Towards an Open Banking API Standard


Disclaimer: I am a member of the Open Banking Working Group (OBWG) and was involved in drafting the OBWG report. However, the thoughts and opinions presented here are strictly my own.

The OBWG’s report was published yesterday with the somewhat misleading title The Open Banking Standard. We’re a long way from a standard but this report is a significant step along that path. Its purpose is to lay out a roadmap for defining an Open Banking API standard that can achieve widespread adoption, and to put forward some strawman proposals, intended to generate discussion of their merits and weaknesses, with the objective of generating new and better proposals.

The OBWG’s work follows on from the Fingleton report, which looked at the potential benefits of banking APIs and open data, and HM Treasury’s public consultation on data sharing and open data in banking.

The OBWG was convened with three core objectives:

  • Deliver a framework for the design of an open API standard in UK banking focussing on personal and business current accounts;
  • Evaluate how increased levels of open data in banking can benefit consumers, businesses and society; and
  • Publish recommendations in a paper by end of 2015 outlining how an open API standard can be designed, delivered and administered, alongside a timetable and implementation roadmap for achieving this

It’s important to note that this initiative is separate from – and has a wider scope than – PSD2. However, I would predict with a high degree of confidence that the functionality required to fulfil PSD2’s requirements will form part of the Open Banking API Standard, and I would not be surprised if the UK implements PSD2 by mandating compliance with the Open Banking API Standard.

One of the key challenges in coming up with such a standard is to figure out how banking APIs can be opened up to third parties while ensuring that consumers are adequately protected against fraud and banks aren’t unreasonably held liable for third parties’ failings. Currently, banks control the technology channels that their customers use to access their accounts electronically. Online banking is through the bank’s own website; mobile banking is through the bank’s own app. Liability for any losses rests with either the bank (if their security proves inadequate) or the customer (if they fail to take the necessary security precautions). Opening up banking APIs and granting access to third parties complicates that picture and banks are understandably wary.

The proposals presented in the report comprise a combination of provisions (including an OAuth-based authentication and authorisation model, and vetting and licensing of third parties) that represent a compromise somewhere between completely open access that would allow even hobbyist programmers to create apps that connect to banks’ APIs, and an overly restrictive regime with requirements or costs that are too onerous for fintech innovators and startups. One aspect that I’m a particular fan of is the idea that API functionality should be permissioned atomically, and that the security standards to which the third party will be held and the scrutiny to which they will be subjected should be commensurate to the level of access they wish to obtain. For example, a startup wishing to offer a personal financial management solution, which requires “read-only” access to accounts, would be subject to less onerous requirements than a company seeking access to instruct payments from their customers’ accounts.

I’m keen to see people’s reactions to the report and, to that end, I’m setting up a mailing list for discussion of the report and future developments in this place. Contact me if you’re interested in taking part.

Fundamentally, I believe that the UK fintech sector will benefit hugely if we can make rapid progress towards an Open Banking API standard, and I believe that there’s an opportunity for the UK to take a leadership role, in the same way that it did in information security standards, with the adoption of BS7799 as ISO27001.

It’s entirely possible that neither the banks nor fintech innovators will be entirely happy with the report’s proposals. If so, then I think we’ve done a good job. Personally, I think it’s a significant step forward and I hope to remain involved at the next stage of establishing an implementation entity to take the concept forward.

Written by jackgavigan

February 10, 2016 at 5:28 pm

How well-advised was the Government when it drafted the Investigatory Powers Bill?


The Telegraph today published a piece titled “Why is Silicon Valley helping the tech-savvy jihadists?”, which essentially suggests that, in the war on terror, “the enemy is being aided by Western tech companies” who, in the pursuit of profit, “have calculated that they build user numbers by inflaming fears of violations of privacy and offering more secrecy than anyone else.”

It’s an inflammatory piece, penned by Clare Foges, a former special advisor at 10 Downing Street, and speechwriter to David Cameron during the Coalition government. Unfortunately, while she can clearly string a sentence together better than most of us, she clearly lacks any knowledge or understanding of cryptography. She appears to be under the impression that, if tech companies simply put their minds to it, they could come up with a solution that would protect the “good guys'” communications while simultaneously permitting the intelligence services to snoop on the “bad guys”.

