NPP Australia’s response to the RBA’s NPP Functionality and Access Consultation

December 3, 2018

NPP Australia’s response to the RBA’s NPP Functionality and Access Consultation

This paper is NPP Australia Limited’s submission in response to the RBA’s consultation on the New Payments Platform functionality and access.

Introduction

The New Payments Platform (NPP) has been designed to support a 24/7 modern, digital economy. It provides a fast, flexible and data-rich payments system for Australian consumers, businesses and government agencies, enabling them to make real-time data rich payments between accounts at participating Australian financial institutions. The NPP is new utility payments infrastructure commissioned and funded by NPP Australia Limited’s founding shareholders1 for and on behalf of the Australian payments industry.

NPP Australia Limited (NPPA) is a public company established to oversee the development and operation of the NPP. NPPA’s Constitution (Article 2.1) provides that the NPP is to operate as a mutually-owned utility, as an economically self-sustaining entity rather than profit-maximising or providing returns to its shareholders.

The NPP brings enormous potential for future payments innovation through its speed, data capability, open-access design and unique layered architecture. The platform is intended to support multiple products and services as well as enable more digital processes, which will deliver back-office efficiencies and cost savings to Australian businesses and government agencies.

Since the NPP launched to the public in February this year, more than 70 banks, credit unions and building societies have been rolling out real-time payment services to their customers. More than 50 million accountholders are now able to make and receive payments via the NPP and this number will continue to grow as participating financial institutions complete their respective rollouts. Volumes are growing steadily on the platform with over 50 million transactions worth over $45 billion being sent through the platform since February and over 2 million PayIDs registered.

 

Accessing the NPP

The NPP has been intentionally designed to be ‘open access’, encouraging broad participation across the payments ecosystem. One of the three stated constitutional objectives of NPPA is facilitating fair access to the NPP as mutually owned utility infrastructure.2 It is the first clearing and settlement system in Australia to be designed with access as one of its primary objectives.

Access arrangements for the NPP have been deliberately structured to be inclusive and to maximise the opportunities for different types of entities with different business objectives to access the capabilities of the NPP. NPPA has established graduated, risk-based, eligibility criteria, with relevant ACCC authorisation, for a range of different access points to the infrastructure. These access points are intended to meet the needs of different organisations, ranging from APRA-regulated Authorised Deposit-taking Institutions (ADIs) through to corporates and fintechs, whilst simultaneously ensuring the safety and security of a real-time payments system in which Australians must feel confident.

There are five different ways an organisation can access the NPP:

  1. NPP Participant

NPP Participants are organisations that connect directly to clear and/or settle payments via the NPP. All ADIs (of which there are more than 150 licensed by APRA), whether fully or conditionally licensed, or a Restricted ADI, are eligible to become NPP Participants. A directly connected Participant also needs to meet the technical requirements of standing up and maintaining an NPP Payment Access Gateway (PAG) in a real-time environment. There is also the option for a Participant to be indirectly connected to the NPP for clearing (whilst providing their own settlement services) by outsourcing their technical connectivity to one of the other directly connected Participants. Currently there are 8 directly connected Participants and 2 indirectly connected Participants.

Becoming an NPP Participant requires an organisation to become a shareholder in NPPA and subscribe for shares. The requirement to subscribe for shares reflects the design of the NPP as mutually-owned industry infrastructure; dispersed ownership and associated governance rights ensure the NPP is operated and evolves to meets the diverse needs of users of the payments system. New Participants also bring capital that enables NPPA to fund the continuing development of central core capability and investment in future functionality which will drive further innovation. New Participants subscribe for shares at the same level of investment as current Participants, according to their size. It is possible that over time, and as the NPP matures and is fully developed in terms of its technical capabilities, NPPA’s technical roadmap will be fully sustained by operating revenues and less dependent on capital contributions, in which case the current subscription levels might be expected to trend towards the direct and indirect costs of connectivity.

The requirement for a Participant, who clears and settles funds in real time, to be a regulated ADI is deemed necessary to ensure prudential safeguards for the platform, in line with well-established international standards for payments systems (as set out by the Bank for International Settlements3). The ADI licensing regime managed by APRA covers extensive and ongoing prudential obligations, including standards for: capital adequacy; securitisation; risk management including liquidity, credit quality, large exposures and business continuity management; prudential reporting and disclosure of prudential information; governance including ‘fit and proper’ criteria for responsible persons operating that particular institution. In particular, an ADI is required to meet standards with respect to operational risk management, including Information Security risk, and is required to hold capital against operational losses. APRA regulated institutions are subject to a rigorous program of ongoing inspection, surveillance, and enforcement activities. An organisation that is not an ADI, and that is not prudentially supervised by APRA, does not provide the same level of counterparty assurance and comfort to NPPA and the NPP Participants that it has the technical, operational or legal capability to perform the required NPP functions or manage data security or fraud risks and to meet associated liabilities.

