Take a listen to Don Cardinal, GM of the Financial Data Exchange and Glenbrook’s George Peabody as they discuss the FDX API and its importance to the fintech and financial services community. It’s important to end users. And it’s a great example of how comprehensive standards can be developed swiftly.

The “supermarket” days of financial institutions providing all of our financial services and holding all of our accounts are long over. Brokerages, insurance companies, and the expanding array of fintechs compete to hold, manage, or organize our assets.

With so many custodians of our financial data, it can be difficult for an individual to generate a complete picture of her finances. That’s been a longstanding problem that was addressed over two decades ago by data aggregators like personal financial management app Mint.

Individuals found this single portal approach quite useful. All we had to do was provide the aggregator with the login credentials to each of our online accounts. The aggregator would then log into that account on our behalf, “read” our data off of the web page, and display all of that data in a single consistent fashion (this is “screen scraping”, the method of data gathering that started it all).

This single view capability has been a compelling proposition that dozens and dozens of firms have emulated in the years since.

Further, use cases have proliferated where a fintech, for example, simply needs access to one or two accounts in order to fulfill its goals. The mobile app model has just accelerated the expansion of apps needing access to user account data.

Yodlee and Plaid, now a Visa company acquired in a whopping big transaction, are examples of companies selling access to user account data either through screen scraping or, in a more modern approach, direct integration to individual financial institutions.

Direct integration to each bank or credit union’s data is, of course, inefficient because each banks exposes its own interface. The syntax and functions of each vary making everyone’s development and maintenance tasks more difficult..

Evolution of a Standard

Into this gap is the Financial Data Exchange organization. With over 100 members https://financialdataexchange.org/pages/members
from a wide range of companies – Chase, Plaid, FS-ISAC, Intuit, PNC, Fannie Mae, Truist, Cashflow Solutions – its goal is to standardize the domain of permissioned at a sharing through an API layer in operates in front of financial institution data.

FDX is a true standards organization. Its members pay dues, yes, but their more important contribution is time and effort. Working groups take on particular technical and usage aspects, develop them, and generate draft standards for the entire membership to ratify.

One of its working groups focuses, for example, on the user experience, on the use cases that benefit from data sharing and how to make that process transparent and secure for end users.

In this Payments on Fire® episode, George and FDX Managing Director Don Cardinal discuss the API, its many reasons for being, and the standards development process.

They also discuss Akoya, Fidelity’s former data sharing unit that is now owned and operated by The Clearing House and 11 member banks. Akoya serves as a central integration provider making it easier for a fintech app to connect its users to the banks subscribing to the Akoya service.

So take a listen. FDX is important to the fintech and financial services community. It’s important to end users. And it’s a great example of how comprehensive standards can be developed swiftly.

Welcome to Payments on Fire® and to our third, now annual, discussion with Steve Ledford, SVP Products and Strategy at The Clearing House, and the leader of his company’s Real Time Payment Network initiative.

As in prior conversations, Steve and George discuss the growth of the RTP Network both in terms of transactions and dollar volume as well as an important metric, the growth in the number of financial institutions and FI processors who are already or in process of connecting to the network.

The evolving set of use cases supported by a new payment system is often surprising. Few expected Zelle’s leading use case to be rent payments. While the RTP Network is in its infancy, Steve shares a number of use cases already in flight.

Changes to the network’s rules also position it for expanded use. For example, the network’s recent increase in transaction size limit to $100,000 positions it far better for B2B transactions.

Like all bank services, strong user authentication is critical and firmly out of scope for the new network. Banks will have to improve their authentication processes because account takeover is a real risk.

As Steve says in this discussion, banks can also reduce the risk of accountholders sending money to bad actors simply by well-timed messaging. Financial institutions can adopt best practices that have evolved in the UK and other markets with similar systems in place. For example, the bank should ask the accountholder if they personally know the recipient of the funds and if they have been pressured to make the payment within a certain timeframe. Both questions are meant to caution the accountholder before pressing Send.

Steve also addresses the announcement of FedNow and its ripple effects on the RTP Network.

