Can banks benefit from spreading the net?

How convenient would it be if your alarm clock could tell your coffee machine to brew a drink before you have even left your bed? If you could read a personalised selection of the news on your bathroom mirror while you brush your teeth? If you could pick up grocery items and walk out of the supermarket door without queuing, because sensors in the store connected to your mobile wallet and charged your bank account.

Better yet, think of the convenience if your fridge or cupboard could order items such as milk and coffee when you are running low. If your mobile banking app suggested ways to save you more money. Or, if your car could give you alternative routes when it picked up signals over the internet that there is a traffic jam on your usual route. This might also mean that your mobile wallet blocked you from spending money when you reached a certain limit. Or, that your car reported you to the police when you drove through a red traffic light.

These are just a handful of the opportunities and risks that are emerging as more and more devices connect to the internet and to each other. They represent a transition into a life fully enabled by a concept called the Internet of Things (IoT); where devices and machines can communicate with each other, interpret information and make autonomous decisions. It may seem far-fetched. But it is not.

Early stages

Insurance company State Farm and car manufacturer Ford, for example, have paired up to offer safe drivers discounts on their insurance, thanks to Ford’s in-car voice and mobile device connectivity system Sync. Sync diagnoses the driver’s performance and the car’s maintenance needs, and automatically feeds this information to State Farm.

In the utilities sector, a thermostat called Nest requires users to operate the device for a few days before it ‘learns’ from the user's habits and can automatically control room temperatures accordingly. It also has sensors in place to detect if there is nobody at home – so it can autonomously lower the temperature. And, it can be controlled remotely: the user just needs to connect Nest to their home Wi-Fi network and can then control it from a laptop, smartphone or tablet.

In the retail sector, sports brand Nike has developed a so-called 'fuel band' that tracks the user's daily activity and the amount of calories they have burnt, acting like a personal trainer on the user's wrist. The same concept could be utilised by financial institutions, according to Deniz Guven, senior vice-president of digital channels at Garanti Bank in Turkey, a country where many banks are leap-frogging their Western peers in terms of technological innovation, thanks to the absence of legacy networks and systems.

Tracing the digital trail of customers’ habits in real-time could empower banks to become financial life coaches, says Mr Guven. Banks could, for instance, link their system to the customer’s fridge and analyse which brands they buy. When the customer is running out of a certain product, the bank’s applications could then search for relevant offers at retailers and send relevant coupon offers to the customer's smartphone.

“Banks will benefit from the IoT thanks to better transparency of consumer spending behaviour. It is not about encouraging them to spend more money but providing better services so they can spend their money on relevant items,” says Mr Guven.

Eventually, the IoT could impact all aspects of banking, including retail, supply chain and inventory efficiency, and trade finance. Research and consulting firm Machina Research predicts that the total revenue generated by connected devices such as PCs, tablets and mobile data and other so-called machine-to-machine (M2M) services – plus the revenue from the sale of associated devices – will peak at $1800bn in 2020, up from $560bn in 2010. 

But with opportunities comes risk. Many bankers and other industry stakeholders are concerned that when devices are connected, it may be difficult to trace where the data comes from, who has access to it, where it is kept and who does what with it. It is an issue that is facing regulators, bankers, telecommunications companies and retailers but none, as yet, have been able to come up with a solution. Technology is developing faster than necessary regulation and standards.

Trust anchor

The IoT is a network of objects that communicate with each other directly or through central servers, explains Georg Steimel, head of M2M for western Europe at information and communications technology solutions provider Huawei. Each object has a sensor or chip embedded in it with which it communicates. In business terms, the IoT could unlock the silos in banking systems, effectively transitioning banks from an intranet of things to the IoT.

The mobile device is emerging as a key sensor, with mobile networks enabling the carriage of signal, says Vipul Shah, the global head of strategy and business development for JPMorgan's treasury services. As a result, smartphones are likely to become an extension of identity. Mobile identification could thus prove to be the basis of advanced behavioural analysis.

Mobile phones could become the trust anchor for mobile authentication, such as mobile signatures. This was the argument used by Sabine McIntosh, global head of electronic bank account management and identity services for Citi's global transaction services at this year’s Mobile World Congress.

Ms McIntosh said that there was already a “great demand” for the IoT, but called for government mandates and partnerships between private and public companies. “We need both regulation and a framework to deal with when things go wrong. [Consumers] will continue to have multiple digital identities [on different websites], but we need to make sure we can protect them."

This will be crucial as, in terms of banking, the IoT is set to have the most influence in the payments space.

Joining up

Increasingly, industry stakeholders are working together in the payments space, rather than operating on closed-loop systems. MasterCard, Visa, PayPal and Google, as well as lesser-known firms specialising in mobile advertising and m-payments, have already developed services to respond to the market opportunities. Partnerships for services such as mobile wallets – including one between Citi, MasterCard and Google – are common.

Most recently, MasterCard unveiled its online checkout service MasterPass. MasterPass will appear as a ‘button’ on a website just before check-out, similar to the PayPal payment option, but the novelty of MasterPass is it can support various digital wallets and cards, including those of rival networks Visa and American Express. This eliminates the need to register several cards individually and represents a break with the closed-loop systems that the payments world traditionally tends to launch.

