Posts

Best read articles of all time – PSD 2: a lot of opportunities but also big challenges (Part II)

| 16-05-2018 | François de Witte |

After having examined the detailed measures of the PSD2 in my first article, in the 2nd part we will examine the impact of PSD 2 on the market. In order to help you read the text we will once more start with a list of abbreviations.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

2FA    :   Two-factor authentication
AISP  :    Account Information Service Provider
API :       Application Programming Interface
ASPSP : Account Servicing Payment Service Provider
EBA :     European Banking Authority
PISP :    Payment Initiation Service Provider
PSD1:    Payment Services Directive 2007/64/EC
PSD2  :  Revised Payment Services Directive (EU) 2015/2366
PSP :     Payment Service Provider
PSU:      Payment Service User
RTS :     Regulatory Technical Standards (to be issued by the EBA)
SCA :     Strong Customer Authentication
TPP :     Third Party Provider

Impact on the market

A major implementation journey:

The ASPSP (mostly banks) will have to make large investments in order to comply with the PSD2, in the following fields:

  • Implementing  the infrastructure enabling the application of the PSD2 scheme to the currency transaction in the EU/EEA area, and to the one leg transactions.
  • Ensuring that they can respond to requests for payment initiation and account information from authorized and registered TPPs (third party providers), who have received the explicit consent of their customer for to this. They will have to develop interfaces that enable third party developers to build applications and services around a bank. Internal banking IT systems might need to be able to cope with huge volumes of requests for information and transactions, more than they were originally designed for.
  • Ensuring their security meets the requirements of the SCA (strong customer authentication). This will be a big challenge both for the banks and for the other payment service providers).

PSD2 will make significant demands on the IT infrastructures of banks. On the one hand the IT infrastructure has to be able to be interact with applications developed by the TPPs (PISP and AISP). On the other hand, banks have to develop their systems in such a way that they don’t have to do this from scratch every time a TPP approaches them. This will require a very flexible IT architecture. The banks have to have a middleware that can be used by their internal systems, but also by the applications of the PSP’s.

Although PSD2 does not specifically mention the API (Application Programming Interfaces),  most technology and finance professionals assume that APIs will be the technological standard used to allow banks to comply with the regulation.

An API is a set of commands, routines, protocols and tools which can be used to develop interfacing programs. APIs define how different applications communicate with each other, making available certain data from a particular program in a way that enables other applications to use that data. Through an API, a third party application can make a request with standardized input towards another application and get that second application to perform an operation and deliver a standardized output back to the first application. For example, approved third parties can access your payment account information if mandated by the user and initiate payment transfer directly.

In this framework, the real challenge is to create standards for the APIs specifying the  nomenclature, access protocols and authentication, etc.”. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this. The EBA (European Banking Authority) will develop RTS (Regulatory Technical Standard) with more detailed requirements regarding the interface between ASPSPs and TPPs. While these are expected to be published early 2017, based on the EBA’s recent draft RTS, the question is whether they will define the interface’s technical specifications.

Emergence of new players and business models

By integrating the role of new third party payment service providers (TPPs) such as the PISP and the AISP, the PSD2 creates a level playing field in the market. Several market experts expect that this will foster innovation and creating new services. For this reason PSD2 should increase competition.

This might lead to a unique open race between traditional players, such as the banks and newcomers for new services and a possible disintermediation of banking services, as illustrated in the figure down below:

Source: Catalyst or threat? The strategic implications of PSD2 for Europe’s banks, by Jörg Sandrock, Alexandra Firnges – http://www.strategyand.pwc.com/reports/catalyst-or-threat

PSD2 is likely to give a boost to the ongoing innovation boom and bring customers more user-friendly services through digital integration. One can expect that the automation, efficiency and competition will also keep the service pricing reasonable. PSD2 will foster improved service offerings to all customer types, especially those operating in the e-commerce area for payment collection. It will enable a simpler management of accounts and transactions. New offerings may also provide deeper integration of ERP functions with financial services, including of their multibank account details under a single portal, and smart dashboards.

