PSD2

THE PSD2 DIRECTIVE, A STRATEGIC TURNING POINT FOR THE BANKING SECTOR

The PSD2 Directive on Payment Services updates the first EU Payment Services Directive published in 2007 (PSD1), which created a single market for payments at EU level. PSD2 is applicable from January 13, 2018, by which date member states must have adopted and published the measures necessary to transpose it into their national laws. However, the Regulatory Technical Standards (RTS), which define how FinTechs will connect to banks, will become applicable only in September 2019.
PSD2 goes further by extending the scope of PSD1 to payments in all currencies, and to payments where only one provider is located in the EU/European Economic Area.
PSD2 defines a new group of actors, the Third Party Providers (TPPs) that are permitted to provide certain types of services connected to payments. Customers will be allowed to initiate payments at their financial institution via authorized TPPs, to whom financial institutions will be obliged to open up their application interfaces and data.

WHY PSD2?

The retail payments market has experienced significant technical innovation since the introduction of PSD1 with a rapid growth in the number of electronic and mobile payment solutions as well as new types of providers and services.
Many innovative payment products and services have been introduced in particular in cards, e-commerce and mobile payments.
The objective of PSD2 is mainly to protect citizens and to control the development of these new services by:

  • Increasing the safety of payment transactions and payment services,
  • Promoting payment innovation and adjusting legal requirements to all stakeholders.

NEW PLAYERS IN THE PAYMENTS SECTOR

PSD2 introduces two new types of TPPs: the Payment Initiation Service Providers (PISPs) and the Account Information Service Providers (AISPs).
A payment initiation service is defined as a service to initiate a payment order at the request of a payment service user (PSU) with respect to a payment account held at any bank in the European Union. Payment initiation services enable the PISP to give the payee the assurance that the payment has been initiated, so that the payee can release the goods or deliver the service without undue delay.
An account information service is an online service to provide consolidated information on one or more payment accounts held by a PSU with another PSP or multiple PSPs. These aggregators have been widely developed in Europe (Linxo and Bank’in in France, Tink in Sweden, Spiir in Denmark and Fintonic and Eurobits in Spain, Figo in Germany). In order to stand out, these platforms develop other valuable services such as the management of personal finances (budgeting and spending analysis), or document management (invoices, expense reports, etc.). The client is at the center of the strategy of these new players, with a goal to facilitate the user experience through innovative and intuitive new apps.

MORE ABOUT “WEB-SCRAPING”

Currently, AISPs and PISPs use the technique known as “web-scraping” to aggregate information from multiple banks.
“Web-scraping” extracts the content of a website via a script or program that reads the HTML code and transforms it for use in another context. This method is used, for example, by price comparison sites (trivago.co.uk, liligo.com).
In this case, a TPP asks the client (PSU) for their credentials to the bank's online banking application, then feeds them into a program that acts as a robot, simulating the customer's login.
Web-scraping leads to several problems:

  • For the ASPSP (the bank holding the account), the robot can trigger many connections, saturate the bank's servers or consume expensive resources (e.g. mainframe MIPS)
  • For TPPs, one program per bank must be developed, and whenever a web page changes the robot must be adapted
  • The technique does not work when the bank has set up a secured connection with an OTP (One-Time Password)
  • For the user, by handing over their code and password, the TPP gets access to all their accounts and banking information, not just their payment accounts
  • Finally, the major problem with the “web-scraping” technique lies in the sharing of responsibility and the principle of proof.
API, THE EBA AND BANKS’ CHOICE

Through APIs, banks will make certain features of their information systems accessible to external developers.
These APIs define constraints and an interface that determine how, when and what other platforms will have access to.
Building an API does not mean that everyone will have uncontrolled access to your data; it just means that you provide them with a well-designed method to access particular items and services. You have control!
These APIs constitute a new channel for banks, in the same way as websites and mobile apps. They will enable banks to generate new revenues based on the data provided.

SECURITY, A MAJOR ISSUE

PSD2 introduces two major requirements about security: secure communication with the TPP and strong customer authentication (SCA).

SECURE COMMUNICATION

The bank must clearly authenticate the sender of the request, in other words check that the sender is who it claims to be. This will be achieved through the EBA register of TPPs and certificate authorities called QTSPs (Qualified Trust Service Providers). The messages exchanged between the different entities must be encrypted. The bank must also check that the sender is authorized to access the customer's data.
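The checks in this section can be laid out as one ASPSP-side decision: trusted certificate, register entry, role, then the customer's consent and its scope. The following Python is an added illustration, not code from the original article or from any bank; the register entries, certificate fields, account identifiers and the `authorize_request` function are constructed placeholders, and a real deployment would validate the QTSP certificate chain cryptographically and query the live EBA register.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the EBA register of authorised TPPs: identifier -> roles.
# The identifiers are placeholders, not real register entries.
EBA_REGISTER = {
    "TPP-EXAMPLE-001": {"AISP", "PISP"},
    "TPP-EXAMPLE-002": {"AISP"},
}

@dataclass
class TppCertificate:
    """Fields an ASPSP reads from a QTSP-issued TPP certificate (constructed)."""
    tpp_id: str
    roles: set
    not_after: datetime
    issuer_is_qtsp: bool  # outcome of chain validation against trusted QTSP roots

@dataclass
class Consent:
    """What the PSU agreed to share with this TPP (constructed)."""
    tpp_id: str
    accounts: set         # payment accounts only: the scope PSD2 access is limited to
    expires: datetime

def authorize_request(cert, consent, service, account, now):
    """ASPSP-side decision for one TPP request: returns (allowed, reason).
    Identity is checked first, then the register, the role, and finally the
    customer's consent and its scope, so a failure names the earliest gap."""
    if not cert.issuer_is_qtsp or cert.not_after <= now:
        return False, "certificate not trusted or expired"
    registered_roles = EBA_REGISTER.get(cert.tpp_id)
    if registered_roles is None:
        return False, "TPP not found in register"
    if service not in cert.roles or service not in registered_roles:
        return False, f"TPP not authorised as {service}"
    if consent.tpp_id != cert.tpp_id or consent.expires <= now:
        return False, "no valid consent from the PSU"
    if account not in consent.accounts:
        return False, "account outside the consented scope"
    return True, "ok"

# Constructed sample data: an AISP-only TPP with consent for one payment account.
NOW = datetime(2019, 9, 14, tzinfo=timezone.utc)
LATER = datetime(2020, 1, 1, tzinfo=timezone.utc)
AISP_CERT = TppCertificate("TPP-EXAMPLE-002", {"AISP"}, LATER, True)
CONSENT = Consent("TPP-EXAMPLE-002", {"FR-PAYMENT-ACCT-1"}, LATER)
```

With this data the same TPP is served for the consented payment account, refused for a savings account outside the consent, and refused when it tries to act as a PISP it is not registered for.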

STRONG CUSTOMER AUTHENTICATION

PSD2 requires strong, two-factor customer authentication (2FA) using two or more elements out of the following three:

• Knowledge: something only the user knows (e.g. a password or PIN),
• Possession: something only the user holds (e.g. a card or a token), and
• Inherence: something only the user is (e.g. a fingerprint or voice).

The elements must be independent of each other, so that a breach of one does not compromise the reliability of the others, and they must be designed to protect the confidentiality of the authentication data.
SCA will be applied systematically to any request that does not fall under the list of SCA exemptions.


General Data Protection Regulation (GDPR) and challenges faced in Blockchain

GDPR

The General Data Protection Regulation (GDPR) comes into effect in the European Union on 25th May 2018. The new EU regulation has many requirements on data protection; a few important ones, very relevant to social networking and blockchain technology, are listed below for academic discussion.

1. Business processes that handle personal data must be built with data protection by design and use the highest-possible privacy settings, so that the data is not available publicly without explicit consent and cannot be used to identify a subject without additional information stored separately.
2. No personal data may be processed by a ‘data controller’ or ‘data processor’ unless explicit opt-in consent has been obtained from the ‘data owner’. The data owner has the right to revoke this permission at any time.
3. Data owners have the right to request a portable copy of the data collected by a processor, and the right to have their data erased under certain circumstances.
4. And many more requirements regulating data management…

So how are GDPR and blockchain related?

In simple terms, a blockchain is a distributed database that maintains a continuously growing list of records called blocks. Each block contains data (personal, financial, or any other kind) and a link to the previous block, like a chain. By virtue of the design, each node in the blockchain has a copy of the data: not just the block that node was processing, but every block generated by every other node in the network. This is exactly how any Distributed Ledger Technology (DLT) using a blockchain functions.

Not just for cryptocurrencies: large financial institutions and corporates have started using blockchain technology in every possible way to innovate their services and go the extra mile. There is no doubt that the benefits are huge and this disruptive technology is rapidly transforming all old-school business models. Greater transparency, more accuracy and consistency than paper-heavy processes, improved traceability, increased efficiency, reduced cost, and the list goes on and on…

Then what is the concern now?

• Blockchain transactions are immutable: it is not possible to delete any information from a blockchain record. This may contradict the GDPR data owner’s right to have specific personal data erased when needed.
• Each node in the blockchain has a copy of the data. This raises issues for the complete erasure of data, the principle of minimal data, and the spreading of data across the network.
• Depending on the type of blockchain used, parties who were not involved in processing a particular block, but are part of the DLT ecosystem, can decrypt the hash algorithm and gain access to the data. This could lead to immense data privacy issues.
• Identifying roles as data controllers or data processors is difficult in any DLT framework. In many DLT systems there are no central operators or administrators, and the whole system functions as a peer-to-peer network. For example, the cryptocurrency #Bitcoin endured a hard fork event in August 2017, giving birth to Bitcoin Cash. The reasons might look like some sort of technological upgrade or enhancement in the product lifecycle, but deep inside these hard fork incidents reveal the lack of administration in the DLT platform, i.e. a single end user or a group of end users can get together and make enterprise-level changes to the product features, and there is no central body to administer those changes.
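The first two concerns above follow directly from how the chain is linked. The following Python toy chain is an added example, not from the original post: `make_chain`, `verify_chain` and `erase_personal_data` are constructed here and the ledger records are fictitious. It shows that erasing personal data from one block breaks the hash link that every other node's copy still verifies, so a single node cannot honour an erasure request on its own.

```python
import hashlib
import json

GENESIS_LINK = "0" * 64  # the first block links to nothing

def block_hash(block):
    """Hash of a block's full contents, including the link to its predecessor."""
    payload = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def make_chain(records):
    """Build a chain where each block stores the hash of the previous block."""
    chain, prev = [], GENESIS_LINK
    for index, data in enumerate(records):
        block = {"index": index, "data": data, "prev_hash": prev}
        chain.append(block)
        prev = block_hash(block)
    return chain

def verify_chain(chain, expected_tip):
    """Return the index of the first block that no longer fits, or None if intact.
    expected_tip is the latest block hash as held by the other nodes, so an edit
    to the final block (which has no successor link) is caught as well."""
    prev = GENESIS_LINK
    for block in chain:
        if block["prev_hash"] != prev:
            return block["index"]
        prev = block_hash(block)
    return None if prev == expected_tip else len(chain) - 1

def erase_personal_data(chain, index):
    """Attempt a GDPR-style erasure on one node's copy: blank the block's data."""
    edited = [dict(block) for block in chain]
    edited[index]["data"] = {"erased": True}
    return edited

# Constructed sample ledger with personal data (names and values are fictitious).
RECORDS = [
    {"customer": "Alice Example", "iban_last4": "1234", "amount": 50},
    {"customer": "Bob Example", "iban_last4": "9876", "amount": 20},
    {"customer": "Alice Example", "iban_last4": "1234", "amount": 5},
]
CHAIN = make_chain(RECORDS)
TIP = block_hash(CHAIN[-1])  # what every other node's copy ends with
```

Erasing Alice's first record (block 0) makes block 1's stored link fail; erasing the last block is caught only because the other nodes still hold the original tip hash.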

Solution?

Blockchain adoption is on the rise. Now #FinTech & #RegTech companies need to start reviewing what data goes inside their blockchain capsule, and consider reviewing the demography of each node subscribed to the DLT. More and more regulatory sandbox frameworks are expected to come up. It is time to go back to the drawing board and make Compliant Technology!!

Comments and suggestions are always welcome 🙂

Why EU General Data Protection Regulation – GDPR, an important article to read?

We all have noticed every web page and every social networking app prompting you to accept a cookies policy or forcing you to review the privacy settings. You are prompted with several links and contents to read which would be thicker than the Bible. We can all go through that if we have the time and energy, or simply press the accept button and get on with our intention to visit that site or app 🙂

Question. Ever wonder why this wave of user consents is being taken from all web pages and apps? Is it something important which they forgot to ask you earlier? If yes, why now??

Some stats before we get to the topic. Everything on the internet is free of cost. Be it a free email account with a lot of gigabytes of capacity, social networking sites with automatic friend suggestions, or productivity tools in the smartphone such as a single email app to see all your emails across different domains. All these ultra-modern features given free of cost!

What about the cost to the company? According to 2012 statistics, 2.5 exabytes – that’s a billion gigabytes – of data got generated every day in 2012. Google researchers in 2016 pointed out that users upload over 400 hrs of video every minute, which means 1 petabyte – that’s 1 million gigabytes – of data center storage capacity every day. In 2013 Facebook’s data center deployed 7 petabytes of storage every month. That is the size of Big Data rolling around the world wide web. Today in 2018, you get 1 terabyte of cloud space for $1500 a month for personal cloud computing.

If everything costs money to run as a business, then how are they offering a free service? In any business model, be it traditional or new age, all business services are offered for some benefit. If ultramodern services are offered free of cost, then you need to understand that you are the commodity. You are the Data. Your personal information, preferences, social networking habits, what you share, what you like, your contacts in the email account, your contacts in the smartphone – all of that forms components of data which you are giving to the social networking company in return.

Now back to the topic. Regulators worldwide are working closely towards the development of personal data protection, and on the urgent need for enforcing policies guiding data management. You may recollect Mark’s US Senate Committee hearing in April 2018 and all those grilling questions from US Senators. In May 2018 it was the European Union’s turn: EU parliament members crushed Mark with the harshest questions. On 25 May 2018 the EU mandated GDPR – the General Data Protection Regulation on data protection and privacy for all individuals within the European Union.

To know more about the effect of GDPR on the first day, read here: Effect of GDPR on day 1

Happy to hear comments and suggestions 🙂