The global tech industry made around $3.7 trillion last year. They employ some of the brightest people on the planet. Apple et al could, if they wanted, employ a fraction of these resources to work out how we can simultaneously keep the good guys’ data secure and keep the bad guys in plain sight.

Unfortunately, encryption doesn’t work like that. Clare even quotes Apple CEO Tim Cook’s explanation that “If you put a key under the mat for the cops, a burglar can find it, too.” but she clearly believes that, with her degrees in English and Poetry, she knows better than the CEO of the largest and most successful technology company in the world, not to mention the world’s top cryptographers, computer scientists and security specialists.


Since resigning her role as speechwriter to David Cameron, Clare Foges has published a children’s book called ‘Kitchen Disco’

Clare is, of course, entitled to her opinion, however misinformed it may be, but it’s worth exploring how she formed that opinion. Her tenure at Downing Street included the abortive attempt to introduce the Draft Communications Data Bill (aka the Snoopers’ Charter) and she presumably helped draft speeches given by David Cameron in support of powers such as those now proposed as part of the Investigatory Powers Bill. It’s not unreasonable to assume that she was exposed to the policy-making process that produced those bills.

Good policy results from debate informed by facts and evidence, but Clare’s misconceptions about cryptography and tech firms’ motivations raise the question of whether the policy-making process which informed her opinion, and produced the Investigatory Powers Bill, was properly informed.

No doubt the government sought advice and guidance from GCHQ, which employs some of the UK’s top cryptography and security talent. However, they’re hardly impartial in this particular debate. Their job is to snoop, not to champion privacy. If the government is prepared to make their jobs easier, they’re hardly going to object. It’s difficult to imagine that an expert from GCHQ would make much of an effort to highlight the downsides of mandating that tech companies be required to insert backdoors at the government’s behest.

But I’d like to think that the policy-making process would ensure the presence of someone who would do so, who would provide the counter-argument, present the competing hypotheses, act as the Devil’s Advocate.

The question is, who fulfilled that role? Did anyone? Or was the Investigatory Powers Bill the result of policy-making in an echo chamber?

I fear the latter. The Investigatory Powers Bill represents bad policy, built on misconceptions like Clare’s assumption that solving the “key under the mat” problem is simply a matter of putting one’s mind to it.  Any advantage it will give the intelligence and security services pales into insignificance compared to the damage it will do, both to our right to privacy, and the UK economy, which could be impacted to the tune of billions of pounds if, as seems likely, cyber security companies avoid setting up shop in the UK for fear of being forced to backdoor their own products.

The government shouldn’t just take the Investigatory Powers Bill back to the drawing board. It should also review the policy-making process that produced it.

Written by jackgavigan

November 23, 2015 at 12:36 pm

Is Groupon on a Glide Path to Bankruptcy?


Last night, Groupon released its earnings for the quarter ending 30th September 2015. Revenue was below expectations, and flat compared with the same period last year. The company issued revenue guidance for Q4 of $815-865m, which would be a drop on the same period last year ($883m), suggesting that growth has stalled. The share price dropped by 25% in after-market trading.

There’s more bad news buried in the balance sheet numbers. Groupon benefits from a negative working capital model, where it receives gross revenue 60 days before it has to pay its suppliers. During the year before its IPO, Groupon’s current liabilities exceeded its current assets by hundreds of millions of dollars, which meant that it was reliant on continued growth to remain solvent.

The money it raised from the IPO eliminated that deficit but the situation deteriorated sharply during the past quarter – net current assets (i.e. current assets less current liabilities) plunged from over $300m to just $87,000.

Part of the decline is attributable to a share repurchase program – the company spent $192.9m repurchasing shares (which seems ill-advised with hindsight, given that it paid an average of $4.36 for shares that are currently trading at $3.09).

If revenue growth has indeed stalled, and the decline in net current assets continues into negative territory, Groupon could once again find itself at risk of the loss-of-confidence scenario I described four years ago:

…the question that merchants should be asking themselves is this: Will Groupon be able to pay me what they owe me in 60 days’ time?