PSD2 also enables a simplified processing chain in which the card network can be  disintermediated. The payment can be initiated by the PISP directly from the customer’s bank account through an interface with the ASPSP. In  this scheme, all interchange fees and acquirer fees as well as all the fees received by the processor and card network could be avoided. The market expects that new PISPs will be able to replace partly the transactions of the classic card schemes. A large internet retailer could for example ask permission to the consumers permitting direct account access for payment. They could propose incentive to encourage customers do so. Once permission is granted then the third-parties could bypass existing card schemes and push payments directly to their own accounts.

On the reporting side, the AISP can aggregate consumer financial data and provide consumers with direct money management services. They can be used as multi-bank online electronic banking channel. One can easily imagine that these services will be able to disintermediate existing financial services providers to identify consumer requirements and directly offer them additional products, such as loans and mortgages.

The PSD2 is for banks a compliance subject, but also an opportunity to develop their next generation digital strategy. New TPPs can provide their innovative service offerings and agility to adopt new technologies, enabling to create winning payments propositions for the customer. In turn, traditional players like banks can bring their large customer bases, their reach and credibility. Banks have also broad and deep proven data handling and holding capabilities. This can create winning payments propositions for the customer, the bank and the TPP.

Banks will have to decide whether to merely stick to a compliance approach, or to leverage on the PSD2 to develop these new services. The second approach will require to leave behind the rigid legacy structures and to change their mindset to ensure  quicker adaption to the dynamic customer and market conditions. A first mover strategy can prove to be beneficial.  Consumers and businesses will be confronted with the increased complexity linked to the multitude of disparate offerings. There also, the incumbent banks who will develop new services  can bring added value as trusted partners

Essentially, PSD2 drives down the barriers to entry for new competitors in the banking industry and gives new service providers the potential to attack the banks and disintermediate in one of their primary customer contact points. New players backed by strong investors are ready to give incumbents a serious run for their business. This is an important battle that the incumbent banks are not willing to lose.

The biggest potential benefits will be for the customers, who can access new value propositions, services and solutions that result from banks and new entrants combining their individual strengths or from banks becoming more innovative in the face of increased competition. Market experts also foresee an increased use of online shopping and e-procurement.

Several challenges to overcome

The PSD2 will be transposed in the national legal system of all the member countries. The involved market participants will have to examine the local legislation of their country of incorporation, as there might be some country-based deviations.

The authentication procedure is also an important hot topic. PISPs and AISPs can rely on the authentication procedures provided by the ASPSP (e.g. the banks)  to the customer but there are customer protection rules in place. Hence, they must ensure that the personalized security credentials are not shared with other parties. They also may not store sensitive payment data, and they are obliged to identify themselves to the ASPSP each time a payment is initiated or data is exchanged.

ASPSPs are required according to PS2 to treat payment orders and data requests transmitted via a PISP or AISP “without any discrimination other than for objective reasons”. A practical consequence for credit institutions will be that they must carry out risk assessments prior to granting payment institutions access – taking into account settlement risk, operational risk and business risk. One of  the main issue is the handling of the customer’s bank credentials by third party payment service providers. The bank needs to be able to perform strong authentication to ensure that the authorized account user is behind the initiation message

There are concerns about security aspects related to PSD2. An example hereof is the secure authentication. All the PSPs will have to ensure that they can demonstrate compliance with the new security requirements. How it will be achieved and monitored ? How will TPPs  interact with banks, since there is no need for a contract to be signed?

If something does not work correctly, there will also be discussions on the liability side. The PSD2 states that the TPP has to reimburse customers quickly enough that they are not bearing undue risk, but one will have to determine which TPP had the problem and work with them to resolve it. This will require further clarifications from the regulators.

In addition the PISP and the AISP vulnerable for to potential frauds. Web and mobile applications could become easy target for cybercriminals for various reasons, including the inherent vulnerabilities in the APIs that transfer data and communicate with back-end systems. The openness of the web could allow hackers to view source code and data and learn how to attack it. APIs have been compromised in several high-profile attacks that have caused significant losses and embarrassment for well-known players and their customers. The PSD2’s ‘access to account’  increases not only the number of APIs, but adds layers of complexity to the online banking/payments environment, adding to the risk of fraudulent attacks.

