With Neiman Marcus announcing last night that its data breach is bigger and longer than it first seemed to know, Target reeling, and the FBI warning, payment-system security is a top priority on Capitol Hill. Hearings will kick off in days, but conventional wisdom still has it that all will come to naught because the legislation is complex and interest groups differ on it. Maybe, but I know one for-sure thing about even this dysfunctional Congress: if Members of Congress or their families are affected – as surely they are – partisan rivalries dissipate into a crusade for justice, or at least pay-back. At the least, retailers will exact reputational damage on banks, with good odds that they’ll also get a costly new law on the books – think Durbin and be afraid. How to make this lemon into lemonade? Anticipate the new retail-payment system and get needed statutory change now instead of trying to regain market-share after unregulated providers finish taking it away.
Step back from each of these data-security disasters and consider the broader context: money is moving in ways no one foresaw even a few months ago. What’s happening to credit and debit cards now is that hackers are finding cracks in old technologies to turn vulnerabilities into costly abysses. In the near term, this costs retailers and banks dearly. In the long term, it equalizes old payment technology with new entrants because nothing seems safe.
What’s coming to take old technology’s place are new, speedier, flashier payment modalities – prepaid cards, smart phones, and, yes, virtual currencies like Bitcoin. Bankers loathe these systems because new entrants not only come from unregulated non-banks – think PayPal, mobile-phone providers, Google – but also because these fancy-free financial products are fraught with risk both to consumers and the payment system. But, struggling under the weight of the failures in traditional payment options, how can bankers point fingers? If bankers try to fight these new entrants by waging a war of attrition, they’ll wake up to find themselves struggling to find food in the trash can. Lost market-share is very hard to regain. If bankers simply complain about competitors, the evolution of retail payments into a new business model will just speed up without any under-girding to ensure reliable, safe, secure transactions. It won’t take cyber-criminals long to find these weaknesses. The only thing they’ll wait for is there to be enough money in the new technologies to be worth the taking.
The law will change then, but it will be too late for traditional bankers to re-enter a business line critical to their future as the nation’s go-to financial intermediaries. So, instead of complaining, what to do?
One reason markets are migrating so fast is that retail consumers think everyone pitching them is as good as a bank. FDIC stickers on teller windows mean something only to someone who remembers losing money when a bank failed, and pretty much no one did during the last few financial crises. TBTF expectations and resulting moral hazard are usually considered when talking about the nation’s biggest banks, but even the lowest-dollar retail consumer thinks everyone with whom he or she does business is just like a bank. Since there’s nothing to lose, go where the going is good.
What is the right response to this to preserve not just bank competitiveness, but also payment-system integrity? This is the question bankers must answer, and fast. Expanding FDIC insurance and other protections to new technologies is part of the answer I see, but it’s also critical that banks stop being so stodgy and learn – fast – how to innovate in this critical sector. Trying to put retail payment back into the bank box will only work if the bank box is new and vastly improved.