Annual Review 2018 Contents

Message from the Chairman 3

Highlights 4

Reviewing the Australian Payments Plan 5

Security & Trust 6

Managing the Payments Mix 9

Enabling the Future 9

Our Community 10

Australian Payments Council meets the Payments System Board at RBA headquarters, August 2018

2 / Australian Payments Council Message from the Chairman

We encourage all sections of the This work included developing community to get involved. principles for data-sharing, holding a hackathon in 2017, and making Cheques Research submissions that assisted the 2018 marked a major milestone, with Government to understand the the Council’s work on managing the potential uses for open banking. changing payments mix becoming With the project now moving to an the first project that has moved from implementation phase, the Council strategic analysis to implementation. will take a watching brief. Consumers are continuing to rapidly move away from cheques. Cyber Security Recognising that cheques will Building on our momentum from the eventually disappear from the previous year, we held a number of payments landscape, the Council workshops with representatives of Robert Milliner funded extensive research into the Council members and government Chairman, Australian changing payments mix, with the aim agencies. Payments Council of ensuring that as more and more consumers move to digital payment The primary focus areas have been methods, remaining cheque users the sharing of actionable information I was delighted to join the Council in are not left behind. and generating cyber awareness. September this year. This is a time The outcome of this research has We are in the process of identifying of significant change and innovation now been passed to Australian user requirements for an information and I look forward to helping shape Payments Network (AusPayNet), sharing framework, and any the future of payments through which is leading implementation of possible legislative implications for Council initiatives. key recommendations. participation of such a model. Payments Plan Review Digital Identity The Australian Payments Plan, “Recognising that the In January this year, we agreed published in December 2015, has on an Action Plan to create a trust guided the strategic direction of the payments system framework that will support portable, Council over the last three years.The economy wide digital identity. changes and work programs that it touches everyone, outlined have been prescient. everyday, and that Seventeen organisations from the Council and the wider Payments Data-sharing is rapidly becoming a our needs continue Community are now delivering on reality, following the Government’s this Action Plan and have selected announcement to introduce open to evolve, the Council a model that will lead to the creation banking. The Council’s work on will be conducting a of an open and contestable managing the changing payments framework to support a wide range mix has positioned industry to public consultation of interoperable identity services. support the consumer-led decline in early 2019.” We are very pleased that the Digital of cheques, which continues to Transformation Agency (DTA) is also accelerate. We have also made good participating in this work. progress on digital identity. Data Availability We are part way through the With the payments landscape, in With the Government’s announcement implementation of the Action Plan and Australia and globally, changing at of the consumer data right (CDR), anticipate that the development of the a rapid pace, it is fitting that we now open banking has moved from framework will complete in mid-2019. review the Payments Plan to ensure strategy to implementation. the payments system continues I thank the Payments Community for to meet the needs of the digital Data-sharing was one of the core its work in progressing our collective economy. focus areas of the Payments Plan goals and look forward to another in 2015 and the Council is pleased year of collaboration. Recognising that the payments with our role in shaping the national system touches everyone, everyday, conversation. and that our needs continue to evolve, the Council will be conducting a public consultation in early 2019.

Annual Review 2018 / 3 Council endorsement of the Digital Identity Action Plan

Highlights The Digital Identity Action Plan outlines a program of work that will lead to the establishment of a trust framework. The framework will enable individuals and organisations to safely interact digitally, preserving privacy while ensuring each Appointment of new Chairman party has accurate and verifiable information about the other. Participating organisations have The Council announced the appointment met to progress work to deliver on the Plan of Robert Milliner as independent non- throughout 2018. executive Chairman effective 10 September 2018. The Council thanks former Chairman Mark Birrell for his valuable three-year contribution to leading the Council.

Joint workshop with Joint Cyber Security Centre (JCSC) Successful transfer of the cheques on information sharing strategy from the Council to AusPayNet for operational implementation The Council’s Cyber Security Task Force co-hosted a workshop with the The Council oversaw the transfer of the cheques strategy Government’s JCSC on 7 May on to AusPayNet for implementation by its cheques issuing ‘Actionable Intelligence’. More than 30 members. This is the Council’s first project that has SMEs from the task force, community moved from strategic analysis to implementation. members, and federal, state and agency government representatives attended the workshop.

