The slew of online outages over the past several months – from Robinhood to Chime to WhatsApp – shows just how interconnected various aspects of financial services, such as investing and banking, have become. And increasingly found at the center of all these financial platforms and exchanges are embedded payments. When sites go dark, the ripple effects can be significant, as transactions are in limbo. Investors can’t trade stocks (or cryptocurrencies); consumers can’t access merchants’ sites to buy what they need.
The emergence of apps, super apps and other byproducts of the digital shift promises speed, convenience and an “always-on” experience. But that can only happen when these platforms, which are rapidly becoming the cornerstones of commerce, are built and maintained with a “mission-critical” mindset.
How to make these platforms more reliable? In an interview with Karen Webster, i2c President Jim McCarthy said that we’re about to see the taming of a “wild west” of regulation and standards that have so far failed to do the job. Regulatory scrutiny is only going to deepen – and the urgency is there, he said. Headlines point to increasing cases where demand overwhelms online operators, or hackers force a denial of service. Or, quite simply, sometimes the power goes out – and the servers (indeed, the grid, as we saw in Texas) are out of commission.
The financial services arena has tens, hundreds or even thousands of players, depending on the transaction, maintained McCarthy – which means it’s critical to gain insight into how data flows. There are some hurdles to getting uniform regulatory frameworks (especially focused on reliability), as many domestic schemes have taken on a nationalist tone and have shied away from interconnectedness (at least over the short term).
That presents special challenges to newer firms, contended McCarthy. “The neobanks don’t have bank licenses – they are renting services, and cobbling together services,” he said, adding that “it’s what’s underneath that generally worries regulators, and for good reason.”
He believes it’s time to pierce the proverbial veil and reveal what financial services firms are doing. Efforts are certainly underway in Europe via the Financial Conduct Authority (FCA), the RBA in Australia and elsewhere. Those regulatory bodies want more visibility into tech stacks, getting under the hood to see which standards govern processors and other back-end functions.
The Current State
It may be true that PCI, data security and privacy regulations have been with us for a while and are evolving. But, noted McCarthy, regulators will be drawing a bead on SOC 1 and SOC 2 reports that detail a firm’s internal controls, operations and compliance efforts.
Digital-first firms, like Chime, have built their businesses on the fact that they don’t have brick-and-mortar operations, where in many cases, people don’t have tangible, plastic cards – and so their ability to shift activity from digital to other channels, to make purchases or withdraw money, is slim or nonexistent.
“They’ve bought into this idea that ‘I’m going to use my phone for everything,’” said McCarthy. “And when that fails, people go to forums where they talk about situations like ‘my husband’s stranded in an airport’ or ‘I’ve got kids to feed’ or ‘I was waiting for my stimulus payment, it didn’t post on time, the card got declined’ – and it just rips through the entire fabric of the financial services ecosystem.”
All too often, the damage is done, and then companies scramble to react. As McCarthy explained, business owners and their clients are human – they tend to make changes only when they’ve experienced an “unfortunate moment” and have to address the fallout, turning their attention away from revenue generation and new customer acquisition. Now, they must spend the time and money on bringing “three nines” of uptime to “four nines” (99.9999 percent of the time).
The Risks Of DeFi
The issues of reliability, trust and uptime are especially acute as cryptocurrencies gain ground, where users have decided to shift their allegiances away from classic financial models, opting instead to throw their support to decentralized finance (DeFi). The early adopters who have eschewed third-party intermediaries, McCarthy maintained, have thus far been proven right, because they have relatively less exposure to parties that can “fail.”
“But financial services is a long game, and there are always spikes along the way as new ecosystems are developed,” he said. Embracing DeFi means really trusting the other party on a transaction – utterly anonymous as they are – which may mean never getting what they paid for. That’s a sidestep of the Visas and Mastercards of the world, who create rules that bind both parties in a transaction.
Concerns over security and reliability have been tailwinds for tokenization, noted McCarthy, where tokens have been replacing cards on file and will scale into other areas. “We will see digital representation via tokens and encryption continue to penetrate every aspect of commerce, because otherwise, you cannot protect the underlying assets,” he explained – especially as ACH and Social Security numbers need additional levels of protection.
The regulatory environment may become a bit sharper, but standard practices and roadmaps will help improve the entire financial services ecosystem, he said. After all, McCarthy added, “when payments start to fail, people lose faith in what are supposedly trusted institutions, whether it’s the electrical utility or the financial grid.”