PSD2 brings significant changes to the payments industry in Europe by opening up payment systems and requiring banks to provide third party providers access to payment account information and initiation services through APIs. Some key points:
- PSD2 had to be transposed into national law by January 2018, and the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication apply from September 2019; banks must comply with new rules on open banking and strong customer authentication.
- It allows third party providers to offer payment initiation, account information services, and confirmation of fund availability services through bank APIs.
- This opens up competition but also brings new fraud risks around access to payment data that banks will need to address through tools like real-time analytics and dynamic authentication.
- PSD2 also establishes new liability rules and security requirements like strong customer
PSD 2 - REGULATORY REQUIREMENTS FOR PAYMENTS IN 2018
1. PSD 2 – OCEAN OF REQUIREMENTS
Marko Marijanović, Compliance Department
Zagreb, 27th September 2018
2. LEGISLATIVE PICTURE ON PAYMENTS IN 2018
• PSD2: to allow newcomers into what is typically banking territory while creating a regulatory framework and requirements
• Interchange Fee Regulation (IFR): IF caps; Honour All Cards Rule (HACR) abolished; card ID; co-badging forced; cross-border acquiring/issuing
• SEPA Instant Payments Initiative
• SEPA projects (Direct Debit, Credit Transfer, Cards, Mobile) + Directive on payment accounts
3. PSD2 KEY FACTS!
Goal
• Regulates payment services and payment service providers
• Increases pan-European competition and participation in the payments industry, also from non-banks
• Harmonises consumer protection and the rights and obligations of payment providers and users
Impact
• Strong impact on the business of banks due to the entry of new players, third party payment service providers (TPPs)
• Requires banks/processors to „open up” their APIs/web services to TPPs
Deadline
• 12th January 2018: deadline for national governments to transpose PSD2 into national law
• Q3 2019: the final Regulatory Technical Standards (RTS) on strong customer authentication and secure communication come into force (exceptions: Hungary and Slovakia with earlier dates)
4. THIRD PARTY PAYMENT PROVIDERS
Payment Initiation Services (PIS): initiate online payments to an e-merchant directly from the payer’s bank account via an online portal, which enables new payment solutions.
Account Information Services (AIS): extract a customer’s account information, including transaction history and balances, from various accounts into one app.
„Confirmation on the availability of funds” (CAF): on request of a service provider issuing card-based payment instruments (e.g. a loyalty card issuer/merchant), the bank immediately confirms whether an amount is available on the payer’s payment account.
TPPs are service providers that will offer services via the so-called „Access to Account” provisions in PSD 2 („XS2A”):
Prerequisite no 1 for XS2A: consent from the customer to the TPP for all these services;
Prerequisite no 2 for XS2A: develop open standards for communication between AS PSPs and TPPs;
Prerequisite no 3 for XS2A: build APIs (or screen scraping as a temporary solution).
If these prerequisites are met, such TPPs can make use of the online banking infrastructure provided by banks to their customers to deliver their services.
5. PAYMENT INITIATION SERVICES (PIS) MODEL COMPARISON
*Accenture
Comparison of typical Merchant Service Charge components (based on the UK market) for card transactions vs. PISP transactions.
Existing payment model for debit card transactions (Customer, Merchant, Acquirer Bank / Processor, Card Network, Issuer Bank), total merchant service charge of 0.68%:
• Processor fee 0.04%
• Acquiring margin 0.2%
• Network fee 0.24%
• Interchange fee 0.2%
Updated payment model including a PISP (Customer, Merchant, Merchant Bank, Interbank Infrastructure, Customer Bank, PISP via API), total merchant service charge of 0.2% – 0.86%:
• PISP fee 0.2% – 0.68%
• Standard credit transfer fee charged to the payer*
* The bank cannot discriminate in pricing between credit transfers initiated via a PISP or directly by the payer. Many banks currently do not charge any fees in these instances.
6. ACCOUNT INFORMATION SERVICES (AIS) MODEL COMPARISON
Bank information aggregators provide their clients with one ´dashboard´ to gain an overview of multiple bank accounts.
Current model: bank information aggregator feeding one dashboard application.
7. ACCOUNT INFORMATION SERVICES (AIS)
„Your accounts, together. End the multiple app juggling and view your UK accounts and credit cards together in one clear place. We´re harnessing the power of Open Banking too, meaning this is becoming even more frictionless.”
8. NEW THREATS OF FRAUD IN OPEN BANKING
• Copycat websites could pretend to be third-party providers
• A fraudster could hack into a third party to gain access to information held in current account statements
• A fraudster could pose as a third party in correspondence to extort information
• Any of these could allow a fraudster to access customers’ money fraudulently
APIs vs screen scraping
• Open banking is to be built on trusted application programming interfaces (APIs)
• An inferior method called „screen scraping” is still in use, in which the third party essentially imitates a user and goes in via the consumer login.
• This means the third party needs to know the consumer’s password in full and be able to use it in unencrypted form
9. REACTING TO PREVENT FRAUD IN OPEN BANKING
Real-time analytics:
• Detect abnormal behaviour in requests originating from third-party providers,
• Identify suspicious transactions and, most importantly,
• Detect atypical API calls
Options we hear about: dynamic biometrics, in which the consumer’s voice, typing and mouse movements are analysed for irregular patterns.
Banks cannot block screen scraping; however, they could refuse to refund fraud losses if you choose to share login details with a firm that isn’t authorised and regulated.
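The „detect atypical API calls” point above is easiest to see on concrete data. The following is an added example, not part of the presentation: it runs three simple checks over a constructed XS2A access log of a bank (the log format, the TPP names, the consent IDs and the IBAN placeholders are all invented for this example). It flags a consent token presented by a TPP it was never issued to, a call for an account outside the consented set, an expired consent, and a burst of calls from one TPP inside a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an account-servicing bank's XS2A access log. The layout, TPP
# names, consent IDs and IBAN placeholders are invented for this example.
SAMPLE_LOG = """\
2018-09-27T10:00:01Z tpp=TPP-A consent=c-101 account=IBAN-1 endpoint=/accounts/IBAN-1/balances status=200
2018-09-27T10:00:05Z tpp=TPP-A consent=c-101 account=IBAN-1 endpoint=/accounts/IBAN-1/transactions status=200
2018-09-27T10:00:09Z tpp=TPP-C consent=c-101 account=IBAN-1 endpoint=/accounts/IBAN-1/balances status=200
2018-09-27T10:01:00Z tpp=TPP-B consent=c-202 account=IBAN-3 endpoint=/accounts/IBAN-3/balances status=403
2018-09-27T10:01:01Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-09-27T10:01:02Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-09-27T10:01:03Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-09-27T10:01:04Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-09-27T10:01:05Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-09-27T10:01:06Z tpp=TPP-B consent=c-202 account=IBAN-2 endpoint=/accounts/IBAN-2/transactions status=200
2018-11-02T08:30:00Z tpp=TPP-A consent=c-101 account=IBAN-1 endpoint=/accounts/IBAN-1/balances status=200
"""

# Consents as the bank recorded them when the customer granted access (constructed).
CONSENTS = {
    "c-101": {"tpp": "TPP-A", "accounts": {"IBAN-1"}, "expires": "2018-10-27T00:00:00Z"},
    "c-202": {"tpp": "TPP-B", "accounts": {"IBAN-2"}, "expires": "2019-03-27T00:00:00Z"},
}

LINE = re.compile(
    r"^(?P<ts>\S+) tpp=(?P<tpp>\S+) consent=(?P<consent>\S+) account=(?P<account>\S+) "
    r"endpoint=(?P<endpoint>\S+) status=(?P<status>\d+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = parse_ts(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev


def analyse(log_text, consents, burst_limit=5, window=timedelta(seconds=10)):
    """Return a list of (alert_kind, tpp, detail) tuples for atypical TPP API calls."""
    alerts = []
    recent = defaultdict(deque)  # tpp -> call timestamps inside the sliding window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        consent = consents.get(ev["consent"])
        if consent is None or consent["tpp"] != ev["tpp"]:
            # A consent token presented by a TPP it was never issued to
            alerts.append(("consent_not_issued_to_tpp", ev["tpp"], ev["consent"]))
        elif ev["ts"] > parse_ts(consent["expires"]):
            alerts.append(("expired_consent", ev["tpp"], ev["consent"]))
        elif ev["account"] not in consent["accounts"]:
            # Probing an account the customer never agreed to share
            alerts.append(("account_outside_consent", ev["tpp"], ev["account"]))
        q = recent[ev["tpp"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == burst_limit + 1:  # fire once, as the burst crosses the limit
            alerts.append(("burst", ev["tpp"], f"{len(q)} calls in {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, CONSENTS):
        print(alert)
```

The checks are deliberately stateless apart from the sliding window; a production deployment would also compare each TPP's call pattern against its own historical baseline and correlate with the transaction-monitoring system.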
10. LIABILITY FOR UNAUTHORISED PAYMENT TRANSACTIONS
Basic rule: the bank refunds the payer immediately, except where the bank has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing.
New rules on liability allocation between the bank and the PIS PSP:
• When the transaction is through a PIS, the bank refunds the payer immediately and restores the account to its initial state, as if no transaction had taken place.
• If the PIS is liable for the unauthorised transaction, it must immediately compensate the bank at its request.
• It is for the PIS to prove that the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency.
11. „RTS” – STRONG CUSTOMER AUTHENTICATION (SCA)
Every electronic payment in Europe has to be verified with 2 out of 3 of the following:
• something you have (e.g. a card),
• something you know (e.g. a PIN or passcode) or
• something you are (e.g. a biometric).
For electronic „remote payment transactions” SCA must include elements which „dynamically link” the transaction to the amount and the payee.
Ensure that the PSP applies SCA where the payer:
• (a) accesses its payment account online;
• (b) initiates an electronic payment transaction;
• (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
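What „dynamic linking” means in practice is that the authentication code the payer produces is computed over the amount and the payee, so a code captured for one transaction is useless for another. The following is an added example, not code from the presentation or from any scheme: it computes an HMAC-SHA256 over a canonical encoding of amount, currency, payee and a fresh nonce, truncates it to an 8-digit code in the RFC 4226 style, and shows that the issuer's verification fails as soon as the amount or payee is altered. The device secret, payee name and nonce are constructed for the example; the secret stands in for the possession element and would in practice be held in secure hardware and unlocked by the PIN or biometric.

```python
import hmac
import hashlib
import secrets

# Constructed: a per-device secret provisioned to the payer's authenticator app and known
# to the issuer. It stands in for "something you have"; the PIN or biometric that unlocks
# it on the device is the second factor. Real deployments keep it in secure hardware.
DEVICE_SECRET = bytes.fromhex(
    "3f7a1c9e4b2d8a6f5e0c1b3a7d9e2f4c6a8b0d1e3f5a7c9b2d4f6e8a0c1b3d5f"
)


def canonical_transaction(amount_cents, currency, payee, nonce):
    """Length-prefixed encoding of the linked fields, so that no two different
    (amount, currency, payee, nonce) tuples can produce the same byte string."""
    out = b""
    for field in (str(amount_cents), currency, payee, nonce):
        data = field.encode("utf-8")
        out += len(data).to_bytes(2, "big") + data
    return out


def authentication_code(secret, amount_cents, currency, payee, nonce, digits=8):
    """HMAC-SHA256 over the transaction, truncated to a typeable code (RFC 4226 style)."""
    msg = canonical_transaction(amount_cents, currency, payee, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify(secret, amount_cents, currency, payee, nonce, presented_code):
    """Issuer side: recompute over the amount and payee it is about to execute.
    If either was altered after the payer approved, the code no longer matches."""
    expected = authentication_code(secret, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, presented_code)


def issue_nonce():
    """Fresh per-transaction challenge; the issuer records it so a code cannot be replayed."""
    return secrets.token_hex(8)


def demo():
    # The payer's app displays "EUR 450.00 to recordstore.co.uk" and produces the code.
    nonce = "5f1d2c3b4a596877"  # fixed here so the example is reproducible
    code = authentication_code(DEVICE_SECRET, 45000, "EUR", "recordstore.co.uk", nonce)
    return {
        "honest": verify(DEVICE_SECRET, 45000, "EUR", "recordstore.co.uk", nonce, code),
        "amount_tampered": verify(DEVICE_SECRET, 450000, "EUR", "recordstore.co.uk", nonce, code),
        "payee_tampered": verify(DEVICE_SECRET, 45000, "EUR", "attacker.example", nonce, code),
        "replayed_with_new_nonce": verify(DEVICE_SECRET, 45000, "EUR", "recordstore.co.uk", issue_nonce(), code),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The point the RTS makes is that the payer must see the amount and payee the code is bound to; the cryptography only helps if the display the payer approves and the message the issuer executes are the same values.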
12. SCA exemptions in the RTS
• White list of trusted beneficiaries (Article 13), e.g. Amazon for remote, IKEA for card-present
• Transaction Risk Analysis, TRA (Article 18)
• Recurring transactions (Article 14 RTS), e.g. a subscription to a magazine
• Low-value remote transactions (Article 16), e.g. I buy a vinyl record for 25 EUR on recordstore.co.uk: no SCA needed if the cumulative amount of previous transactions without SCA is below 100 EUR or if this is not my 6th consecutive transaction without SCA
• Contactless payments (Article 11)
• Commercial transactions (Article 17): non-consumer (corporate) payment processes and protocols
• Unattended terminals for transit and parking (Article 12)
13. „RTS” – STRONG CUSTOMER AUTHENTICATION (SCA)
SCA liability becomes EU law!
• Where the payer’s PSP (issuer) does not require SCA, the payer shall not bear any financial losses unless the payer has acted fraudulently.
• Where the payee (merchant) or the PSP of the payee (acquirer) fails to accept SCA, it shall refund the financial damage caused to the payer’s PSP (issuer).
14. TRA (ARTICLE 18) – OPTION, NOT MANDATE
No SCA if:
• I am buying a record player and speakers bundle for 450 EUR,
• the issuing bank’s fraud rate in the last quarter is at or below 0.01% (450 EUR exceeds the 250 EUR threshold, so only the 500 EUR threshold and its 0.01% reference rate apply), and
• the issuing bank performs real-time risk analysis of the transaction.
TRA rules:
• The fraud rate (reported by the bank to the national bank) is equal to or below the reference fraud rate (0.01%, 0.06%, 0.13%)
• The amount of the transaction does not exceed the corresponding exemption threshold value (‘ETV’) (EUR 500, 250, 100)
• The PSP performs real-time risk analysis
Overall fraud rate = total value of unauthorised or fraudulent remote transactions / total value of all remote transactions (both with SCA and under an exemption), on a rolling quarterly basis.
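The low-value and TRA exemptions above (slides 12 and 14) are decision rules an issuer’s authorisation system has to evaluate on every remote transaction, so they are worth writing down as code. The following is an added example, not from the presentation: it computes the rolling-quarter fraud rate, maps it to the exemption threshold value, applies the Article 16 low-value test as the slide reads it (previous cumulative amount within 100 EUR or at most 5 consecutive transactions without SCA) and returns which exemption, if any, lets the transaction skip SCA. The per-transaction cap of EUR 30 for the low-value exemption is taken from Article 16 of the RTS and is not stated on the slide; the function and variable names are the example's own.

```python
from decimal import Decimal

# Article 18 RTS: reference fraud rate (percent) and the exemption threshold value it
# unlocks, as listed on the slide. Lowest rate / highest threshold first.
TRA_BANDS = [
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
]

# Article 16 RTS low-value remote exemption. The EUR 30 per-transaction cap comes from the
# RTS text (not the slide); the EUR 100 cumulative cap and the limit of 5 consecutive
# transactions without SCA are the ones quoted on the slide.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")
LOW_VALUE_CONSECUTIVE_MAX = 5


def fraud_rate_percent(fraud_value, total_value):
    """Rolling-quarter fraud rate: value of unauthorised/fraudulent remote transactions
    over the value of all remote transactions (with SCA or exempted), as a percentage."""
    if Decimal(total_value) <= 0:
        raise ValueError("no remote transactions in the period")
    return Decimal(fraud_value) / Decimal(total_value) * 100


def tra_threshold(issuer_fraud_rate_pct):
    """Highest ETV the issuer may use, or None if its fraud rate rules out TRA entirely."""
    for reference_rate, etv in TRA_BANDS:
        if Decimal(issuer_fraud_rate_pct) <= reference_rate:
            return etv
    return None


def low_value_exempt(amount, cumulative_since_sca, consecutive_since_sca):
    """Article 16: small amount, and either the running total or the run of
    un-authenticated transactions since the last SCA is still inside its cap."""
    if amount > LOW_VALUE_MAX:
        return False
    return (cumulative_since_sca <= LOW_VALUE_CUMULATIVE_MAX
            or consecutive_since_sca < LOW_VALUE_CONSECUTIVE_MAX)


def decide(amount, issuer_fraud_rate_pct, cumulative_since_sca, consecutive_since_sca,
           risk_analysis_low_risk):
    """Return 'exempt:low-value', 'exempt:TRA' or 'SCA' for one remote transaction.

    cumulative_since_sca / consecutive_since_sca describe the payer's previous
    transactions since SCA was last applied; risk_analysis_low_risk is the outcome of
    the issuer's real-time risk analysis (a hard requirement for TRA)."""
    amount = Decimal(amount)
    if low_value_exempt(amount, Decimal(cumulative_since_sca), consecutive_since_sca):
        return "exempt:low-value"
    etv = tra_threshold(issuer_fraud_rate_pct)
    if etv is not None and amount <= etv and risk_analysis_low_risk:
        return "exempt:TRA"
    return "SCA"


if __name__ == "__main__":
    rate = fraud_rate_percent(4500, 10_000_000)           # constructed quarter figures
    print("issuer fraud rate:", rate, "% -> ETV", tra_threshold(rate))
    print("25 EUR vinyl, 60 EUR since SCA:", decide("25", rate, "60", 3, True))
    print("450 EUR bundle at 0.06%:", decide("450", "0.06", "0", 0, True))
    print("450 EUR bundle at 0.01%:", decide("450", "0.01", "0", 0, True))
```

Two details are easy to get wrong and are the reason the example exists: the fraud rate is the issuer's whole-portfolio figure, so a single issuer cannot unlock the 500 EUR band by being careful on one merchant, and the real-time risk analysis is a condition of the exemption, not an optional extra.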
15. IMPACT FOR BANKS AND PAYMENT INSTITUTIONS
Reserved funds and currency conversion rules
• Set the maximum amount of funds to be blocked on the payer's payment account and maximum time limits for blocking by the payee (e.g. pre-authorisation)
• Rules for the DCC service to guarantee transparency
Transparency; payer liability
• All charges must be transparent.
• Maximum loss to be borne by the payer is €50
• The bank must give supporting evidence to prove fraud or gross negligence on the part of the payment service user
16. IMPACT FOR BANKS AND PAYMENT INSTITUTIONS
Security mechanisms in detail by EBA
• EBA to develop rules for the authorisation of payment institutions (governance, internal control mechanisms, processes in place to monitor, track and restrict access to sensitive payment data and to logical and physical critical resources, BCM, incidents)
Data breach notifications and security
• Manage operational and security risk (effective incident management, detection and classification of major incidents)
• Obligation to notify any major operational or security incident to the local authority (which without delay informs the EBA)
Surcharging: just got more complicated
• Will be allowed for non-regulated transactions (commercial transactions which are out of scope for the IFR, possibly on-us transactions)
• Each EU country will have the right to fully ban surcharging
3-party schemes in the PSD2 context
• Rules on access of authorised or registered PSPs to payment systems shall be objective, non-discriminatory and proportionate, and those rules should not inhibit access more than is necessary to safeguard against specific risks
• e.g. 3-party schemes to open up
17. CARD SCHEMES’ EMV 3DS 2.0
Card schemes’ paths:
• Mastercard Identity Check
• Verified by Visa upgraded to enhance and simplify
• Fear of „shopping abandonment”