets Easier switching
= Ambivalent strategies of suppliers! Is this Constraint or Opportunity?
Various types of interoperability:
Technical (10%) versus business (90%)
Issues for financial applications - smart cards Evolution path: EMV ==> SET ?? Integration:
Why would a telecom or transport company wait outside the room until Visa/MC comes out to tell them what they can accept?
We need to recognise tha variety of approaches: Create a formal structure for:
A GSM success is a long way away.
Simple payment systems:
Issue, acquire, settle, ops | | | | | | user 1 user 2 user 3
Clearing & Settlement | | | | Issuer Acquirer / \ | User 1 User 2 User 3
There is no difference between open and closed systems - just large and small.
Operational, procedural, contractual and legal provisions are all the same.
Definition 1: if the balance of the end-user is electronic, it is electronic money.
Prepayment is often mentioned...
D2: if the payment instrument requires pre-payment to the issuer before it can be used, it is electronic money.
A strange definition!
We can develop the definition further:
D3: if the payment instrument requires pre-payment to the issuer and if the value is spent at another organisation than the issuer, then, it is electronic money.
and, with a nod to Richard Field's comments earlier today,
D4: if the payment instrument requires pre-payment, is spent elsewhere, and if it is *redeemable*, then, it is electronic money.
There is a difference between being in the business of providing a payment instruments and being a bank.
D5: if (all of the above) and it is transferable between users, then it is electronic money.
There is a difference between access-products and real digital bearer products, so
D6: if it is (all of the above) and without registration of transaction, then it is electronic money.
So the difference is between traceable and untraceable e-money.
D7: if the issuer defines the payment instrument in a legal sense as barter, it is not electronic money?
Does the legal qualification of the Issuer matter?
Switching to the current regulatory favourite...
D8: if it is not prepayment of goods to a single issuer, it is not money.
This is a wide definition, very useful in a legal sense, there is a probable need for exemptions to prevent really covering the full subjects.
leading on to...
Final Definition: Electronic representation of a value or spending capacity on a device
"paying with bits and bytes"
(Payment is a transfer of value between users)
EPS: set of agreements which allow users to transfer value
Why not apply the e-money rules to direct debit?
There has to be regulation of electronic money, laissez faire is not an option,
An example - a sainsbury's voucher worth 2.50 pounds. It is a piece of paper, and therefore it is legal, if it was on a chip it would be illegal.
The most aviricious solution is to have
Option 1: implement the ECB recommendation not acceptable - inovation will be stifled in many countries the issuers are not banks (telcos and mass transit operators)
The ECB position is therefore not tenable
There is already experience of this with German signature legislation - too close to the technology.
( How to cut down credit card fraud - pass a law saying it is not a crime to use someone else's card. Within 3 weeks, Natwest will issue a card requiring a fingerprint... )
Option 2: implement the EMI proposal anyone can issue, but must be regulated like a bank.
Even if you adopt these regulations, you still need to regulate banks (?) We could leave protection of the consumers to the market, but if we don't regulate banks the costs will be very unfairly distributed.
In a few years you will use your GSM phone to pay for many items.
At the moment, all costs of the cash system are distributed across society.
Suppose you don't regulate. Rich people have mobile phones and the transaction costs go down for them. Then, the entire cost of the cash infrastructure falls on those without phones - the poor.
The people who don't have purses will pay a surcharge and this is unfair. In US it is already happening, if you are poor, you are paid with a cheque, which costs you to clear! If rich, you get paid by a transfer, which doesn't.
3/4 of GSM phones in Brit are now pre-paid! 2.5 million over Xmas. In portugal, pre-paid GSM is already more than half.
To reload, the user gets a card, scratches off the number, and calls the operator to get the phone charged.
Now, as soon as the phone is used for paying for cokes or car washes (Finland) then the system is money.
All of the things we are concerned about are there, and are happening - and we can't wait to sort it out.
I'm interested to see how it will conclude, in the last week of May the final report will be due, and this will be very useful for the Commission.