The impact of PSD2 on payment transactions

| 07-10-2019 | TIS |

This September the new EU directive PSD2 (Payment Services Directive 2) came into force. It is an extension of the Payment Services Directive, which was intended to harmonize the rules for payment products and services. Although this amendment affects every consumer who uses online payment services, and although sufficient notice has been given in advance of the amendment, few people know what the new EU Directive is all about. For this reason, it is not uncommon for bank customers to be confronted with an account blockage after the changeover, when logging into their online bank account, which causes a lot of confusion between banks and customers. As a result, several questions arise:

  • What has changed for the customer as a result of the changeover?
  • Can the new regulation keep the promised security standards?
  • To what extent are companies – especially Treasury – affected?

What is PSD2?

PSD2 is intended to regulate payment services and payment service providers in the European Economic Area (EEA) and throughout the European Union (EU). It aims to make cashless payments more secure, customer data better protected and data transmission over the Internet more reliable. In addition to the changes for customers, who are to experience more security through increased authentication, there are also significant changes for banks. From now on, banks will be obliged to provide third party service providers with access to customers’ account information via a standardised interface (PSD2 API) if the customer gives consent. For banks, this means that they must surrender a large part of their power of disposal. For customers, this means that they can now make all their payment transactions without having to log into their online bank account. This is convincing for customers, because specialised fintechs are ahead of banks and offer solutions that allow all financial transactions – even across different bank accounts – to be carried out with only one application. This is nothing new in the world of B2B, where corporates have used payment solutions with the exact same purpose for years now.

Is PSD2 safe?

A change in the conditions of payment transactions often raises the question of whether it can actually meet the promised security standards, especially in this case, where customer information is passed on to a third-party service provider. If security gaps arise, there is a higher risk of becoming a target for cybercrime, which automatically puts bank customers’ confidential account information at risk. The European Banking Supervision and BaFin are taking this very seriously. To make it easier for customers to choose the right third-party service provider, they provide a directory of reliable, registered and licensed third-party service providers.

PSD2 for Treasury?

Consumers demand real-time, round-the-clock payment services and this demand is growing. This brings changes in payment transactions that have an impact on businesses, especially on corporate treasury, which looks after cash flow. Up-to-date account information becomes more crucial for a treasurer. The new PSD2 API interfaces could help, since they enable more direct communication with the bank and access to real-time account information.

About TIS
TIS (Treasury Intelligence Solutions GmbH) is the leading cloud platform for managing corporate payments, liquidity and bank relationships worldwide. The company delivers SMART PAYMENTS to help customers make BETTER DECISIONS.

TIS enables companies to make more efficient, more secure and more cost-effective payment transactions. In addition, TIS enables customers to make better decisions when analysing financial and operational performance based on real-time payment flows. All mission-critical processes related to payment transactions are integrated into a multibank-capable, audit-proof cloud platform. This is a single point of contact for enterprise customers when managing and analysing their payment flows across the organisation. TIS takes care of managing various payment formats, communication channels with banks, and ERP-agnostic integration. Offered as Software as a Service (SaaS), the ISO certified TIS solutions are quickly up and running without the complexity and cost of a long IT project.

Enigma guides MoneyMonk in obtaining PSD2 licence

| 20-8-2019 | treasuryXL | Enigma Consulting

Accounting software provider MoneyMonk received a PSD2 licence from the supervisor De Nederlandsche Bank (DNB) on 26 July. After Cobase (ING) and Peaks (Rabobank), MoneyMonk is the first Dutch organisation not affiliated with a major bank to obtain a licence as an account information service provider. Enigma Consulting guided MoneyMonk through the licence application process.

The Utrecht-based FinTech and scale-up MoneyMonk, founded by brothers Jasper and Jorgen Horstink, develops online business administration software for entrepreneurs. With its product ‘MoneyMonk – online boekhouden’, the company has focused since its founding in 2013 on the bookkeeping of self-employed service providers (ZZP’ers).

