Even before Apple Pay burst onto the scene last year as an enabler — and, in many ways, a competitor — of bank mobile wallets, U.S. banks have been told by investors, industry experts and customers to develop their own payment apps.
Some have been more aggressive than others in rolling out various mobile technologies, but U.S. banks have generally been bystanders to companies like Barclays and Royal Bank of Canada, which have established themselves as role models for banks that want to keep their branding front-and-center as mobile payments mature.
Capital One made a bold move last week in becoming one of the first U.S. banks to establish its own tap-and-pay Android app, putting it up against the brand-new Android Pay and Samsung Pay wallets on Google's smartphone platform. The issuer already considered its mobile app a step up from the standard Apple Pay experience, and marketed it as such when Apple Pay debuted a year ago.
Many financial institutions, as well as Visa and MasterCard, will be watching Capital One's mobile wallet implementation closely, especially because it incorporates Host Card Emulation technology, said Tim Sloane, director of emerging technologies advisory services for Boston-based Mercator Advisory Group.
Host Card Emulation, introduced as a feature to Android in late 2013, allows developers to enable contactless payments without access to the phone's secure element. Because the carriers typically control access to the secure element, they effectively blocked independent wallet developers from distributing their apps on major mobile networks.
"Cap One is the first to jump in with an HCE implementation, which has a different way of preventing fraud," Sloane said. Since HCE wallets can't access the secure element, the apps typically protect data in the cloud.
Capital One has not communicated any type of transaction value limitation, Sloane said. "As far as I know, it equals an 'open to buy' concept in its wallet," Sloane added. "If you look overseas where each HCE implementation came into the market sooner because of the void where Apple Pay is not available, there were limits between 30 and 100 pounds ($154 U.S.) per transaction."
Capital One executives were not available for comment prior to deadline.
RBC moved even faster in mobile wallet development, and has steadily updated its app as Google added features to Android. Its app for Android 6.0, the latest version of Google's mobile operating system, will allow alternatives to password authentication, such as using the phone's lockscreen PIN to also unlock the mobile wallet.
RBC was the first bank in North America to adopt Host Card Emulation in early 2014. The rollout of HCE meant that more RBC clients could use the RBC Wallet anywhere in the world, without worrying about being on a specific mobile network or having the right SIM card.
"While NFC adoption has certainly accelerated the widespread adoption of mobile payments, HCE has made it easier for our clients to use the RBC Wallet, and has accelerated the adoption of the wallet," said Jeremy Bornstein, head of payments innovation at RBC. "The launch of HCE is just the beginning for us, and we’re continuing to grow our suite of capabilities for mobile solutions."
Customer confidence is high at RBC because the bank's wallet is powered through RBC Secure Cloud, making it the first mobile payment service in Canada to keep sensitive customer data in the cloud, Bornstein added.
So far, the bank is not seeing use of the RBC Wallet concentrated only on younger customers. "The wallet is widely used by clients across all socioeconomic and demographic groups," Bornstein said.
Capital One may see the same kind of confidence lift and demographic spread, but must not let its attention to security waver, Mercator's Sloane said.
When announcing its Android capability through the Cap One mobile app, the bank said MasterCard and Visa will handle the tokenization services (which guard account data) for the wallet security.
But Capital One faces a significant challenge in certifying all of the different devices that are HCE-enabled because many will have different features, Sloane added.
"There are devices with no security, there are those put in by a network operator, some with secure elements and some without," Sloane said. "But in a trusted execution environment, every combination represents a different level of trust in that handset."