New national payment rails are a once in a generation event. New rails, better data representation techniques, and mobile devices make for an innovator’s playground. Take a listen.

Be Safe. Be Well. Help Out.

This is our era’s unprecedented event. I hope you’re staying safe, your family is all well, and you’ve got what you need for what looks to be a pretty long time. On the upside, I’ve seen and experienced people helping one another like never before. That gives me confidence we’ll be able to mitigate COVID-19’s impact on our healthcare system – and on all of us. The downside is obvious. The weight of the pandemic is going to come down heaviest on those with the fewest resources. Helping out is our best response.

Among the Exploiters of The Pandemic

There are characters out there, however, who are bent on taking advantage of this global challenge because the corona virus has only added gasoline to the growth of e-commerce and online fraud of all kinds.

While e-commerce volume skyrockets as so many hunker down, online credit applications are rising at traditional lenders, challenger banks, and fintechs. Responding to the pandemic, some fintechs are making it easier than ever for sole proprietors to get loans in the hopes of having their business survive the pandemic. For similar reasons, others are encouraging government action in support of their SMB customers.

These laudable efforts will attract fraudsters in droves. What could be better than overburdened systems (Robinhood anyone?) and modified onboarding and underwriting processes?

Socure is an identity management company serving financial institutions old and new, fintechs, and marketplaces that extend credit via online applications. Socure’s service operates right at their front door, at “day zero,” when the applicant first appears at the provider’s digital door. The company promises to reduce fraud, reduce the manual review of questionable applications, and onboard more customers through its KYC services.

In this Payments on Fire® episode, George speaks with Rivka Gewirtz Little, SVP Marketing & Strategy at Socure on a range of topics, from the what and how of Socure’s service to the larger concerns of fraud rates, model governance, and the definition of identity.

Socure’s Own Digital ID

Socure is working on its own version of a digital identity, essentially taking all that it knows about each individual and creating a profile that is updated based on the individual’s behavior, system changes, etc. This “Socure Identity” then can be used beyond the Day Zero identity proofing step but for subsequent authentication when the individual returns to Socure’s customer’s website or app.

FI Internal Collaborate on Identity

An encouraging evolution in enterprise organization is the growing collaboration of the produce line leadership within traditional financial institutions in the areas of risk management and marketing, teams with traditionally conflicting goals. Marketing wants as little friction as possible; Risk wants to keep the bad actor out. In the past, each product line fought its own battles and chosen its own solutions. Now that the digital channel is firmly established even among incumbent and with more flexible tech available, coordination and alignment is taking place.

Data Minimization

“Data minimization” has achieved buzzword status. And its meaning varies depending on who you are. Essentially, it means a provider should hold only that data that’s necessary and no more. For a Socure that lives on massive data resources, data minimization is meaningless. Socure has to be an exceptional custodian of all of that data.

George and Rivka discuss another connotation for that term, the ability of the accountholder or user to release only the data that’s relevant to the transaction. Showing a driver’s license to prove you’re over 21 is a classic case of over-sharing.

So, take a listen. Stay safe.

For more on digital identity and synthetic identity in particular, check out Episode 115 – Finding the Phantoms – Synthetic Identity and the Issuer – with Naftali Harris of SentiLink.

Sometimes events delay things. Other times, they hasten them. At Glenbrook, the corona virus has sped us along a path we’ve been traveling for some time. The path is digital delivery of the Glenbrook Payments Boot Camp®.

In this Payments on Fire® episode, Russ Jones, partner in charge of Glenbrook’s education team, talks with George about two major changes in our payments education program.

1. Digital Delivery – what it looks like, how it works, and when we will launch it for our public participants
2. Curriculum Update – how Glenbrook maintains the currency of our training and some of the major updates made recently

As you’ll hear Russ say, we’re excited by the capabilities of today’s teleconferencing capabilities, how we can use them to inject a high level of interactivity into each session, and the challenge of bringing the Glenbrook Payments Boot Camp® magic to the digital medium.

