Payment Services Directive 2 (PSD2) Access to Accounts (XS2A)


1 Payment Services Directive 2 (PSD2) Access to Accounts (XS2A)
A Bryan Cave, Polymath Consulting Webinar
May 11, 2016
Judith Rinearson, Bryan Cave, New York and London
Jane Jee, Bryan Cave, London
With David Parker, Polymath, London
Brendan Jones, Polymath, London

2 Agenda
- Introduction
- Legal Background: PSD2 and Access to Accounts (XS2A)
- Prerequisites for XS2A: Governance, Regulatory Technical Standards (RTS)
- APIs
- UK Open Banking Standard
- The Implications of XS2A
- Strategies for XS2A
- Summary

3 Welcome from Polymath and Bryan Cave
- Genesis of Webinar
- Goals for today
- CLE and CPD Credit
- Questions – submit via

4 Background – Original PSD
- Original Payment Service Directive 2007/64/EC adopted December 2007
- Focus on processors and other third parties who handle other people’s money.
- Requires licensing, standards, security, consumer protection
- Since its adoption:
  - The retail payments market has experienced significant technical innovation
  - Rapid growth in the number of electronic and mobile payments
  - Emergence of new types of payment services in the market place
  - Little evidence of hoped for drop in charges to Service Users (customers)
- The European Parliament believes there is a large positive potential which needs to be more consistently explored by additional regulation, hence PSD2

5 Background – EU Regulatory Framework
European legal framework
- There are three sources of European Union law: primary law, secondary law and supplementary law.
- The main sources of primary law are the Treaties establishing the European Union.
- The Directive forms part of the EU’s secondary law. It is therefore adopted by the EU institutions in accordance with the founding Treaties. Once adopted at the EU level, it is then transposed by EU countries into their internal law for application.
- The Directive is one of the legal instruments available to the European institutions for implementing European Union policies. It is a flexible instrument mainly used as a means to harmonise national laws. It requires EU countries to achieve a certain result but leaves them free to choose how to do so.
See

6 Introduction to the Payment Services Directive 2 (PSD2)

7 PSD2 – Aims & Objectives
- Replaces PSD
- Continue to harmonise the European payments landscape from a regulatory perspective
- To establish safer and more innovative payment services across the EU
- Contribute to a more integrated and efficient European payments market
- Improve the level playing field for payment service providers (including new players)
- Make payments safer and more secure
- Protect consumers
- Encourage lower prices for payments

8 PSD2 in context
PSD2 itself is not the only “kid on the block”
- Payment Accounts Directive (effective August 2016)
- Interchange Fees Regulation (IFR) effective Dec 2015 (caps) June 2016 (business rules)
- Cross Border Payments Regulation
- Funds Transfer Regulation
- SEPA End Date Regulation
- SEPA Instant Payments Regulation
- Consumer Rights Directive
- General Data Protection Regulation
- 4th AML Directive
- E-identity and Trust Services Regulation (eIDAS Regulation)
- E-money Directive (potential third E-Money Directive)

9 PSD2 – Aims & Objectives [JJ with attribution]
- Liability for Payments
- Enhanced Consumer Rights
- “No questions asked” Refund Right for Direct Debits
- Allocation of Liability Between Payment Parties
- Unauthorised / Incorrectly Executed Transactions
- Disclosure of Payment Info
- Data Protection by Design/Default
- Transparency of Payments & Charges
- Central Register of Companies Providing Payment Services
- Transparent Charging Principles
- Framework Contracts & Single Payments
- Full Disclosure of Charges
- Prohibition of Surcharging
- PSD2 Access to Accounts
- Objective, Non-Discriminatory/Proportionate
- PISP, AISP & ASPSP
- ECB to Draft Regulatory Technical Standards (API)
- Common/secure open standards
- ID/auth, notification and information
- Customer Authentication
- Introduction of strict security requirements for initiation & processing of payments
- Strong Customer Authentication procedure
- Dynamic linking
- Use of Multi-Factor Authentication
- Protect the Confidentiality and Integrity of Personalised Security Credentials
- Regulation
- Greater regulatory oversight
- Better co-operation between Competent Authorities
- Stringent reporting requirements

10 Access to Accounts (XS2A)

11 Access to accounts – care needed
PSD2 covers several types of access
1. Access to Payment Systems (Article 35)
2. Access to Bank Accounts for Payment Institutions (Article 36)
3. Access for regulated entities to accounts held by Payment Service Users (PSUs) with permission and suitable security = XS2A (Articles 66 – 67)
The primary focus of this webinar is on #3: Access for regulated entities to data in accounts held by banks and other account holders

12 Access to Payment Systems
Access to Payment Systems (Article 35 of PSD2)
Member States shall ensure that the rules on access of authorised or registered payment service providers that are legal persons to payment systems are objective, non-discriminatory and proportionate and that they do not inhibit access more than is necessary to safeguard against specific risks such as settlement risk, operational risk and business risk and to protect the financial and operational stability of the payment system.
Payment systems shall not impose on payment service providers, on payment service users or on other payment systems any of the following requirements:
(a) restrictive rule on effective participation in other payment systems;
(b) rule which discriminates between authorised payment service providers or between registered payment service providers in relation to the rights, obligations and entitlements of participants;
(c) restriction on the basis of institutional status

