CLASH OF THE TITANS: REGULATING THE COMPETITION BETWEEN ESTABLISHED AND EMERGING ELECTRONIC PAYMENT SYSTEMS

By Jane Kaufman Winn

ABSTRACT

This article equates the providers of traditional electronic payment services with the Titans of Greek mythology, and the providers of new electronic payment technologies with the Olympians. Professor Winn concludes, however, that unlike the Titans of Greek mythology, these modern Titans appear to be winning in their battle with the upstart Olympians.

This article describes the fundamental characteristics of payment systems, reviews the applicable law, and describes the new technologies that were, until quite recently, expected to displace older electronic payment systems. Professor Winn finds that consumers and merchants, by and large, are happy with the existing regulatory structure. And, because of the failure of new technologies to gain significant market share yet, regulators have not yet been obliged to revise existing regulations to take account of these new technologies.

TABLE OF CONTENTS

I. INTRODUCTION: CLASH OF THE TITANS 676

II. CHARACTERISTICS OF PAYMENT SYSTEMS 678

A. LIQUIDITY 678

B. FINALITY 679

C. TRANSACTION RISK 680

D. SYSTEMIC RISK 680

III. TRADITIONAL PAYMENT SYSTEMS: THE TITANS 682

A. CHECK CLEARING 682

B. WHOLESALE FUNDS TRANSFERS 684

C. CREDIT CARDS 686

D. CONSUMER FUNDS TRANSFERS 688

E. SECURE ELECTRONIC TRANSACTIONS ("SET") 689

IV. PAST FAILURES: THE FIRST OLYMPIAN ASSAULT 691

A. EARLY FATALITIES: FIRST VIRTUAL AND DIGICASH 691

B. WALKING WOUNDED: MILLICENT, CYBERCOIN, MONDEX 693

V. THROUGH A GLASS DARKLY: THE NEXT GENERATION OF ELECTRONIC PAYMENT SYSTEMS 695

A. SECURE SOCKETS LAYER ("SSL") 695

B. E-CHECK 697

C. INSTABUY 698

D. PORTALS 699

E. NACHA 699

F. WHAT THE FUTURE HOLDS 700

VI. INTERESTS OF STAKEHOLDERS AND GATEKEEPERS IN ELECTRONIC PAYMENT SYSTEMS 702

A. STAKEHOLDER INTERESTS 703

B. GATEKEEPER INTERESTS 704

VII. CONCLUSION 708

Banks are dinosaurs. We can bypass them.

- Bill Gates1

The reports of my death are greatly exaggerated.

- Mark Twain2

I. Introduction: Clash of the Titans

One Greek myth tells the tale of an earlier generation of gods, the Titans, who fought with a later generation of gods, the Olympians, for sovereignty over the earth.3 The Titans were the offspring of Uranus, the sky, and Mother Earth. The Olympian gods were the children of Cronus, the king of the Titans. Mother Earth had helped Cronus overthrow his father and seize power. Cronus feared that one of his own sons would likewise dethrone him, so he swallowed each of his own children as soon as they were born. It was not until the sixth child, Zeus, was born that Cronus's wife, the Titaness Rhea, conspired with Mother Earth to find a way to save the child from his father. When Zeus was grown, with the help of his mother and his wife, he tricked Cronus into drinking an emetic potion, causing him to vomit up his first five children. They were now fully grown, and these Olympian gods joined Zeus in his battle to wrest control of the earth from Cronus and the Titans. The Olympians and Titans fought bitterly for ten years, but the Olympian gods finally won, as had been prophesied by Mother Earth.

The explosive impact of new communications and information processing technology in recent years has triggered a conflict for market dominance between established and emerging players that resembles the clash of the Titans and the Olympians in sound and fury, if not in cosmic relevance. In the marketplace for electronic payment services, the Titans are played by the regulated financial institutions and the Olympians are played by the emerging payment technology start-ups. The role of Mother Earth is played by consumers, who have not yet made the decision to throw out the Titans and bring in the Olympians. As a result, regulators have no clear mandate. Rather, they face the ambiguous and complex task of maintaining the efficacy of existing regulatory efforts in the face of changing circumstances while not discriminating unfairly between either Titans or Olympians.

In the first round of the struggle for dominance in the market for payment services supporting Internet-based commerce, the Titans have emerged victorious while the Olympians are in full retreat. While only a few years ago, it appeared that systems built to leverage new global electronic networks such as the Internet might sweep away the cumbersome older generation of electronic payment systems, this has not proven to be the case.4 Consumers have shown a profound lack of interest in the radically new electronic payment systems developed by the Olympians. U.S. consumers actually seem quite happy with the range of electronic payment options currently available. As long as the Olympians continue to neglect the interests of the consumers and other stakeholders in emerging electronic commerce markets, the less novel, but more serviceable, offerings of the Titans will continue to prevail in the market for electronic payment services.

The Olympians may yet be gearing up for a second assault. This wave, though, may focus on utilizing the existing Titan infrastructure through new, Olympian interfaces. As a countermeasure, the Titans may harness Olympian technology. Regardless of the outcome of this battle, the future seems to be one of hybrid systems, where Titan infrastructure is accessed via Olympian technology.

II. Characteristics of Payment Systems

Payments are a specialized subset of commercial transactions. Payment systems promote commerce by transferring value quickly and effectively and by imposing a minimum of additional costs or risks on the transacting parties. Payment services support transactions in goods and other services as well as transfers of value between financial institutions and their customers. Payment systems operate at the short-term end of the spectrum for financial services, providing rapid and certain transfers of value. They must be efficient, pervasive, and trustworthy in order to minimize the costs that the payment function adds. Any new electronic payment system technologies must not only offer innovative features, they must continue to meet these basic requirements. A payment system can be described in terms of liquidity, finality, transaction risk and systemic risk.