Join us April 7-9 for the Glenbrook Payments Boot Camp® digital edition. No travel required!

All of us at Glenbrook wish you the very best of experience and outcome as each and all of us navigates the corona virus threat. Be calm, carry on, and keep your social distance.

Fraudster innovation is a constant. As the defenders of payment transactions thwart one fraud vector, these innovators, playing offense, switch tactics.

Today, the problem of knowing who you are, that you are who you say you are, in the digital domain demands stronger authentication techniques. Many of those rely on the attributes, the data, provided by the user or by the applicants in the case of credit extension.

In turns out that even the data supplied by applicants can be both entirely bogus and sufficient to convince a credit issuer to onboard the applicant and extend credit. This is the problem of synthetic identity.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

First, let’s define synthetic identity using the Fed’s Synthetic Identity Fraud in the U.S. Payment System Payments Fraud Insight white paper as the source:

“The generally agreed-upon definition of synthetic identity fraud is a crime in which perpetrators combine fictitious and sometimes real information, such as SSNs and names, to create new identities to defraud financial institutions, government agencies or individuals.”

Now we’re looking for phantoms. Uh-oh.

There are terabytes of personally identifiable information for fraudsters to use because of data breaches and our own over-sharing of our personally identifiable information. Knowledge-based authentication based on static data like SSNs, birthdays, and the name of our hometown isn’t hard to break. Nor is this static data generally protected by tokenization or encryption in any way.

The fraudsters know what we know. Uh-oh.

And because the real data presented by the fraudster creating a virtual identity is often that of a child or an elder or even the deceased, well, it’s super hard to detect. That comes from my GLenbrook colleague Yvette Bohanan who has years of risk management experience at Amazon, Google, eBay, BofA and others.

Of course, the fraudster’s goal in making up a new identity is to open a credit line in order to subsequently defraud the issuer, perhaps by carefully using a credit line carefully for years to build up a high credit limit before busting out with a lot of spending and then disappearing to a beach somewhere.

Multiple Types of Synthetic Identities

A startling aspect of some synthetic identity fraud is that it doesn’t take advantage of purloined PII. All of the data used by the credit application is made up out of whole cloth and thin air. The proper format of a social security is well known so why not generate a random one? After all, the federal government doesn’t operate a central SSN repository with realtime validation. A variant approach relies on real and fake data, combining, for example real names with made-up SSNs.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

On Payments on Fire® we’ve talked with gateway operators, processors, tokenization specialists, fraud management firms, and others – all providers who help payment acceptors handle their payments.

The range of services and business value they deliver varies a lot. Some providers do everything. Others, like Spreedly, the subject of this Payments on Fire® podcast, focus on a narrower set of functions and business outcomes.

Payment Flow and the Payment Service Provider (PSP)

When we talk about merchant acquiring in the Glenbrook Payments Boot Camp, we highlight the following transaction flow:

1. The merchant or its ISV, perhaps running as an PayFac, accepts the customer’s payment
2. They connect to a gateway or a processor
3. The gateway routes the transaction to an acquiring bank or its processor OR the merchant connects directly to one of these entities
4. The transaction is routed by the acquirer or processor into the payment network and on to the accountholders’s financial institution

That picture oversimplifies the tasks at hand. Depending on what kind of merchant you are, the set of payment-based services you need can vary substantially.

If you answer yes to any of the following, there are payment service providers ready to help you with specific tools:

• Are you an e-commerce merchant
• Is omnichannel commerce important?
• Are you strictly a bricks-and-mortar operation?
• Are you a biller or a heavy user of invoicing?
• Do you operate unattended devices like vending machines and kiosks?
• Are you global or have global aspirations?
• Are you an SMB or enterprise-class payment acceptor?

Some payment service providers (PSPs) are owned or captives of larger upstream entities. Their role is to capture an ever widening stream of transactions to flow on to their parent company. CyberSource, owned by Visa, may not care a lot about who the acquirer is but the company’s transaction handling drives revenue for Visa.

