Tag Archive for: PSD2

PSD2 – has it hit the ground running?

| 18-01-2018 | treasuryXL |

On the 13th January 2018, PSD2 came into force. In previous articles we have discussed the meaning of this legislation. To recap – it is a directive to regulate the payment market and payment service providers, whilst also opening the market to non-banks. This should lead to a uniformity in products, technical standards and infrastructure. PSD2 will allow customers of banks to voluntarily use third party providers to process and initiate their financial transactions.

In the UK the process has gone even further – Open Banking has been enacted. Fintech companies are now in the position of taking over the ownership of the customer relationship that banks now have – assuming this is what the customer wants. The traditional relationship between a bank and a customer is now under threat. Banks, which have traditionally applied a one shop for all your financial transactions approach, will possibly have to change and look more like an App store from which customers can choose the services that they want.

To effectively compete in this new market will mean focus on data mining and achieving an economy of scale. It is not inconceivable that tech giants such as Google, Facebook or Amazon could start offering financial services on the back of their sizeable databases. Whereas banks have invested heavily over the years in their payment processes, new technology means that the costs are far lower for a new entrant.

But will PSD2 truly open the European market for financial services? Research indicates that we very seldom interact beyond our own national borders. The cost of banking, credit cards, mortgages, car insurance etc. differ greatly within the EU. A survey that was commissioned by the European Commission concluded that 80% of Europeans would not consider purchasing a financial product from another EU member state. Any dreams of one Europe are rudely interrupted by such research and public opinion. This is not to say that public opinion could not change – rather that the current market is not very elastic.

So PSD2 is up and running – how about the banks? PwC published a report in December 2017 after conducting interviews with senior executives in European banks. Just 9% reported they were ready, despite 66% saying it would affect their operations. Furthermore, a report was published today by the Dutch Data Protection Regulator stating that the legislation does not take privacy requirements sufficiently into account. This despite the legislation being passed more than 2 years ago.

Eventually banks that are early to design their products specifically for this legislation and bring them to market could establish a clear lead on their opposition. Also, if the public reluctance to transact cross-border was to diminish, it is possible that – in the future – we could be purchasing our mortgages in Finland, our credit cards in the UK and our car insurance in Hungary!!

If you want more information please feel free to contact us via email [email protected]

Update Fintech Belgium Summit 2017

| 29-12-2017 | François de Witte |

On 14/12/2017, Fintech Belgium organized the 2nd Fintech Belgium Summit, a one-day conference to discover the deep innovation, technological and societal impact FinTechs have on our world.  There were over 500 participants, and this was a good opportunity to meet all the stakeholders in the Belgian Fintech ecosystem.

Main messages gathered from the workshops

The first stream focused on the regulatory side. PSD2 and GDPR will have a high impact on the market in 2018. There has been a request to better harmonize the legislation in these areas. Even in the PSD2 domain, the latest version of the RTS on SCA and Secure Communication still contains some blind spots. Another recommendation is that the authorities set up a competence center to assist the FinTechs in navigating the myriad rules of the regulatory framework.

The 2nd stream has been focusing on the innovation impact: How has the financial industry reacted to innovation? Make, Buy, Join or Break…. One of the main issues encountered by the banks is that the profiles of their people are not adapted to the innovation, and hence large HR and educational efforts will be required. Banks will have to adopt flat and member centric organizations to become more agile and data driven.

The testimony of Resolut clearly demonstrated the power of new entrants in the arena, enabling companies to drastically reduce the cost to access banks. However, some banks are also starting interesting initiatives in this area, with front runners such as BBVA, Nordea, Deutsche Bank, Hello Bank, ING (ylot) and Fidor.

In the afternoon, there was an interesting workshop on open banking with BNP Paribas Fortis, Baker McKenzie and Ibanity focusing on the new ecosystem, where some banks will position themselves as API producers, focusing on their unique value propositions, whilst some others will position themselves as API consumers, offering aggregated services and acting as “matchmakers”. Marc Lainez, CEO of Ibanity, mentioned that FinTechs are not a threat to banks. The real competition for the banks are the GAFA. Hence banks and FinTechs need to work hand in hand to develop new solutions.

The conference finished with a stream dedicated to the technological impact. Blockchain and cryptocurrencies were high on the agenda. There was a clear consensus that Blockchain technology will be leading, also for Regulators. A lot of use cases were mentioned, e.g. in the area of trade finance and the document handling. Regulation will be key to further increase the adoption of this new technology. On the ICO (Initial Coin Offering) the opinions were more mixed, as there are quite some challenges to overcome, such as the setup of supervisory controlling institutions and the volatility of the cryptocurrencies.

Conclusion

This conference was a good forum to get an insight into the Belgian FinTech market. I saw a lot of interesting initiatives, and am a strong believer in the increased cooperation between banks and FinTechs, the so-called Fin-Integration. 2018 will be challenging for all of them.

François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group

 


2018 new regulations – collaboration between corporate treasury and internal departments

| 27-12-2017 | treasuryXL |

Collaboration

2018 is looking to be one of the busiest years for new regulations. Among the new regulations will be MIFID II – which will have an effect on many different aspects of trading; PSD2 – which will allow agreed third parties to access your bank accounts; GDPR – which defines our rights to have our personal data deleted and how personal data is stored; BEPS – which aims to reduce the movement of profits to more tax efficient locations and will affect internal reporting; IFRS9 – which brings new rules for hedge accounting. All these new regulations will require collaboration between many departments – not just treasury.

Information and Knowledge

To be able to work together, and improve existing efforts at collaboration, there must be a free flow of information and knowledge to all stakeholders. This will entail storing all relevant data in a centralized point with access for all stakeholders, whilst meeting the security requirements as to who can view, edit and contribute the information. By sharing the information, a mutual respect of the needs for each department can be better appreciated and existing inter-departmental walls can be torn down.

Define tasks and workflow

In any project environment managing the workflow and monitoring all the requests can be labour intensive and time consuming. Requests need to be managed with a clear structure and be transparent to all participants. Tasks need to be assigned and workflow needs to be consistent allowing everyone to see the status of all work activities. This should increase efficiency with the group and allow for a good quality control, ensuring that all work complies to the regulations.

Risk awareness

Whilst one department might own the project, assessing potential risks should be actively promoted within all departments. Allowing participants to identify risks and announce these should be encouraged. Sometimes, a solution can come from another department – perhaps they had encountered a similar problem in another project. If a risk is detected, sharing it with others can lead to a quicker solution.

Feedback

By reporting constantly on the progress within the project to everyone, it allows others to follow its progress whilst also enforcing on them a need to also supply constant updates. When all information is held at one point and only distributed in a collated form once every so often, collaboration can quickly slow down as it becomes unclear to everyone what the value of their contribution is to the group. By publishing data regularly and assigning permission levels and access rights to everyone, they are also able to retrieve information when they need it – leading to a greater feeling of being a part of the project.

Recognition

Realise and acknowledge the contribution of all participants – both as departments and individuals. Try to learn from mistakes and understand that your needs as a treasury department are not always clearly understood or known within the rest of the organisation. Explain the benefits that can be achieved – less time spent on time consuming issues, clarity of data, better reporting and compliance standards, monetary savings etc.

Implementing new regulations via technology can lead to greatly increased collaboration between internal departments. This can include more intensive daily contact, better ability to identify risks, taking decisions that increase efficiencies for the company, and fostering a more open and healthy relationship with colleagues outside your own department. Successful projects can empower people to seek solutions that deliver positive change.

True collaboration will enable you to achieve results, accelerate delivery, create value and add strength. So, whilst 2018 is a challenge with all the new regulations, the potential results via collaboration can be seen.

If you are interested in learning more, please contact us via email at [email protected]

PSD2 – Fall update and new developments

| 28-11-2017 | François de Witte |

In 2018, when PSD2 comes into force, banks will lose their monopoly on payment services and customer’s account details. Bank customers will be able to use third-party providers (TPP) to administer their payments. When a customer agrees on using the services of a TPP, then their bank has to give access to TPPs to their accounts. TPPs are then able to build and offer services that compete with the existing bank services. During the summer 2017, I published a Summer Update on PSD2. Since then, a lot of things have moved, and hence I found it the right moment to provide an update to you on some developments on PSD2, in this area.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

  • 2FA: Two-factor authentication
  • API: Application Programming Interface
  • EBA: European Banking Authority
  • PSP: Payment Service Provider
  • PSU: Payment Service User
  • RTS: Regulatory Technical Standards (final draft issued by the EBA on 23/2/2017)
  • SCA: Strong Customer Authentication
  • TPP: Third Party Provider
  • OTP: One-time password

Main updates on the regulatory framework

Some member states have already advised that they expect delays in the transposition of PSD2 into national law, e.g. Belgium (by March 2018), the Netherlands (by June 2018), Sweden, Poland, Spain and France.
The following countries have already announced that they will be on track: Italy, Finland, Ireland, Czech Republic, Germany and Bulgaria.
By end November the EBA should publish the revised draft on the SCA (Strong Customer Authentication) and Secure Communication. We expect that a number of points raised by the market participants will be incorporated in the text.
With regard to the access to TPPs, article 113.4 of PSD2 explicitly states that the member states shall ensure the application of the security measures within 18 months following the entry in force of the law. Hence, we might expect that this part of PSD2 needs only to be implemented by Q3 2019. However, in some countries, the authorities are pushing for an earlier implementation (e.g. in Belgium by end Q1 2018). Given the strategic importance and the IT act, I recommend starting this quite soon.

Main developments

Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.
The challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this.

A number of working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET. Experts seem to agree that the Berlin Group Standard is the most elaborate one, as it incorporates the most relevant use cases and has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs.

As Marc Lainez, CEO of Ibanity, part of Isabel Group (developing API and PSD2 solutions for the XS2A and beyond) pointed out: “We can already see a fragmentation on the market. Several groups publishing specifications that are on many points different. With the RTS still being a moving target at the moment, those specifications are also incomplete as some details still need to be clarified. Some banks also choose to implement their own specifications without following closely any of those already published. In engineering, a standard is usually something that emerges through the best practices of an industry, it is not something that can be thought of entirely before it is actually used. At Ibanity, we are convinced that fragmentation will be a reality and several formats and specifications will co-exist on the market for some time. Looking at them from a pure software engineering point of view, we can say that those that seem the closest to what TPPs are actually expecting in terms of API quality are the specifications from the Open Banking Working Group and the Berlin Group. They still need, of course, to be challenged by the market with real use cases.”

The large banks have already started working on being PSD2 compliant and on building for the opening of their banking architecture to the TPPs. However, several small or medium sized banks only started recently on this project.
PSD2 has numerous interdependencies with other regulations (such as GDPR and eIDAS Regulation), promising a complex implementation with multiple stakeholders. For many banks, compliance by 2018 will be a challenge. Moreover there is a strong technology impact, adding to the complexity of the project. The following graphs of a market survey of PWC are a good illustration of the current state of the project with the European banks:

Conclusion

PSD2 creates challenges. Several topics still need to be clarified, such as the RTS, and the market players also need to agree on common standards for the interfaces. Moreover, there are some unclarities in the text.
However, there are solutions in the market that take the hassle away from banks and TPPs. The clock is ticking in the PSD race. Consequently, there is no justifiable reason for any bank to delay starting these projects.

François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group

 


PSD2 – new opportunities but an issue of trust

| 07-11-2017 | Lionel Pavey |

PSD2 (Payment Services Directive) is an extension on the existing PSD within the EU. The objective is to increase competition in the payments industry, whilst increasing access from non-bank firms. This should lead to standard payment formats, infrastructure and technical standards – at first glance an improvement for consumers. However, there appears to be a particular threat to privacy and the threat of third parties gaining excessive access to personal data.

What are the objectives of PSD2?

  • Standardising, integrating and improving payment efficiency across EU states
  • Harmonise pricing and improve security of payment processing across the EU
  • Providing better consumer protection
  • Encouraging innovation and reducing costs
  • Create a level playing field and enable new entrant payment service providers
  • Incorporate emerging payment methods such as mobile payments
  • Bring new and emerging payment services under regulatory control

For the fintech industry this is a welcome development – they are focused on providing alternative platforms for standard bank products.

 What changes will take place because of PSD2?

  • Third party Access to Accounts (XS2A) – E-commerce companies can take online or mobile payment directly from a consumer’s bank account without going directly through PCI intermediaries (Payment Card Industry); this process will be known as Trusted Third Party (TTP) Account Access.
  • The ability of API’s to take payment – The ability of an Application Programming Interface (API) enabling payment by directly connecting the merchant and the bank
  • The ability to consolidate account information in a single portal – An API enables a new type of financial services company – an Account Information Service Provider or AISP – which aggregates account information to let consumers with multiple banks view all bank details in one portal

A Dutch television programme that informs on consumer issues (AVRO/TROS RADAR) recently broadcast a report on the potential dangers of PSD2 with regard to issues around personal privacy. By granting access to TTPs they are able to access your bank account and retrieve all the data from the last 90 days. This will enable them to provide consumers with a better overview on products and services. However, it also means that they gain a valuable insight into how much you earn, how you spend your money and which companies you transact with. In theory they could offer you alternatives which are cheaper and more tailored to your individual requirements.

But to be able to do all this, they will also need access to your verification methods – in other words they will need to know your PIN numbers. We have always been told, especially by the banks, that this information is strictly confidential and should never be given out. There is also the possibility that they could offer you a special discount that can only be obtained if you give away your personal access codes.

This opens up the payments market to potential fraud – how do we know our personal data will be protected; how will the companies guarantee that the data is only used for a specific product or service; who can ensure that our data is not sold to data mining companies; how can we be sure that our personal data is erased if we decide to opt out in the future?

Commercial banks are subject to numerous directives to ensure they conform to all legislation regarding banking and data protection. How can we get the same guarantee from a fintech solutions provider who might be tempted to increase its revenue by selling data?

However advanced our technology becomes, finance is an industry that has always relied on trust. Banks can only thrive if customers trust them with their money. We assume that if we deposit money into a bank, the bank acknowledges our position as a debtor and will repay us when we demand it. We expect them to exercise a duty of confidentiality and not disclose information about us. When that trust is broken, confidence in the bank is lost and this can quickly escalate to a run on the bank as mistrust leads to customers wanting their money back.

Do we feel the same level of trust for non-bank parties who gain access to our bank data?

 

Lionel Pavey

Cash Management and Treasury Specialist

 

Top 3 articles third quarter of 2017

| 10-10-2017 | treasuryXL |

The fourth quarter of 2017 has started, time to look back on the last three months.
Which topics are interesting and attract visitors?
These are the three most read articles of the third quarter of 2017.

 

 

1. Saving on FX deals often neglected but potentially a pot of gold

Written on 28-08-2017 by Patrick Kunz
Doing business internationally often means dealing with foreign currency (FX). This poses a risk as the exchange rate changes daily, basically every second. To mitigate this risk a company can hedge the position via FX deals (discussed in a previous article). But what are the costs of those deals to companies?


2. PSD2 – update and new developments

Written on 17-08-2017 by François de Witte
Early 2017, I published a post about PSD2, a lot of opportunities, but also big challenges. Now half a year later, I would like to update you on some developments in this area. PSD2 still needs to be transposed in the national legal system of all the member countries, and according to my knowledge several countries, including Belgium, have not yet released the draft laws. This creates quite some uncertainty in the market, as there will be several country-specific specifications. Hence one can expect that Fintech’s and other TPPs might already have started their certification application in countries that already enacted PSD2 in their local legislation.


3. Impact of Basel III on notional cash pooling

Written on 17-01-2017 by Arnoud Doornbos (A golden oldie!)
Since the start of the financial crisis a growing need for more bank independency with companies has arisen. Bank counterparty risk became an issue. A large cash management bank announced in 2015 to stop their transactional banking services for continental Europe. What will happen with current cash pools running with banks in the UK? Increased regulations (Basel III) may stop certain banking products.
All types of events where companies feel a growing need for more bank independency.


World Payments Report 2017

| 21-9-2017 | François de Witte |

Each year, during the summer, Cap Gemini publishes with BNP Paribas the World Payments Report, aiming at providing a preview of the global payments landscape. In the following I present you a short summary with what I consider the main findings. If you want to access the full report please click on this link.      

Introduction

2017 is quite an exciting year, with new regulatory initiatives having a big impact on the payments industry. In the EU, the most important one is PSD2, which opens the market to new players (third party providers), and which needs to be transposed into the national legislation of the EU member states by 13/1/2018. We also have the AML Directive, which had to be transposed into the legislation of the different member states, and the GDPR Directive which needs to be transposed by 6/5/2018. The report gives attention to these new developments, in particular the ones linked to PSD2.

Main findings

The World Payments Report reported that global non-cash transaction volumes grew 11.2% during 2014-15 to reach 433.1 billion transactions, the highest growth of the past decade, and slightly above last year’s prediction. Overall global non-cash transaction volumes are expected to continue to grow, due to the rising adoption of these payment instruments, the growing inclusion, the increasing financial literacy and the enhanced payments infrastructure, in particular in the developing markets.

Source: World Payments Report 2017, page 6

 

When looking at the breakdown of the non-cash transaction (see following chart), we see some interesting trends:

Source: World Payments Report 2017, page 11

Debit cards and credit transfers were the leading digital instruments in 2015, while the check usage continues to decline globally.
Despite the increased adoption of digital payments, cash continues to keep an important role, in particular for low value transactions. Key factors contributing to the persistency of cash include the anonymity associated with cash transactions, lack of a modern payments infrastructure, and limited or no access to the banking system in developing markets. However in some countries (e.g. Scandinavia), the usage of cash was reduced drastically.

When looking at Europe, during the coming years credit card transaction volumes are expected to be affected by the interchange fee cap in Europe and by the less proactive policy of banks in this respect.

Conclusion

The ongoing increase of the non-cash transactions and the reduction of the checks is encouraging. We move towards more efficient payment instruments. The next years will bring challenging new regulatory and industry initiatives, which will have to be implemented by the banks. This will require huge investments, and in my view, some more regulatory coordination will be needed.

François de Witte – Founder & Senior Consultant at FDW Consult


The Paypers releases the Open Banking & API Report 2017

| 18-8-2017 | treasuryXL | The Paypers |

The Paypers has released the Open Banking & API Report 2017, offering important insight into the nascent landscape of Open Banking in Europe. The rise of Open Banking gives banks the opportunity to work with innovative players and technologies in the growing fintech community. Although this can lead to a wave of innovation in the banking industry, there are still many hurdles to clear.

Open Banking & API Report 2017

The Open Banking & API Report 2017 aims to provide readers with essential information for understanding the latest developments on the topic, as well as practical examples and best practices in Open Banking. First, the report elaborates on the innovations in Open Banking and the issues that still stand in the way of universal adoption. Afterwards, we will dive into the best practices and new business models in both banking and fintech.

PSD2, and XS2A in particular, are accelerating change in payments, innovative banking applications, and respective business models by leveraging payment functionality and account information. The Open Banking ecosystem is brimming with potential, but there is still much debate on the functional scope of “access to account”, effective business- and operational models, and standardisation in terms of technology, legal, and operational matters.

The Open Banking & API Report 2017 brings together contributions from key players in the market; banks, consultants, merchants, and fintech. The most pressing issues that are being discussed in the report are:

  • Harmonization and standardization – Can collaboration in the industry lead to the adoption of a single standard?
  • Access to account – To what degree will customers and Third Party Providers (TPP) have access to the account? What are the legal issues that have to be settled between PISPs, AISPs, PSPs and ASPSPs? What are the alternative business models based upon the open interface?
  • Interaction model between bank, customer, and third party (strong customer authentication) – To what extent should banks require strong customer authentication, and where should one make the exemptions that PSD2 offers in certain well-defined cases?
  • The customer in control – Can Open Banking bring the customer to the center of the banking industry?

The Open Banking & APIs Report 2017 does not stop at explaining the Open Banking system and the regulations that will transform it. Instead, it goes one step further and proposes solutions for dealing with the new changes. Will banks partner with fintech companies? How will consumers respond to banking services through nonbanking channels and, most importantly, how will banks deal with new security threats that may come with the entrance of new players?

The Open Banking & API Report 2017 is a valuable tool for understanding the Open Banking business model and a must-read for banks, merchants, PSPs, and other industry players that will be affected by PSD2 regulations. Download your free copy (see button) here and learn more about the banking industry of tomorrow.

Annette Gillhart – Community manager treasuryXL

Download report: https://www.thepaypers.com/report/download/online-mobile-banking/12/open-banking-and-apis-a-new-era-of-innovation-in-banking/r769400

PSD2 – Update and new developments

| 17-8-2017 | François de Witte |

Early 2017, I published a post about PSD2, a lot of opportunities, but also big challenges. Now half a year later, I would like to update you on some developments in this area. PSD2 still needs to be transposed in the national legal system of all the member countries, and according to my knowledge several countries, including Belgium, have not yet released the draft laws. This creates quite some uncertainty in the market, as there will be several country-specific specifications. Hence one can expect that Fintech’s and other TPPs might already have started their certification application in countries that already enacted PSD2 in their local legislation.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

2FA: Two-factor authentication
API: Application Programming Interface
EBA: European Banking Authority
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Regulatory Technical Standards (final draft issued by the EBA on 23/2/2017)
SCA: Strong Customer Authentication
TPP: Third Party Provider

Main updates on the regulatory framework

On 23 February 2017, the EBA published the final draft on the SCA (Strong Customer Authentication) and Secure Communication.
In this final draft, the EBA clarifies the new rules to be followed for customer authentication, applicable both for operations performed in traditional channels and over the new API (Application Programming Interfaces) services. The key clarifications concern the following:

The 2 factor authentication

The following systems would comply:

1. The 2-device-authentication, where the user has two independent devices:

  • one device to access the banking website or app
  • another device to authenticate himself or a payment: the authentication device, usually a hardware authentication token, a combination of a smart card and smart card reader, or a dedicated app on a mobile device.
    The authentication device generates one-time passwords (OTPs) over transaction data

2. The 2 app authentication:

This approach relies on two different apps running on the same mobile device.

  • Banking app: when a user wants to make a payment, he opens the banking app and enters the transaction data.
  • Authentication app: when the user has submitted the transaction, the banking app opens the authentication app. After verification and confirmation of the transaction data by the user, the authentication app generates an OTP (One Time Password) linked to the transaction data and sends it back to the banking app, which submits it to the banking server for verification.

The dynamic linking

In order to dynamically link the transaction, the draft RTS states the following requirements must be met:

  • the payer must be made aware at all times of the amount of the transaction and of the payee;
  • the authentication code must be specific to the amount of the transaction and the payee;
  • the underlying technology must ensure the confidentiality, authenticity and integrity of: (a) the amount of the transaction and of the payee; and (b) information displayed to the payer through all phases of the authentication procedure (the EBA hasn’t specified the nature of this “information”);
  • the authentication code must change with any change to the amount or payee;
  • the channel, device, or mobile application through which the information linking the transaction to a specific amount and payee is displayed must be independent or segregated from the channel, device or mobile application used for initiating the electronic payment transaction.
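As an added illustration (not part of the article, and not an algorithm prescribed by the RTS), the sketch below shows one way an authentication code can be made specific to the amount and the payee: an HMAC over a canonical encoding of the transaction, reduced to digits. The key, nonce, placeholder IBANs and function names are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from decimal import Decimal

def canonical(amount, currency, payee_iban, nonce):
    """Length-prefix each field so two different transactions can never
    serialise to the same bytes (e.g. by shifting a digit between fields)."""
    fields = [
        str(Decimal(amount).quantize(Decimal("0.01"))).encode(),
        currency.upper().encode(),
        payee_iban.replace(" ", "").upper().encode(),
        nonce,  # server-issued, single use: makes the code a one-time password
    ]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def auth_code(key, amount, currency, payee_iban, nonce, digits=8):
    """Authentication device: code computed over what the payer confirmed."""
    mac = hmac.new(key, canonical(amount, currency, payee_iban, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, amount, currency, payee_iban, nonce, code):
    """Bank server: recompute over the transaction it is about to execute."""
    expected = auth_code(key, amount, currency, payee_iban, nonce, len(code))
    return hmac.compare_digest(expected, code)

# Constructed sample values (assumptions, not real account data).
KEY = bytes(range(32))                 # per-device secret shared with the bank
NONCE = b"constructed-nonce-0001"
PAYEE = "BE00 0000 0000 0000"          # placeholder IBAN
OTHER = "NL00 TEST 0000 0000 00"       # placeholder IBAN of a different payee

def demo():
    code = auth_code(KEY, "125.00", "EUR", PAYEE, NONCE)
    return {
        "same_tx": verify(KEY, "125.00", "eur", PAYEE.lower(), NONCE, code),
        "amount_changed": verify(KEY, "1250.00", "EUR", PAYEE, NONCE, code),
        "payee_changed": verify(KEY, "125.00", "EUR", OTHER, NONCE, code),
    }

if __name__ == "__main__":
    print(demo())
```

Because the server recomputes the code from the amount and payee it is about to execute, a code confirmed for one transaction does not verify for an altered one; the server must also reject a nonce it has already accepted.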

The exemptions from the SCA

The exemptions from the SCA also include:

  • Transactions between two accounts of the same customer held at the same PSP
  • Low risk transactions: Transfers within the same PSP justified by a transaction risk analysis (taking into account detailed criteria to be defined in the RTS),
  • Low value payments or contactless payments < 50 euro, provided that the cumulative amount of previous consecutive electronic payment transactions without SCA, since the last application of the SCA, is < 150 euro
  • Unattended transport and parking terminals
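The exemption list above can be expressed as a per-payer decision with a running counter, shown here as an added example that is not from the article or the RTS. The class and field names are hypothetical, the thresholds are the ones quoted above, the low-risk exemption is left out because its criteria are still to be defined, and it is an assumption that only low-value exemptions feed the cumulative counter.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("50")     # EUR: a single payment must be below this
CUMULATIVE_LIMIT = Decimal("150")   # EUR: exempt total since the last SCA must be below this

@dataclass
class Payment:
    amount: Decimal
    own_account_same_psp: bool = False   # two accounts of the same customer at one PSP
    unattended_terminal: bool = False    # unattended transport or parking terminal

class ScaTracker:
    """Per-payer state: total let through without SCA since SCA was last applied."""

    def __init__(self):
        self.exempt_total = Decimal("0")

    def requires_sca(self, p):
        if p.own_account_same_psp or p.unattended_terminal:
            return False
        # As worded above, the 150 euro test applies to the *previous* payments.
        low_value = (p.amount < LOW_VALUE_LIMIT
                     and self.exempt_total < CUMULATIVE_LIMIT)
        return not low_value

    def process(self, p):
        if self.requires_sca(p):
            self.exempt_total = Decimal("0")   # SCA applied: the counter restarts
            return "SCA"
        if not (p.own_account_same_psp or p.unattended_terminal):
            self.exempt_total += p.amount      # assumption: only low-value exemptions count
        return "exempt"

def run(amounts):
    """Feed a constructed sequence of card payments (EUR) through one tracker."""
    tracker = ScaTracker()
    return [tracker.process(Payment(Decimal(a))) for a in amounts]

if __name__ == "__main__":
    print(run(["40", "45", "49", "30", "20", "60", "10"]))
```

In the constructed sequence the fourth payment is still exempt because the previous total is 134 euro; the fifth triggers SCA and resets the counter.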

The draft RTS (not finalized, not approved yet) also states that screen scraping is no longer allowed. Screen scraping is a method of remotely taking over the data on the user's screen. This has met a lot of opposition in the financial community, in particular from the Fintechs, as it complicates the interaction between the bank, the TPP, and the PSU. On the other hand, both the EBA and the EBF (European Banking Federation) are against screen scraping. There is a power game ongoing.

Main developments

Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.

Although PSD2 does not specifically mention the API (Application Programming Interfaces), most technology and finance professionals assume that APIs will be the technological standard used to allow banks to comply with the regulation.

An API is a set of commands, routines, protocols and tools which can be used to develop interfacing programs. APIs define how different applications communicate with each other, making available certain data from a particular program in a way that enables other applications to use that data. Through an API, a TPP application can make a request with standardized input towards another application and get that second application to perform an operation and deliver a standardized output back to the first application. For example, approved third parties can access your payment account information if mandated by the user and initiate payment transfer directly.

In this framework, the challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this.

At this stage, the following working groups have been constituted to further elaborate on these standards:

  • UK’s Open Banking Working Group (OBWG). This initiative of UK Treasury aims to deliver a framework for open banking and data sharing via APIs for the UK’s banking industry. The joint industry/government initiative recently released its report on establishing the framework for an Open Banking Standard for the UK alongside a timetable for implementation.
  • The Berlin Group, a European payments interoperability coalition of banks and payment processors, is pushing for a single standard for API access to bank accounts to comply with new regulations on freeing up customer data under PSD2. The aim is to offer operational rules and implementation guidelines with detailed data definitions, message modelling and information flows based on RESTful API methodology. It will be published for consultation in Q4 2017.
  • STET has also released a RESTful API standard which will allow TPPs to access payment accounts. This API has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs.

In the meantime, several providers are developing their services, including, in the Benelux, equensWorldline, Capco, Sopra Banking and Isabel.

Along with the arrival of open API banking, there is also clear momentum for providing real-time services such as “instant payments”. This requires banks to shift their entire product and service mindset towards immediate delivery and to make fundamental changes to their legacy systems. While this is a challenge, it also presents opportunities (see also my article in TreasuryXL on this topic: SEPA Instant Payments – a catalyst for new developments in the payments market, https://www.treasuryxl.com/news-articles/francois-de-witte/sepa-instant-payments-catalyst-new-developments-payments-market and https://www.treasuryxl.com/news-articles/francois-de-witte/sepa-instant-payments-a-catalyst-for-new-developments-in-the-payments-market-part-ii/).

The large banks have already started working on being PSD2 compliant and on building for the opening of their banking architecture to the TPPs. However, several small or medium-sized banks only started recently on this project. Hence a lot has to be done, and I do expect some shortages in resources in the coming months.

With regard to the access to TPPs, article 113.4 of PSD2 explicitly states that the member states shall ensure the application of the security measures within the 18 months following the entry into force of the Hence, we might expect that this part of PSD2 needs only to be implemented by mid-2019. Given the strategic importance and the IT act, I recommend starting this exercise much earlier.

Conclusion

The PSD2 creates challenges. Several topics, such as the RTS, need to be clarified, and the market players also need to agree on common standards for the interfaces.
However, there are initiatives, such as the Berlin Group, the UK’s Open Banking Framework and the STET group, which help give further clarity and direction in the absence of specific technical detail.
Consequently, there is no justifiable reason for any bank to delay starting these projects.
The clock is ticking in the PSD race.

If you want a further update on this topic, you can join the 1-day training session on this topic, which I will give on 22/11/2017 at Febelfin Academy.

 

François de Witte – Founder & Senior Consultant at FDW Consult


Please read my earlier articles on PSD2:

PSD 2: A lot of opportunities but also big challenges (Part I)

PSD 2: A lot of opportunities but also big challenges (Part II)

Sepa instant payments – A catalyst for new developments in the payments market (Part I)

Sepa instant payments – A catalyst for new developments in the payments market (Part II)


PSD2: The Disruption and Innovation of Open Banking

| 11-8-2017 | treasuryXL | The Paypers |

PSD2 is a recurring topic which is of great concern to financial institutions and other payment service providers, as well as finance professionals at corporates all over the world. We read an interesting article about the disruption and innovation of open banking at The Paypers and want to share it with you. The article is part of the Open Banking & APIs Report 2017, aimed to provide necessary insights to help readers understand the latest developments on the topic, as well as practical examples and best practices in Open Banking. Alisdair Faulkner of ThreatMetrix states that innovation, enhanced security and the drive for greater competition are the golden triptychs at the heart of PSD2.

PSD2: Game changer, opportunity and challenge

PSD2 is a game changer for digital payments and commerce in Europe and will have a significant global impact. It requires financial institutions to make changes to their platforms and systems, while making strategic decisions on how they want to play going forward. These changes will require significant investment as well as a strategic shift, as banks are forced to consider how they can safely open their banking platforms to external third parties. While this may negatively impact the revenue of large banks, it can also level the playing field for smaller fintechs, as well as provide opportunity for new product innovations.

Not only do banks and other PSPs need to work toward compliance, but they also need to define their strategy to position themselves competitively in the market. They will also need to align the somewhat competing demands of rapid innovation while maintaining vigilant security as the cybercrime war continues to rage.

Innovation and Disruption

Digital transactions have had a huge impact on the evolution of the fintech industry as niche products and services have emerged to fill the crevasses left by larger financial institutions. These include services for the unbanked and underbanked, instant insurance, crowdfunded loans and global online remittance. Fintech operators have been able to rapidly innovate for many reasons: a lack of legacy back end systems, lower regulations and less online scrutiny, for example. On the other hand, large financial institutions have unwittingly become the enablers with minimal benefit.

However, PSD2 and Open Banking regulations are set to create more opportunities as both financial institutions and new providers compete to drive smarter revenue from payments. With open banking, the financial institutions would be increasingly at risk of losing their direct relationship with the customer and becoming a back end utility. On the other hand, new providers could emerge, enabling customers to access their banking services from a common portal, without having to ever log into their bank. These portals may also enable the customer to get services à la carte from a menu of banks. As such, businesses are contemplating the path forward as they wait for new payment platforms and ecosystems that lead to new business models to emerge. It will be critical for established providers to decide how to take advantage of the opportunity and not be left behind.

What are the threats and possible solutions to navigate the future according to Alisdair Faulkner?

Please read more by referring to the original article on The Paypers.