A. Liquidity

Liquidity is commonly defined as the ease with which an asset can be bought or sold for money.5 With the exception of the FedWire,6 electronic payment systems are not themselves money, but represent a private substitute for money that is acceptable to the transactors. A private payment system substitute for legal tender has liquidity if other types of assets can be converted into and out of that payment medium without causing significant distortions in the market value of the asset solely attributable to the choice of payment device. This type of payment device liquidity can be achieved when there is a sufficiently large number of transactors in the market and transactors can settle transactions in the payment device without making major modifications in other terms of the transaction in order to do so.

B. Finality

Payment systems differ widely in the degree of finality associated with their use. Final payment is the moment when the payment may no longer be revoked.7 The rules governing finality of a particular payment device must be clear and universally applied in order to minimize the transaction costs associated with the choice of the payment device. Certainty about the degree of finality, whether great or small, is an essential element of established payment systems.8 Although the importance of finality of payments is obvious when payment transactions are viewed in aggregate as a payment system, rules governing finality may be difficult to enforce in practice because of competing concerns at the level of individual transactions. A payer will normally prefer less finality because it can enjoy the float while the payment is processed, and it can reverse payment in the event of a dispute with the payee.9 Merchants obviously prefer a system with more finality, as it gives the merchant the benefit of the float and reduces the risk that settlement will be revoked once made.10 In addition, the party providing the payment service may wish to make exceptions to finality rules for established clients or in other hard cases.11 Thus, unless supported by clear legal rules that leave parties little room for discretion, finality of payment will be difficult to enforce consistently and fairly.12

C. Transaction risk

When payment is not in the form of a proffer of legal tender, there is an element of credit risk for the party accepting the payment. Even with a payment of legal tender, there is a risk of error in processing the transaction, or of fraud such as forgery. Transacting parties make choices about which forms of payment are acceptable in part based on these transaction risks. Credit cards may have the lowest form of finality of any major modern form of payment; however, they also have the lowest credit risk for the merchants accepting them, provided the merchant obtains prior authorization for a charge. This is because under credit card system rules, card issuers, not merchants, bear the risk that the cardholder cannot pay.13 Paper-based payment systems incorporate processes to reduce fraud losses that historically have kept forgery losses within manageable levels. These include the use of magnetic ink printing, comparison of signatures with specimen signatures, and paper stock variations that are hard to reproduce.14

D. Systemic risk

What is recognized as money in modern economies is rarely legal tender. It is instead a complex fabric of claims on private organizations that circulate with almost the same degree of acceptance as legal tender. Given the large amount of payments made in reliance on the creditworthiness of private parties, the safety and soundness of participants in the payment system is a paramount concern of regulators. Failure of a major component of the payment system would cause disruption throughout the economy, imposing unforeseen losses on unprepared parties. If the failure is large enough to affect liquidity, it could cause a contraction in the level of economic activity generally. As a result, regulators must evaluate not only the degree to which participants in the payment system observe the system rules but also the likelihood that a system participant would fail to meet its obligations to other system participants. The regulators should also evaluate whether the system could withstand the failure of a major participant.

There is no major payment system in the U.S. today that is not subject to a significant level of supervision.15 Radically new payment systems may fall outside the purview of existing payment system regulations, so they pose a potential threat to the safety and soundness of existing payment systems if the interface between new and old payment systems is not managed carefully.16 Furthermore, it is unclear whether regular consumers of regulated financial services are in a position to understand and evaluate the risks of new payment systems, even if existing payment services can be sheltered from the risk of insolvency or illiquidity associated with new payment systems. Because failure of any payment device widely accepted in the market may impose unacceptable levels of costs (even on those market participants who did not accept the payment device directly), the model of self regulation and government restraint advocated in the Framework for Global Electronic Commerce ("Magaziner Report")17 must be viewed with some skepticism in the context of payment systems.

III. Traditional Payment Systems: The Titans

Consumer payment systems in the U.S. are still dominated by traditional paper-based services; only a tiny proportion of total payments are currently electronic. Furthermore, these proportions are expected to change only slowly. In 1997, paper-based payment systems still dominated the market for consumer payment services in the U.S.18 Wholly electronic payment systems currently account for a trivially small proportion of the total market for consumer payment services.19

A. Check clearing

Banks in the U.S. have been anticipating the advent of the "checkless society" for decades, hoping to replace expensive check processing services with more efficient electronic funds transfer services.20 Yet checks remain the largest segment of the U.S. payment system, and the volume of checks used continues to increase, although the rate of increase is slowing down. No one anticipates that checks will be displaced by electronic payment systems as the dominant form of payment in the U.S. in the near future. As long as checks are the payment device of choice for both consumers and businesses, regulated financial institutions will have to maintain a considerable investment in the equipment and services required to process huge numbers of pieces of paper.

Businesses and consumers remain committed to checks as a payment device because they are more flexible than electronic payment devices in many respects. Any name can be written on the payee line of a check, including the name of a complete stranger. In principle, checks can be written for any amount, no matter how large or small. The drawer of the check enjoys the float until the check finally clears, and may stop payment until it does.21 The bank must normally absorb the cost of forged checks, provided the customer has not contributed to the forgery through his or her negligence.22 Because the volume of data captured during the processing of transactions in the check collection system is minimal,23 personal data regarding checking account customers and their transactions is less likely to be exploited for secondary uses than the more substantial personal data generated or stored in electronic payment systems such as credit card and debit card systems. Finally, U.S. banks did such a brilliant job of marketing the canceled check as the best record of a transaction that many bank customers will not permit their banks to stop sending canceled checks with their monthly statements. The legacy of this marketing campaign has come back to haunt the banks as they struggle to wean their customers from their dependence on pieces of paper in payment transactions. Before U.S. bank customers will willingly surrender their checking accounts for wholly electronic payment services, they will have to be persuaded that the newer, more efficient electronic services offer an equivalent combination of low price, convenience and insurance against risk of loss.

The development of check guarantee services such as TeleCheck24 have increased the willingness of merchants to accept checks, reducing transaction risks associated with accepting checks and making checks an even more liquid payment device for both consumers and businesses. Systemic risks do not normally arise in the context of the check collection system because of the small average amount of payments made by checks relative to the net worth of the banks providing the service and because of the "midnight deadline" rule, which gives banks more than twenty-four hours to make the decision whether to honor a check25.