If a merchant ever thinks that the answer to that question might be “No.”, they’ll opt not to offer deals through Groupon. Why would you sell (at a heavy discount, mind you) your products or services through a company that may not be able to pay you? Better to take the guaranteed revenue from normal customers who pay up front, than risk selling through Groupon and never recouping a penny.

Without deals to offer to the people on its mailing list, Groupon can’t make sales. If it can’t make sales, it can’t generate revenue. And, if it can’t generate revenue, its negative working capital model will very rapidly lead it to run out of cash.

The most dangerous thing about this situation is that it doesn’t matter whether or not Groupon actually can pay the merchants. If enough merchants believe that Groupon is not creditworthy, a tipping-point will be reached and it will become a self-fulfilling prophecy.

So, Groupon’s negative working capital model exposes it to the risk that a loss of confidence could cause it to become insolvent.

When I wrote that, I questioned the wisdom of Groupon’s decision to pay out most of the money it raised in its Series C, D and E rounds to previous investors. Today, I wonder why it’s depleting its cash to repurchase shares when there’s a real risk that it might need that cash to remain solvent.

Written by jackgavigan

November 4, 2015 at 12:37 pm

Posted in Bubble 2.0, Ethics

Uber & London


Uber is often cast as the plucky upstart, taking on taxi monopolies and cartels on behalf of customers. Some cities artificially restrict the number of taxis. In New York, this drove the price of a taxi medallion to $1m in 2011.

In London, however, the number of taxis (or “hackney carriages”, to use the legal definition) is not limited. Anyone can become a licensed taxi driver, provided they meet the requirements. A prospective London cabbie must spend 3+ years learning the Knowledge (which literally causes their brains to grow bigger), take an enhanced driving test, invest in a vehicle that meets specific requirements (including the ability to accommodate a wheelchair, and a 25-foot turning circle), commit (under pain of fines) to pick up anybody in the street who hails them if their yellow light is on, and agree to be subject to the fares set by TfL (Transport for London – the body that regulates transport in London).

In return, the government prohibited private hire vehicles (PHVs – i.e. unlicensed taxis/cabs) from picking up customers who hail them in the street or using a taximeter to calculate a fare based on time and distance. In effect, PHVs must be booked in advance and the customer must be able to agree the fare up-front.

Effectively, there was a social contract between London taxi drivers and the government. Taxi drivers had certain advantages over PHV drivers but they were also subject to more onerous licensing requirements. With no restrictions on the number of taxi licences issued in London, the laws of supply and demand dictate the number of black cabs on the streets, and customers get to choose what type of service they want to use.

Then Uber came along.

When Uber began operating in London, the London Taxi Drivers’ Association (LTDA) complained to TfL that Uber’s fares are calculated based on time and distance. TfL referred the matter to the High Court, where the case focused on whether the smartphone-and-app combination used by Uber drivers is a taximeter. The High Court decided that because the calculation of the fare does not happen on the smartphone, but on Uber’s servers, the smartphone is not a taximeter.

I’m not a lawyer but that seems like a loophole to me. To my mind, the real question is not whether a smartphone falls outside an archaic definition of what constitutes a taximeter, but whether Uber drivers should be allowed to charge a fare that is calculated based on time and distance. If the answer to that question is “No”, then the law should be updated to close the loophole.

However, if the answer is “Yes”, the government is effectively tearing up London’s taxi drivers’ social contract, and calling into question the economic viability of becoming a licensed taxi driver. Why bother spending all that time, effort and money if the rules mean that you’ll be operating at a disadvantage?

The worst-case scenario is that black cabs go from being a regular sight on the streets of London to an historical curiosity. That might suit Uber but I don’t think it would be a good outcome for the rest of us. Personally, I like to be able to flag down a cab (even when my phone battery is dead), secure in the knowledge that the cabbie’s done the Knowledge and isn’t just blindly following a satnav’s directions (which is the difference between getting home in 20 minutes versus being stuck in traffic on Pall Mall and Trafalgar Square for half an hour). I’d be quite happy if the cost of that is to require that Uber set the price of a journey in advance.