Meeting with the PSB

The Council and the Payments System Board of the Reserve of Australia held their fourth joint meeting on 24th August 2018, at the RBA in Sydney. Submission to APRA on draft standard CPS 234 Information Security

Submission to the Review of National APRA’s draft standard CPS 234 aims at Arrangements for the Protection & shoring the ability of APRA-regulated Management of Identity Information entities to repel cyber adversaries or respond swiftly and effectively in the The Council provided a submission to the public event of a breach. The Council provided consultation, detailing the scope and goals of the a submission to the consultation, Council’s work in developing a trust framework. supporting the principles and intent of the draft standard and the quality of the guidance provided.

4 / Australian Payments Council Reviewing the Australian Payments Plan

The Australian Payments Plan, collaborative industry efforts to deliver • The Australian Government has published in December 2015, was a Resilient, Accessible, Adaptable announced the introduction of the first major project undertaken by and Efficient payments system. the consumer data right from the Council. The 2015 Plan set out the 1 July 2019. Over the last three years, the core areas of strategic focus for the payments landscape has continued The Council is launching the first Council and has guided our thinking to rapidly evolve. Australians have triennial review of the Payments Plan and approach in the three years increasingly adopted electronic in early 2019. Recognising that the since its publication. The Council’s payments, moving away from payments system is foundational to core areas of work – managing the cheques and cash. the Australian economy, the Council changing payments mix, digital is seeking feedback and insights identity, data sharing and cyber • In 2018, card use grew by a from all sections of the Australian security – were established by the record 12.7% year on year; 90% of community and business. 2015 Plan. Australians own a smartphone, and of those, 70% make payments on Full details on how to get involved Identifying the rapid pace of change their phone. in the review will be available on the in the payments landscape, the Council website in January 2019. Plan includes a recommendation for • The New Payments Platform review after three years of operation.• Cardcommenced payments grew operation by a record 12.7%. in 2018, 7.8 billion (2017) 8.8 billion (2018) The triennial review is intended to providing the ability to make fast, ensure the Plan remains relevant versatile and data-rich payments. and continues to effectively guide

8.8 Australians are increasingly 2018 Billion THE NUMBER adopting electronic payments OF CARD TRANSACTIONS 2013 2017 7.8 201 Billion GREW BY A RECORD CREDIT CARD 12.7% 90% DEBIT CARD OF AUSTRALIANS OWN A SMARTPHONE

Source: Reserve Bank of Australia: Figures are for Financial Years

THE NPP’S ADDRESSING SERVICE HAS MORE THAN OF THOSE 90% 2017

2,215,430 70% REGISTERED PAYIDS MAKE PAYMENTS ON THEIR PHONE Source: NPP Australia Limited Sources: Deloitte Mobile Consumer Survey; Paypal mCommerce Index 2017 Annual Review 2018 / 5 Security & Trust

Digital Identity To achieve this, the framework will Because of the availability of establish a set of principles as well standards and clear accreditation Meeting the needs of individuals as functional, operational and legal and approval services, a wide range and organisations standards that guide the behaviour of of manufacturers can produce cards One of the stand out lessons from participants in the framework. and terminals. And because there overseas is that where there is no are clear rules about how liability is On a practical level, a framework government mandate to support managed, it is easy for businesses provides a baseline for trust digital identity, it can be very hard to and individuals to understand how between participating organisations. encourage adoption of services. This they are protected by the payment It provides assurance to an is because while many people want networks terms of service. organisation (e.g. a retailer) that the privacy and security benefits that another organisation (e.g. the bank Framework completion a digital identity service can offer, or post office) has done their due they do not prioritise signing up for We anticipate that the framework diligence identifying an individual a service – because more often than will be complete mid-2019. As we or entity, and is appropriately (i.e. in not, it’s perceived as inconvenient. develop this framework, organisations line with requirements for security, are developing services that they will To ensure that we create a privacy & data structures) handling offer to businesses and consumers in framework for identity services that information for that individual or parallel. meet the needs of individuals and entity. organisations, we have committed The framework will specify the to a design led approach. Such technical standards and appropriate an approach will ensure that what governance for identity services. we develop is commercially viable, This is analogous to how payment technically feasible and most cards work today. Thanks to importantly, desirable for people and managed standards, the software organisations to use. on our payment cards is able to Digital Identity Trust Framework communicate with the software on payment terminals and this A trust framework will enable different is supported by a governance organisations to offer a range of framework that guides all parties. identity services to individuals, as well as to public and private sector entities.