The solution also supports near-field communication (NFC) technology, which permits wireless communication between devices, in this case, between phones and payment terminals. MasterPass also supports Quick Response (QR) codes, which are square barcodes that can be used for in-store purchases. The card and other personal details used by MasterPass are all stored on the cloud.

Same old problems

For banks, perhaps the biggest issue will be integrating their legacy systems with newer technologies. This is already proving to be an issue and is set to get more complex as a growing number of devices are connected. Allan Boardman, international vice-president of the Information Systems Audit and Control Association, thinks that, with the IoT, it is becoming more complex to manage the authentication of system access because there are significantly more interconnected devices, often in highly complex and highly connected environments.

This highlights two issues, says Mr Boardman. One is that legacy systems need to be able to connect and work frictionless with newer systems. The second is that, as more connections are established, robust access controls are absolutely critical. So the key question today is, how does a user connect to other devices and ensure that the data is adequately protected?

Testing is an obvious answer to ensure production systems operate as intended. “However, because of the growing interconnectivity and complexity of systems, it is often impossible and prohibitively expensive to have an exact copy of the production environment built up in a test environment [that can] simulate the production conditions," says Mr Boardman. "This means that organisations can, and do, experience major production incidents and outages because changes have not been properly and extensively tested.”

Testing ground

The ATM market may be an inspirational playing field to work out technical discrepancies. “ATMs have had M2M connections for a long time because they need them to validate customer credentials to conduct a transaction. What is different is that more and more ATMs are connecting wirelessly [to systems], which enables their placement almost anywhere with cellular coverage,” says Dan Shey, practice director of M2M, enterprise and verticals at ABI Research.

Now, the next level of M2M communication in the ATM space seems imminent. ATM manufacturer Wincor Nixdorf has created a mobile phone app on which a user can initiate a cash withdrawal without using their bankcard. Instead, the user receives a QR code that serves as authentication when it is scanned at the ATM.

The company says that banks need to add “only a few extensions” to the configuration of their existing ATMs, such as a bar scanner for the QR code for the app to work. The company also has solutions in place that can integrate and link this service with banks’ back-end systems.

A rival manufacturer, NCR, has a similar offering, but its solution, the firm says, does not require any additional hardware or NFC readers. In an announcement in July 2012, the manufacturer stated that it could be deployed “with just a simple software upgrade”.

Niall Murphy, founder and CEO of IoT software company Evrythng, considers the "digital activation" of products through QR codes to be revolutionary. All they require is a QR code scanner app. “Phones can be connected with products. This is an augmentation of physical products. This is mass-deployable at minimal costs,” Mr Murphy said at the Technology Frontiers event hosted by The Economist in March.

Transforming trade finance

It is not just consumer products and retail banking that the IoT is set to transform. There is potentially a widespread economic benefit of utilising it in trade finance, as the ability to track the flow of goods could unlock working capital through so-called radio frequency identification (RFID) sensors.

This would improve both the physical and financial supply chain, says Mr Shah at JPMorgan, as the application of RFID tags to physical goods could correlate with trade documents such as a letter of credit. “This can potentially increase the velocity of capital. Payments could immediately accompany the flow of goods. This would be a tangible and practical economic benefit for working capital management attributable to the IoT,” he says.

Another, perhaps more subtle, benefit of the IoT may be in adjusting the assessment of risk in the transaction as goods flow through various stages, says Bruce Proctor, head of global trade and supply chain finance at Bank of America-Merrill Lynch. “RFID tags already help retailers with the transportation of goods. Benefits include control of the quality of the underlying goods, timeliness in transportation and distribution, inventory planning and management of regulatory requirements – such as customs and security,” he says.

Banks could make use of this in in-transit or 'on the water' financing to trace, in real time, the location of goods and their circumstances. This way, banks can match financial capabilities to the physical shipment of goods, which will optimise financing terms for both the banks and their clients. “Having this in-transit, pre- and post-shipment data can help us deliver financing options that can be timed to more precise durations. This has benefits for both the banks and their clients,” says Mr Proctor.

For instance, if banks can track shipments to specific points in time, they will be able to balance their exposure to clients by not having to lock in financing for any more time than necessary. “Currently, a client may have a 30-day credit with us, but actually only need it for two weeks. With the data that RFID tags could provide, we would be able to stop the financing as soon as the client no longer needs it – saving them money – while also allowing us to direct the capital to another client,” says Mr Proctor.

Security threat

In the retail segment, the combination of mobile applications such as global positioning systems (GPS) and accessible technology such as QR codes (which can be downloaded as an app) have created immense potential in the location-based and personalised advertising space. Research by technology research firm Gartner predicts that global advertising revenue from mobiles will grow by 21% in 2013 to $11.4bn. In 2016, Gartner estimates that this figure will have reached $24.5bn.

But for now, the IoT is still in its infancy. Regulatory guidelines and industry best practices need to be worked out and technical barriers overcome. There is no specific, IoT-related legislation, so for any new connection or technology, existing privacy and data protection rules apply. Meanwhile, big data is soaring – fuelling worries about security.

