What is the Future of Payments Regulations?

Regulation and Compliance

Neira Jones

Jul 9, 2019

Is Facebook’s Libra a cat amongst the pigeons?

Unless you’ve been on another planet, you can’t have missed that on June 18th 2019, Facebook launched Libra.

Whether Libra is a cryptocurrency or not, uses a blockchain or not, is a Venmo on steroids or not, or whether it is a good thing or not, very competent people have already discussed this very ably, so I will not dwell on the matter.

What is far more interesting, in my opinion, is that Facebook is seemingly trying to (re)enter the payments world at scale, after their failed Facebook Credits initiative. The opening statement is very clear:

“Libra’s mission is to enable a simple global currency and financial infrastructure that empowers billions of people.”

Scale is suggested by a number of factors:

  • The clear intent to be international with the establishment of an independent governing body based in Switzerland, the Libra Association
  • The open sourcing of the code for the Libra Blockchain
  • The impressive list of initial partners, including Visa, Mastercard, eBay, PayPal, Stripe, Spotify, Vodafone, Uber, Lyft, Coinbase and of course, Facebook itself (unsurprisingly, no sign of Amazon or Google, whilst we know that Apple just launched its Apple ID…)
  • The name itself: it’s not FaceBucks or FaceCoin, it’s something completely different, suggesting the aim to dissociate this initiative from the negative press and lack of trust associated with the Facebook brand of late
  • The 2.38 billion Facebook users.

But let’s look East and wonder for a second: Alibaba (Alipay’s parent) had already applied for 262 blockchain patents, when a few months earlier, they stated that technology services, not payments, will be its main business in the future, and then proceeded to launch two blockchain subsidiaries… And Jack Ma famously said that the blockchain technology could change our world “more than people imagine”.

And let’s cast our mind back to the eBay and PayPal split in 2015. Anyone in the payments space will know that the industry is inextricable from regulations. It was therefore not unexpected for eBay (a marketplace) to split from PayPal (a payments company). A marketplace simply cannot thrive in a heavily regulated environment, and a payments company is, by its very nature, heavily regulated. So why would a social media network like Facebook (Marketplace? Ecosystem?) deliberately choose to enter a heavily regulated industry?

Indeed, regulators around the world are throwing wobblies at the prospect.

Well, maybe, just maybe, the answer lies in a small sentence buried deep in the Libra launch white paper (Chapter 5, paragraph 6):

“An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.”

Bingo! There you have it. Suddenly, it all makes sense, once you get past the headline-grabbing word “cryptocurrency”. 2.38 billion Facebook users could suddenly benefit from a “decentralized” and “portable” digital identity, through the creation of an “open” identity standard. But there are already open identity standards available, I hear you say... And there again, we can understand why Facebook was noticeably reluctant to support DID standards or community efforts such as W3C.

In recent years, digital identity has indeed become an intrinsic part of the payments industry in particular, and financial services in general. As consumers continue to adopt new and emerging technologies, businesses are faced with the challenge of balancing customer experience with security. This will mean that businesses must ensure that they deploy dynamic approaches to counter the proliferation of stolen identity credentials and advanced device and identity spoofing techniques which allow fraudsters to bypass the most complex screening procedures. In addition, the ability to recognise legitimate customers across industries and channels can also fuel growth and opportunities.

If an open identity standard is trusted enough that it gets traction, not just in payments or financial services, but across the board so that we could use “Just Enough Identity” depending on the risk associated with the interaction (i.e. not much for reading the news, quite a lot for accessing your bank account),

  • and that the identity information actually belongs to the identifiable entity (e.g. a person),
  • and if subsequent activity related to an identity owner that can be derived from processing, handling, or supporting the infrastructure that enables the identity ecosystem to operate remains under the control of the identity owner (similar to the “purpose limitation” principle of the GDPR),
  • then, perhaps, we have something very interesting.

There is really nothing much about Facebook’s intent in relation to digital identity in the Libra paper other than the paragraph I mentioned earlier, which has led to a lot of speculation. But with Facebook’s track record on privacy and data monetization, the first and second bullet points above remain valid questions...

Our current technological and socio-economic landscapes mean that the ever-increasing amounts of data flowing across ever-blurring geographical boundaries make it increasingly difficult to catch up with criminals. Consequently, developing regulations able to cope with new technologies and new crimes is a massive challenge. If we examine some of these regulations more closely, it will become apparent that many requirements overlap. For example, stringent customer authentication and fraud prevention measures are required by PSD2 (Strong Customer Authentication; Transaction Risk Analysis), the various Anti-Money Laundering regulations/directives (KYC, eKYC, due diligence), the GDPR (protection of personal data and sensitive personal data), to name but a few. Similarly, incident response and timely disclosure of security incidents are required by, amongst others, the PSD2, the GDPR, AML regulations/directives worldwide and the EU NIS Directive. And last but not least, the requirements for data and information security, privacy and protection are common to all of these and many more...

To meet the regulatory challenge and manage risk effectively, organisations must get as close as possible to a single end-to-end view of the customer, regardless of service/product, channel or device. And they must do this as seamlessly as possible. In other words, businesses must be able to distinguish between genuine customers (who are increasingly ubiquitous) and fraudsters (who are increasingly able to mimic genuine customers), whilst collecting more data to deliver exciting and seamless experiences, all the while maintaining consumer trust and privacy. Moreover, the lack of digital identity integration with wider customer engagement strategies will lead to fragmented customer experiences and customer attrition, the inability to capitalise on customer data to inform decision-making and enhance the overall customer experience, as well as to data privacy challenges.

Could Facebook’s Libra-based digital identity be part of the solution to that regulated ecosystem? Or will they flout regulations on the basis of their scale, betting on mass adoption of a captive audience? Will other players follow suit (e.g. Amazon, Google)? Will the Apple ID become an open ecosystem in response? How will regulators respond? Time will tell.

©2019 Neira Jones

Posted by

Neira Jones

Neira Jones is an independent advisor and international speaker, partner for the Global Cyber Alliance, and ambassador for the Emerging Payments Association.