It’s 2022 And The Check Is Still ‘in The Post.’ Seriously… We Need To Upgrade How Our Applications Communicate

Responses from applications should be digitally signed. If this were to happen, we could revolutionise payments.

I flew internationally the other week. At the border, the guard asked to see my passport. I wanted to say:

“You don’t need to see my passport. I can assure you I’m English.”

It might have worked! I can be pretty socially awkward, so most people realise I’m a Brit within a few seconds of meeting me. But killjoy border guards always want to see the passport for some reason.

You might have experienced something similar the last time you applied for a job. Did the new employer ask to see proof of your qualifications? Why wouldn’t they just take your word for it?

At least you and I had documents we could hand over to prove that we were telling the truth. All things considered, it’s not too much of a hardship to hand over a ‘certificate’ of some sort in these situations.

Indeed, the real problem is all those situations where you need to prove something, but you don’t have a ‘certificate’ to prove it.

For example, I once bought a used car from somebody who advertised in the local newspaper. I made the payment with my mobile banking app and showed the confirmation screen to the seller. But the seller didn’t hand over the keys at that point. They first checked on their own banking app that the money had arrived.

They were wise to do this. I could have been showing him anything! It’s still pretty hard to fake things in the real world – like passports – but it’s trivial to make your smartphone display anything you like on its screen. So the seller took out his own phone to check his own bank account.

Provable payments should be table stakes in 2022

This isn’t really an article about passports and used cars. It’s about modern business, and the problems that still exist when transacting online. Specifically, I want to talk about how it’s 2022 and there is still literally nothing I can show somebody online to prove that I’ve made a payment.

Sure… I can tell a supplier that the metaphorical digital cheque is ‘in the post’. But I can’t prove it. This may seem trivial, but really it’s not. Businesses spend so much money dealing with this problem. Companies usually have an entire department to check that inbound payments that should have been received really did arrive.

And this is only the visible cost. The invisible cost is the opportunities that go un-seized because the lack of a proper ‘trust’ infrastructure makes them impossible. Ultimately, any time I need to know if somebody else has done something electronic, I have to verify for myself because there’s always that small chance that they could be lying when they tell me they’ve done it, and any information they send to me could have been faked.

If only there was some sort of digital technique for proving that some information genuinely came from a particular source, and that it hadn’t been tampered with!

Happily, and of course, such a thing does exist. Indeed, some forms of this technique are called… digital certificates!

But… they’re never there when you need them! In particular, there’s a place where their use could be massively valuable, and yet they are entirely absent. This place is when computers communicate with each other.

Any time two computers need to communicate they have the same problem you do when you pick up the phone to talk to your bank: how do you know it really is your bank? And how does your bank know it really is you?

This is the problem of authentication.

So whenever two computers want to talk to each other for some purpose – a session – they authenticate each other, so that each of them knows that the information they’ll receive from the other really did come from where they think it did.

But, just as when humans are involved, the provenance and authenticity of this information can’t be passed on to anybody else. The magic of that ‘authenticated session’ vanishes the second you try to do anything with this information. Think back to when I bought my car. My bank had authenticated me, and I knew I was connected to my bank through its app – we had authenticated each other. But the car seller wasn’t part of that little clique… as far as he was concerned, I could have been using an entirely fake app.

Retaining authenticity across time and space

The key to solving this dilemma is to make it possible for the information you receive from another computer to retain its authenticity across time and space: we need it to be verifiable not just now but in the future.

Going back again to the car dealer, if I’d shown him a letter from my bank confirming the money had been transferred, he’d have trusted that, right? I think he probably would.

The online equivalent to this is digital certificates and signatures. In short, we need to start insisting that responses from computers over a network be signed.

Why do I say this?

Well, imagine if a company making a payment to a supplier received a digitally signed confirmation from its bank when the money had been moved. They could electronically send this signed confirmation to the supplier, whose accounting system could automatically update to reflect that the ‘account receivable’ had been settled.

No more need to go check and ‘reconcile’. No more lies about the check being in the post. All that mess eliminated thanks to a simple, signed, digital message from the bank.
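
The flow described above, as an added sketch (not code from the article or from any bank's API): the bank signs a confirmation, the payer forwards it, and the supplier verifies it offline against a bank public key it obtained independently. The `Confirmation` fields, the function names, the sample values and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Confirmation is a hypothetical message format, not a real banking standard.
type Confirmation struct {
	PaymentID, Payee, InvoiceRef string
	AmountPence                  int64
}

type Signed struct{ Body, Sig []byte } // Body is the exact bytes the bank signed

// BankSign is the bank's side: serialise once and sign those bytes.
func BankSign(priv ed25519.PrivateKey, c Confirmation) Signed {
	body, _ := json.Marshal(c) // cannot fail for this struct
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// SupplierVerify: bankPub must come from the bank itself, never from the payer.
func SupplierVerify(bankPub ed25519.PublicKey, s Signed, want Confirmation, used map[string]bool) error {
	if !ed25519.Verify(bankPub, s.Body, s.Sig) {
		return errors.New("bad signature: not from the bank, or altered")
	}
	var got Confirmation
	if err := json.Unmarshal(s.Body, &got); err != nil {
		return err
	}
	if got.Payee != want.Payee || got.InvoiceRef != want.InvoiceRef || got.AmountPence != want.AmountPence {
		return errors.New("valid signature, but for a different payment")
	}
	if used[got.PaymentID] {
		return errors.New("confirmation already applied to an invoice")
	}
	used[got.PaymentID] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key; nil selects crypto/rand
	c := Confirmation{PaymentID: "P-1001", Payee: "Supplier Ltd", InvoiceRef: "INV-42", AmountPence: 450000}
	s, used := BankSign(priv, c), map[string]bool{}
	fmt.Println(SupplierVerify(pub, s, c, used), SupplierVerify(pub, s, c, used)) // accepted, then replay rejected
}
```

The signature only proves the bank issued these bytes; the supplier still has to check that the payee, invoice and amount are the ones it expects and that the same confirmation is not presented twice.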

Trusting your counterparty as much as an intermediary

This could get very big, very quickly. Think about the high-value transactions that banks enter into every day, where they buy one asset in exchange for another. Perhaps they buy shares in exchange for cash. Or they swap one currency for another. These types of transactions – “Delivery versus Payment” or “Payment versus Payment” – can be extremely tricky because nobody wants to be left looking stupid if they give away the asset they’re selling but the other side doesn’t follow through with their side of the deal.

The traditional solution to this is to enlist the services of a trusted intermediary, which temporarily takes ownership of both assets, and then sends them back out again. You’re betting that the intermediary is more trustworthy than your counterpart. In sophisticated institutional settings, this service is often offered by heavily regulated ‘central counterparties’ who are needed for many other services too. But even their lives could be made easier with this seemingly small upgrade to how we build computer interfaces.

Interestingly, regulators and central banks around the world are seeking opportunities to modernise or improve these processes (e.g. Project Meridian being driven by the Bank for International Settlements from its London Innovation Hub). So it feels like the time is right for a proper study of this concept.

It would be ironic – but also insanely amazing – if the key to reducing a huge amount of cost and error in today’s commercial landscape is to start equipping communication interfaces with the modern equivalent of a signed paper certificate!

Source: https://www.forbes.com/sites/richardgendalbrown/2022/04/07/its-2022-and-the-check-is-still-in-the-post-seriously-we-need-to-upgrade-how-our-applications-communicate/