A conditional or restricted ADI may not be fully licensed by APRA as compliant to all of these requirements but will be required to meet certain minimum prudential and operational standards. If at any point in the future, the APRA licensing regime changes, say for example with the introduction of a new class of regulated non-bank entities called “Payment Service Providers” (as suggested by the Productivity Commission report), then at that time, NPPA would consider including these within the NPP access framework, just as we have done recently for organisations with Restricted ADI licences.

 

  1. Identified Institution

An Identified Institution can offer their customers real-time data-rich payments via a directly connected NPP Participant who can clear and settle those payments on their behalf (using that institution’s own BSB and SWIFT BIC code but the NPP Participant’s ESA for settlement). A commercial arrangement is required between the NPP Participant acting as the sponsoring direct connector and the organisation seeking indirect access as an Identified Institution. An Identified Institution does not need to be an ADI or a RADI, it does not need to subscribe for shares in NPPA and nor does it need to install and support an NPP Payment Access Gateway.

This has been the most popular way of accessing the NPP as organisations do not need to meet either the technical requirements required for direct connectivity nor the capital required to be an NPP Participant. The platform went live with over 50 Identified Institutions at launch, including many small financial institutions who were able to offer NPP payment services to their customers from day one. There are now approximately 65 organisations currently accessing the NPP this way and more are scheduled to come on board in coming months.

 

  1. Overlay Service Provider

An Overlay Service is a product or service that uses the NPP infrastructure’s capabilities, potentially in a customised way to define a bespoke payment service or process. The first overlay service launched from the platform is Osko by BPAY. Through Osko, BPAY has defined the ‘messages’ or ‘rules’ that decide how an Osko payment will travel along the NPP in regard to speed, the type of information that goes with the payment and what the end customer experience is. Any organisation can become an Overlay Service Provider as long as it can demonstrate a sound business plan backed by the required expertise for their proposed product or service. Overlay Service Providers offer their product or service to NPP Participants and Identified Institutions to distribute to their customers. However, it is important to note that in our experience, many payments innovation or processes will not require an Overlay Service to be established but rather will be able to leverage the existing service and capabilities of the platform.

 

  1. Connected Institution

Connected Institutions can connect to the NPP directly by installing an NPP Payment Access Gateway in their own environment in order to be able to send payment initiation and other non-value messages. This could include payroll providers, share registries, retailers, large corporates, fintechs or organisations like Amazon, Facebook and Google. Because these organisations are not directly processing or clearing payments they are not required to be an ADI or RADI. However, given a Connected Institution is directly connected to the NPP, and may also have direct access to the NPP Addressing Service, they are required to comply with the same technical requirements for connecting directly as apply to NPP Participants, including resilience, 24/7 availability, security and the ability to meet performance SLAs.

 

  1. End user

Businesses, corporates and fintechs, just like individuals, can use the NPP to make and receive payments. There are currently more than 70 organisations offering services via the NPP. Participating financial institutions are gradually rolling out their NPP product and service offerings to their business and corporate customers (with retail customers largely complete) which will provide more organisations with the ability to make and receive NPP payments.

 

NPP access eligibility criteria and governance

The eligibility criteria for the different NPP access points are clear and transparent and are provided for in the NPP Regulations (with the exception of being an end user which is determined by individual participating institutions in terms of their specific customer offerings) and are published on our website (www.nppa.com.au). The key requirements are summarised below:

NPP ParticipantIdentified InstitutionOverlay Service ProviderConnected Institution
ADI or RADI licence
Exchange Settlement account
Incorporated company
Required to meet technical, operational and security requirements for direct connectivity

NPP access decisions for new Participant, Connected Institution and Overlay Service Provider applications, are in most instances determined by NPPA Management under a delegated authority to the NPPA CEO. Importantly, the administrative process for admitting new Participants and Connected Institutions is phased, with the assessment of initial eligibility and the entitlement to be given NPP Componentry, and assistance with installation, being a Management function. Having provisioned and installed NPP Componentry new Participants and Connected Institutions are required only to test and certify that their connectivity is compliant with NPPA’s technical requirements. The NPPA Board is expected to be involved in the determination of new NPP Participant and Connected Institution participation applications as a final step, and is in any event bound to accept each new Participant and Connected Institution that satisfies the technical requirements.

