Tag Archive for: regulations

PSD2 – Update and new developments

| 17-8-2017 | François de Witte |

Early in 2017 I published a post about PSD2: a lot of opportunities, but also big challenges. Now, half a year later, I would like to update you on some developments in this area. PSD2 still needs to be transposed into the national law of each member state and, to my knowledge, several countries, including Belgium, have not yet released their draft legislation. This creates quite some uncertainty in the market, as there will be country-specific details. One can therefore expect that Fintechs and other TPPs have already started their authorisation applications in countries that have enacted PSD2 in local legislation.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

2FA: Two-factor authentication
AISP: Account Information Service Provider
API: Application Programming Interface
ASPSP: Account Servicing Payment Service Provider (the bank holding the payment account)
EBA: European Banking Authority
PISP: Payment Initiation Service Provider
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Regulatory Technical Standards (final draft issued by the EBA on 23/2/2017)
SCA: Strong Customer Authentication
TPP: Third Party Provider (AISPs and PISPs)

Main updates on the regulatory framework

On 23 February 2017, the EBA published its final draft RTS on Strong Customer Authentication (SCA) and common and secure communication.
In this final draft, the EBA clarifies the rules to be followed for customer authentication, applicable both to operations performed in the traditional channels and to the new API (Application Programming Interface) services. The key clarifications concern the following:

Two-factor authentication

The following set-ups would comply:

1. Two-device authentication, where the user has two independent devices:

  • one device to access the banking website or app;
  • another device to authenticate himself or a payment: the authentication device, usually a hardware authentication token, a combination of a smart card and smart card reader, or a dedicated app on a separate mobile device.
    The authentication device generates one-time passwords (OTPs) computed over the transaction data.

2. Two-app authentication:

This approach relies on two different apps running on the same mobile device.

  • Banking app: when a user wants to make a payment, he opens the banking app and enters the transaction data.
  • Authentication app: when the user has submitted the transaction, the banking app opens the authentication app. After the user has verified and confirmed the transaction data, the authentication app generates an OTP (One Time Password) linked to the transaction data and sends it back to the banking app, which submits it to the banking server for verification.

The dynamic linking

In order to dynamically link the authentication code to the transaction, the draft RTS states that the following requirements must be met:

  • the payer must be made aware at all times of the amount of the transaction and of the payee;
  • the authentication code must be specific to the amount of the transaction and the payee;
  • the underlying technology must ensure the confidentiality, authenticity and integrity of: (a) the amount of the transaction and of the payee; and (b) information displayed to the payer through all phases of the authentication procedure (the EBA hasn’t specified the nature of this “information”);
  • the authentication code must change with any change to the amount or payee;
  • the channel, device, or mobile application through which the information linking the transaction to a specific amount and payee is displayed must be independent or segregated from the channel, device or mobile application used for initiating the electronic payment transaction.
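As an added illustration of what "dynamic linking" means in practice (this is not code from the post, nor from any bank, token vendor or standard mentioned here): the authentication device computes a short code over the amount, the payee and a per-transaction challenge, using a key it shares with the bank, so that the code is useless for any other amount or payee and cannot be replayed for a later transaction. The HMAC-SHA-256 plus HOTP-style truncation construction, the device key, the challenge format and the sample IBANs are assumptions chosen for the example; real devices use vendor-specific schemes.

```python
import hashlib
import hmac
import os
from decimal import Decimal, ROUND_HALF_UP

# Constructed device key for the example. In a real deployment it is
# provisioned into the authentication device (token, card or app) and
# known to the bank's authentication server, never to the banking app.
DEVICE_KEY = bytes.fromhex(
    "5a3b1c9e7d2f4a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
)


def canonical_transaction(amount, payee_iban, challenge):
    """Canonical bytes of the data the authentication code is linked to.

    The amount is fixed to whole cents and the IBAN is normalised (no
    spaces, upper case) so that cosmetic differences do not produce a
    different code, while any real change of amount or payee does. Each
    field is length-prefixed, so field boundaries are unambiguous.
    """
    cents = (Decimal(str(amount)) * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP)
    fields = [
        str(int(cents)).encode(),
        payee_iban.replace(" ", "").upper().encode(),
        challenge,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def generate_code(key, amount, payee_iban, challenge, digits=8):
    """Code the authentication device displays (or returns to the banking app)."""
    data = canonical_transaction(amount, payee_iban, challenge)
    mac = hmac.new(key, data, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to a short decimal code.
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def verify_code(key, amount, payee_iban, challenge, presented, digits=8):
    """Bank side: recompute over the amount and payee it is about to execute."""
    expected = generate_code(key, amount, payee_iban, challenge, digits)
    return hmac.compare_digest(expected, presented)


def new_challenge():
    """Fresh per-transaction challenge issued by the bank, so a code cannot be replayed."""
    return os.urandom(16)


if __name__ == "__main__":
    # Sample IBANs, used only for illustration.
    challenge = new_challenge()
    code = generate_code(DEVICE_KEY, "125.50", "BE68 5390 0754 7034", challenge)
    print("code shown on device :", code)
    print("same amount and payee:", verify_code(DEVICE_KEY, "125.50", "BE68539007547034", challenge, code))
    print("amount tampered      :", verify_code(DEVICE_KEY, "1250.50", "BE68539007547034", challenge, code))
    print("payee tampered       :", verify_code(DEVICE_KEY, "125.50", "BE71 0961 2345 6769", challenge, code))
```

The point of the construction is the verification step: the bank never trusts the amount and payee sent back by the banking app, it recomputes the code over the transaction it is actually going to execute, so a man-in-the-browser that alters the payee after the user confirmed on the second device produces a code mismatch. What the code cannot show is the RTS requirement that the display of amount and payee happens on a channel segregated from the one used to initiate the payment; that is a property of the device set-up, not of the cryptography.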

The exemptions from the SCA

The exemptions from the SCA include:

  • Transactions between two accounts of the same customer held at the same PSP
  • Low-risk transactions: transfers within the same PSP justified by a transaction risk analysis (taking into account detailed criteria to be defined in the RTS)
  • Low-value payments or contactless payments below 50 euro, provided that the cumulative amount of the previous consecutive electronic payment transactions without SCA, since the last application of SCA, is below 150 euro
  • Unattended transport and parking terminals
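To make the interaction of the two low-value thresholds concrete, here is an added example (not from the post, and not the RTS text itself) of a decision routine that applies the rule exactly as described above: a transaction is exempt when its own amount is below 50 euro and the sum of the previous consecutive exempted transactions since the last SCA is below 150 euro; applying SCA resets the running total. The per-instrument bookkeeping, the flag names and the handling of the other exemptions are assumptions of the example.

```python
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("50")    # a single transaction must be below this
CUMULATIVE_LIMIT = Decimal("150")  # previous exempted transactions since last SCA must sum below this


class ScaExemptionPolicy:
    """Decides per payment instrument whether SCA must be applied to a transaction.

    Keeps, per instrument (for example one card, or one account/device pair),
    the sum of the consecutive transactions executed without SCA since SCA was
    last applied. The state handling is an assumption of this example.
    """

    def __init__(self):
        self._exempted_since_sca = {}

    def requires_sca(self, instrument, amount, *, own_account_same_psp=False,
                     unattended_terminal=False, low_risk_by_tra=False):
        amount = Decimal(str(amount))
        if amount <= 0:
            raise ValueError("amount must be positive")

        # Exemptions that do not depend on the low-value counters. Whether they
        # count towards the cumulative total is not stated in the post; this
        # example leaves the running total untouched for them.
        if own_account_same_psp or unattended_terminal or low_risk_by_tra:
            return False

        previous = self._exempted_since_sca.get(instrument, Decimal("0"))
        if amount < LOW_VALUE_LIMIT and previous < CUMULATIVE_LIMIT:
            self._exempted_since_sca[instrument] = previous + amount
            return False

        # SCA is applied to this transaction, which restarts the count.
        self._exempted_since_sca[instrument] = Decimal("0")
        return True

    def exempted_total(self, instrument):
        return self._exempted_since_sca.get(instrument, Decimal("0"))


if __name__ == "__main__":
    # Constructed sequence of contactless payments on one card.
    policy = ScaExemptionPolicy()
    for amount in ("40", "45", "49.99", "20", "10", "10", "50"):
        sca = policy.requires_sca("card-1", amount)
        print(f"{amount:>6} EUR -> {'SCA' if sca else 'exempt':6} "
              f"(exempted since last SCA: {policy.exempted_total('card-1')})")
```

Two details are easy to get wrong and are worth checking against your own implementation: the test is on the amount of the *previous* transactions, so a transaction that takes the total past 150 euro is still exempt and only the next one triggers SCA; and the 50 euro limit is strict, so a payment of exactly 50 euro is not low-value.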

The draft RTS (not finalised, not approved yet) also states that screen scraping is no longer allowed. Screen scraping is the practice whereby a TPP logs in with the customer's own online banking credentials and reads the account data from the bank's customer web interface, rather than through a dedicated interface. The proposed ban meets a lot of opposition in the financial community, in particular from the Fintechs, as it complicates the interaction between the bank, the TPP and the PSU. On the other hand, both the EBA and the EBF (European Banking Federation) want screen scraping to stop. There is a power game going on.

Main developments

Banks will have to implement interfaces so that they can interact with the AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers). Compliance with PSD2 is mandatory, and all banks will have to make changes to their infrastructure.

Although PSD2 does not specifically mention APIs (Application Programming Interfaces), most technology and finance professionals assume that APIs will be the technological standard used by banks to comply with the regulation.

An API is a set of commands, routines, protocols and tools which can be used to develop interfacing programs. APIs define how different applications communicate with each other, making certain data of a particular program available in a way that enables other applications to use that data. Through an API, a TPP application can send a request with standardised input to another application and get that second application to perform an operation and return a standardised output. For example, approved third parties can access your payment account information, if you have mandated them to do so, and initiate payment transfers directly.

In this framework, the challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc. Banks will have to think about how their new API layers interact with their core banking systems and about the data models that are implemented alongside them.

At this stage, following working groups were constituted to further elaborate on these standards:

  • The UK's Open Banking Working Group (OBWG). This initiative of the UK Treasury aims to deliver a framework for open banking and data sharing via APIs for the UK banking industry. The joint industry/government initiative recently released its report on establishing the framework for an Open Banking Standard for the UK, alongside a timetable for implementation.
  • The Berlin Group, a European payments interoperability coalition of banks and payment processors, is pushing for a single standard for API access to bank accounts to comply with the new rules on freeing up customer data under PSD2. The aim is to offer operational rules and implementation guidelines with detailed data definitions, message modelling and information flows based on a RESTful API methodology. It will be published for consultation in Q4 2017.
  • STET has also released a RESTful API standard which will allow TPPs to access payment accounts. This API has been built with current technology standards: REST, OAuth2, JSON and HTTP signatures. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs (the banks holding the accounts).

In the meantime, several providers are developing their services, including in the Benelux Equens Worldline, Capco, Sopra Banking and Isabel.

Along with the arrival of open API banking, there is also clear momentum for providing real-time services such as “instant payments”. This requires banks to shift their entire product and service mindset towards immediate delivery and to make fundamental changes to their legacy systems. While this is a challenge, it also presents opportunities (see also my article in TreasuryXL on this topic: SEPA Instant Payments – a catalyst for new developments in the payments market (https://www.treasuryxl.com/news-articles/francois-de-witte/sepa-instant-payments-catalyst-new-developments-payments-market and https://www.treasuryxl.com/news-articles/francois-de-witte/sepa-instant-payments-a-catalyst-for-new-developments-in-the-payments-market-part-ii/).

The large banks have already started working on PSD2 compliance and on opening their banking architecture to the TPPs. However, several small and medium-sized banks only started this project recently. Hence a lot remains to be done, and I expect some shortages of resources in the coming months.

With regard to the access for TPPs, article 115(4) of PSD2 states that the member states shall ensure the application of the security measures within the 18 months following the entry into force of the RTS. Hence we may expect that this part of PSD2 only needs to be implemented by mid-2019. Given the strategic importance and the IT impact, I recommend starting this exercise much earlier.

Conclusion

PSD2 creates challenges. Several topics still need to be clarified, such as the RTS, and the market players also need to agree on common standards for the interfaces.
However, there are initiatives, such as the Berlin Group, the UK's Open Banking framework and the STET group, which help give further clarity and direction in the absence of specific technical detail.
Consequently, there is no justifiable reason for any bank to delay starting these projects.
The clock is ticking in the PSD2 race.

If you want a further update on this topic, you can join the one-day training session which I will give on 22/11/2017 at Febelfin Academy.

 

François de Witte – Founder & Senior Consultant at FDW Consult


Please read my earlier articles on PSD2:

PSD 2: A lot of opportunities but also big challenges (Part I)

PSD 2: A lot of opportunities but also big challenges (Part II)

Sepa instant payments – A catalyst for new developments in the payments market (Part I)

Sepa instant payments – A catalyst for new developments in the payments market (Part II)


From Fintech to Regtech… from potentially disruptive to leaner compliance opportunities

| 31-5-2017 | François de Witte |

On 18/5/2017, I attended a seminar covering the topic “From Fintech to Regtech… from potentially disruptive to leaner compliance opportunities” organized by The Finance Club of Brussels, the Free University of Brussels (ULB), the Solvay Finance Society and Thomson Reuters.

Introduction

Fintech describes a wide range of innovation in financial technology, going from payment systems to lending and trading platforms.
Fintechs are in many cases seen as potential disruptors of the traditional intermediation role of heavily regulated banks and other financial institutions (see also my articles on PSD2 below).
However, Fintechs can also be enablers, helping banks and financial institutions to streamline their regulatory reporting and compliance, or helping the disruptors to cope more easily with compliance in the future.

Setting the scene

Fintechs are playing an increasing role. The investments in Fintechs exceeded EUR 25 billion in 2016, and they bring a real digital revolution. Fintechs are perceived to foster the Digital Revolution, but equally to increase the digital divide in our society between the skilled and/or wealthy and those who are not.

Regulatory compliance is time-consuming and expensive for both financial institutions and regulators. The volume of information that parties must monitor and evaluate is enormous. The rules are often complex and difficult to understand and apply. There is a lot of data to be analyzed. Much of the process remains highly labor-intensive, or still depends heavily on manual inputs.

Regtech can be considered an outgrowth of Fintech. Regtechs use digital technologies, including big data analytics, cloud computing, robotics, behavioural analysis, blockchain technology and machine learning, to facilitate regulatory compliance. Amongst other things, Regtech applications automate risk management and compliance processes, enable companies to stay aware of regulatory changes around the world, facilitate regulatory reporting and support strategic planning.

In recent years banks have seen opportunities to ask Fintechs to solve their large regulation and compliance issues. Fintechs can change the paradigm of banks from heavy IT releases to agile sprints, from custom integration to standardised protocols, from static functions to workflows.

Hence financial institutions are more willing to consider using Fintechs to gain efficiency. During the seminar, one of the panellists said: "Collaboration is the best innovation". Banks can also help Fintechs thanks to their experience in managing large databases and risks, and by providing the required critical mass.

We have seen some applications recently in areas such as the KYC (Know Your Customer) domain.

Regtech – some other considerations

However, as mentioned during the seminar by Antonio Garcia Del Riego, Head of EU Corporate Affairs at Banco Santander, in Europe there remain obstacles to using Fintechs. The bank regulators in Europe expect the banks to deduct goodwill from their core capital. This implies that software investments cannot be capitalised and need to be written off immediately in the P&L. A second challenge is the ability to attract digital talent, given that the regulators limit the way in which remuneration can be paid, whilst start-ups can be very creative here.
For the regulators, challenges remain as well. Once the banks have automated their reporting, the regulators will have to follow. They too will have to attract digital talent in order to process all these data in an automated way. If they do not succeed in this, they might challenge the use of Regtechs, and that is not what we want.

Regtechs can potentially offer similar benefits to regulators as they do to financial institutions. We have recently observed that a few Regtech providers have emerged to serve the significant needs of regulators. Recent examples include Fintechs bringing behavioural models to the regulators, new cognitive technology, and the use of blockchain technology (smart contracts) to trigger automatic alerts for the regulators when banks exceed certain thresholds.

Some regulators are taking initiatives to foster innovation. In 2016, the UK's FCA created its "regulatory sandbox", a space where financial services companies are encouraged to test new products with customers under a tailored, lighter-touch supervisory regime. Recently the Australian Securities and Investments Commission also created its regulatory sandbox, proposed to establish a new Regtech liaison group comprising industry, technology firms, academics, consultancies, regulators and consumer bodies, and announced that it would host a Regtech hackathon later in 2017.

Other countries have also taken steps to support Fintech and Regtech innovation. The Monetary Authority of Singapore is in the process of developing a regulatory sandbox. We might expect other regulators to also take similar initiatives.

Conclusion

Thanks to their digital technology, Regtechs enable banks and other financial institutions to reduce the burden of compliance. However, some steps need to be taken to create a level playing field, and some topics will have to be clarified.
One may ask how far these innovations can become game changers or wake-up calls for the banks, or even force them into more transparency and predictability towards the regulators.

 

François de Witte – Founder & Senior Consultant at FDW Consult


 

More articles on this subject:

PSD 2: A lot of opportunities but also big challenges (Part I)

PSD 2 : The implementation of PSD 2: A lot of opportunities but also big challenges (Part II)


New rules of the game for currency traders

| 30-5-2017 | Erna Erkens | treasuryXL |

We asked our currency expert Erna Erkens to respond to an article in Het Financieele Dagblad about the new code of conduct for currency traders. She gives her reaction in her own typical way, without mincing her words.

Voluntary code of conduct

I am indeed ashamed that this is necessary, but I am not ashamed of having worked for 35 years as a currency trader with great passion. Partly for the account and risk of the bank, but more as a sparring partner for clients. As I still am today. The code of conduct in question is a voluntary one and I do not think it will have much influence any time soon. In fact it is something like the oath that bankers have to take.

Mindset

It must be the start of a change in mindset. But when we now see that banks charge too much penalty interest when mortgages are refinanced, it turns out that in everything that is not transparent to clients, the "customer first" mindset is conveniently forgotten. This has to change. There must be a different motivation for doing things, and above all for not doing things. So no more focus on... shareholder value. High budgets that are tied to extra salary in the form of bonuses. But this has to come from the top. So the board and the supervisory directors must set the right example. They determine the direction of the bank. People are greedy and this behaviour is still encouraged. But doing nothing is not good either. So it is a very modest start.

A task for the board

This start must go hand in hand with the governance of the banks (or companies). Boards must set budgets and hand out bonuses when colleagues first help each other and then the clients. The board must start by providing a safe working environment in which it is made clear that work will or may change, but that nobody will be dismissed. That managers stand up for their department (their people) and do not side with their bosses out of fear. Make sure that the department is a well-oiled machine with a shared interest at its centre and not individual interest. Resist "knowledge is power" and political behaviour. Together we stand for our club and we look after each other. That comes first. It may sound soft, but it is not. When people feel safe they give blood, sweat and tears, you have little absenteeism and everyone feels good. People work harder, and so you automatically get more and better results and a lot of loyalty to each other and to the company. People are then proud of where they work. If there is fear or insecurity, people work for their money and from 9 to 5, with little or no loyalty.
Without political behaviour, and when people look after each other first and feel safe, they will automatically look after the clients. Selling is a transfer of trust. And this starts at the top of the organisation.

Opinion

So what do I think of it? Directors of currency trading firms: shame on you for creating the environment in which the human urge of greed becomes more important than colleagues and clients. You must start by setting the right example. Let this be a start, but above all with the directors. I have always had discussions about sitting too much in the client's chair. I am proud of that to this day. That is who I am. And that is how I will always be. That is called empathy, and it creates trust. "Practice what you preach", not only on paper in mission and vision statements but in behaviour. Always! If necessary temporarily at the expense of profit, never at the expense of people. Then things will turn out fine with the shareholders too.

Erna Erkens

Owner at Erna Erkens Valuta Advies (EEVA)

Other articles by this author:

Currency developments and interest rates – Expectations for 2017

Currency movements of the Euro, British Pound and US Dollar: Always turmoil on the markets

 

MIFID II – a short excursion into the MIFID landscape

| 10-5-2017 | treasuryXL |

MIFID II – you read about it frequently. And there are more abbreviations: you will also find MIFIR and MIFID I.  As a banker you will know what we are talking about.  As a treasurer or financial professional you are supposed to understand what MIFID II will bring you. We think it is time to zoom in on this subject and present a short summary.

MIFID

MIFID, short for "Markets in Financial Instruments Directive" (2004/39/EC) and applicable since November 2007, has been a cornerstone of the EU's regulation of financial markets since then. It aims to improve the competitiveness of EU financial markets by creating a single market for investment services and activities, and to ensure a high degree of harmonised protection for investors in financial instruments.

MIFID, or MIFID I, set out the conduct of business and organisational requirements for investment firms, authorisation requirements for regulated markets, regulatory reporting to avoid market abuse, trade transparency obligations for shares, and rules on the admission of financial instruments to trading.

MIFIR

MIFIR, short for Markets in Financial Instruments Regulation, is more than a directive. As an EU regulation it is directly applicable law in every member state and does not need to be transposed into national legislation: the member states have to comply with it as written. Its aim is to protect end consumers and markets. It unifies, for example, transaction reporting and ensures that the reporting format is consistent across the EU.

The Markets in Financial Instruments Regulation and the Directive on Markets in Financial Instruments repealing Directive 2004/39/EC, commonly referred to as MiFID II and MiFIR, were adopted by the European Parliament on 15 April 2014, after heavy discussions that lasted more than two years.

MIFID II

MIFID II and MIFIR are building on the rules of MIFID I, already in place. The new rules are designed to take into account developments in the trading environment since the implementation of MiFID in 2007 and, in light of the financial crisis, to improve the functioning of financial markets making them more efficient, resilient and transparent.

MIFID II must be transposed into the national laws of the member states by 3 July 2017 and will apply within the member states from 3 January 2018.
(Source: European Securities and Markets Authority (ESMA))

MIFIR reporting list

Implementing MIFID II and MIFIR will be a real challenge, as it brings enormous complexity for enterprises throughout the industry in terms of generating, collecting and processing financial data. We found a MIFIR reporting list, published by the London Stock Exchange Group, which is applicable not only in the United Kingdom.

In short, they propose the following steps to put firms in the best possible position for the MiFIR reporting go-live:

  • Prepare your data for the wider scope of MIFID II with a project tool that allows you not only to find data but also to access it
  • Know what you are doing about data protection
  • Select your ARM (Approved Reporting Mechanism) and APA (Approved Publication Arrangement)
  • Identify which transactions to report by sourcing a reliable list of instruments that are eligible for MiFIR transaction reporting
  • Train your staff
  • Reconcile your data with the help of an ARM
  • Implement appropriate governance –  ensure best practice in effectiveness and appropriate accountability.
  • Give management business insight

More details can be found in the MIFIR reporting list of the London Stock Exchange Group.

There is little time left until the implementation, still much to do in the industry and it will involve considerable human resources and IT costs. The trading landscape will change significantly.

 

Annette Gillhart – Community Manager treasuryXL


Regulatory demands: compliance required!

| 20-4-2017 | Olivier Werlingshoff | Sponsored content |

 

Complying with regulatory demands is a must, and banks know it. In practice, however, the majority still can’t manage to meet all requirements. Manual solutions prove to be insufficient and important rules are often overlooked. But how does one ensure that all regulatory demands are complied with?

Facilitating screening

Today, most banks offer apps that customers can use for online banking purposes, such as opening an account. However, there are two important aspects when onboarding a customer. First, you need to have adequate controls and procedures in place to know the customer with whom you are dealing. Adequate due diligence on new and existing customers is a key part of these controls, and can be done using specialised software that is linked to the various sanction lists. Second, all customer transactions should be monitored. This takes two forms: AML transaction monitoring, which is done after the settlement of a transaction, and live transaction screening, which happens in real time. The moment a payment is made, and before the beneficiary bank receives it, the sanction lists are scanned instantly to check whether there is a hit or not. This is done for every transaction, ensuring that the regulatory demands are met.
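An added example, not Proferus software or any vendor's product, of what "live transaction screening" involves at its simplest: every party name on a payment is normalised (case, diacritics, punctuation, legal-form suffixes, token order) and compared fuzzily with the names and aliases on a sanction list, and the payment is held for review when any party scores above a threshold. The sanction list, the names on it, the threshold and the difflib-based similarity measure are constructed assumptions; production systems use dedicated matching engines and regularly refreshed official lists.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sanction list: ids, names and aliases are fictitious.
SANCTION_LIST = [
    {"id": "SL-0001", "name": "Jean-Luc Moreau", "aliases": ["J.L. Moreau", "Moreau, Jean Luc"]},
    {"id": "SL-0002", "name": "Aurelio Peñaranda", "aliases": ["Aurelio Penaranda"]},
    {"id": "SL-0003", "name": "Northbridge Trading Co", "aliases": ["Northbridge Trading Company Ltd"]},
]

# Legal-form words that carry no identity and only lower the similarity score.
STOPWORDS = {"ltd", "co", "company", "inc", "llc", "sa", "nv", "bv"}


def normalise(name):
    """Lower-case, strip diacritics and punctuation, drop legal-form words, sort tokens.

    Sorting the tokens makes "Moreau, Jean Luc" and "Jean-Luc Moreau" identical,
    which is the most common way a name is written differently on a payment.
    """
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_text.lower())
    return " ".join(sorted(t for t in tokens if t not in STOPWORDS))


def similarity(a, b):
    """0.0 .. 1.0 similarity of two names after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen_name(name, threshold=0.85):
    """Return (list id, score) for every list entry whose name or alias scores >= threshold."""
    hits = []
    for entry in SANCTION_LIST:
        candidates = [entry["name"], *entry["aliases"]]
        best = max(similarity(name, c) for c in candidates)
        if best >= threshold:
            hits.append((entry["id"], round(best, 2)))
    return sorted(hits, key=lambda h: -h[1])


def screen_transaction(tx, threshold=0.85):
    """Screen every party of a payment before it is released.

    Returns ("RELEASE", {}) or ("HOLD", {field: hits}) so the caller can park the
    payment for a compliance officer instead of settling it.
    """
    hits = {}
    for field in ("payer", "payee"):
        found = screen_name(tx[field], threshold)
        if found:
            hits[field] = found
    return ("HOLD" if hits else "RELEASE"), hits


if __name__ == "__main__":
    # Constructed payment messages.
    for tx in (
        {"payer": "Acme Logistics BV", "payee": "Northbridge Trading Company Ltd", "amount": "12000.00"},
        {"payer": "Acme Logistics BV", "payee": "J. L. Moreau", "amount": "350.00"},
        {"payer": "Acme Logistics BV", "payee": "Maria Moreau", "amount": "80.00"},
    ):
        print(tx["payee"], "->", screen_transaction(tx))
```

The normalisation is where most of the value (and most of the false positives) comes from: without stripping diacritics, "Peñaranda" and "Penaranda" do not match at all; without dropping legal-form suffixes, a company name with "Ltd" appended scores noticeably lower. The threshold is a tuning decision that belongs to compliance, not to the developer, and a held payment must always end in a documented human decision.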

Compliance: points of attention

Some banks still don’t comply with regulatory demands. They merely check sanction lists for the customer’s name – often manually –, which is by no means sufficient! For example, one should also verify whether the customer’s name appears in any media or lawsuits, and a customer’s partner needs to be checked as well. So what you need is a comprehensive solution that takes all these different aspects into account.

Implementing a solution

Proferus helps banks and corporates opt for a proper automated solution based on the demands involved. We assist in choosing the right software and support teams that have to learn to work with it. Basically, we help them in two respects: we provide consultancy – by conducting business analyses – and we implement the technical solution!


Olivier Werlingshoff

Managing Consultant at Proferus

Blockchain regulation in the securities industry: Still many unanswered questions!

| 24-3-2017 | Carlo de Meijer |

One of the obstacles to massive adoption of blockchain technology is the lack of clarity from regulators. Regulators world-wide have long taken a wait-and-see attitude towards blockchain and distributed ledger technology (DLT) (see my blog "Blockchain and Regulation: do not stifle ....", 4 April 2016). But that is changing. Regulators across the globe have turned their attention to the subject and are now considering how existing regulations may (or may not!) accommodate the development of new distributed ledger technologies. This growing interest shows that regulators in the securities industry are taking seriously that blockchain is becoming a reality, and that this calls for a closer look at the technology.

Since the start of 2017 a number of regulatory organisations including ESMA (EU), FINRA (US) and IOSCO (Global) have launched reports asking for answers to meet the various challenges of blockchain or distributed ledger technology in the securities industry.

“Regulators prepare to address perceived weaknesses or potential risks relating to blockchains in their regulatory frameworks, and be ready to voice any concerns to, or discuss potential DLT benefits with the relevant authorities”.   

What have regulators been doing up till now

To keep pace with the developments in the DLT space, some regulators have already established dedicated Fintech offices, contact points and hubs. Others have launched regulatory sandbox frameworks that enable innovators to experiment with Fintech solutions for financial services (see my blog "Blockchain: playing in the Sandbox", 7 September 2016). And there are regulators that have set up labs and accelerator programmes to explore how new technologies, including DLT, can help them better achieve their regulatory objectives.

To give some examples:

  • Regulators, such as the US Commodity Futures Trading Commission (CFTC) and the US Securities Exchange Commission (SEC), have attempted to incorporate DLT innovations into existing legal and regulatory frameworks. Also, the French Parliament last June approved a law that lets some securities vouchers be issued and exchanged on a DLT.
  • Others, such as the UK Financial Conduct Authority (FCA), the Swiss Financial Market Supervisory Authority (FINMA), and the Monetary Authority of Singapore (MAS), have created regulatory sandboxes for companies utilizing innovative technologies.

But, as FINRA, ESMA and IOSCO all note in their recent reports, integrating novel DLT products into existing regulatory regimes may prove challenging as DLT continues to develop.

FINRA Report

Early January this year, the US Financial Industry Regulatory Authority (FINRA) published a report titled "Distributed Ledger Technology: Implications for the Securities Industry". Although structured only as a "request for comments", the FINRA report provides an overview of DLT, highlights applications and gives a detailed review of how blockchain technology may impact existing securities regulations affecting dealers and marketplaces.

The report thereby gives a clear picture of the many regulatory considerations for broker-dealers that (it says) "market participants may want to consider", and that regulators will want to have worked out before such infant technologies can be allowed to leave their sandboxes.
US regulatory considerations include issues such as governance, operational structure, network security, customer data privacy, trade and order reporting requirements, supervision and surveillance, fees and commissions, customer confirmations and account statements, and business continuity planning.

This report is intended to be an “initial contribution to an ongoing dialogue with market participants” about the use of DLT in the securities industry. Accordingly, FINRA is requesting comments from all interested parties regarding all of the areas covered by this paper.

“FINRA welcomes an open dialogue with market participants to help proactively identify and address any potential risks or hurdles in order to tap into the full potential of DLT, while maintaining the core principles of investor protection and market integrity”. FINRA Report

  • More questions than answers!

The FINRA report doesn’t provide specific guidance for many questions, but it does represent something of a practical checklist of issues that will need to be addressed by regulated securities businesses considering implementing DLT networks more broadly.

To give an idea of the many questions raised:
How would the governance structure be determined? Who would be responsible for the business continuity plan, addressing conflicts of interest? How would errors or omissions on the blockchain be rectified? What type of access will be provided to regulators? In the event of fraud, who covers the cost? How will regulated entities deal with DLT transactions? Who is the custodian? Does the DLT network itself affect the market risk or liquidity of the digital asset? How is access to the data controlled? Which entities are playing what roles. Would dealers become clearing agencies? How is customer information updated for changes? How is the process supervised and tested? And many, many more!!

  • Possible implications for existing US regulation

Many FINRA rules, as well as some rules implemented by other regulators, such as the Securities and Exchange Commission (SEC), that FINRA is responsible for examining or enforcing with respect to broker-dealers, are potentially implicated by various DLT applications.
For example, a DLT application that seeks to alter clearing arrangements or serve as a source of recordkeeping by broker-dealers may implicate FINRA’s rules related to carrying agreements and books and records requirements. The use of DLT may also have implications for trade and order reporting requirements to the extent it seeks to alter the equity or debt trading process.

Other FINRA rules, such as those related to financial condition, verification of assets, anti-money laundering, know-your-customer, supervision and surveillance, fees and commissions, payment to unregistered persons, customer confirmations, materiality impact on business operations, and business continuity plans, may also be impacted depending on the nature of the DLT application.
The head of the US Commodity Futures Trading Commission (CFTC), Christopher Giancarlo, recently said that US fintech policy should take a “do no harm” approach. He added that US regulators should coordinate to “avoid stifling innovation”.

ESMA Report

Early February 2017, the European Securities and Markets Authority (ESMA) published a report regarding distributed ledger technology (DLT). In this report, named “The Distributed Ledger Technology Applied to Securities Markets”, ESMA summarizes its position on DLT, with a note that it will continue to monitor this “dynamic” technology and consider whether a regulatory response may become a necessity. It sets out ESMA’s views on DLT, its potential applications, benefits, risks and how it maps to existing EU regulation.
ESMA concluded that regulatory action is premature at this stage, but may not be in the longer term. The report anticipates that early applications of DLT will focus on optimising processes under the current market structure, particularly less automated processes in low volume market segments.

ESMA “has not identified any major impediments in the current European Union regulatory framework that would need to be addressed in the short term to allow for the first applications of DLT to securities markets to emerge in a scenario where DLT would be used to optimise processes within the current market structure”.

Longer term, and based on industry responses to the discussion paper, ESMA in its report notes the potential of the technology to support clearing and settlement activities. Potential risks outlined in the report include cyber-attacks, fraudulent activity, operational risk if errors are disseminated, fair competition issues, and market volatility.

Also ESMA “appreciates that broader legal issues, such as securities ownership, company law, insolvency law or competition/antitrust law may have an impact on the deployment of DLT”.

IOSCO Report

The “IOSCO Research Report on Financial Technology”, also published in February this year by the International Organization of Securities Commissions (IOSCO), highlights the increasingly important intersection between financial technology (Fintech) and securities market regulation. It describes a variety of innovative business models and emerging technologies that are transforming the securities industry including the application of the blockchain technology and shared ledgers.

  • Risk assessment

The IOSCO report analyses both the opportunities and risks that these new technologies present to investors, securities markets and their regulators. Though the risks differ depending on the technology, certain risks are recurring across the Fintech sector, such as those arising from unlicensed cross-border activity, programming errors in the algorithms that underlie automation, breaches in cyber security, and the failure of investors to understand financial products and services. Another risk is the failure of financial firms to “know-the-client” for reasons of anti-money laundering and fraud control.

“Financial technology regulators may need to develop “highly automated” surveillance and hire technology experts if they want to closely monitor risks posed by blockchain and other distributed ledger technologies” IOSCO Report

  • Cross border challenge

And there is the cross-border challenge. While tech firms operate globally, regulation is conducted largely within national or sub-national borders. The local nature of regulation may create challenges regarding cross-border supervision and enforcement, whereas regulatory inconsistency across jurisdictions increases the potential for regulatory arbitrage.

“The global nature of Fintech therefore creates challenges that regulators should address through international cooperation and the exchange of information”, according to the report.

DLT and blockchain Regulation: not today!

Regulation of blockchain and distributed ledger technology in the securities industry is not to be expected short term. There are still more questions than answers. Before regulators will be able to address the various issues raised, they must better understand their impact. And that takes time. It is in the securities industry’s interest that they remain in an ongoing dialogue with regulators to get the best of both worlds.

 

Carlo de Meijer

Economist and researcher

 

 

 


 

Treasury and regulations: A changing environment

| 15-2-2017 | Theo Paardekoper |

Companies need to comply with the regulatory framework of their industry. For the treasury department, however, the applicable regulatory framework is essentially that of the financial industry, not that of the company’s own industry. Because regulations in the financial industry are changing, it is important for the treasurer to stay up to date.

Regulations

Important regulations and rulings for treasurers are EMIR, MIFID and MIFID II/MIFIR.

Other regulations that apply to the financial industry, like UCITS and AIFM (regulations for investment funds) and the CRD rules (Capital Requirements Directive, resulting from Basel III), do not affect corporate treasury directly, but their side effects can influence the pricing and product offering of financial institutions.

Anti-Money Laundering regulations (MOT-melding in the Netherlands) are not only applicable to banks. Corporates are also obliged to report these transactions to the Financial Intelligence Unit of the Dutch Tax authorities.
The regulations mentioned above are all linked to the European regulatory framework and apply in addition to local laws, like the Wft (Wet op het financieel toezicht) in the Netherlands.

EMIR (= European Market Infrastructure Regulation)

This regulation has been in force since August 2012 and was initiated after the Lehman Brothers bankruptcy in 2008. The main goal of EMIR is to improve the transparency of the OTC market and to create a clear overview of all derivative positions. This was one of the main problems that became clear after the Lehman bankruptcy: it was very hard to get a view on the derivative positions and risk of a counterparty. EMIR also introduced a solid clearing member (the CCP) and trade repositories with which you register your OTC derivatives. To register your positions, an LEI (Legal Entity Identifier) can be obtained at the Chamber of Commerce.
EMIR is not (yet) applicable to small pension funds.

MIFID (= Markets In  Financial Instruments Derivatives)

The main objective of MIFID is to increase competition in the investment industry and to protect consumers. The well-known 40/20/2 rule to define a professional or non-professional counterparty is one of the items that protect consumers and force financial institutions into a duty of care. One of the results is a direct view on the mark-to-market pricing of the company’s derivatives and the monitoring of margin call obligations.
The classification based on knowledge is also an important item and can be part of the discussion during a lawsuit.
MIFID increased the number of trades in the OTC market, which caused a more fragmented view on market pricing. Financial institutions are forced to provide the 5 best quotes in the market to their clients.

MIFID II

In January 2018 this new set of regulations becomes applicable. MIFID II makes the MIFID regulations also applicable to commodity and CO2-rights traders. Market data suppliers must also be registered to comply with MIFID II. Structured deposits (where the return is not interest-based but linked to another rate, such as EUR/USD or the oil price) will also fall under the scope of MIFID. The revised classifications under MIFID II classify local governmental entities as non-professionals. Health institutions, governmental education and housing associations are not clearly excluded as non-professionals.

 

MIFID II will mainly “change the game” for manufacturers and distributors of financial services, but these regulations will give corporates more tools in case of a conflict about a trade. The negative side effect of new regulations is that market pricing will increase, because higher entry barriers in the market reduce competition.
Any action required for a corporate treasurer?

It is up to your bank to comply with MIFID II. So I would say “no”. The bank will inform you with new legal documentation and product information in the near future.

Theo Paardekoper 

Independent treasury specialist

 

 

 

 

 


PSD 2 : The implementation of PSD 2: a lot of opportunities but also big challenges – Part II

| 1-2-2017 |  François de Witte |

After having examined the detailed measures of the PSD2 in my first article, in the 2nd part we will examine the impact of PSD 2 on the market. In order to help you read the text we will once more start with a list of abbreviations.

 

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

2FA: Two-factor authentication
AISP: Account Information Service Provider
API: Application Programming Interface
ASPSP: Account Servicing Payment Service Provider
EBA: European Banking Authority
PISP: Payment Initiation Service Provider
PSD1: Payment Services Directive 2007/64/EC
PSD2: Revised Payment Services Directive (EU) 2015/2366
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Regulatory Technical Standards (to be issued by the EBA)
SCA: Strong Customer Authentication
TPP: Third Party Provider

Impact on the market

A major implementation journey:

The ASPSP (mostly banks) will have to make large investments in order to comply with the PSD2, in the following fields:

  • Implementing the infrastructure that applies the PSD2 scheme to transactions in all currencies within the EU/EEA area, and to the one-leg transactions.
  • Ensuring that they can respond to requests for payment initiation and account information from authorized and registered TPPs (third party providers) who have received the explicit consent of their customer for this. They will have to develop interfaces that enable third party developers to build applications and services around a bank. Internal banking IT systems might need to be able to cope with huge volumes of requests for information and transactions, more than they were originally designed for.
  • Ensuring their security meets the requirements of the SCA (strong customer authentication). This will be a big challenge both for the banks and for the other payment service providers.

PSD2 will make significant demands on the IT infrastructures of banks. On the one hand the IT infrastructure has to be able to interact with applications developed by the TPPs (PISP and AISP). On the other hand, banks have to develop their systems in such a way that they don’t have to do this from scratch every time a TPP approaches them. This will require a very flexible IT architecture. The banks have to have a middleware that can be used by their internal systems, but also by the applications of the PSPs.

Although PSD2 does not specifically mention the API (Application Programming Interfaces),  most technology and finance professionals assume that APIs will be the technological standard used to allow banks to comply with the regulation.

An API is a set of commands, routines, protocols and tools which can be used to develop interfacing programs. APIs define how different applications communicate with each other, making available certain data from a particular program in a way that enables other applications to use that data. Through an API, a third party application can make a request with standardized input towards another application and get that second application to perform an operation and deliver a standardized output back to the first application. For example, approved third parties can access your payment account information if mandated by the user and initiate payment transfer directly.

In this framework, the real challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this. The EBA (European Banking Authority) will develop RTS (Regulatory Technical Standards) with more detailed requirements regarding the interface between ASPSPs and TPPs. While these are expected to be published early 2017, based on the EBA’s recent draft RTS, the question is whether they will define the interface’s technical specifications.

Emergence of new players and business models

By integrating the role of new third party payment service providers (TPPs) such as the PISP and the AISP, the PSD2 creates a level playing field in the market. Several market experts expect that this will foster innovation and create new services. For this reason PSD2 should increase competition.

This might lead to a unique open race between traditional players, such as the banks and newcomers for new services and a possible disintermediation of banking services, as illustrated in the figure down below:

Source: Catalyst or threat? The strategic implications of PSD2 for Europe’s banks, by Jörg Sandrock, Alexandra Firnges – http://www.strategyand.pwc.com/reports/catalyst-or-threat

PSD2 is likely to give a boost to the ongoing innovation boom and bring customers more user-friendly services through digital integration. One can expect that the automation, efficiency and competition will also keep the service pricing reasonable. PSD2 will foster improved service offerings to all customer types, especially those operating in the e-commerce area for payment collection. It will enable a simpler management of accounts and transactions. New offerings may also provide deeper integration of ERP functions with financial services, including of their multibank account details under a single portal, and smart dashboards.

PSD2 also enables a simplified processing chain in which the card network can be disintermediated. The payment can be initiated by the PISP directly from the customer’s bank account through an interface with the ASPSP. In this scheme, all interchange fees and acquirer fees, as well as all the fees received by the processor and card network, could be avoided. The market expects that new PISPs will be able to partly replace the transactions of the classic card schemes. A large internet retailer could, for example, ask consumers for permission for direct account access for payment, and could offer incentives to encourage customers to do so. Once permission is granted, the third parties could bypass existing card schemes and push payments directly to their own accounts.

On the reporting side, the AISP can aggregate consumer financial data and provide consumers with direct money management services. They can be used as a multi-bank online banking channel. One can easily imagine that these services will be able to disintermediate existing financial services providers by identifying consumer requirements and directly offering them additional products, such as loans and mortgages.

For banks, PSD2 is a compliance subject, but also an opportunity to develop their next generation digital strategy. New TPPs can contribute their innovative service offerings and their agility in adopting new technologies, enabling the creation of winning payments propositions for the customer. In turn, traditional players like banks can bring their large customer bases, their reach and credibility. Banks also have broad and deep proven data handling and holding capabilities. This can create winning payments propositions for the customer, the bank and the TPP.

Banks will have to decide whether to merely stick to a compliance approach, or to leverage PSD2 to develop these new services. The second approach will require them to leave behind the rigid legacy structures and to change their mindset to ensure quicker adaptation to the dynamic customer and market conditions. A first mover strategy can prove to be beneficial. Consumers and businesses will be confronted with the increased complexity linked to the multitude of disparate offerings. There too, the incumbent banks who develop new services can bring added value as trusted partners.

Essentially, PSD2 drives down the barriers to entry for new competitors in the banking industry and gives new service providers the potential to attack the banks and disintermediate in one of their primary customer contact points. New players backed by strong investors are ready to give incumbents a serious run for their business. This is an important battle that the incumbent banks are not willing to lose.

The biggest potential benefits will be for the customers, who can access new value propositions, services and solutions that result from banks and new entrants combining their individual strengths or from banks becoming more innovative in the face of increased competition. Market experts also foresee an increased use of online shopping and e-procurement.

Several challenges to overcome

The PSD2 will be transposed in the national legal system of all the member countries. The involved market participants will have to examine the local legislation of their country of incorporation, as there might be some country-based deviations.

The authentication procedure is also an important hot topic. PISPs and AISPs can rely on the authentication procedures provided by the ASPSP (e.g. the banks)  to the customer but there are customer protection rules in place. Hence, they must ensure that the personalized security credentials are not shared with other parties. They also may not store sensitive payment data, and they are obliged to identify themselves to the ASPSP each time a payment is initiated or data is exchanged.

ASPSPs are required under PSD2 to treat payment orders and data requests transmitted via a PISP or AISP “without any discrimination other than for objective reasons”. A practical consequence for credit institutions will be that they must carry out risk assessments prior to granting payment institutions access, taking into account settlement risk, operational risk and business risk. One of the main issues is the handling of the customer’s bank credentials by third party payment service providers. The bank needs to be able to perform strong authentication to ensure that the authorized account user is behind the initiation message.

There are concerns about security aspects related to PSD2. An example hereof is the secure authentication. All the PSPs will have to ensure that they can demonstrate compliance with the new security requirements. How will it be achieved and monitored? How will TPPs interact with banks, since there is no need for a contract to be signed?

If something does not work correctly, there will also be discussions on the liability side. The PSD2 states that the TPP has to reimburse customers quickly enough that they are not bearing undue risk, but one will have to determine which TPP had the problem and work with them to resolve it. This will require further clarifications from the regulators.

In addition, PISPs and AISPs are vulnerable to potential fraud. Web and mobile applications could become easy targets for cybercriminals for various reasons, including the inherent vulnerabilities in the APIs that transfer data and communicate with back-end systems. The openness of the web could allow hackers to view source code and data and learn how to attack it. APIs have been compromised in several high-profile attacks that have caused significant losses and embarrassment for well-known players and their customers. The PSD2 ‘access to account’ not only increases the number of APIs, but adds layers of complexity to the online banking/payments environment, adding to the risk of fraudulent attacks.

The market is waiting for the RTS (Regulatory Technical Standards) to give guidance on how some remaining security issues will be solved. These include:

  • Treatment of the PSU’s (payment service user) security credentials
  • Requirements for secure communication between the PSP and banks
  • Full details and definition of strong authentication
  • Safety of the PSU funds and personal data
  • Availability of license registry for real-time identification of the PSP (PISP or AISP)

It is important that the required clarifications are published soon, in order to avoid a time lag between the implementation of PSD 2 in the national legislations and the real move in the market.

Conclusion

The PSD2 creates challenges, such as the huge investments to be made by the banks, compliance issues and protection against fraud and cybercrime. However several topics need to be clarified such as the RTS and the market players need also to agree on common standards for the interfaces. The clock is ticking in the PSD race.

Traditional players such as the banks appear to have a competitive disadvantage vis-à-vis the new emerging third party payment service providers. However, the Directive opens up new forms of a collaborative approach that can overcome this. New players can provide their innovation and resilience, whilst banks can add value thanks to their large customer base, credibility, reach and ability to cope with high volumes.

The biggest potential benefits might be for customers, who will benefit from new value propositions, services and solutions from new entrants, from banks and new entrants combining their individual strengths, or from banks becoming more innovative in the face of increased and agile competition.

François de Witte – Senior Consultant at FDW Consult


PSD 2: a lot of opportunities but also big challenges (Part I)

| 26-1-2017 | François de Witte |

The Directive 2015/2366 on payment services in the internal market (hereinafter PSD2) was adopted by the European Parliament on October 8, 2015, and by the European Union (EU) Council of Ministers on November 16, 2015. The PSD2 updates the first EU Payment Services Directive published in 2007 (PSD1), which laid the legal foundation for the creation of an EU-wide single market for payments. PSD2 came into force on January 13, 2016, and is applicable from January 13, 2018 onwards.

By that date the member states must have adopted and published the measures necessary to implement it into their national law.

PSD 2

PSD2 will cause important changes in the market and requires thorough preparation. In this article, we summarize the measures and highlight the impact on the market participants. In today’s Part I we will focus on abbreviations and the main measures introduced by PSD2.

List of abbreviations used in this article

2FA: Two-factor authentication
AISP: Account Information Service Provider
API: Application Programming Interface
ASPSP: Account Servicing Payment Service Provider
EBA: European Banking Authority
EBF: European Banking Federation
EEA: European Economic Area
PISP: Payment Initiation Service Provider
PSD1: Payment Services Directive 2007/64/EC
PSD2: Revised Payment Services Directive (EU) 2015/2366
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Regulatory Technical Standards (to be issued by the EBA)
SCA: Strong Customer Authentication
TPP: Third Party Provider

Main Measures introduced by PSD2:

The  PSD2 expands the reach of PSD1, to the following payments:

  • Payments in all currencies (beyond EU/EEA), provided that both PSPs (Payment Service Providers) are located in the EU/EEA (two-leg transactions)
  • Payments where at least one PSP (and not both anymore)  is located within EU borders for the part of the payment transaction carried out in the EU/EEA (one leg transactions)

A second important measure is the creation of the Third Party Providers (TPP). One of the main aims of the PSD2 is to encourage new players to enter the payment market and to provide their services to the PSU (Payment Service Users). To this end, it creates the obligation for the ASPSP (Account Servicing Payment Service Provider – mainly the banks) to “open up the bank account” to external parties, the so-called, third-party account access. These TPP (Third Party Providers) are divided in two types:

  • AISP (Account Information Service Provider): In order to be authorized, an AISP is required to hold professional indemnity insurance and be registered by their member state and by the EBA. There is no requirement for any initial capital or own funds. The EBA (European Banking Authority) will publish guidelines on conditions to be included in the indemnity insurance (e.g. the minimum sum to be insured), although it is as yet unknown what further conditions insurers will impose.

  • PISP (Payment Initiation Service Provider): PISPs are players that can initiate payment transactions. This is an important change, as currently there are not many payment options that can take money from one’s account and send them elsewhere. The minimum requirements for authorization as a PISP are significantly higher. In addition to being registered, a PISP must also be licensed by the competent authority, and it must have an initial and on-going minimum capital of EUR 50,000.

Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. However, payment initiation service providers will only be able to receive information from the payer’s bank on the availability of the funds on the account which results in a simple yes or no answer before initiating the payment, with the explicit consent of the payer. Account information service providers will only receive the information explicitly consented by the payer and only to the extent the information is necessary for the service provided to the payer. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.

Source: PA Perspectives on Nordic Financial Services
http://www.paconsulting.com/our-thinking/perspectives-on-nordic-financial-services.

A third important change is the obligation for the Payment Service Providers to apply SCA (Strong Customer Authentication) for electronic payment transactions, based on at least 2 different sources (2FA: Two-factor authentication):

  • Something which only the client knows (e.g. password)
  • A device (e.g. card reader, authentication code generating device, token)
  • Inherence (e.g. fingerprint or voice recognition)

 

The EBA (European Banking Authority) will provide further guidance on this notion at a later stage. It remains to be seen whether the current bank card with PIN code is sufficient to qualify as “strong customer authentication”. This “strong customer authentication” needs to take place with every payment transaction. The EBA will also be able to provide exemptions based on the risk/amount/recurrence/payment channel involved in the payment service (e.g. for paying the toll on the motorway or for parking).
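The following Python sketch is an added illustration written for this archive page; it is not code from the article, from any bank, from the EBA or from a real API standard. It models, in one place, the access rules the two PSD2 articles above describe: the TPP identifies itself against a licence registry on every request, an AISP receives only the fields the PSU has explicitly consented to, a PISP receives only a yes/no answer on funds availability (never the balance), and a payment is executed only after SCA based on two factors from two different categories (here a knowledge factor plus a possession factor, the latter checked as an RFC 4226 HOTP code such as a token would generate). The registry entries, IBAN, consents, balance and token secret are all constructed sample values.

```python
"""Toy ASPSP (bank) access layer under PSD2 third-party access.
Constructed example for this page, not code from the article, a bank or the
EBA standards; registry, consents, account data and secrets are hypothetical."""
import hashlib
import hmac
import struct
from enum import Enum


class Role(Enum):
    AISP = "AISP"  # may only read consented account information
    PISP = "PISP"  # may only check funds availability and initiate payments


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the client knows, e.g. a password
    POSSESSION = "possession"  # a device, e.g. card reader or OTP token
    INHERENCE = "inherence"    # e.g. fingerprint or voice recognition


class AccessDenied(Exception):
    pass


# Hypothetical licence registry, consulted to identify the TPP on every request.
TPP_REGISTRY = {"tpp-aisp-001": Role.AISP, "tpp-pisp-001": Role.PISP}
# Constructed sample account; the balance is known only to the ASPSP.
ACCOUNTS = {"BE00-SAMPLE-IBAN": {"owner": "psu-42", "balance": 250.0,
                                 "transactions": [{"date": "2017-01-10", "amount": -19.99}]}}
# Explicit PSU consents: (tpp_id, iban) -> permitted fields or operations.
CONSENTS = {("tpp-aisp-001", "BE00-SAMPLE-IBAN"): {"balance", "transactions"},
            ("tpp-pisp-001", "BE00-SAMPLE-IBAN"): {"initiate_payment"}}


def identify_tpp(tpp_id: str) -> Role:
    """A TPP must identify itself each time; unregistered ids are refused."""
    role = TPP_REGISTRY.get(tpp_id)
    if role is None:
        raise AccessDenied(f"unregistered TPP {tpp_id!r}")
    return role


def consent_scope(tpp_id: str, iban: str) -> set:
    """Return what the PSU explicitly consented to for this TPP and account."""
    scope = CONSENTS.get((tpp_id, iban))
    if scope is None:
        raise AccessDenied("no explicit PSU consent for this TPP and account")
    return scope


def account_information(tpp_id: str, iban: str, requested: set) -> dict:
    """AISP path: hand back only the fields covered by the consent scope."""
    if identify_tpp(tpp_id) is not Role.AISP:
        raise AccessDenied("only an AISP may request account information")
    outside = requested - consent_scope(tpp_id, iban)
    if outside:
        raise AccessDenied(f"fields outside consent: {sorted(outside)}")
    return {field: ACCOUNTS[iban][field] for field in requested}


def funds_available(tpp_id: str, iban: str, amount: float) -> bool:
    """PISP path: a yes/no answer only, never the balance itself."""
    if identify_tpp(tpp_id) is not Role.PISP:
        raise AccessDenied("only a PISP may check funds availability")
    if "initiate_payment" not in consent_scope(tpp_id, iban):
        raise AccessDenied("PSU has not consented to payment initiation")
    return ACCOUNTS[iban]["balance"] >= amount


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code an authentication token would display."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_sca(factors: list) -> bool:
    """SCA: at least two verified factors from two *different* categories."""
    passed = {category for category, ok in factors if ok}
    return len(passed) >= 2


def initiate_payment(tpp_id: str, iban: str, amount: float, password_ok: bool,
                     token_secret: bytes, counter: int, otp: str) -> dict:
    """PISP initiates a payment; the ASPSP applies SCA before executing it."""
    if not funds_available(tpp_id, iban, amount):
        return {"status": "rejected", "reason": "insufficient funds"}
    factors = [(Factor.KNOWLEDGE, password_ok),
               (Factor.POSSESSION, hmac.compare_digest(hotp(token_secret, counter), otp))]
    if not verify_sca(factors):
        return {"status": "rejected", "reason": "SCA failed"}
    ACCOUNTS[iban]["balance"] -= amount
    return {"status": "accepted"}


def is_denied(fn, *args) -> bool:
    """True when the access layer refuses the call (handy for self-checks)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

Two design points are worth noting. The PISP path deliberately returns a boolean rather than the balance, so a compromised PISP learns nothing beyond what PSD2 allows it to learn; and `verify_sca` counts categories, not factors, so a password plus a second password does not pass. A real ASPSP would additionally bind the OTP to the transaction data (amount and payee), which this sketch omits.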

PSD2 also introduces some other measures:

  • Retailers will be authorized to ask consumers for permission to use their contact details, so as to receive the payment directly from the bank without intermediaries
  • There will be a ban on surcharges on card payments
  • There will be new limitations on the customer liability for unauthorized payment transactions

In a second article soon to be published on treasuryXL, François de Witte will focus on the impact PSD2 has on market participants. 

François de Witte – Senior Consultant at FDW Consult


New on treasuryXL: the Flex Treasurer

| 19-1-2017 | treasuryXL |

 

What is a Flex Treasurer?

Suppose you are the owner of, or work in, a small or medium-sized organisation that does not employ a treasurer or cash manager. You probably think there is no place for such a role within your organisation. But do not judge too quickly: SMEs also need professionals when it comes to treasury and cash management. Yet hiring someone is often a step too far.

We now offer you the possibility to hire a Flex Treasurer on an hourly basis, as a lump sum or on a subscription basis. With this service we do not want to become a substitute for the large treasury consultancy firms, but we are happy to offer support on questions that currently remain unanswered. You can put your question to us and we will put you in contact with the right expert, without obligation.

We have Flex Treasurers from various fields: risk, bank relations & technology, regulations, non-profit, financing, trade finance, cash management, SME & other areas.


 

The various services

Below is an overview of the services we offer in cooperation with the Flex Treasurers.

  • Financial instruments and derivatives
  • Treasury Quickscan
  • Treasury Coach

The offering is under development and more services will be added over time.

More information

Would you like to use one of the services offered, or do you have another question? Or would you like to join as a Flex Treasurer?

Pieter de Kiewit will be happy to help you.

Pieter de Kiewit[email protected]
06-11119783

 