B. Wholesale funds transfers

The largest segment of the U.S. payment system, when measured by dollar volume transferred, is the wholesale funds transfer market, which transfers trillions of dollars a day.26 By contrast, the market for electronic funds transfers by individuals is much smaller in dollar volume, though the number of individual check and credit card transactions dwarfs the number of wholesale funds transfers.27 It was in the formation of electronic funds transfer systems that regulated financial institutions first developed the business processes necessary to support the secure electronic transmission of customer instructions regarding funds transfers.28

Although funds transfers conducted over funds transfer facilities maintained by the Federal Reserve Banks were subject to the regulation of the Federal Reserve Board, many funds transfers took place over private systems, such as the Clearing House for Interbank Payment Systems ("CHIPS").29 The entire wholesale funds transfer system was not governed by a clear body of law until U.C.C. Article 4A was promulgated in 1989 and adopted by the states shortly thereafter.30 The Article 4A drafting process resulted in many innovations, even though it drew heavily on the practices that had developed among banks and their customers during the 15 years before the drafting committee was established. While a consensus was not easy to achieve, the community of interests shared by both the banks and their customers permitted the drafting process to find workable compromises on many thorny issues.31

Wholesale funds transfers in general, and the FedWire system in particular, are highly liquid payment media with a high degree of payment finality and low transaction risks. Transfers of funds over the FedWire are irrevocable when received and settlement is immediate.32 Systemic risk issues are raised when wholesale funds transfers are accomplished outside the FedWire system, such as through the CHIPS system where net settlement occurs at the end of the trading day. CHIPS maintains a series of controls to minimize the risk that one financial institution may fail to settle its obligations at the end of the trading day, triggering a chain reaction of failures that could cause the collapse of the national financial system.33 Although U.C.C. Article 4A recognizes the possibility that a funds transfer system like CHIPS might fail to settle,34 in fact CHIPS has never failed to settle since it began operation in 1972.35

C. Credit cards

Credit cards are more than simple payment devices-they provide direct access to a line of credit. While the credit is important in its own right, it has larger implications as well. The financial institutions that sign up either cardholders or merchants are functioning as financial intermediaries, and by providing that intermediating function, minimize the risk to the transacting parties. The intermediaries charge for these services through a discount rate charged to merchants and through interest charges and service fees charged to cardholders. Because the credit card system is a closed system, in which no one can participate as a cardholder, merchant, card issuer or financial intermediary without agreeing to be bound by the system rules, the fact that a merchant accepts credit cards provides consumers with a guarantee of recourse in the event of a dispute in the underlying transaction. Similarly, the card issuer screens cardholder's creditworthiness for merchants.

The market for credit cards gained momentum in the 1960s when some major banks started marketing them aggressively. The banks that were most aggressive sought to minimize their own risk associated with wholesale distribution of credit cards through the use of overreaching form contract terms. This lead to a widespread perception that cardholders needed protections in law. The result was Regulation Z,36 which represents a high water mark in U.S. consumer protection law. Regulation Z prohibits the mailing out of unsolicited credit cards,37 limits cardholder liability for unauthorized transactions that occur before the card issuer is notified of the problem to a flat $50,38 requires the issuer to send periodic statements to the cardholder and requires the issuer to provide certain dispute and error resolution services.39 The result of these regulations is that credit cards have less finality than almost any other payment device.

The Federal Reserve Board has exercised considerable initiative in maintaining this level of consumer protection in new markets, including mail order and telephone order ("MOTO") transactions.40 Under Regulation Z, before a card issuer may charge the cardholder for a transaction, the card issuer is first required to provide a means of identifying the cardholder, such as a signature, photo, or fingerprint on the card itself.41 In MOTO transactions, which provide the model for Internet retail commerce, the card is not present for inspection by the merchant. Because one of the conditions that the card issuer must establish to charge a cardholder cannot be met, the card issuer may not contest a cardholder's claim that a charge was not authorized.42 The card issuer will not be left with the loss, however, because under the system rules of the credit card association, the card issuer will be allowed to charge the transaction back to the merchant who presented it.43

The high level of protections mandated for consumers using the credit card system, as well as the access to credit and the risk intermediation performed by the system, help to explain the current dominance of credit cards as the payment device of choice for retail Internet services. The lack of finality created by the Regulation Z right to contest charges when the cardholder is not satisfied with a purchase44 is highly favorable to consumers, as is the right of a consumer to contest a charge as unauthorized.45 These rules minimize the transaction risks assumed by consumers in Internet transactions by shifting the risks back onto the merchant, the merchant's bank or the card issuer. The popularity of credit cards among U.S. consumers creates liquidity for merchants accepting credit cards as a form of online payment.46 The credit card system provides a form of introduction between two parties who otherwise may have no way to evaluate each other's bona fides. The sophisticated security systems that merchants have developed during decades of MOTO transactions to keep fraud and error losses to a minimum have been transferred to manage risks with Internet-based commerce. Although credit cards have higher transaction costs stemming from the lack of finality and come bundled with a paternalistic risk-management system, these negatives are apparently more than offset by a larger volume of completed transactions and the significant transaction cost savings to merchants and consumers who do not have to research each other's suitability as a counterparty.

