spf psd2 presentation january 2016 v1.1
TRANSCRIPT
1
The Human Chain Payment Services Directive 2
The Human Chain Ltd www.thehumanchain.com
Payments Services Directive 2
• Original Payment Service Directive 2007/64/EC adopted December 2007
• Since its adoption:
  • The retail payments market has experienced significant technical innovation
  • Rapid growth in the number of electronic and mobile payments
  • Emergence of new types of payment services in the marketplace
• Market developments have given rise to significant challenges from a regulatory perspective
  • Significant areas of the payments market (e.g. internet/mobile payments) remain fragmented along national borders
  • Many innovative payment products or services do not fall within the scope of the Directive
  • Elements excluded from the original scope, such as certain payment-related activities, have proved in some cases to be too ambiguous, too general or simply outdated
  • Resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas
  • Proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services
• The European Parliament believes there is a large positive potential which needs to be more consistently explored
2
PSD2 - Aims & Objectives
3
• Continue to harmonise the European payments landscape from a regulatory perspective
• To establish safer and more innovative payment services across the EU
• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers (including new players)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments
PSD2 - Overview
4
PSD2
Liability for Payments
Transparency of Payments & Charges
Strong Customer Authentication
Access to Payment Accounts
Greater Regulatory Oversight
Regulation on Interchange Fee for Card-based Payment Transactions – Dec 2015
PSD2 – Impacts & Implications
5
Business as Usual / Development
Liability for Payments
• Enhanced Consumer Rights
• “No questions asked” Refund Right for Direct Debits
• Allocation of Liability Between Payment Parties
• Unauthorised/Incorrectly Executed Transactions
• Disclosure of Payment Info
• Data Protection by Design/Default
Access to Accounts
• Access to Accounts
• Objective, Non-Discriminatory/Proportionate
• PISP, AISP & ASPSP
• ECB to Draft Regulatory Technical Standards (API)
• Common/secure open standards
• ID/auth, notification and information
Transparency of Payments & Charges
• Central Register of Companies Providing Payment Services
• Transparent Charging Principles
• Framework Contracts & Single Payments
• Full Disclosure of Charges
• Prohibition of Surcharging
Customer Authentication
• Introduction of strict security requirements for initiation & processing of payments
• Strong Customer Authentication procedure
• Dynamic linking
• Use of Multi-Factor Authentication
• Protect the Confidentiality and Integrity of Personalised Security Credentials
PSD2 Regulatory Oversight
Impact on systems, processes & documentation
Development, testing, auditing & reporting
PSD2 – Access to Accounts
6
• Access to Accounts will drive disruption (innovation) in payments
  • An accelerator for technology-driven disruption of incumbent banks by flexible and innovative service providers
  • Open the market to new entrants (Challengers, FinTechs etc.)
  • Drive new business opportunities (existing & new market entrants and a combination thereof)
  • Drive new business models and services
• What is Access to Accounts
  • It is an environment in which participants can share customer data, when explicit consent has been granted, with each other in a secure, automated fashion
• EBA Discussion Paper (pre-consultation & RTS)
  • “The requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers (ASPSP), PIS providers, AIS providers, payers, payees and other payment service providers”
• This all needs to be overlaid by HM Treasury's published “Call for evidence on data sharing and open data in banking”
PSD2 - Potential Opportunities
7
Customer Bank D Mortgage
Customer Bank C Investments
Customer Bank B Savings Account
Customer Bank A Current Account
Customer Bank A AISP
Direct Account Access / Third Party Access
Customer
Data Aggregation Model
Merchant
Customer Bank
iDeal (PISP)
Customer
Inter Bank Payment Network
Merchant’s Bank
Payment Initiation Service Provider
PSD2 - Potential Opportunities
8
Customer
Customer Bank D Mortgage
Customer Bank C Investments
Customer Bank B Savings Account
Customer Bank A Current Account
Customer Bank A AISP
Direct Account Access / Third Party Access
Social Media Networks
Foreign Exchange Services
News Feeds
Delivering Financial Services & Relevant Content
PSD2 – Strong Customer Authentication
9
• EBA Discussion Paper (pre-consultation & RTS) – Strong Customer Authentication
• Article 97(1) & (3) strong customer authentication applies to:
  • Access to payment accounts online
  • Initiation of any electronic payment transaction
  • Any action through a remote channel that may imply a risk of payment fraud or other abuses, including online or mobile payments
• Article 97(2) provides that, with regard to the initiation of electronic remote payment transactions, PSPs shall apply strong customer authentication, which includes elements that dynamically link the transaction to a specific amount and a specific payee
• Article 4(29) ‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials
• PSD2 defines authentication as any procedure which allows the PSPs to verify the identity of a PSU or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials (PSC)
PSD2 – Strong Customer Authentication
10
• Article 4(30) provides that strong customer authentication means:
  • Knowledge (something only the user knows)
  • Possession (something only the user possesses)
  • Inherence (something the user is)
  • That are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
• Article 98.3 specifies that exemptions for strong customer authentication shall be based on the following criteria:
  • Level of risk involved in the service provided
  • Amount and/or the recurrence of the transaction
  • Payment channel used for the execution of the transaction
• Things are not yet clear and many issues remain to be worked through before clarification and understanding of Strong Customer Authentication
PSD2 - Timescales
11
• PSD2 has been published in the OJEU and entered into force on 12 January 2016
• Member States must transpose PSD2 into national law by 13 January 2018
• However, as directed by the European Commission, the EBA has 12 months to define the Regulatory Technical Standards (RTS):
  • Secure Authentication
  • Secure Communications (Access to Accounts)
  • Other RTS to be published
• The RTS will apply 18 months after adoption of the standards by the Commission (i.e. no earlier than October 2018)
PSD2 - Summary
12
• PSD2 published in the OJEU and entered into force on 12 January 2016
  • Transposition into National Law January 2018
  • RTS transposition October 2018 onwards
• Programme of work to achieve compliance:
  • Systems, processes and documentation
  • Development, testing, auditing and reporting
• Access to Accounts
  • Need to take into consideration HMT Open Banking initiative
• Regulation driving innovation
  • Open the market to new entrants (Challengers, FinTechs etc.)
  • Drive new business opportunities (existing & new market entrants and a combination thereof)
  • Drive new business models and services
White Paper published on PSD2 and Open Banking: www.thehumanchain.com
13
Brendan Jones The Human Chain Limited Magdalen Centre The Oxford Science Park Oxford OX4 4GA United Kingdom Mob: +44 7785 388 867 Tel: +44 1865 784 386 Fax: +44 1865 784 387 E-mail: [email protected] Web: www.thehumanchain.com
www.digitalservicestoolkit.com
13
how can we help - what we do
14
technology consultancy
business consultancy
digital service realisation
test and learn, PoC and demo toolkit
DST