Alone at the top: RBC and the mobile payment coup

There aren't as many banks in Canada as there are in the United States, which has allowed the top ones — namely RBC Royal Bank, TD Canada Trust, CIBC, Scotiabank and BMO — to maintain a relatively large share of customers, and of regulatory influence.

But sprawling, monolithic organizations tend to get fat and lazy on their piles of presumed profit, and for years the Canadian banks didn't do much to brace for the impact of mobile computing.

Things changed in late 2011 with partnerships between two sets of Canada's leading companies in their respective categories: Rogers and CIBC; and RBC and Bell. The pilot projects were meant to bring mobile payments to Canadians at a time when few phones supported the necessary technologies, such as NFC and Secure Element SIM cards. For years, the banks relied on the carriers because there was no other way to store confidential PAN (primary account number) credentials — they had to stay on the SIM card itself.

But in late 2013, alongside Android 4.4 KitKat, Google unveiled a new initiative, Host Card Emulation, with the goal of moving those all-important credentials from a physical SIM card to the cloud. Working with Visa and MasterCard, banks like RBC could take ownership of their mobile payment strategies, removing the need for per-device certification and the need to educate the customer on these strange SIM cards that looked the same but cost significantly more.

Now, after being the first to release Host Card Emulation-based payments for all Android devices, RBC has revamped its Android app suite with new, modern designs, separating its unified banking app into two: one for core mobile banking; the other for all payment and wallet-related activities.

According to Linda Mantia, Executive Vice President of Digital, Payments and Cards at RBC, despite competitors like TD Canada Trust recently moving to HCE-based solutions for their Android mobile payments, her company is still way ahead of the pack, both in Canada and the rest of the world.

"We are the leader in North America in fraud [prevention]," says Mantia, referring to the multiple levels of security developed for the solution. The first is the mere use of Host Card Emulation, which allows for more efficient remote improvements of credential storage standards. The other is RBC's own patented dynamic tokenization method, which takes those of the payment networks, namely Visa and MasterCard, and amps the security. Tokens are numeric representatives of a customer's PAN, exposed to the merchant and network in lieu of an actual credit card number. Should that number be stolen or intercepted, the number is almost impossible to decipher.

But regular tokens, like IP leases, can last for days, months or even years if desired, depending on the needs of the issuer. RBC generates a unique token for each transaction — a one-time cryptogram, according to Mantia — that is never reused.

"We are the leader in North America in fraud prevention"

The third advantage to RBC's Secure Cloud, which encompasses the company's mobile payment environment, is the use of a so-called digital master key is generated when the RBC Wallet app is installed on an Android device. When the phone is registered with Secure Cloud, it forms a trust network between the phone itself and the payment network, protecting the dynamic token the entire way through the transaction.

These are all valuable security features, sure, but the reality is that only a small number of people in Canada care about mobile payments right now. Mantia says that number is growing quickly, and the industry is primed for services like Apple Pay, Samsung Pay and Android Pay to bolster the mindshare.

In the meantime, Mantia says that Android-based RBC customers are well served with this two-tiered app approach, which now allows customers to check balances without logging in (in the core app) and purchase gift cards directly from the Wallet app.

Mantia tells me that she sees the smartphone as the future of banking, not just payments, where customers will be able to open accounts, apply for credit, transfer money to friends, make in-store and in-app payments, and do comprehensive budgeting, in the same place.

"We are in the early innings of mobile banking"

She separates mobile payments — the physical act of paying for items using a smartphone instead of a physical credit card — from the rest of the ecosystem, because she acknowledges that Canada's payment infrastructure is already so mature, and that there needs to be a continuous benefit cycle, which involves more than just the lateral displacement of payments from plastic to phone, to entice mainstream customers.

Many millions of Canadian smartphone users engage in some form of mobile banking. According to a Canadian Banking Association survey done in mid-2015, 31% of Canadians used mobile banking in some form in the previous year, and nearly half anticipated migrating to a predominantly mobile banking future in the next five years.

For Mantia, who says that we are in the "early innings" of mobile banking, the most important place her company can be is as far ahead of her competitors as possible. That won't translate to overnight success, but in the meantime there are fancy new Android apps to peruse.

Daniel Bader

Daniel Bader was a former Android Central Editor-in-Chief and Executive Editor for iMore and Windows Central.