3

Dispelling theMyths around UKPayments

www.accesspay.com

A guide to current and future changes to UK payments legislation.

4

www.accesspay.com

2

www.accesspay.com

ContentsIntroduction 03

Acknowledgement 03

Open Banking 04

The Myths 05

TheBenefitsofopenbankingforthecorporatecustomer 06

Isopenbankingsecure? 07

Whatdotheexpertssay? 07

PSD2 and financial security 08

The Myths 09

IsPSD2secure? 10

Whatdotheexpertssay? 11

New Payments Architecture 11

TheMyths 12

RequesttoPay 13

Whatbenefitscanthesechangesbringtothecorporatecustomer? 14

Confirmation of Payee 15

Whatbenefitscanthesechangesbringtothecorporatecustomer? 16

3

Introduction

For decades, the UK’s payments processes have been owned and controlled by a select few banks. Whilst this worked well for many years, technology in other sectors has advanced and financial services have struggled to keep up. This has resulted in a lack of competition and innovation in the market, hindering progress and limiting choice for the corporate customer.

Widespread adoption of tech has driven developmentswithin the B2C space, with the focus on removing the friction from payments – meaning we can all pay for our shopping with a smartphone. But it’s been a slower journey for business payments.

With the emergence of fintechs and new financial offeringsentering the market, there is a perpetual expectation fromcorporates for value-added services, unencumbered by legacy systems and supported by new legislation. And as a fintech, we’re right at the centre of the biggest changes in payments for a generation.

Many organisations want to understand what industrychanges such as open banking and the New PaymentsArchitecture (NPA) will mean for them; AccessPay sees these developments for the opportunities and possibilities that they offer. Finding out about their potential and takingadvantage of it now is the best way to ensure that youfuture-proof your finance function.

www.accesspay.com

Acknowledgement:

Nadeem HaqueGlobal Head of Cash

Management at Barclays

Jonathan WilliamsPSD2 Consultant

Paul HorlockChief Executive of Pay.UK

Jacob ToseProduct Manager at Pay.UK

4

Open Banking

In an increasingly mobile-driven society, the ability to have instant gratification and total control at your fingertips is something we’ve come to expect. In the blink of an eye, it is now possible to compare anything from restaurant deals to insurance premiums, all in one place. It was only a matter of time before there was the same offering for financial services.

In place since January 2018, open banking is a game-changing piece of financial legislation, with the goal of offering businesses and consumers a secure way to access the best financial products in the marketplace.

Ultimately, this change was driven by the Competition and Markets Authority (CMA), believing that the nine largest banks in the UK needed to offer a greater choice for both consumers and corporate customers. Previously, the primary offerings of financial services have been held tightly by the banking industry. But not anymore.

The banks providing open banking API access to third-party fintechs and financial services providers will allow corporates to manage who has access to their account data. Unbundling data through the opening up of these APIs, provides a wider ecosystem of options in financial services, particularly in payments, as well as giving more detailed access to account information and bank statements.

But isn’t there a risk of some unscrupulous character, hacking into the API and finding all that juicy personal financial data for themselves? Well no, but don’t just take our word for it.

www.accesspay.com

Read on to find out more from open banking expert; Nadeem Haque, Global Head of Cash Management at Barclays

5

www.accesspay.com

The Myths

1. Open banking means that I won’t have control of my data…

In fact, it’s quite the opposite. Open banking is all about putting you in control of your own data, ensuring full visibility of who can access what, and what you want them to do with it. If anything, it puts data protection under the microscope, to ensure that it is boxed off and only available to those that genuinely have a right to see it. And don’t forget that rigorous GDPR rules mean that consent to use data is more essential to businesses than ever before.

2. There is a huge security risk when it comes to open banking…

Whilst this mindset is based around ‘openness’, the reality is any technology provider wanting to make use of open banking API’s must be fully authorised or registered with the FCA and required to work with the same level of security as your bank. There are stringent security requirements for any third-party fintech organisation or nonbanking financial services provider wanting to get involved with open banking. And rest assured, it will have no impact on the security of Bacs or any other payments method.