D. Consumer funds transfers

Banks and other regulated financial institutions began to offer electronic funds transfer services to customers through automated teller machines ("ATM") in the 1970s.47 At the same time, efforts were made to introduce the use of debit cards at point-of-sale ("POS") payment terminals, although these did not capture any significant market share until the late 1990s.48 Following the controversy associated with the aggressive and irresponsible marketing of credit cards and the subsequent consumer protection regulations adopted by the Federal Reserve Board to control those abuses, both consumer protection advocates and financial service providers approached the question of consumer protections for ATM card use with definite agendas. The resulting political confrontation produced the Electronic Fund Transfer Act of 197849 and Regulation E.50

These two provisions strike a different compromise between consumer and financial institution interests than Regulation Z. The final outcome was a loss allocation rule that progressively placed more of the risk of loss on the consumer when the consumer does not promptly notify the financial institution after learning that the ATM or debit card had been lost. In marked contrast to the flat $50 limit on consumer liability under Regulation Z, Regulation E contemplates that a consumer who completely fails to notify a financial institution after losing the card may be exposed to losses without any statutory cap.51

While banks were able to negotiate a lower level of consumer protection for electronic funds transfers than for credit cards, they later found themselves under considerable public pressure to waive the benefits of that lower level of protection. In the late 1990s, banks began aggressively marketing debit cards as an alternative to credit cards. These cards, marketed with a credit card brand name, had the same convenience for the consumer as credit cards, but very different consumer protections. Consumers and consumer advocates were shocked by the magnitude of the disparity in consumer protection provisions for debit and credit cards. One fundamental disparity is that while fraud and error losses in credit card transactions take place, initially, at the card issuer's expense, while these losses in debit card transactions take place at the cardholder's expense. The cardholder's account at a financial institution may be depleted and remain depleted while the financial institution makes a decision whether or not to recredit its customer's account. In 1997, Visa USA and MasterCard International announced they would not rely on the full protections accorded debit card issuers under Regulation E, but would voluntarily narrow the gap between the treatment of unauthorized or erroneous transactions for debit and credit cards to bring their business practices more closely in line with consumer expectations. They agreed to limit consumer liability for unauthorized transactions to the same $50 that applies to credit cards, and to shorten the time a financial institution is permitted to make the decision whether to recredit a customer's account for an allegedly unauthorized withdrawal.52

E. Secure Electronic Transactions ("SET")

Standardization is an essential element of any widely distributed system for electronic commerce, and the development of technical standards for interoperability between vendors of electronic payment services has been no exception. Titans such as Visa and MasterCard have attempted to seize the initiative in innovative electronic payment systems by controlling the development of technical standards. This, in turn, would guarantee a continued role for the Titans' proprietary payment services in the electronic commerce markets of the future. The vast financial resources that the Titans can command have been poured into the development and marketing of the Secure Electronic Transactions ("SET") standard, which, if widely adopted, would permit the use of advanced encryption technology in credit card transactions and would help preserve the dominance of credit cards among electronic payment services.

The promise of asymmetric cryptography, in the form of digital signatures, to resolve some of the new security issues raised by conducting business over open, public computer networks was widely recognized in the technology community a decade ago.53 Without standards to facilitate the adoption of cryptography, however, there was no way for application developers to realize its promise. Visa and MasterCard initially began work on separate standards for the use of public key cryptography in connection with electronic funds transfers, but in 1996 decided to join forces in developing a single standard for secure electronic transactions, or SET.54 In 1997, SET was widely expected to make the Internet safe for electronic commerce by resolving some of the uncertainty that prospective transactors felt about the security of Internet transmissions. SET would require each cardholder, financial intermediary and merchant to use a digital signature certificate in Internet transactions. Consumers would send their signed orders to Internet merchants together with encrypted credit card information that would be passed on, unread, to the financial intermediary. The intermediary would process the credit card authorization and notify the merchant, who would then complete the transaction with the consumer.

The SET system ran into problems almost from the outset, and by early 1999 was no longer in the forefront of discussions about Internet commerce security.55 While SET may be a very sophisticated system for improving the security of electronic funds transfers over open networks such as the Internet, it is also a complex and cumbersome one. The specifications for SET were initially driven by technological concerns associated with establishing what would have been the first large-scale public key infrastructure using existing financial networks and the Internet. As a result, the operation of SET procedures seemed likely to be too demanding of existing computers and networks. These problems might occur at the level of the individual consumer's home PC or at the level of the merchants and financial intermediaries who were trying to prepare for large volumes of message flow accompanied by large numbers of complex computations required for cryptographic functions.56 When merchants appeared reluctant to invest in the reengineering required to support such demands on their computer resources and networks, SET was marketed as a solution to the problem of consumer fraud through false claims of unauthorized use of a card as well as to the problem of merchant fraud. SET marketing materials never explained how the use of a digital signature certificate would be analyzed in light of Federal Reserve Board opinions interpreting Regulation Z, however.57 Notwithstanding the outpouring of support for SET, by early 1999 it had still failed to garner any significant share of the U.S. market and achieved only a few isolated implementations outside the U.S.58

IV. Past Failures: The First Olympian Assault

When the Internet was still something of a blank slate upon which one could project all manner of utopian or dystopian notions at will, it seemed obvious that major innovations in payment system technology would be needed to support Internet commerce. None of the early pioneers in this field have yet enjoyed the market success that their radical and innovative approaches would seem to have indicated a few years ago, and quite a few have ceased operations altogether.

A. Early fatalities: First Virtual and DigiCash

In 1994, First Virtual was established to offer secure payments technology to support Internet commerce. In 1996, First Virtual enjoyed a successful initial public offering, positioning itself as an Internet payments company.59 Individual subscribers authorized First Virtual to charge their credit cards for an initial allocation of funds to spend. Then subscribers could visit the websites of merchants who have signed up with First Virtual and authorize the merchants to debit their balances by using a PIN number. The success of alternatives such as SSL eroded demand for the First Virtual service, which never achieved a critical mass of individual or merchant subscribers. In 1998, First Virtual announced the cessation of its payment services and the refocusing of the company on electronic messaging services only. 60

In the 1980s, David Chaum obtained patents for blind signature cryptographic protocols that might support the development of much more novel and significant alternative payment systems.61 These protocols permit the creation of electronic tokens that can circulate as money in an online environment without revealing the identity of purchasers using the tokens.62 Chaum founded DigiCash in an effort to exploit the commercial potential of this technology as a form of online electronic money, and licensed the system to Mark Twain Bank in the U.S. and to various banks in other countries.63 Individuals wishing to use e-cash to make Internet purchases could draw on their account balances at the licensee bank to download e-coins for safekeeping in a "wallet" on the hard drive of their personal computer. When the individual wished to make a purchase, the software would deduct e-cash from the wallet and transfer it to the merchant.64 Although Chaum's system is not premised on the use of a conventional system for clearing and settlement to support it, the Mark Twain application allowed the merchant to transfer the e-cash back to the bank to confirm that it had not been double spent. The bank would cancel the e-coins and credit the merchant's account with the bank.65 In November 1998, DigiCash announced that it was seeking Chapter 11 bankruptcy relief in order to reorganize its business activities. Mercantile Bank, Mark Twain Bank's successor organization, had earlier discontinued the service, although some overseas banks were still marketing e-coins.66

