The sorry state of payment standards

Since my talk last year at Reboot on Agile Banking the Agile Banking Mailing List has been quite active with lots of different ideas. One of the most important yet also simple products of the list has been OpenTransact which I now realize I haven’t even mentioned on my blog.

OpenTransact aims to be the worlds simplest technical standard for transferring some sort of value between 2 accounts. We wanted it to be so simple that there wouldn’t be a good technical excuse for not implementing it and also make it extremely simple to build all sorts of new value added services on top of it. You can find out more at the OpenTransact site and I will post a detailed article about it tomorrow.

In this article I will focus on what we’ve got. Current payment standards and bank business processes are incredibly complex and I don’t pretend to understand all of it, but I will try to present a much simplified version of what goes on.

What is wrong with existing Payment Standards?

Complex messages

The big issue with most of them is that they are ancient (SWIFT the standard banks use to transfer funds internationally dates back to the mid 70s). Most of them are designed for ancient technology like mainframes with batch processing as well as ancient business practices such as delayed settlement and bank opening hours.

Most of these standards are message based and extremely complex.

SWIFT has 25 standard data elements and 79 types of messages with strange names like MT542. People make good money specializing in specific message types. You often see programmer jobs in the financial industry calling for 3 years of experience in eg. MT530.

ISO 8583 which is used for handling most payment card transactions dates from 1987 is a little better in that at least it does expect to be able to send one or two small messages online, but still most of the heavy lifting is done after the fact in the settlement phase.

Most countries have their own electronic banking clearing systems with their own set of standards and procedures. The largest US clearing system ACH won’t even let you at their online rules website without buying a $79 book.

Security nightmares

Any non cash financial transaction consists of one or more entries known as book entries into various companies databases. By definition any act of creating a financial transaction is delegated by you to someone else. Whenever your transaction involves another bank your original delegation gets delegated onwards to x number of other institutions. Unfortunately the transactions are often unauthenticated. Whether you are sitting in a bank office ordering a wire transfer or handing a waiter your credit card you are delegating authority to transfer funds out of your account. This is why a check says “Pay to the order of…”.

Card payments do support some level authentication from pin to signing via an onboard smart card. But they aren’t used when performing an internet payment. This is obviously where much of the fraud goes on. Credit Card or ACH fraud essentially boils down to convincing (delegating) someone to transfer funds from the victims account.

Since you can’t satisfactorily secure the payment message most of these standards come with complex reconciliation standards that make up most of their complexity and even larger and more complex rule books. These rules are what allow you to deny a transaction when you get your statement a month later after the fact.

Enter PayPal

PayPal’s original Website Payment API while not a standard was a big step up over the actual standards in that it was born of the web. Web 1.0 yes but still the web. So rather than using REST to hide some of the complexity it uses a single URL with lots of different fields including optional non payment fields such as address and shipping details.

A big issue that PayPal had was that they still had to interface with the traditional banking world with their settlement times and insecure payments. To make it economical for them they need to use ACH and similar slow low cost national payment networks guaranteed by credit cards if these don’t go through. This is where much of the complexity of dealing with their Instant Payment Notification comes from.

Most of PayPal’s competitors use similar API’s to PayPal’s, but there hasn’t been any real standardization on it yet.

Their new Adaptive Payment API is much clearer. Yet still fairly complex for a new developer faced with it. And no it’s still not REST.

Why is it like this?

Closing Time

There are many reasons why banking related standards are complex. Most of them are historical. For example banks still operate 5 days a week with close of business at some time like 6pm decided many decades ago by gentlemen in top hats. Of course they do work 24 hours but all their processes are still based on this pre online world.

This means there is still a lot of batch processing going on in that last hour before closing. Most banks have a cutoff time a couple hours earlier than their official closing time to give them time to batch up and reconcile the days business. This is why you have to rush to the bank with your checks before 3pm on a Friday or it won’t get credited until Monday evening.

Settlement

Settlement is another important issue that all of these ancient standards have to deal with. Once you’ve bought that dry martini in the bar after work with your debit card, the money doesn’t actually leave your account yet. Your bank basically puts a hold on your money first. Then over the next couple of days they settle it through a network of banks and institutions depending on the country. Most of the settlement processes is done through batch processes once a day, the more step between your bank and the bars bank the longer settlement takes.

Most of these settlement (clearing) times are standardized by rules set out by central banks or banking associations. The holy grail for many of these systems is to reach what is known a T+0 clearing, which is fancy banker speak for instant clearing. It will take a long time for this to happen in most large economies like the US as there isn’t really a demand for it from anyone except consumers and small businesses.

Conclusion

Any new standard or API that attempts to deal with the existing banking standard is very difficult to simplify. You need to account for each countries settlement and fraud prevention rules. SWIFT was updated to a fancy smancy new XML standard, which didn’t do anything to simplify it besides making it easier to parse.

Any kind of innovation in this needs to be designed for an online world with 7 days, 24 hours and clear simple standards that only aim to solve a simple need. We have had this magic new technology now called HTTP thats been here for close to 20 years now and it’s been kind of successful. OpenTransact is only a very thin layer on top of HTTP and uses OAuth for its authentication, I think it is going to be big. But I will write more on that in my next post.