Is it necessary to make drastic and expensive changes to your business payments software in order to take advantage of APIs through open banking?

Open banking doesn’t affect the efficiency or workability of your business payments software. It is purely a legislation change to provide access via consent and will have no impact or dictate any change in your system – speak to your bank or speak to us here at AccessPay and we will put your mind at ease. And rest assured, it will have no impact on the security of Bacs or any other payments method.

“People think that because it’s transactional data, the bank owns it. In reality, what you send and what you receive is up to you, and you control it. The banks are obligated to ensure that there’s a high level of control on your data.”

“Don’t be worried about open banking, it’s done in a verysecure environment. The end user, be it consumer or a corporate customer, must give explicit consent to any third-party. This can also be revoked at any time.”

Nadeem Haque, Global Head of Cash Management at Barclays

Nadeem Haque, Global Head of Cash Management at Barclays

6

www.accesspay.com

WhataretheBenefitsofopenbankingforthecorporatecustomer?

1) Full visibility over your incoming and outgoingtransactions, as well as all other banking and financial data, all in one place.

Open banking offers easy management of multiple accounts and transactions, from across the sphere of banks and other financial services. And don’t worry, all third-party PISPs (Payments InitiationService Providers) or AISPs (Account Information Service Providers) that you choose, are authorised or registered with the FCA.

“If you are multi-banked, open banking gives you the

opportunity to see all of your accounts in one single

place. The opportunities it brings could cause a big

shift in customer behaviour, perhaps the biggest

since online banking.”

Nadeem Haque, Global Head of Cash Management at Barclays.

2) Nothing is done without permission, and thatconsent can also be revoked at any time.

You make the decision to allow secure third-party access to your organisation’s bank account information, typically information like account balances and transactions. Once you’ve given the go-ahead, they will use that data to tailor the experience with a personalised scope, depending onyour needs.

4) Opportunities are plentiful.

Open banking offersan exciting way to redesign the way that people view financial services. The focus on security means that it can easily increase offerings for both business and consumers, driving innovation within the banking and financial services industry. This, in turn, increases competitionas both banks and other financial service providers enhance their offering to attract new customers and retain existing ones.

“The aim of open banking is to increase

competition. By allowing these third-parties

access to this financial data, it is possible to

create a layer of services on top of normal

banking. That creates innovation and brings new

solutions to market.”

Nadeem Haque, Global Head of Cash Management at Barclays.

3) Convenience, speed and simplicity will providealready busy finance and treasury professionalswith some much-needed time – the possibilities are seemingly endless!

Many corporate customers have multiple accounts across several banks, and with openbanking, it’s now possible for AISPs to link those bank accounts together so you can avoid logging in through many different portals – Yay! You won’t need to walk around with a bag full of security keys.

“For corporates, we’ve been working like this for

a while. If you are multi-banked as a corporate,

you can use SWIFT to link those bank accounts

together. And you can log on to your banking

portal and see your financial position across

multiple banks. So open banking really isn’t a

huge change for big business, rather it’s

something we’ve already been doing for a while.”

Nadeem Haque, Global Head of Cash Management at Barclays.

7

Isopenbankingsecure?

Whatdotheexpertssay?

As mentioned, security tends to be the main worry that customers have when it comes to open banking. And that’s fair enough. With any legislative change, there will always be questions and concerns regarding the fool-proof nature of a new development, whilst people adjust to the new way of working.

Of course, it’s always good practice to keep a handle on who exactly you are sharing your organisation’s information with, but the possibilities far outweigh the risks. And rest assured that security measures are in place, to ensure that every third-party offering any open banking options has regulation safeguards.

Ensuring that the third-party is regulated is the job of the Financial Conduct Authority (FCA). And you don’t want mess with the FCA – they can dish out huge fines, or step in and terminate a company’s license if they feel you are operating risky practices and not protecting customers – similarly the people that use open banking can revoke a third-party provider’s security certificate instantly, in real-time, disabling their ability to access, or act on your data.

To further this point, there is a list of legitimate FCA-regulatedcompaniesontheirwebsite.

