I have been on a bit of a roll this week when it comes to the security around PSD2. The announcement that the FCA was given permission to give extensions to companies implementing Strong Customer Authentication (SCA) was a gentle reminder to me that a major deadline was close.
Here is another opinion article. Here Paul Adams, director of acquiring at Barclaycard Payment Solutions, shares his thoughts on meeting the SCA standard and gives detailed advice to companies that will have to meet the standard.
SCA: Setting the record straight and making the most of the new payments regulation
By Paul Adams,
Ever since Strong Customer Authentication (SCA) was first announced as part of PSD2 in 2015, we have seen a number of myths and inaccuracies floating around the industry. While general awareness and understanding has certainly improved over the past four years, the recent opinion published by the European Banking Authority (EBA), which gave the FCA, CBOI, and their European counterparts more flexibility to grant SCA deadline extensions, has resulted in a resurgence of some of these myths, some of which are placing UK businesses at risk.
Businesses understand the impending changes – not only around how and when to prepare for the transition deadlines, but also how to think about SCA differently, in order to turn it into a strategic advantage.
Be the Ant, not the Grasshopper: The SCA deadline is still September 14
The most dangerous myth we’re seeing at the moment is that some businesses have taken the EBA’s announcement as an excuse to take their foot off the gas when it comes to complying with the new legislation, in anticipation of a deadline extension.
In reality, while the EBA’s announcement does give the FCA and CBOI more flexibility to grant deadline extensions in the UK and Ireland, right now the compliance deadline of 14 September has not changed. What’s more, if the FCA and CBOI do decide to extend the deadline for certain SCA activities, they will need to set out clear compliance roadmaps, and we expect 3-D secure version 2 (3DS2) to be one of the first milestones for which businesses are held accountable.
Therefore, any businesses pushing compliance down their list of priorities could be lulling themselves into a false sense of security.
It is of the utmost importance that businesses continue to push towards preparing themselves for SCA, in particular by embedding 3DS2 into their payment journeys, in order to avoid a situation where they have too much to do, in too little time. If they don’t comply in time, there’s a very real risk that they could start seeing their customers’ transactions automatically declined.
Is this the end of One Time Passcodes (OTPs)?
Prior to the EBA’s announcement, many issuers had been planning to send One Time Passcodes (OTPs) via SMS to customers going through SCA. With SCA requiring consumers two provide two out of three of ‘something they know’, ‘something they have’, and ‘something they are’, it was generally thought that OTPs would qualify as ‘something they know’, which could then be used in conjunction with a ‘something they have’, such as credit card details, to pass through SCA successfully.
However, the EBA announcement also made it clear that OTPs would qualify as a possession factor, rather than a knowledge factor, which means that OTPs and credit card details now fall under the same category. As a result, those two methods can no longer be used in isolation in order to pass SCA.
This has had a major impact on the banks / issuers who had been hoping to offer OTP as one of their authentication methods. Those providers now need to review their remaining authentication journeys to make sure that they are still able to provide their entire customer base with a compliant solution. If the removal of OTP leaves a gap for certain customers, they may need to build and promote another method, e.g. biometrics.
The knock-on impact this could have on merchants is that if an issuer hasn’t properly promoted their compliant SCA solution, or hasn’t designed a slick authentication journey, merchants could see an increase in that issuer’s customers abandoning their baskets.
However, that doesn’t mean that OTPs will disappear overnight – they do still have value in keeping fraud low. For now, we expect many issuers to continue using OTPs at a possession factor, at least until consumers are more comfortable with newer and better authentication methods.
New complexities for multi-national businesses
Before the recent EBA announcement, all merchants, issuers and acquirers were working towards the same, pan-European compliance date – September 14. However, the EBA’s recent announcement means that the FCA, CBOI and each of their European counterparts have the flexibility to impose their own compliance deadlines and country-specific exceptions. While that might seem to make sense at an in-country level, this has the potential to cause quite a lot of confusion.