The market is waiting for the RTS (Regulatory Technical Standards) to give guidance on how some remaining security issues will be solved. These include:

  • Treatment of PSU’s (payment service user)security credentials
  • Requirements for secure communication between the PSP and banks
  • Full details and definition of strong authentication
  • Safety of the PSU funds and personal data
  • Availability of license registry for real-time identification of the PSP (PISP or AISP)

It is important that the required clarifications are published soon, in order to avoid a time lag between the implementation of PSD 2 in the national legislations and the real move in the market.

Conclusion

The PSD2 creates challenges, such as the huge investments to be made by the banks, compliance issues and protection against fraud and cybercrime. However several topics need to be clarified such as the RTS and the market players need also to agree on common standards for the interfaces. The clock is ticking in the PSD race.

Traditional players such as the banks appear to have a competitive disadvantage vis-à-vis the new emerging third party payment service providers. However, the Directive opens up new forms of a collaborative approach that can overcome this. New players can provide their innovation and resilience, whilst banks can add value thanks to their large customer base, credibility, reach and ability to cope with high volumes.

The biggest potential benefits might be for customers, who will benefit from new value propositions, services and solutions from new entrants, from banks and new entrants combining their individual strengths, or from banks becoming more innovative in the face of increased and agile competition.

François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group

 

[button url=”https://www.treasuryxl.com/community/experts/francois-de-witte/” text=”View expert profile” size=”small” type=”primary” icon=”” external=”1″]

[separator type=”” size=”” icon=””]

Best read articles of all time – PSD 2: a lot of opportunities but also big challenges (Part I)

| 15-05-2018 | François de Witte |

The Directive 2015/2366 on payment services in the internal market (hereinafter PSD2) was adopted by the European Parliament on October 8, 2015, and by the European Union (EU) Council of Ministers on November 16, 2015. The PSD2 updates the first EU Payment Services Directive published in 2007 (PSD1), which laid the legal foundation for the creation of an EU-wide single market for payments. PSD2 came into force on January 13, 2016, and is applicable from January 13, 2018 onwards. By that date the member states must have adopted and published the measures necessary to implement it into their national law.

PSD 2

PSD2 will cause important changes in the market and requires a thorough preparation. In this article, we are summarizing the measures and highlighting the impact on the market participants. In today’s Part I we will focus on abbreviations and main measurers introduced by PSD2.

List of abbreviations used in this article

2FA    : Two-factor authentication

AISP  :  Account Information Service Provider

API : Application Programming Interface

ASPSP : Account Servicing Payment Service Provider

EBA :  European Banking Authority

EBF :  European Banking Federation

EEA :  European Economic Area

PISP :  Payment Initiation Service Provider

PSD1:  Payment Services Directive 2007/64/EC

PSD2  :  Revised Payment Services Directive (EU) 2015/2366

PSP : Payment Service Provider

PSU:   Payment Service User

RTS : Regulatory Technical Standards (to be issued by the EBA)

SCA : Strong Customer Authentication

TPP :  Third Party Provider

Main Measures introduced by PSD2:

The  PSD2 expands the reach of PSD1, to the following payments:

  • Payments in all currencies (beyond EU/EEA), provided that the two PSP (Payment Service Provider) are located in the EU /EEA (two legs)
  • Payments where at least one PSP (and not both anymore)  is located within EU borders for the part of the payment transaction carried out in the EU/EEA (one leg transactions)

A second important measure is the creation of the Third Party Providers (TPP). One of the main aims of the PSD2 is to encourage new players to enter the payment market and to provide their services to the PSU (Payment Service Users). To this end, it creates the obligation for the ASPSP (Account Servicing Payment Service Provider – mainly the banks) to “open up the bank account” to external parties, the so-called, third-party account access. These TPP (Third Party Providers) are divided in two types:

·        AISP (Account Information Service Provider) : In order to be authorized, an AISP is required to hold professional indemnity insurance and be registered by their member state and by the EBA. There is no requirement for any initial capital or own funds. The EBA (European Banking Authority) will publish guidelines on conditions to be included in the indemnity insurance (e.g. the minimum sum to be insured), although it is as yet unknown what further conditions insurers will impose.

