Payments: Tokenization Increases Large-Bank Leverage over Visa/MasterCard
Howard Mason
203.901.1635
October 2, 2013
- Yesterday, Visa, MasterCard, and Amex announced a proposed framework for “tokens” that replace account numbers for online and mobile transactions; the idea is that:
  - the merchant will request a one-time, randomly generated “token” number to authorize a transaction in place of using an account number.
  - the cardholder obtains the token from the cloud and provides it to the merchant either automatically (for NFC-enabled payments, for example) or manually, just as a PIN is used for some transactions today.
- The rationale for tokens is that they reduce fraud risk since there is no need for banks to disseminate account numbers or for consumers/merchants to store them. A less obvious consequence is that they increase bank control over transaction routing and hence leverage over Visa/MasterCard.
- The reason is that traditional card account numbers encode routing instructions (through the leading digit or “system number” in the case of Visa/MasterCard accounts); in a tokenized architecture, however, an issuer like Chase responds to a token request and can then (technically) settle a resulting transaction through its private processing network or ACH rather than routing it over Visa/MasterCard.
- Visa and MasterCard have nonetheless joined the tokenization project because of competition from ACH payments enabled by online providers such as PayPal and by store cards such as the Target debit card (now 6% of Target sales volume). It is likely that MCX will promote ACH funding and so increase the threat to Visa/MasterCard debit volume.
- Tokens blunt the threat of ACH by giving an approval role to the account-holding bank; indeed, through the rule-making body NACHA, the largest banks may altogether disable non-tokenized ACH access to consumer accounts by PayPal and other wallet-providers. More generally, the fees for non-tokenized ACH access to consumer accounts will likely be higher than those for tokenized access, whether via ACH or Visa/MasterCard debit.
- The proposed framework for tokenization includes fields for transaction data giving V/MA access to information that otherwise is available only to wallet-providers. These data are increasingly important as payment models shift from interchange-based to advertising-based.
Exhibit: Free Riding on ACH
Chris McWilton, MasterCard President of US Markets, March 2013
ACH is a riddle (see Exhibit 1). Banks bear the cost and ultimately the risk of the system, yet merchants and other non-banks (PayPal in the US is licensed under State Law as a “money-transmitter” but is not regulated as a bank) are using ACH to extend their online payment franchises to point-of-sale and so compete with banks on their core transaction account franchises.
Exhibit 1: Payment Flows in ACH System
To be sure, ACH-enabled payments do not provide merchants with the same level of settlement risk protection or consumers with the same level of fraud protection as bank debit cards. Visa and MasterCard have “zero liability” policies as a guarantee to retail consumers that they will not be held responsible for fraudulent transactions which they process (so that this policy does not extend to transactions processed over competing PIN debit networks or, presumably, transactions processed by Chase under the 10-year VisaNet license announced in July). Certainly, it does not apply to ACH-enabled “decoupled” debit products so that, for example, if your Target “Red” debit card is compromised you are at risk if you do not notify Target promptly after becoming aware of the fraud; Target’s policy seems fair (see Exhibit 2), but it is not zero-liability.
Exhibit 2: Target Policy on Unauthorized Transactions on Target Debit Card
You will tell us AT ONCE if you believe your Card, Card number, or PIN has been lost or stolen. Telephoning us is the best way of keeping your possible losses down. You could lose all the money in your Deposit Account (plus your maximum overdraft line of credit) that can be accessed by the Card. If you tell us within four business days after you learn of the loss or theft of your Card, Card number, or PIN you can lose no more than $50 if someone used your Card, Card number, or PIN without your permission. If you do NOT tell us within four business days after you learn of the loss or theft of your Card, Card number, or PIN, and we can prove that we could have stopped someone from using your Card, Card number, or PIN without your permission if you had told us, you could lose as much as $500. Also if your statement from the Depositary Bank shows EFTs that you did not make, you must tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you may not get back any money you lost after the 90 days if we can prove that we could have stopped someone from taking the money if you had told us in time. If a good reason (such as a long trip or hospital stay) kept you from telling us, we will extend the time period.
However, neither merchants nor consumers are letting the incremental risks prevent growth in “one off” ACH-enabled payments at point-of-sale (versus the recurring payments between known counterparties for which ACH was originally designed). In 2012, PayPal’s charge volume was near $150 billion and, while the firm does not disclose the funding mix from transactions between ACH and branded payment cards, the spread between the “take rate” of 3.72% in Q4 2012 and expenses of 1.03% (excluding fraud losses of 0.28%) suggests at least half are ACH-funded. Starbucks’ prepaid card accounts for 25% of legal tender in the US and Target debit cards accounted in Q3 2012 for 6% of spending versus 8% on Target credit cards (with the comparable figures for 2011 being 2.5% and 6.8% respectively).
Bank Response I: Staged Digital Wallet Operator Fee
When they use ACH to settle customer transactions, PayPal and Target are “third party senders” in the sense that they stand between the originating customer and his or her Originating Depository Financial Institution or ODFI. So, for example, Target has an agreement with an originating customer (through the card agreement by which the cardholder “authorizes us [Target] to initiate an electronic funds transfer for the full amount of the transaction and any related fees from your [Customer] designated deposit account”). From the bank standpoint, two problems with this set-up are:
- Transaction Data: The bank does not see any transaction detail other than the amount and, in particular, has no information on the end-merchant since the third-party sender is the merchant of record. Banks argue that this increases fraud risk and, in a world where the value-add is through integrating payments transaction information into a broader customer profile to support electronic couponing and other loyalty initiatives, it disadvantages them. Of course, walling off this transaction data is one of the key reasons retailers like Starbucks have become third-party senders and leveraging this transaction data is one of the key appeals of a third-party sender role to online players, such as PayPal and Google, of extending their online wallet franchises to physical point of sale.
- Routing Control: The third-party sender has the ability to influence how the payment is “routed”. For example, PayPal could move to providing financial incentives to customers to route payments through ACH rather than through routes, such as Visa and MasterCard credit cards, which generate bank rewards. While PayPal has not done this, it is an explicit objective of MCX to migrate payments away from bank reward schemes.
To partially address bank concerns, MasterCard introduced in June 2013 the “staged digital wallet operator fee” under which wallet-providers pay a premium fee for transactions funded by MasterCard credit cards unless they participate in a registration process requiring them to share transaction data more transparently. The word “staged” refers to the case where the wallet-provider is a third-party sender (i.e. the merchant-of-record); it does not apply to NFC-enabled wallet transactions where the payment flows are identical to a card transaction.
Bank Response II: Tokens
The staged digital wallet operator fee has not yet been replicated by Visa and, in any event, does not address the critical question of control over routing. The banks’ second response is to replace account numbers with “tokens” for online and mobile transactions.
The bank initiative, with a proposed framework for global standards announced yesterday by Visa, MasterCard, and American Express, is motivated by the idea that once standards are in place, merchants and wallet-providers can request a token in place of a customer’s account number; the customer obtains this randomly-generated one-time token from the issuing bank via the cloud and provides it for use in authorizing, settling, and clearing a single transaction. The advantage is that the customer’s account information does not need to be disclosed to, or stored by, the merchant and tokens can be shorter than account numbers making them easier for consumers to work with. Given merchants bear the fraud risk for card-not-present transactions including online transactions, the promise of tokens to reduce fraud has potential appeal to them.
A less obvious consequence of tokenization is that the issuing bank gains more control over routing. For example, if Chase receives a token request from an account-holder and provides a token, technically it can settle and clear the authorization over the private network it is creating as a result of the recently-announced licensing deal for VisaNet or over ACH (which is actively investing in a tokenization project and will presumably join the standards of the branded payment networks). From a business standpoint, this may not be consistent with Visa or MasterCard rules if the transaction is originated on one of their brands, and indeed may directly conflict with the “bin routing” protocols currently associated with 16-digit account numbers which include as a leading digit a “system number” to designate the payment network (with 4, for example, designating Visa – see Exhibit 2), but large issuers have a great deal of negotiating leverage.
Exhibit 2: 16-digit account numbers encode network routing through a leading “system” number
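The routing argument above can be made concrete with a short sketch, added here as an illustration and not taken from the proposed framework or from any network's code. The `IssuerTokenVault` class, the `tok_` token format, the binding of a token to an amount, and the rail names are all assumptions made for the example.

```python
import secrets

# Leading "system number" to network. 4 = Visa is from the text above;
# 5 = MasterCard is the standard assignment, added here for contrast.
SYSTEM_NUMBER = {"4": "Visa", "5": "MasterCard"}


def route_by_leading_digit(number: str) -> str:
    """Legacy routing: whoever holds the number can read the network off it."""
    return SYSTEM_NUMBER.get(number[:1], "unknown")


class IssuerTokenVault:
    """Hypothetical issuer-side vault mapping one-time tokens to accounts."""

    def __init__(self, preferred_rail: str):
        self._live = {}                    # token -> (account number, amount in cents)
        self.preferred_rail = preferred_rail

    def issue(self, account_number: str, amount_cents: int) -> str:
        # Assumed token format: random and opaque, so it encodes neither the
        # account number nor a network.
        token = "tok_" + secrets.token_hex(8)
        self._live[token] = (account_number, amount_cents)
        return token

    def redeem(self, token: str, amount_cents: int):
        """Resolve a token once, for the amount it was issued for.

        Returns (account_number, rail) or None. The rail is the issuer's choice.
        """
        entry = self._live.get(token)
        if entry is None or entry[1] != amount_cents:
            return None                    # unknown, already used, or wrong amount
        del self._live[token]              # one-time: a replay finds nothing
        return entry[0], self.preferred_rail


if __name__ == "__main__":
    pan = "4111111111111111"               # constructed sample account number
    vault = IssuerTokenVault(preferred_rail="issuer private network")
    token = vault.issue(pan, 2500)
    print(route_by_leading_digit(pan))     # network readable from the number
    print(route_by_leading_digit(token))   # nothing readable from the token
    print(vault.redeem(token, 2500))       # issuer resolves and picks the rail
    print(vault.redeem(token, 2500))       # replay is rejected
```

The merchant only ever holds the token, so both the account number and the routing decision stay with the issuer that resolves it.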
Why Visa/MasterCard Participate in Tokenization
Tokenization increases bank control over routing at the expense of Visa/MasterCard, and yet they are participating in the tokenization project. The reason is that the alternative is to face increasing competition from ACH-enabled payments from online wallet-providers, such as PayPal, moving into point-of-sale and from merchants in general and MCX in particular. MCX is likely to follow Target’s precedent of decoupled debit, where a customer is issued with a debit card that is pre-linked to a DDA account with the customer providing account information through a voided check.
Tokenization provides banks with a range of responses that will reduce the potential threat of ACH to Visa/MasterCard. The most aggressive response is for the largest banks to disable ACH-enabled access by third-party senders for non-tokenized payments on the grounds that the dissemination of DDA account information creates fraud risk. This would then put merchants and MCX in the position of requiring tokens from banks (or, for banks that do not wish to issue tokens, from The Clearing House which runs ACH), and the terms on which these tokens are issued would be a matter for bilateral negotiation between a large issuer and a large merchant. These bilateral negotiations are part of a broader trend in payments, with Jamie Dimon commenting in February on Chase’s plans for a private processing network: “it allows us to go to merchants and strike our own [deals]”.
At the same time that this reduces the appeal of ACH-enabled payments to merchants, Visa/MasterCard can reduce the rates on tokenized branded payments on the grounds of lower fraud costs. Non-tokenized branded payments (such as when a QR-coded MCX transaction is funded by ACH) would likely attract higher rates on the grounds of higher fraud risk (just as card-not-present transactions presently attract higher rates than card-present transactions because of differential fraud risk).
- Technically, the account-holder is liable if there is a fraudulent ACH transaction on their account but, in practice, reputation risk would probably drive the receiving depository institution or RDFI to make the customer whole.