For merchants operating in more than one country, things could get complicated quickly, because they could be subject to multiple overlapping deadlines. At Barclaycard, we believe that a harmonised, pan-European approach would benefit both merchants and consumers, and we will continue to advocate for that with the help of key industry stakeholders and regulators.
Having said that, the best thing that merchants can do to minimise any cross-European complexity will be to keep working towards becoming SCA compliant ahead of September 14.
Challenging the customer experience myth
Alongside misconceptions around the implementation deadline, we have also seen concerns that SCA will have a detrimental impact on business revenue.
First of all, it’s important to note that these concerns are not entirely unfounded – while the primary purpose of SCA remains to tackle cybercrime, SCA will introduce friction into the shopper journey, and this friction could lead to an increase in basket abandonment, resulting in a decline in sales.
However, a lot of that fear stems from people’s personal experiences with the current 3-D secure authentication technology, known as 3DS1. While innovative when it first launched, by today’s standards 3DS1 has started to feel clunky, and its use of pop-up windows might seem suspicious to those who equate pop-ups with spam and phishing. It’s fair to say that 3DS1 has been rendered obsolete by the technology changes and security risks that brought about strong customer authentication in the first place.
As a result, the prospect of more customers being asked to authenticate themselves could understandably be alarming. However, the good news is that are two reasons why businesses don’t need to panic.
The first is that the payments industry has designed a new iteration of 3-D secure, known as 3DS2, and this newer version uses much more advanced infrastructure, and is far more dynamic and streamlined than its predecessor. This should mean that the 3DS2 authentication experience will be much smoother than with 3DS1, meaning that customers won’t feel as much of a break in the payment journey.
The second reason is that there are proactive steps that businesses can take to reduce the volume of their customers’ transactions that require full authentication, thereby taking away that additional friction.
That’s because, under SCA, certain types of transactions are exempt from full authentication, as long as certain criteria are met. Examples of exemptions include low value transactions, low risk transactions and transactions with merchants that the consumer has ‘white-listed’ with their credit card issuer / bank.
Businesses hoping to turn SCA into a strategic advantage should maximise and optimise their use of these exemptions, and in order to do that they should consider partnering with a trusted payments services provider to apply those exemptions on their behalf, once SCA comes into force.
Preparing your business for SCA success
As we approach the September deadline, it’s time to rethink SCA and re-evaluate the fears surrounding the new system. If solutions are implemented promptly and correctly, both consumers and businesses should see significant benefits.
Our advice to clients is to keep working towards embedding the new 3DS2 authentication technology into their payment journeys, and to speak to their payment acceptance / gateway provider if they have any questions. In addition, retailers should already be thinking about how to maximise their use of SCA exemptions, in order to minimise customer friction.
Funding Options is a fintech that started out with the aim of being like a MoneySuperMarket for business lending said Conrad Ford, CEO and founder, at the company. It later became more like a dating site, he added.
Ford had spent most of his career working in banking including at a large investment bank and most of his career at Barclays.
It was during his time at Barclays and more specifically when he was moved into an innovation unit at the bank, that his interest in developing tech led products was ignited.
“Fintech wasn’t a word at the time but like other banks Barclays created a standalone unit with high independence to build new propositions,” said Ford.
He said this was a bit different to some of the “fluffy incubators” initially set up by banks. “We were told to go and build real businesses with real revenues.”
He said within the unit he was in a team focused on creating new services for small businesses. “Barclays had a huge number of small business customers and there was an opportunity to go beyond traditional banking services.” This included creating a tool that small businesses could use to do credit checks on customers.
He said he did not go into the unit out of a desire to innovate or get fintech experience (before the term existed) but because he wanted management experience. He expected to move back into Barclays in a bigger operational role, he said: “But my taste for freedom was enough and I didn’t want to do that.”
This is when the genesis for Funding Options emerged, which he described as his mid-life crisis of sorts. He said he was in his late thirties and decided now was the time to turn his years of experience in the banking to something new.
He said startup founders in their late thirties and early forties are statistically the most successful because of experience. “Many have previously tried things out with other people money and failed.”
