
An article relating to this blog post on Finextra:

ECB sets out draft mobile payments security recommendations

The European Central Bank has set out draft recommendations on mobile payments security, covering everything from customer authentication to data protection.


ECB moves to securing mobile payments

The ECB published its recommendations for the security of mobile payments last week. Although unrelated, this latest set of recommendations shows how governments and central banks (US Federal Reserve Banks recently announced a public consultation exercise on improving the future U.S. payment system, and the newly formed Financial Conduct Authority (FCA) has also just published an interim report exploring some early findings of a review into mobile banking services) see their role in shaping the new payments landscape.

When it comes to financial services (mobile or otherwise), consumers want convenience and trust. Mobile payments can deliver a strong value proposition here, so it is inevitable that such services are attracting the ECB’s attention. Mobile is clearly at the centre of a revolution that is happening. This is logical: we have an intelligent, sophisticated device that is with us 24x7, be it our smartphone or tablet, and we expect to be able to control our lives through this one device, for communication, commerce, banking, work, watching films, playing games and listening to music. The attitude of consumers to banking and payments is no different, and why should it be? The mobile device is set to become the dominant device to enable a paradigm shift in traditional business models, and the device to enable new business models and experiences.

I read the paper with interest even though I was uncertain as to what conclusions I should expect. I have to admit that I was pleased to see that the ECB shows a good grasp of the challenges and opportunities at hand. Analysts predict the number of payments using mobile devices could grow by 52.7% a year to reach 17bn in 2013 (source: World Payments Report 2012); this is to be added to predictions of up to $670bn of global mobile payments being made by 2015 (source: Juniper Research). The ECB is right: security is a major challenge in ensuring that the mobile payments sector realises its full potential. Gartner has predicted that the financial impact of cybercrime will grow 10% per year through to 2016. It’s a no-brainer: as payments evolve, cybercrime grows in size and sophistication. The correlation is clear.

The ECB recommendations point in the right direction: security procedures need to be integrated into the mobile payments architecture, by design, from the outset, which leads us to the $million question: “Whose responsibility is it anyway?”. As some of these transactions and capabilities can carry considerable risk, fraudsters will certainly focus their attention on the new way that we make payments and will be quick to capitalise on any inherent weaknesses, be it in processes, procedures, or methods. As the payments space moves mobile we need appropriate solutions, constructed from the ground up, for this new area; the FCA is right to engage early with the FS industry on that area. Many of the mobile-based offerings available today provide little application, i.e. end-user, functionality, possibly due to weak registration processes, whilst others require onerous registration processes that are more aligned with other, traditional banking channels. The solution, as is so often the case with electronic financial services, is implementing the right security architecture and recognising the needs of the consumer in the most demanding of all channels: the consumer interface channel. Such an approach needs to extend to the full lifecycle of the mobile banking app, not just the registration or enrolment function.

Criminals are very sophisticated these days, and organised crime will expose the weaknesses in the chain. It is no longer just down to the bank to bear the responsibility for securing transactions. Every step of the chain, holistically, needs to be secured, from the phone manufacturers, to the mobile network operators, the merchants, the acquirers, the payment processors, the schemes, and of course the consumers' bank. I believe that telcos could be at an advantage here. They can leverage their unique position as the mobile network operator, just as groups like ISIS in the US and in the UK, Project Oscar (the NFC consortium made up of Vodafone, O2/Telefonica, Everything Everywhere) have positioned themselves in the mobile payment space. Ultimately, they have the “last mile” in terms of the relationship with their subscriber.

Faced with the choice between catching the crooks and stopping the fraud, I am of the view that detection and prevention is of course the preferred outcome. Improving our capabilities before the fraud event, or as the event is occurring, is the ultimate result. Being able to determine the difference between a fraud event and a false positive is of course the ultimate weapon in the defence against crime, and the ultimate in terms of best-practice consumer protection and customer satisfaction. The key of course lies in the security architecture, built from the ground up to reflect the individual transaction needs of the new mobile payments landscape, providing the highest levels of security and privacy by combining invisible security layers, and low or no friction on the consumer side. Consumers will be quick to recognise the brand of trust that provides them with the assurance that their identity is assured, their transactions are secure and their interactions are intuitive – in short, the $billion brand of the future!



Pat Carroll

Founder/Executive Chairman



This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