·        PISP (Payment Initiation Service Providers): PISPs are players that can initiate payment transactions. This is an important change, as currently there are not many payment options that can take money from one’s account and send them elsewhere. The minimum requirements for authorization as a PISP are significantly higher. In addition to being registered, a PISP must also be licensed by the competent authority, and it must have an initial and on-going minimum capital of EUR 50,000.

Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. However, payment initiation service providers will only be able to receive information from the payer’s bank on the availability of the funds on the account which results in a simple yes or no answer before initiating the payment, with the explicit consent of the payer. Account information service providers will only receive the information explicitly consented by the payer and only to the extent the information is necessary for the service provided to the payer. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.

A third important change is the obligation for the Payment Service Providers to place the SCA (Strong Customer Authentication) for electronic payment transactions based in at least 2 different sources (2FA: Two-factor authentication) :

  • Something which only the client knows (e.g. password)
  • A device (e.g. card reader, authentication code generating device, token)
  • Inherence (e.g. fingerprint or voice recognition)

 

The EBA (European Banking Authority will provide further guidance on this notion in a later stage. It remains to be seen whether the current bank card with pin code is sufficient to qualify as “strong customer authentication”. This “strong customer authentication” needs to take place with every payment transaction. EBA will also be able to provide exemptions based on the risk/amount/recurrence/payment channel involved in the payment service (e.g. for paying the toll on the motorway or the parking).

PSD2 also introduces some other measures:

  • Retailers will be authorized to ask to the consumers for permission to use their contact details, so as to receive the payment directly from the bank without intermediaries
  • There will be a ban on surcharges on card payments
  • There will be new limitations on the customer liability for unauthorized payment transactions

In a second article soon to be published on treasuryXL, François de Witte will focus on the impact PSD2 has on market participants. 

François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group

 

[button url=”https://www.treasuryxl.com/community/experts/francois-de-witte/” text=”View expert profile” size=”small” type=”primary” icon=”” external=”1″]

[separator type=”” size=”” icon=””]

 

GDPR and its effects on the bottom line

| 15-02-2018 | treasuryXL |

On the 25th May 2018, GDPR – regulation by the European union – will come into effect. It requires any company that does business within the EU to protect the privacy relating to the data held on consumers, as well as restricting the types of data that can be collected. Obviously, this will mean extra expense for companies as they have to invest in systems and procedures to meet their obligations. However, a recent report by Deutsche Bank has shown that the implications of implementing GDPR could also have an impact on revenue.

At present, large companies like Facebook and Google collate data about their users. Mainly, this data is used to present advertising to the individual based on the analysis of the data showing where they have clicked onto etc. The scope of GDPR is very large and such large companies would not be able to deny access to their users if they decide to opt out of data use.

GDPR defines a principle of purpose limitation, This states that personal data must only be collected for specified, explicit and legitimate purposes and not furthered processed in a manner that is incompatible with those purposes. This could impact on the revenue stream of such companies.

Google receives approximately 33% of their revenue from Europe. Deutsche bank concluded that if 30% of European users opted out of data sharing, this could affect revenue by 2%. Google and Facebook receive around 75% of all online advertisement spending.

At the same time, research suggests that a quarter of a billion users of news site readers have already installed ad-blockers.

The effects on revenue for websites that actively use data supplied by the actions of their users is difficult to quantify, but it will have an impact. Companies will have to look closely at their projected revenue from online advertising and ask if the figures are too optimistic in the light of this legislation.

If you want more information please feel free to contact us via email info@treasuryxl.com

 

Digital currency – to bitcoin a phrase

| 05-02-2018 | treasuryXL |

These are volatile times in the world of Bitcoin and all other cryptocurrencies. Over the last 2 months there have been large swings in the price – price opened up around USD 10,000 at the start of December 2017 and then roared ahead to over USD 19,000; this was followed by continual declines with the price dropping below USD 9,000 at the end of last week. This morning the price has gone under USD 8,000. Bitcoin has been renowned for its volatility, but are there fundamental factors at work that are affecting the price?

Theft

Yet another hack in the cryptocurrency world– this time of NEM at Coindesk – led to the theft of around USD 500 million. Security seems to be a factor and is having an effect on confidence and sustainability.