The NPPA Board has 11 voting directors, including four major banks, four representatives from small to medium banks and aggregators, two independent directors with no links to the banking sector, and a director representing the Reserve Bank of Australia. The CEO of NPPA also sits on the Board as a non-voting director. Unlike other similar payment organisations in Australia, the voting rights of directors are equal, and are not proportionate to shareholding. Proportionate rights at the Board would typically give directors representing larger shareholders a significant influence over board deliberations, however, in the context of the NPPA Board this is not the case.4

 

Facilitating third party access

Many organisations are seeking to leverage the NPP for different use cases and business objectives. What an organisation wants to achieve using the NPP will largely determine the most appropriate access option for them. Some organisations incorrectly assume they need to connect directly to the NPP to access the platform’s benefits, but this is not the case (as is the case with other payment streams today).

Using the platform’s existing capabilities and the Osko message to make and receive payments, is likely to meet the business needs of many organisations. This requires a commercial relationship with only one participating financial institution given messages injected via any one NPP access point can access the entire NPP ecosystem and reach all available accounts. Based on our experience in handling enquiries from over 350 fintechs and other interested organisations, the vast majority simply want to be able to use the NPP in some manner (similar to the way that they access existing payment systems today). This enables these organisations to develop their core offering outside of the platform according to their business objectives.

Many interested parties seeking access to the NPP do not want to connect directly because of the technical requirements that this entails, and the complexities involved in connecting to a real time payments infrastructure. Hence ensuring a competitive secondary access market to the NPP is important. Two groups of NPP participating organisations are currently playing a critical role in facilitating secondary access to the NPP for third party entities:

 

1)   Wholesale payment service aggregators

Three directly connected organisations, Cuscal, ASL and Indue, act as aggregators, who are providing wholesale payment services to their customers (i.e. they have no end retail customers of their own). The business model of these organisations is to provide access to different payment clearing streams (RTGS, Direct Entry, BPAY and cheques), as well as other payment products and services such as cards, mobile payments, ATM access and fraud prevention and management. Aggregators help to promote competition in the payments industry by providing the technology, scale and licensing required that enables smaller players to compete alongside the largest players in the industry. Collectively, these aggregators provide services to a diverse range of organisations, including building societies, credit unions, mortgage originators, smaller and regional banks, neo- banks and other fintechs (including brands such as Acorns, Square, Spriggy, Mint Payments and Adyen), as well as non-financial service organisations such as government bodies, airlines and retailers.

These aggregators are actively providing access to the NPP and are collectively connecting more than 60 smaller financial institutions, thereby enabling those organisations to offer NPP payment services to their customers without having to contribute any capital to NPPA that would be required if they connected directly.

We anticipate from market enquiries that there are a number of organisations providing similar services in overseas jurisdictions which are considering establishing a presence in Australia to provide NPP connectivity services, either directly or in partnership with other organisations.

 

2)   Agency service providers

A number of NPP Participants, such as the major Australian banks, are also providing (or plan to provide) third party agency services and indirect connectivity to the NPP for a number of organisations such as smaller financial institutions. It is anticipated that over time, these banks will also offer agency services to other non-bank entities such as large corporates and fintechs.

Indirect access has been provided to a range of fintechs and other non-bank entities, including www.carsales.com.au, a number of cryptocurrency exchanges, and a major cross-border money transfer organisation. The recently publicised example of Assembly Payments and www.carsales.com.au5 who are accessing the NPP via Cuscal, one of the directly connected NPP Participants, is an excellent example of how indirect connectivity is working to provide third parties with access to the NPP, as illustrated below:

We anticipate seeking more such examples of indirect access emerging over time. To our knowledge, approximately 70 non-bank entities including fintechs, payment gateway providers, mortgage originators and large corporates are in active discussions with various NPP Participants regarding indirect access to the NPP.

 

Extending access via APIs

APIs will play an important role in supporting third parties who want to be able to leverage the NPP’s capabilities. NPPA has released version 1.0 of an API Framework which defines the key technical approach and mandatory data attributes for NPP APIs, aligned to ISO 20022 standards6. This API framework is intended to drive inter-operability, standardisation, and consistency in how organisations can use APIs to access the NPP.

The initial version of the API framework focuses on standardised third-party payment initiation messages and PayID resolution requests which can be used by third parties to initiate NPP payment messages. Samples of three APIs illustrate how the framework can be used:

  • PayID Resolution Request
  • Payment Initiation Request
  • Payment Status Request

The API framework will be extended over time to add additional transaction types and features and to align with the domestic implementation of REST/OAuth 2.0 open banking APIs as they are developed. Work on version 2.0, which will cover additional sample APIs related to payment notification and payment return requests, is already underway and is expected to be released in early 2019. APIs for use on the NPP are currently available from some NPP Participants and are being developed by others in line with the NPPA API framework.

