The Disruptive Role of ACH in US Card Payments and Impact of Tokenization on Network Pricing

ginna
Print Friendly
Share on LinkedIn0Tweet about this on Twitter0Share on Facebook0

SEE LAST PAGE OF THIS REPORT Howard Mason

FOR IMPORTANT DISCLOSURES 203.901.1635

hmason@ssrllc.com

June 30, 2014

The Disruptive Role of ACH in US Card Payments and Impact of Tokenization on Network Pricing

  • The ACH network provides low-cost access to consumer DDA accounts and is increasingly being used by online payments franchises, such as PayPal, and retailers such as TGT as an alternative to Visa and MasterCard for debit transactions. Along with internet-originated transactions more broadly (which now account for $1.5tn of ACH volumes vs. $4.5tn of card purchase volume both on- and offline), these new payment products are important growth areas for the ACH network and are offsetting the impact of declining check volumes.
  • Specifically, internet and merchant-card ACH volumes grew 10% and 50% respectively (albeit in the second case from a low base) offsetting the 8% decline in check-related volumes (see Exhibit below). We expect merchant-card volumes to grow substantially as MCX rolls out its payment product in 2015 as detailed in our December 8th note titled: “The MCX Opportunity for PayNet”.
  • We view MCX as a critical response by merchants to bank success, since the Durbin cap on debit interchange was introduced in October 2011, in shifting payments to products, such as credit and prepaid cards, with unregulated interchange and hence high cost to merchants.
  • Bank participants in the ACH network face a dilemma. On the one hand, they want to improve ACH capabilities to respond to regulatory pressure for a broader, more secure, and faster payments system in the US and to offer better services, particularly in P2P payments, to consumers; on the other, they do not want to further enable ACH-enabled debit which has weak bank economics. The large banks (JPM, BAC, and WFC) found a partial resolution by forming their own P2P network, clearXchange, in April 2011; and then, in August 2012, voting against a proposal for same-day ACH settlement.
  • COF bought into clearXchange in Feb 2014 and other banks are now left with the choice for their P2P franchises of working with clearXchange (which is dominated by large competitors) or with the ACH network (which risks under-investment as large banks focus on clearXchange).
  • Banks, through the Clearing House, also responded to the dilemma by announcing in March 2013 plans for tokenization standards. These can improve security for IP-connected payment devices (such as desktops, chip cards, and mobile ‘phones) by replacing the primary account number or PAN statically embossed on the front of most plastic cards with a proxy or “token” that can be dynamically changed from one transaction to another; the security advantage is that, if there is evidence of fraud, the token can be disabled rendering any the stolen information without the cost, delay, and consumer inconvenience of re-issuing a card. A commercial advantage of tokenization is that, based on security arguments, banks may be able to restrict non-tokenized ACH-access by third-party senders[1] such as Target and PayPal, and then charge them for tokenized access.
  • The networks responded in October 2013 by announcing a tokenization initiative of their own to improve security on card payments and manage a potential shift in the balance of power between issuers and networks. Specifically, networks may lose pricing power precisely because tokens can be dynamically adjusted without the need to re-issue a card so that, in effect, networks are competing for issuer business transaction-by-transaction rather than portfolio-by-portfolio as in the past.
  • Traditionally, issuers have made an up-front choice of network for a card portfolio and then faced high switching costs because of the need to reissue cards to change network allegiance; as a result, networks have offered issuers up-front incentive payments and then enjoyed pricing power. However, tokens change this arrangement because the network information (along with that of the bank, cardholder, and merchant) is dynamically encoded into the token, and can be changed from one token to another (and hence one transaction to another) at zero cost.
  • In competing for transactions, the networks have some protection from their branded acceptance infrastructure. Indeed, Visa has argued that if a transaction is originated on a Visa-branded card it must be processed over the Visa network and, in 2002, sued First Data to prevent transactions originated on Visa-branded plastic from being processed over First Data Net. However, in a watershed event for the US card industry, Visa conceded this principle in February 2013 by allowing JPM to process transactions originated on cards carrying the Visa brand to be processed on its proprietary ChaseNet infrastructure. As tokenization is implemented, we expect other large banks to push the networks aggressively for more control over routing choices even if they do not choose to build out a proprietary settlement infrastructure as Chase has done.
  • Greater control over routing will catalyze exploration by banks of alternative to Visa and MasterCard including: direct BIN routing (where a transaction is routed directly from the acquiring processor to the issuing bank by-passing the network altogether); the ACH network assuming same-day, if not real-time, settlement is implemented as large banks look to manage regulatory risk; the extension of clearXchange from P2P to POS; routing platforms leveraging the access to DDA accounts provided by the EFT networks such as NYCE, STAR, and PULSE and infrastructure providers such as FIS and FISV; and, possibly, IP-enabled networks.
  • This will put Visa and MasterCard in a prisoner’s dilemma. If they refuse bank demands for greater routing control, they risk losing business as MasterCard did with a Chase commercial portfolio when Visa agreed to ChaseNet terms; and if they accede, they weaken the duopoly structure of the industry. Furthermore, having substantially closed the acceptance gap in the US with Visa, Discover has shown in its deal with PayPal that it is willing (if not yet fully able given contractual arrangements with third-party acquiring processors) to provide access to the acceptance infrastructure even if it does not process the transactions.