The promise of the e-coin technology may ultimately be realized in U.S. financial markets, but, consumers are not sufficiently motivated by privacy concerns to create the demand that DigiCash's early promoters expected. As with First Virtual, the total number of subscribers to the e-coin system never achieved a critical mass. Purchasers did not enjoy any float, and instead tied up resources in e-coin balances that did not earn interest and were at significant risk of loss should the security of the wallet on the hard drive be compromised. Merchants also faced a risk of loss due to the threat of double spending, although the clearing system provided by the bank was designed to keep such losses to a minimum. An e-coin system would only be competitive with established payment devices if consumers were willing to accept higher transaction risks and greater finality. Apparently, they were not.

B. Walking Wounded: MilliCent, CyberCoin, Mondex

Various other players in the market for innovative electronic payment services have not ceased operations, although the demand for their products remains unclear. These include "micropayment" technologies such as MilliCent and CyberCoin, and smart card payment devices such as Mondex. Micropayment technologies looked destined for greatness a few years ago based on a common forecast regarding the future of Internet commerce. Because many businesses were reluctant to distribute content free of charge over the Internet and because subscription services are uneconomical for many types of content, it seemed likely that some vendors and purchasers would be interested in small, one-shot transactions at prices below those that current electronic payment systems can easily support. Micropayment technologies, which would permit consumers to download electronic money to a personal computer that could then be spent in small increments with participating merchants, seemed almost certain to catch on.67 Millicent68 and CyberCoin69 were two products developed to exploit this market that have languished in a vacuum of consumer demand. While there may be a market one day for Internet micropayments, it is unclear when that day will arrive.70

Mondex smart card technology is another promising technology whose moment of greatness always seems to be at hand yet never quite arrives. The Mondex card is a stored-value card that can take the place of cash by permitting transfers of value onto and off of the card.71 Unlike the DigiCash system as implemented by the Mark Twain Bank, there is no requirement that transactions onto and off of a Mondex smart card be cleared through a central system. This feature reduces the transaction costs of the system while also increasing some of the risks such as forgery or money laundering. Because a smart card does not merely store data but can also perform processing functions, the electronic cash function of Mondex can be combined with other functions to enhance its appeal to consumers and merchants, such as tracking loyalty program credits.

As powerful as the Mondex technology is, this kind of smart card-based electronic payment technology has not achieved any noteworthy successes in the U.S. to date.72 Millions of dollars of smart cards were distributed without charge during the 1996 Olympic Games in Atlanta, but utilization rates were very low. In 1998, a smart card pilot on the Upper West Side of Manhattan proved to be a disappointment for the financial institutions sponsoring it. U.S. consumers of electronic financial services are apparently too satisfied with existing alternatives such as checks, credit cards and debit cards to adopt this new technology in large numbers, although smart cards are rapidly gaining popularity in other countries. Compared with smart cards, credit and debit cards offer consumers considerable benefits under existing federal regulations.73

V. Through a Glass Darkly: The Next Generation of Electronic Payment Systems

The history of commercial exploitation of the Internet is short.74 In light of the successes of radically new concepts such as the browser and the hypertext interface, it once seemed plausible that wholly new payment systems might also catch on like wildfire, completely displacing demand for existing services. As shown, however, existing payment systems are meeting the demand for new electronic payment services with only minor modifications. Novel services are finding it difficult to fulfill the conditions required to make a modern payment system function in any environment.

With major obstacles impeding the Olympians' ability to launch alternative payment systems, successful Olympian strategies may consist of finding ways to harmonize Titan and Olympian approaches to electronic commerce. One possible strategy for getting new payment technologies into the hands of large numbers of users is to create hybrid solutions that combine the best elements of both old and new payment systems technologies.75 In fact, a few examples of hybrid services currently exist, some owned by the Olympians, some by the Titans.

A. Secure Sockets Layer ("SSL")

The Secure Sockets Layer ("SSL") standard, developed by the Olympian Netscape as a simple, stop-gap solution pending the development of more sophisticated standards such as SET,76 has achieved widespread acceptance as the standard for communicating credit card information over the Internet.77 It represents an unusual situation where Olympian technology has enhanced the position of Titan payment systems in Internet commerce. SSL lacks the elegance and coherence of SET, but it has come to dominate the market for retail electronic commerce by meeting the minimum requirements of the relevant stakeholders.78

The SSL standard does not use digital signatures to bind human identities to online communications.79 Instead, it relies on the use of a digital certificate to identify a computer, the e-commerce server. The consumer's browser validates the server's certificate, and then uses the public key in the certificate to share a symmetric key with the server. For the remainder of the session, the shared symmetric key is used to encrypt communications between the browser and the server, preventing credit card or other sensitive information from being sent over the Internet in the clear.80

The SSL protocol permits payment information to be sent over the Internet, replacing a mail or telephone link between the purchaser and the vendor in the MOTO model, but maintaining an equivalent level of security.81 The SSL standard has proven highly successful because it does not place excessive demands on the average consumer's home PC and has removed what was one of the most pressing concerns associated with Internet commerce: the public nature of its communications infrastructure.82 The SSL standard does not address the security of credit card information once it is on the merchant's e-commerce server, nor does it provide any information about which human being entered the credit card information transmitted to the vendor.83

Purchasers have been happy with the level of protection provided by SSL because the normal consumer-friendly credit card system rules apply. The risk that the merchant may misuse consumer credit card information is not borne by the consumer but by the merchant's bank.84 Vendors have been happy with the level of protection provided by SSL because the risks of accepting credit card charges over the Internet can be brought in line with the risks of accepting MOTO credit card charges.85 A merchant can decide whether to do business over the Internet by estimating both the likely return on Internet business (in light of these higher charges) and the likely total volume of chargebacks.