Lack of regulation

As a currency and industry that is still very young, there is a lack of proper regulation. When compared to legal tender currencies there is a distinct lack of consumer protection and regulatory framework. Losing all your savings is a high risk that is prevalent in an industry that is so lacking in clear and concise regulations. The Commodity Futures Trading Commission, a regulatory agency in the United States, recently subpoenaed Bitfinex – a cryptocurrency exchange – for possible price manipulation. Their currency – Tether – is supposed to be backed by traditional money, though it appears that Tether has been created without the backing of physical money.

Intervention

The Indian Finance Ministry has spoken about banning cryptocurrency – China is looking at blocking access to exchanges. In South Korea illegal foreign exchange trading using cryptocurrency has been discovered. Possible government intervention is detrimental to the development of digital currency.

Futures market

Whilst it is still too early to report in great detail, opinion is being voiced that the introduction of futures contracts are having an adverse impact on the pricing of cryptocurrency.

Banning

Major US banks have started banning their customers from buying cryptocurrency with their credit cards. The banks are worried about the price volatility and people purchasing investment products via credit.

Lack of commercial acceptance

Until cryptocurrency is accepted by major retailers, it will not be seen as a genuine alternative to fiat currency. Yet again, the price volatility appears to be holding back major stores in embracing the digital coins.

Obsolescence

As a pioneer in the cryptocurrency world, Bitcoin is starting to shows its age. Its file size – 1 megabyte containing about 2500 transactions – is being superseded. Bitcoin cash is 8 times larger and far quicker. It is taking a lot of time for transactions to be verified and the costs to send Bitcoin has increased dramatically – more than USD 100.

Bitcoin is still up around 700 per cent from the beginning of 2017, but the enthusiasm and positive belief seem to be evaporating as the market becomes more mature.

 

If you want more information please feel free to contact us via email info@treasuryxl.com

BEPS and its impact on Corporate Treasury

| 25-01-2018 | treasuryXL |

The BEPS (base erosion and profit shifting) initiative is an OECD initiative, approved by the G20, to identify over a period to December 2015, ways of providing more standardised tax rules globally. Phases two and three involve implementation and monitoring (together with some remaining standard setting and clarification). BEPS is a term used to describe tax planning strategies that rely on mismatches and gaps that exist between the tax rules of different jurisdictions, to minimise the corporation tax that is payable overall, by either making tax profits “disappear” or shift profits to low tax operations where there is little or no genuine activity. In general BEPS strategies are not illegal; rather they take advantage of different tax rules operating in different jurisdictions, which may not be suited to the current global and digital business environment.

Impact

Many large companies have developed funding and cash distribution strategies around tax regulations. The Netherlands is specifically known for its activity in Trust Offices. The changes envisaged by BEPS could result in the corporate structure of a company being deemed invalid. Many large international companies have Dutch registered offices whilst no physical work is done within the Netherlands.

It is not uncommon to see intercompany financing being structured purely to avail itself to the current tax regimes and advantages within different countries. Interest is a cost and is deductible against tax in many places. Structures have been put into place where a company arranges for interest to be paid at a company within a high tax regime, whilst the interest is received in a country with a low tax regime. BEPS has been designed to tackle this sort of situation.

Companies will now have to submit detailed reports on their holdings and representations on a country by country basis. Such reports will assist the tax authorities in better understanding how the global operations of a company are performed. This should lead to greater clarity on the transfer pricing policy being used by companies.

Companies need to review and outline their existing structures and investigate what the changes and impact will be once BEPS is initiated. It is quite conceivable that certain operations will be seen as not meeting the new criteria – leading to a change in the existing company strategy. This could lead to disadvantageous results, such as increases in the weighted average cost of capital that a company reports, which could affect its share price.

This means action has to be undertaken and this could lead to significant changes within some treasury departments.

 

If you want more information please feel free to contact us via email info@treasuryxl.com

PSD2 – has it hit the ground running?

| 18-01-2018 | treasuryXL |

On the 13th January 2018, PSD2 came into force. In previous articles we have discussed the meaning of this legislation. To recap – it is a directive to regulate the payment market and payment service providers, whilst also opening the market to non-banks. This should lead to a uniformity in products, technical standards and infrastructure. PSD2 will allow customers of banks to voluntarily use third party providers to process and initiate their financial transactions.