Exhibit: Declining Check Volumes and Rising Internet Volumes on the ACH Network

Large Banks are Shifting Spend to Payment Products with Unregulated Interchange

Debit arrangements in the US are not sustainable. While consumers have the convenience of a card-swipe (either authenticated by a signature like a credit card or a PIN like an ATM card[2]), the back-end infrastructure is insecure and the Durbin-cap on debit interchange[3] has taken the economics out of the business. Based on Fed data, Durbin-regulated banks (so those with more than $10bn in assets) lose about a nickel for each signature-authenticated debit transaction and make about a nickel on each PIN-authenticated transaction; this compares with unregulated and pre-Durbin profit of about 30 cents on each signature-debit transaction.

As a result of the reduction in card “swipe” profits and tighter regulation of insufficient fund fees, the two key drivers of bank revenue for low-balance customers, some 40% of US checking accounts are breakeven or unprofitable. Banks have responded by looking to introduce consumer fees (although with caution after the consumer backlash in late 2011 after BAC attempted to lead the industry by suggesting a $5 monthly debit card fee for those customers that did not maintain a balance above $5,000 or directly deposit their paychecks) and using rewards to influence consumers towards payment products that are not covered by the Durbin interchange cap including:

  • Credit cards (so that the spend velocity, which is the ratio of card spending to outstanding loans, has increased dramatically – see Exhibit 1); and
  • Prepaid cards, such as Chase Liquid, which are not covered by the Durbin interchange cap. There is an important regulatory nuance in that if a prepaid account offers non-card access to funds (such as online bill-pay) then it is subject to the Durbin interchange-cap except in the case of three-party networks such as AXP and DFS which are entirely carved-out from Durbin. These networks therefore have a regulatory advantage and are offering card-based prepaid and debit products, with online bill-pay features, at a cost to consumers that is subsidized by unregulated interchange; examples are Serve from AXP (branded as Bluebird through the WMT channel), and cashback checking from DFS.

Exhibit 1: Banks are Shifting Consumer Spending to Credit Cards

Merchants Have Responded by Developing Retailer-Sponsored Payment Products

Merchants have long been concerned at the model where interchange drives the payment system (so that they fund rewards which the customer associates with a bank brand) and looked for ways, through store cards for example, to influence consumers away from bank reward programs. These concerns have intensified with the tender-shift from interchange-regulated debit to unregulated credit and the prospect that banks will accelerate it by reserving the mobile channel for credit cards; card acceptance costs already run at over $70bn annually with the average rate on Visa/MasterCard credit cards being ~2.2% of purchase volume versus less than 0.8% on debit cards (see Exhibit 2).