“I jokingly describe Funding Options as my mid-life crisis because at the time I had a good job in a large bank, but I wanted to go off and do my own thing.”
It was 2012 when Ford “got serious” about Funding Options.
He said because of his connections he was able to raise initial funding just on the business plan. This plan, was for a fintech that helps SMEs find funding, and it came in at a time when they were struggling to get access to loans.
“The peak of the impact of the financial global crisis in 2008 on small business lending was probably around 2010/2011.”
He said the challenges for small businesses getting loans was central to his thinking at the time. “It seemed to be the right business at the right time.”
This is when the idea of building a platform like MoneySuperMarket but for business lending. “There are lots of sources of funding, and even were during the crisis, but the problem is small businesses and lenders couldn’t find each other.”
“So there was a big problem that had to be solved,” added Ford.
He said too many startups are focused on either not big enough opportunities or not big enough problems.
Towards the end of 2012 Ford made his first entry into the market, which he said was an abject failure. “We are a perfect example of a company that takes a couple of year to get the right product/market fit.”
“Some startups get the right product in the right market straight away but this was not the case for us and it took a couple of years to get it right,” added Ford.
This was an important lesson for Ford. He said people think they can run a business but then realise very quickly that running a startup is very different from running a large company.
Keeping investors interested during the early years required some “very inspirational speech” Ford joked. “There were occasions in the early period when we came close to going under, with two or three occasions when the management wasn’t sure if it was going to be able to pay staff.”
Initially Ford and his team built what he described as a “tech heavy solution” to the problem using advanced technology, but he said it didn’t work for small business customers which can be relatively unsophisticated. The initial platform also used accountants as a channel to customers, which despite research showing this to be a good idea, didn’t work, said Ford. “There was a discrepancy in what the accountants do in practice and what they say in surveys.”
By 2014 Ford said the team had worked out how the business should look and managed to raise some venture capital funding. “We got a couple of million pounds which is the start of where we are today.”
The platform today is like a dating site for small businesses and lenders. A small business goes onto the platform and is asked for information about what they want to achieve, how much money they need, how quickly they need money as well as questions about the business. Funding Options’ proprietary algorithms quickly match these small businesses with the most appropriate lenders. External data sources is also being brought in to improve and speed up matching.
Ford said: “A dating site will say there are thousands of singles in London, but how do you find the three that are worth having dinner with?” He said Funding options applies the same type of technology as dating sites to small businesses and lender matching.
It currently instigates loans of about £100m a year.
In June Funding Options was awarded £5 million grant, from the Alternative Remedies Fund, to ensure finance choice for SMEs across the UK.
Funding Options has about 60 staff in London and is also growing its new operation in the Netherlands. This came about after Dutch bank ING invested in the company.
Expansion won’t end there. “We plan to be a pan-European business,” said Ford.
Read the previous fintech interviews
Part 25 FutureBricks, Part 24 Esme, Part 23 The ID Co, Part 22 Currencycloud, Part 21 Tandem, Part 20 Tink, Part 19 Goldex, Part 18 Azimo, Part 17 Yoyo, Part 16 Bud, Part 15 Previse, Part 14 Finastra, Part 13 InstaReM, Part 12 Eucaps, Part 11 AimBrain, Part 10 Meniga, Part 9 TrueLayer, Part 8 InvestCloud, Part 7 ClauseMatch, Part 6 Rebuilding Society, Part 5 Honcho, Part 4 Akoni, Part 3 Wrisk, Part 2 CreditLadder, Part 1 Taina Technology
I blogged yesterday about a conversation I had with an anti fraud expert about PSD2/open banking security. This post was focussed on the risks that human behaviour combined with the opening up of banking could increase the risks of social engineering from fraudsters. You can read it here.
There was also news yesterday of a study that shows that most fintech startups, like most banks, are failing to address vulnerabilities in the web and mobile application. Food for thought with the likely confusion that early open banking will bring to the market for consumers.
Banks and retailers have been given an extra 18 months to meet PSD2’s Strong Customer Authentication (SCA) rules as I previously wrote and have an interesting opinion piece from James Maude, head of threat research at UK security software company Netacea, on open banking security, which I thought timely.