CLICK HERE

“I think with the introduction of APIs, we’re moving from processing items on an end-of-day batch or a file basis, into a more real-time basis. We exist currently in a real-time economy. Within the corporate environment, people are now expecting to see that real-time capability in their corporate lives, just like they do in their personal lives.

It’s no longer about waiting for an end-of-day statement to come in first thing in the morning, corporate customers want it instantaneously. They just expect more these days. And when you match that with real-time payment systems, like Faster Payments in the UK and Instant Bureau when that comes out next year in Europe, it creates the perfect storm of real-timeinterfaces and real-time payment clearings.”

www.accesspay.com

Nadeem Haque, Global Head of Cash Management at Barclays

8

www.accesspay.com

PSD2andfinancialsecurity

The first Payment Services Directive (PSD1) was introduced over a decade ago, and since then, the payments technology landscape has rapidly advanced. There was a need for change, for legislation to cover the new era of financial services options. Enter PSD2.

The newer and remastered version of the original directive was implemented in January 2018. At its core, it aims to revolutionise the offering of the banking industry. How will it achieve this? By opening up account information, and allowing pre-approved, regulated third-parties access to financial data, in order to provide a wider range of services and offerings.

PSD2 has mixed up the financial services industry, threatening to take away the monopoly that has long been held by the banks. It creates a competitive environment where banks must compete with third-party providers to offer the best customer experience possible and tailor technology to customers. Driving innovation - and putting the customer first - is at the heart of this regulation.

But of course, with any new legislation comes nervousness, and people are rightfully worried about data breaches and sharing bank details with unknown third-parties. The banks have worked for years to build up that trust, so we do understand the caution. However, there are safeguards in place. It’s important to note that all third-party apps are authorised or registered (in the UK) by the same governing body as the banks themselves, the Financial Conduct Authority (FCA).

Jonathan Williams,

PSD2 Consultant

“With this legislationcomes concern thatthe increase of accessand the flow of readilyavailable financialdata. But it bringsopportunity, not theunnecessary risk.”

PSD2

9

www.accesspay.com

What is “screen-scraping” ?

The process of collecting display data from one application screen and translating it so that another application can display it. This has previously been achieved in fintech apps by handing over your online banking credentials, something which will no longer be required in the age of PSD2.

The Myths

1. PSD2 will compromise customer security

Wrong. Rest assured that stringent measures are in place to protect customer data, with fintechs and other third-parties subject to similar scrutiny and compliance requirements as banks. In the UK, the CMA open banking initiative has given rise to two types of regulated third-party providers, PISPs and AISPs.

2. PSD2 is the beginning of the end for traditional business banking

Demand, legislation and technology are changing rapidly, and have brought change into how third-parties access payments infrastructure. This has been developing for some time, but it certainly doesn’t spell the end of business banking. All it means is that the banks will have to adapt to a new environment, with more competition.Financial services is an industry that’s constantly evolving, and when legislation like PSD2 comes in, with all the potential offerings to the corporate customer, it’s easy to get left behind. Forward-thinking corporations will have the option to bank and manage their finances elsewhere, if better products are not offered by traditional banks. Cash management is key to the corporate customer. They are looking to better utilise liquidity and as such, want better visibility, where possible in real-time. Those who succeed will look to collaborate instead of seeing the newplayers as competition.

3. PSD2 is a brand-new initiative and nothinglike it exists currently on the market

In this instance, technology is way ahead of thelegislation and has been for years, especially in the consumer space. There has been ‘screen-scraping’ happening in banks for some time, with user permission of course.

“Our banks are already very secure when it comes to the transaction side of things. The challenge is, how good are we going to be at controlling how we use PSD2 and open banking, who can use it and ensuring that we have the right sets of permissions. It comes down to privileged accessmanagement and Strong Customer Authentication (SCA).”

Jonathan Williams, PSD2 Consultant

PSD2

10

www.accesspay.com

IsPSD2secure?

This ‘screen-scraping’ has always been undertaken by request and given consent from the data owner. If anything, the introduction of PSD2 legislation means that both consumers and businesses have greater protection, but the process itself has been happening for years. The difference is that PSD2 puts you back in control, giving you transparency of your own data usage. And that can only be a good thing.

