- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 31 Aug 2017 11:59:41 -0400
- To: Web Payments IG <public-webpayments-ig@w3.org>
Hi WPIG, (bcc: WPWG - just as a heads-up) This is a super-delayed status report from a presentation I did in late May to the US Federal Reserve's Secure Payments Task Force. It includes food for thought around the future direction of the Web Payments and Verifiable Claims work at W3C. My presentation ran from around 75 minutes to 80-100 security-related management-level folks (CISOs / VPs, mostly) on W3C's Web Payments, Verifiable Claims, and CG work in Blockchains and "identity". You can get an idea of the participant organizations here: https://fedpaymentsimprovement.org/payments-security/about-the-task-force/roster/ The goal of this presentation was to get more engagement from the banking industry in all three work streams culminating in new W3C members and increased participation. The presentation that I gave can be found here: https://docs.google.com/presentation/d/10l7SKWDPuQmvzuY3Ivsv2K345Kok3FMu6kt2gGalq4g/edit Here are the takeaways: * The value proposition of Web Payments to banks is not clear enough for employees to take it to their boards. * The value proposition of Verifiable Claims is clear, but there is a question around liability that has remained unanswered for 10+ years. * The value proposition of Anti-Fraud Blockchains is clear, but understanding on it is limited and it's "10 years away". * It is unlikely that the US banks will engage more deeply until we put more work into a solid value proposition and executive summary for them (or talk them through it). Here are the opportunities: * Several bank executives said that they're willing to work with us on the value proposition for Web Payments and Verifiable Claims. * Two US banks were identified as the banks that may be the best to reach out to after we have our banking value prop nailed down. Two other EU banks also came up as ones that may be willing to engage. I have identified these banks to W3C Management. * The US Fed seems willing to move on something related to Anti-Fraud Blockchains and open standards, but in 2018 or beyond. * There is a tremendous amount of buy in to the US Fed's Faster and Secure Payments framework, principles, and use cases. That should inform W3C's technology road map in Web Payments, Verifiable Claims, and Blockchain. Here are the action items: * Reach out to the two Tier II banks to see if they want to engage on Web Payments or Verifiable Claims AFTER we've ironed out the value proposition with more risk averse big banks. * Engage with BITS to see what it would take to get their public support for the W3C Web Payments and Verifiable Claims work. * Work with US Fed in 2018 to create a business/joint group between Secure Payments Task Force and W3C. * Align the ISO Blockchain initiatives and "identity" initiatives with the W3C initiatives. * Increase focus on anti-fraud use cases and security as they seem to be what the US banks are most concerned about right now (granted, this was a security focused gathering). --------------------------------- The rest of this is LONG, apologies, but I wanted to provide more raw data so that others could come to conclusions of their own. I quick polled the room as I went through the presentation. Around 60% of the room knew about the W3C. Around 50% of the room knew about the Web Payments work, but only around 40% of them felt that it affected them. Around 20% knew about the Verifiable Claims work and around the same amount felt that it would affect them. Less than 5% knew that W3C CGs were doing anything in the Blockchain space. I'm told that the presentation was very well received. There were a constant stream of clarifying, non-aggressive questions throughout the presentation that demonstrated a basic understanding of what was being presented and acceptance of W3C's leadership in this space. The US Fed folks said that hallway discussion also indicated that the people in the room appreciated the debrief. I remain slightly sceptical as even though the above is true, my hallway conversations with several individuals demonstrated that they barely grasped how the work being done at W3C applied to their bank. Some of them viewed the Web Payments work as "a pretty screen to help people checkout" rather than something that applied more deeply to their business. Keep in mind that my sample size is around 15-20 individuals over two days, so the following isn't the whole picture, but should be used with other information that we have to inform future engagement in the banking sector. "Why do you think we don't have more engagement from the banking industry?" was a question I asked most everyone, and here are the sorts of responses I received: Top 10 bank exec: "We know about what W3C is doing in this (Web Payments) space and we don't think W3C knows that they're playing with fire. We see the browser manufacturers at the table wilfully trying to dis-intermediate us. We're not going to help them do that. We do want to participate, but on our terms, the tables are not tilted in our favour." When I underscored that we support 3rd party payment handlers and banks could have their own digital wallets, he responded that while that's the future they want, bank-based digital wallet (native apps) have largely failed and so there is very little appetite at the board level to pursue that again right now. This person said that they've personally started $1.2B in projects at their bank over the past 25 years, so money isn't the issue... it's the value prop to the bank and the danger of being disintermediated. Top 10 bank exec: "The Verifiable Claims work is interesting, but who holds the liability? If I use a credential that someone else issued to do my onboarding process, and the credential is fraudulent, who is fined? If it's me, then that's no different than today, so what's the value prop? That people can defraud me faster than they do today? The