IAPP CIPT – GDPR and Payment Services Directive (PSD2) Part 2
5. New types of service providers – TPPs
Hi, guys. In this lesson, we’ll discuss the rules for new types of payment service providers. What are payment initiation services? PSD2 opens the European Union payment market to companies offering consumer- or business-oriented payment services based on access to information from the payment account: so-called payment initiation service providers (PISPs) and account information service providers (AISPs).
Payment initiation service providers typically help consumers make online credit transfers and inform the merchant immediately of the payment initiation, allowing for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute a true alternative to credit card payments, as they offer an easily accessible payment service: the consumer only needs to possess an online payment account.
What are account information services? Account information services allow consumers and businesses to have a global view of their financial situation, for instance by enabling consumers to consolidate the different payment accounts they may have with one or more banks and to categorize their spending according to different typologies (food, energy, rent, leisure, et cetera), thus helping them with budgeting and financial planning. What is payment instrument issuing? The issuing of a payment instrument is one of the payment services that falls within the scope of PSD1 and of PSD2. Any authorized payment service provider, be it a bank or a payment institution, can issue payment instruments.
Payment instruments do not only cover payment cards, such as debit cards and credit cards, but any personalized device or set of rules agreed between the issuer and the user that is used to initiate a payment. PSD2 allows payment service providers that do not manage the account of the payment service user to issue card-based payment instruments on that account and to execute card-based payments from it. Such a third-party payment service provider, which could be a bank not servicing the account of the payer, will be able, with the consent of the user, to receive from the financial institution where the account is held a confirmation as to whether there are sufficient funds on the account for the payment to be made. What opportunities will these providers offer to consumers and enterprises?
The payment initiation service providers allow consumers that shop online to pay for their purchases through a simple credit transfer from their payment account. In some countries, these services are already in use. By providing a proper legal framework in which these services can be offered, PSD2 opens possibilities for providers of these services to operate across the European Union and to compete on an equal basis with other regulated players in the market, such as banks. Account information service providers already exist today and offer tools that allow companies and consumers to have a consolidated view of their financial situation.
Today, these services are not regulated, at least at European Union level. PSD2 will provide a common framework with clear conditions under which these providers can access financial information on behalf of their clients. This will allow these service providers to operate without hindrance and to reach a broader audience that normally does not make use of such account management services.
Today, account holders are not obliged to use payment instruments offered by the same payment service provider with which they hold their account. For example, credit cards are provided not only by the bank where the user holds their account, but also by third-party providers. This does not work, however, in the case of debit cards, where payment service providers have found it very difficult to offer such a payment service in connection with accounts not held by them.
The source of these difficulties is the fact that these third-party providers do not have access to feedback information on the availability of funds on accounts held at other financial institutions. PSD2 lifts this obstacle, so consumers are likely to benefit from competitive card services offered by third-party providers. Will these providers be subject to the same rules as other payment institutions? Authorization and security: PSD2 requires that all payment service providers be authorized and regulated.
The inclusion of new payment providers within the scope of PSD2 will allow competent authorities to better monitor and supervise the activities of these new players. PSD2 also fully clarifies the liability issues between the bank servicing the payer’s account and the payment initiation service provider. When a payment initiation service provider is used by a payer to initiate a payment, it will be liable for any payment incidents within its sphere. In particular, the bank of the payer shall not be held liable for payment incidents that can be traced back to the initiator.
To what extent will these providers have access to information on my payment or bank account? These new providers will only be allowed to provide the services the payer decides to make use of. In order to provide these services, they will not have full access to the payer’s account. Those offering payment instruments or payment initiation services will only be able to receive information from the payer’s bank on the availability of funds (a yes or no answer) before initiating the payment, with the explicit consent of the payer.
Account information service providers will receive the information explicitly agreed by the payer and only to the extent necessary for the service provided to the payer. The security credentials of payment service users shall not be accessible to other third parties and will have to be transmitted through safe and efficient channels to the bank servicing the account. A dynamically generated code, only valid for that specific transaction and linked to the amount and recipient, will have to be used in the authentication process.
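As an added illustration (not part of the course material) of the dynamic linking requirement just described, the following Python sketches a bank-side SCA check in which the one-time code is an HMAC over a transaction’s id, amount and payee, so a code approved for one payment is rejected if the amount or payee is altered or if it is presented a second time. The key, IBANs and transaction values are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not from the course: a bank-side SCA server that issues a
# one-time code bound to one transaction's amount and payee (dynamic linking)
# and rejects tampered or replayed confirmations. Key and data are constructed.

SCA_KEY = b"constructed-demo-key-replace-in-practice"


@dataclass(frozen=True)
class Transaction:
    tx_id: str          # unique per authentication attempt
    amount_cents: int
    payee_iban: str     # constructed, not a real IBAN


def dynamic_linking_code(tx: Transaction, key: bytes = SCA_KEY, digits: int = 8) -> str:
    """HMAC over id, amount and payee, truncated to a readable numeric code."""
    msg = f"{tx.tx_id}|{tx.amount_cents}|{tx.payee_iban}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    num = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return str(num).zfill(digits)


class ScaServer:
    def __init__(self, key: bytes = SCA_KEY):
        self._key = key
        self._pending: dict[str, Transaction] = {}  # what the payer was shown
        self._used: set[str] = set()

    def challenge(self, tx: Transaction) -> str:
        """Record the transaction shown to the payer and return the code
        (in practice delivered out of band; here returned directly)."""
        self._pending[tx.tx_id] = tx
        return dynamic_linking_code(tx, self._key)

    def verify(self, tx: Transaction, code: str) -> bool:
        """Accept only if amount/payee match the challenge and it is unused."""
        shown = self._pending.get(tx.tx_id)
        if shown is None or tx.tx_id in self._used:
            return False                     # unknown id or replay
        if shown != tx:
            return False                     # amount or payee changed in transit
        expected = dynamic_linking_code(shown, self._key)
        if not hmac.compare_digest(expected, code):
            return False
        self._used.add(tx.tx_id)
        del self._pending[tx.tx_id]
        return True


def demo() -> dict:
    server = ScaServer()
    tx = Transaction("tx-0001", 1250, "DE00 CONSTRUCTED 0001")
    code = server.challenge(tx)  # payer approves "EUR 12.50 to DE00 ..." with this code
    results = {}
    # amount or payee altered after approval: the code no longer matches
    results["tampered_amount"] = server.verify(
        Transaction(tx.tx_id, 99900, tx.payee_iban), code)
    results["tampered_payee"] = server.verify(
        Transaction(tx.tx_id, tx.amount_cents, "DE00 ATTACKER 9999"), code)
    results["legitimate"] = server.verify(tx, code)
    results["replay"] = server.verify(tx, code)  # same code presented again
    return results


if __name__ == "__main__":
    print(demo())
```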
6. Impact of PSD2 to financial services industry
Hi guys. In this lesson, we’ll discuss the impact of these new regulations on the financial industry. There are some terms we’ll use in this lesson: RTS (regulatory technical standards), SCA (strong customer authentication), PISP (payment initiation service provider), RBA (risk-based authentication) and TPP (third-party processor). So let’s first discuss banks. The responsibility for authentication and payment is definitely on banks. Payment initiation service providers (PISPs) have the right to rely on the authentication procedures provided by the bank, unless there is some substantiated reason for the bank to object. This authentication must include real-time fraud detection and prevention.
The final RTS calls for SCA on higher-risk transactions and allows many low-risk transactions (parking meters, toll booths, recurring subscriptions) to use risk-based authentication (RBA). Consumers may appreciate the added level of protection, but in general, RBA has been shown to increase transaction volume up to 4% for banks and merchants. Banks will want to enable SCA and RBA in ways that afford as little friction as possible. Given their specific role and the potential for disintermediation and customer loss, banks will need to leverage their reach and team with third-party processors (TPPs) to roll out new applications of their own. For most institutions, this will require a realignment of strategy, culture, skill sets and infrastructure. This is also an opportunity for banks to build on existing margins by streamlining their internal processes through open infrastructures. Regarding fintechs, PSD2 will further accelerate innovation in the fintech sector by arming new entrants with the tools they need to offer compelling new apps and services. However, all that open access comes with a cost: largely unregulated until now, providers will face more regulatory scrutiny.
For example, they will no longer be allowed to engage in screen scraping, which is susceptible to man-in-the-middle attacks and other forms of fraud. While customer account information is now open, access to it is narrowly defined. What’s more, they will potentially face market saturation, making it harder to gain a foothold. To maximize the benefits of PSD2, providers will likely gravitate toward collaborating with more well-known and trusted banks, embracing competition if not full cooperation or even outright capitulation to partner mandates. Payments and commerce: for payment service providers (PSPs), the RTS puts them in new territory. With authentication squarely in the banks’ hands, PSPs are forced to cede to them to facilitate transactions. Should there be complaints made to PSPs or retailers, the banks can decline the authentication altogether.
Merchants are allowed to maintain recurring charges to registered users as well as payee-initiated payment methods such as direct debit. Cross-border payments represent an area where PSPs may have dodged a bullet. Previous versions of the standard stipulated that both sides of a transaction needed to use SCA. Now, as long as the EU-based PSP has it, transactions can go through. The catch is that fraudulent transactions will no doubt reflect on the PSP, which could cause future transactions to be rejected by banks. In conclusion, it’s worth noting that the RTS must still be ratified by the European Commission. That means the standards may still be amended before final approval. But once that happens, they will become law as early as November 2018. As anyone undergoing a massive transformation effort will tell you, the days are long, but the months are mercilessly short. So for those in the financial industry, it’s time to get started.
7. New risks associated with the TPPs
Hi, guys. In this lesson, we’ll discuss the new risks associated with third-party processors, or TPPs. As we discussed before, PSD2 is currently the hot topic across the payment industry in Europe. One of the main changes is the creation of new payment actors, third-party providers (TPPs). We will soon witness several non-banking entities enter the payment space as TPPs, for example social media platforms and other fintechs. In a digital world in which 50% of buying decisions are initially researched via social networks or other online and mobile applications, this will be a game changer for traditional banks and financial organizations. These changes will undoubtedly open new channels and offer a wider range of value-added services, but they can also contribute to an increased risk of fraudulent activities. Traditional financial organizations have so far enjoyed a bilateral relationship with their customers. Things will soon change when TPPs enter the market with new services.
Consequently, as custodians of the customer accounts, banks will see an even higher volume of transactions. This will be on top of requests through their existing digital channels, already challenged by growing consumer demand for mobile payments, and will soon include new requests made via TPPs. As banks cannot deny access to TPPs under the PSD2 mandate, their existing fraud detection systems will be under pressure to cope with the new payment channels. Banks will require robust, powerful and scalable fraud management platforms to sustain the high data throughput and the velocity of requests in real time.
The window for investigations will be significantly reduced, and banks will need to rely on advanced analytics and automation to mitigate the increased fraud risks. Following the release of the final regulatory technical standards (RTS), scheduled for the fourth quarter of 2018, account information service providers and payment initiation service providers will be geared up to offer their services to consumers, acting as intermediaries between the end customers and their banks. The banks will remain the custodians of funds in the customer accounts, and the onus will therefore be primarily on them to ensure that incoming requests are not fraudulent. Banks already face a challenge in securing online transactions as it stands, and this remains after PSD2 takes effect.
This problem will be further exacerbated as requests could be made via third parties, through which the bank will not have direct interactions with consumers. Requests made via TPPs may be susceptible to third-party fraud powered by malware or social engineering techniques, and fraudsters could use the TPPs as an obfuscation layer to confuse the bank’s fraud defenses. A major change introduced by PSD2 is access to banks’ data infrastructure and customer accounts through APIs (application programming interfaces). Any new digital channel carries inherent fraud risks, and fraudsters could seize the opportunity to impersonate genuine customers, harvest information on them through account information service providers, and use it to open fraudulent credit accounts on their behalf.
Access to accounts can also be an attack vector for data breaches, for which banks could be liable for heavy fines under regulations such as GDPR. Standard business rules or even existing predictive models might not be effective against such risks. There is also concern that banks may not receive all of the relevant data through TPPs (device information, session data), and this could reduce the effectiveness of existing customer profiling tools and existing predictive models. One way to tackle this conundrum is to use forward-looking analytical techniques such as anomaly detection. For example, deviations from the peer-group pattern for an account information service provider can be indicative of malware harvesting customer information. Likewise, a high-value transfer to a foreign account made through a payment initiation service provider can be deemed anomalous for a customer with no such history.
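As an added example that is not from the course, the following Python implements the two anomaly checks mentioned above over constructed TPP traffic: a high-value transfer abroad through a PISP for a customer with no such history, and an AISP whose accounts-read rate deviates from its peer group. Customer names, TPP names, amounts and thresholds are all made up for the illustration.

```python
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List

# Added example, not from the course: two anomaly checks a bank could run on
# requests arriving through TPPs. All names, thresholds and data are constructed.

HOME_COUNTRY = "DE"


@dataclass
class Request:
    customer: str
    channel: str                    # "PISP" (payment initiation) or "AISP" (account info)
    tpp: str                        # constructed TPP name
    amount_cents: int = 0           # PISP only
    dest_country: str = HOME_COUNTRY
    accounts_read: int = 0          # AISP only: accounts pulled in this session


def pisp_transfer_anomalous(req: Request, history: List[Request],
                            factor: float = 3.0) -> bool:
    """High-value transfer abroad for a customer with no such history."""
    if req.channel != "PISP" or req.dest_country == HOME_COUNTRY:
        return False
    prior = [h for h in history
             if h.customer == req.customer and h.channel == "PISP"]
    if any(h.dest_country == req.dest_country for h in prior):
        return False                # customer has paid this destination before
    # largest transfer the customer has made so far (0 for a new customer,
    # so any foreign transfer with no history at all is flagged for review)
    largest = max((h.amount_cents for h in prior), default=0)
    return req.amount_cents > factor * largest


def aisp_peer_group_outliers(requests: List[Request],
                             factor: float = 3.0) -> Dict[str, float]:
    """AISPs whose mean accounts-read-per-session far exceeds their peers."""
    reads: Dict[str, List[int]] = {}
    for r in requests:
        if r.channel == "AISP":
            reads.setdefault(r.tpp, []).append(r.accounts_read)
    rate = {tpp: mean(v) for tpp, v in reads.items()}
    flagged: Dict[str, float] = {}
    for tpp, own in rate.items():
        peers = [v for t, v in rate.items() if t != tpp]
        if peers and own > factor * median(peers):
            flagged[tpp] = own
    return flagged


# Constructed history and traffic.
HISTORY = [
    Request("alice", "PISP", "pay-app", 3000),
    Request("alice", "PISP", "pay-app", 4500),
    Request("alice", "PISP", "pay-app", 2000),
    Request("bob", "PISP", "pay-app", 120000, "FR"),
    Request("bob", "PISP", "pay-app", 80000, "FR"),
]
AISP_TRAFFIC = (
    [Request(f"c{i}", "AISP", "budget-app", accounts_read=2) for i in range(10)]
    + [Request(f"c{i}", "AISP", "saver-app", accounts_read=3) for i in range(10)]
    + [Request(f"c{i}", "AISP", "tax-app", accounts_read=2) for i in range(10)]
    + [Request(f"c{i}", "AISP", "harvest-app", accounts_read=40) for i in range(10)]
)


def demo() -> dict:
    return {
        "alice_large_to_PL": pisp_transfer_anomalous(
            Request("alice", "PISP", "pay-app", 60000, "PL"), HISTORY),
        "bob_usual_to_FR": pisp_transfer_anomalous(
            Request("bob", "PISP", "pay-app", 150000, "FR"), HISTORY),
        "alice_domestic": pisp_transfer_anomalous(
            Request("alice", "PISP", "pay-app", 60000), HISTORY),
        "aisp_outliers": aisp_peer_group_outliers(AISP_TRAFFIC),
    }


if __name__ == "__main__":
    print(demo())
```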
There is a common misconception that PSD2 mandates the need for instant payments. As much as this would benefit consumers, it is not the case. Instant payments are driven by a separate but related initiative, SCT Inst (SEPA Instant Credit Transfer), which goes live in November 2017, so it’s already there. Countries such as Sweden, Denmark and the UK already have such schemes (for example, Faster Payments in the UK). But soon SEPA Instant Credit Transfer will roll out instant payments across the whole region, making instant European cross-border payments a reality.
The processing of SEPA instant payments will be at the transaction level and the payments will be cleared in real time. Instant payments require instant fraud decisions, and here again, as with PSD2 TPP requests, traditional rules-based fraud solutions may not cope with the huge volume and high velocity of incoming requests. In summary, the payments world is at a crossroads at which many technologies, regulations and market drivers interact. It’s obvious that the future is being shaped to offer a wider range of easy-to-use, mobile and flexible payment solutions designed with consumer centricity in mind and challenging the rigid framework of traditional banking.
While this happens, all payment actors need to be wary of fraud risks. Fraudsters are constantly evolving and may use this transitional state of play to their advantage by exploiting potential gaps in the payments process. Financial organizations therefore need to invest in or upgrade to a holistic fraud platform that uses a range of advanced techniques to mitigate the early signs of fraud and derive actionable intelligence from data. In other words, they need to adopt a proactive strategy and reduce their fraud permeability through a hybrid ecosystem using discovery analytics, layered detection and adaptive authentication.
8. Banks are caught between GDPR and PSD2
Hi guys. In this lesson we’ll discuss banks and why they are trapped between GDPR and PSD2. As we discussed before, the Payment Services Directive 2 is a new European Union banking and finance regulation that has been up and running since January 2018, and it is designed to shake up the finance sector. The banks are considered to be too powerful and monolithic, with sole and complete ownership of their customers’ financial data. The European bureaucrats want to introduce some competition. Their chosen route is to force the banks to provide APIs that will allow third-party apps to access customer data and provide new services not currently offered by the banks. The bureaucrats believe that an array of third parties will then invigorate the payments and finance markets for end users.
And again, this is a good thing, as we described in the previous section. There are enormous difficulties for the banks, for while they are required to give third parties access to customer data, they will remain liable for the security of that data under the General Data Protection Regulation (GDPR). Consider the case where this is done via a social media organization. That organization will build an app that provides access to and uses its customers’ financial data. The banks can authenticate the social media organization, but the social media app authenticates the user. It is possible, then, that access to customer financial data will be controlled only by a social media log-on, and that will almost certainly be less secure than the multi-factor and behavioral security measures that many banks currently use. But where there are problems, there are also opportunities.
The banks that provide effective and efficient APIs could attract new customers from banks that provide poor APIs, all stemming from the quality of the third-party apps that use those APIs. There are two reasons, for example, for American banks and other global banks to conform to this new European regulation. Firstly, American banks with a European operation will be required to do so. Secondly, European banks with an American operation will bring their APIs with them. Since the customer will be the biggest winner in this new world of open banking, American banks not offering a similar service will be at a disadvantage. American banks should be rushing to implement open banking on their own.
It is a major step forward for banking. The GSM Association (GSMA), the trade body that represents mobile operators with more than 1000 full and associate members, agrees that US banks should get involved. It should not take a law for American banks to take up PSD2 principles: instilling consumer confidence that money is safe with fewer clunky security measures will mean more customers want to use their service and trust the company. GSMA believes that mobile banking is inherently secure. Operators can leverage user data such as location, account and usage history, which in turn can be used to verify transactions. Moreover, this rich data can also help minimize instances of account takeover fraud.
So if someone tries to change the mobile number associated with the bank account, the operator can determine if the original mobile number is still in use and use it to alert the customer to any suspicious changes to their personal details. Like many regulations, PSD2 describes what must be done, but not how it can be achieved. This leads to difficulties both for third-party app developers and for the banks themselves. For the developers, it does mandate two-factor authentication, but that is about all. While there are some de facto API standards, such as REST and OAuth, there is no standard for the PSD2 banking APIs. The APIs of different banks could all be completely different in how they work, how their authentication is achieved, and so on.
The practical problem for an organization trying to consume these APIs is that the third party potentially has to build a different adapter for every bank. For the banks, one difficulty will be in maintaining their own strict authentication requirements. PSD2 is clear that the banks are still responsible for customer data ownership and the safety of that data. So if the third party gets hold of the data and its access controls are not particularly strong, and someone else gets hold of the data, accidentally or deliberately, the bank is still liable for the third party’s failure. The only way the banks can counter this is to bring the technology and countermeasures they already have in their own apps to bear in this space and enforce their own authentication standards through the API, so that they have direct communication with the customer before the third party can get access to the data. GSMA agrees that the banks are caught between PSD2 and GDPR.
If banks aren’t completely certain of the provenance of a request and decline a request from a service provider, they could be in violation of PSD2. But if a data breach then takes place, they could also become liable under the rules of GDPR. PSD2 is a done deal and is already in effect. European banks cannot avoid it, and American banks with a European presence will need to comply. For European customers, however, the global nature of big bank operations means that PSD2 APIs will inevitably come into play in the US. When that happens, US banks unable to take part in the new world of open banking will be at a distinct disadvantage to those that do.