4. PSD2 means that I have to upgrade my payments software

This is totally wrong. PSD2 has no direct impact on your payment operations, it is simply a legislation change that seeks to open up competition in the financial services market. There is no reason to migrate from your existing payment system or pay for a costly upgrade to a new one, because thislegislation will not change anything in your existing software.

Putting legislation such as PDS2 in place, and helping to spread mainstream adoption, increases API standards in the long run and therefore provides better security during consented data sharing. It also gives the data owner better control and transparency over who has access to the information. But how is this achieved within PSD2?

It uses an identification process called Strong Customer Authentication (SCA). This is invaluable when it comes to financial security within PSD2 and open banking.

SCA requires that to prove their identity, users will have to provide two out of three, either:

• Knowledge: something you know (such as a password)

• Inherence: something you are (such as a fingerprint)

• Possession: something you have (such as a physical security token)

Jonathan Williams,

PSD2 Consultant

“PSD2 has brought about a fundamental shift, in the waythat the financial services ecosystem operates. It has the potential to eliminate the friction that fintech firms, partners and end customers face when accessing their own financial services through the banks and through an app.

Like the UK’s open banking legislation change, we areushering in the new era of opening up customer data andpayments infrastructure tothird-party providers.”

“PSD2 allows you banking access, whatever you need and wherever you are. It doesn’t matter which bank or account you’re with, or what app or financial service you are using. And with SCA, a bank or payment service provider will know for sure that it really is you who is trying to log in to your bank and access the data, trying to change your address or make a payment. Some people think PSD2 is purely about protecting businesses and fighting financial crime, but it’s not. There is a balance, and a big role for businesses and banks to play.”

Jonathan Williams, PSD2 Consultant

PSD2

11

Whatdotheexpertssay?

www.accesspay.com

are regulations on how theyshould do that, and what kind of things they should be looking for when monitoring fraudulent payment transactions.They should be looking for indicators of fraud, such as abnormal spend, malware on devices can sometimes be detected, all types of things which might indicate a fraudulent transaction. Banks and Payment Service Providers are meant to be looking at these things.

PSD2 sets a base framework, on which they can do this.”

“This is a huge opportunity for the businesses and banks who get it right, helping them to build loyalty and increase the range of financial services for their clients.

The key thing about security and PSD2 is authentication. But what does SCA mean?

It’s multi-factor. By using two out of the three verification methods, it’s dynamic. You can’t just rely on something that is fixed and static. There must be some sort of living element around it. Especially for online transactions, it needs to be strong.

Through PSD2 checks, we know for near-certain who is trying to make the transaction and who is involved at the bank. It is a unique way of monitoring. We know that financial crime exists, and our banks are now obligated to detect, manage and monitor fraud and financial crime. And there

Pay.UK, formerly known as the New Payment System Operator (NPSO), is the body in charge of delivering the New Payments Architecture (NPA).

This has involved the consolidation of Bacs, the Faster Payments Service (FPS) and Cheque and the Credit Clearing Company into one payment scheme, increasing efficiency and improving the current structure of UK payments. Collectively these payment bodies process £6.4 trillion worth of payments annually and were previously run as three separate schemes.

Pay.UK has changed that, building on their pre-existing success but moving forward by introducing an over-arching regulatory body. And they want to drive new initiatives, such as Request to Pay and Confirmation of Payee, providing an infrastructure that is fairer, fights fraud and drives innovation.

Jonathan Williams, PSD2 Consultant

New Payments Architecture (NPA)

Paul Horlock,

Chief Executive, Pay.UK

“Pay.UK puts theneeds of consumersand businesses at theheart of everything itdoes, making sure thatpayments sent andreceived are done sosafely, securely andefficiently.”

The Myths

www.accesspay.com

12

1. The NPA means that UK payments as we know it will end imminently

The NPA aims to improve the options provided to customers, but that doesn’t mean that things are set to drastically change. The NPA has taken over responsibility for the UK’s retail payment systems, strategically linking and regulating the three current payment schemes.

