Evolution of the Mobile Payment Market

NYTECH Council Event, October 15, 2015, New York City


Page 1

Evolution of the Mobile Payment Market

NYTECH Council Event, October 15, 2015, New York City

Robert Tibbs, Founder and CEO, Kayden
Andy Lorentz, Partner, Davis Wright Tremaine
Paul Miller, CEO, mSIGNIA

Page 2

Andy Lorentz, Partner, Davis Wright Tremaine
Robert Tibbs, Founder and CEO, Kayden
Paul Miller, CEO, mSIGNIA

Page 3

Moore’s Law*

The number of transistors on a chip doubles every year, doubling computing power at roughly the same cost.

Updated in 1975 to forecast a doubling of computing power every two years.

*From Gordon Moore, head of research at Fairchild Semiconductor, later co-founder and CEO of Intel

Intel 4004 (1971) vs. Intel Core i5 (current model):

– 3,500 times the performance
– 90,000 times more energy efficient
– 60,000 times lower cost

Source: NY Times (5/13/2015)

Page 4

Moore’s Law and the Volkswagen Beetle

Volkswagen Beetle (1971) vs. Volkswagen Beetle (current model – IF Moore’s Law applied to VWs):

– Top speed of 300,000 miles per hour
– 2,000,000 miles per gallon of fuel
– Cost of 4 cents

Source: NY Times (5/13/2015)

Page 5

What if we apply Moore’s Law to financial services? “FinTech” – worlds colliding or connecting?

Page 6

What Divides “Fin” from “Tech”…

Banks Product Development:

– Bank grade product / technology before it hits the market
– Invest on the front end
– Slow to market
– Don’t fail (or even better, be “too big to fail”), don’t run out of other people’s money
– Ask permission

Outsourcing means Due Diligence, Contract, Monitoring:

– Protracted and detailed

APPs Product Development:

– Philosophy of “Lean Startup” by Eric Ries: only “Minimum Viable Product” before it hits the market
– Invest on the back-end
– Rush to market
– Fail fast, iterate product, don’t run out of money
– Beg forgiveness

Outsourcing means “take out” food:

– Handshakes instead of contracts

Page 7

…Leads to Culture Clash

Page 8

Growth in “Alternative Payment Providers”

In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017.

Peer-to-peer payment market expected to reach $17 billion in 2019.

Growth of P2P market, APPs for online transactions, e-wallets, mobile payments, “Buy” buttons.

Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)

Page 9

Who (and what) are these guys?

Page 10

The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security

“Financial Institutions” are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators:

– GLBA Interagency Guidelines
– More stringent implementing regulations and consequences
– Safety and soundness
– Banks ultimately bear customer service and fraud costs

Alternative Payment Providers (APPs) provide products and services utilizing the “backbone of existing payment systems” and avoid the reach of prudential regulators:

– GLBA FTC Safeguards Rule
– Not subject to regular examinations, enforcement actions or oversight
– Lighter substantive requirements
– Lower odds of facing enforcement actions or sanctions

“Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes.” – The Clearing House

Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)

Page 11

The Clearing House Prescription: Level the Playing Field

– Enhance substantive regulatory requirements imposed on APPs
– Use available examination authority to examine APPs
  – CFPB should designate “larger participants” in payments market
  – CFPB and others – use authority over “service providers”
– Enforce existing requirements for APPs
  – FTC GLBA Safeguards Rule
  – FinCEN (money services businesses)
– Legislate additional data security requirements for APPs, resource FTC further, give FTC or CFPB exam authority over APPs

“REGULATORY FAILURE”

Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)

Page 12

“Gaps” in The Clearing House Paper

– Premise is wrong regarding sources of risk to data
  – Encryption, tokenization and biometrics are APP staples
– Treats “banks” as a monolith and “APPs” as a monolith – ignores tremendous variation within both groups, except that:
  – All banks enjoy exclusive powers in the “business of banking” including certain network access
  – Banks can borrow at the Fed window and are FDIC insured
  – Nationally chartered depository institutions benefit from preemption
– Ignores possibility that cacophony* of legislatures and regulators and fractured regulatory regime are the root causes of disparities in regulation, supervision, and enforcement
– Soft-pedals bank obligations to oversee service providers

*jarring, discordant sound; dissonance. The Free Dictionary.

Page 13

(More) “Gaps” in The Clearing House Paper

– Fails to ask whether particular regulation is sensible – why should we “level” to inappropriate standards?
  – Ignores policy preferences for regulation based on performance rather than design standards
    • BUT beware UDAP/UDAAP combined with excessive authority
– Ignores considerations of consumer choice and reaching underserved markets for financial services
– Is one-dimensional – data privacy and security only – when the need for (sensible) regulatory policy changes is much broader
  – Data-driven risk-based approach informed by behavioral economics?
– Fails to ask why bank partners of APPs agree to participate in platforms that so disadvantage them

Page 14

The banking lawyer’s world…

Business of banking / Deposit-Taking; Truth in Lending Act / Reg Z; Regulation B; Bank Secrecy Act; OFAC; Reg D; Truth in Savings Act; Regulation II; Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Data breach/security; FDIC Deposit Insurance; E-SIGN Act; Unfair, Deceptive or Abusive Acts and Practices Laws; State Money Transmitter Laws; State Privacy and Security Statutes; Card brand rules; Gift card; Anti-Money Laundering Compliance; TISA/Reg DD; Reg CC; Escheat; Durbin Amendment; Identity-Theft Red Flags; Check 21; Truth in Billing; Electronic Fund Transfer Act / Regulation E; Regulation DD

Presentation Notes (my notes to myself):

– Money transmitter – opportunity came and went for the MNOs
– Privacy and security vs. BSA
– Disclosures, UDAAP – hard to comply in mobile environment
– Most major solutions are very conservative – mainstream bank issued payment instruments
– PayPal different – but now an incumbent – and Google Wallet uses prepaid for staged wallet

Page 15

Reflection

American Bankers Association: “Let’s Innovate. Not Mandate.”

U.S. Chamber of Commerce: “[T]he Chamber believes that industry self-regulation and technology-neutral best business practices are the most effective way to enhance innovation, investment, competition, and privacy.”

Building a 21st-Century Regulator’s Toolkit, by Daniel Gorfine and Chris Brummer of the Milken Institute

21st Century Regulation: Putting Innovation at the Heart of Payments Regulation, by eBay/PayPal’s Public Policy Lab

The Regulator of Tomorrow, by Shrupti Shah, Rachel Brody, & Nick Olson of Deloitte

Page 16

Mobile Payments Overview

Page 17

Who’s Leading Mobile Payment Innovation?

The ‘Usual Suspects’??? A New Leader??? A Disruption???

Visa, MasterCard, Amex, Discover, Banks

Apple, Google, Operators, Samsung, Merchant, PayPal, Bitcoin

Copyright ©, Confidential 2015

Page 18

CP Payment: EMV (online)

[Flow diagram; labels recovered from the figure] Lanes: Consumer / Issuer; Network / Interoperability; Merchant / Acquirer. Actors: Issuing Bank; Card Network (w/ Tokenization Service); Acquiring Bank; Merchant SE; Merchant website. Labelled flows: Payment Token + Verification; Transaction Data & Payment Token; Transaction Data & Card #; Payment Verification; Transaction Approved. Cardholder verification: PIN, Bio, Sign.

Page 19

Global Security HW Availability

[Pie chart; category labels were not extracted] 89% of the 3B smart devices worldwide have NO secur…

NO NATIVE HARDWARE SECURITY … NO MASS MARKET

US Security HW Availability

[Pie chart; category labels were not extracted] 81% of the 365M smart devices in the US have NO …; Android FP 0%

How do Merchants and Web Services Reach the Majority of their Customers?

Page 20

CP Payment: Host Card Emulation (HCE)

[Flow diagram; labels recovered from the figure] Lanes: Consumer / Issuer; Network / Interoperability; Merchant / Acquirer. Actors: Issuing Bank; Card Network (w/ Tokenization Service); Acquiring Bank; Merchant; Merchant website. Labelled flows: Payment Token; Transaction Data & Payment Token; Transaction Data & Card #; Payment Verification; Transaction Approved; SE Payment Verification; Wallet Authentication. Cardholder verification: PIN, Bio, Sign.

Page 21

CNP Payment: 3-Domain Security (3DS)

[Flow diagram; labels recovered from the figure] Lanes: Consumer / Issuer; Network / Interoperability; Merchant / Acquirer. Actors: Issuing Bank; Card Network (w/ Tokenization Service); Acquiring Bank; Merchant; Merchant website. Labelled flows: Payment Token; Transaction Data & Payment Token; Transaction Data & Card #; Payment Verification; Transaction Approved; Wallet Authentication. Cardholder verification: PIN, Bio, Sign.
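The three flow diagrams (EMV online, HCE and 3DS) share one structure: the merchant and acquirer side only ever handle a payment token, the card network's tokenization service turns that token back into the card number, and only the issuing bank sees the real card number. The block below is an added example, not code from the slides or from any of the presenters' companies; it models that split in Python so the security property can be checked directly. It assumes a random 16-digit token, an HMAC-SHA256 over (token, amount, nonce) as a stand-in for the device's "Payment Verification" cryptogram, and the well-known test PAN 4111111111111111; the names TokenService, Device, Issuer and run_transaction are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def cryptogram_for(key: bytes, token: str, amount_cents: int, nonce: str) -> str:
    """Per-transaction proof that the token holder knows the token key.
    Simplified stand-in (HMAC-SHA256) for an EMV-style cryptogram; an assumption."""
    msg = f"{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Network-side tokenization service: the only party that maps a payment
    token back to the card number. Tokens are random, so nothing downstream
    can derive the PAN from them."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._key_by_token: Dict[str, bytes] = {}
        self._seen: set = set()            # (token, nonce) pairs already honoured

    def provision(self, pan: str) -> Tuple[str, bytes]:
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(16)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        return token, key

    def verify_and_detokenize(self, token: str, amount_cents: int,
                              nonce: str, cryptogram: str) -> Optional[str]:
        key = self._key_by_token.get(token)
        if key is None or (token, nonce) in self._seen:
            return None                     # unknown token or replayed message
        expected = cryptogram_for(key, token, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None                     # amount or nonce altered in transit
        self._seen.add((token, nonce))
        return self._pan_by_token[token]


class Device:
    """Consumer wallet (secure element or HCE): holds the token and its key."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self.key = token, key

    def pay(self, amount_cents: int) -> Dict[str, object]:
        nonce = secrets.token_hex(8)
        return {"token": self.token, "amount": amount_cents, "nonce": nonce,
                "cryptogram": cryptogram_for(self.key, self.token, amount_cents, nonce)}


class Issuer:
    """Issuing bank: receives the real card number from the network and authorizes."""

    def __init__(self, pan: str, available_cents: int) -> None:
        self.pan, self.available = pan, available_cents

    def authorize(self, pan: str, amount_cents: int) -> bool:
        if pan != self.pan or amount_cents > self.available:
            return False
        self.available -= amount_cents
        return True


def run_transaction(payment: Dict[str, object], merchant_log: List[dict],
                    acquirer_log: List[dict], network: TokenService,
                    issuer: Issuer) -> str:
    merchant_log.append(dict(payment))      # merchant forwards the token, never the PAN
    acquirer_log.append(dict(payment))      # acquirer likewise
    pan = network.verify_and_detokenize(payment["token"], payment["amount"],
                                        payment["nonce"], payment["cryptogram"])
    if pan is None:
        return "declined: verification failed"
    return "approved" if issuer.authorize(pan, payment["amount"]) else "declined: issuer"


def demo() -> Dict[str, object]:
    network = TokenService()
    token, key = network.provision(SAMPLE_PAN)
    device, issuer = Device(token, key), Issuer(SAMPLE_PAN, 100_00)
    merchant_log: List[dict] = []
    acquirer_log: List[dict] = []
    payment = device.pay(42_00)
    first = run_transaction(payment, merchant_log, acquirer_log, network, issuer)
    replay = run_transaction(payment, merchant_log, acquirer_log, network, issuer)
    tampered = dict(device.pay(10_00))
    tampered["amount"] = 1_00               # amount changed after the device signed it
    altered = run_transaction(tampered, merchant_log, acquirer_log, network, issuer)
    pan_leaked = any(SAMPLE_PAN in str(entry) for entry in merchant_log + acquirer_log)
    return {"first": first, "replay": replay, "altered": altered,
            "pan_leaked": pan_leaked, "issuer_balance": issuer.available}


if __name__ == "__main__":
    print(demo())
```

Running demo() approves the first payment, declines a replay of the same message and a copy whose amount was changed after the device produced the cryptogram, and shows that neither the merchant's nor the acquirer's log ever contained the PAN. In this model a token captured from a merchant is useless on its own, because the network will not detokenize it without a fresh, correctly keyed cryptogram; that is the property the slides' "Encryption, tokenization and biometrics are APP staples" point rests on.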

Page 22

Who Are You?

Page 23

COMPARING AUTH METHODS FOR HARDWARE AND USER

45 Auth Methods Mapped by Security, Friction, and Cost

[Scatter chart; labels recovered from the figure, a few adjacent labels may have been fused during extraction] Methods: Ctxt Key Crypto, SIMaaS, Smartcard / USB Key, OOB eMail, ID Pict, Custom OTP Token, Card/RFID, Signature, BioRetina, PIN/Swipe, Choose Image, BioHeart, Dev Geo, KBA preset, BioVoice, Bio3DFace, BioFP, SE/Token, MNO Acct, SMS Link, SMS OTP Up, Contextual DevID, Push Alert, BioFacial, Passive Voice, Social Validation, SiteNav, Codebook, UI Tracking, Password, Cache PW, KBA Real-time, Soft Token, Device FP, QR code 2 PC, OOB call, Push OTP, Soft OTP, Geo Proximity, OS TEE, SMS OTP, Contextual Auth, Net Geo, Dynamic Tag.

Axes: Security (Low Security to High Security); Friction (Zero User Effort, Passive / Frictionless to Friction, User Action Required); ID Cost: Free, Low (<$1/yr), High (>$1/yr), assumes 50 auths/year.

Hardware Auth Methods (26), User Auth Methods (19)

Page 24

ACTIVE VS PASSIVE BIOMETRICS

Active Biometrics
• Requires discrete user action
• Examples
  • Fingerprint
  • Facial (static, proof-of-life, 3D)
  • Cardio
  • Retina
  • Voice (scripted)
• Static validation
• Actual bio should stay local
• Perfect for perimeter auth where sensor is high quality + trusted
  • Border control

Passive Biometrics
• ‘Learned’ behavior
• Frictionless
• Examples
  • Geolocation
  • User Data Analytics
  • Voice (sampling)
  • User Interface (kinesiology)
    • Typing, mouse/pinch
    • Site navigation
• Scoring threshold

Page 25

CONTINUOUS CONTEXTUAL IDENTITY

Attributes (> 500 in total) – select examples and general rate of change (varies by user):

– User Added Personalization – Music Count, Calendar Count – volatile, behavior-based change rates
– User Behavior – Location, UI Gestures – user-defined repeating patterns
– User Secrets and Biometrics – PIN, Fingerprint – no change
– Apps & OS – App binary, Jailbroken – ISV and OS driven change
– Connections – Cellular, Wifi, Bluetooth – repeating, network related context
– Hardware – Serial #, IMEI # – no change

PII hashed at device to respect privacy

Data consistent across new & secondary user devices; defends against account takeover when adding a device

[Layer diagram] Device HW; Connections; Apps/OS; User Added Data; Behavior; Secrets + Bio; App – permission-based data used by app
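The table above groups context into categories with different expected rates of change, hashes PII on the device, and aims to keep a user's identity data consistent when a second device is added; the previous slide's passive biometrics end in a scoring threshold. The block below is an added example, not mSIGNIA's or the slides' own code; it implements that idea in Python as a weighted score over device-hashed attributes. The attribute names, the category weights, the 0.75 threshold, the per-user salt, and the choice to ignore hardware and connection attributes while a new device is being enrolled are all assumptions made for the example.

```python
import hashlib
from typing import Dict, Tuple

# Categories from the slide, with a few constructed attributes each (the slide
# counts more than 500). Weights, the device-bound set and the threshold are
# assumptions for this example, not values from the slides.
CATEGORY_OF = {
    "serial": "hardware", "imei": "hardware",
    "wifi_ssid": "connections", "bt_peers": "connections",
    "app_binary_sha": "apps_os", "jailbroken": "apps_os",
    "music_count": "user_added", "calendar_count": "user_added",
    "home_location": "behavior", "gesture_profile": "behavior",
    "pin": "secrets_bio", "fingerprint_id": "secrets_bio",
}
# Categories the slide marks "no change" weigh most; volatile ones least.
WEIGHTS = {"secrets_bio": 3.0, "hardware": 2.0, "apps_os": 1.5,
           "connections": 1.0, "behavior": 1.0, "user_added": 0.5}
DEVICE_BOUND = {"hardware", "connections"}   # legitimately differ on a new device
THRESHOLD = 0.75


def hash_snapshot(raw: Dict[str, str], user_salt: bytes) -> Dict[str, str]:
    """Hash each attribute on the device so the server only ever stores and
    compares digests, never raw values. The per-user salt is assumed to be
    provisioned at enrolment and shared by all of that user's devices, which
    is what keeps the digests comparable when a second device is added."""
    return {name: hashlib.sha256(user_salt + name.encode() + b"\x00" + value.encode()).hexdigest()
            for name, value in raw.items()}


def category_match(profile: Dict[str, str], snapshot: Dict[str, str]) -> Dict[str, float]:
    """Fraction of enrolled attributes, per category, that the new snapshot reproduces."""
    hits: Dict[str, int] = {}
    totals: Dict[str, int] = {}
    for name, digest in profile.items():
        cat = CATEGORY_OF[name]
        totals[cat] = totals.get(cat, 0) + 1
        if snapshot.get(name) == digest:
            hits[cat] = hits.get(cat, 0) + 1
    return {cat: hits.get(cat, 0) / n for cat, n in totals.items()}


def identity_score(profile: Dict[str, str], snapshot: Dict[str, str], new_device: bool) -> float:
    """Weighted match across categories; device-bound categories are skipped
    while a new device is being enrolled, so the user-centric data decides."""
    num = den = 0.0
    for cat, ratio in category_match(profile, snapshot).items():
        if new_device and cat in DEVICE_BOUND:
            continue
        num += WEIGHTS[cat] * ratio
        den += WEIGHTS[cat]
    return num / den if den else 0.0


def decide(profile: Dict[str, str], snapshot: Dict[str, str],
           new_device: bool = False) -> Tuple[float, bool]:
    score = identity_score(profile, snapshot, new_device)
    return score, score >= THRESHOLD


# Constructed enrolment data for one user.
USER_SALT = b"per-user-salt-provisioned-at-enrolment"
ENROLLED_RAW = {
    "serial": "SN-0001", "imei": "356938035643809",
    "wifi_ssid": "HomeNet", "bt_peers": "car,headset",
    "app_binary_sha": "a1b2c3", "jailbroken": "false",
    "music_count": "812", "calendar_count": "233",
    "home_location": "40.71,-74.00", "gesture_profile": "swipe-right-fast",
    "pin": "hashed-pin-ref-17", "fingerprint_id": "tpl-9",
}


def demo() -> Dict[str, Tuple[float, bool]]:
    profile = hash_snapshot(ENROLLED_RAW, USER_SALT)
    # Same device a week later: one Wi-Fi change and a new playlist.
    same = dict(ENROLLED_RAW, wifi_ssid="CafeNet", music_count="830")
    # The user's new phone: hardware and networks differ, everything else carries over.
    new_phone = dict(ENROLLED_RAW, serial="SN-0002", imei="490154203237518",
                     wifi_ssid="OfficeNet", bt_peers="headset2")
    # Takeover attempt: a device that knows the PIN but none of the user's context.
    takeover = dict(ENROLLED_RAW, serial="SN-9999", imei="000000000000000",
                    wifi_ssid="X", bt_peers="", jailbroken="true",
                    music_count="0", calendar_count="0",
                    home_location="51.50,-0.12", gesture_profile="tap-slow",
                    fingerprint_id="tpl-other")
    return {
        "same_device": decide(profile, hash_snapshot(same, USER_SALT)),
        "new_device": decide(profile, hash_snapshot(new_phone, USER_SALT), new_device=True),
        "takeover_attempt": decide(profile, hash_snapshot(takeover, USER_SALT), new_device=True),
    }


if __name__ == "__main__":
    for case, (score, ok) in demo().items():
        print(f"{case}: score={score:.3f} {'accept' if ok else 'step-up / reject'}")
```

The three cases in demo() show the behaviour the slide describes: ordinary drift on the same device (a new Wi-Fi network, a changed music count) stays well above the threshold because volatile categories carry little weight; a genuine new device passes on the strength of the user-added data, behavior, app state and secrets that carry over; and a device that has only the PIN scores below the threshold and is routed to step-up authentication. The server never sees a serial number, IMEI or location, only salted digests computed on the device.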

Page 26

So… Who’s Leading Mobile Payment Innovation?

Definitely My Prediction?

Apple, Google, MasterCard, EMVCo

Page 27

THANK YOU!

Robert Tibbs, Chairman and CEO, Forbes Digital Commerce – [email protected] – 415.244.2055

Andy Lorentz, Partner, Davis Wright Tremaine – [email protected] – 202.973.4232

Paul Miller, CEO, mSIGNIA – [email protected] – 310.945.7744