PSD 2 Summer 2018 Update

| 30-08-2018 | François de Witte | TreasuryXL |

In June 2018, I published a Spring Update on PSD2 (Payment Service Directive 2). Since then, things have moved, and hence I found it the right moment to update you on some developments in PSD2 and open banking.

Main updates on the regulatory framework

Several member states have experienced in the transposition of PSD2 in the national law. The status (28/8/2018) is as follows:

  • Full transposition measures communicated: Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Slovakia, Slovenia, Sweden, United Kingdom, Belgium, Luxembourg, Poland
  • Partial transposition measures communicated: Lithuania, Malta, Romania, Latvia
  • No transposition measures communicated: Croatia, Netherlands, Portugal, Spain

Source: https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en, as updated by information which I gathered.

The RTS (Regulatory Technical Standards) on SCA (strong customer authentication) and CSC (Common Secure open Standards of communication) will apply as from September 13, 2019, leaving 18 months to the payment industry to get ready for this new state of play. In the meantime, the EBA (European Banking Authority) published on 13/6/2018 its Opinion on the implementation of the RTS on SCA and CSC, as well as a Consultation Paper on Draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC).

The Contingency Measures require the ASPSP (Account Servicing Payment Service Provider) to provide a fallback mechanism, i.e. measures that restore access to the customer payment account in case the API is unavailable. Exemptions can be granted if all the following conditions are met:

  • The API meets the quality requirements defined in the RTS
  • The API has been successfully tested by the market
  • The API has been approved by the competent authority (in Belgium the NBB and in the Netherlands the DNB), which itself should have consulted the EBA, to ensure a consistency of quality criteria for APIs

This is a hot topic, as the cost of a fallback mechanism is quite high, and we expect that the ASPSPs will ask for exemptions.

Main challenges

Up to now, some banks have published their APIs (Application Programming Interfaces). We observe that banks remain slow in opening their APIs to TPPs (Third Party Providers), and this for various reasons, e.g. APIs are not yet ready technically, chicken and egg situation with other banks, etc. As a result, some API aggregators use screen scraping or reverse engineering to give the TPPs (including banks) access to the accounts held at the ASPSPs.

Furthermore, the standards are not yet harmonized throughout Europe. A few working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET.

Although the adoption of the RTS has provided a degree of market certainty, some articles are still open to interpretation.

The permissible methods of strong customer authentication remain unclear. One-time passcodes sent via SMS are not explicitly allowed or disallowed by the RTS. There is also debate about the dual factor requirement for such an authentication method. This is particularly the case if the mobile device to which the passcode is sent is already serving as an authentication factor. Would the consumer be required to have an additional device?

It also remains unclear if the exemptions for PISPs on low-value credit transfers (30 EUR and 100 EUR accumulated, up to five transactions) and contactless payments (50 EUR, 150 EUR accumulated, up to five transactions) must be counted together or separately per channel.
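The ambiguity above, shown as an added example that is not part of the original article: the same payment stream replayed once with separate counters per channel and once with a single shared counter. The thresholds are those quoted above; the class name, the channel labels, the rule that all three limits must hold, the reset after SCA and the payment list are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Thresholds quoted in the article: (per-payment cap, cumulative cap, max count).
LIMITS = {"remote": (30, 100, 5), "contactless": (50, 150, 5)}

# Constructed sample: one payer alternating between the two channels (EUR).
PAYMENTS = [("contactless", 45), ("remote", 25), ("contactless", 40),
            ("remote", 28), ("contactless", 30), ("remote", 20),
            ("contactless", 10)]


@dataclass
class ExemptionCounter:
    """Hypothetical tracker of exempted payments since the last SCA."""
    shared: bool  # True: one counter across channels; False: one per channel
    state: dict = field(default_factory=dict)  # key -> (cumulative EUR, count)

    def decide(self, channel, amount):
        """Return "EXEMPT" or "SCA" for one payment and update the counter."""
        per_tx, cum_cap, max_n = LIMITS[channel]
        key = "all" if self.shared else channel
        total, n = self.state.get(key, (0, 0))
        # Assumption: the exemption needs all three limits to hold.
        if amount <= per_tx and total + amount <= cum_cap and n < max_n:
            self.state[key] = (total + amount, n + 1)
            return "EXEMPT"
        # Assumption: a completed SCA restarts the counter it was checked against.
        self.state[key] = (0, 0)
        return "SCA"


def replay(shared):
    """Run the constructed payments under one interpretation."""
    counter = ExemptionCounter(shared=shared)
    return [counter.decide(ch, amt) for ch, amt in PAYMENTS]


def divergence():
    """Indexes where the two interpretations disagree."""
    pairs = zip(replay(shared=False), replay(shared=True))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


if __name__ == "__main__":
    print("per channel:", replay(shared=False))
    print("shared     :", replay(shared=True))
    print("differs at :", divergence())
```

With separate counters no payment in the sample triggers SCA; with a shared counter the fourth payment does, because the combined running total passes the 100 EUR cap.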

National competent authorities will have to balance the convenience, familiarity and inclusiveness of the method against its known vulnerabilities to certain types of attack.

There are also uncertainties about how what the EBA calls TRA (Transaction Risk Analysis) will work in practice. This risk-based approach exempts low-risk transactions from strong customer authentication, provided the Payment Service Provider's fraud levels stay within certain thresholds, set by value band.

Main opportunities

We increasingly see new business opportunities popping up. PSD2 allows the existing banks to source valuable partnerships pursuing multiple potential objectives. During my contacts in the market, I identified the following interesting use cases.

  1. Use cases to improve the consumer banking experience and increase customer control:
     • Offer new payment solutions based on smartphones and apps
     • Facilitate reloading of prepaid cards
  2. Increase customer attraction and retention:
     • Offer loyalty cards and potential gains based on actual spending
     • Offer tools for expense and budget control
  3. Retain clients with multiple banking relations:
     • Permit access to all banks’ information through a single user interface
     • Allow clients to deposit cash through TPP’s network
  4. Provide a complete asset overview:
     • Provide integrated view beyond PSD2
     • Give overview of all assets (real estate, crypto, cars…)
  5. Optimize internal processes:
     • Automate and enhance credit scoring based on data integration
     • Monitoring of loans – Early Warning signals in case of credit deterioration

Conclusion

The banks are slow in opening their APIs, and open banking is not taking off as quickly as expected. Market players also need to agree on common standards for the interfaces. However, the deadline of 14/9/2019 is approaching and there is no way back.

Open banking is a new way of approaching the delivery of financial services for customers, and as such, it requires a new way of thinking and new ways of working. However, I see many new opportunities and use cases.

For your information, there will be on 20/9/2018 in Brussels an interesting conference on “Recent Trends in Payments” organized by IFE. The conference will be chaired by Joan Carette, Partner at Osborne Clarke, with several prime speakers including Begoña Blanco Sánchez, Gert Heynderickx, Cédric Nève, Sébastien De Brouwer and myself. For more information, please go to www.ifebenelux.be/nl/opleiding/actualiteit/services-de-paiement-etat-des-lieux-et-nouvelles-tendances-betalingsdiensten-stand-van-zaken-en-nieuwe-trends.html.

I will also give a one-day training on the subject at Febelfin Academy on 21/11/2018. For more information, please go to: www.febelfin-academy.be/nl/opleidingen/detail/psd2-and-the-open-banking-architecture-addressing-.

 

François de Witte

Founder & Senior Consultant at FDW Consult

 

 

PSD2 Spring Update

| 18-06-2018 | François de Witte | TreasuryXL |

During the fall of 2017, I published a Summer Update on PSD2. Since then, a lot of things have moved, and hence I found it the right moment to update you on some developments in PSD2 and open banking.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

AISP: Account Information Service Provider
API: Application Programming Interface
ASPSP: Account Servicing Payment Service Provider
EBA: European Banking Authority
PISP: Payment Initiation Service Provider
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Regulatory Technical Standards
SCA: Strong Customer Authentication
TPP: Third Party Provider

Main updates on the regulatory framework

Several member states have experienced in the transposition of PSD2 in the national law. The current status (27/5/2018) is as follows:

• Full transposition measures communicated: Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Slovakia, Slovenia, Sweden, United Kingdom
• Partial transposition measures communicated: Belgium, Lithuania, Malta, Poland
• No transposition measures communicated: Croatia, Latvia, Luxembourg, Netherlands, Portugal, Romania, Spain

Source: https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en

The EC has launched an infringement proceeding against the states that did not transpose, or only partially transposed, PSD2 into their national law.

The Regulatory Technical Standards on strong customer authentication and secure open standards of communication were published on 13/3/2018 in the Official Journal of the European Union. They will apply as from September 13, 2019, leaving 18 months to the payment industry to get ready for this new state of play.

The EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. As of 13/9/2019, the existing practice of third party access without identification (at times referred to as ‘screen scraping’) will no longer be allowed. In order to address the concerns raised by a few respondents, the final RTS now also require that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.

The banks already need to prepare some steps from early 2019 onwards. The following timetable illustrates the deadlines:

The finalization of the RTS is an important milestone which will give banks and TPPs much more clarity and certainty on how to push forward their PSD2 compliance and strategic programs.

13/1/2018, the date of implementation of PSD2, turned out to be a non-event. Over one third of the member states failed to implement PSD2. Only very few banks had published their APIs. We observe that banks are much slower in opening up their APIs to TPPs, and this for various reasons, e.g. APIs are not yet ready technically, chicken and egg situation with other banks, etc. As a result, the API aggregators need to use screen scraping or reverse engineering to give the TPPs (including banks) access to the accounts held at the ASPSPs.

Furthermore, the standards are not yet harmonized throughout Europe. A number of working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET. Experts seem to agree that the Berlin Group Standard is the most elaborate one, as it incorporates the most relevant use cases and has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs. However, the UK Open Banking standards also provide interesting insights. The UK already has a much larger experience in open banking. In my view it’s essential to create a set of common, industry standard APIs that can be used by all.

Another challenge is the implementation of multi-factor authentication. Here too, some interesting initiatives took place. Gemalto, the world leader in digital security, has enabled Belgian mobile ID scheme ITSME to enroll 350,000 users and securely process one million transactions per month for both private and public online services, making it one of the most successful mobile ID applications in Europe within one year of launch.

Real-time payments can be the catalyst for a new wave of innovative corporate banking, payments and cash management services. The SEPA Instant Credit Transfer will offer, in combination with PSD2, interesting new use cases for Open Banking. However, it will take time to take off, as it requires huge investment from the banks, and also a change in the mentality of the consumers.

Conclusion

Although PSD2 should have been enacted by the member states, some states are still lagging behind. The banks are slow in opening their APIs, and open banking is not taking off as quickly as expected. Market players need also to agree on common standards for the interfaces.

However, the deadline of 13/9/2019 is approaching and there is no way back. The clock is ticking in the PSD race. “If you cannot beat them, then you better join them”.

Open banking is a new way of approaching the delivery of financial services for customers, and as such, it requires a new way of thinking and new ways of working. This will also require a new mindset and a different team set up. Teams are going to be more agile and have a mix of skills and people. This is a big challenge for several institutions.

For your information, I will give a one-day training on the subject at Febelfin Academy on 21/11/2018. For more information, please go to: https://www.febelfin-academy.be/nl/opleidingen/detail/psd2-and-the-open-banking-architecture-addressing-.

François de Witte – Founder & Senior Consultant at FDW Consult; Managing Director and CFO at SafeTrade Holding S.A.

 
