NPP Functionality and Access Consultation: Conclusions Paper

3. Functionality and Overlay Services

As noted earlier, with the exception of corporate entities connecting as either identified or connected institutions, end-users (including households, businesses and government entities) access NPP functionality through the services offered by their financial institutions. These services are provided on a commercial basis and there are no requirements on what NPP services financial institutions must provide. As with any banking product, however, one would expect there to be competitive pressure on financial institutions to provide the services that are valued by their customers.

At this point, Osko is the only overlay service available on the NPP – it provides basic account-to-account fast payment functionality through the mobile and internet banking applications of NPP-connected institutions. However, as was noted earlier, BPAY is planning to expand Osko's services to include the ability to send a document with a payment and the ability to make and receive payment requests. The design of the NPP envisaged that, over time, a range of other overlay services, developed by different parties, would utilise the NPP to offer payment solutions tailored to particular contexts and addressing a range of other customer needs. NPP participants will have the option of subscribing to these overlay services if they wish to provide them to their customers.

NPPA is also working to enhance the ‘native’ capabilities of the NPP by building additional services and capabilities as part of the core infrastructure. These capabilities, such as a planned ‘consent and mandate service’ (see Box A: The NPP's Evolving Functionality), could provide functionality that might alternatively be provided by an overlay service. In other cases, the enhanced native capabilities could be used to improve the functionality of, or make it easier to develop, overlay services.

The consultation sought stakeholder views on the current functionality of the NPP, whether it was meeting their needs and what functionality gaps may exist. This chapter summarises the stakeholder feedback received in relation to NPP functionality and overlay services and provides an assessment and a number of recommendations.

3.1 Issues and stakeholder views

In the written submissions and consultation meetings, there were a range of views on NPP functionality. Some stakeholders (mainly NPPA and NPP participants) highlighted the capabilities the NPP already offers or that are being developed. Other stakeholders (mainly corporates, payment service providers and fintechs) were critical of the current functionality and the services offered by NPP participants to their customers.

Some stakeholders expressed disappointment that they did not have access to fast payments functionality because their financial institutions had not yet rolled out these services to all customers. In particular, as some participants prioritised the roll-out of their NPP services to retail customers, many business and corporate customers had faced, and in some cases were continuing to face, delays in having NPP functionality enabled for their accounts.

One submission suggested that the slow roll-out of NPP services may have exacerbated some of the concerns relating to access to the platform (discussed in Chapter 4). For example, entities that were not receiving the NPP services they wanted from their financial institution may have felt compelled to connect to the NPP themselves, but then encountered the various eligibility requirements. Stakeholders suggested that the slow roll-out of NPP services was also undermining the positive network effects that come from broad account reach, resulting in disappointing user experiences with the platform and acting as a disincentive for entities to invest in developing overlay services.

Some submissions to the consultation also expressed disappointment about the current inability to make direct debits (‘pull payments’) through the NPP. This appeared to be a particular issue for businesses wanting to use the NPP to facilitate recurring payments from their customers. A number of stakeholders expressed doubts about the commitment of the NPP participants to deliver on the additional BPAY overlay services (payment-with-document and request-to-pay) despite these being seen as providing useful functionality, particularly for businesses and government.

The Productivity Commission, in its 2018 report on Competition in the Australian Financial System, also had concerns regarding functionality, which prompted it to recommend that the ACCC and the Payments System Board investigate different ways to improve the functionality of the NPP as a way to promote competition and innovation. The Commission argued that the initial ‘push’ payments offered by the NPP were a very limited use of its potential functionality, which should also include the ability to set up recurring and ‘pull’ payments. It also suggested investigating the feasibility of expanding the use of PayIDs to different payment types, including recurring payments, which it believed would make it easier for customers to switch bank accounts, thereby promoting competition.

A number of stakeholders, particularly fintechs, highlighted the need to facilitate greater use of application programming interfaces (APIs). In this context, APIs are software protocols published by a bank, which third-party systems can use to communicate in a standardised and secure way with that bank's systems to access NPP functionality.[19] While NPPA has developed an API framework (see Box A), some stakeholders called on NPP participants to make APIs available as soon as possible for third parties to use to initiate, confirm and query NPP payments, rather than going through participants' regular internet or mobile banking channels.