Banks still unprepared for open banking security
By James Maude
Open Banking was the UK’s attempt to get ahead of PSD2 regulation, with an ambitious timetable for the biggest banks to create open Application Programming Interfaces (APIs). Despite this head start, the banks are underprepared for PSD2’s second major requirement, the demand for improved anti-fraud measures.
However, retailers and banks have a short reprieve. Strong Customer Authentication (SCA), the new EU rule that demands certain payments use two factor authentication, has just been kicked down the road by the Financial Conduct Authority (FCA). It was predicted that 25% of payments were set to fail, thanks to a lack of preparation, so an extended deadline of eighteen months is bound to be a relief.
Criminals and fraudsters will also be relieved. SCA will make their jobs significantly more difficult—they’ll have to work a lot harder to bypass extra authentication methods. Without this extra step, it’s far easier to perform card cracking, using bots to check thousands of stolen card details. These details, leaked by data breaches and sold on the dark web, are much less effective if hackers need to also try to subvert one-time passwords and other security methods.
The issue that banks and other financial service providers face is that when one method of attack is thwarted, cybercriminals won’t simply give in—instead, they look for another way in and PSD2 presents a prime opportunity: APIs. The UK has already gone some way to adopting banking APIs thanks to its Open Banking initiative, opening up banking data to fintechs and other providers for the benefit of consumers and to encourage competition. The introduction of SCA means these APIs are more likely to be targeted.
Access to APIs is restricted to regulated third party providers (TPPs) that have been subject to extensive verification of their security, operational governance and risk management controls. But this doesn’t mean that they are necessarily 100% safe from attack. APIs can extend the ways in which an attacker will attempt to gain entry—through the TPP, mobile applications, or access to the API directly. Plus, while Open Banking has defined API standards, PSD2 is more open to interpretation, potentially leading to confusion over exactly how a secure API should be implemented.
The problem for banks is that, even if they take every precaution to make sure that the API is secure, there are ways to attack it that are out of their control. A hacker with access to a TPP’s system could use it to scrape personal details, but it doesn’t have to be quite so direct. An improperly secured and poorly designed third-party app configured to share the bank’s data is a direct link to an API that can be exploited in a “supply chain” attack—in which instance, automated attacks that test credentials and card details and commit fraud become possible.
Blocking IPs and blacklisting will only go so far to beating this problem—but APIs also present a new problem. The influx of third-party data will mean banks will no longer fully understand the data traffic on their systems. Previously, while there was some understanding of a user’s behaviour, this will be lost on the other end of an API. The potential issues, however, go beyond a loss of market intelligence.
Right now, bots (both good and bad) and humans are interacting with online and mobile banking. Banks understand this traffic, know what it looks like and can identify ill intent to block some common automated attack techniques. But they do not have the same knowledge and understanding of traffic to new APIs. Their ability to separate the good from the bad will be limited—not only is this a new attack vector, it’s one where an attack won’t be immediately obvious.
PSD2 is a much-needed legislation that presents financial institutions with new challenges. It also presents ample opportunity for banks to update legacy systems, collaborate and improve their security platforms. But banks not only need to secure their APIs, they need to quickly get up to speed as to what is normal use and what bad intent looks like. PSD2 represents a new spirit of openness, but it’s vital that embracing this does not expose financial service providers or their customers to additional risk.
I had a conversation with a financial fraud expert at BAE Systems recently about some of the security risks being created by the PSD2 regulations.
You can put all the security technology under the sun in place but human fallibilities, which PSD2 might inadvertently increase, will undo them all.
Gareth Evans at BAE Systems told me how PSD2 creates more potential entry points for fraudsters who prey on consumer confusion.
There has been a lot of discussion about security standards around payments with for example PSD2’s Strong Customer Authentication (SCA) rules, being introduced. SCA means that any online payments worth over €30 would require two methods of authentication from the person making the payment, such as a password, biometric authentication like a fingerprint, or having a phone that can identify them.
