Abdul Rasheed Ghaffour: Reimagining the regulatory landscape for payment systems

Keynote address by Mr Abdul Rasheed Ghaffour, Deputy Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Global Payments Week 2018 "Reimagining the regulatory landscape for payment systems", Kuala Lumpur, 4 December 2018.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech  | 
06 December 2018

Making a payment used to be an ordinary affair. You'd fill up your cart, head on to the cashier, and reach for your wallet. Today, that cart could be a screen, the cashier a machine, and the wallet a phone. In a span of about 10 years, digital innovation has radically transformed payments. Digital technologies now enable payment services to be easily replicated and rapidly scaled, often at a small incremental cost and increasingly by new and non-traditional players. Geographical and time constraints are becoming less relevant when transferring funds especially with the advent of real-time payment services. Mobile money and e-wallets have brought millions more individuals into the financial fold. 'Super apps' combined with payments functionalities have created entirely new ecosystems - these enhance user convenience and offer new opportunities for businesses beyond the area of payments. Cash and cards are no longer the only ways to pay - soon, we may no longer even need to present our physical or digital wallet. Last year, a global fast food chain started accepting facial recognition as a mode of authorising payment in China. This is - quite literally - the new face of payments.

It is thus an opportune time to be gathered at this year's Global Payments Week (GPW). Indeed, Bank Negara Malaysia is deeply honoured to host the first GPW in Asia-Pacific. This is fitting for the times, given the growing pervasiveness of digital payments in Asia in recent years. The 2018 World Payments Report estimates that the growth of non-cash transactions in emerging Asia has outpaced Europe and North America by at least four to five times between 2012 to 2016. The trend is expected to continue - emerging Asia is forecasted to record roughly 250 billion non-cash transactions by 2021, making this region the market leader by volume of electronic payments for the first time.

Indeed, the future of payments look brighter than ever. Digital payments adoption is growing. The technological advancements supporting it show no signs of slowing down. Yet, no matter how optimistic everyone else is - it is in our DNA as regulators to think about what could go wrong.

For today's keynote address, allow me to therefore highlight the key challenges and risks that may lie ahead. I will then share a few perspectives that I believe are crucial for the regulatory agenda for payments going forward.

The first key challenge is the evolving landscape of technologies and the resultant risks for payment systems. The rapid development and adoption of technology in recent years has brought about greater efficiency and productivity.

However, the pace of change itself can be a key challenge, if not managed well. Not too long ago, the advent of the Internet heralded a new era for payments by enabling transactions to be conducted remotely using online banking services and payment cards. Today, payment technologies have evolved rapidly to include an alphabet soup of different modes of payment - for example RFID, NFC and QR just to name a few. At the same time, new use cases leveraging on biometrics, open API, artificial intelligence and blockchain are also being developed. While such technological innovations demonstrate great potential, the full impact and resultant risk may yet to be fully understood.

Cyber security is also a fast-growing area of concern, given the sophistication of cyber threat actors and as more consumers and businesses are plugged into digital payments. This is further compounded by the interconnectedness of payment systems which heightens contagion risk. While sources of risks are borderless, the non extra-territorial nature of most payment regulation and supervision presents a key challenge to effective regulatory oversight. 

Concentration risks also require close attention, given the largely centralised model of prevalent payment systems. Network effects are a double-edged sword. As a payment system becomes more widely used, the implications of operational disruption would also be more far-reaching. In 2018, we have seen two global card networks face service disruptions, affecting at least five million transactions in Europe and the US. If the frequency and magnitude of such disruptions increase, there is a real risk that public confidence in digital payments would be undermined.

The second challenge is market fragmentation. Across domestic markets, incumbent banks, technology companies and telco firms - among others - are all vying for a share of the pie, leading to a proliferation of payment service providers. Although a more diversified market can reduce some of the concentration risks that I highlighted earlier, there are trade-offs that need to be managed. In 2018 alone, the UK saw its number of e-money players increased from roughly 400 to 600 companies. A country that has a high number of proprietary networks is likely to face challenges for interoperability across payment providers. This in turn could weaken network effects and economies of scale for domestic payments. Meanwhile, on the ground, merchants may cope by putting up a dizzying array of signs and stickers to indicate the range of accepted payment options. The sheer amount of choice - each with differing benefits and limitations - could be confusing for consumers, and frustrating for merchants especially when it comes to reconciliation. For countries striving to encourage the adoption of e-payments, these issues could be a major stumbling block.

Similarly, market fragmentation is a growing challenge at the international level, especially as individual countries and firms embark on their respective initiatives in the payments landscape. This could lead to substantive cross-border differences, such as in the technical standards, business rules and regulatory requirements. While these differences are not insurmountable, overcoming them can entail significant costs - such as when a web of intermediaries is needed to facilitate a cross-border transaction.

If not managed well, cross-border differences may hamper efforts to support bilateral or regional integration, such as where local payment companies look to expand or integrate to enable cross-border connectivity.