Some stakeholders raised concerns about the challenges of deploying overlay services on the NPP, arguing that this could discourage innovation and constrain future functionality. One specific concern was that an overlay service would need to be supported by all or most NPP participants to be viable, and that it would be a costly and time-consuming process for a prospective overlay service provider to bilaterally negotiate with each participant. In this context, it was suggested that BPAY had an advantage in implementing Osko because it is owned by the major banks, which are also the largest shareholders of NPPA. Another concern was that a prospective overlay service provider would have to expose its business plan and intellectual property to NPPA in the process of applying to be an overlay provider, and that this information could be accessed by their potential competitors on the Board of NPPA who are involved in assessing overlay services. It was suggested that concerns such as these have made some entities reluctant to engage directly with NPPA on establishing new overlay services. Suggestions put forward to address these concerns included having an NPPA Board committee of independent directors involved in assessing new overlay services and for NPPA to clarify how access to information on new overlay services would be controlled in order to deal with potential conflicts of interest.

The Productivity Commission has also raised concerns about overlay service providers that are not NPP participants being at a competitive disadvantage relative to NPP participants that offer overlay services because of a lack of access to valuable transaction-level data. It recommended that all NPP participants that use an overlay service be required to share de-identified transaction-level data from that service with the overlay service provider. However, this issue of access to data on transactions going through overlay services was not raised by stakeholders during the Bank's consultation.

In its submission to the consultation, NPPA argued that the NPP currently has extensive capabilities that meet many organisations' business needs and use cases. The NPP presently offers real-time movement of funds on a 24/7 basis, extensive data capabilities, and simpler addressing via the PayID service. One stakeholder, which is also an NPP participant, argued that the NPP's current functionality meets all of the objectives that were identified by the Bank in its 2012 Strategic Review of Innovation. Moreover, NPPA and a number of NPP participants emphasised that a range of additional functionality is being developed or is planned to further extend the capabilities of the NPP (see Box A). They highlighted a central ‘consent and mandate service’, which will store payment authorisations by consumers and businesses and enable the platform to support recurring payments, providing an alternative to the current direct debit options provided by the Direct Entry system and supporting competition by making it easier to move payment authorisations from one financial institution to another.

Box A: The NPP's Evolving Functionality

As discussed earlier, the NPP was designed to operate as a distributed layered architecture. The Basic Infrastructure (BI) comprises a network of payment gateways, hosted by participants, as well as a central Addressing Service. By contrast, overlay services are products, services or schemes that use and extend the core capabilities of the BI in a customised way to provide value-added payment services or processes.

Over the past year, NPPA has identified a number of opportunities to take a coordinating role in providing additional functionality through the BI. By developing native NPP capability, such as defined payment message data elements, which could be used by participants or built upon and commercialised by an overlay service provider, NPPA intends to optimise the utility of the BI. This would enable participants and others to meet the needs of a range of end users without necessarily relying on a dedicated overlay service to do so.

NPPA has an ambitious agenda for extending the functionality of, and increasing transaction volumes through, the NPP. Some of its more noteworthy plans include:

  • Extending its API framework
  • Quick response (QR) code standards[20]
  • Consent and mandate service
  • Data and message usage guidelines
  • Third-party payment initiation.

API framework and sandbox

NPPA announced the NPP API framework in September 2018. The framework provides guidance on the design of APIs for the NPP. It establishes the recommended technical approach for APIs and mandatory data elements, removing the need for participants and third-party service providers to build customised APIs. NPPA does not mandate use of the API framework; however, it is encouraged as a way to increase consistency and interoperability between APIs offered by different providers.

The first version of the framework contains three sample APIs that could be used by authorised third parties to: (i) look up a PayID in the Addressing Service, (ii) send a payment initiation request, and (iii) confirm that a payment has been completed. The second version of the framework, released in May 2019, will extend the sample APIs to different NPP functions: (i) cancelling a payment, (ii) requesting the return of a payment, (iii) notification of a payment, and (iv) notification of the return of a payment. NPPA intends to further extend the API framework over time.

To encourage use of the API framework, NPPA and SWIFT have established an API sandbox: a secure, cloud-based facility, for developers to test API solutions for the NPP in an independent environment. This capability will extend over time in line with the API framework and will be enhanced to become more dynamic in nature.

Initially, the range of API solutions offered by participants is likely to vary due to the staged approach taken in individual NPP roll-outs. Importantly, it is NPP participants (or identified institutions) who must provide the API services for their customers to access the NPP, not NPPA itself.

QR code standards

NPPA released a standard for the use of QR codes to generate NPP payment messages in June 2019. The NPP standard is based on the widely used EMVCo QR code specifications and defines the mandatory data elements that are required for NPP payments initiated by a QR code. The standard can be used for both static and dynamic QR codes. This capability has potential application in a range of use cases including bill payment, invoices, e-commerce and even point-of-sale payments.