Jasper Horstink (CEO) of MoneyMonk: “We are extremely pleased to be the first accounting program in the Netherlands to have been granted the licence by DNB. The licence enables us to help our customers even better. They get a more up-to-date picture of their financial situation and can save even more time on their administration. Applying for a PSD2 licence from DNB is no easy task. The advisers of Enigma Consulting, with lead consultant Geert Blom, guided us throughout the entire process, on legal, organisational and procedural matters alike. Working with a consultancy that has extensive experience in all these aspects of the application suited us very well.”

Paul Jans, managing director of Enigma Consulting: “The payments revolution will fully mature in the second half of this year, with PSD2 in September and the further development of Instant Payments in the coming months. We are currently guiding some fifteen organisations through their licence applications. I congratulate the gentlemen of Moneymonk on being the first accounting software to receive the licence, thanks to their enthusiasm and decisiveness.”

PSD 2 Summer 2018 Update

| 30-08-2018 | François de Witte | TreasuryXL |

In June 2018, I published a Spring Update on PSD2 (Payment Service Directive 2). Since then, things have moved, and hence I found it the right moment to update you on some developments in PSD2 and open banking.

Main updates on the regulatory framework

Several member states have experienced in the transposition of PSD2 in the national law. The status (28/8/2018) is as follows:

  • Full transposition measures communicated: Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Slovakia, Slovenia, Sweden, United Kingdom, Belgium, Luxembourg, Poland
  • Partial transposition measures communicated: Lithuania, Malta, Romania, Latvia
  • No transposition measures communicated: Croatia, Netherlands, Portugal, Spain

Source: https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en, as updated with information that I gathered.

The RTS (Regulatory Technical Standards) on SCA (strong customer authentication) and CSC (Common Secure open Standards of communication) will apply as from September 13, 2019, leaving 18 months to the payment industry to get ready for this new state of play. In the meantime, on 13/6/2018, the EBA (European Banking Authority) published its Opinion on the implementation of the RTS on SCA and CSC, as well as a Consultation Paper on Draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC).

The Contingency Measures impose that the ASPSP (Account Servicing Payment Service Provider) must provide a fall back mechanism, i.e. measures that should be taken to restore access to the customer payment account, in case that the API happens to be unavailable. Exemptions can be granted if all the following conditions are met:

  • The API meets the quality requirements defined in the RTS
  • The API has been successfully tested by the market
  • The API has been approved by the competent authority (in Belgium the NBB and in the Netherlands the DNB), which itself should have consulted the EBA, to ensure a consistency of quality criteria for APIs

This is a hot topic, as the cost of a fall back mechanism is quite high, and we expect that ASPSPs will ask for exemptions.

Main challenges

Up to now, some banks have published their APIs (Application Programming Interfaces). We observe that banks remain slow in opening their APIs to TPPs (Third Party Providers), and this for various reasons, e.g. APIs are not yet ready technically, a chicken-and-egg situation with other banks, etc. As a result, some API aggregators use screen scraping or reverse engineering to provide TPPs (including banks) with access to the accounts held at the ASPSPs.

Furthermore, the standards are not yet harmonized throughout Europe. A few working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET.

Although the adoption of the RTS has provided a degree of market certainty, some articles are still open to interpretation.

The permissible methods of strong customer authentication remain unclear. One-time passcodes sent via SMS are not explicitly allowed or disallowed by the RTS. There is also debate about the dual factor requirement for such an authentication method. This is particularly the case if the mobile device to which the passcode is sent is already serving as an authentication factor. Would the consumer be required to have an additional device?

It also remains unclear if the exemptions for PISPs on low-value credit transfers (30 EUR and 100 EUR accumulated, up to five transactions) and contactless payments (50 EUR, 150 EUR accumulated, up to five transactions) must be counted together or separately per channel.

National competent authorities will have to balance the convenience, familiarity and inclusiveness of the method against its known vulnerabilities to certain types of attack.

There are also uncertainties on how what the EBA calls TRA (Transaction Risk Analysis) will work in practice. This risk-based approach gives exemptions to strong customer authentication for low-risk transactions, if the Payment Service Provider operates within certain thresholds as to fraud by value bands.

Main opportunities

We increasingly see new business opportunities popping up. PSD2 allows the existing banks to source valuable partnerships pursuing multiple potential objectives. During my contacts in the market, I identified the following interesting use cases.