SCA was due to be introduced on 14 September but due to The Financial Conduct Authority has given payments and e-commerce firms an extra 18 months because of the “complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers”.
But consumers have other things to worry about according to Evans, with the introduction of PSD2 likely to be seized on by fraudsters to take advantage of consumer confusion.
Instead of just having your mobile app or internet banking app to access your account it is opening up your bank account to a whole host of third parties. “They can do really innovative things for you but it also means you are opening up vulnerabilities that people can exploit,” said Evans.
“I am less worried about the technical vulnerabilities from traditional hacking, I am more concerned about the human element that PSD2 brings in,” said Evans. “When anything changes it creates confusion. When you create confusion it gives people a chance to phone you up or send you an email to try and get people to divulge information you shouldn’t.”
Evans said there has been a general increase in financial fraud although he has not seen any directly related to PSD2 yet. “PSD2 has not captured the public’s imagination yet. While I think a lot of banks have been working behind the scenes to get the technical side right there has not been a lot of take up,” he added.
“It is not about what we have seen but where this could go.”
As an analogy he said in the past if you had your money under your bed and you had one door, when you locked it that route was secure. But he said PSD2 creates more doors to your finances. “For example fraudsters could set themselves up as third parties and spoof their way to gaining access to a bank account.”
Basically the target for criminals is being made bigger by PSD2, added Evans. “I don’t think there will necessarily be any groundbreaking new threats but the number of attack vector is growing.”
He said that third party financial services providers, which will include many fintechs, might not have done the same level of security work as the banks have, which could open up vulnerabilities.
There will also be questions over which financial services supplier is responsible when a fraudster manages to get access to a consumer’s account. “At the moment it is usually the bank’s responsibility but where will that go after PSD2 takes off?”
FutureBricks is a tech startup that enables people to invest savings in housing projects, which offer high interest and are secured against properties, while making money available to small building companies.
It is solving three problems in the UK through its platform where people can lend as little as £500 to house builders, for returns of up to 12%.
SME house builders struggle to get loans, there is a huge housing shortage in the UK and ISAs offer interest rates way below inflation. The first problem is solved through making money available to SME house builders in the UK, then secondly this indirectly helps address the shortage of homes in the UK, while thirdly giving people the chance to get good returns on their savings.
Meanwhile it is disrupting two parts of the financial services sector: SME lending and consumer savings.
I recently spoke to Arya Taware, founder of FutureBricks. She told me that once overcoming the challenge of being a young woman in an industry dominated by men, doing deals down the pub, she began work on the lending platform.
Taware was doing her undergraduate degree in urban planning, design and management, real estate development at University College London before taking up a role at a small house builder where she was tasked with finding good sites for building projects. “We would find lots of appropriate sites but in many cases the developers could not get funding,” she said.
“This was 2013 and was happening quite a lot, which got me thinking.”
She said there is a shortage of homes in the UK and it is the large house builders that have access to funds. But she said these companies are building houses for investments rather than for people to live in.
“This is where I saw the gap. The guys that are building homes for people to actually live in are not getting access to funds,” she said.
Her own challenges when looking for the best way to save money helped her with the part of the business aimed at investors. As a consumer she did not think investing in ISAs, stocks and shares or buy to lets were appealing. Be secured loans with high monthly interest payments would.
Having identified the problem to address Taware had to work out how to do it. “The only way to do this is through digital technology,” she said.
It started building the platform about 18 months ago. It now has an app with a fully automated process for lenders to go, including know your customer checks. Then the customer can chose which projects they want to lend to.
The company’s mobile app and web platform enables investors to sign up and lend in two minutes. The fully automated process includes things like anti-money laundering and KYC checks. Then investors can chose which projects they want to invest in.
The company was set up three years ago and the platform went live in late 2018, after getting the upfront capital and regulatory approval from the FCA required, which took time.
An initial obstacle for Taware was the fact that the building and financial services sectors are often archaic. “The challenge was I was a young woman straight out of university. It is a very traditional male dominated industry with deals happening in the pub,” she said
Today FutureBrick’s tech team is made up of six people based in India.