The outcome of the current public consultation being conducted by TfL should be a reaffirmation of the social contract with London’s licensed taxi drivers, and a regulatory regime that allows consumers to benefit from innovation, while preserving choice and ensuring that the quality of London’s taxi services doesn’t get dragged to the lowest common denominator.

Written by jackgavigan

October 27, 2015 at 3:42 pm

Posted in Innovation

“Explain to me how Bitcoin works.”


[Image: Dilbert & Bitcoin]

Written by jackgavigan

April 4, 2015 at 6:45 pm

London & Silicon Valley: No Longer An Either/Or Choice


Time was, Silicon Valley was the place to found a tech startup. British tech entrepreneurs would up sticks, move to Silicon Valley and never look back. Today, things are different. Increased competition for talent and rising real estate costs have reduced the Bay Area’s competitiveness, while the UK has developed its own tech eco-system. Lanyrd and Songkick both returned to London after graduating from Y Combinator, whereas ten years ago, they may well have opted to stay in the Bay Area.

At the same time, the cost of international air travel has declined and new technologies have emerged that make it easier for geographically-distributed teams to work together. The end result is that it’s no longer an “either/or” choice. Startups can have the best of both worlds – access to both the Silicon Valley eco-system and the UK talent pool (which, thanks to the UK’s membership of the EU, extends across 28 countries, with a combined population of over 500m).

Huddle’s senior management team moved to San Francisco but the product and technology team remains in London. David Richards, CEO of WANdisco, opted to establish dual headquarters right from the beginning:

“It’s very difficult to hire lots of java programmers in Silicon Valley,” he explains. “They cost a lot and there are companies like Google and Facebook who have significant presence in the Bay area.”

“We looked at the UK to see if we could make it work having a programming resource in the UK – not just a support centre but actually making products. And we could. We’ve proved that it’s possible.”

We’re also seeing US-based players starting to take notice and recognise the importance of the UK. Last year Y Combinator decided to run a Startup School in London, while Techstars expanded into the UK and is now attracting FinTech startups from the US to take part in the Barclays Accelerator.

I believe that what we’re seeing is the growth of a trans-Atlantic startup eco-system. Founders should no longer be thinking about London versus Silicon Valley – they should be thinking about how they can take advantage of the best resources, opportunities and talent in both London and Silicon Valley.

This is one of the reasons I founded LDN2SFO – I think that one of the best ways to help London-based entrepreneurs is to expose them to the Silicon Valley eco-system so they can both learn about the culture that has made it so successful, and make connections with their peers there (and, in doing so, strengthen the links between the London and Silicon Valley eco-systems).

Our next trip takes place from April 27th to May 1st. If you want to join us, apply now.

Written by jackgavigan

March 31, 2015 at 1:41 pm

Posted in Entrepreneurship

UK Government Outlines Support for FinTech and Digital Currencies


Yesterday was a significant day for FinTech in the UK. Having previously made it clear that the government wants to make London the leading location for the FinTech and digital currencies sectors, the Chancellor, George Osborne, used the Budget to lay out more details of how the government intends to achieve that.

The Government Office of Science also released its Blackett review into FinTech, and HM Treasury published both their response to the call for information on digital currencies that they launched last November, and a policy paper outlining the government’s strategy for delivering competition and choice in banking.

I highlight some of the key announcements from the Budget below.


[Image: 2_273]

Promoting competition is one of the FCA’s three objectives (the other two are protecting consumers and protecting financial markets) and, fortunately, its leadership fully recognises both the role that innovation can play in driving competition, and the fact that regulation can be a significant barrier to innovation. Project Innovate is an initiative launched last August to help innovator companies navigate regulatory hurdles and bring new products and services to market.

One of the key challenges is that existing regulations often don’t cover emerging business models. Even when they do, startups often lack the resources to achieve full compliance. Hopefully, the FCA will be able to come up with a sandbox model that allows innovators to pilot new products, services and business models that they would otherwise struggle to bring to market.


[Image: 2_272]

Just as technology is transforming the way financial services are delivered to customers, it has the potential to transform the way regulation is delivered and reduce regulatory costs. By taking the lead in this area, the FCA and PRA can make the UK a more attractive regulatory regime and provide a fertile environment for UK companies to develop ‘RegTech’ products and expertise that can be exported overseas.


