PSD2 Meeting with CEFTAS
January 19th 2017
www.pwc.cz/tc
www.pwc.cz/psd2
CONFIDENTIAL
PwC
Our Topics
1. Current status of PSD2 implementation
   1. PSD2 changes in nutshell
   2. PSD2 roadmap
   3. PSD2 documentation overview
   4. Current status of Czech Market (banks, FTs, standards)
   5. Other activities influencing Czech payment market
2. Current status of EBA technical standards
3. Archetypes of PSD2 market players
4. Way forward
Current status of PSD2 implementation
PSD2 establishes a regulatory framework that harmonises, increases competition and sets new rules of play in FS space
PSD2 aims
1. Harmonization of the heterogeneous framework of payments in EU
2. Regulation of new market players and incentive to develop innovative tools
3. Expansion of competitive space
4. Greater transparency and consumer protection: the expansion of the operations' platform and the possibility for the Payment Service Provider (PSP) and other players to offer different payment solutions turn into lower costs for users and provide an incentive to innovate, alongside stricter complaints management
5. Uniform fees
PSD2 is a key catalyst of change: it aims to make payments easier, more efficient and more secure, and to bring in new players

Key changes

THIRD PARTY PROVIDERS (TPPs)
A major part of the Commission's reform plans consists of new rules designed to open up access to payment account information to third parties.
The proposals reflect the growing number of account aggregators that enable customers to access different online banking accounts, including credit cards, current and savings accounts, through a single online portal, and the other financial technology companies moving into the payments sphere.

NEW SECURITY REQUIREMENTS
Strong Customer Authentication (SCA): ensures full compliance with the required ECB safety standards. An SCA system uses two out of three traditional authentication tools: biometric recognition, a PIN or a password, and a token.
E-Identity (eIDAS): ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries, and creates a European internal market for public electronic trust services.

POSITIVE SCOPE
Broadening scope to:
• One-leg transactions
• All currencies
• New payment services:
   • Payment Initiation: online payments initiated by a third-party (even non-banking) platform;
   • Account Information: providing the user with information on one or more aggregated online payment accounts;
   • Funds Checking: the possibility to receive confirmation of funds availability via the online interface.

NEGATIVE SCOPE
Tightened exemptions: PSD2 outlines the conditions under which the directive will not apply.
• Commercial agent exemption only applies to commercial agents which act on behalf of either the payer or the payee;
• Limited network exemption applies to large networks involving high payment volumes and ranges of products and services;
• Telecom exemption allows telecom operators to sell digital content for cell phones (applied only to transactions not higher than 50 euro, cumulative 300 euro in any billing month).
European bankers take PSD2 seriously. What do they think?
• 88% expect PSD2 to have an impact on their business
• 84% foresee strategy changes due to PSD2
• 68% are concerned about losing control of their customer interface
• 68% feel they will be weakened as a result of PSD2
• 52% think there will be a risk of liability problems
The current timeline shows the PSD2 will be most probably fully implemented at the start of 2019 (i.e. 2 years from now!)
PSD2 roadmap
[Timeline figure; time axis 2015 to 2019; tracks: EU Legislation, Czech Republic Legislation, Business]

EU Legislation
• Oct. 8th: Adoption of PSD2
• Dec. 8th: EBA works on RTS SCA & CSC
• Dec. 23rd: Directive in the EU Official Journal
• Jan. 12th: PSD2 enters into force
• Jan. 12th: Member States have 2 years to transpose PSD2 into national legislation
• Feb. 8th: Deadline for RTS Discussion Paper
• Oct. 12th: Deadline for RTS Consultation Paper
• Jan/Feb.: Final draft of RTS SCA & CSC
• Q2/Q3: EC approval of RTS (in force in +18 mo.)
• EBA finishes other RTS and GL
• Jan. 13th: Deadline for transposition of PSD2 to national legislation
• Q3/Q4: Earliest possible date for EBA SCA & CSC RTS to come into force
• Q1: Most probable date for EBA SCA & CSC RTS to come into force
Milestone labels: PSD2 established; RTS SCA & CSC definition; PSD2 available; RTS SCA & CSC acceptance; Regulation/legislation defined; Regulation/legislation effective

Czech Republic Legislation
• PSD2 certification starts: Certification of parties involved into PSD2 started
• National transition: Transitional process of the PSD2 in Czech Parliament and local authorities

Business
• Definition period: PSD2 definition, EBA documents definition
• Preparation period: PSD2 exists & RTS on SCA & CSC approved
• Early adopters: Law in force & RTS on SCA & CSC exists
• Full implementation: Law in force & RTS on SCA & CSC in force
Detailed assessment will be delivered based on current versions of the EU Directive and the key EBA document, RTS SCA & CSC

PSD2 documentation overview
[Figure: PSD2 documents on a time axis 01/2016, 01/2017, 01/2018, 01/2019]

EU: PSD2, EU Directive 2015/2366 (Framework)

EBA documents (RTS and Guidelines), grouped on the slide under Coordination, Register, Consumer protection, Authorization and Security:
• Strong customer authentication and secure communication
• Central Contact Points
• EBA Register
• Passporting notifications
• Passporting compliance
• EBA Register technical requirements
• PI Insurance for PSPs
• PI Authorization
• Security measures
• Incident reporting
• Complaints procedures

Timeline labels:
• PSD2 in force
• PSD2 in force + 12 mo.
• Application date of PSD2 (in force + 24 mo.)
• Adoption of RTS by the EU Commission (final version for approval not published yet)
• Application of security measures from 18 months after RTS comes into force
• Further delay

Legend:
• CP: Document available for consultation which identifies possible problems to be mitigated
• CP: Document not yet issued
• Adoption period
• XYZ: Document relevant for current GAP analysis

Other EBA documents are still in progress or do not exist; we do not plan to include them in the current review phase.
Banks & Consumer finance companies
PSD2-driven activities in Czech banks are mostly in a very initial phase, which corresponds with the current status of detailed inputs
PSD2 Regulation compliance
Technology impacts
Operations impacts
Legal impacts
PSD2 business strategy
Defensive
Core business supporting
New business
PSD2 technology & communication standards
CBA led cross-bank workgroup to define communication standard
Initial discussions
Only few banks advanced in specific topics (e.g. CS – Technology)
Initial discussion started
Questionable if one standard is achievable
FinTech companies
PSD2 Regulation compliance
PSD2 business strategy
PSD2 technology & communication standards
Establishing standard if banks failed
Let’s see now
Initial discussion started
Business models
CS & PPF start-ups
Communication / Technology standards
Trying to influence banks to introduce common standards
Banks & FinTech
Instant Payments will shake up local payments in next year
Key characteristics (CZ / SEPA)
• Max Amount: 400 000 CZK / 15 000 €
• Processing Duration: 20 s / 10 s
• No. of Infrastructure Providers: 1 / > 1

Benefits (Consumer, Businesses, Payment Service Providers)
• Make and receive payments 24/7/365 with immediate transfer of funds
• Enable immediate person-2-person mobile payments
• Facilitate future innovative payment products via smart devices
• Improve cash flow and process of payment reconciliation
• Increase efficiency of e-invoicing and e-billing
• Optimise working capital management and minimise need for external financing
• Speed up check-out processes at a physical point-of-sale
• Leverage for new business opportunities
• Strengthen the relationship with current customers
• Provide a competitive advantage in the market place
• Establishment of future-proof core infrastructure
Instant Payments Timeline
[Timeline figure; time axis 2017 to 2018; tracks: CZ, SEPA; date markers: January, 21st November 2017]
Labels on the timeline:
• ČNB + ČBA + Commercial banks discussion
• Trial operation
• Instant payments in operation
• Instant payment scheme enters into effect
• PSPs can adhere to the scheme
• Onboarding of other financial institutions
• Instant payments in operation
Electronic Record of Sales (EET) and its impact on Payment Service Providers (PSP)

• Phase I, December 1st 2016: Accommodation and food services
• Phase II, March 1st 2017: Wholesale and retail businesses; E-businesses
• Phase III, March 1st 2018: Liberal professions; everything that is not present in phases I, II or IV
• Phase IV, June 1st 2018: Crafts

Payment methods under EET
• Cash
• Cards (debit, credit)
• Payment Gates (PayPal, PayU…)
• Mobile payment (Premium SMS…)
• Instant payment button (or QR cd…)
• Cash on delivery
• Regular bank transfer

Impacts (E-business, PSPs)
• Increase of bureaucratic burden
• High implementation investments
• Operating costs increase
• Possible changes in payment methods portfolio (most likely more uncomfortable for customers)
• Risk of losing customers
• Possible shift from cards to instant payment methods
• Offered services redefinition
Current status of EBA technical standards
Current draft of EBA regulation is not as harmonizing and innovation-supporting as some expected (1/2)

Banks' interfaces
Regulation: “Account servicing payment service providers shall make sure that the technical specification of their communication interface is documented, the documentation made available for free and publicly on their website.” (Article 19.4)
Impacts:
• Each bank can define its own interface
• No definition of any governing entity
• It's up to individual banks whether they will join a standard (if one is defined)

APIs, no screen scraping
Regulation: “… each ASPSP shall offer at least one communication interface… which shall be documented and freely available on the ASPSP's website… it shall use ISO 20022 elements, components or approved message definitions” (Rationale 69)
Impacts:
• Exclusion of existing e-banking interfaces (which generally don't use ISO 20022 data elements and are hard to document)
• “Screen scraping” is still a valid technique (although not best practice)

Banks define payment security req.
Regulation: “… the authentication procedure will remain fully in the sphere of competence of the ASPSP” (Rationale 19a); “… only situation when transaction would be authenticated within PISP sphere… would require a prior contractual agreement between the PIS and the ASPSP…” (Rationale 19a)
Impacts:
• Banks define security procedures of third-party initiated payments
• A model based on customer authentication by the PISP (e.g. PayPal – card payment) cannot be used for PSD2 payments unless there is a contractual agreement with the relevant ASPSP

Authentication codes & SCA validation
Regulation: “… the authentication procedure shall result in the generation of an authentication code that is accepted only once by the payment services provider.” (Article 1.1); “… where the PSU is not actively requesting… no more than 2 times a day” (Article 22.5b)
Impacts:
• The approach to OTPs vs tokens is currently not clear, as the draft confuses authentication and authorization
• AISP allowed to access customer account information twice a day, while SCA is required once in 30 days
Current draft of EBA regulation is not as harmonizing and innovation-supporting as some expected (2/2)

Dynamic linking
Regulation: “Any change to the amount or payee shall result in a change of the authentication code” (Article 2)
Impacts:
• “Nightmare scenario” for PISs: the customer would have to go through their bank's authentication/authorisation process for each payment

Exceptions from SCA
Regulation: “The application of strong customer authentication… is exempted where… contactless electronic payment <50 € … payee is included in list of trusted beneficiaries … remote electronic payment <10 €” (Chapter 2)
Impacts:
• Exempted: contactless card payments under € 50, card-not-present transactions under € 10, and payments to payees whitelisted by the payer
• No discretion for PISPs to differentiate themselves

Sensitive payment data
Regulation: “… the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information online, provided that this information does not include display of sensitive payment data” (Article 22)
Impacts:
• Least-risky strategy for ASPSPs is to redact all data classified as “sensitive” (e.g. name of party to whom payments were made)

Card not present requires SCA
Regulation: “… card acquiring PSPs should require payees to support secure customer authentication for all payment transactions, in order to allow the payer's PSP to perform SCA in compliance with PSD2” (RTS CP Rationale Article 19)
Impacts:
• Threat to one-click models without a 3D Secure-like system
• “Possible intention” to level the inconvenience of use of card and non-card payments
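The once-only authentication code (Article 1.1) and dynamic linking (Article 2) quoted above can be modelled as a keyed MAC over the amount and payee, combined with a single-use nonce. This is an added example, not part of the PwC deck or the EBA draft; the class, the field names, the HMAC-SHA256 construction and the placeholder IBANs are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class DynamicLinkingAuthenticator:
    """Constructed ASPSP-side issuer/verifier; not a PSD2 reference design."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces of codes issued but not yet accepted

    def _tag(self, nonce, amount_minor, currency, payee):
        # Unambiguous encoding of the fields the code is linked to.
        msg = json.dumps([nonce, amount_minor, currency, payee]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount_minor, currency, payee):
        """Called after the customer passed SCA for exactly this payment."""
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return f"{nonce}.{self._tag(nonce, amount_minor, currency, payee)}"

    def verify(self, code, amount_minor, currency, payee):
        """Accept a code once, and only for the amount and payee it was issued for."""
        nonce, _, tag = code.partition(".")
        if nonce not in self._pending:
            return False  # unknown code, or one that was already accepted
        expected = self._tag(nonce, amount_minor, currency, payee)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False  # amount or payee differs from what was authenticated
        self._pending.discard(nonce)  # single use
        return True


def demo():
    aspsp = DynamicLinkingAuthenticator(secrets.token_bytes(32))
    payee = "CZ00 0000 0000 0000 0000 0000"  # constructed placeholder IBAN
    other = "CZ11 1111 1111 1111 1111 1111"  # constructed placeholder IBAN
    code = aspsp.issue(12500, "EUR", payee)  # 125.00 EUR in minor units
    return {
        "amount_changed": aspsp.verify(code, 12600, "EUR", payee),
        "payee_changed": aspsp.verify(code, 12500, "EUR", other),
        "original": aspsp.verify(code, 12500, "EUR", payee),
        "replayed": aspsp.verify(code, 12500, "EUR", payee),
    }


if __name__ == "__main__":
    print(demo())
```

Because the code is bound to one amount and one payee, a PISP cannot reuse it for a second payment, which is why each payment needs its own pass through the bank's authentication.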
Archetypes of PSD2 market players
PSD2 Archetypes of Banking and FinTech Sectors
[Figure: PSD2 banking archetypes: Shark, Whale, Killer whale, Sea lion; axes: API business development (High / Low) and API Strategy (Open / Protective)]
[Figure: PSD2 FinTech archetypes: Piranha, Alligator, Remora fish; axes: Relationship with banks (Cooperate / Attack) and Origin (Global / Local)]
Way forward
We believe that the way to become part of the digital banking world is through effective cooperation between FinTechs and the banking world

Key pillars of successful FinTech – Bank relationship
• Become Remora fish: find the business model which is beneficial for the bank and for you as well
• Define common technology and communication standards
• Join your forces: show the banks that you are a group of remoras which are worth cooperating with

Potential next move where we would love to help
• Round table of Banks and FinTechs (business and technology discussions)
Thank you!