About £500,000 has been lend so far to five builders through the platform which currently has about 500 active lenders.
The building companies that receive the funds have a different dashboard. At the time I spoke to Taware she said the company was receiving about 100 applications from builders every month, with about 10% accepted.
“We have our own underwriting team that do the initial due diligence and then we use industry experts such as surveyors to complete this. It is a very heavy part of our business but it is behind the scenes
The first building project backed by the platform, in Southfields London, was four the development of a four bedroom house. It needed to raise £100,000 through the platform, which it successfully did through 18 investors who got 12% interest. The development worth over £1m is now complete and investors have had loans paid back.
Read the previous fintech interviews
Part 24 Esme, Part 23 The ID Co, Part 22 Currencycloud, Part 21 Tandem, Part 20 Tink, Part 19 Goldex, Part 18 Azimo, Part 17 Yoyo, Part 16 Bud, Part 15 Previse, Part 14 Finastra, Part 13 InstaReM, Part 12 Eucaps, Part 11 AimBrain, Part 10 Meniga, Part 9 TrueLayer, Part 8 InvestCloud, Part 7 ClauseMatch, Part 6 Rebuilding Society, Part 5 Honcho, Part 4 Akoni, Part 3 Wrisk, Part 2 CreditLadder, Part 1 Taina Technology
I recently spoke to Innovate Finance’s CEO about the desire to get fintechs to look beyond London when establishing themselves.
To this end Charlotte Crosswell was keen to emphasise how the London based fintech trade body is trying to reach further afield.
Innovate Finance had at the time signed agreements with Fintech North and Fintech Scotland. She said this helps spread the fintech solutions coming from those regions but and means financial services are looked at in a different way.
Last week Innovate Finance announced the addition of Fintech Northern Ireland, Fintech Wales and Fintech West to the national network.
Alex Lee, Member of Fintech Northern Ireland said welcomedthe establishment of a National Network to showcase Fintech outside of London. “This initiative will allow the ecosystem to collaborate nationally and learn from more developed hubs on the challenges, successes and importantly failures. We recognise that working alongside regional partners will only aide our development of Northern Ireland as a regional Fintech Hub.”
Meanwhile Gavin Powell, general secretary at Fintech Wales said: “This will not only boost the benefits for Wales and our members, but will also help to create a stronger and more resilient national economy. Fintech is a key area of excellence for the UK and the National Network will both support and enable its continued growth.”
Julian Wells, director of Fintech West said the organisation itself grew out of a smaller more localised body. “It was created in 2019 from the solid foundations of several years of work by what was formerly known as Bristol Fintech. Joining the national network is a really positive step to ensuring this region rightly takes its place as a key player in the UK’s national Fintech sector.”
Dan Rajkumar, at peer to peer fintech Rebuilding Society is one of the founders of Fintech North. He recently told me that the organisation’s partnership with Innovate finance and Fintech Scotland, known as the UK Fintech Network, disseminates the message and getting people around the country engaged with the industry.
TSB is integrating technology into its banking app that will allow people to open accounts via a selfie.
The bank devised the plan with the over 55s in mind, because they won’t have to visit a branch.
TSB did some research recently that found that 57% of over 55s never use mobile banking, even though they have smartphone. This compares to 82% of 18-34-year olds who say they use mobile banking.
But 73% of them said they would benefit from being able to do their banking remotely, citing ‘speed’ and convenience and ‘24/7 access as top reasons.
Pol Navarro, digital director at TSB said the introduction is about reducing hassle for customers.
“We know that life can take over and that quick lunch time visit to a branch might not happen. With this new experience, we are making banking better and enabling customers to fully complete their application in a way that fully suits their busy lifestyles: just with a simple selfie.”
ID verification technology from Jumio in the app to enable selfie account opening.
It is by no means the first bank to offer this type of service. About three years ago HSBC launched a mobile app that enabled business customers to open accounts using a selfie as ID. There are many more examples.
It is another example of how biometric authentication is becoming increasingly common place with its ease of use. People always have their face with them and don’t need to remember anything.
