Banks are facing a digital attack on all fronts and risk losing out on billions of profits by the year 2025, according to the McKinsey Global Banking Annual Review 2015.
No, the analysts at McKinsey & Company aren’t talking about hackers, they’re talking about the financial technology (fintech) startups and other brands showing a sudden interest in disrupting the financial services market. The attack is less of a frontal assault on these companies and more of a covert operation under the cover of night, seeking to pluck the customer away from the grasp of banks without being noticed.
In its report released last week, McKinsey sets the scene for a challenging future for banks that are interested in owning the relationship with their customers. As a result of shifting of transactional habits to digital channels, consumers are considering the services of new entrants that offer them convenience and savings. Banks risk becoming commoditized, left to handle the lesser-margin operations of moving money around while new players capitalize on earning the customer’s attention.
“Many of these companies have built strong relationships with huge customer bases. The primary obstacle, of course, regulations, and the considerable compliance burden that comes with a banking charter,” explains the report. “Most do not want to become a bank. They want instead to skim the cream – the customer relationship and the value it carries.”
One wedge of that challenge faced by banks comes on the mobile payments front. Technology brands like Apple, Google, and Samsung are allowing customers to pay with their smartphones. That’s not to mention all the retail brands that are also pushing payments through their mobile applications (think Starbucks.)
As a result, the payments market is going to grow, but banks aren’t likely to win a share of that growth. As the new players collect more data about the transactions on their platforms, they could also win more opportunities to cross-sell higher margin services to customers.
McKinsey projects the disruption on mobile payments will cost banks 35 per cent of the profit they otherwise would have enjoyed in this area, and 30 per cent of the profits.
But why is it so difficult for banks to compete for the customer relationship on the mobile payments battlefront? After all, our analysis of mobile banking apps shows that four out of the big five Canadian bankers are offering mobile payments through Android smartphones already. (Offering it on iPhone isn’t available to them yet because Apple doesn’t allow for it.)
Yet how those mobile payments are offered and the technical coordination and planning that goes into executing on them is anything but easily achieved. It demands a seamless experience across a fragmented eco-system, explains Almis Ledas, the chief operations officer at Toronto-based EnStream LP.
“We are juggling many different kinds of technologies,” he says. “Banks find it very frustrating to get these up and running.”
EnStream is a partnership between Canada’s incumbent telecommunication firms – Rogers, Bell, and Telus – and a separate entity that’s dedicated to enabling mobile payments on a smartphone.
The challenge of delivering mobile payments starts with the SIM card. Since payment credentials must be stored on an area that is separate from the other memory on the device, a SIM card is an ideal spot to keep it since it’s literally physically separated from the phone’s onboard storage.
To create a digital version of a payment credential, banks need to use an applet created by the card issuer – for example Mastercard or Visa. There are two manufacturers of SIM cards; Gemalto and G&D. So the applet used must be compatible with the SIM manufacturer. As a result, banks have to licence both manufacturers to ensure its customers will be able to store their payment token.
Once that’s done, every time it’s used in a transaction the credential has to be authenticated with the bank. To complete this transaction, the carrier-side server retrieves the token from the SIM card and passes it back to the bank-side server. There’s two different encryption keys – one stored by the carrier and one stored by the bank – that must both be turned in order to unlock the credential and complete the authentication. A token is passed to the merchant to complete the transaction.
EnStream provides a service that manages the above process for its clients – both on the financial and telecommunications side. It works with banks such as TD, CIBC, ScotiaBank, and Desjardins.
RBC, on the other hand, is managing its entire mobile payments process in-house. Instead of relying on a carrier to help keep payment credentials secure, it uses a process called host card emulation (HCE), which encrypts a token with software and stores it on your device memory in a logically separate area.
“They’ll be in an ongoing race to keep the software secure from hackers,” Ledas says.
Given all these technical heroics required to deliver mobile payments, it’s no wonder that banks in the U.S. opted to make a deal with Apple. Apple replaces the role of the carrier in this scenario, retrieving the tokenized payment credentials from the secure element on the iPhone and sending it to the bank. Also, there are no worries about having to worry about applet compatibility on SIM cards.
The downside of course, is that Apple now owns the customer relationship when it comes to mobile payments.