[Image: 2_220]

In Germany, the widespread adoption of the HBCI/FinTS banking API has helped foster a strong FinTech sector, spawning startups like Fidor Bank, Figo, Number26 and Avuba, as well as the Open Bank Project. If the UK banking sector can be persuaded to adopt a similar API, it can only be a positive development for UK FinTech.


[Image: 2_215]

The Bank of England has taken a keen interest in digital currencies and blockchain technology, and even raised the question of “Why might central banks issue digital currencies?” in a recent discussion paper. HM Treasury launched a call for information on digital currencies last November, and released a detailed response to the feedback alongside the Budget yesterday. The paragraphs below (with numbers in red) are taken from the latter document.

The government clearly perceives a significant opportunity in this space but the key challenge is to ensure consumer protection and prevent the use of digital currencies for criminal purposes (including money laundering and terrorist financing) without stifling innovation.

[Image: 4_2]

There’s little doubt that here in the UK, lack of regulation has hampered the digital currencies sector. Banks, having been hit with punitive fines in the past for failing to do enough to prevent money-laundering, refuse to touch anything Bitcoin-related with a 10-foot bargepole, meaning that UK companies in this space are typically forced to bank overseas (e.g. Bitstamp, Coinfloor and CEX.IO bank in Slovenia, Poland and Latvia, respectively, despite being based in the UK). Applying AML regulation to exchanges should remove this barrier to banking services and help make the UK a more attractive regulatory regime. 

The next Parliament will begin in May so, with luck, we will see the result of this consultation by the end of the year.

[Image: 2_216]

The new Payment Systems Regulator may also have a role to play in ensuring that digital currency businesses are not excluded from payments networks by UK banks.

[Image: 4_5]

BSI is the UK’s national standards body. As well as safety standards for things like crash helmets and seatbelts, it pioneered the quality assurance and information security standards which formed the basis of the ISO 9000 and ISO/IEC 27000 series, respectively.

The digital currency sector has seen its fair share of fraud, Ponzi schemes and fiduciary failures, so it’s interesting to see the UK government opting against prescriptive regulation to protect consumers, in favour of giving the sector the opportunity to self-regulate. It’s very much a pro-innovation stance, and stands in marked contrast to the approach taken by the New York Department of Financial Services – it’s possible that the UK government, having seen the negative reaction to the New York Department of Financial Services’ first BitLicense draft, saw an opportunity to steal a march on New York (which vies with London for the title of the world’s leading financial capital).

It’s worth bearing in mind that “self-regulation” has a decidedly mixed track record in the UK, so there’s a question-mark over whether this approach will engender enough consumer confidence to support mainstream adoption. Also, the use of the phrase “at this stage” is significant.

[Image: 4_7]

The £10m in funding for research is a relatively small but significant indication that the government is willing to put its money where its mouth is. The Research Councils are the primary source of funding for research in the UK. The Alan Turing Institute is a newly-formed organisation intended to support research in Big Data and algorithms. Digital Catapult is an Innovate UK initiative intended to help commercialise data innovation.

Concentration of talent plays a key role in the formation of industry clusters. If the UK can attract talent to conduct research, and provide a fertile environment for commercialising the fruits of that research, it stands a very good chance of establishing a strong digital currency cluster.


[Image: gs-15-3-fintech-futures]

FinTech is a significant contributor to the UK economy, and is a key element of London’s role as a global financial centre. Yesterday’s announcements are a clear sign that the government is not just paying lip service when it says it wants the UK to be the best place in the world to do business in this sector.

The prospect of being formally regulated will likely prove highly attractive to companies focusing on Bitcoin and other digital currencies. It will confer legitimacy, and give both customers and investors greater confidence in the sector. Passporting will also give companies regulated in the UK the ability to offer their services across the rest of the EEA.

We’ve already seen companies like CoinJar move to the UK because of its Bitcoin-friendly tax regime. I wouldn’t be surprised if others follow in its footsteps.

I’m interested in hearing others’ thoughts on yesterday’s announcements. Please leave your feedback below as a comment or contact me directly.

Written by jackgavigan

March 19, 2015 at 11:22 am