An additional incentive for retailer action is the sense that payments will become increasingly integrated with commerce as the transaction data generated in the payments process can be used to support data-enabled marketing programs from mobile wallet providers and other advertisers to target high-value customers and increase share of trade-spend from the CPGs. Taken together, the trends in card acceptance cost and concerns about the control and protection of payments data have motivated merchants to explore develop their own payments products. The Target RED cards are a leading example now accounting for over 20% tender-share at Target stores in the US, and with debit growing particularly fast even through the security-scare of last November as TGT announced that hackers had breached its point-of-sale system and accessed sensitive card data (see Exhibit 3).

Exhibit 2: US Card Merchant Fees in 2013 – $bn

Source: Nilson 1041

Exhibit 3: Tender-Share of Target Store-Branded “RED” Debit and Credit Cards

Source: Company filings

Beyond avoiding the acceptance costs associated with Visa- and MasterCard-branded products and providing greater control of transaction data, TGT reports incremental sales from consumer use of its store cards: “our internal analysis has indicated that a meaningful portion of the incremental purchases on REDcards are also incremental sales for Target, with the remainder representing a shift in tender type” and a commitment to “re-accelerate REDcard growth” after the breach-related deceleration in 2014Q1. The Target RED debit cards, and other debit cards sponsored by retailer-members of the Merchant Payments Consortium MCX, access consumer demand-deposit or “DDA” accounts through the ACH system rather than through the Visa/MasterCard systems.

Online payments franchises, such as PayPal and Google Wallet, also use the ACH network to access DDA accounts. The ACH network itself is operated by the Fed and a consortium of banks through two entities: NACHA which sets operating rules; and The Clearing House or TCH responsible for transaction processing. Only banks may participate directly in the network either as an originating depositary financial institution (“ODFI”) or a receiving depositary financial institution (“RDFI”), but third-parties can gain access through them. Hence, for example, PayPal is a “third-party sender” or TPS with ACH access via WFC (see Exhibit 4).

Exhibit 4: Third-Party Senders on the ACH Network (using example of PayPal)

Source: http://blog.starpointllp.com/blog/?p=2295

In 2013, the ACH network handled $39bn of payments volume, up ~5% from 2012, of which approximately one-third was consumer related. The main consumer-related uses are direct deposit of payroll checks and direct payments including preauthorized payments (e.g. club memberships) and recurring bill payments (e.g. utilities) and the conversion of checks to electronic instruments (although this volume is declining with check usage). Internet-related payments, including online bill-pay and PayPal payments (when funded by a consumer DDA, rather than credit, account) are substantial at $1.5tn (vs. $4.5tn of payments volume on V and MA) and growing at an annual rate of over 10%. While still small at $10bn, and largely driven by Target, the fastest-growing category of consumer-related ACH-use is retailer-sponsored cards (see Exhibit 5).

Exhibit 5: The Changing Profile of ACH Transactions

Source: Nilson, 1042. Other includes pre-authorized payments (e.g. club memberships) and recurring bill payments

This growth in retailer-sponsored cards, together with the prospect of online services such as PayPal extending their franchises from e-commerce to point-of-sale, has led bank and network executives to complain that, in using the ACH infrastructure, third-party senders “ride for free on the back of other business models”. As President of MasterCard US markets, Chris McWilton went on to comment in February 2013 that: “they [PayPal and other digital wallets] have got to be cautious they don’t get too big and start making people wake up and say wait a minute I’m actually losing business here because of your moving into the physical space”. Indeed, pay-with-Chase (which is enabled by the ChaseNet infrastructure announced the same month) will compete with PayPal for e-commerce business.

The Conflicting Bank Objectives for ACH Governance

Large banks have three core objectives for the ACH network:

  1. To improve security and, in particular, limit the dissemination of DDA credentials such as routing and account numbers. The challenge for bank members of ACH is that, in practice, they bear the costs and risks of the infrastructure (including the fraud risk on DDA withdrawals and know-your-customer or KYC risk for ODFIs) even in cases where third-party senders, such as PayPal, are “riding the rails”; these risks increase as third-party senders store customer DDA routing and account numbers, and could step-up meaningfully if MCX achieves the same consumer adoption of its cards as Target. These risks can be worthwhile if the bank owns the consumer relationship, and the transaction data flows that typically go with it; but are less compelling if a third-party sender (whether PayPal or a retailer) owns the customer relationship and does not pass on the transaction data. Indeed, in April 2013, MasterCard introduced the staged-digital wallet operator (SDWO) fee, estimated at ~30 basis points, on POS transactions where a digital wallet operator, such as PayPal, does not pass details of the ultimate beneficiary along with the payment instructions but rather acts itself as the merchant-of-record.
  2. To control the use of the ACH by third-party senders particularly those, such as PayPal and likely the MCX consortium, sponsoring payment products that compete with bank-sponsored cards. In particular, large banks have not been pro-active about upgrading ACH settlement speeds and, indeed, in August 2012 voted against a proposal for the ACH system to accommodate same-day settlement on transactions submitted before 2pm EST.
  3. To manage the risk of regulatory intervention (as occurred in the UK and led to the Faster Payments Service or FPS) particularly as regulators push for US payments systems to have broader reach and faster processing with the Fed, for example, using a September 2013 public consultation paper[4] to articulate the following “over-arching problem statement for the US payment system”:

End users of payment services are increasingly demanding real-time transactional and informational features with global commerce capabilities. Legacy payment systems provide a solid foundation for payment services; however, some of these systems (e.g., check and ACH) rely on paper-based and/or batch processes, which are not universally fast or efficient from an end-users perspective by today’s standards. The challenge for the industry is to provide a payment system for the future that combines the valued attributes of legacy payment methods – convenience, safety, and universal reach at low cost to the end user – with new technology that enables faster processing, enhanced convenience, and the extraction and use of valuable information that accompanies payments.

These objectives can come into conflict most obviously around settlement speeds for the ACH network where the large banks are looking to respond to regulatory demands for faster-processing while not upgrading the capabilities of ACH-enabled payment products from competitors. For example, for a third-party sender (whether a retailer or online franchise such as PayPal), a key drawback of the ACH system is the settlement risk. The third-party sender cannot verify funds availability in real-time at the time of the transaction and, even if this were possible, funds could be removed during the three-day settlement period; in short, for a third-party sender, the settlement risk on an ACH-enabled payment is the same as that on a paper check.

Furthermore, governance of the ACH network is also generating conflict between large banks and small banks. Increasingly, the ACH network is being used, both by bank members and third-party senders, to enable person-to-person (P2P) payments, and last March new NACHA rules went into effect to clarify the P2P protocol including designating a code for P2P transactions (the WEB credit code[5]) which, until then, had been designated using either direct-deposit or bill-pay codes (making it difficult to track P2P volumes). However, as with all ACH-enabled transactions, ACH-enabled P2P payments are subject to a 3-day settlement delay.

The large banks want more flexibility, and the opportunity to provide a differentiated service from smaller banks, and so have formed a separate P2P network referred to as clearXchange announced in May 2011. The founding members are JPM, WFC, and BAC although COF joined in February 2014. clearXchange is open to any bank but is now jointly and equally owned by these four large institutions and provides them with a platform to offer faster P2P payments processing (at least where both sender and recipient banks are clearXchange participants[6]) without the adverse competitive effects of upgrading ACH. For the time being, however, clearXchange payments do not settle more quickly than ACH payments.

Tokenization and Security

The commercial conflicts between banks and third-party senders, as well as between large and small banks, are having an important impact decision-making around not only around ACH settlement speeds but also around improving the security of payments transactions whether or not ACH-enabled through tokenization. Tokenization works by using a proxy or “token” for transaction authorization rather than the primary account number or “PAN”. The advantage, for IP-connected payment devices such as chip cards and phones, is that the token can be issued at the time of the authorization request and changed rather than being embossed statically on the front of a card like the PAN; in particular, tokens can be disabled after each use, terminated if a card is reported lost or stolen or if there is evidence of fraud, and restricted to a particular merchant or context (e.g. point-of-sale only).

Given concerns about the dissemination of DDA account numbers in part to enable payment products such as those sponsored by Target and PayPal, the Clearing House announced plans in March 2013 for tokenization standards for the ACH network. This was followed quickly by an October announcement around tokenization standards made jointly by Visa, MasterCard and American Express; this, in effect, trumped the ACH announcement since it will not make sense to have competing standards. Before looking at the underlying commercial issues, we review the security context.