In the UK the process has gone even further – Open Banking has been enacted. Fintech companies are now in the position of taking over the ownership of the customer relationship that banks now have – assuming this is what the customer wants. The traditional relationship between a bank and a customer is now under threat. Banks, which have traditionally applied a one shop for all your financial transactions approach, will possibly have to change and look more like an App store from which customers can choose the services that they want.

To effectively compete in this new market will mean focus on data mining and achieving an economy of scale. It is not inconceivable that tech giants such as Google, Facebook or Amazon could start offering financial services on the back of their sizeable databases. Whereas banks have invested heavily over the years in their payment processes, new technology means that the costs are far lower for a new entrant.

But will PSD2 truly open the European market for financial services? Research indicates that we very seldom interact beyond our own national borders. The cost of banking, credit cards, mortgages, car insurance etc. differ greatly within the EU. A survey that was commissioned by the European Commission concluded that 80% of Europeans would not consider purchasing a financial product from another EU member state. Any dreams of one Europe are rudely interrupted by such research and public opinion. This is not to say that public opinion could not change – rather that the current market is not very elastic.

So PSD2 is up and running – how about the banks? PwC published a report in December 2017 after conducting interviews with senior executives in European banks. Just 9% reported they were ready, despite 66% saying it would affect their operations. Furthermore, a report was published today by the Dutch Data Protection Regulator stating that the legislation does not take privacy requirements enough into account. This despite the legislation being passed more than 2 years ago.

Eventually banks that are early to design their products specifically for this legislation and bring them to market could establish a clear lead on their opposition. Also, if the public reluctance to transact cross-border was to diminish, it is possible that – in the future – we could be purchasing our mortgages in Finland, our credit cards in the UK and our car insurance in Hungary!!

If you want more information please feel free to contact us via email info@treasuryxl.com

Intercompany financing – complying with procedures

| 18-12-2017 | treasuryXL |

Many businesses (not just multinationals) finance the operations of their subsidiaries/affiliates via intercompany loans. During the financial crisis external funding became more difficult to obtain, and more businesses attempted to finance their operations internally. Whilst this can be a good procedure, consideration must be given to the fact that the loans must still be proper loans, compliant with normal market practices. Below we attempt to explain the relevant procedure.

Arm’s length principle

All terms and conditions of the intercompany loan – with special consideration for the interest rate – must be consistent with independent external loan funding. A business can not adopt a more generous approach to funding its subsidiaries than could be obtained externally. The pricing of the loan must reflect the perceived credit risk of the entity that is seeking funding.

Documentation

Just as with external financing, legal documentation needs to be drawn up and signed that clearly shows the terms and conditions of the loan. Standard covenants should be included together with a schedule showing repayment of principal and interest. If a subsidiary is granted an embedded option (early repayment without a penalty) then this must be clearly noted. Whilst the documentation does not have to be as large as that used by banks, it should always contain all relevant clauses, and both parties must adhere to the signed loan agreement. Included within the documentation should be a detailed explanation as to how the price and spread was determined, along with external data proof.

Credit modelling

As most subsidiaries are small and have no independent credit rating, an approach must be taken to attempt to define their creditworthiness. Standard metrics can be used to ascertain an internal rating. Just with a normal external loan, attention should be paid to the ability to repay. Whilst tax authorities may question the integrity of the credit modelling matrix, this can at least be negotiated if a dispute arises. If no matrix is available, then problems can occur.

Pricing

As previously stated, an internal loan should replicate the general conditions of an external loan. That means that when trying to determine the interest rate, full attention should be given to the funding costs of the main company. They need to determine what price they would pay externally to fund the loan and then apply a premium to the subsidiary. Traditionally rates can be fixed or floating with a premium.

Corporate Governance

Internal loans should always be monitored. They should not be a quick substitute for proper due diligence. Problems can easily arise if tax authorities reached the conclusion that the loan is being extended to a loss-making entity that would not receive funding externally.