“There are still many security issues surrounding the IoT – security of data, customer data, in particular. Banking data is already heavily regulated – however, the regulations around the unstructured 'big data' is not as tight,” says Brigid Whoriskey, head of research and innovation, strategy and architecture at RBS.

Ms Whoriskey says that the increasing number of companies and services accessing personal data increases the risk of storage in insecure locations. “As such, all devices must be treated as compromised. A small amount of compromised data across many services could, when aggregated, lead to the reconstruction of a customer’s identity, which could be used for fraudulent activity,” she adds.

The wild web

As the IoT combines many different technologies and is expected to bring profound changes into society, it is not possible to pinpoint specific legal principles that protect privacy or personal data in the context of the IoT, says Michael Leiser, who specialises in digital strategy and transformation for international organisations and is a member of the Internet of Things Council in Europe. 

“All of them apply and the importance of a particular principle depends on the context in which a specific technology is deployed,” he says. An EU update on data regulation could improve privacy and data protection by including some IoT elements. This may include, among other components, the right to be forgotten and to erasure, the integration of privacy by design, and privacy by default principles, Mr Leiser says.

Last year, between April and July, the European Commission (EC) initiated a consultation period on the IoT to help define a future policy. This attracted contributions from 600 people, associations, academic and civil groups, and industry participants, mostly from the EU, but also internationally, especially from North America. The EC concluded in February 2013 that there was no agreement on whether any public intervention was needed and to what extent. 

“In general, industry argued that the current data protection framework is sufficient, and that no additional rules are needed. A few respondents even called for no public intervention at all to avoid stifling innovation,” the EC stated.  However, the EC also highlighted that “a large majority of interested citizens and consumer organisations claimed the current data protection framework is not sufficient and a greater focus on privacy and data protection is needed”.

On the question of specific guidelines and standards on security and personal safety in the IoT, several industry players as well as a few members of the public argued that over-regulation could lead to unnecessary burdens as the industry is still nascent. As one academic quoted in the conclusion paper put it: “Too early guidance towards standardisation could inhibit the emergence of better architectures via trial and error in the market.”

There are ways to circumvent the privacy and data breach threat, however. Banks already have a lot of data, so using it in a better way for new business opportunities seems a conspicuous – but as yet, underleveraged – solution. One such example is Cardlytics, a company that specialises in personalised rewards, which tailors offers based on the data the bank already has. The data itself, however, still remains with the bank, says Jason Brooks, UK managing director of Cardlytics.

“There is no change in that regard. Now, we just enable rewards based on the [existing] data. Our business model does not change the banks’ business model. It is about thinking about data differently,” he says. And ‘thinking’ differently in this case means relevant and frequent offers to consumers based on their spending record.

Infrastructural needs

Besides security standards, the deployment of a new internet protocol (IP) is also crucial for the IoT, according to network specialist Cisco. Currently, the globally recognised internet protocol is called IP version 4 (IPv4). The replacement of IPv4 with IPv6 (version five was never deployed for public use) is important because every computer connected to the internet has its own protocol address. As more devices connect to the internet, the 4 billion-odd unique IP addresses that are available in the IPv4 “were completely allocated to specific geographic regions” as of February 3, 2011, according to Cisco.

So the scarcity of IP addresses “has the potential to slow IoT’s progress since the potentially billions of new sensors will require unique IP addresses”, Cisco says. IPv6, on the other hand, comes with what wireless carrier Verizon describes as “an astronomical number [of unique IP addresses], which is sufficient to dole out unique IPv6 addresses to any conceivable networkable object on earth into the indefinite future”. 

IPv6 has other benefits over IPv4, including better security features. Although IPv6 is already in use in many countries, including Brazil and Czech Republic, for the IoT to take off, it needs to be deployed globally.

Machine versus man?

Imagining a future where everyday household items are intelligent enough to make decisions, of course, bears an inherent suspicion that delegating decisions to machines could be risky. Many stakeholders acknowledge that it is impossible to guess what will happen to privacy, data sharing and data ownership. Yet, the majority concede the social and economic benefits far outweigh any potential negative impacts.

The IoT could actually enhance security on all levels, for example. There will always be a trade-off between being untraceable and sharing information, says Mr Leiser. Most importantly – in retail payments or other areas where data sharing is concerned – the individual must opt-in to use the service. But one day, opting out may not be feasible when everything is connected and the IoT is ubiquitous.

“GPS and mobile phone networks make it easier to find people. That may be a disadvantage if you do not want to be found, but if you are in a car accident, it may save your life,” says Mr Leiser.

Kevin Ashton, a technology pioneer who coined the term IoT, is convinced it is a matter of novelty versus familiarity. He believes that those who will initially opt-out of the IoT are simply late adopters. “There is a new generation of Amish who use power tools. They do that because their method of agriculture is not effective enough for them to earn a living. This is an extreme example of a community of people who have been opting out for a long time, but now the benefits of opting in are far greater than anything else,” he says.