Australia’s New Payments Platform (NPP) went live in February this year, enabling participating banks to send, clear and settle payments within the country in seven to 10 seconds. That capability has CFOs and businesses intrigued, although the transactions the platform is handling at the moment are only person-to-person payments.
“It can grow to P2B [person-to-business], B2B [business-to-business], G2P [government-to-person] and other various opportunities and use cases,” says Philippe Dirckx, Managing Director Asia Pacific at the banking cooperative SWIFT, which built NPP’s core infrastructure.
Dirckx spoke to CFO Innovation’s Cesar Bacani about real-time payments in Australia and how other jurisdictions are looking to replicate its philosophy, SWIFT’s new gpi service, cybersecurity safeguards and other issues. Edited excerpts:
I know SWIFT as the provider of technology and infrastructure that allows member banks and corporates to send cross-border payment and other messages to each other in a secure way. The New Payments Platform (NPP) that SWIFT built for Australia seems like a very different product.
It's different without being different. It is similar in a sense that we have built an infrastructure that connects and delivers messages, so we have interfaces and messaging channels. What is different is that this is an infrastructure which is domestic, real-time and distributed.
Basically, participant institutions [in Australia] clear the transactions bilaterally before sending the settlement instructions down to the settlement engine. On top of that, we have incorporated an addressing database into the infrastructure.
The infrastructure has been built based on our core competencies, and based on what we've been doing over the past 40 years. But we have adapted our interfaces and messaging channels to cater for the requirements of the Australian community.
And this is a real-time payments system, right? Seven seconds . . .
We're working in real-time, and in that aspect, it is new to us. Creating a platform that is able to have an end-to-end process of a payment from the moment you send it to the moment it is received and acknowledged by the recipient in seven to ten seconds . . . It’s a very different ball game.
[The message] has to go to the addressing database for alias lookup, it has to go back from the addressing database, it needs to go to the receiving bank for clearing – i.e., verifying that the name linked to the alias [in the instruction] has indeed an account, that the account exists and that it can accept that amount of money – and then go back to the initiating bank saying okay all good, you can send the money.
And then when the instruction is sent, send it to the Fast Settlement System, which is run by the central bank, settle line-by-line in real time, send it back to the initiating bank and the receiving bank, and then confirm to the sending person that his/her payment has been sent and received by the beneficiary . . . That, overall, takes between seven to ten seconds.
I can see how a payments platform like the NPP will make life so much easier for CFOs and treasurers, because the payments they make to and receive from customers, suppliers and so on can be processed so much faster.
The early use case [in Australia] has been for P2P [person-to-person payments], but it can grow to P2B [person-to-business], B2B [business-to-business], G2P [government-to-person] and other various opportunities and use cases.
The first overlay [branded as Osko] is provided by [electronic bill payment company] BPAY in conjunction and co-labeled with the banks. If you have an account with the Commonwealth Bank of Australia, the OskoCBA app will enable you to send money [in real-time 24/7] to your friend banking with Westpac or NAB or any other participant bank through the app.
For businesses, B2B and P2B payments would be the most relevant services.
SWIFT is not in charge of the NPP roadmap in terms of what's going to come on top of the basic infrastructure, but the way it has been designed will enable fintech or any application vendor to provide these applications.
One promising use case is the Australian Stock Exchange being able to pay corporate action proceeds in real-time directly to the end users. The funds go straight to the beneficiary owner’s account in real-time.
You could have a corporate paying salaries to their employees in real-time as well, channeling the instructions to an overlay that will split the bulk payment into hundreds of individual payments and route them on NPP.
Are there other places that have deployed a real-time payments platform like Australia? Have these business use cases been applied there? And are these use cases working?
There are no infrastructures today like the one in Australia. What you have are relatively closed systems that do not really enable these innovations to be plugged in the way you would use the apps on your iPhone.
The way the Australians have looked at it has raised a lot of interest in other markets. The philosophy that Australia has taken is providing the basic infrastructure on top of which third parties can build overlays, new applications to cater to P2P, B2P, B2B, G2P and other use cases.
It aims at fostering innovation by opening the platform to developers to come up with solutions for individuals, for corporates, or for whoever is interested.
Assuming the B2B and B2P overlays are up and running, will CFOs also be able to have visibility into the information streams around their transactions in real-time, for control, analytics, planning, forecasting and other purposes?
They would need to go through a bank. Banks participating in NPP have access to a certain number of reports which can be shared with their underlying clients. It would be up to them [to do so].
