Banking Blues (pt. 481)

Last week, I attended a networking evening for Intersekt, Australia’s largest annual fintech conference. Billed as the “flagship event of the Digital Innovation Futures Victoria Festival”, the 2-day event is supposed to take the pulse of Australian fintech – by highlighting current industry trends, showcasing local success stories and identifying areas for future growth and collaboration. I wasn’t able to attend the 2-day conference itself, but based on the networking audience, and the program agenda, it feels like there is very little “innovation” these days, and certainly not among the major banks.

The fintech product focus is still very much on payment solutions and open data – even though we’ve had the NPP and Open Banking for several years – plus SME lending (since the major banks have largely abandoned cashflow lending, just as they have exited wealth management and financial planning). There was barely an hour of the conference given over to crypto currencies and digital assets, and from what I could see, no sessions dedicated to Blockchain technology.

Challenger or neo-banks have not managed to gain traction in Australia, mainly due to the dominance of the incumbent banks, especially the so-called Big 4, which continue to enjoy an entrenched oligopoly protected by regulation. Despite Financial Services (banks, diversified financials and insurance) forming the largest sector (27%) of the ASX 200, it is highly concentrated and appears structurally designed to keep out competition (and hence, stifle innovation).

Indeed, I cannot think of a single new product that my bank has introduced in the 20 years I have been a customer. Over that time, I have held both personal and business accounts with this bank – mortgages, investment loans, credit cards, transaction accounts and savings products. They no longer offer wealth management services under their own name, and the share trading account I hold with them is actually operated by a foreign financial institution. At the same time, the bank has been shuttering branches, and disbanding services, often without any notice or customer communication.

My frustration with this bank goes unheeded – if anything, the customer service has worsened, often under the guise of “the Royal Commission”. The latter has no doubt given rise to staff cuts to pay for greater compliance costs, and is used to justify over-bureaucratic customer processes. Meanwhile, every time I raise a complaint, I’m told it’s the bank’s “systems” that are to blame, or their third-party service providers – it’s never the bank’s own fault, and they never take responsibility or demonstrate accountability.

These are just the latest incidents in a litany of poor customer experience:

1. A simple title transfer involved me visiting three different branches (thanks to branch closures and rotating staff), plus e-mailing and phoning an interstate office (at least the settlement was probably executed on Pexa’s blockchain-enabled platform…)

2. A glitch in setting up a replacement bank-issued credit card in my digital wallet was blamed on the card provider’s technology (even though I had just successfully linked this same card to my smart watch). I hope the bank has robust SLAs with this third party…

3. Some unsolicited (and highly misleading) e-mail marketing sent out under the bank’s name was blamed on another third-party provider (surely the bank must authorise what communications are issued in its name?)

4. I spent over 2 hours in a branch to open some basic term deposits in the name of existing businesses that already have client profiles and accounts with this same bank – a combination of bureaucracy, slow technology and cumbersome processes which still involve wet signatures on hard copy documents.

5. In the process of setting up one of these business accounts, it turns out the bank had the wrong company details on their core records, even though the statements are sent to the correct address. I advised the bank of the change of address several years ago, but despite the findings of the Royal Commission, the bank has not bothered to run a check on the ABN register, which is free to use, to check the company details.

The really depressing thought is that even if I switch banks, I will probably run into similar problems elsewhere!

Next week: Non-binary Politics?

Digital Identity – Wallets are the key?

A few months ago, I wrote about trust and digital identity – the issue of who “owns” our identity, and why the concept of “self-sovereign digital identity” can help resolve problems of data security and data privacy.

The topic was aired at a recent presentation made by FinTech advisor, David Birch (hosted at Novatti) to an audience of Australian FinTech, Blockchain and identity experts.

David’s main thesis is that digital wallets will sit at the centre of the metaverse – linking web3 with digital assets and their owners. Wallets will not only be the “key” to transacting with digital assets (tokens), but proving “identity” will confirm “ownership” (or “control”) of wallets and their holdings.

The audience felt that in Australia, we face several challenges to the adoption of digital identity (and by extension, digital wallets):

1. Lack of common technical standards and lack of interoperability

2. Poor experience of government services (the nightmare that is myGov…)

3. Private sector complacency and the protected incumbency of oligopolies

4. Absence of incentives and overwhelming inertia (i.e., why move ahead of any government mandate?)

The example was given of a local company that has built digital identity solutions for consumer applications – but apparently, can’t attract any interest from local banks.

A logical conclusion from the discussion is that we will maintain multiple digital identities (profiles) and numerous digital wallets (applications), for different purposes. I don’t see a problem with this as long as individuals get to decide who, where, when and for how long third parties get to access our personal data, and for what specific purposes.

Next week: Defunct apps and tech projects

The Social License to Operate

The “social license to operate” is best described as follows: companies only get to do business so long as they retain the trust of their customers, employees and other community stakeholders.

The current debate about de-banking reminds us that financial institutions are among the largest beneficiaries of that social license, especially in Australia where the so-called 4 Pillar banks operate under a protected oligopoly. If you want to be cushioned against external and internal competition, then you need to demonstrate why you deserve to retain that privilege.

Apart from arbitrarily shutting customer accounts, banks are also closing local branches and/or reducing their opening hours. They are scaling back on the services available at some branches, even though their archaic processes still require existing customers to attend in person for things like ID verification and to apply wet signatures on hard copy documents. Seriously, you can’t have it both ways – reducing customer access while at the same time forcing customers to get to a branch to sign papers. (In a recent case, I ended up dealing with three separate branches, as well as an inter-state department, just to process some standard forms.)

The Banking Royal Commission dealt our major financial institutions several reputational blows – but rather than forcing them to improve their ways, foster innovation, increase efficiency, embrace technology and lift the overall customer experience, it seems that the banks have hunkered down in defence. They use the findings of that very same Royal Commission to justify why they now need to employ more and more layers of bureaucracy, form-filling and pen-pushing, in an attempt to cover their backsides and to mitigate against the public backlash.

And it’s not just the banks that are under increased community scrutiny – supermarkets, utilities, professional service firms, property developers, telcos, builders, insurers, landlords and tech companies are all facing various criticisms, for things like price gouging, squeezing suppliers, corruption, monopolistic and anti-competitive behaviours, poor quality products and service, financial irregularities, atrocious consumer data protection, environmental damage, unconscionable contractual terms and unreasonable policies. Unfortunately, our regulators don’t seem capable of holding these parties to account, so it will largely depend on consumers and the community to stand up for their own interests.

Next week: More on Music Streaming

Trust in Digital IDs

Or: “Whose identity is it anyway?”

Over the past few years, there have been a significant number of serious data breaches among banks, utilities, telcos, insurers and public bodies. As a result, hackers are able to access the confidential data and financial records of millions of customers, leading to ransomware demands, wide dissemination of private information, identity theft, and multiple phishing attempts and similar scams.

What most of these hacks reveal is the vulnerability of centralised systems as well as the unnecessary storage of personal data – making these single points of failure a target for such exploits. Worse, the banks and others seem to think they “own” this personal data once they have obtained it, as evidenced by the way they (mis)manage it.

I fully understand the need for KYC/AML, and the requirement to verify customers under the 100 Points of Identification system. However, once I have been verified, why does each bank, telco and utility company need to keep copies or records of my personal data on their systems? Under a common 100 Points verification process, shouldn’t we have a more efficient and less vulnerable system? If I have been verified by one bank in Australia, why can’t I be automatically verified by every other bank in Australia (e.g., if I wanted to open an account with them), or indeed any other company using the same 100 Points system?

Which is where the concept of Self-Sovereign Identity comes into play. This approach should mean that with the 100 Points system, even if initially I need to submit evidence of my driver’s license, passport or birth certificate, once I have been verified by the network I can “retrieve” my personal data (revoke the access permission), or specify with each party on the network how long they can hold my personal data, and for what specific purpose.

This way, each party on the network does not need to retain a copy of the original documents. Instead, my profile is captured as a digital ID that confirms who I am, and confirms that I have been verified by the network; it does not require me to keep disclosing my personal data to each party on the network. (There are providers of Digital ID solutions, but because they are centralised, and unilateral, we end up with multiple and inconsistent Digital ID systems, which are just as vulnerable to the risk of a single point of failure…)

But of course, banks etc. insist that not only do they have to ask for 100 Points of ID each and every time I open an account, they are required to retain copies or digital versions of my personal data. Hence, we should not be surprised by the number of data hacks we keep experiencing.
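The verify-once model described above can be sketched as a signed attestation that a relying party checks instead of storing identity documents; this is an added example, not part of the original post or any provider's product. All names and values are hypothetical, Ed25519 is an assumed signature scheme, and the `revoked` set stands in for whatever revocation registry a real network would publish.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attestation holds no personal data: a pseudonymous subject, the result, and the consent terms.
type Attestation struct {
	ID, Subject, Claim, Audience, Purpose string
	Expires                               time.Time
}

// Issue is run once by the party that inspected the original documents.
func Issue(priv ed25519.PrivateKey, a Attestation) (payload, sig []byte) {
	payload, _ = json.Marshal(a) // cannot fail for this struct
	return payload, ed25519.Sign(priv, payload)
}

// Check is run by a relying party that holds only the issuer's public key.
func Check(pub ed25519.PublicKey, payload, sig []byte, me, purpose string,
	now time.Time, revoked map[string]bool) (*Attestation, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	var a Attestation
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Audience != me || a.Purpose != purpose:
		return nil, errors.New("not issued to this party for this purpose")
	case !now.Before(a.Expires):
		return nil, errors.New("consent expired")
	case revoked[a.ID]:
		return nil, errors.New("revoked by holder")
	}
	return &a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	exp := time.Now().Add(24 * time.Hour)
	p, s := Issue(priv, Attestation{"att-1", "subj-7f3a", "100-points-verified", "telco-a", "open-account", exp})
	_, err := Check(pub, p, s, "telco-a", "open-account", time.Now(), nil)
	fmt.Println("telco-a accepted:", err == nil)
}
```

The relying party ends up holding a signed statement bound to one audience, one purpose and an expiry, which is far less useful to an attacker than a stored copy of a passport or driver's license.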

The current approach to identity in banking, telcos and utilities is baffling. Just a few examples I can think of:

1. In trying to upgrade my current mobile phone plan with my existing provider, I had to re-submit personal information via a mobile app (and this is a telco that experienced a major hack last year, resulting in me having to apply for a new driver’s license). If I have already been verified, why the need to ask for my personal data again, and via a mobile app?

2. I’ve lived at my current address for more than 5 years. I still receive bank statements intended for the previous occupant. I have tried on numerous occasions to inform the bank that this person is no longer living here. I’ve used the standard “Return to Sender” method, and tried to contact the bank direct, but because I am not the named account addressee or authorised representative, they won’t talk to me. Fair enough. But, the addressee is actually a self-managed superannuation fund. Given the fallout from the Banking Royal Commission, and the additional layers of verification, supervision and audit that apply to such funds, I’m surprised that this issue has not been picked up by the bank concerned. It’s very easy to look up the current registered address of an SMSF via the APRA website, if only the bank could be bothered to investigate why the statements keep getting returned.

3. I have been trying to remove the name of a former director as a signatory to a company bank account. The bank kept asking for various forms and “proof” that this signatory was no longer a director and no longer authorised to access the account. Even though I have done this (and had to pay for an accountant to sign a letter confirming the director has resigned their position), if the bank had bothered to look up the ASIC company register, they would see that this person was no longer a company officer. Meanwhile, the bank statements keep arriving addressed to the ex-director. Apparently, the bank’s own “systems” don’t talk to one another (a common refrain when trying to navigate legacy corporate behemoths).

In each of the above, the use of a Digital ID system would streamline the process for updating customer records, and reduce the risk of data vulnerabilities. But that requires effort on the part of the entities concerned – clearly, the current fines for data breaches and for misconduct in financial services are not enough.

Next week: AI vs IP