An efficient payment system is a collaborative effort
Speech by Executive Director Torbjørn Hægeland at Finance Norway’s Payments Conference, 10 November 2022.
Good afternoon and thank you for inviting me today. It is a pleasure for me to be here. This conference is an important venue for discussing current issues and for keeping abreast of the latest developments in the area of payments.
Norges Bank’s task is to promote an efficient and secure payment system. An efficient payment system is essential for a well-functioning economy and for economic stability, which are the primary objectives for Norges Bank’s activities. In a market-based economic system, payments are essential for a well-functioning economy.
The payment system in Norway is sound. Most users find that payment services are secure, relatively fast and tailored to their needs. The overall economic costs of payments in Norway are relatively low.
But what is considered to be an efficient payment system changes over time. New technology facilitates new and more efficient payment methods. We also note examples where new products and production methods have been developed on the basis of new payment instruments and new ways to pay.
New participants are entering the market. The payment system needs to evolve to meet changing customer needs. This evolution will enable us to make the most of the opportunities technological developments offer. The payment system also needs to evolve to safeguard its security in the face of new attack surfaces and changing threats.
The payment system may be regarded as a collective good. The market alone cannot produce an efficient and secure payment system. In addition, the authorities must exercise adequate governance and control given their responsibility for the whole payment system. This is achieved partly through regulation and partly by performing operational functions in the financial infrastructure.
Nor can an efficient payment system be imposed by legislative or administrative fiat. It is the result of a collaborative effort between Norges Bank and other authorities on the one hand, and banks and other payment system operators on the other. Norges Bank’s settlement system (NBO) provides risk-free settlement in central bank money. This is the foundation of the payment system. Banks and other payment service providers must be responsible for the development of end-user payment services. Our task is to facilitate the evolution of the payment system as technology advances. At the same time, we must ensure that the risks inherent in new payment methods can be managed. We call this responsible innovation.
The optimal division of responsibility between the authorities and the banking sector may change over time. Nevertheless, we are dependent on cooperation and collaboration, which is why this conference is an important forum for Norges Bank.
2. Security and the payment system’s contingency arrangements
Security and adequate contingency arrangements are fundamental to an efficient payment system. The payment system must function without interruption. The operation of the financial infrastructure in Norway has been consistently stable. The Norwegian payment systems’ uptime is almost 100 percent. Faults and disruptions are rare, which we should be proud of. But this does not happen on its own.
Resilient payment arrangements with effective solutions in place to deal with disruptions and faults are the first line of defence in the payment system’s contingency arrangements. The right to operate a bank also entails obligations. Customers should be able to have access to their deposits and payment services in both good and bad times. Payment system resilience is in the interest of the system owners.
The availability of several alternative payment services also helps improve contingency preparedness. If a system failure prevents the use of one type of payment card, another card linked to a different payment platform may be an alternative. Often, cash may also be used.
Norges Bank’s latest cost survey shows that the total cost of each individual cash payment has risen as cash usage has declined. Nevertheless, cash continues to be part of contingency arrangements if other payment solutions fail. Cash will have this role for some time ahead.
Banks have a responsibility for contingency arrangements for cash distribution if their primary systems fail. In the event of a more widespread failure of critical infrastructure, Norges Bank believes that appropriate cash contingency arrangements need to be developed. Also, the division of responsibilities for the contingency solutions should be clarified.
Threats to fundamental national interests and critical infrastructure are increasingly cyber-related. As the use of digital solutions increases, attack surfaces expand. Cyber-attacks are employed by individuals and nation-state threat actors and may be used as a tool in wars and armed conflicts. Successful attacks against critical functions in the financial infrastructure may threaten financial stability and impair the ability to make payments. Fundamental societal functions that serve private individuals, firms and public bodies may be affected.
A cyber-attack initially impacts the entity under attack. Individual payment system operators have an independent responsibility to secure their own systems. The ability of the individual payment systems to resist and respond to attacks is the most important part of defence against cyber incidents. But an attack on an individual system may quickly have consequences for other parts of the financial infrastructure.
Therefore, collaborating on contingency planning is vital. A good example is the sharing of information about vulnerabilities and incidents, where Nordic Financial CERT plays a key role. The Financial Infrastructure Crisis Preparedness Committee brings together authorities and private entities and is mandated to prevent and coordinate the management of incidents that may cause major disruptions to the financial infrastructure.
We must expect sophisticated cyber-attacks directed specifically at the financial sector. Cyber22, the contingency exercise held this past spring, shows the importance of an effective joint response. Norges Bank wishes to develop this collaboration further to improve the payment system’s security and contingency arrangements.