The following organisations have taken part in the creation of the Digital Identity Trust Framework:

American Express Cuscal Limited Optus Australia Limited Digital Transformation PayPal Pty Ltd Australia and New Zealand Agency Reserve Bank of Australia Banking Group Limited Payments Suncorp-Metway Limited Australian Postal Australia Limited Corporation Visa AP (Australia) Pty Ltd MasterCard Asia/Pacific Bendigo & Adelaide Bank (Australia) Pty Ltd Banking Limited Corporation Coles Group Limited Limited Woolworths Limited of NPP Australia Ltd Australia

6 / Australian Payments Council Data Identity crime is estimated to cost Australia upwards of 1. billion each year, with the maority around 00 million lost by individuals through credit card fraud, identity theft and scams.

$900Million

More than 4 million estimated ongoing annual costs to industry to maintain existing YC processes.

Data Identity crime is estimated to cost Australia upwards of 1. billion each year, with the maority around 00 million lost by individuals through credit card fraud, identity theft and scams.

$900Million

More than 4 million estimated ongoing annual costs Datato industryIdentity to maintaincrime isexisting estimated YC processes. to cost Australia upwards of 1. billion each year, with the maority around 00 million lost by individuals through credit card fraud, identity theft and scams.

CREDIT CARD Card-not-present CNP fraud has a direct annual cost of over 400 million to Australia. The case for a digital identity trust frameworkP AY $900Million 2017 More than $435 million ESTIMATED ONGOING ANNUAL COSTS TO INDUSTRY Data IdentityTO crime MAINTAIN is estimated EXISTING to costKYC AustraliaPROCESSES upwards of 1. billion each year, with the maority around 00 million lost by individuals through credit card fraud, identity theft and scams.

CREDIT CARD Card-not-present CNP fraud has a direct annual cost of over 400 million to Australia. PAY More than 4 million estimated ongoing annual costs to industry to maintain existing YC processes. Million 2017 $900$900 million LOST ANNUALLY THROUGH CREDIT CARD FRAUD, IDENTITY THEFT AND SCAMS Source: The Murray Report

Source: The Attorney-General’s Department More than 4 million estimated ongoing annual costs Identity spoofing attacks in Australia and New Zealand up 1 since 201 to industry to maintain existing YC processes.

IDENTITY SPOOFING ATTACKS IN Identity spoofing attacks in Australia and New Zealand up 1 since 201 AUSTRALIA AND NEW ZEALAND ARE up 71% since 2015

Source: Cybercrime Report, Threatmetrix Q4 2017

CREDIT CARD Card-not-present CNP fraud has a direct PAY annual cost of over 400 million to Australia.

2017 2017 2017 3 2017 3 2016 201 2016 201 2015 2015

2017 Card-not-present CNP fraud has a direct CREDITCARD-NOT-PRESENT CARD (CNP) CNP FRAUD annual cost of over 400 million to Australia. FRAUD HAS A DIRECT PAY Card-not-present (CNP) fraud accounts for over 85% of all card fraud in Australia PAY 85% ANNUAL COST OF OVERPAY accounts AY PAY 85% Card-not-present (CNP) fraud accounts for over 85% of all card fraud in Australia $476 million P for 85% 2017 OF ALL FRAUD ON AUSTRALIAN CARDS