Big traditional banks have embraced fintech, some more than others, with Royal Bank of Scotland/NatWest one of the more active.
Through its innovation cells RBS Group incubate startups in a Wework office in central London.
At the back end of 2016 as part of this project, the banking group started looking at what it could do to add a bit of fintech to its SME lending business.
This eventually led to the creation of Esme Loans, which offers business loans to SMEs in minutes through a completely automated process.
I interviewed Esme CEO Richard Kerton a while back about the company’s history and plans. Here is the interview, better late than never.
It is an interesting company because it demonstrates how banks can support startups through their development with expertise and funding.
A separate entity to RBS Group, the company cuts the time it takes to apply for a loan to 10 minutes for SMEs, offering SMEs loans of up to £150,000. Application is made easy through the use of the latest technology, including artificial intelligence and application programming interfaces (APIs) so it can connect with external data.
About 1000 loans, worth over £50m, had been made by Esme when I did the interview a couple of months ago.
Kerton was brought from another part of the bank to turn the organisation’s idea of a digital lending business into a reality. “We could see looking at our own business and that of fintechs that customers wanted to be served in a different way,” he said.
The first thing to do once establishing what customers wanted was to get the technology.
Esme decided to use the existing technology from a fintech company called Ezbob, which had been lending for a few years but had decided it wanted to focus on technology as its business. “We partnered up with Ezbob and we could see they had the core of a really good proposition. You could take an SME through an application process and give them a quick decision.”
The application process takes 10 minutes and an instant yes, no or maybe decision can be given. This is possible while the customer is filling in the application systems are going about their work in the background.
“As the customer is filling out their application we are pulling data in from different external sources through APIs and then with that data we are doing the onboarding process with know your customer (KYC) etc, and at the same time pushing the data into a risk engine which uses AI to crunch the data to make a decision.”
Only when the decision is a “maybe” will humans become involved, said Kerton.
The offering is a bit different to what the traditional bank offers. It provides up to £150,000 unsecured business loans in an automated environment said Kerton. Other differences include not having access to a relationship banker.
Esme has 36 staff in London. These work on marketing, underwriting and operations
For Kerton, who has 30 years’ experience as a banker at RBS/NatWest, the opportunity to get involved with the development of a fintech within RBS was irresistible. “I jumped at the chance as it was a great opportunity,” he said. “I always had an entrepreneurial side to me and I have amassed experience from all across the business. Being able to bring all that together and design product from scratch, that customers want, was just a brilliant opportunity.”
Kerton sees fintechs like Esme as complimentary to the banks. “I think traditional banks will have their core propositions and upgrade the technology to better service customers, but there is an opportunity to develop new business revenue streams in the fintech sector.”
He said doing fintech inside a big bank has its advantages. “It’s easy because you have a huge amount of resources and expertise behind you.” But he added that there are challenges. “It is harder because you have to comply with the banks policies and procedures which aren’t always naturally aligned to a startup culture,” he said.
One good example where Esme might not want to work too closely with the bank is in technology. The legacy systems of traditional banks, while reliable and stable, are not something agile fintechs want to use. None of Esme’s technology touches RBS technology which, according to Kerton, allows Esme to be agile.
Although Esme has made thousands of loans worth millions of pounds it has only really been testing the water so far. A big test you might say. But it has set its sights on scaling the business this year after establishing that the concept and technology works. “We pushed through quite a high volume and through that you get feedback. We will now use that insight to help us scale the business,” said Kerton.
Another area where Esme is looking to improve is the proportion of loans that go through without any human involvement. So far during the early phase the company has been watching closely and human involvement has been deliberately higher than the company will eventually want. Kerton said about 10% of loans so far have been automated from start to finish, but he said this will increase.
To this end it is working with Microsoft to develop a data warehouse, introduce more AI. “This will power are understanding of what customers want and help us build things like chatbots,” said Kerton.
For example this will also help Esme bespoke customer journeys and help them offer loans at the time businesses need them, and improve the efficiency of its risk engine.