Shifting market expectations is the third key challenge, which can lead to a gap between customer demand and payment services available. Consumers today are increasingly used to on-demand services that are instant and seamless. To this end, retail payments are making good progress - increasingly, more countries have developed real-time payment infrastructure that support instant peer-to-peer (P2P) payments. However, the same experience is increasingly expected - but not necessarily delivered - for other segments, such as in consumer-to-business (C2B) and business-to-business (B2B) payments. Gaps also remain on the cross-border front in terms of speed, transparency and cost.

The growing complexity and depth of global financial markets, such as in securities and derivatives markets, also has implications on large value payment systems. Financial institutions and large corporates are gradually facing more difficulties in handling multiple types of financial instruments across multiple jurisdictions and across multiple functions within their organisations.  Perhaps there may be demand going forward for payment systems to support greater sophistication in user functionality, such as liquidity optimisation facilities for banks and automated treasury services for corporate clients.

Keeping in mind these challenges, a few questions come to mind. First, what is the appropriate role for regulators when it comes to digital innovation in payments? Second, should regulators be proactive in leading the agenda of change or keep an active watching brief and intervene only when necessary? Third, how do we balance between oversight and developmental objectives? And the fourth, what are the right set of guiding principles?

I would like to turn to these questions for the second half of my speech. Importantly, I believe that regulators have to play a driving role to foster an enabling environment for an efficient and vibrant payment landscape, whilst actively managing the associated risks. Innovation should be industry-led. Regulators should instead focus on building the right preconditions for the payment systems to develop in a resilient and progressive manner. In this regard, I would like to share four key focus areas for the payments regulatory agenda moving forward:

  • First, to preserve trust to safeguard the resilience and integrity of payment systems;
  • Second, to apply proportionate regulation to effectively manage risk, whilst not stifling innovation;
  • Third, to enable connectivity through collaboration towards greater standardisation and interoperability; and
  • Fourth, to promote efficiency and innovation through greater competition.

Preserving trust

Let me start with the first focus area of preserving trust. Trust is at the heart of any effective payment system. Consumers, businesses and governments must be able to trust that a payment made is final, that it reaches the intended beneficiary, and that the value transferred is accurate.

Without these elements, a payment system or service cannot serve its purpose. To that end, regulations must seek to ensure that payment systems are secure, reliable and resilient.

Given the increasingly unpredictable sources of risk, regulatory initiatives would benefit from an 'assumed-breach' philosophy. Systemically important payment systems must be set up to be able to withstand disruption. This would entail requiring adequate financial buffers and robust business continuity arrangements to preserve the continuity of key payment services under stressed conditions.

With increasing digitalisation, cybersecurity incidences have the potential to not only cause significant business disruptions and monetary losses, but also undermine the trust and confidence in the global financial system. Due to the interconnectedness of the global economy, cyber resilience is only as good as the strength of the weakest link. It is important therefore for regulators to formulate and promote the adoption of holistic cybersecurity strategies that are constantly enhanced. This should be complemented by strong public-private collaboration at both domestic and international level to strengthen collective resilience.

With payment systems becoming more efficient and interconnected, it is also important to prevent their abuse by illicit actors, such as for money-laundering and terrorism financing (ML/TF). Notably, the availability of instant payments poses challenges to traditional AML monitoring tools that operate on a batch mode, rather than on a real-time basis. Regulations should thus focus on continuous enhancement of AML controls among industry players, supported by improved AML compliance procedures and more advanced monitoring approaches. This may include the use of machine learning and artificial intelligence capabilities to mitigate ML/TF risk, while preserving the speed and convenience of faster payment systems.

Proportionate regulation

Let me now turn to the next regulatory priority, which is proportionate regulation. Importantly, efforts to strengthen the regulatory and supervisory framework for payments oversight must seek to uphold a key principle: proportionality. More than ever, regulators will have to make tough judgment calls on the appropriate trade-offs between competing regulatory demands. For example, open data initiatives that seek to democratise access to customer information would need to consider implications to data security as well as cultural attitudes to data privacy. Providing a seamless user experience to on-board customers for digital payments could also run counter to AML/CFT controls that are traditionally held up as best practice. These are but a few of the examples of the dilemmas that we will have to grapple with.

In this regard, a 'one-size-fits-all' approach is tempting because it is simple. But its simplicity is precisely why regulators must avoid it. Effective regulation today demands differentiated regulatory requirements that cater for a spectrum of risk profiles.

This should be ascertained after undertaking a granular assessment of these risk profiles, and identifying the necessary areas that continue to require risk mitigation measures. Of note, this goes beyond having sandboxes, which are already more common in the regulator's toolkit. In Malaysia, for example, the regulatory regime for e-wallets is differentiated by size. This is supported by a tiered approach to managing AML/CFT risks, where limits on account functionalities serve as safeguards where more simplified customer due-diligence (CDD) methods are applied. This reflects the differentiated level of risks across different types of e-wallet accounts.