Consent and mandate service

NPPA is planning a consent and mandate service (CMS) to facilitate the creation and secure centralised storage of standing payment authorisations given by consumer and business customers of different financial institutions. For example, the CMS could be used to store pre-authorisations for regular bill payments, such as rent or utility payments. The CMS will enable the NPP to be used for a range of additional payment types, including recurring payments and third-party initiated payments, and will give customers more visibility and control of their payment authorisations. The CMS will allow the NPP to be used as an alternative to the direct debit system. It will support third-party payment initiation and ‘on-behalf-of’ payment functionality for use by a range of third-party payment service providers including payroll service providers. NPPA has made an assessment that the broad range of potential applications make it more efficient for the CMS to be provided through the BI as native capability, similar to the Addressing Service. It is expected that the CMS will make it easier for customers to switch banks by allowing them to manage their payment authorisations and link them to a new bank account.

Message usage guidelines

The NPP was designed using the ISO 20022 standard for payment messaging, which can carry much richer information than the 18 characters available for direct entry payments. In addition to the payment instruction, the standard provides for a clearing message to contain more than 1,400 data fields.

NPPA has identified payroll, superannuation and pay-as-you-go (PAYG) tax instalments as areas that are likely to benefit from additional data being carried with the payment in a structured manner. These high-volume payments are often initiated from businesses' accounting or payroll systems and received by the ATO and superannuation funds, without manual processing. The carriage of structured data with these payment types ensures that they are processed efficiently. NPPA began consulting with industry stakeholders on the development of industry-specific message usage guidelines in early 2019 with the aim of releasing these message usage guidelines later this year.

These guidelines differ from an overlay service in that they do not set a posting standard or define the end-user experience. However, the guidelines are likely to enable use of the NPP for payroll, superannuation or PAYG tax instalments without the need for a specific overlay service designed for these payment types. However, an overlay service provider would have the option of building on top of these message usage guidelines developed by NPPA and incorporating them into its own product or service offering. NPPA has indicated that it also intends to develop message usage guidelines for e-invoicing and insurance payments at a later date.

Third-party payment initiation

While the NPP has to date only been used for credit or ‘push’ payment messages, another payment message within the ISO 20022 standard is the ‘payment initiation’ message. Using payment initiation messages, an authorised third party can initiate a payment on behalf of customers of a financial institution or request payments to be made by a customer. The NPP was designed to support payment initiation messages; however, these messages were not certified or tested in the lead-up to the initial launch, and are not currently being used by participants across the BI (although some participants are offering payment initiation messages to customers outside of the BI). The full implementation of payment initiation messages will enable the NPP to cater for a wide range of use cases, such as authorised service providers initiating payroll, superannuation, tax or invoice payments on behalf of their business customers, or as an alternative to the existing direct debit system.

Enabling third-party payment initiation has the potential to substantially increase transaction volumes on the NPP. Customer authorisations will be able to be managed centrally through the planned CMS or bilaterally through arrangements between participants or third parties. The CMS will provide customers with control over their payment authorisations and permit authorised third parties, via APIs, to manage customer authorisations to which they are a party. NPPA's assessment is that the implementation of payment initiation messages with CMS-managed customer authorisations would effectively enable authorised third-party payment initiation on customers' accounts; this would correspond to ‘write access’ to customer accounts, and could be an element of the future evolution of Open Banking in Australia.

3.2 Assessment

The central infrastructure of the NPP is now providing functionality that has largely filled the gaps identified in the Bank's 2010–12 Strategic Review of Innovation. In particular, the ability to send and receive retail payments in real-time on a 24/7 basis, with immediate funds availability to the payee, richer data and the ability to address payments using the PayID service is a significant enhancement to Australia's retail payment system.

However, the slow roll-out of NPP services by some larger banks has been disappointing and overall NPP volumes have grown more slowly than was initially hoped. While it was always expected that financial institutions connected to the NPP would roll out customer services according to their own schedules and priorities, this roll-out has occurred more slowly than anticipated. While the major banks have now largely completed the roll-out of NPP services to their retail customers, the roll-outs to business and corporate customers are ongoing and some banks have yet to provide NPP services to their subsidiary brands. This stands in contrast to many of the smaller institutions, which connected to the NPP via the aggregators and were able to provide NPP services to their entire customer bases at (or quite soon after) the NPP launch.

