Australia’s foot-dragging retail banks are set to be stung with steep fines by the end of this year over their persistent sluggishness to implement key functionality from the New Payments Platform (NPP), with the Reserve Bank of Australia (RBA) on Thursday finally sparking-up its regulatory cattle prod.
The recommendation for the sharp jolt is contained in a highly anticipated report on the road ahead for the NPP, with the RBA finally coming good on years of escalating warnings that bank lethargy over plugging-in real time and data rich functionality will not be accepted.
“The Bank believes the NPPA Board should have the power to mandate that changes to the central infrastructure or native capabilities of the NPP must be supported by participants within a specific timeframe, backed up by an enforceable sanctions framework (including possible financial penalties) for participants that do not comply,” the RBA blasted.
The reality is the new punishment regime will be meted out via powers granted to the infrastructure holding company NPP Australia (NPPA) so it could directly hit participants (essentially members) for not meeting functionality or go-live deadlines it mandates.
Banks are mutual owners in the NPPA, so fines the practical application of fines should be a robust discussion.
The proposed penalties regime broadly mirrors existing compliance instruments in a range of payment schemes, like Mastercard and Visa, that are used (usually as a threat) to spur upgrades for unpopular and costly infrastructure upgrades like PCI-DSS.
Those fines are typically in the millions.
The big headache so far for the NPP and its regulatory backer, the RBA, is that while banks have signed onto and connected to the NPP’s infrastructure, they have all done it in different ways and fired-up different functionality hobbling the desired uplift from ‘network effect’.
In simple terms the result has been the equivalent of a dozen half-built and un-rideable bikes rather than six built ones and six unbuilt ones.
It’s also arguably squandered the consumer ‘wow’ factor of real time payments through a combination of initial resistance, legacy system dependency and competing technical priorities like other compliance requirements.
“Even where NPP services have been enabled, some major banks still have significant functionality gaps in terms of the ways that payments can be initiated or the limits that are placed on NPP payment amounts,” the RBA said.
“The incomplete reach of the NPP and the partial functionality offered by some of the major banks has disappointed end-users that have been keen to utilise the NPP and has also likely delayed the development of new services that would extend the NPP’s capabilities.”
Sometimes slow change, especially very slow change, doesn’t feel like much change at all.
“The slow roll-out of NPP services by some larger banks has been disappointing and overall NPP volumes have grown more slowly than was initially hoped. While it was always expected that financial institutions connected to the NPP would roll out customer services according to their own schedules and priorities, this roll-out has occurred more slowly than anticipated,” the RBA said.
“While the major banks have now largely completed the roll-out of NPP services to their retail customers, the roll-outs to business and corporate customers are ongoing and some banks have yet to provide NPP services to their subsidiary brands.”
The biggest laggards, predictably, are the biggest banks which hold the biggest legacy overhead.
Westpac CEO Brian Hartzer has already been interrogated in front of a parliamentary committee over his institution’s well-known issues problems plugging into the NPP’s functionality.
Westpac then again came a cropper on the NPP last week after it was revealed the institution failed to detect the brute force farming of PayID addresses via compromised bank accounts using the addressee look-up system.
But it’s in good company.
“The delays experienced by some of the major banks point to the complexity of their internal systems, the fact that they have many other projects underway, and the challenges for security and operational reliability of moving to real-time and 24/7 payments,” the RBA said.
“Some of the banks appear to have significantly underestimated or underfunded their internal projects in this regard and there may also have been insufficient oversight of projects by senior executives and boards of financial institutions.”
Let’s just pause there for a moment to reflect on who is saying what, and who they’re saying it to.
The realpolitik of the RBA’s observations is Australia’s central bank telling the retail banks – at CEO and board level – that they have failed and are about to cop it.
“Given that there remains significant work to be done to realise the full potential of the NPP, the Bank will be continuing to push the major banks to prioritise the roll-out of services to their customers and ensure that significant functionality gaps are addressed as quickly as possible,” the RBA said.
And in case the brisk stinging sensation of fines has become slightly dulled by familiarity for some banks (thanks AUSTRAC), the RBA is happy to remind institutions there are further options that might sound a little more boring but are much more unpleasant than writing a cheque.
“If the Bank assesses that there has been insufficient progress in addressing the recommendations made in this report, it will closely consider the case for regulation via standards mandating functionality or an access regime imposed on the NPP and its participants,” the RBA said.
“The Bank has a number of powers to pursue these goals, including the ability to ‘designate’ a payment system as being subject to its regulation and then to impose standards and/or an access regime on that system or on participants in that system if warranted on public interest grounds.”
Now the Royal Commission is over, the real fun begins. The Australian Banking Association has been contacted for comment.