Source: Australian Payments Network

Annual Review 2018 / 7

Identity spoofing attacks in Australia and New Zealand up 1 since 201

Identity spoofing attacks in Australia and New Zealand up 1 since 201

2017 2017 3 2016 201 2015

2017 2017 3 2016 201 2015

PAY Card-not-present (CNP) fraud accounts for over 85% of all card fraud in Australia PAY 85% PAY Card-not-present (CNP) fraud accounts for over 85% of all card fraud in Australia PAY 85% Cyber a workshop in 2019 to consider The Council and the JCSC continue initiatives to increase knowledge, and to work to elaborate the technical In 2017, the Council identified three the importance of taking preventative user requirements for participation areas of focus for the Payments measures to increase cyber in the joint framework, developing Community: resilience across the community. a governance model and exploring • Awareness generation and potential ‘safe harbour’ requirements. Actionable Intelligence via Information education Sharing Incident Response • Timely sharing of actionable In 2017, the Council considered In June 2018, the Council lodged information a number of information sharing a submission in support of the • Development and testing of methods. These included utilising Australian Prudential Regulation incident management procedures an existing industry body, building Authority’s (APRA) draft standard a bespoke solution or partnering CPS 234 Information Security (the Collaboration with the Australian with government. The latter was Standard). The final version of Cyber Security Centre (ACSC) considered the best option. the Standard was released on 7 and the Joint Cyber Security November 2018 and is designed to In May 2018, the Council, together Centres (JCSC) forms a key part ensure resilience against information with the Sydney JCSC, held a of the Council’s engagement with security incidents (including cyber workshop to define the concept of government. By advocating for a attacks), and the ability to respond ‘actionable’ and the types of data national collaborative approach, the swiftly and effectively in the event of a that could be shared. A number of Council aims to ensure a consistent breach. Compliance with the Standard user requirements were identified to and robust approach to cyber is required from 1 July 2019. security for the Payments Community. progress a public/private framework for cyber information sharing. The Security exercises to test incident Awareness Generation workshop also highlighted that there management procedures is pending Working collaboratively with the may be legislative barriers to sharing assessment and evaluation of current JCSC, the Council plans to hold this information. similar initiatives.

The Australian Payments Council will advocate for a national collaborative approach to ensure a consistent and robust approach to combatting cyber-fraud

Workstreams Awareness Incident Information Sharing Generation Response

Options Utilise An Build A Security Exercises Partner With UK Experience Established Bespoke to Test Government Industry Body Solution Procedures

Decisions Progress a Public / Private Framework for Actionable Intelligence

Paused pending Hold a series of oint Survey industry to Identify legislation that assessment and industry and JCSC identify and agree back end may prevent participants Activities and evaluation of workshops to agree technical requirements for in sharing intelligence as Outcomes alternative cyber what form awareness portal access, processes for prequisite for agreeing testing procedures generation and sharing intelligence and principles for being undertaken collaboration the governance model for participation in outside of the could take the framework framework payment community

8 / Australian Payments Council Managing the Payments Mix

Reflecting longstanding trends, The Cheques Taskforce made A report on cheques, covering consumers continue to rapidly move recommendations to help ensure the scope and key insights from away from cheques. In 2018, cheque appropriate alternative payment the Council research will be made use fell by 20%, from 99.9 million to services are available prior to available on the Council website. 80.4 million. In its place, direct entry the disappearance of cheques. payments grew by 4.2%, to 3.9 billion Australian Payments Network is and the number of card transactions leading work on these initiatives. grew by a billion, from 7.8 billion to 8.8 billion. Likewise, the value of card 201 transactions grew 6.3%, from $596.9 201 2018 billion to $634.8 billion. CHEQUE USE 99.92018 99.9 Million 80.4 Cheque usage is in long-term Million 80.4 Million decline and cheques will eventually plunged CHEQE MilliDATE on ADDRESS CITY STATE ZIP CODE 201CHEQE DATE disappear from the payments FROM CHEQE DATE ADDRESS CITY STATE ZIP CODE AMONT ADDRESS CITY STATE ZIP CODE FROM PRPOSE CHEQE2018 DATE AMONT FROM landscape. This was reflected in ADDRESS CITY STATE ZIP CODE 0152 - 635486565 - 4526589 -60045 by 20% PRPOSE AMONT FROM 0152 - 635486565 - 4526589 -60045 PRPOSE a recent speech by the Governor 99.9 AMONT 0152 - 635486565 - 4526589 -60045 PRPOSE Million 015280.4 - 635486565 - 4526589 -60045 of the RBA, Philip Lowe, where he Million noted that “Given this trend is likely CHEQE DATE

ADDRESS CITY STATE ZIP CODE to continue, it will be appropriate at FROM CHEQE DATE AMONT ADDRESS CITY STATE ZIP CODE

PRPOSE FROM some point to wind up the cheque 0152 - 635486565 - 4526589 -60045 AMONT

