SPF PSD2 Presentation January 2016 V1.1

Upload: brendan-jones

Post on 07-Jan-2017

TRANSCRIPT

Page 1: SPF PSD2 Presentation January 2016 V1.1

The Human Chain Payment Services Directive 2

The Human Chain Ltd www.thehumanchain.com

Page 2: SPF PSD2 Presentation January 2016 V1.1

Payments Services Directive 2

•  Original Payment Service Directive 2007/64/EC adopted December 2007
•  Since its adoption:
    •  The retail payments market has experienced significant technical innovation
    •  Rapid growth in the number of electronic and mobile payments
    •  Emergence of new types of payment services in the marketplace
•  Market developments have given rise to significant challenges from a regulatory perspective
    •  Significant areas of the payments market (e.g. internet/mobile payments) remain fragmented along national borders
    •  Many innovative payment products or services do not fall within the scope of the Directive
    •  Elements excluded from original scope, such as certain payment-related activities, have proved in some cases to be too ambiguous, too general or simply outdated
    •  Resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas
    •  Proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services
•  The European Parliament believes there is a large positive potential which needs to be more consistently explored

Page 3: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Aims & Objectives

•  Continue to harmonise the European payments landscape from a regulatory perspective
•  To establish safer and more innovative payment services across the EU
•  Contribute to a more integrated and efficient European payments market
•  Improve the level playing field for payment service providers (including new players)
•  Make payments safer and more secure
•  Protect consumers
•  Encourage lower prices for payments

Page 4: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Overview

PSD2

Liability for Payments

Transparency of Payments & Charges

Strong Customer Authentication

Access to Payment Accounts

Greater Regulatory Oversight

Regulation on Interchange Fee for Card-based Payment Transactions – Dec 2015

Page 5: SPF PSD2 Presentation January 2016 V1.1

PSD2 – Impacts & Implications

Liability for Payments
•  Enhanced Consumer Rights
•  “No questions asked” Refund Right for Direct Debits
•  Allocation of Liability Between Payment Parties
•  Unauthorised / Incorrectly Executed Transactions
•  Disclosure of Payment Info
•  Data Protection by Design / Default

Access to Accounts
•  Access to Accounts
•  Objective, Non-Discriminatory / Proportionate
•  PISP, AISP & ASPSP
•  ECB to Draft Regulatory Technical Standards (API)
•  Common / secure open standards
•  ID / auth, notification and information

Transparency of Payments & Charges
•  Central Register of Companies Providing Payment Services
•  Transparent Charging Principles
•  Framework Contracts & Single Payments
•  Full Disclosure of Charges
•  Prohibition of Surcharging

Customer Authentication
•  Introduction of strict security requirements for initiation & processing of payments
•  Strong Customer Authentication procedure
•  Dynamic linking
•  Use of Multi-Factor Authentication
•  Protect the Confidentiality and Integrity of Personalised Security Credentials

PSD2 Regulatory Oversight

Business as Usual
Development

Impact on systems, processes & documentation
Development, testing, auditing & reporting

Page 6: SPF PSD2 Presentation January 2016 V1.1

PSD2 – Access to Accounts

•  Access to Accounts will drive disruption (innovation) in payments
    •  An accelerator for technology driven disruption of incumbent banks by flexible and innovative service providers
    •  Open the market to new entrants (Challengers, FinTechs etc.)
    •  Drive new business opportunities (existing & new market entrants and a combination thereof)
    •  Drive new business models and services
•  What is Access to Accounts
    •  It is an environment in which participants can share customer data, when explicit consent has been granted, with each other in a secure, automated fashion
•  EBA Discussion Paper (pre-consultation & RTS)
    •  “The requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers (ASPSP), PIS providers, AIS providers, payers, payees and other payment service providers”
•  This all needs to be overlaid by HM Treasury's published “Call for evidence on data sharing and open data in banking”

Page 7: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Potential Opportunities

[Diagram: Data Aggregation Model. Labels: Customer; Customer Bank A AISP; Customer Bank A Current Account; Customer Bank B Savings Account; Customer Bank C Investments; Customer Bank D Mortgage; Direct Account Access; Third Party Access]

[Diagram: Payment Initiation Service Provider. Labels: Customer; Merchant; Customer Bank; iDeal (PISP); Inter Bank Payment Network; Merchant’s Bank]

Page 8: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Potential Opportunities

[Diagram: Delivering Financial Services & Relevant Content. Labels: Customer; Customer Bank A AISP; Customer Bank A Current Account; Customer Bank B Savings Account; Customer Bank C Investments; Customer Bank D Mortgage; Direct Account Access; Third Party Access; Social Media Networks; Foreign Exchange Services; News Feeds]

Page 9: SPF PSD2 Presentation January 2016 V1.1

PSD2 – Strong Customer Authentication

•  EBA Discussion Paper (pre-consultation & RTS) – Strong Customer Authentication
•  Article 97(1) & (3) strong customer authentication applies to:
    •  Access to payment accounts online
    •  Initiation of any electronic payment transaction
    •  Any action through a remote channel that may imply a risk of payment fraud or other abuses, including online or mobile payments
•  Article 97(2) provides that, with regard to the initiation of electronic remote payment transactions, PSPs shall apply strong customer authentication, which includes elements that dynamically link the transaction to a specific amount and a specific payee
•  Article 4(29) ‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials
•  PSD2 defines authentication as any procedure which allows the PSPs to verify the identity of a PSU or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials (PSC)
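The dynamic linking that Article 97(2) calls for, sketched as an added illustration that is not part of the presentation or of any EBA standard: an HMAC-based authentication code computed over the amount and the payee, so that a code approved for one payment fails verification if either is changed. The key, the nonce, the field layout and all function names are assumptions made for this example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo values; none of them come from the presentation.
DEVICE_KEY = b"constructed-demo-key"      # hypothetical per-user key
PAYEE = "GB00TEST00000000000001"          # constructed, not a real IBAN
OTHER_PAYEE = "GB00TEST00000000000002"    # constructed, not a real IBAN
NONCE = "txn-0001"                        # hypothetical one-time challenge


def canonical(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the linked fields in one unambiguous form."""
    value = Decimal(amount)
    if value != value.quantize(Decimal("0.01")):
        raise ValueError("amount has more than two decimal places")
    fields = [f"{value:.2f}", currency.upper(),
              payee.replace(" ", "").upper(), nonce]
    # Length-prefix every field so bytes cannot slide between fields.
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def authentication_code(key: bytes, amount: str, currency: str,
                        payee: str, nonce: str) -> str:
    """Code the payer's device produces after showing amount and payee."""
    msg = canonical(amount, currency, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, code: str, amount: str, currency: str,
           payee: str, nonce: str) -> bool:
    """PSP side: recompute over the transaction actually submitted."""
    expected = authentication_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    code = authentication_code(DEVICE_KEY, "25.00", "EUR", PAYEE, NONCE)
    return {
        "same payment": verify(DEVICE_KEY, code, "25", "eur", PAYEE, NONCE),
        "amount changed": verify(DEVICE_KEY, code, "2500.00", "EUR", PAYEE, NONCE),
        "payee changed": verify(DEVICE_KEY, code, "25.00", "EUR", OTHER_PAYEE, NONCE),
        "code replayed": verify(DEVICE_KEY, code, "25.00", "EUR", PAYEE, "txn-0002"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; the canonical form makes "25" and "25.00" equivalent while a changed amount, payee or challenge invalidates the code.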

Page 10: SPF PSD2 Presentation January 2016 V1.1

PSD2 – Strong Customer Authentication

•  Article 4(30) provides that strong customer authentication means:
    •  Knowledge (something only the user knows)
    •  Possession (something only the user possesses)
    •  Inherence (something the user is)
    •  That are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
•  Article 98.3 specifies that exemptions for strong customer authentication shall be based on the following criteria:
    •  Level of risk involved in the service provided
    •  Amount and/or the recurrence of the transaction
    •  Payment channel used for the execution of the transaction
•  Things are not yet clear and many issues to be worked through before clarification and understanding of Strong Customer Authentication

Page 11: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Timescales

•  PSD2 has been published in the OJEU and entered into force on 12 January 2016
•  Member States must transpose PSD2 into national law by 13 January 2018
•  However, as directed by the European Commission, the EBA has 12 months to define the Regulatory Technical Standards (RTS):
    •  Secure Authentication
    •  Secure Communications (Access to Accounts)
    •  Other RTS to be published
•  The RTS will apply 18 months after adoption of the standards by the Commission (i.e. no earlier than October 2018)

Page 12: SPF PSD2 Presentation January 2016 V1.1

PSD2 - Summary

•  PSD2 published in the OJEU and entered into force on 12 January 2016
    •  Transposition into National Law January 2018
    •  RTS transposition October 2018 onwards
•  Programme of work to achieve compliance:
    •  Systems, processes and documentation
    •  Development, testing, auditing and reporting
•  Access to Accounts
    •  Need to take into consideration HMT Open Banking initiative
•  Regulation driving innovation
    •  Open the market to new entrants (Challengers, FinTechs etc.)
    •  Drive new business opportunities (existing & new market entrants and a combination thereof)
    •  Drive new business models and services

White Paper published on PSD2 and Open Banking: www.thehumanchain.com

Page 13: SPF PSD2 Presentation January 2016 V1.1

Brendan Jones
The Human Chain Limited
Magdalen Centre, The Oxford Science Park, Oxford OX4 4GA, United Kingdom
Mob: +44 7785 388 867
Tel: +44 1865 784 386
Fax: +44 1865 784 387
E-mail: [email protected]
Web: www.thehumanchain.com

www.digitalservicestoolkit.com

Page 14: SPF PSD2 Presentation January 2016 V1.1

how can we help - what we do

technology consultancy

business consultancy

digital service realisation

test and learn, PoC and demo toolkit

DST