Cash in a flash

How Payments Canada balances innovation and regulation to help streamline (and safeguard) transactions for Canadians.

If you’ve ever scanned a QR code to buy coffee, paid your subway fare with a smartwatch or tapped your smartphone at the grocery-store checkout, you have Payments Canada to thank — and based on the stats, a growing number of Canadians owe the organization a debt of gratitude. Payments Canada is responsible for the infrastructure that powers these contactless transactions, which have increased by 42 percent over the past nine years as people abandon cash, cheques and even carrying a wallet.

As CEO Tracey Black jokes, “if you haven’t heard of us, that’s not a bad thing.” A seamless digital commerce experience means the company’s systems — which process payments that can amount to hundreds of billions of dollars each business day — are functioning. Payments Canada makes sure that Canada is keeping pace with other G7 nations and manages the potential risks that crop up as digital payments become more and more common. For up-and-coming fintech ventures, their API sandbox provides a hub for access to all of the organization’s developer services.

Here, Black offers insights on biometric transactions, balancing innovation and regulation, and the exciting new payments messaging standard on the horizon.

In a nutshell, what are biometric payment systems?

When you use Apple Wallet or your fingerprint on your phone, you’re authenticating yourself to the device, which then says, “Hey, let’s spend money.” In lieu of a PIN, it’s using biometric authentication to validate you as the holder of that payment credential, and then it’s using near-field communication (NFC for short) or contactless capability to support the payment. The payment itself is travelling in the same way whether I use a PIN, my eyeball or my fingerprint.

According to your recent survey, 45 percent of Canadians — nearly half of us — are open to or already using this method of payment. Why has it become so popular?

Biometric authentication is very frictionless. It’s much easier than having to remember or enter a code. Canadians have confidence because they trust the suppliers of payments in Canada, which is critical to the adoption of these sorts of new payment experiences and methods.

How do you balance the demand for innovation and frictionless experiences with the need for regulation, safety and security?

We own and operate the core infrastructure, but our legal framework — bylaws, rules and standards — determines who can use our systems and how they can be used: we leverage our capability to support safe and secure payment transactions through these rules. Payments are evolving faster than ever, and we occasionally need to upgrade our infrastructure to accommodate a new payment experience or method. More typically, we can do that through modification of our rules or bylaws, which involves getting approval from our regulators, the Bank of Canada and the Department of Finance. We work with our members to define which changes are necessary, and then we work with our regulators to get approval of those rules. So there’s a bit of checks and balances in the process, with safety and security always top of mind.

The checks and balances help give us confidence in Canada’s financial system, although the pace can be frustrating. I have a Garmin watch with a payment feature, but it still won’t work in Canada.

I know it feels easy as a consumer to get that card into your Apple Wallet, to take a picture and then boom — it’s done, but there’s a whole process behind that. When the credential is loaded on your phone it requires approval from the issuer of that credential. Let’s say you bank at Bank X: Bank X has to approve the loading of that credit card credential onto your Apple phone and before they do that, they need to have confidence in that Apple device. The Garmin device has not been as thoroughly investigated, tested or approved by issuers in Canada, which is why you can’t load credentials onto your Garmin watch…yet.

Right. It’s no small thing.

This is the conundrum of payments. They feel so easy and so frictionless but there’s a lot of work done by the participants in the payment ecosystem to make sure that transaction is safe and secure. As a consumer, you probably have very little sense of all the processes required to maintain the security of your transaction.

You mentioned scanning people’s eyes — is that something you’re seeing on the horizon?

I think biometric has been of interest for quite some time. With multi-factor authentication the biometric piece is something you can layer on to create an even more secure process. Initially people were a little skeptical that their fingerprint could be used to pay [securely] — there were stories of hot glue and Scotch tape and things like that — but the technology has improved. It’s now proven that the fingerprint you put on your device is unique and can’t be compromised or copied by somebody else.

Consumers have become more comfortable with facial recognition. Retina scanning is a bit harder to do. There are pay-by-palm experiments, but fingerprint and facial recognition are probably the least invasive as well as being quite difficult to duplicate. We may see different flavours of biometric authentication, but if we had gone straight to retina, which is something that can feel a bit invasive, I don’t think we would have the kind of adoption that we’ve seen.

Are you implementing any new innovations right now?

We have a kind of technology called the ISO 20022 message standard, which allows information about a payment to travel with the transaction. For example: if you go into your online banking, you could hover over the transaction and it would give you a bit of information about which vendor, which order or whatever it is. Think about your paycheque: all the information from your pay stub could be included in the payment itself. Or if you get a traffic ticket, specific details could be provided.

This ISO standard will also help with the reconciliation of payments for large and small businesses. With widespread adoption of the standard, data-rich payments can circle the globe, adding value for all kinds of participants.

With increasing risks of fraud through AI or other technologies, say through the impersonation of someone’s voice or face, what is needed to protect consumers?

When videos are posted on YouTube, AI can potentially be used to take voice prints and create requests that sound convincingly like the subjects in those videos. These could be sent to people who would get a message saying, “I’m short on cash and need you to send $100, $500, $1000.” We need to focus on not just authenticating the sender of the payment, but educating the receiver of the payment. If I receive a message from you, how can I have confidence that you are actually requesting funds? We have to think more holistically and validate both ends of that transaction.

This interview has been edited for length and clarity.

Hear Tracey Black in conversation with Joy Macknight, editor of The Banker at the Financial Times, at Sibos, which runs Sept. 18–21 at the Metro Toronto Convention Centre. For more information, visit sibos.com.

Photography: Courtesy of Payments Canada.