3. Bacs will be decentralised and will be a thing of the past

Bacstel-IP is the system which underpins Credits, Debits and the CurrentAccount Switching service, it is part of the critical national infrastructure,and as such Bacs payments will not change significantly until at the earliest2022, and will continue to be supported by the NPA.

Although the NPA aims to build new financial services, suitable for the 21stcentury, all existing products will continue to be available under the NPA.The Bacs network is huge, widely used, and successful, so it won’t just be“switched off”.

2. It is necessary to make drastic changes to your payment’s software or security measures due to changes arising from the NPA

This isn’t true either. The NPA is looking to provide additional payment options, not fewer. It certainly doesn’t mean that any changes are needed to your current business payments software – to ‘future-proof’ them or otherwise.

“We started working with the Payments Strategy Forum, and they have been essential in the process of building this ecosystem. As Pay.UK and Faster Payments are both non-profit organisations, we’re not trying to launch something to go to market that’s going to make us money or change the industry too drastically.”

“We want to set the standards for banks, financial services and fintech organisations,to come in and build on what we’ve done.”

Jacob Tose, Product Manager at Pay.UK

Jacob Tose, Product Manager at Pay.UK

?

13

www.accesspay.com

Request to Pay

One of the NPA’s first initiatives, due for launch in 2019, is Request to Pay. Sitting on top of our existing payment infrastructure, it offers opportunities for businesses and consumers to ‘request’ money from others.

There are options for the payer to:

• Pay in full

• Pay part

• Ask for an extension

• Decline payment

• Send a message

Request to Pay aims to introduce a more flexible payment option for businesses and consumers. This will be a big step forward in the future-proofing of UK payments, offering more opportunities than concerns for the corporate customer.

It presents a chance to change what is still a manual process for many corporates, into easily managed electronic payments. This significantly reduces the costs in processing and tracking paper invoices, and it also negates the risk of human error.

Adopting Request to Pay leads to a reduction in the unit cost of the current invoice-to-pay process, which is attributed to switching from a traditional paper-based process to an electronic one. Reconciliation, reducing credit card fees (of 2.5% plus) and meeting the needs of those who don’t want, or cannot use Direct Debits iswhat it seeks to address.

As a result of this change, not only do corporates have more payment options for their customers, which results in better customer service and better client relationships, but they can also save money per transaction.

Some aspects of Request to Pay are yet to be established, with the industry and banks still working out how the charging model will work for Request to Pay.

“Any option that Request to Pay gives you, is actually already available today, even if it is not immediately obvious. So, with any changes to come, the aim is to make it more honest, easier to use, and more accessible to the end user.”

Jacob Tose, Product Manager at Pay.UK

14

www.accesspay.com

Whatbenefitscanthesechangesbringtothecorporatecustomer?

1) Better Customer Experience

At first glance, corporates would be forgiven for believing RTP puts all the control in the hands of the consumer. Whilst this is certainly a by-product, the corporate can use this tool effectively to encourage transparency with the payee, allowing them to pay only part of a bill if needed. Corporates that offer Request to Pay will be able to provide a much slicker customer experience and will help to improve customer loyalty.

Request to Pay Use Case

One of your regular donors has recently cancelled the Direct Debit instruction as she has become unemployed. But the charity is still important to her, and she wants to re-instate the donations once her finances are more fixed.

Request to Pay gives the option for the charity to request the donation every month, and the donor has the choice to reject the payments, reduce the amount she pays, or accept the request on a flexible basis, or once she has a steady income.

You are a charity that collects monthly Debit Debits.

By approaching the payment request in this way, the charity can build a better relationship with donors, and be kept at the forefront of a supporter’s minds for the future. Rather than cancel a Direct Debit, the donator canhave a more flexible relationship with the charity and choose to pay on her own terms.

“Any app using the Request to Pay featurewill have to stick to strict guidelines. We want to change the detriments within the payments industry, like not having control and not having flexibility.”