Bitcoin – regulation and acceptance

| 06-12-2017 | Lionel Pavey |

 

As the price of Bitcoin reaches ever higher – more than $11,000 at the moment – Governments are starting to look at what regulation needs to be put into place. Bitcoin has gained a reputation as the currency of choice for tax evaders and drug traders due to its anonymity. It is a market with little or no regulation and, obviously, Governments are looking at lost revenue. Yesterday the UK Treasury stated the current anti-money regulations needs to be updated to encompass all virtual currencies.

It has been reported that criminals and terrorists have used virtual currencies to purchase illegal commodities via dark webs – ensuring complete anonymity. The proposal from the UK Treasury would mean that traders would be registered. At present, there are almost 100 ATM machines for Bitcoin transactions in the UK – with more than 70 in London. Cash can be entered into the machines and converted into Bitcoins. One transaction involved a customer paying in GBP 14,000 in cash.

For Governments, regulation would mean that the Treasury would be able to identify the owner of the money and investigate the source of the funds. Tax evasion would therefore be reduced. Naturally there are genuine investors who want to buy Bitcoin, but this can already be done via an electronic exchange.

To increase acceptance as a genuine alternative currency there needs to be a growth in financial products related to virtual currencies. Yesterday, the CBOE (Chicago Board Options Exchange) announced that it will start trading Bitcoin futures this coming Monday. Initial margins for trading will be 30 per cent and price limits will be put in place.

However, there are still many hurdles before complete acceptance can occur. It is still not a recognized currency – the retail outlets that accept payment in Bitcoin is still very small. In America, only 3 of the top 500 online retailers accept Bitcoin. Whilst the price of Bitcoin has surged in 2017, this very large price increase is having a negative effect on acceptance by retailers. As the currency has increased in value so much, there appears to be a reluctance among owners of Bitcoin to use Bitcoin to transact. It has become easier to speculate on its value than to trade for goods. This is a serious problem for a virtual currency to gain worldwide acceptance.

Another area of concern regards the transaction time. Confirmation of a transaction can take up to 20 minutes – if you ordered a coffee, then it would be cold before you could drink it!

Virtual currencies are certainly something that should be considered for the future, but until they are backed and trusted by the Government and residents of a country, they will only have a small niche marketplace.

 

 

Lionel Pavey

Cash Management and Treasury Specialist

 

 

PSD2 – Fall update and new developments

| 28-11-2017 | François de Witte |

PSD2In 2018, when PSD2 comes into force, banks will lose their monopoly on payment services and customer’s account details. Bank customers will be able to use third-party providers (TPP) to administer their payments. When a customer agrees on using the services of a TPP, then their bank has to give access to TPPs to their accounts. TPPs are then able to build and offer services that compete with the existing bank services. During the summer 2017, I published a Summer Update on PSD2. Since then, a lot of things have moved, and hence I found it the right moment to provide an update to you on some developments on PSD2, in this area.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

  • 2FA: Two-factor authentication
  • API: Application Programming Interface.
  • EBA:  European Banking Authority
  • PSP: Payment Service Provider
  • PSU:   Payment Service User
  • RTS: Regulatory Technical Standards (final draft issued by the EBA on 23/2/2017)
  • SCA: Strong Customer Authentication
  • TPP:  Third Party Provider
  • OTP: One time password

Main updates on the regulatory framework

Some member states have already advised that they expect delays in the transposition of PSD2 in the national law, e.g. Belgium (by March 2018), the Netherland (by June  2018), Sweden, Poland, Spain and France.
Following countries already announced that they will be on track, e.g. Italy, Finland, Ireland, Czech Republic, Germany and Bulgaria.
By end November the EBA should publish the revised draft on the SCA (Strong Customer Authentication) and Secure Communication. We expect that a number of points, raised by the market participants, will be incorporated in the text.
With regard to the access to TPPs, article 113.4 of PSD2 explicitly states that the member states shall ensure the application of the security measures within18 months following the entry in force of the law. Hence, we might expect that this part of PSD2 needs only to be implemented by Q3 2019. However, in some countries, the authorities are pushing for an earlier implementation (e.g. in Belgium by end Q1 2018). Given the strategic importance and the IT act, I recommend starting this quite soon.

Main developments

Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.
The challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc.”. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this.

