No one remembers the IT department until it crashes… and crashes. The collapse of Redsys (Saturday the 18th and Thursday the 23rd) has revealed that the payment system in Spain has a weak point: the switch. It is nothing other than the process of authorization, exchange and settlement of operations with payment service providers such as debit cards, credit cards, virtual POS terminals, dataphones, ATMs and also supports systems such as Bizum, as has been seen. It is something like a two-way digital lock, which identifies the payer and collector when purchasing a good or service so that this transaction can then be compensated between the banks of both parties.
It always works and opens – with 99.9% availability – but this week it was not like that and a good one was created. It is estimated that several million users have been affected by the incidence of these days of record commercial activity, which, like Black Friday, saw 61 million successful operations recorded in one day or 2.5 million per hour. According to data from Redsys, the failure could have affected up to 2.5% of operations on Saturday the 18th and 1.7% on Thursday the 23rd. They have been days of tragicomic moments between buyers and sellers. The customer eager to defend the honor of their payment method and solvency; The merchant anxious about not letting a sale or service slip away without paying. Amazon, Aliexpress and all ecommerce have generated enormous contact notices with your bank.
Has it been that serious, doctor? So much so as to inconvenience the Government, the Bank of Spain (aka, the regulator), the banking G-3 (Santander, BBVA, Caixabank and Sabadell), the competition authority (CNMC) and millions of customers alike. With such pressure on the Redsys team, the ‘fintech’ has given a brief explanation: “The root cause of the problem has been identified, together with the manufacturer involved.” Once the cyberattack hypothesis has been ruled out by both the regulator and the company itself, the resolution of the serious incident does not hide the issue of the excess concentration that Redsys represents for the financial system in Spain, a fact that invites reflection and review of the risk.
Between them, for the sake of efficiency, cost savings or cyber resilience, more than 90% of the aforementioned ‘switching’ or payment processing in Spain falls on the shoulders of a single system after successive absorptions and mergers during the last decade such as Redy, Euro6000, 4B, Sermepa, Servired… Banco Santander, Caixabank and BBVA, which controlled 24.9% of the capital of Redsys at the end of 2022, although the rest of the entities are shareholders to a greater or lesser extent. This large fintech SME has about 600 employees, its turnover is around 150 million euros and it earns just 4 million. Its rates are the cheapest by far, hence its massive implementation in both ATMs and physical and virtual POS terminals.
De facto, there is no alternative. The CNMC, the authority on the matter, approved the first major merger of 2011 (Redsys and Redy) despite admitting that a dominant operator was created “leaving the CECA and, in the best of cases, the commercial processors as competitors, barely significant.” In 2018, he also gave birth to the union of the payment method systems Servired, 4B and Euro 6000, although he considered it “necessary to assess the effects” on the card processors Redsys and Cecabank since both had the same owners. For this reason, it was warned that banks “would have no incentive” to issue payment instruments that competed with their own and alternative applications from international companies would be discriminated against in domestic operations.
Beyond the discovery of the bottleneck that a single centralized technological system can generate in commerce in Spain, the surprise has come from the reactions to the crisis. Redsys describes itself and defines itself (2022 report) as an internal supplier to banks to justify that it does not have a customer service channel to resolve problems that its services may generate: “The consumer is understood as a user, not as a client. , since financial institutions are Redsys’ clients.” Many banks simply issued automatic error messages, please come back another time, or imitated the chirping of a cricket.
The other finding of the Redsys crisis is that one of the critical and vital parts of the infrastructure of the financial sector – remember, the majority in the domestic processing of card payments – does not have greater weight and presence of the Bank of Spain, As is the case with Iberpay, a platform with a different focus because it is specialized in transfers, settlement between entities and interoperability with the SEPA system and international operators. At the threshold of the design of the digital euro and CBDCs (cryptocurrencies backed by central banks), the redefinition of contingency and cybersecurity plans must be a priority task. Nearly 8 billion annual POS operations (230 billion euros) and about 900 million ATM transactions (120 billion euros) depend on it. What cannot be is that an entire economy is turned off for minutes or hours from a single switch.
THE NAIS IS OFFICIAL EDITOR ON NAIS NEWS