second the regulators come out with a Verifiable Claim that I can use that absolves me of liability when using that credential, I will be there in a heartbeat with a pile of money." The upside to this conversation is that he wants a follow up call to discuss the value proposition to the bank, so I'll be following up with him. He was more interested in the Verifiable Claims work than the Web Payments work, most likely because he deals w/ bank security more than customer products. I offered to put him in touch w/ W3C, but he declined until we talk in more detail about it. Top 25 bank exec: "You haven't made the Web Payments value proposition clear. How does this save me money? How do banks make money on this stuff? I need that when I go to my board for approval. What product am I going to build with this technology and why are my customers going to use it? My vendors are going to bring this to me when it becomes important, until then, I don't have a strong incentive to move on it. I'm just going to wait for some other bank to pick it up and run with it." Top 25 bank exec: "You're working at a layer that's far below what banks work at... our vendors care about this stuff, we don't. If this stuff is important, they'll build it into the products that they sell us." Top 100 bank exec: "Banks make very little money on customer experience these days. Most of the big banks make money on trading/investing, so they don't really care about the customer experience as long as it's not that much more terrible than their competitors." Ex top-10 exec: "You need to focus on banks that are more aggressive with this stuff like [very specific Tier II banks redacted]. They're the leaders in this area. The big banks aren't going to do anything until those two do something. The smaller banks don't have the bandwidth to participate. These aren't technology companies, their vendors are, and even they wait for things to shake out in other industries before jumping on board. This industry is really good at locking innovation out if they don't want it... innovation leads to horribly expensive upgrades in our industry." 20+year industry veteran (retired): "These folks don't have to work very hard to make money. The stuff you're asking them to do seems like a heavy lift to them. It's also a culture thing. Many of these folks are 2nd or 3rd generation bankers. The solution isn't coming from their community and they're used to being able to lock that sort of stuff out of their systems. Even worse, you've allied yourself with people that have consistently tried to disintermediate them over the past 20+ years. You need to get a few credible folks in our community saying that what you're doing is beneficial and the others will follow." Small bank CEO: "You may want to talk to the [redacted state] DMV about Verifiable Claims - they are leading the US in digital identity initiatives. I wish you weren't supporting card number in the clear payments. That's exactly what's wrong with the industry today and you're just reinforcing that absolutely broken security model. I'm also dismayed that you're talking with [redacted tokenization group]. [redacted] is useless, they're not going to help you on security. [redacted] are out for themselves, don't trust them. I get that you need to do that politically, but you're not winning any points with me by working with them." (note that this CEO was one of the most opinionated and aggressive in the room, but was also one of the most well respected). I've passed the redacted names on to the Chairs and W3C Management. Small vendor: "Take the Financial Services Technology Council logo off of your slides, that's hurting your credibility. They were bought by BITS during the 2008 recession. Have you talked to BITS? Get them to agree that what you're doing is a good thing, that'll get you into the board room, most everyone in here will adopt if BITS says that this is the future." Medium vendor and payment network operator: "We'd love to bring our tokenization technology, patents and all, to W3C and provide it as the basis for your tokenization work." I'm following up with them as they also didn't want to talk with W3C until they understood the process and what was involved. I'll be pushing them to participate. David Ezell's name came up numerous times when talking w/ the X9, ISO, and TG1 folks. They mentioned that they've talked with him on a number of occasions about this stuff and said his engagement on all of this was very helpful and appreciated. There was also a general sense of frustration in the group as they've been engaged with the US Fed's Faster Payments and Secure Payments work now for 3+ years and they're still working on framework, principles, and use cases. The banks want solutions and US Fed has no real mandate to provide the solutions (a new faster and more secure payments network) that the banks want. The banks want to know who is going to pay for faster or more secure, especially if there is no new regulation mandating it. So, most everyone is stuck in a wait and see cycle. The US Fed is waiting for industry to step up and take the lead now that they've spelled out the desired outcome that the banks want. The banks are waiting for the US Fed to hint at the right way forward or to stand up a new faster and more secure payments network. There is a tremendous amount of buy in to the US Fed's Secure Payments framework, principles, and use cases. That should help inform W3C's technology road map in Web Payments, Verifiable Claims, and Blockchain. That's more or less all I can remember for now. ----------------- I passed this on to W3M in early June. My contact w/ the banks since then shows no real change wrt. the above. Hopefully this information can help us guide the next steps of the work we'll do via the WCIG. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: Rebalancing How the Web is Built http://manu.sporny.org/2016/rebalancing/
Received on Thursday, 31 August 2017 16:00:07 UTC