Outgoing Square CEO Alyssa Henry
While the Reserve Bank contemplates forcing payments disruptor Square to report quarterly data on systems outages in line with domestic banks and other merchant acquirers, leading payments experts say they are mystified why it took the company’s protracted global service meltdown earlier this month for the regulator to act.
Square’s global payments platform suffered a material failure on Friday 8 September (Australian time) that took at least four days to fix.
Merchants subscribed to the service were unable to transact on the platform for most of the day and many tens of thousands in Australia were unable to view account details such as balances and transaction records until 12 September.
With class actions forming in different jurisdictions, the outage was an unmitigated calamity that yesterday forced the resignation of Square’s California-based chief executive, Alyssa Henry.
However, the RBA’s push to get Square to report outage data through its official disclosure process could almost be considered a red herring given that past problems with the company’s systems are already disclosed and known to merchants and other stakeholders in the Australian and international payments industries.
Since Square’s Australian launch in March 2016, merchants have been notified of outages and other service incidents impacting the processing of payments on its platform.
Square self-discloses outage information as it occurs on its website at the following link: https://au.issquareup.com/history
The information is comprehensive and probably represents industry best practice in Australia given that Square archives each incident report for customers to view at any time.
Australian banks have equivalent pages on their websites but remove each incident report as soon as an outage has been resolved.
Square’s self-disclosure also goes well beyond the parameters of the RBA’s reporting requirements for local bank acquirers.
In the last 18 months, Banking Day has highlighted significant shortcomings in the RBA’s disclosure criteria, which require domestic banks to only report service outages that affect ten per cent of their national customer base for 30 minutes or more.
The RBA dataset is prone to never recording protracted service outages in rural and regional parts of the country, as was evidenced in the March quarter last year when three of the major banks reported material improvements in their outage performance even though they could not deliver digital banking for several weeks to flood-affected parts of NSW and Qld.
Under the RBA’s benchmarks, outages that don’t affect ten per cent of a bank’s customer base are not reportable.
The RBA should not be too concerned about precisely when Square is made to report outage data under the regulator’s deficient reporting model.
Instead, it should consult the company’s publicly accessible website to study the extent to which Square’s service availability has deteriorated this year.
According to Square Australia’s published data, the number of incidents affecting the firm’s services has more than doubled this year.
In the nine months to the end of September 2022, Square reported only 69 service incidents, but this blew out to 175 cases for the period from January to September 17 this year.
An issue of greater concern is that the severity and duration of service outages at Square has also ballooned in 2023.
The platform has seized more often this year following an increase in the frequency of what the company describes as “disruptions to multiple services” lasting many hours.
A precursor to the mega-meltdown earlier this month occurred on 18 June when multiple services failed for more than six hours.
That incident also prevented merchants from viewing balances in their accounts – a problem that was not resolved until two days later.
Anyone monitoring Square’s incident archive in the last 12 months would have detected that operational risks have been progressively building across its systems.
The regulator should have noticed the warning signs by the end of March when the number of service incidents at Square tallied a monthly record of 29 cases (compared to 10 incidents in March 2022).
Square’s commercial success in Australia is well documented.
Along with another US-based start-up Stripe, it has eroded the historical dominance of the four major banks in the local merchant acquiring market.
The growth of these payments fintechs in Australia has been so significant that their combined market share is estimated to account for around a quarter of the acquiring market.
Leading payments experts are now asking why has the RBA waited so long to regulate a cohort that is - by the numbers - systemically important?
“I think the Reserve Bank has misunderstood fintechs,” said Melbourne-based payments consultant, Grant Halverson.
“Fintechs, according to my estimation, account for 28 per cent of the merchant acquiring market in Australia and to have them unregulated is inexcusable.
“There is also an inherent design flaw in their cloud-based systems and extensive use of APIs.
“These design flaws have added to operational risk of the payments system.
“So, where is the regulator?”