Esme is also working with Ezbob to break the platform into lots of Micro services. This would break the journey up into modular services, such as onboarding. “This will allow us to use them in different products, bespoke services and help integrate more easily with third parties,” said Kerton.
Read the previous fintech interviews
Part 23The ID Co, Part 22 Currencycloud, Part 21 Tandem, Part 20 Tink, Part 19 Goldex, Part 18 Azimo, Part 17 Yoyo, Part 16 Bud, Part 15 Previse, Part 14 Finastra, Part 13 InstaReM, Part 12 Eucaps, Part 11 AimBrain, Part 10 Meniga, Part 9 TrueLayer, Part 8 InvestCloud, Part 7 ClauseMatch, Part 6 Rebuilding Society, Part 5 Honcho, Part 4 Akoni, Part 3 Wrisk, Part 2 CreditLadder, Part 1 Taina Technology
More established UK fintech’s were the biggest recipients of investment in the first half of this year, which demonstrated that businesses are maturing.
Investment in UK fintechs in the first half of this year was $2.9bn, which is 85% of the total invested in 2018, according to figures from fintech industry body Innovate Finance. It is also 45% higher than the same six month period last year. London based companies took 90% of this.
It was challenger banks that got most investment during the six months with payments and foreign exchange fintechs close behind.
For example challenger banks including OakNorth ($440m), Monzo ($147m) and Starling Bank ($98m) got the most significant investments. In payments and foreign exchange sectors Checkout.com ($230m), WorldRemit ($175m) and GoCardless ($76m) were major recipients.
A total of that 85% of the investment was in more established fintechs, with early stage fintechs taking the remainder.
Charlotte Crosswell, CEO of Innovate Finance, said the type of investments is a reflection of the sectiors maturity. “The flow and impressive size of individual investments demonstrate an ecosystem that is showing signs of growing maturity. “
But the sector could face difficulties if the UK leaves the EU without a deal. “. Both the flow of capital and a wide talent pool are essential to maintaining the sector’s strength, and we remain committed to support efforts in these vital areas,” said Crosswell.
According to a survey from banking software supplier Crealogix, there is lack of awareness of open banking among UK current account holders.
In fact its survey carried out by Censuswide found that two thirds of them had never heard of open banking. But it also found that the same proportion are interested in the digital banking features enabled by open banking.
This is not a surprise. For example most people desire all manner of cloud services but how many of them know what the cloud is? A few years ago not many people had ever heard of it.
But the big difference between using the cloud and open banking is that people have to agree to sharing their data, so they really need to understand it before they use it.
Jo Howes, commercial director of Crealogix UK, said a lot of the focus so far has been on understanding regulations and figuring out details of new technology for secure data sharing. “While all this is essential, consumers are far less interested in education or understanding how this all works. People want to use financial apps that make their lives easier and more secure, and they will change provider to get what they want. Financial institutions which have the ability to put innovations into customers’ hands faster have a key competitive advantage. Open banking offers a greater range of possibilities for differentiation than the industry has ever had before.”
But there are clearly challenges and customer understanding and subsequent trust is vital.
I had a conversation with Hans Tesselaar, executive director at not for profit banking IT development BIAN. He told me that the take up of open banking, PSD2 in its case, is slow on the continent.
“After the scandal with Facebook and Cambridge Analytics, people have become more reluctant and especially if it involves sharing financial data,” he said.
He said a lot of banks are pulling back a bit. “While there are a lot of opportunities for banks it is not easy to fulfill them due to the political climate and sentiment in the market. That is why it is slow.”
He said it will take off eventually but added that there is an over reliance on Millennials driving adoption. “Everybody says look at the Millennials, they try everything, but the moment they start a company and need a loan does or she want to share that? Or when they want a mortgage? When you mature you are less willing to share.”
But of course cloud adoption had similar hurdles, not least in banking. There was a lot of scepticism about using the cloud in the past, but that was quickly overcome when consumers and their suppliers realised the benefits. I don’t think we could function in the developed world without the cloud. My kids certainly couldn’t.