PRPOSE system, given the high fixed costs 0152 - 635486565 - 4526589 -60045 THE VALUE OF CARD involved in operating the system. We 2018 2018 have not reached that point yet, but TRANSACTIONS it may not be too far away. Before $634.8 $634.8DEBIT CARD Billion DEBIT CARD we do, it is important that alternative Billion 201 2018 2018 grew byCREDIT 6.3% CARD 201 payment methods CREDIT CARD are available.” 2018 3.7 3.9 Billion Billion 3.7 3.9 201 Billion Billion While there is currently no end date $634.8 DEBIT201 CARD for cheques in Australia, the long Billion$596.9 201 2018 term trends are clear. Billion CREDIT$596.9 CARD Billion 2015 2016 2017 2015 2016 2017 the value of card transactions grew 6.3%, from $596.9billion to billion 3.7 3.9 $634.8 Billion Billion the value of card201 transactions grew 6.3%, from $596.9billion to $634.8DIRECTbillion ENTRY TRANSACTIONS $596.9 Billion 2015 grew2016 by2017 4.2% Source: Reserve Bank of Australia: the value of card transactionsFigures grew 6.3%, are from for Financial $596.9billion Years to $634.8 billion Enabling the Future

Data-sharing in the banking sector Government announcing a go- development of principles for data- took a major step forward this year, live date for the banking sector sharing, a payments hackathon and with the Government committing to of 1 July 2019. After banking, the submissions to government inquiries. the introduction of the Consumer CDR will be implemented in the With the open data project now Data Right (CDR). The CDR will give telecommunications and energy moving from strategic policy Australians the right to access their sector. discussions to operational data in a machine-readable format. The Council is pleased to have implementation, the Council will The CDR will be progressively played a supporting role, positioning now take a watching brief. rolled out across different industry for this shift, with work economic sectors, with the in previous years including the

Annual Review 2018 / 9 Our Community

The Council continues The Council to grow its Community In order to ensure the needs of a diverse group of payments stakeholders are reflected in the Council meetings, representation membership across is shared across members, with varying tenures. We would like a broad range of to acknowledge the following people for their participation on the Council during the last 12 months. organisations from financial institutions, card schemes, major Robert Milliner Chairman retailers and other Rob Allen PwC payments service Michael Baumann Commonwealth Bank of Australia providers. Mark Birrell Chairman (resigned June 2018)

Lindsay Boulton Reserve Bank of Australia

David Carter Suncorp-Metway Ltd

Di Challenor Westpac Banking Corporation

Robbie Cooke Tyro Payments Limited

Corrina Davison American Express Australia Limited

Nigel Dobson Australia and New Zealand Banking Group Limited

Michael Eidel Commonwealth Bank of Australia

Rob Ferguson Tyro Payments Limited

Leila Fourie Australian Payments Network

Tony Graham Macquarie Bank Limited

Craig Kennedy Cuscal Limited

Adrian Lovney New Payments Platform Australia

Jan Mason Quest Payment Systems Pty Ltd

Paul Monnington Woolworths Limited

Rocky Scopelliti Optus

Rachel Slade National Australia Bank Limited

Rachel Stocks American Express Australia Limited

Richard Wormald Mastercard Asia/Pacific (Australia) Pty Ltd

10 / Australian Payments Council We’d like to thank Members all our members for ACI Worldwide their commitment American Express Australia Limited to improving the Australia and New Zealand Banking Group Limited Australian payments Australian Payments Network system in 2018. Australian Postal Corporation Limited Bendigo & Adelaide Bank Limited Bluechain Pty Ltd BPAY Pty Ltd Citigroup Pty Limited Coles Group Limited Commonwealth Bank of Australia Cuscal Limited eftpos Payments Australia Limited Global Payments HSBC Limited IBM Australia Limited Indue Limited ING Bank Australia Ltd J.P. Morgan Chase, N.A Sydney Branch Latitude Financial Services Macquarie Bank Limited Mastercard Asia/Pacific (Australia) Pty Ltd National Australia Bank Limited NPP Australia Ltd Optus PayPal Pty Ltd Quest Payment Systems Pty Ltd Reserve Bank of Australia Suncorp-Metway Limited Swift Tyro Payments Limited Visa AP (Australia) Pty Ltd Westpac Banking Corporation Woolworths Limited

If you would like to take part in developing Australia’s future payments system, please get in touch. We’d be delighted to welcome you to our community.

Annual Review 2018 / 11 Level 23, Tower 3, International Towers Sydney 300 Barangaroo Ave, Sydney NSW 2000 Telephone +61 2 9216 4888 Email [email protected] australianpaymentscouncil.com.au