isignthis - a simpler, faster and safer identity experience

Post on 15-Jul-2015

84 views

Category:

Economy & Finance


3 download

TRANSCRIPT

“A simpler, faster and safer identity experience”

Slide 1 (iSignthis © 2014)

ASX : ISX (listing March 2015)

EPSM March 2015. Presented by N J (John) Karantzis, B.E. LL.M. MEnt.

Slide 2

Who is iSignthis Ltd?

We are an ASX listed identity company, providing global, remote, fully automated KYC to assist with Anti Money Laundering / Counter Terrorism Funding compliance. We process payments in order to unlock identity and to verify ownership of payment instruments. We offer identity applications for consumer and merchant on-boarding.

Slide 3

European Forum on the Security of Retail Payments (SecuRe Pay):

• One Leg Out
• AML/CTF KYC
• Anti Fraud
• Two Factor Authentication
• Security
• Technology Neutral
• Online Payments

Slide 4

SecuRE Pay Members

• National Regulators & ECB agree SecuRE Pay scope, 2011-13
• ECB publishes Guidelines, Feb 2013
• EC accepts Guidelines into PSD2 draft, mid 2013
• EBA accepts Guidelines and regulates PSPs via National Regulators, Dec 2014
• ECB publishes Card Scheme Guidelines and regulates, Feb 2015

Slide 5

Scope : Security of Internet Payments

• Cards / Virtual Cards
• eWallets & Card onboarding
• Credit Transfers (CT)
• eMandates / direct debits
• eMoney account transfers

Source : ECB : ECB_SEcuREPAY_20130305_COGEPS_Item_B5

August 2015

Slide 6

Excluded from Scope

Excluded from the scope of SecuRE Pay:

– other internet services provided by a PSP via its payment website (e.g. e-brokerage, online contracts);
– payments where the instruction is given by post, telephone, voice mail or using SMS;
– mobile payments other than browser-based payments;
– CTs where a third-party accesses the customer’s payment account;
– payment transactions made by an enterprise via dedicated networks;
– card payments using anonymous and non-rechargeable physical or virtual pre-paid cards;
– clearing and settlement of payment transactions.

Source : ECB : Page 2, RECOMMENDATIONS FOR THE SECURITY OF INTERNET PAYMENTS FINAL VERSION AFTER PUBLIC CONSULTATION

Bafin ….. Regulatory Fragmentation?

Slide 7

Legal Basis – EBA’s role & PSPs (Payment Service Providers)

The EBA guidelines have been issued pursuant to Article 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (‘the EBA Regulation’).

In accordance with Article 16(3) of the EBA Regulation, national authorities and financial institutions must make every effort to comply with the guidelines.

Slide 8

Legal Basis – ECB’s Role & Liability Shift

Basis: ECB Recommendations, Scope, Page 1 : “Unless stated otherwise, the recommendations, key considerations and best practices specified in this report are applicable to all PSPs, as defined in the Payment Services Directive 2007/64/EC, providing internet payment services, as well as to governance authorities (GAs) of payment schemes (including card payment schemes, credit transfer schemes, direct debit schemes, etc.)”

Card Schemes : European Central Bank (2009), Harmonised oversight approach and oversight standards for payment instruments, and Feb 2015 “Guide for the assessment of such schemes against the oversight standards”.

Liability Shift is regulated by the ECB, not the EBA.

ECB Recommendations for the Security of Internet Payments KC 7.6 & Guide 3.3.2.4 : “All payment schemes should promote the implementation of strong customer authentication by introducing a liability regime for the participating PSPs in and across all European markets.”

Weakest Link Principle (footnote 22) : “The liability regime should provide that a PSP must refund other PSPs for any fraud resulting from weak customer authentication.”

Slide 9

What’s required – 3 key parts

1. General control and security environment
• Governance
• Risk assessment
• Incident monitoring and reporting
• Protection of sensitive payment data
• Risk control and mitigation
• Traceability

2. Customer awareness, education, and communication
• Customer education
• Provision of a secure channel for communication
• Notifications, setting of limits
• Customer access to information on the status of payment initiation and execution
• ‘Good Time’ for access of information

3. Specific control and security measures for internet payments
• Initial customer identification, information
• Strong customer authentication
• Transaction monitoring

(Brace annotation on the slide: PCI DSS)

Slide 10

Target Application
• Issuing Payment Service Providers (PSP)
• Acquiring Payment Service Providers (PSP)

Expanded definition of acquiring PSP : per EBA Scope Item 10 and ECB Scope Page 2

“Payment integrators offering payment initiation services are considered either as acquirers of internet payment services (and thus as PSPs) or as external technical service providers of the relevant schemes or PSPs. In the latter case, the payment integrators should be contractually required to comply with the guidelines.

Payment integrators provide the payee (i.e. the e-merchant) with a standardised interface to payment initiation services provided by PSPs.”

Policy Objective : “One Leg Out” Authentication, per ECB 2014 policy document.

Slide 11

Acquiring Side Specific Obligations

Three categories of requirement : Issuer, Acquirer, Common – Acquirers now have their own separate responsibilities outlined.

Specific Acquiring Side obligations:

3.4 & 4.8 Acquiring PSPs should contractually require e-merchants …….. If a PSP becomes aware that an e-merchant is not cooperating as required under the contract, it should take steps to enforce this contractual obligation, or terminate the contract. [e-Merchant - Comply or else!]

7.4 [cards] PSPs offering acquiring services ……….. perform strong authentication of the cardholder for the card payment schemes in which the acquirer participates.

7.5 [cards] PSPs offering acquiring services should require their e-merchant to support solutions ……….. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. ……. involving low-value payments, as referred to in the PSD. [Some room to move?]

10.2 Acquiring PSPs should have fraud detection and prevention systems in place to monitor e-merchant activities.

Slide 12

Technology Neutral Approach

Slide 13

Solutions should conform

The ECB and EPC have been coordinating to ‘standardise’ on behalf of PSPs.

DIY may be possible, but carries risks, and may not be acceptable.

The EPC has developed the SEPA Cards Volume (SCV) …… iSignthis has contributed as part of the Card Stakeholder Group.

EPC public consultation : 10 March 2015 until 5 June 2015.

Slide 14

How can we help?

ONE low cost integration to cover 3DS and non-3DS cards

• AUTOMATED FAST / LOW FRICTION global on-boarding
• Support for ALL MAIN payment types and methods (incl. telephone)
• LIABILITY SHIFT for SEPA issued card transactions
• MOBILE and TABLET friendly design
• Further FRAUD REDUCTION for all acquired transactions (global)
• Basis for both AML/CTF KYC and SecuRePay COMPLIANCE, incl. “one leg out”

… without deterioration to your checkout conversion rate

Slide 15

Summary

• Acquiring side PSPs must do something by August 2015
• Compliance as an acquiring PSP stands alone from the issuer
• Card schemes are obligated to introduce a liability shift for Strong Customer Authentication
• Policy driver includes “one leg out” transactions acquired from outside SEPA (to be introduced via PSD2)
• A single solution across multiple payment means is preferred

Slide 16

For further information contact:

EU office:
Marc Bongers [email protected] +31 624 447 841

Managing Director:
John Karantzis [email protected] +31 681 433 530