  1. Use cases to improve the consumer banking experience and increase customer control:
     • Offer new payment solutions based on smartphones and apps
     • Facilitate reloading of prepaid cards
  2. Increase customer attraction and retention:
     • Offer loyalty cards and potential gains based on actual spending
     • Offer tools for expense and budget control
  3. Retain clients with multiple banking relations:
     • Permit access to all banks’ information through a single user interface
     • Allow clients to deposit cash through TPP’s network
  4. Provide a complete asset overview:
     • Provide integrated view beyond PSD2
     • Give overview of all assets (real estate, crypto, cars…)
  5. Optimize internal processes:
     • Automate and enhance credit scoring based on data integration
     • Monitoring of loans – Early Warning signals in case of credit deterioration

Conclusion

The banks are slow in opening their APIs, and open banking is not taking off as quickly as expected. Market players also need to agree on common standards for the interfaces. However, the deadline of 14/9/2019 is approaching and there is no way back.

Open banking is a new way of approaching the delivery of financial services for customers, and as such, it requires a new way of thinking and new ways of working. However, I see many new opportunities and use cases.

For your information, there will be on 20/9/2018 in Brussels an interesting conference on “Recent Trends in Payments” organized by IFE. The conference will be chaired by Joan Carette, Partner at Osborne Clarke, with several prime speakers including Begoña Blanco Sánchez, Gert Heynderickx, Cédric Nève, Sébastien De Brouwer and myself. For more information, please go to www.ifebenelux.be/nl/opleiding/actualiteit/services-de-paiement-etat-des-lieux-et-nouvelles-tendances-betalingsdiensten-stand-van-zaken-en-nieuwe-trends.html.

I will also give a one-day training on the subject at Febelfin Academy on 21/11/2018. For more information, please go to: www.febelfin-academy.be/nl/opleidingen/detail/psd2-and-the-open-banking-architecture-addressing-.

 

François de Witte

Founder & Senior Consultant at FDW Consult

 

 

PSD2 – new opportunities but an issue of trust

| 07-11-2017 | Lionel Pavey |

PSD2 (Payment Services Directive) is an extension of the existing PSD within the EU. The objective is to increase competition in the payments industry, whilst increasing access from non-bank firms. This should lead to standard payment formats, infrastructure and technical standards – at first glance an improvement for consumers. However, there appears to be a particular threat to privacy and the threat of third parties gaining excessive access to personal data.

What are the objectives of PSD2?

  • Standardising, integrating and improving payment efficiency across EU states
  • Harmonise pricing and improve security of payment processing across the EU
  • Providing better consumer protection
  • Encouraging innovation and reducing costs
  • Create a level playing field and enable new entrant payment service providers
  • Incorporate emerging payment methods such as mobile payments
  • Bring new and emerging payment services under regulatory control

For the fintech industry this is a welcome development – they are focused on providing alternative platforms for standard bank products.

What changes will take place because of PSD2?

  • Third party Access to Accounts (XS2A) – E-commerce companies can take online or mobile payment directly from a consumer’s bank account without going directly through PCI intermediaries (Payment Card Industry); this process will be known as Trusted Third Party (TTP) Account Access.
  • The ability of APIs to take payment – An Application Programming Interface (API) enables payment by directly connecting the merchant and the bank
  • The ability to consolidate account information in a single portal – An API enables a new type of financial services company – an Account Information Service Provider or AISP – which aggregates account information to let consumers with multiple banks view all bank details in one portal

A Dutch television programme that informs on consumer issues (AVRO/TROS RADAR) recently broadcast a report on the potential dangers of PSD2 with regard to personal privacy. Once granted access, TTPs are able to access your bank account and retrieve all the data from the last 90 days. This will enable them to provide consumers with a better overview of products and services. However, it also means that they gain a valuable insight into how much you earn, how you spend your money and which companies you transact with. In theory they could offer you alternatives which are cheaper and more tailored to your individual requirements.

But to be able to do all this, they will also need access to your verification methods – in other words they will need to know your PIN numbers. We have always been told, especially by the banks, that this information is strictly confidential and should never be given out. There is also the possibility that they could offer you a special discount that can only be obtained if you give away your personal access codes.