The traditional security model in the card business is that issuers bear the fraud risk for the “card-present” transactions which occur when a consumer swipes a card at point-of-sale while the merchant bears the fraud risk for the “card-not-present” transactions which occur online; the reasoning is that banks should not bear the fraud risk if the merchant cannot authenticate the cardholder in-person. The large banks have sophisticated fraud risk-management systems to create the right balance for card-present transactions between denying fraudulent efforts while avoiding as far as possible the “false positive” denial of a valid transaction (embarrassing a legitimate cardholder and potentially costing the merchant a lost sale). Smaller banks leverage network-level fraud risks management (embedded, for example, into Visa’s debit processing service, DPS). Large e-commerce merchants also have sophisticated fraud risk-management systems and, indeed, PayPal nearly foundered in its early years until it established workable fraud protection.

The shift to mobile muddies the waters between card-present and card-not-present particularly in cloud-enabled solutions where card credentials are not stored on the device. A simplistic approach of defining point-of-sale transactions as “device-present” and e-commerce transactions as “device-not-present” does not take account of potentially different levels of security provided by the mobile device. There is an alternative framing around whether the ‘phone is effectively an extension of a desktop screen (in which case the transaction is card-not-present) or a substitute for physical plastic (in which case the transaction is card-present). In practice, however, Visa sets the standards and has established that EMV-compliant mobile transactions are card-present, while all others are not. This creates some paradoxes:

  • Visa has approved mobile transactions using Android host-card-emulation technology as card-present (even though the card credentials are called down from the cloud).
  • For now, mobile transactions in accordance with Apple’s recent patent – where card credentials are stored on a secure element embedded in the ‘phone, masked by an alias, and supported by a finger-print risk-score for cardholder authentication – would be treated as card-not-present.

The bald fact is that the security agenda for card payments has become entwined with the commercial agenda. Visa supports host card emulation from a security standpoint because it preserves the status quo and, in particular, existing network influence over the payments system; the ‘phone truly does stand-in for, or “emulate”, a physical card. Visa is not supportive of Apple’s proposal to use Bluetooth wireless to communicate card credentials not because it is less secure than NFC-enabled EMV transactions but because it has the potential to undermine network control over the point-of-sale. The details are our May 30th note “Apple vs. Banks in Mobile Payments: Update”.

Tokenization, Routing, and Network Brand

The confusion last year over who will set tokenization standards – whether the banks acting through the Clearing House or the network consortium – conceals a deeper conflict over the routing control for card-based transactions. This in turn arises because of an important difference in the authorization protocol for ACH-based transactions and network-branded transactions (whether Visa, MasterCard, Amex, or Discover). An ACH-based transaction is authorized against a DDA routing and account number issued by the bank owning the account; a typical card transaction is authorized against a primary account number or “PAN” issued by the network whose brand appears on the card; in particular, the PAN for a debit card is not the DDA account number.

If the Clearing House were to set tokenization standards, then the ACH-based authorization protocol could likely prevail with transactions being authorized against tokens issued by banks (or, for smaller banks, the Clearing House). If the network-brands set tokenization standards, then the current card-based protocol would more likely prevail with transactions being authorized against tokens issued by networks at least for smaller banks. In either case, however, large banks are likely to argue that since they bear the fraud risk they want control of tokens so as to be able to integrate de-activation into their fraud risk management systems.

We expect the large banks to win this argument and assume responsible for issuing tokens against which transactions are authorized – whether for ACH-based or card-based transactions – and maintaining the “token directory” mapping tokens to the number of the funding account whether a DDA account (for a debit card payment) or pre-approved line of credit (for a credit card payment). This is different from the current architecture where networks issue the PAN against which transactions are authorized, and may have important implications for routing versus the current system.

In the current system, a bank issuer effectively makes a near one-time choice of network brand for a particular portfolio customer. If, say, Visa is chosen then the bank issues cards carrying the Visa brand, Visa provides a PAN for each customer which is embossed on the front of the card (encoding the network, the bank identification number, and information about the customer identity), and all signature-authenticated transactions route to the Visa network. As it well-known, this monopolization of the card does not extend to PIN-authenticated transactions because the network-exclusivity provisions of Durbin, which went into effect in April 2012, in effect require that cards carrying the Visa or MasterCard brand for signature-authenticated transactions had to represent an independent network for PIN-authenticated transactions[7].