In addition, even where NPP services have been enabled, some major banks still have significant functionality gaps in terms of the ways that payments can be initiated or the limits that are placed on payment amounts. The incomplete reach of the NPP and the partial functionality offered by some of the major banks has disappointed end-users that have been keen to utilise the NPP and has also likely delayed the development of new services that would extend the NPP's capabilities.

The delays experienced by some of the major banks point to the complexity of their internal systems, the fact that they have many other projects underway, and the challenges for security and operational reliability of moving to real-time and 24/7 payments. Some of the banks appear to have significantly underestimated or underfunded their internal projects in this regard and there may also have been insufficient oversight of projects by senior executives and boards of financial institutions. Given that there remains significant work to be done to realise the full potential of the NPP, the Bank will be continuing to push the major banks to prioritise the roll-out of services to their customers and ensure that significant functionality gaps are addressed as quickly as possible.

As discussed in Box A, NPPA is working on an ambitious agenda to enhance the native capabilities of the platform. In addition, BPAY is still planning to extend the capabilities of Osko to allow a document to be attached to a payment and to send and receive payment requests, though progress here depends on the NPP participants being in a position to commit to the additional work that is required to deliver these services. The Bank strongly supports the development of these planned capabilities and believes that if they are fully implemented they could address many of the functionality needs that were raised by stakeholders in the consultation. While the Bank does not wish to dictate how these capabilities should be delivered from a technical perspective, we believe that NPPA and its participants should publicly commit to a roadmap for when they will be made available to end-users and to periodically update this roadmap over time.

However, while a roadmap will assist, the experience to date highlights the risk that delays in the projects of particular participants may threaten the delivery or launch of some of this additional functionality. Here, it may be useful to draw on practices of some other payment systems where the scheme operator has the power to mandate certain action or behaviour by participants; this is common in the card systems, for example. Accordingly, the Bank believes the NPPA Board should have the power to mandate that changes to the central infrastructure or native capabilities of the NPP must be supported by participants within a specific timeframe, backed up by an enforceable sanctions framework (including possible financial penalties) for participants that do not comply. We are recommending that NPPA introduce such a mandate framework by the end of 2019 and that it be used to support the timely delivery of agreed functionality. Ultimately, if additional functionality were not delivered within a reasonable period of time, the Bank could consider a regulatory approach to require the NPPA and/or its participants to provide specific functionality if it was deemed to be in the public interest to do so and was consistent with the Bank's mandate to promote competition and efficiency and control risk in the payments system.

Regarding the role of overlay services in the NPP, the consultation revealed some misunderstandings on the part of some stakeholders. The Bank notes that many fintechs and other entities that have expressed interest in becoming overlay service providers might actually be able to implement their business models using NPP functionality provided by an existing bank relationship or alternatively as an identified institution. That said, to help promote competition and innovation, the Bank believes it is important that there are no unnecessary barriers to creating overlay services. In this context, the Bank notes the concerns some stakeholders raised about sharing confidential information with NPPA, which might be seen by participants that have interests in competing overlay services. The Bank believes NPPA should put in place procedures that address these concerns. These should clarify how confidential information will be handled during the application process and the role of NPPA management and potentially the independent directors, versus the broader NPPA Board, in approving overlay services. As regards suggestions by some stakeholders that all participants must be required to subscribe to NPP overlay services, the Bank does not see a case for such a mandate. Instead, the presumption should be that participants will subscribe to an overlay service because they see value in it, just as they can choose to offer any other service that delivers value to their customers.

Recommendations:

  • NPP participants should prioritise the roll-out of NPP services to their entire customer base and address any functionality gaps that currently exist in their customer offerings.
  • Starting no later than end September 2019, NPPA should periodically publish a roadmap of the additional NPP functionality it has agreed to develop and the expected time period over which it will be delivered. The roadmap should be updated at least semi-annually.
  • By end December 2019, NPPA should introduce a power for its Board to mandate that specified NPP core capabilities must be supported by NPP participants within a specific period of time, with an enforceable sanctions regime (including possible financial penalties) to apply if participants do not comply.
  • By end September 2019, NPPA should publish its process for assessing potential overlay services, including how confidential information on the plans of potential overlay service providers will be controlled and the respective roles and responsibilities of the NPPA management, independent directors and the broader NPPA Board in approving overlay services.

Endnotes

[19] Open APIs are also being developed in the context of Australia's open banking regime as a way for third parties to access customer data held in bank systems.

[20] A QR code is a two-dimensional barcode that contains information such as the price of the item to which it is attached.