If I could make a parallel to what we are doing with cross-border payments, SWIFT gpi [global payments innovation] allows end-to-end tracking of payments from a cross-border point of view. Banks are able to track every transaction through a cloud-hosted tracker reachable through API [application programming interface].
Nothing would prevent banks in the future from making the tracker visible to their corporate clients. At the end of the day, corporates would like to see if their payments are on the way, where they are and the like. If my counterparty told me that they had sent the payment yesterday or five hours ago, where is it in the chain? Is it coming? Can I see, can I track the payment coming in?
It would be up to the bank to say yes or no on providing access to that information. I would think that would be exactly the same situation for the NPP.
Let’s talk about SWIFT gpi. Can the bank give me access to the information as it happens, allowing the client to aggregate and analyze the real-time data?
The tracker is accessible via API, so banks could integrate the tracker into their applications. They could provide additional services to their client such as the status of incoming payments. So, from a technology point of view, it is possible.
It will depend on what the bank connected to SWIFT is willing or able to share with and offer to the corporate.
This is good to know, because as a corporate, I can tell my bank that I know technically you can do this but you're not doing it.
I am leaving that to you. Today, gpi is in its second phase of development. It's live, we have over 160 banks signed up for the service, we're talking about hundreds of millions of messages sent so far, so it’s extremely successful and growing very fast.
We are progressively building various applications or functionalities that will enrich the gpi service – a stop and recall function, for example – and we are working with our clients to define the gpi roadmap. The idea, similar to the NPP philosophy, is to create rails on which you can innovate and create additional features and services.
We expect corporates to start saying, I want to see where my payment is, and I want my bank to tell me that. If I don't have access to that information, I want my bank to provide me access to the tracker, or just provide me a report that gives me that data.
Going forward, you might also see a number of vendors and developers offering applications that will be plugged into and built on top of gpi to serve the financial institutions that are connected to gpi. Instead of the financial institutions building a particular service themselves, they may outsource the development to a third party.
Can you comment on cyber security in relation to NPP and other SWIFT infrastructure and services?
We have built NPP with the same discipline, rigor, and criteria that we built our core SWIFT infrastructure. We've set the same strict rules and parameters from a security point of view . . . If there are enhancements to be made, from a core infrastructure point of view, we'll do so. As technology evolves, I'm sure we'll do the enhancement that will be required, yes.
There are two levels of protection: In the client's premises, it would be the client's responsibility, in terms of physical and non-physical security. Once [the data] reaches the SWIFT network, it becomes our responsibility.
Does SWIFT help clients with security issues?
We have launched the Customer Security Programme (CSP) that provides the [financial services] industry with a number of security controls. Some of them have been made mandatory, others advisory. Our clients had to self-attest by the end of 2017, saying “yes” or “no” that they were complying with the security controls. By the end of 2018, they will have to comply with these controls.
We take security very seriously. Although some cases [of cybersecurity breaches] have been publicized in the press over the past couple of years, the SWIFT network has not been compromised. These were breaches at the client level, not on the SWIFT network.
Still, we thought it was important for us as a leader in the community, as a cooperative, to work with our clients and to put in place an infrastructure framework allowing them to have a security environment in line with best practices. That is what we've done. We've defined these security controls, we've published them and we've asked all our clients to comply with them by the end of 2018.
What does “comply with them” mean?
Let me give an example. Banks need to segregate their private from their public networks. Typically if you're running SWIFT Alliance Access on a computer, it should be on a dedicated server or a dedicated line, and not comingled with the Internet [connection] that anybody in the firm would be using to browse or to book tickets for a concert.
So what happens if they don't comply?
There are two parts to that. One is that banks have to comply [with CSP security controls] and two, they have to attest that they are compliant. If they don't, they will have to attest that they don't comply. This [attestation] is put only on a central database, a repository similar to our KYC [Know Your Customer] registry.
You can give your counterparty access [to the registry]. In effect you’re saying: "I'm compliant. Look at the registry” . . . It's not a question of name and shame. We don't name and shame anybody. We're just saying you need to attest, and you have the right to disclose your attestations to your counterparties.
Will you tell regulators, too, whether a SWIFT user is or is not compliant with CSP?
We reserve that right. It might be the regulator also coming to us and saying, "Can you provide the list?" But we reserve the right to provide [the list] to the regulator.
Will the registry be open to the public?
No, this is a private registry . . . But a bank can ask their counterparties if they have attested as part of their due diligence process.