A number of working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET. Experts seem to agree that the Berlin Group Standard is the most elaborate one., as it incorporates the most relevant use cases and has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs

As Marc Lainez, CEO of Ibanity, part of Isabel Group (developing API and PSD2 solutions for the XS2A and beyond) pointed out: “We can already see a fragmentation on the market. Several groups publishing specifications that are on many points different. With the RTS still being a moving target at the moment, those specifications are also incomplete as some details still need to be clarified. Some banks also choose to implement their own specifications without following closely any of those already published. In engineering, a standard is usually something that emerges through the best practices of an industry, it is not something that can be thought off entirely before it is actually used. At Ibanity, we are convinced that fragmentation will be a reality and several formats and specifications will co-exist on the market for some time. Looking at them from a pure software engineering point of view, we can say that those that seem the closest to what TPPs are actually expecting in terms of API quality are the specifications from the Open Banking Working Group and the Berlin Group. They still need, of course, to be challenged by the market with real use cases.“

The large banks have already started working on being PSD2 compliant and on building for the opening of their banking architecture to the TPPs. However, several small or medium sized banks only started recently on this project.
PSD2 has numerous interdependencies with other regulations (such as GDPR and eIDAS Regulation), promising a complex implementation with multiple stakeholders. For many banks, compliance by 2018 will be a challenge. Moreover there is a strong technology impact, adding to the complexity of the project. The following graphs of a market survey of PWC are a good illustration of the current state of the project with the European banks:

Conclusion

The PSD2 creates challenges. Several topics need to be clarified such as the RTS and the market players need also to agree on common standards for the interfaces. Moreover there are some unclarities in the text.
However, there are solutions in the market to withdraw the hassle for Banks and TPPs. The clock is ticking in the PSD race. Consequently, there is no justifiable reason for any bank to delay starting these projects.

François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group

 

[button url=”https://www.treasuryxl.com/community/experts/francois-de-witte/” text=”View expert profile” size=”small” type=”primary” icon=”” external=”1″]

[separator type=”” size=”” icon=””]

Uitgelicht: ECB strenger voor fintechbanken

| 31-10-2017 | Peter Schuitmaker |

 

Recentelijk lazen we een artikel over de verhoogde toezicht dat de ECB wil toepassen op Fintech-partijen die bancaire diensten aanbieden. (bron: FD ) De ECB schrijft in zijn eerder uitgebrachte gids Guide to assessments of fintech credit institution licence applications dat fintechs zorgen voor unieke risico’s in het financiële systeem. De ECB zegt “Fintechbanken moeten aan dezelfde standaarden voldoen als andere banken.” treasuryXL vroeg een van onze experts, Peter Schuitmaker, om zijn mening:

Is er een fintechzeepbel?

Peter SchuitmakerRegistered Advisor for Business Transfer and Succession

Door de opkomst van ICT, met name de mobiele platforms (telefoons en tablets) en de gebruikte software (apps) is de bancaire dienstverlening ook in een innovatieve stroomversnelling gegaan. Waar traditionele banken de nieuwe ICT gebruiken om hun diensten te vereenvoudigen en te verbeteren, deels ook om operationele kosten te drukken, zijn een groot aantal fintech bedrijven die juist -denkend vanuit de ICT technologie- producten en diensten aanbieden. Het zijn vaak niche producten of een producten met een beperkte functionaliteit die juist wel aansluit bij een zekere doelgroep.

De ECB heeft dat geconstateerd en wil op die fintech dienstverlening enige grip krijgen. Dat lijkt vrijwel onbegonnen werk, omdat het aanbod, zowel de functionaliteit als de onderliggende ICT, zeer divers is. Hoe dan ook, geen richtlijnen waarbinnen fintech bedrijven zich op de markt mogen begeven en ontwikkelen, lijkt ook geen optie. Vandaar deze eerste voorzichtige poging “Guide to assessement of fintech credit institutions”. De motivatie is nobel: men wel gelijke monniken, gelijke kappen. Maar hoe zaken zich zullen ontwikkelen en binnen welke termijn aanvullende of nieuwe richtlijnen nodig is laat zich lastig voorspellen. Maar erg optimistisch daarover ben ik niet!

 

Peter Schuitmaker

Registered Advisor for Business Transfer and Succession