Other independent PSPs like NMI and, in today’s podcast, Spreedly, focus more on the needs of the merchant. NMI anchors it many other talents around its core gateway. Spreedly might be considered is a gateway to gateways. It connects to processors and has developed a broad set of connections into domestic systems around the world. Spreedly is a also payments tokenization provider.

Given that range, Spreedly refers to itself as a merchant-facing payments infrastructure provider. More casually, Spreedly is a layer of glue between the payment acceptor’s operations and the payment systems that the acceptor needs to support. Payment orchestration is another in vogue term to describe what Spreedly, and others, do.

This is an evolving story and marketplace. Definitely worth a listen to Justin Benson, CEO of Spreedly, as we talk about what his company does and a range of industry topics including tokenization, risk, and more.

In this Payments on Fire® podcast, we examine the role of a payment service offered through a commerce solution targeted at the small and medium business (SMB) market. To do that, we talk with Nan Siler, Head of Payments Strategy and Operations, at Kabbage.

The small and medium business market is important to both the national and local economies. It’s big. According to the U.S. Small Business Administration, over 40% of GDP is generated by this segment. Over the last decade and more, SMBs have come to face new competition (Amazon and the high concentration of Big Retail) and a less willing lender community of traditional financial institutions. Kabbage has stepped into that environment.

Kabbage has loaned over $9B since its inception to some 220,000 customers and last fall added a new service, Kabbage Payments, to ease payment and invoicing for its SMB customers.

SMBs live and die on cash flow. If a big customer’s payment doesn’t come in on time, the business owner can end up paying her employees but not herself.

Kabbage has built sophisticated onboarding and lending models around the needs and realities small businesses. Cash flow management includes, of course, timely access to money, via lending, to fill funding gaps or help expand the operation.

Nan takes us through how Kabbage’s Payments solution complements Kabbage Funding, its lending operation, and how the two come together to provide better insight on the business’s cash needs. With better insight, the goal is to help the small business borrow less money for shorter periods of time when funding the day-to-day with the expectation that Kabbage can provide larger sums to meet the capital requirements of business expansion.

Many independent software vendors (ISVs) bring payments capabilities to their merchant customers to meet functional expectations as well as enjoy payment related revenues. Indeed, the ISV is now the channel through which many SMBs acquire payments acceptance capabilities. The payment-focused PSP group, and especially the Independent Sales Organization (ISO), no longer control that channel.

Kabbage, while not an ISV, has built its payment service to help merchants get paid faster. Every SMB wants that. So, take a listen to Nan as she discusses both the lending capabilities of her firm and how the new payment service complements that funding function.

As our lives shift online, our providers needs strong digital representations of each of us in order to make authentication and authorization decisions. Besides payment transactions, there are the diverse risks they must manage when, for example, we establish new credit relationships, add new payees to our online accounts, and move money in new ways. The providers of these capabilities—and often a single party offers multiple services—must be concerned with the associated risks each poses.

This is the special domain of risk and fraud management companies. In this conversation with Payfone‘s CEO Rodger Desai, we focus on digital identity services and the role of the mobile ecosystem in particular. Take a listen.

Many risk and fraud vendors base their services on different data types, such as the email address, SSN, or phone number.

In Payfone’s case, it is the combination of the mobile number, the device it is connected to, and the mobile network serving it that have powerful attributes to measure against. Relevant data attributes include:

1. Tenure. How long the mobile subscriber has had the phone number tells a lot about the subscriber itself.
2. Phone’s Aren’t Free. Unlike email addresses which are cost-less, almost anything to do with a phone costs money, i.e. the service and device costs. Therefore, phone-based frauds, for the fraudster, cost money. Such hacks don’t scale as well as a card data breach. But when there is a phone-based hack, the impact on the victim can be particularly severe.
3. Lots of Activity to Examine. With 50% of American eleven year olds having phones, we generate a rich history using our phones. For billing purposes alone, that activity is tracked by the mobile network ecosystem and, given appropriate privacy controls, can be used to support risk decisioning.
4. Even More Data. Biometric unlocking of devices, behavioral fingerprinting—how we actually interact with the device user interface—and device fingerprinting—the digital portrait developed from such rich data—expand the data available for risk assessment.

