IT Challenges & Solutions for PSD2 implementation

Workshop, Hotel Kempinski Corvinus, 6th October, 2017

Changes


The environment of banks

• Unfavorable macro environment
• More strict regulations
• Overregulation

Drivers of Changes

• Changing customer behaviour
• FinTech companies
• New competitors
• Disruptive technologies

The world of Fintechs


FinTech services

Account Information Services (a.k.a. PFM)

Payment Initiation Services

Money transfer

Social Lending

Crowdfunding

Private banking

Other (blockchain, insurance etc.)

Characteristics of FinTechs

• Concentrating on one particular service
• Exclusive use of electronic channels (Internet)
• Simple, highly ergonomic user interface
• Operating processes are automated, optimized for the given service
• They work with low costs (no branch network, minimal human work required)

Growth of the FinTech market

[Chart: FinTech investments worldwide, M$, 2010–2016, by region: USA, Europe, Asia, Other]

Source: Accenture, The Future of FinTech and Banking, 2016 and other sources

BigTechs – The GAFAA

Friend to friend

What characterizes BigTechs?

• Openness
• User experience
• Single account

FinTechs + BigTechs = ?

FinTechs: FOCUSED, SIMPLE, ERGONOMIC, AUTOMATED, CHEAP

BigTechs: UNIFIED, OPEN AND INTEGRATIVE

How disruptive are xTechs?

Source: PWC, Global FinTech Report, 2017

[Diagram: BigTechs form an integration layer above the banks (disruption of net income); FinTechs take over the client contact in front of the banks' front-ends (disruption of client relationship). Bank 1, Bank 2 and Bank 3 are each drawn as a front-end and a back-office; a "Shop" front-end also holds client contact.]

The Pace of Changes

2000: NOKIA has the biggest share on the mobile phone market.

2008: NOKIA is still the biggest (43%), but the first crack appeared.

2011: NOKIA’s share dropped below 20% & leading position lost.

2013: NOKIA’s share under 5% & the branch is sold to Microsoft.

WHAT COULD BANKS DO?

Solution: IT innovation

IMPLEMENTATION INNOVATION IDEAS

Sources of Ideas

Source: World FinTech Report 2017, CapGemini

And what about implementation?

Problem: The typical IT of banks

Option 1: Complete renewal

Option 2: Progressive renewal

Our mission: Digital banking

What is digital banking?

Characteristics of digital banking:

• availability of ALL banking services 7/24

• use of electronic channels

• providing ‘user experience’

• customized solutions

• custom tailored marketing

HOW DOES REGULATION ACCELERATE CHANGES?

Objectives of PSD2

1. Improve market efficiency and integration

2. Enhance competition

3. Ensure the security of payments

4. Protect customers

Improving market integration

• Extending the regulation scope to all payments in the European Economic Area (EEA), including:
  • non-EEA currency payments between Payment Service Providers (PSPs) in the EEA
  • one-leg transactions in any currency between PSPs in the EEA and in external regions
• Restricting the opportunities for exclusions (e.g. limited networks, low-value digital purchases)
• Regulating passporting and authorization rules

Enhancing competition

• Allowing registered Third Party Providers (TPPs) to provide Payment Initiation Services (PISPs) and Account Information Services (AISPs), on the consent of the clients, through accessing client accounts at Account Servicing PSPs (AS PSPs)
• All currently available online services should be opened for TPPs
• AS PSPs should treat data requests of TPPs without any discrimination

Ensuring security

• PSPs should fulfil requirements for authorization (e.g. initial fund, own fund etc.)
• PSPs should establish a framework to protect clients from fraud:
  • Assessing security risks
  • Collecting statistical data on fraud
  • Classifying major incidents
  • Reporting incidents to authorities
• TPPs can rely on the AS PSPs' authentication
• AS PSPs and TPPs should use Strong Customer Authentication (SCA)

Protecting customers

• Providing information for clients on services prior to contracting
• Unconditional refund rights of 8 weeks
• Obligation to respond to complaints within 15 days
• Member States should monitor compliance and handle disputes

IT SOLUTIONS FOR PSD2 AND DIGITAL BANKING

Overview of the PSD2 module

• Availability of funds (Article 65)
• Payment initiation (Article 66)
• Account information (Article 67)

[Diagram labels: Existing or new interfaces; Open Banking standard]

PSD2 Solution – Main system

Components: Exemptions management, Limit management, Fraud, Core system interface, SMS interface, TPP APIs, Account management, Order management, System administration, Workflow, SCA, Reporting, Mobile App, Customer core / TPP rights, Document management

PSD2 Solution – Test system (sandbox), RTS 27 (6)

[Diagram labels: RESTful, OAuth 2.0, OpenID Connect; Core Banking System]

Development roadmap for PSD2

Phase 1 (until 2018.01)
• Already in progress:
  • Open API
  • SCA

Phase 2 (until 2019.01)
• Exemptions management
• Fraud

What is being implemented?

• PSD2 Article 65 – Confirmation on the availability of funds
• PSD2 Article 66 – Payment initiation services: single, immediate, domestic payments
• PSD2 Article 67 – Account information services: account balance and history
• PSD2 Articles 97-98 – Strong customer authentication

How is it implemented?

• Standard open APIs for easy access
• State of the art SCA solution – Android and iOS mobile application
• Easily expandable business functionality
• 365/7/24 uptime
• Shadow balance functionality
• Custom tailored implementation
• Custom interfaces to core and any other related system
• SCA provided or local SCA solution integrated (OAuth)
• Customer core migration
• Product migration

Open Banking (UK)

www.openbanking.org.uk

What is FIDO?

FIDO is the World’s Largest Ecosystem for Standards-Based, Interoperable Authentication

FIDO alliance

Technological overview

Communication: TLS 1.2, X.509

API: RESTful webservice (HTTP), JSON, ISO 20022 based

Authorization / authentication: OAuth 2.0, OpenID Connect 1.0, asymmetrical cryptography

Example: Payment initiation service

Participants: TPP, ASPSP business front-end server, ASPSP authorisation server, CORE, PSU

Messages in the diagram:
• Request for access → Checking → Providing access
• Posting transaction (POST /payments) → Recording transaction data, PaymentID → Confirmation
• Redirecting the PSU to the authorisation server
• Request for authorisation → Providing user name → Defining type of authorisation → Authorisation → Auth code grant → Redirecting with auth. code
• Request for access code → Checking → Providing access
• Submission of transaction (POST /payment-submissions) → Recording transaction, PaymentSubmissionID
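The checks an ASPSP needs at each step of the exchange above, as an added toy model that is not the presenter's code: one hypothetical `ToyASPSP` class stands in for both the business front-end and the authorisation server, dicts replace the core, and the binding of the auth code to the TPP and of the access token to the PaymentID are assumptions about the design, not something the slide states.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ToyASPSP:
    """Hypothetical ASPSP: front-end and authorisation server in one object, dicts as the core."""
    payments: dict = field(default_factory=dict)      # PaymentID -> order posted by the TPP
    auth_codes: dict = field(default_factory=dict)    # auth code -> (tpp, PaymentID, psu)
    tokens: dict = field(default_factory=dict)        # access token -> (tpp, PaymentID)
    submissions: dict = field(default_factory=dict)   # PaymentSubmissionID -> PaymentID

    def post_payment(self, tpp, amount_eur, payee_iban):
        # POST /payments: record the intended transaction and hand back a PaymentID.
        pid = "P-" + secrets.token_hex(4)
        self.payments[pid] = {"tpp": tpp, "amount": amount_eur, "payee": payee_iban}
        return pid

    def authorise(self, psu, tpp, pid, sca_passed):
        # PSU is redirected to the authorisation server; SCA must succeed and the
        # PaymentID must belong to the requesting TPP before an auth code is granted.
        if not sca_passed or self.payments.get(pid, {}).get("tpp") != tpp:
            return None
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = (tpp, pid, psu)
        return code

    def exchange_code(self, tpp, code):
        # Auth code grant: single use (pop) and redeemable only by the TPP that obtained it.
        entry = self.auth_codes.pop(code, None)
        if entry is None or entry[0] != tpp:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (tpp, entry[1])
        return token

    def post_payment_submission(self, tpp, token, pid):
        # POST /payment-submissions: the token must be bound to this TPP and this PaymentID,
        # so a consent given for one payment cannot be reused to submit another.
        if self.tokens.get(token) != (tpp, pid):
            return None
        sid = "S-" + secrets.token_hex(4)
        self.submissions[sid] = pid
        return sid

def run_flow(bank, tpp="tpp-demo", psu="psu-1", sca_passed=True):
    """Happy path in the diagram's order; returns (PaymentID, PaymentSubmissionID) or None."""
    pid = bank.post_payment(tpp, 49.90, "HU00-constructed-iban")   # constructed sample order
    code = bank.authorise(psu, tpp, pid, sca_passed)
    token = bank.exchange_code(tpp, code) if code else None
    sid = bank.post_payment_submission(tpp, token, pid) if token else None
    return (pid, sid) if sid else None
```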

Strong Customer Authentication

Authentication based on two of the following elements: possession, knowledge, inherence

Initially implemented authentication solutions:
• Static password (knowledge) and dynamic password sent via SMS (possession)
• Static password (knowledge) in the mobile application with private key (possession)
• Biometric identification (inherence) in the mobile application with private key (possession)

Mobile application

Additional functions

Potential of Online solution

• Central point of entry – basic checks, routing
• RESTful, OAuth 2.0, OpenID Connect – Open Banking standard

[Diagram: several instances of PSD2 Module vX.000 and MoonSol vY.000 behind the central point of entry, each with its own parameter set (Par vA.0000 … Par vH.0000)]

Development roadmap for PSD2

Phase 1 (until 2018.01)
• Already in progress:
  • Open API
  • SCA

Phase 2 (until 2019.01)
• Exemptions management
• Fraud monitoring

Managing exemptions

Regulatory Technical Standards on Strong Customer Authentication and common and secure communication ….

CHAPTER 3 EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION, Articles 10–18

Exemptions from SCA

• Accessing the balance and payment transactions of the customer’s account (Article 10)
• Contactless electronic payments (individual <50 EUR, cumulative <150 EUR or 5 consecutive payments) (Article 11)
• Payment transaction at an unattended payment terminal for transport or parking fares (Article 12)
• The payee is included in a list of trusted beneficiaries previously created or confirmed by the payer (Article 13)
• The payer initiates a credit transfer where the payer and the payee are the same person and the accounts are held by the same ASPSP (Article 14)
• Low value transactions (individual <30 EUR, cumulative <100 EUR or 5 consecutive payments) (Article 15)
• … or the transaction is identified as a low-risk transaction by transaction risk analysis (Article 16)

Low-risk transactions

RTS SCA Article 16(2)(c):
• no abnormal spending or behavioural pattern of the payer has been identified;
• no unusual information about the payer’s device/software access has been identified;
• no malware infection in any session of the authentication procedure has been identified;
• no known fraud scenario in the provision of payment services has been identified;
• the location of the payer is not abnormal;
• the location of the payee is not identified as high risk

IF exemptions are used based on risk analysis…

• ASPSPs should monitor the fraud rates of remote card-based payments and credit transfers (Article 16(2)(a))
• If the monitored fraud rate exceeds the EUR 100 ETV reference fraud rate for two consecutive quarters (180 days), SCA should be applied until fraud rates improve (Article 18(1)–(2))

Transaction monitoring WF

1. Payment initiation
2. Blacklisted? Yes → Deny transaction. No → continue
3. Exact RTS exemption? Yes → Perform without SCA. No → Transaction rating
4. Big risk? Yes → Perform with SCA. No → Risk evaluation → Perform without SCA
5. Transfer data to DWH
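The workflow above, the exemption thresholds of Articles 11–15, the Article 16(2)(c) signals and the Article 18 fraud-rate gate, combined into one decision routine as an added example (not the presenter's module): the `Payment`/`PayerState` fields, the per-payer counters since the last SCA and the reference fraud rate passed to `tra_allowed` are assumptions, and the slide's "cumulative or 5 consecutive" is read conservatively by requiring both counters to stay within their limits.

```python
from dataclasses import dataclass, field
# Thresholds as written on the slides (RTS on SCA, Articles 11 and 15).
CONTACTLESS_MAX, CONTACTLESS_CUMUL, CONTACTLESS_COUNT = 50.0, 150.0, 5
LOW_VALUE_MAX, LOW_VALUE_CUMUL, LOW_VALUE_COUNT = 30.0, 100.0, 5
# Article 16(2)(c) signals listed on the slide; any one present means the payment is not low risk.
RISK_SIGNALS = {"abnormal_spending", "unusual_device", "malware_in_session",
                "known_fraud_scenario", "abnormal_payer_location", "high_risk_payee_location"}

@dataclass
class Payment:
    amount_eur: float
    contactless: bool = False                    # Art. 11 candidate
    remote: bool = False                         # Art. 15 / Art. 16 candidate
    payee_is_payer: bool = False                 # Art. 14: same person, accounts at the same ASPSP
    trusted_beneficiary: bool = False            # Art. 13
    unattended_transport_terminal: bool = False  # Art. 12
    signals: set = field(default_factory=set)    # subset of RISK_SIGNALS raised by monitoring

@dataclass
class PayerState:
    # Hypothetical counters the ASPSP keeps since the payer's last SCA.
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0
    blacklisted: bool = False

def tra_allowed(quarterly_fraud_rates, reference_rate):
    """Art. 18: TRA is suspended once the fraud rate exceeds the reference rate two quarters in a row."""
    last_two = quarterly_fraud_rates[-2:]
    return not (len(last_two) == 2 and all(r > reference_rate for r in last_two))

def decide(p, s, tra_ok=True):
    """Slide workflow: blacklist -> exact RTS exemption -> rating/TRA -> SCA. Returns (decision, reason)."""
    if s.blacklisted:
        return "DENY", "blacklisted"
    if p.payee_is_payer:
        return "NO_SCA", "Art. 14"
    if p.trusted_beneficiary:
        return "NO_SCA", "Art. 13"
    if p.unattended_transport_terminal:
        return "NO_SCA", "Art. 12"
    cumul, count = s.cumulative_since_sca + p.amount_eur, s.count_since_sca + 1
    # The slide gives the cumulative and count limits as alternatives; the conservative
    # reading used here only exempts while both counters stay within their limits.
    if p.contactless and p.amount_eur < CONTACTLESS_MAX and cumul < CONTACTLESS_CUMUL and count <= CONTACTLESS_COUNT:
        return "NO_SCA", "Art. 11"
    if p.remote and p.amount_eur < LOW_VALUE_MAX and cumul < LOW_VALUE_CUMUL and count <= LOW_VALUE_COUNT:
        return "NO_SCA", "Art. 15"
    # Transaction risk analysis (Art. 16): remote, no signal raised, and TRA not suspended under Art. 18.
    if p.remote and tra_ok and not (p.signals & RISK_SIGNALS):
        return "NO_SCA", "Art. 16 TRA"
    return "SCA", "no exemption"
```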

PSD2 Module

Functionality plans

Short term

• Create “building blocks”

• Parametrize scorecards

• Create evaluation ruleset

Long term

• Pattern recognition

• Neural networks

Future development roadmap

Phase 3

until 01.2019

• GDPR

• Online account creation

• Online loans

• Instant payment

Thank You for Your attention!