IT Challenges & Solutions for PSD2 implementation… · PSD2 Article 65 Confirmation on the...
IT Challenges & Solutions
for PSD2 implementation
Workshop, Hotel Kempinski Corvinus, 6th October, 2017
Changes
Overregulation
Drivers of Changes
Changing customer behaviour
FinTech companies
New competitors
Disruptive technologies
The world of Fintechs
FinTech services
Account Information Services (a.k.a. PFM)
Payment Initiation Services
Money transfer
Social Lending
Crowdfunding
Private banking
Other (blockchain, insurance etc.)
Characteristics of FinTechs
Concentrating on one particular service
Exclusive use of electronic channels (Internet)
User interface simple, highly ergonomic
Operating processes are automated, optimized for the given service
They work with low costs (no branch network, minimal human work required)
Growth of the FinTech market
[Chart: FinTech investments worldwide, M$, 2010 to 2016, by region (USA, Europe, Asia, Other); y-axis 0 to 25000]
Source: Accenture, The Future of FinTech and Banking, 2016 and other sources
FinTechs + BigTechs = ?
FinTechs: FOCUSED, SIMPLE, ERGONOMIC, AUTOMATED, CHEAP
BigTechs: UNIFIED, OPEN AND INTEGRATIVE
[Diagram, stacked: BIGTECHs / INTEGRATION LAYER / FINTECHs]
Disruption of client relationship
[Diagram: client contact directly with BANK 2 and BANK 3 (each with its own FRONT-END and BACK-OFFICE), versus client contact through a Shop front-end placed in front of BANK 1 (FRONT-END and BACK-OFFICE)]
The Pace of Changes
2000: NOKIA has the biggest share on the mobile phone market.
2008: NOKIA is still the biggest (43%), but the first crack appeared.
2011: NOKIA’s share dropped below 20% and the leading position was lost.
2013: NOKIA’s share is under 5% and the branch is sold to Microsoft.
WHAT COULD BANKS DO?
Problem: The typical IT of banks
Option 1: Complete renewal
Option 2: Progressive renewal
What is digital banking?
Characteristics of digital banking:
• availability of ALL banking services 7/24
• use of electronic channels
• providing ‘user experience’
• customized solutions
• custom tailored marketing
Objectives of PSD2
1. Improve market efficiency and integration
2. Enhance competition
3. Ensure the security of payments
4. Protect customers
Improving market integration
Extending the regulation scope to all payments in the European Economic Area (EEA), including:
• payments in non-EEA currency between Payment Service Providers (PSPs) in the EEA
• one-leg transactions in any currency between PSPs in the EEA and in external regions
Restricting the opportunities for exclusions (e.g. limited networks, low-value digital purchases)
Regulating passporting and authorization rules
Enhancing competition
Allowing registered Third Party Providers (TPPs) to provide:
• Payment Initiation Services (PISPs) and
• Account Information Services (AISPs)
with the consent of the clients, by accessing client accounts at Account Servicing PSPs (AS PSPs).
All currently available online services should be opened to TPPs.
AS PSPs should treat data requests of TPPs without any discrimination.
Ensuring security
PSPs should fulfil the requirements for authorization (e.g. initial fund, own funds etc.)
PSPs should establish a framework to protect clients from fraud:
• Assessing security risks
• Collecting statistical data on fraud
• Classifying major incidents
• Reporting incidents to authorities
TPPs can rely on the AS PSPs’ authentication
AS PSPs and TPPs should use Strong Customer Authentication (SCA)
Protecting customers
Providing information for clients on services prior to contracting
Unconditional refund rights of 8 weeks
Obligation to respond to complaints within 15 days
Member States should monitor compliance and handle disputes
Overview of the PSD2 module
Availability of funds (Article 65)
Payment initiation (Article 66)
Account information (Article 67)
[Diagram labels: Existing or new interfaces; Open Banking standard]
PSD2 Solution – Main system
[Diagram of modules:]
Exemptions management
Limit management
Fraud
Core system interface
SMS interface
TPP APIs
Account management
Order management
System administration
Workflow
SCA
Reporting
Mobile App
Customer Core / TPP rights
Document management
PSD2 Solution – Test system (sandbox), RTS 27 (6)
[Diagram labels: RESTful, OAuth 2.0, OpenID Connect; Core Banking System]
Development roadmap for PSD2
Phase 1 (-2018.01)
• Already in progress:
  • Open API
  • SCA
Phase 2 (-2019.01)
• Exemptions management
• Fraud
What is being implemented?
PSD2 Article 65
Confirmation on the availability of funds
PSD2 Article 66
Payment initiation services - single, immediate, domestic payments
PSD2 Article 67
Account information services – account balance and history
PSD2 Article 97-98
Strong customer authentication
How is it implemented?
Standard open APIs for easy access
State of the art SCA solution – Android and iOS mobile application
Easily expandable business functionality
365/7/24 uptime
Shadow balance functionality
Custom tailored implementation
Custom interfaces to core and any other related system
SCA provided or local SCA solution integrated (OAuth)
Customer core migration
Product migration
What is FIDO?
FIDO is the World’s Largest Ecosystem for Standards-Based,
Interoperable Authentication
FIDO Alliance
Technological overview
Communication                  | TLS 1.2
                               | X.509
API                            | RESTful webservice (HTTP)
                               | JSON
                               | ISO 20022 based
Authorization / authentication | OAuth 2.0
                               | OpenID Connect 1.0
                               | Asymmetrical cryptography
Example: Payment initiation service
[Sequence diagram; participants: TPP, ASPSP business front-end server, ASPSP authorisation server, CORE, PSU]
TPP → ASPSP front-end: Request for access; ASPSP front-end: Checking, Providing access
TPP → ASPSP front-end: Posting transaction (POST /payments); CORE: Recording tr. post, PaymentID
ASPSP front-end → TPP: Confirmation; Redirecting
TPP → PSU → ASPSP authorisation server: Redirecting; Request for authorisation
PSU at ASPSP authorisation server: Providing user name; Defining type of authorisation; Authorisation
ASPSP authorisation server → TPP: Auth code grant; Redirecting with auth. code
TPP → ASPSP authorisation server: Request for access code; Checking; Providing access
TPP → ASPSP front-end: Submission of transaction (POST /payment-submissions); CORE: Recording transaction data, PaymentSubmissionID
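The exchange in the diagram, as an added example that is not part of the original presentation or of the vendor’s PSD2 module: a toy in-memory model of the auth code grant, the access token and the two POST calls. The class and method names, the field names and the assumed message order (payment setup, then PSU authorisation, then submission) are assumptions, not the product’s API.

```python
# Added example, not from the slides: a toy in-memory simulation of the payment
# initiation exchange in the diagram (auth code grant, token, POST /payments,
# POST /payment-submissions). Class, method and field names are assumed; the
# assumed order is payment setup first, then PSU authorisation, then submission.
import secrets

class AspspAuthServer:
    """ASPSP authorisation server: single-use auth codes, tokens bound to a TPP."""
    def __init__(self):
        self.codes, self.tokens = {}, {}
    def authorise(self, tpp_id, psu, payment_id):      # PSU authorises after SCA
        code = secrets.token_urlsafe(16)
        self.codes[code] = (tpp_id, psu, payment_id)   # auth code grant
        return code                                    # redirected back to the TPP
    def token(self, tpp_id, code):                     # "request for access code"
        owner = self.codes.pop(code, None)             # a code is usable once
        if owner is None or owner[0] != tpp_id:
            raise PermissionError("unknown, replayed or foreign auth code")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = owner                       # providing access
        return tok

class AspspFrontEnd:
    """ASPSP business front-end exposing /payments and /payment-submissions."""
    def __init__(self, auth):
        self.auth, self.payments, self.submissions = auth, {}, {}
    def post_payments(self, tpp_id, order):            # POST /payments
        pid = f"P{len(self.payments) + 1}"             # recording tr. post, PaymentID
        self.payments[pid] = (tpp_id, order)
        return pid
    def post_payment_submissions(self, token, pid):    # POST /payment-submissions
        owner = self.auth.tokens.get(token)
        if owner is None or owner[2] != pid or owner[0] != self.payments[pid][0]:
            raise PermissionError("token not bound to this TPP and PaymentID")
        sid = f"S{len(self.submissions) + 1}"          # PaymentSubmissionID
        self.submissions[sid] = pid                    # recording transaction data
        return sid

def initiate_payment(auth, fe, tpp_id, psu, order):
    """TPP side of the flow; returns (PaymentID, PaymentSubmissionID)."""
    pid = fe.post_payments(tpp_id, order)
    code = auth.authorise(tpp_id, psu, pid)            # via redirect of the PSU
    tok = auth.token(tpp_id, code)
    return pid, fe.post_payment_submissions(tok, pid)
```

The two checks worth keeping in a real implementation are the ones the toy enforces: an auth code is consumed on first use, and a token only submits the PaymentID it was issued for, on behalf of the TPP it was issued to.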
Strong Customer Authentication
Authentication based on two of the following elements: possession, knowledge, inherence
Initially implemented authentication solutions:
Static password (knowledge) and dynamic password sent via SMS (possession)
Static password (knowledge) in the mobile application with private key (possession)
Biometric identification (inherence) in the mobile application with private key (possession)
Potential of Online solution
Central point of entry: basic checks, routing
RESTful, OAuth 2.0, OpenID Connect: Open Banking standard
[Diagram: the central point of entry routes to several back-end instances: PSD2 Module vX.000 with Par vA.0000, vB.0000, vC.0000, vD.0000; MoonSol vY.000 with Par vE.0000, vF.0000, vG.0000, vH.0000]
Development roadmap for PSD2
Phase 1 (-2018.01)
• Already in progress:
  • Open API
  • SCA
Phase 2 (-2019.01)
• Exemptions management
• Fraud monitoring
Managing exemptions
Regulatory Technical Standards on Strong Customer Authentication and common and secure communication …
CHAPTER 3 EXEMPTIONS FROM STRONG CUSTOMER AUTHENTICATION, Articles 10 - 18
Exemptions from SCA:
Accessing the balance and payment transactions of the customer’s account (Article 10)
Contactless electronic payments (individual <50 EUR, cumulative <150 EUR or 5 consecutive payments) (Article 11)
Payment transaction at an unattended payment terminal for transport or parking fare (Article 12)
The payee is included in a list of trusted beneficiaries previously created or confirmed by the payer (Article 13)
The payer initiates a credit transfer where the payer and the payee are the same person and the accounts are held by the same ASPSP (Article 14)
Low value transactions (individual <30 EUR, cumulative <100 EUR or 5 consecutive payments) (Article 15)
… or the transaction is identified as a low-risk transaction by transaction risk analysis (Article 16)
Low-risk transactions
RTS SCA Article 16(2)(c):
no abnormal spending or behavioural pattern of the payer has been identified;
no unusual information about the payer’s device/software access has been identified;
no malware infection in any session of the authentication procedure has been identified;
no known fraud scenario in the provision of payment services has been identified;
the location of the payer is not abnormal;
the location of the payee is not identified as high risk.
IF exemptions are used based on risk analysis…
ASPSPs should monitor the fraud rates of remote card-based payments and credit transfers (Article 16(2)(a))
If the monitored fraud rate exceeds the EUR 100 ETV reference fraud rate for two consecutive quarters (180 days), then SCA should be applied until the fraud rates improve (Article 18(1)–(2))
Transaction monitoring WF
[Flowchart:]
Payment initiation
→ Blacklisted? Yes: Deny transaction
→ No: Exact RTS exemption? Yes: Perform without SCA
→ No: Transaction rating / Risk evaluation → Big risk? Yes: Perform with SCA; No: Perform without SCA
→ Transfer data to DWH
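As an added illustration, not code from the workshop or from the vendor’s PSD2 module, the exemption rules of Articles 11, 13, 14 and 15, the Article 16(2)(c) risk indicators, the Article 18 fraud-rate rule and the monitoring workflow above combined into one small decision engine. The Tx fields, the flag names and the sample values are assumptions; the thresholds are the ones quoted on the slides.

```python
# Added example, not from the workshop slides: a minimal SCA exemption engine
# following the RTS articles quoted above and the transaction monitoring workflow.
# Thresholds are the ones on the slides; Tx field names and values are assumed.
from dataclasses import dataclass
RISK_FLAGS = frozenset({"abnormal_spending", "unusual_device", "malware_detected",
                        "known_fraud_scenario", "abnormal_payer_location",
                        "high_risk_payee_location"})  # RTS SCA Art. 16(2)(c)

@dataclass
class Tx:
    amount_eur: float
    payee: str
    kind: str = "remote"                     # "remote" or "contactless" (assumed)
    trusted_beneficiaries: frozenset = frozenset()
    same_person_same_aspsp: bool = False
    since_last_sca_eur: float = 0.0          # exempted amount since the last SCA
    since_last_sca_count: int = 0            # exempted payments since the last SCA
    flags: frozenset = frozenset()           # RISK_FLAGS raised by monitoring

def rts_exemption(tx: Tx):
    """RTS article giving an exact exemption from SCA, or None. The slides give
    the cumulative limit OR 5 consecutive payments; both are checked here."""
    if tx.payee in tx.trusted_beneficiaries:
        return "Art.13"
    if tx.same_person_same_aspsp:
        return "Art.14"
    cumulative, ok_count = tx.since_last_sca_eur + tx.amount_eur, tx.since_last_sca_count < 5
    if tx.kind == "contactless" and tx.amount_eur < 50 and cumulative < 150 and ok_count:
        return "Art.11"
    if tx.kind == "remote" and tx.amount_eur < 30 and cumulative < 100 and ok_count:
        return "Art.15"
    return None

def decide(tx: Tx, blacklist: frozenset, tra_allowed: bool = True) -> str:
    """Workflow from the slides: blacklist, exact exemption, then risk analysis."""
    if tx.payee in blacklist:
        return "deny"
    if rts_exemption(tx):
        return "perform_without_sca"
    if not tra_allowed or tx.flags & RISK_FLAGS:  # big risk, or TRA suspended
        return "perform_with_sca"
    return "perform_without_sca"                  # low risk, Art. 16 exemption

def tra_suspended(quarterly_rates, reference_rate) -> bool:
    """RTS Art. 18: two consecutive quarters above the reference fraud rate
    suspend the risk-analysis exemption until a quarter falls back to or below it."""
    suspended = prev_above = False
    for rate in quarterly_rates:
        above = rate > reference_rate
        suspended = (suspended or (above and prev_above)) and above
        prev_above = above
    return suspended
```

The Article 16 branch is only taken while tra_suspended() returns False for the ASPSP’s own quarterly fraud rates, which is what the Article 18 slide requires.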
PSD2 Module
Functionality plans
Short term
• Create “building blocks”
• Parametrize scorecards
• Create evaluation ruleset
Long term
• Pattern recognition
• Neural networks
Future development roadmap
Phase 3
until 01.2019
• GDPR
• Online account creation
• Online loans
• Instant payment