The union of all this data paints a crisp digital identity once algorithmic power has been applied to it.

In this episode of Payments on Fire® we discuss the risk assessment capabilities the mobile ecosystem provides with Payfone’ CEO Rodger Desai. His long experience in mobile “phone intelligence” informs this discussion. He explains how some very large clients are using Payfone’s scoring capabilities to assess transactional and account risk while addressing the challenge of improving the user experience. Risk and convenience are often at odds. Payfone’s services are designed to mitigate that conflict.

Today’s digital identification capabilities are powerful. But fraudsters are fast moving and well funded. For the relying parties—those enterprises that take on the risk—the role of defense is a tough one. Priorities, cost, business goals, even awareness vary. Each and every party’s approach to risk assessment is unique. Risk tolerance for the same transaction will differ from bank to bank, from enterprise to enterprise.

In other words, individual enterprises can assemble strong risk assessment and mitigation capabilities while, from a systemic view, there will always be gaps to be exploited. The best we can hope in today’s environment is for each enterprise to raise its security game.

The U.S. has just come off a record setting holiday shopping season with e-commerce sales rising over 18%. While the numbers aren’t in yet, there’s no doubt the fraudsters also had a record year. There are so many ways to defraud consumers, merchants, and financial institutions.

At Glenbrook, we are optimistic about our longer term ability to deter, prevent, and detect fraud. Our kit is getting better. The combination of tech and rule making will payoff: strong authentication enabled by standards-based smartphone-enabled biometrics; regulations requiring strong authentication as put forward in the EU through its SCA rules; and our expanding ability to detect new attacks using tools that operate within the transaction flow.

It is this last area that is the topic of this Payments on Fire® episode. Fraud detection tools operated by or on behalf of merchants that examine transactions are today’s major line of defense against payment, loyalty, and coupon fraud. In this conversation with Colin Sims, COO of fraud prevention company Forter, the development, deployment, and maintenance of a modern fraud management platform is the topic.

Colin and George discuss how fraud management and prevention technologies continue to evolve, Forter’s own approach, the role and impact of PSD2 and SCA regulations in the EU, and how fraud continues to adapt. While machine learning is a central technology, Colin makes clear that human effort and insight is what makes the difference.

Deployment of “clean sheet of paper” payment systems is a once in a generation event. In over 50 countries, new account-to-account push payment systems are either in full scale operation, implementation, or fully committed planning stages. The U.S., for example, has the RTP Network in operation and, in a few years, the FedNow system will be online.

This is hard, serious work. Technology decisions need to be paired with equally rigorous rules making. One of the major concerns for these systems is what to do when a transaction is sent in error or initiated by a fraudster. In contrast to card systems, dispute resolution capability is not a standard feature. These choices should reflect clear agreement and follow through by the system’s key participants.

In this Payments on Fire® podcast, Glenbrook’s Elizabeth McQuerry talks with builders of dispute resolution, complex messaging, and connectivity capabilities developed around Australia’s New Payments Platform (NPP).

Joining Elizabeth are Jack Baldwin, Chairman of BHMI, a U.S.-based developer of bank-grade settlement and reconciliation systems, and Nathan Churchward, Head of Product, Emerging Services at Australia’s Cuscal Limited. Cuscal is a developer of payments capabilities that include card issuing and acquiring, mobile payments, fraud prevention, switching and settlement.

There’s a lot to be gained by learning from someone else’s experience. Nathan and Jack address the dispute resolution process, ISO 20022 messaging, and the significant effort needed to build out systemically important payment infrastructure. Take a listen and you’ll gain a deep appreciation of the interplay of rules, regulations, technology, and effort.

Glenbrook Partners is working with the U.S. Faster Payments Council to help shape rules in the U.S. and address significant concerns around system interoperability, directory services, and dispute management. Take a look at the Faster Payments Barometer based on our industry survey. And visit the U.S Faster Payments Council site for more.