A cloud on the horizon indicates that SSL may not be a lasting solution for securing Internet credit card transactions.86 The volume of disputes associated with Internet purchases seem to be disproportionately large-while Internet transactions account for only 2% of card transactions, by some industry estimates they account for 50% of disputes.87 Unless the Federal Reserve Board changes its interpretation of Regulation Z regarding the inability of card issuers and merchants to contest a cardholder's claim that a charge is unauthorized in any transaction in which the card was not available for inspection by the merchant,88 merchants will have no choice but to press for improved authentication technology or revisions to Regulation Z.

B. E-Check

The established players have not completely ignored the possibility of using new technologies to gain or maintain market share. The benefits of this approach are that new technologies are harmonized with established business practices. This approach was used with the electronic check, or "e-check", developed by a consortium of major banks.89

In 1998, various banks entered into a pilot with the Department of Defense to test this new service and it will be some time before the viability of this concept for a larger market is determined.90 The e-check is an electronic equivalent of a paper check, created through the use of new technical standards and encryption technologies. The e-check standard was carefully developed to mimic the functions of check in an effort to ease burdens to bank customers of switching from paper checks to wholly electronic payment systems.91 It will remain unclear for some time whether enough financial institutions and businesses that currently transfer funds by check will be willing to invest in the technology required to make the e-check as universally acceptable as the paper check or use e-checks in a sufficiently large number so as to make them as inexpensive to process as paper checks.92

C. InstaBuy

CyberCash has developed a new service, InstaBuy, which is rapidly gaining popularity on retail Internet sites.93 The InstaBuy service permits consumers to enter their credit card information into a secure site maintained by CyberCash and then to authorize the InstaBuy service to release the information to Internet merchants who have also signed up for the service.94 InstaBuy eliminates the need for consumers to download wallet software, which is required for the CyberCoin service, or to enter their credit card information each time they wish to make a purchase, which is necessary for most Internet retail sites today. Consumers are not charged for the service, can access their credit card information maintained by InstaBuy from any computer with access to the Internet, and can only use InstaBuy with merchants that have been enrolled in the program. This service is less ambitious than the earlier CyberCoin service as it only offers consumers a simpler and more convenient way to make credit card purchases over the Internet using SSL for a secure connection to the merchant's site. Like any other endeavor, however, InstaBuy's ultimate success will depend on whether enough consumers and merchants can be signed up for the service to justify the cost of the service to merchants.

D. Portals

In 1998, portals attracted a great deal of attention as a way to permit end users to find Internet resources more easily, and to increase traffic to Internet commerce sites.95 Online financial services have been a common feature of portals.

One electronic payment system likely to be promoted through portals is Internet bill presentment and payment services. With such a service, a consumer could access all his or her monthly bills, review the contents of the bill and authorize payment of the bills using a variety of payment devices. It is unclear at this time whether the market for Internet bill presentment and payment will be a service offered primarily by banks offering Internet services, or technology firms such as CheckFree.96 Such firms provide a unified interface to the consumer, but use a variety of payment devices to execute the consumer's payment orders. The terms under which the partnering of Internet access providers, technology firms and regulated financial institutions will take place are still in flux, so it is unclear how many services will be provided by entities outside the scope of current regulations. The magnitude of changes needed in existing regulations will only become clear when the market for Internet bill presentment and payment is better defined.

E. NACHA

In 1998, in an effort to maintain the relevance of the automated clearing house ("ACH") payment system in a world of Internet-based commerce, the Internet Council of the National Automated Clearing House Association ("NACHA") conducted a pilot to determine the compatibility of the ACH system with a browser-based interface for retail Internet commerce.97 One of the workhorses of electronic payment services in the U.S., the ACH network performs functions such as direct deposit of payroll and automatic funds transfers for routine expenses such as installment loans or utilities. To date, though, it has not played a major role in the development of Internet-based commerce. The pilot program involved a variety of banks, technology vendors, and members of the NACHA Internet Council in simulated transactions. The pilot demonstrated that while it might be possible to use digital signatures and a browser interface to initiate funds transfers through the ACH system to support retail commerce, further study was needed before such a service could be offered to the public.98

F. What the future holds

The market for electronic payment services remains crowded with competing vendors and putative standard-setters, none of which have yet gained a commanding lead over the pack of aspirants. Titans may ensure their continued success in electronic payment services markets if they can persuade Olympians to join them in collaborative relationships. It is possible that Olympians will survive and prosper by licensing their innovative technologies to Titans who have the capital and established relationships with consumers needed to achieve critical market share for new technologies. Such collaborations will permit regulators to maintain current levels of safety and reliability for new products by reviewing the new technologies and their proposed uses in light of existing regulatory standards.

One opening for collaboration between vendors of new technologies and established providers may come if the existing electronic payment system security infrastructure is upgraded or replaced. Electronic funds transfer systems such as those used for retail ATM machines rely on the Data Encryption Standard ("DES") established in the 1970s.99 Groups that oppose the current U.S. policy of limiting the use of encryption in the private sector to older standards such as DES have focused on breaking DES as a way of demonstrating the inadequacy of current U.S. government policies regarding encryption.100 Financial institutions are in the process of replacing DES-based technology with higher levels of security such as double-DES, triple-DES and other encryption standards. At the same time that encryption standards are being reevaluated, it is possible that other elements of the existing payment system infrastructure may also be upgraded. Such replacements may be beneficial-for example, replacing magnetic stripe cards with smart cards would permit the use of more advanced authentication technology in electronic payment systems.