This opens up the payments market to potential fraud – how do we know our personal data will be protected; how will the companies guarantee that the data is only used for a specific product or service; who can ensure that our data is not sold to data mining companies; how can we be sure that our personal data is erased if we decide to opt out in the future?

Commercial banks are subject to numerous directives to ensure they conform to all legislation regarding banking and data protection. How can we get the same guarantee from a fintech solutions provider who might be tempted to increase its revenue by selling data?

However advanced our technology becomes, finance is an industry that has always relied on trust. Banks can only thrive if customers trust them with their money. We assume that if we deposit money into a bank, the bank acknowledges our position as a debtor and will repay us when we demand it. We expect them to exercise a duty of confidentiality and not disclose information about us. When that trust is broken, confidence in the bank is lost and this can quickly escalate to a run on the bank as mistrust leads to customers wanting their money back.

Do we feel the same level of trust for non-bank parties who gain access to our bank data?

 

Lionel Pavey

Cash Management and Treasury Specialist

 

Treasury and regulations: A changing environment

| 15-2-2017 | Theo Paardekoper |

Companies need to comply with the regulatory framework in their industry. For the treasury department, a regulatory framework is applicable which is basically linked to the financial industry and not to the industry of the company. Because regulations in the financial industry are changing, it is important for the treasurer to stay up to date.

Regulations

Important regulations and rulings for treasurers are EMIR, MIFID and MIFID II/MIFIR.

Other regulations that are applicable for the financial industry, like UCITS and AIFM (regulations for investment funds) and CRD rules (capital requirement directive as a result of BASEL III), do not affect the corporate treasury directly, but the side effects of these rules can influence pricing and product offering by financial institutions.

Anti-Money Laundering regulations (MOT-melding in The Netherlands) are not only applicable for banks. Corporates are also required to register these transactions at the Finance Intelligence Unit of the Dutch Tax authorities.
The regulations mentioned above are all linked to the European regulatory framework and are valid in addition to local laws, like the WfT (Wet Financieel Toezicht) in the Netherlands.

EMIR (= European Market Infrastructure Regulation)

This regulation has been valid since August 2012 and was initiated after the Lehman Brothers bankruptcy in 2008. The main goal of EMIR is to improve transparency of the OTC market to create a clear overview of all the derivative positions. This was one of the main problems that became clear after the Lehman bankruptcy: it was impossible to get a view on the derivative positions and risk of a counterparty. EMIR also introduced a solid clearing member (named CCP) and Trade Repository members to register your OTC derivatives. To register your positions, a LEI (Legal Entity Identifier) can be obtained at the Chamber of Commerce.
EMIR is not (yet) applicable for small pension funds.

MIFID (= Markets In Financial Instruments Derivatives)

The main objective of MIFID is to increase competition in the investment industry and to protect consumers. The well-known 40/20/2 rule to define a professional or non-professional counterparty is one of the items to protect consumers and force financial institutions into a duty of care. One of the results is a direct view on the Mark-to-Market pricing of the company’s derivatives and monitoring of margin call obligations.
The classification based on knowledge is also an important item and can be part of the discussion during a lawsuit.
MIFID increased the number of trades in the OTC market, which caused a more fragmented view on market pricing. Financial institutions are forced to provide the 5 best quotes in the market to their clients.

MIFID II

In January 2018 this new set of regulations becomes applicable. MIFID II makes the MIFID regulations also applicable for commodity and CO2-rights traders. Market data suppliers must also be registered to comply with MIFID II. Structured deposits (where the return is not interest based but linked to another ratio like EUR/USD or the oil price) will also fall under the scope of MIFID. The change of classifications under MIFID II classifies local governmental entities as non-professionals. Health institutions, governmental education and housing associations are not clearly excluded as non-professional.

 

MIFID II will mainly “change the game” for manufacturers and distributors of financial services, but these regulations will give corporates more tools in case of a conflict about a trade. The negative side effect of new regulations is that pricing in the market will increase because of reduced competition as a result of higher entry barriers in the market.

Any action required for a corporate treasurer?

It is up to your bank to comply with MIFID II. So I would say “no”. The bank will inform you with new legal documentation and product information in the near future.

Theo Paardekoper 

Independent treasury specialist

 

 

 

 

 