For that reason, Norges Bank has, in collaboration with Finanstilsynet (the Financial Supervisory Authority of Norway), invited key players in the payment system to participate in a Threat Intelligence Based Ethical Red-teaming (TIBER) group. A Norwegian implementation guide has been prepared for independent threat-based security testing in line with the TIBER-EU framework. The guide provides a “recipe” that institutions can follow when conducting red team tests of critical parts of the payment system. Some entities have already started testing, and more are in the pipeline. The value of this type of advanced cyber testing of critical infrastructure is considerable. The responses from entities participating in the group have been very positive.
The group will also serve as a forum for sharing experiences from testing. This is a key tool for strengthening cyber resilience and preparedness.
3. The role of cash
Norges Bank issues notes and coins. Cash is the only means of payment available to private individuals that is a claim on Norges Bank. Cash is also legal tender in Norway. For Norges Bank, use of cash is not a goal in itself, but cash is an instrument to promote an efficient payment system. Cash plays an important role in the payment system, even though cash usage has declined.
I have already mentioned the importance of cash for contingency preparedness. In addition, some persons do not have access to, or have problems using, electronic payment instruments. These may include the elderly, children, or persons with disabilities. In an efficient payment system, such groups must also be able to make payments in a satisfactory manner, using cash, for example.
To fulfil its function in the payment system, cash must be available and easy to use. The authorities have seen that some measures to ensure this are necessary.
Norges Bank has noted that some points of sale do not accept cash payments. In order for cash to be easy to use, Norges Bank believes that the right to pay cash should be clarified. The Ministry of Justice and Public Security has circulated for comment a proposed amendment to the Financial Contracts Act’s rules on payment settlement. The proposal is intended to strengthen consumers’ right to pay in cash.
To ensure availability, banks’ obligations related to cash distribution have recently been clarified in the Financial Institutions Regulation. This will safeguard the ability of account holders to deposit and withdraw cash.
The Government announced in the Financial Market Report for 2022 that it intends to appoint a public commission to explore the future role of cash. Norges Bank looks forward to contributing to this effort.
4. Central bank digital currencies
Cash has certain characteristics that current electronic payment instruments lack, and that promote an efficient payment system. These characteristics are worth preserving. Introducing a central bank digital currency (CBDC) may be a way to preserve important characteristics of cash and widen the range of use of central bank money. A CBDC can also help to ensure that Norwegian kroner will continue to be an attractive and safe means of payment in the future.
Norges Bank and many other central banks are now exploring whether to introduce a CBDC. Falling cash usage, new technological opportunities, and prospects for the establishment of new private money and payment systems are an important motivation driving this exploration.
We are told that crypto assets can meet requirements in new areas, such as in decentralised finance and in the so-called metaverse. So far, one might, however wonder whether developments in some of these areas are instead being driven by a desire to create needs that crypto assets just happen to satisfy.
The technology underlying crypto assets can provide opportunities to design money with different characteristics and functions than we are accustomed to today. These can both provide efficiency gains and lay the foundation for the development of new services.
However, there are many obstacles to overcome before this technology can be fully utilised. The value of means of settlement has not been sufficiently stable, and the technology has not been secure enough to be used in critical financial infrastructure. Moreover, the premise of distributed ledger technology (DLT), namely that users can forgo dependence on a trusted third party, has often proved to fail.
Regulation enhances the security and ease of use of crypto assets. The EUs forthcoming Markets in Crypto-Assets Regulation (MiCA), which is also relevant for Norway, will establish a regulatory regime that fosters responsible innovation. MiCA covers many services and known risks but not all of them. Continued efforts are needed to design rules that also address new services and new risks.
The technology underlying crypto assets can also be employed for a CBDC. Some of the functionalities of crypto assets could then be combined with the trust and stability associated with central bank money.
Norges Bank is now conducting experimental testing of CBDCs with the aim of finding out whether different technological solutions can deliver the required characteristics of a CBDC. Moreover, we learn about experimental testing itself.
One functionality that we are currently testing is programmability, which implies, among other things, that transactions can be automated and need not rely on a trusted third party. Testing may also uncover regulatory and economic issues that need to be resolved.
Our testing has generally been highly transparent, and we have made use of a variety of service providers. Furthermore, we use open-source code to increase participation. A prototype CBDC infrastructure has already been made publicly available. Some banks and other entities are participating in the testing – and more are welcome. However, I would like to emphasise that we have not taken a position on which technology is the most appropriate. The choice of technology in the test cases also reflects our most pressing needs for further research.
If Norges Bank decides to introduce a CBDC, both preparations and a successful launch will depend on effective cooperation with financial and non-financial sector entities and across areas of expertise.
A CBDC can have characteristics that may be useful for different public service providers. To study user scenarios where a CBDC may be used to improve service efficiency and user friendliness, we have launched a project together with the Agency for Public Management and eGovernment, the Norwegian Labour and Welfare Administration (NAV), the Norwegian Tax Administration and the Brønnøysund Register Centre, among others.
In October, we were in Bergen as co-organisers of the first CBDC conference in Norway. Participants included experts from the business sector and academia. I attended the conference and found the discussions to be interesting and useful.