Looking further ahead, services such as financial electronic data interchange and electronic bill presentment may finally permit electronic funds transfers to replace checks for routine business payments. This has yet to occur in large part due to the inability to include transaction information with payment information in transactions among all institutions that accept electronic funds transfers. In order for businesses to have the option to include transaction information with any funds transfer, many businesses and financial institutions will have to upgrade their existing funds transfer processes, which they have been unwilling to do. The federal government is setting a faster tempo for changes with its EFT99 initiative.101 This initiative will force many recipients of payments from the federal government and financial institutions to be able to accept funds transfers with transaction information in the very near future.102

New entrants in the market for electronic payment services may enjoy greater success outside mature markets such as the U.S. than inside them. In Europe, for instance, consumers are less accustomed to using payment devices that include an element of float for consumers.103 As a result, acceptance of smart cards as a payment device has been much greater. The dismal failure to date in the U.S. market of smart cards as a payment device demonstrates that U.S. consumers are showing a greater degree of sophistication with regard to product features and a greater resistance to change than most Olympians expected, especially in light of the success of innovative new offerings in other areas of Internet electronic commerce.104 The greatest successes for such new payment devices may ultimately come in markets in developing countries such as China, where there are virtually no alternative electronic payment technologies.105 In such markets, there may be no business case for rolling out older models of electronic payment systems where the basic infrastructure is still lacking, and consumers may accept the most up-to-date technology available quite happily.

Emerging payment technologies that gain substantial market share in Europe, Japan or developing countries may be able to leverage that market share to reenter the U.S. market on more favorable terms in the future. As U.S. financial services markets become more integrated into global markets, it is unlikely that the flow of standards and products will always be from the U.S. outward. In the near term, however, established services such as credit cards, debit cards and ATM machines that were perfected in the U.S. and other developed countries, may continue to crowd out more technologically-sophisticated alternatives.

VI. Interests of Stakeholders and Gatekeepers in Electronic Payment Systems

These larger trends in the market for electronic payment services and in the development of technology will be shaped by the degree to which the various stakeholders-the consumers, merchants, Titans and Olympians-can protect their interests. In many respects these interests are incompatible. The regulators-the gatekeepers to the market-have the ability to moderate the outcomes that competitive forces alone would produce.

A. Stakeholder Interests

By looking at the costs and benefits imposed on customers by various major payment devices, it is easy to understand why customers of regulated financial institutions still prefer checks to electronic equivalents. The benefits customers enjoy as a result of choosing checks are directly offset by the burdens they impose on merchants. Yet until payment service providers and merchants find a way to meet not just their own needs but also the genuine needs of their customers with electronic payment devices, customers will continue to resist wholesale migration to new forms of payment. While a great deal of consumer resistance may be due to poorly designed interfaces or flawed business models for new payment devices, it may also be due in part to a bias on the part of consumers in favor of payment systems with known, manageable risks. Consumers have demonstrated repeatedly that no matter how favorable a new electronic payment system is for merchants and service providers, they will refrain from using the new system unless they perceive it to be as beneficial to them as existing systems.

Internet merchants are enjoying considerable success today with minor modifications to established systems, but if disputes associated with online credit card transactions continue to grow, merchants may become more willing to pay for more sophisticated solutions such as SET. As businesses develop more integrated, comprehensive information technology systems, they will be looking for payment services that can be integrated seamlessly into those systems. In order for Internet merchants to be able to process payment information automatically, a great deal of standardization will need to take place in the way data describing the transaction is attached to the payment information. In addition, businesses would like the payment transaction information to be available for other uses, such as differentiating between valued and undesirable customers, building closer relationships with more profitable customers, and exploiting the commercial value in transaction data via other processes that cannot now be performed by the merchant.106

Regulated electronic payment service providers need to find new ways to leverage their existing investment in legacy systems, while keeping up with the rapid pace of innovation characteristic of Internet electronic commerce in general. Banks are at risk of finding their market limited to only the most commodified, low profit financial services, while customers build relationships with newer service providers who are able to capture the more differentiated and profitable front end of the payment system interface. Existing electronic payment systems such as the automated clearing house system for electronic funds transfers have complex, cumbersome interfaces but operate with a high degree of reliability and security.107 If Yahoo!, Microsoft or Amazon.com can design and retain control of a user interface that integrates automated clearing house payment functions with a customized point of entry to a complete range of Internet services, regulated financial intermediaries will not be able to reap any significant profits from the limited range of services they continue to provide. Banks want to avoid seeing their contribution to the next generation of electronic payment systems reduced to some minimal clearing and settlement service. Collaborating with new technology services may be an easy way for traditional payment service providers to give their systems a fast facelift, but such collaborations also carry the risk that the traditional service may lose its current close connection to the consumer customer or retail merchant.

Technology firms seeking to participate in the construction of new payment systems infrastructure will benefit most if they are able to gain market dominance with proprietary standards, and if they are able to establish a right to payment based on transaction volume or value. If technology firms design systems around open, public standards, they will face a much more competitive market for their services. Just as collaboration between traditional payment service providers and technology firms is perilous for the traditional providers, it is perilous for the technology firm if its partners can eventually master the new technology and internally generate the necessary infrastructure instead of outsourcing is production.

B. Gatekeeper Interests

Although wildcat banking was once a legitimate occupation in the U.S.,108 regulation of financial services at both the state and federal level is now inescapable. The will to maintain a comprehensive framework of regulation over financial markets was strengthened in the wake of the banking crisis of the 1930s, and the savings and loan crisis of the 1980s. The regulatory legacy of these crises is one of highly intrusive oversight and major restrictions on the scope of operations.

The common wisdom now generally equates such heavy handed regulation with obstacles to effective competition, and makes the regulatory calculus for government agencies considering intervention in emerging markets complex and ambiguous. At least in the case of credit cards and Regulation Z protections for consumers, however, the heavy hand of regulation may have given established payment systems the competitive edge they needed to achieve rapid dominance of the market for retail Internet payment services. If generations of intrusive government regulation have dulled the wits of consumers to the point they cannot distinguish between acceptable and unacceptable levels of risk associated with new electronic payment services, then regulators will face a difficult task in protecting consumers while not stifling competition. If years of intrusive government regulation have instead produced a generation of consumers who have a reasonably good understanding of the costs and benefits associated with existing electronic payment systems and have a marked preference for those regulated systems which treat consumers well, then market demand may push providers of electronic financial services into the arms of regulators. Before the Titans can profit from the latter scenario, however, many of their existing payment services will need something of a facelift to meet the technological demands of emerging electronic commerce markets.