Jacob Tose, Product Manager at Pay.UK

2) Slick Reconciliation

Request to Pay is designed to help corporate customers automate their reconciliation processes – something which traditionally has suffered from a lack of visibility; the inability to forecast when payments will arrive and clunky,manual process. Corporates will be able to ‘pre-assign’ things like invoice number and attach to a request for payment, so that when it lands, even when just a part payment, it can be tracked back to the debtor. When the NPA is fully rolled-out corporates could even assign multiple references and track discounts and credit notes, meaning the job of matching receipts against debtors could be a thing of the past.

15

ConfirmationofPayee

New data from UK Finance shows that criminals gottheir hands on over £500 million in the first six months of 2018, through authorised and unauthorised fraud.So, it’s a problem and getting bigger.

Another NPA initiative, Confirmation of Payee is astep towards greater fraud prevention, addressingparticularly ‘Authorised Push Payment’ fraud, which is on the rise.

Confirmation of Payee is essentially one extra step to authenticate payments. Whenever a customer amends a payment or creates a new one, banks will be able to verify that the name on the account matches the stated name on the payment.

If the account name is correct, the bank will confirmwith the customer and the payment will be madewithout any issues. However, if there is a typo in the

www.accesspay.com

name or it is not matching, the payment will be flagged, and further checks will be implemented. However, should the name be completely wrong, the payment will be declined, and the payer will be contacted to update the recipient details.

Currently, banks do this by matching up the sort code and account number, but Confirmation of Payee wants to add another layer of security, as a protection for customers. Initially, this will only be available within online banking, but it will eventually be made available as a ‘Direct Corporate Access’ solution, where approved business payments software vendors can check details at point of entry into the payment system. The first version of Confirmation of Payee will be available to payment providers, banks, and other financial services, in early 2019.

ConfirmationofPayeeUseCase

Your professional email account, unfortunately, gets hacked by fraudsters. They send out emails to your existing and new clients, requesting immediate payment for work done, some of which is not yet completed.

You’ve been hit by a case of ‘Invoice RedirectionFraud’, and it’s on the rise as cyber criminals look forways to cleverly divert funds and exploit technology. You don’t identify the email hack until it is too late, and a large number of your database has been fraudulently contacted.

Some customers do as requested and send thousands of pounds to the unscrupulous account, which does not have your name on it and you have no way of accessing that information. Your clients are furious because the banks refuse to cooperate and chase down the money. The payment was technically authorised, after all.

You are a large scaffolding company

Both you and your customers are out of money,andthebanksarerefusingtobudge.So,whoisgoingtotakeresponsibility?

“Sending a payment with an incorrect sort code or account number is like addressing a letter with the wrong postcode. Even if you have used the correct name it won’t reach the intended destination - and fraudsters have become increasingly sophisticated in using this to trick people into sending money to thewrong account.

Confirmation of Payee will let you check you have the correct name for the person or business you’re paying, giving better protection against certain types of fraud, and helping to stop accidental mistakes too.”

Paul Horlock, Chief Executive of Pay.UK

16

www.accesspay.com

Whatbenefitscanthesechanges bringtothecorporatecustomer?

1) The obvious benefit here is fraud protection,for all involved. It places an onus on the banks, toensure that they are making checks that matterand protecting their customers. If something slipsthrough the net, under Confirmation of Payee thebanks are required to act - something they arereluctant to do at present.

2) Not only covering fraud, Confirmation of Payeealso stops human error. If you get the account orsort code wrong, without CoP the money would betransferred into an unauthorised, accidental bankaccount. The person you have sent the money to has no obligation to return it, even though it wasa mistake.

ReadytodispelthemythsaroundUKpayments?

Speak to a Payments Specialist:

International: +44 (0)161 885 0661

UK: 03300 298 520

www.accesspay.com

Get in touch and let AccessPay’s friendly, dedicated team help you draw on existing and future payment tools, both from the UK and around the world, to craft efficient payment processes.

If you’d like to dig deeper into the mechanics of business payments, find out more about what’s taking place in the industry or get answers to any other finance, treasury or banking related questions, check out the

AccessPay Knowledge Hub: www.accesspay.com/knowledge-hub

17

Get more advice