While such efforts are intrinsically more complex, they can accommodate a richer spectrum of business structures and operating models, which in turn can spur innovation. Importantly, this is not about regulations adopting a 'light touch'; it is about having the right touch, guided by the degree of risks involved.   

We also should not shy away from exploring nascent technologies that could contribute to the overall resilience of payments infrastructure. As regulators, we should explore pilot programmes to test the potential of emerging technologies. Examples of this include the EU and Japan's joint project 'Stella', as well as Canada's project 'Jasper' that aim to study the possible use cases of distributed ledger technology. Even if these programmes do not immediately deliver scalable solutions, the experience can confer valuable lessons for future initiatives.

Enabling connectivity

The third area for regulatory focus would be to enable connectivity. A payment system is only useful if it has a wide network reach, be it across products or players, within a nation's borders or beyond. In this regard, regulators can play a key role in fostering collaborative efforts towards greater standardisation and interoperability.

At the domestic level, a few initiatives come to mind - all of which seeking to leverage on a common network. The UK is undergoing a consolidation of key retail payment systems under a single New Payments Architecture (NPA), aimed at addressing the lack of a common entry point for access and different on-boarding processes for participants across the different systems. Similarly, Australia launched the New Payment Platform earlier this year, which is seen as a key payments infrastructure for the domestic market.

Of significance, these developments share common outcomes - to avoid duplication of industry resources, widen network reach and enable economies of scale.

Here in Malaysia, pooling of resources at the infrastructure level has been a longstanding strategy for the payment system. As early as 1997, Malaysia had consolidated its three ATM networks to eliminate fragmentation in that segment. More recently, we saw the formation of PayNet which serves as a shared payment infrastructure to facilitate domestic payments. Of note, PayNet will be launching the Real-time Retail Payments Platform (RPP) next week. This will be supported by a National Addressing Database (NAD) that enables users to pay seamlessly and securely using simple identifiers such as their mobile phone, national registration or business registration numbers.

At the international level, regulators should also seek to collaborate towards promoting greater harmonisation or centralisation of legal, technical and operational arrangements for payments. These include exploring the adoption of international standards such as the ISO 20022 messaging standard. These standards would enhance compatibility across different infrastructures and pave the way towards greater cross-border interoperability. To take this further and fully realise the benefits, cross-border coordination will be key to promote uniformity in how the standards are interpreted and operationalised.

Promoting competition

The fourth perspective for the regulatory agenda relates to the need to promote efficiency and innovation through greater competition.

Given the importance of scale and network effects in delivering payment services, it is no surprise that the payments industry tends towards an oligopolistic structure. These market dynamics are amplified in the digital payments market. 'Winner-takes-all' dynamics are synonymous with digital platforms, which often aim to build as large of a network as possible. After all, this facilitates a virtuous cycle of more data, leading to better and cheaper services, which in turn leads to more customers - so on and so forth.

To this end, regulators must ensure that these market dynamics do not result in perverse outcomes for the payments ecosystem as a whole. Such perverse outcomes could include the abuse of a dominant market position to erect undue barriers to entry, or to impose exorbitant prices on end-users.

Encouragingly, regulatory authorities are increasingly playing an active role in mitigating such risks. Of significance are efforts to promote open access regimes to key payment infrastructures, regardless of whether the payment service provider is an incumbent bank or a non-bank player. In Hong Kong, the Faster Payments System (FPS) was launched in September 2018 with a total of 21 banks and 10 non-bank e-money issuers participating in the scheme. The UK went even further in April 2018, with the Bank of England allowing a non-bank to access both clearing and settlement facilities in the RTGS system. Enhanced transparency expectations can also play an important role in ensuring that infrastructure suppliers and payment service providers continue to maintain high service levels and deliver services that create value for end-users. 

Slowly but surely, initiatives like these are rewriting the rules of the game in the payments industry towards heightened competition through lower barriers to entry. This is further reinforced by a gradual move towards greater sharing of customer data, such as through the EU's Payment Services Directive (PSD2), the UK and Australia's respective open banking initiatives.

Malaysia too welcomes greater openness in its payments ecosystem and the broader financial services sector.


To conclude, allow me to reiterate that regulators should uphold a commitment to support payments innovation. The focus would be to lay the foundations for market-led innovation, by focusing on the elements of trust, connectivity, efficiency and innovation of the payment system. This will ensure that the power of digital payments is harnessed towards value creation for the real economy, while navigating the emerging risks and challenges on the horizon.

Looking ahead, the pace of change in payments is only set to intensify. Payment system regulators will have to be agile in considering new ideas, while remaining steadfast in safeguarding the public interest. To this end, continuous engagement will be key - both among regulators as well as between regulators and industry players. With that, I wish you all a fruitful discussion in the week ahead and hope you have a good time in Malaysia.