However, only one network brand need be represented for any given authentication type (whether PIN or signature) so long as two independent network brands are represented on the card including, for example, one for PIN-authenticated transactions and one for signature-authenticated transactions. This monopolization of the card gives networks pricing power with issuers; having selected a network brand and issued cards, the issuer faces meaningful switching costs because of the costs, both financial and in terms of possible customer inconvenience and resistance, of reissuing cards with a different brand. Bank-controlled tokenization will shift this balance of power.

Like a PAN, a token will encode information about the network, bank, and cardholder (and, unlike a PAN, likely also encode information about the merchant); unlike a PAN, however, a token can be changed from transaction-to-transaction while a bank can change the PAN only by re-issuing a card (and incurring the associated costs and risks of customer resistance). In short, tokenization – if banks control the token directory – reduces to near-zero the switching costs between network brands and will fundamentally change the negotiation between issuers and networks; in particular, networks cannot expect to buy monopoly real-estate on the card face by making large up-front incentive payments to issuers.

Networks, of course, will argue that a card carrying a Visa brand is leveraging the Visa acceptance infrastructure and seek to require that therefore all transactions be routed through the Visa network. It is one thing, however, to make this argument and quite another to be able to enforce it through control of the authorization instrument. Furthermore, the traditional single-routing model where, if a Visa-branded card was presented at a Visa-accepting merchant, the transaction routed through Visa is already breaking down. For example, we have:

  • Cross-network products such as: the Google Wallet which uses the MasterCard acceptance infrastructure but can be funded with a Visa card; the Visa wallet which uses the Visa acceptance infrastructure but can be funded with a MasterCard; Serve which uses the Amex acceptance infrastructure but can be funded with either a Visa or MasterCard card; and PayPal which will use the Discover acceptance infrastructure but can be funded with other network branded cards of via ACH.
  • ChaseNet which uses the Visa acceptance infrastructure but allows for transactions to be processed over JPM’s proprietary infrastructure; this amount to ON-US routing where Chase is both issuer and acquirer but ChaseNet could evolve into a network if, for example, Chase were to make settlement arrangements with say WFC, perhaps through clearXchange, for card-based transactions acquired by Chase merchant-clients on WFC-issued cards.

We expect tokenization to further erode the single-routing model, and hence increase pressure on network fees.

  1. Third-party senders are firms, such as Target and PayPal, that have permission from end-customers to use the ACH network to access their DDA’s but are not ACH members and so must be represented on the system by a third-party bank which is. For example, PayPal is represented on the ACH system by WFC.
  2. Signature-authenticated transactions are settled over the Visa and MasterCard networks; PIN-authenticated transactions are settled over “electronic funds transfer” or EFT networks which also settle ATM transactions where the bank owning the ATM terminal is not the same as the bank issuing the card. The largest EFT networks are STAR owned by First Data, PULSE owned by Discover, NYCE owned by FIS, and INTERLINK owned by Visa.
  3. Interchange is the fee paid to the issuer when a merchant accepts a payment card from a consumer; technically, it is paid by the “acquiring bank” representing the merchant on the payment network but is almost always passed-through to the merchant.
  4. http://fedpaymentsimprovement.org/wp-content/uploads/2013/09/Payment_System_Improvement-Public_Consultation_Paper.pdf
  5. http://digitaltransactions.net/news/story/3655
  6. Only customers of banks participating in clearXchange can send payments which, like most P2P payments, identify the recipient using a mobile phone number or e-mail address; however, the recipient’s bank does not need to be a participant provided the recipient registers their account on the clearXchange web-site.
  7. In addition, some PIN-authenticated transactions are routed directly from acquiring processor to issuing bank, by-passing the network altogether, based on the bank identification number or BIN encoded in the PAN. This is known as BIN routing and requires the consent of the network.
Print Friendly