We also cooperate internationally on CBDC studies. Norges Bank is a member of the BIS Nordic Innovation Hub in Stockholm. The Centre assesses how the use of new technology may strengthen the financial system. In a collaborative project with the BIS Nordic Innovation Hub, Sveriges Riksbank, and the Bank of Israel, we are testing how interoperability between CBDCs can improve the efficiency of cross-border payments.
A CBDC can be a relevant tool but like cash it is not a goal in itself. A CBDC can be seen as a collective good that secures an alternative and stable means of payment. By providing an underlying infrastructure, a CBDC enables private and public sector innovations “on top of” the payment infrastructure.
Our CBDC project has been ongoing for some time. Introducing a CBDC would raise many complex issues. We have not yet seen an immediate need to issue this type of money, but we want to be prepared for an eventuality where introducing a CBDC becomes necessary to maintain an efficient payment system. In our view, the relevance of a CBDC is greater now than when we initiated the project. Also, other central banks are progressing in their explorations of CBDCs.
Nevertheless, any decision to introduce a CBDC will be made at some point in the future and would need the endorsement of the political authorities. We will also continue the fruitful dialogue we have had with the banking industry and other stakeholders.
5. The evolution of the settlement system
Payment system innovation is often driven by the desire to meet a user need. At the same time, the core of the payment system, which includes the settlement system and other shared infrastructure for payment services, must continue to function securely and efficiently.
In 1898, and without much IT support, Norges Bank became the settlement bank for Norwegian banks. The settlement system’s digital journey started in the 1970s with an internally developed batch-based IT system. Banks’ account balances were only available after overnight processing had taken place and all reports and account statements were printed out. Following extensive development projects in the 1990s, NBO became a fully-fledged real-time gross settlement system in 1999. The current settlement system became operational in 2009.
An operational service provider that is subject to strict security requirements is responsible for the operation of the system. The result has been an efficient, stable and secure settlement system.
But much has changed since 2009. As critical infrastructure, the settlement system faces an altered risk and threat landscape. Technological advances have also been considerable, and the provider market has changed. The Norwegian financial system is largely dependent upon, and integrated into, the global financial infrastructure. Furthermore, we depend on infrastructure such as telephony, digital networks, computing power and data storage. Some are owned and operated by companies in Norway. Others by foreign companies.
Many central banks are considering large extensions of the settlement system’s operating hours. Increased use of instant payments with settlement around the clock poses a challenge to the classical model of central bank settlement. Norges Bank is currently in formal discussions with the Eurosystem on participation in its TIPS service.
A greater focus on IT security and the increased resource use in this area are taking place at the same time as the introduction of the new ISO 20022 messaging standard. This impacts almost all segments of the global financial infrastructure. The new messaging standard provides opportunities for automation and more efficient payment processing, which will simplify messaging across FMIs and satisfy regulatory requirements on money laundering. Implementing the standard is important for meeting future needs for efficient and secure payments. At the same time, the transition is proving to be a complex and very resource-intensive process, something we also note in the “small” corner of the payment system that Norges Bank operates.
The payment system is evolving in many areas, and we must ensure that our part of the payment system continues to be secure and efficient. NBO’s software and structure must also be assessed. We must clarify the requirements that must be satisfied by the next generation settlement system and how they can best be met.
The payment landscape is evolving and is marked by globalisation, new players and new payment methods.
The Payments Conference is an important arena for all who are interested in, and contribute to, the further evolution of the payment system in Norway. The programme reflects the time we live in, where the development potential within payments is considerable.
At the same time, the backdrop for this year’s conference is darker than on previous occasions. The geopolitical situation is changing. After a long period of peace and stability in Europe, we are now facing an aggressive threat landscape. A greater focus on contingency arrangements is needed. The payment system also needs to function during crises, and contingency arrangements must be adapted to the threat landscape. We must challenge ourselves and ask how resilient we are to an extraordinary situation that not long ago was considered as an unrealistic worst-case scenario. We must also be prepared to follow up with necessary measures if the answers we receive warrant them. This will require all of us to make a greater effort and make this effort a priority. It may also require us, in some aspects to think differently about the focus of our contingency arrangements than we have done before.
Contingency arrangements are expensive, but the costs associated with inadequate contingency arrangements may be much higher. Without security and contingency arrangements, the foundations of an efficient payment system disappear.
Creating and maintaining an efficient payment system is a collaborative effort. This is especially true for contingency arrangements, where sound solutions depend on cooperation between the authorities and industry participants. Our arenas for collaboration are good ones. But just as important: experience from exercises and actual incidents shows that our working relationships have proven to be solid in demanding situations. Not only do we have a common interest in fostering and further developing these relationships, but we have an obligation to the society we serve and operate in. We at Norges Bank are confident that we have the industry with us in the important work to strengthen security and contingency arrangements and for the further development of the payment system as a whole.
Thank you for your attention.