NPPA in collaboration with SWIFT have also launched a testing / sandbox environment that will allow fintechs and other third parties to start learning and testing the benefits and capabilities of the NPP using demonstration versions of APIs defined by the NPP API Framework7. This API sandbox, hosted in the cloud and protected by state-of-the-art security, will help foster innovation and open up the NPP ecosystem to third parties.

Together these two capabilities further open the door to the NPP’s infrastructure allowing organisations and developers to learn and test the platform’s capabilities in a way that promotes standardisation, inter-operability and a consistent experience. As NPP participating organisations continue to extend their NPP enabled services to their corporate customers and develop APIs consistent with this framework, we expect to see more and more fintechs, corporates and businesses using the NPP.

In a further effort to foster the ecosystem, ensure standardisation and drive volumes on the platform, NPPA are also developing structured data standards for a number of high priority areas such as superannuation, payroll and e-invoicing. This will help ensure a consistent approach to the treatment of data, thereby making it easier for third parties to utilise the platform’s capabilities. This activity, combined with the work on APIs, is intended to support the growth of business use and commercial payment volumes on the platform.

 

NPP Functionality

The NPP has extensive capabilities today, in particular:

  • Real-time movement of funds, 24 hours a day, seven days a week, 365 days of the year with no cut-off times;
  • Extensive data capabilities with the ability to carry additional data end-to-end together with the payment with the ISO 20022 message structure or via a url link to externally hosted documents. The initial service launched on the NPP, Osko, is capable of carrying up to 280 characters of remittance information;
  • Real-time line-by-line settlement which reduces systemic risk and optimises liquidity management; and
  • Simple addressing with the PayID Addressing Service which enables payments to be directed to an account using an easy to remember alias (a PayID) which has been linked to an underlying bank account. The platform also continues to support payments using BSB and account numbers.

The NPP has been designed and built in a way that it can meet the needs of an evolving digital economy with additional functionality and capability being delivered over time to further enhance the utility of the platform. Planned capability developments include:

  • Future iterations of the Osko service which will include “request to pay” functionality and the ability to attach a document with a payment or have a url link to externally hosted documents included in the message;
  • A central ‘consent and mandate service’, which is in the early stages of development, in collaboration with the industry, which will store payment authorisations by consumers and businesses. This is intended to enable the platform to support recurring payments linked to a customer consent or mandate authorising those payments as an alternative to the current direct debit process. This capability is also intended to be able to support a range of use cases including third party payment initiation and ecommerce, amongst others;
  • Use of the NPP to remit the inbound domestic leg of a cross-border payment

 

Summary

The view of NPPA is that the access framework for the NPP, balances fair and equitable access to a range of parties in various ways, with safeguards to ensure the safety and security of the payments system and the ongoing protection of deposit-holders. Over time, the number of organisations using the NPP will only continue to grow, with expected broad representation from financial institutions, corporates and fintechs. Similarly, as occurred following the creation of the new class of entity, Restricted ADI licences, NPPA will continue to review and refine its operational procedures, regulations, including those concerning access, in line with experience, feedback and market developments.

Given the underlying native capabilities of the NPP in terms of speed, reach, extended availability, addressing features, governance and processing rules, settlement model, and enhanced data capability, NPPA is confident that the NPP is capable of meeting most organisations’ business objectives and use cases today. Even so, NPPA is committed to ongoing investment in and extending the capability of the platform in order to meet the needs of participating financial institutions, payment providers and users of the wider payments ecosystem over time.

 

  1. Current shareholders: Australia and New Zealand Banking Corporation, Australian Settlements Limited, Bendigo and Adelaide Bank Limited, Citigroup Pty Ltd, Commonwealth Bank of Australia, Cuscal Limited, HSBC Bank Australia Limited, Indue Limited, ING Direct, Macquarie Bank Limited, National Australia Bank Limited, Reserve Bank of Australia and Westpac Banking Corporation.
  2. NPP Australia Limited, Constitution, Article 2.1
  3. See https://www.bis.org/cpmi/publ/d101a.pdf
  4. The composition of the NPPA Board is available at: https://nppa.com.au/the-company/board-and-leadership-team/
  5. Australian Financial Review, 3 October 2018, ‘Carsales first to put goods on New Payments Platform’
  6. NPPA, ‘NPPA API framework opens door to capabilities’