How incumbent banks, particularly Swiss, can thrive thanks to GDPR and cybersecurity, even after PSD2, but need to embrace Bitcoin


The usual story line goes that big, old, slow incumbents cannot compete with agile Neobanks, with their hip UX and their low costs, unencumbered by branch networks.

If UX is the game, banks can at best play catch up. They can buy the hip UX ventures, only to be left in the dust as a new one emerges that is even more hip. Just when you figure out mobile apps, you have to figure out ChatBots with an AI back end. Just when you figure out ChatBots with an AI back end, you have to figure out…

Doing that with a clunky backend designed in the batch era is not just hard, it is almost impossible.

Playing catchup is a lousy game.

PSD2 made the playing field level

That was really bad news for incumbent banks. In theory, banks can win on that level playing field. In reality, if the game being played on that level playing field is how to create the best UX, banks will lose. Agility wins that game, and a Neobank is more agile than an incumbent bank. If two teams play soccer/football on a level playing field and one has an average age of 25 and the other an average age of 55, I am placing my bet with confidence on who will win. If the 25-year-old team has to play up a 25 degree slope, the odds even up.

Consumers don’t care that much about UX

That is heresy. UX is the whole deal. That is the mantra we have all been repeating, but which I will challenge. Sure, consumers care about UX. But how much do they care? How much do they care compared to things like low fees, low interest rates and that simple word – security.

Before getting onto security, look at this from the POV of those hip Neobanks. Read this post by Fred Destin of Accel, one of the best VCs, working at a top tier VC firm. The Customer Acquisition Cost (CAC) for Neobanks is a real issue. This is not like getting users to engage with a free social service. When money is at stake, people take longer to commit. Fear is part of that delay. Will the venture still be around years from now? Will they lose my money?  The fear may be irrational, but even irrational fear kills your CAC metrics.

The biggest fear is, will they lose my money? Will they lose my data? This is where banks could have an advantage – if they play their cards well.

The latest hack – Equifax – creates an inflection point in the market. It could be a disaster for banks. If they don’t take urgent and decisive action it will be. Or banks can seize the opportunity that this creates.

The Equifax inflection point

The Equifax data loss is a huge problem for institutions that live on trust from consumers. It affects consumers in a fundamental way, creates a great deal of remediation work and taints every interaction with the banking industry.

To anybody who understands a bit about cybersecurity, this was no surprise. Cybersecurity folks hold 3 truths to be self-evident:

  1. Anything digital can be hacked. No system stays secure forever. It does not matter whether you are a Fortune 500 company, a government, a US presidential candidate, a mega bank or a payment network: you will get hacked. It is an arms race the defenders are losing, because every control, however clever and expensive, has a shelf life until the attackers find a way around it, the payoff is large, and Crime As A Service networks apply the full power of digitisation and Moore’s Law. Identity data can be stolen with ease, and with valid but stolen identity data the KYC and AML checks built on that data are useless.
  2. This is a Board level issue. Banks and other big companies are willing to spend whatever is needed because the cost of a breach is so high; for the biggest companies on the planet it is an existential threat. Attention is not the problem. Budget allocation is not the problem. A viable solution that does not create an awful onboarding UX is the problem.
  3. Eliminating static passwords is essential. Malware with keylogging capability on a phone captures whatever is typed into it, and a static password captured once is good for every future login. That is a problem when we all live on our phones. If you drew a matrix with Great UX and Secure as the axes, it is obvious where mobile phones sit.

There are only two ways out of this:

Scenario 1: everything moves to decentralised self-sovereign identity stored on a blockchain. This will make banks as we know them today irrelevant. The problem for ventures pushing in this direction is “how do we get from here to there, today?” It is a grand futuristic vision, but consumers want a solution today, not at some distant time in the future. The banks also will have trouble buying this vision. Telling a Fortune 500 board that their only hope is to move off centralised data centres to a fully decentralised Blockchain based network will get you some odd looks around the boardroom table.

Scenario 2: banks get their act together. Which brings us to the wonderful world of Cold War spy stories and the one time password.

The one time password is the answer – ask John le Carré

If you intercept a one time password, it lets you authorise at most one login or one payment, and only within the short window before the code expires. Stealing it is technically possible but rarely economic: the thief has to be in the loop at the moment of the transaction. That is fundamentally different from stealing a long-lived secret that can be reused indefinitely, such as a static password, a social security number or a credit card number. One caveat a security engineer will add: a code is only as single-use as the bank’s server makes it. The server must refuse a code the second time it is presented, and a code phished and relayed within the window still works once, which is why tokens that also sign the transaction details (amount, beneficiary) are stronger than tokens that merely prove you are logged in.

Its ancestor, the one time pad, was extensively used during World War 2 and the Cold War; John le Carré fans will know it as a key part of “spycraft”. Each page of the pad encrypted one message and was then destroyed, so capturing a page exposed that one message and nothing else. The one time password applies the same principle to logging in and authorising payments.

A one time password is generated cryptographically: a secret shared between the token and the bank is combined with a counter or the current time, so every code is fresh and cannot be predicted from the codes before it. Don’t worry, Bitcoin fans, we will get to that other use of cryptography later.
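As an added illustration (not code from the original post, and not the firmware of any bank’s dongle), here is the HMAC-based one time password scheme that commercial tokens implement, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the server-side checks that actually make a code single-use: a short acceptance window and a record of consumed time steps. The shared secret is the RFC test-vector seed, assumed for the example; a real dongle holds a random secret provisioned by the bank.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) with bank-side single-use enforcement.

Added example for this article; not the original post's code nor any bank's token.
"""
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890"), assumed here.
# A real token holds a random secret that the bank provisions at onboarding.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1(secret, 8-byte big-endian counter), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter taken from the Unix time step."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Bank-side verifier. Two rules make a code genuinely single-use, and both
    live on the server, not in the dongle:
      * a code is accepted only within +/- `skew` time steps of now (clock tolerance),
        so an intercepted code expires within about a minute;
      * the highest accepted step is remembered and nothing at or below it is ever
        accepted again, so a replayed (keylogged, phished) code is refused.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self._last_accepted = -1                              # highest time step consumed so far

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False                                      # malformed input never matches
        now = int(time.time()) if now is None else now
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self._last_accepted:                   # replay or out of order: refuse
                continue
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time comparison
                self._last_accepted = step
                return True
        return False


def demo() -> List[bool]:
    """A genuine login, a replay of the same code seconds later, and a stale code."""
    bank = OtpVerifier(DEMO_SECRET, digits=8)
    t0 = 59                                                   # RFC 6238 vector time: code 94287082
    code = totp(DEMO_SECRET, t0, digits=8)
    first = bank.verify(code, now=t0)                         # accepted
    replay = bank.verify(code, now=t0 + 5)                    # same code again: refused
    stale = bank.verify(totp(DEMO_SECRET, t0, digits=8), now=t0 + 300)  # five minutes on: expired
    return [first, replay, stale]


if __name__ == "__main__":
    print(demo())
```

The lesson in the verifier is that “one time” is a property the bank enforces, not one the dongle has by itself: drop the replay check and a code lifted by a keylogger works for the rest of its 30-second step. The window is also why a real-time phishing relay still gets one transaction through; binding the code to the transaction details closes that gap, and this block does not attempt it.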

That totally messes with the frictionless UX

If you live in Switzerland, you may already use a hardware device that your bank gives you (a “dongle”) that generates one time passwords. Many banks insist upon it. But each dongle is bank specific and can be rather unfriendly to use, which makes onboarding harder. Once you get used to it the dongle is fine, but the onboarding experience is lousy.

This is where the opportunity lies. The onboarding pain of a one time password dongle makes consumers reluctant to switch to a new bank if they have to adopt a totally new dongle. The incumbent bank can argue “why not keep all your accounts with us, we can do all the account aggregation and reporting that you need”.

Of course a Neobank can also use a one time password dongle. It will make them significantly less hip and mess with the lovely UX, but it will be significantly more secure. Personally that is a trade off I am able to live with.

So how do you find early adopters to use this secure account with a harsh onboarding UX? Up to this point, incumbent banks will be doing the nodding dog act. The takeaway will be “just protect the base by being ultra secure”.

This is where incumbent banks will start getting uncomfortable because my recommendation is that they offer a secure service to Bitcoin investors.

The newbie Bitcoin investor’s pain point

The Bitcoin veterans tell newbie Bitcoin investors to have a hot wallet and a cold wallet, and the cold wallet needs to be on a hardware device that you put in a safe. They look with scorn on anybody who thinks this is a pain.

If you have a lot of Bitcoin on your hardware device, put it in a bank vault rather than relying on a home safe.

Does that remind you of the gold business?

The reason I wrote “particularly Swiss” in the headline is that Bitcoin is legal in Switzerland. Sure, you have to put investors/customers through AML/KYC checks, but that is not a problem. Just don’t accept Altcoins designed for the dark web. Dark web users don’t use Bitcoin so much any more because its public ledger makes it traceable. With a bit of work it is quite feasible to define a service to store Bitcoin that passes AML/KYC checks.

However, once they have done this, banks do not need to give that information to anybody who comes knocking asking for the data, which brings us to GDPR and Switzerland.

Swiss law already treats data privacy as a right of the customer, so the direction GDPR is pushing is familiar ground for Swiss banks.

Bitcoin investors are a tiny market today, maybe 1% of the gold market. Read Peter Thiel’s Zero To One to see the value of starting with a tiny market that nobody else cares about but that may grow in future (for example, PayPal started with power sellers on eBay).


Bernard Lunn is a Fintech deal-maker, author, investor and thought-leader.