The new payment service providers may enjoy a distinct competitive advantage over regulated financial intermediaries if they are able to compete head-on without being subject to the regulatory burdens themselves. If the Olympian developers are able to establish significant market share in emerging electronic payment technologies before regulators decide to subject them to traditional financial market regulations, they will enjoy a significant competitive advantage over their regulated Titan competitors. If regulators want to avoid encouraging unregulated competitors from taking market share from regulated financial intermediaries, they will need to maintain their current agnostic position with regard to regulating innovative offerings by established electronic payment service providers.

Should regulated financial intermediaries choose not to collaborate with technology innovators, but try to compete directly with them for consumer markets, the regulated intermediaries are sure to lobby regulators to release them from some of their current legal and regulatory obligations. If regulators hold financial institutions to high standards that impose substantial costs and limit their ability to keep up with more nimble competitors but fail to maintain an equivalent level of control over those new competitors, regulated financial institutions would experience a loss of market share without any offsetting increase in the effective level of consumer protection.109

In an era of deregulation, regulators may face considerable obstacles to expanding existing regulatory regimes to cover new payments technologies. In 1996, the Federal Reserve Board ("FRB") issued proposed amendments to Regulation E to deal with new developments such as stored value cards.110 Congress responded by prohibiting the FRB from taking action to finalize any amendments to Regulation E until the FRB had determined whether Regulation E could be applied to stored value cards "without adversely affecting the cost, development and operation of such products."111 The FRB, duly chastised, delivered its report to Congress on April 2, 1997, finding that policy statements or education programs might be less costly and just as effective as regulations in protecting consumers interests.112

Until the technology innovators can mount a more credible threat to the ruling hegemony of highly-regulated electronic payment services, the wait-and-see and incremental-reform approaches currently being taken by regulators are adequate, because the magnitude of the threat posed by emerging services is negligible. If this trend continues in the future, then regulators in this field may be spared the task of finding new techniques for domesticating rapid technological innovation without stifling competition. Competitive offerings from regulated providers of electronic payment services may permit consumers to continue to rely on payment services that manage a number of the risks of electronic commerce fairly and efficiently as well as advancing the technology of market infrastructures.

Instead of resorting to regulation, the problem of competing proprietary solutions for meeting the future needs of consumers in Internet commerce might be resolved through the work of standards-setting organizations.113 For example, the current network of retail electronic funds transfers conducted through ATMs and point-of-sale terminals using debit cards operates today due to the standardization work of the American National Standards Institute ("ANSI") Accredited Standards Committee ("ASC") X9.114 The work of open standards-setting organizations might be helpful in resolving some of the current uncertainty regarding the future direction of electronic payments technologies. However, formal standards-setting organizations such as ANSI ASC X9 are competing with a wide range of private and more informal standards-setting organizations that hope to influence the future of electronic payments technologies. For example, the Financial Services Technology Consortium115 and the Banker's Roundtable Banking Industry Technology Secretariat116 are financial services industry trade associations that cater to large banks and financial services companies that have tried to establish themselves as industry leaders through projects such as e-check117 and the Bank Internet Payment System.118 In 1999, however, not many proposed standards were making headway in the market, either because they had not yet moved beyond the pilot stage or because, like SET, they were not being adopted following pilot projects. The very large number of other putative standards-setting organizations competing within the electronic payment services market has reduced the probability that any one organization's standard would achieve universal acceptance and recognition, and so enjoy the leverage that the network effects of such standardization would provide.119

VII. Conclusion

Two years after the publication of the Magaziner Report, its recommendation that regulators refrain from regulating until a need has been established appears to have been sound even when applied to electronic payment systems. The more utopian projections for the future of electronic payment systems have not yet been realized, and the more dire threats to regulated payment systems have not yet materialized. In 1999, the market is dominated by traditional financial intermediaries offering conventional electronic payment services augmented with minor innovations to adapt to the Internet.

In the original myth of the clash of the Titans, the Titans first came to power with the assistance of Mother Earth in their struggle to overthrow Uranus. The Titan Cronus's efforts to forestall his eventual overthrow were doomed to fail in the face of Mother Earth's support for the Olympians, and resulted only in postponement of the inevitable. In the battle for dominance of the electronic payment systems market, the Titans are clearly still in command and, at least in the U.S., the developers of alternative technologies have yet to establish much of a beachhead. This is far from the final outcome, however, as innovative payment technologies may become established outside the U.S. first, and then capitalize on their position in global markets to reenter the U.S. market on more favorable terms in the future. In addition, innovators may succeed in hollowing out the economic value of the basic payment system franchise, if the services provided by regulated financial intermediaries become more constrained and commodified, and competitors gain control of novel interfaces or delivery mechanisms that narrow the services the payment systems Titans offer.

Consumers have shown a high degree of rationality in their choice of electronic payment systems, and have stayed away from more risky or less favorable innovations. Regulated electronic payment systems offer incidental attributes such as float, or reversibility in the event of dispute. Consumers may migrate toward regulated systems because they provide these incidental benefits without regard to how well systemic risk issues are managed. But so long as regulators guarantee the provision of both, then consumers can migrate toward the most favorable package of rights and obligations and the system will enjoy the oversight necessary to keep systemic risk to manageable levels.

Consumer resistance to radical innovation is hard to interpret, but it is possible that this resistance is based in part on some understanding of the benefits consumers currently enjoy under existing systems and are unwilling to surrender without some equivalent benefit. New systems that provide a big boost to the electronic payment service provider, a marginal benefit to the merchant and negligible benefits to the consumer are failing, while existing electronic payment systems that preserve existing benefits are prospering with only small modifications.

If regulated financial intermediaries continue to meet the demand for electronic payment services through incremental innovations in established services developed under the scrutiny of regulators, then emerging payment systems do not pose as much of a threat to existing payment systems or the economy generally as once feared. Regulators will have the time they need to gauge the real risk posed by innovation to existing systems and to adapt existing regulations to carry forward an equivalent level of protection in new systems.