13 Payment Systems in the UK
- Under section 41 of the Financial Services (Banking Reform) Act 2013, a payment system is defined as “a system operated by one or more persons in the course of business for the purpose of enabling persons to make transfers of funds”
- UK has the relatively new Payment Systems Regulator who has a role
  - to ensure that payment systems are operated and developed in a way that considers and promotes the interests of all the businesses and consumers that use them
  - to promote effective competition in the markets for payment systems and services, between operators, PSPs and infrastructure providers
  - to promote the development of and innovation in payment systems, in particular the infrastructure used to operate those systems

14 Access to payment account services
Access to Accounts (Article 36 of PSD2)
Member States shall ensure that payment institutions have access to credit institutions’ payment accounts services on an objective, non-discriminatory and proportionate basis. Such access shall be sufficiently extensive as to allow payment institutions to provide payment services in an unhindered and efficient manner. The credit institution shall provide the competent authority with duly motivated reasons for any rejection.

15 Access to Account Information (XS2A)
Article “Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I. The right to make use of a payment initiation service provider shall not apply where the payment account is not accessible online.”
Article “Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.”
Explicit Consent Required

16 Reasons for XS2A
- Industry complaints
- Lack of harmonisation
- Need for innovation
- Market developments have given rise to significant challenges
- Resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas
- Proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services
- New rules required to open up access to payment account information to 3rd parties

17 Aim of XS2A
- To facilitate innovation and development within the payments industry
- To open up the payments industry to new participants that offer products and services that utilise customer data to deliver better outcomes
- Providing a mechanism whereby customers can share their data with third party service providers
- By providing XS2A to customer data, new innovative products and services can be offered

18 Third Party Payment Providers
Two new types of third party payment providers
1. PISP – Payment Initiation Services Provider
- PISPs allow consumers to, for instance, make online payments without the need for a credit card by establishing a “link between the payer and the online merchant via the payer’s online banking module”, e.g. SOFORT in Germany, iDEAL in the Netherlands and Trustly in Sweden.
- PISPs do not require the consumer to open an account directly with them. Instead, they gather information on the consumer’s existing bank accounts and present that information in an integrated manner.
- However, in doing so PISPs gain possession of a significant amount of sensitive information, for instance by providing a gateway from which consumers log in to their bank accounts using their unique identifiers and credentials.
- As a result, these entities drew more attention from legislators and regulators. After all, the sensitive information they possess and process poses a significant risk for abuse in money laundering schemes, terrorist financing, or other illicit activities.

19 Third Party Payment Providers
2. AISP – Account Information Services Provider
- Tailored authorisation application process
- No capital requirements (as no funds held)
- Some COB rules apply – prior information, specific obligations, liability and security measures
PISPs and AISPs
- have to be regulated as a Payment Institution – in their Host Member State – including for access and passporting
- Required to hold either professional indemnity insurance or a comparable guarantee
- Secure Access fully under the Payment Service User’s control

20 Current Status
- PSD2 has been published in the Official Journal of the EU and entered into force on 12 January
- Member States must transpose PSD2 into national law by 13 January 2018
- PSD2 Requires Establishment of Certain New Regulatory Technical Standards (RTS):
  - Secure Authentication
  - Secure Communications (XS2A)
  - Other RTS to be published
- In addition to the RTS, in practice XS2A will also mean the establishment of online interfaces (such as APIs) that will link the regulated entities’ systems to the banks/account holders’ systems.
- The XS2A provisions will NOT be implemented until after the RTS and any approved APIs have been established.
- The RTS will apply 18 months after adoption of the standards by the European Commission

21 What is an API?
- APIs are not mentioned in PSD2 but are nevertheless top of mind as industry grapples with implementation
- APIs (Application Programming Interfaces) are standards that allow software components to interact and exchange data, particularly over the web.
- Put most simply, an API is a set of instructions that allows one piece of software to interact with another.
- As banks and other account holders consider how to implement the XS2A provisions, many believe standardized secure APIs will be a likely solution.

22 APIs in the UK: Open Banking Standard
To facilitate data sharing in UK banking
- Open Banking Standard: A set of specifications and rules addressing the data, technical and security aspects to data sharing in an open API environment, supported by a Governance Model.
- Data Standard: Rules by which Data described and recorded
- API Standard: Specifications that inform the design, development and maintenance of an open API
- Security Standard: Security aspects of the API specification
- Governance Model: Governance required to operationalise the Open Banking Standard
Source: © Celent

23 PSD timelines v Open Banking Framework*
With Thanks to Digital Baobab

24 The Implications of XS2A

25 Implications of XS2A
- It is an environment in which participants can share customer data, when explicit consent has been granted, with each other in a secure, automated fashion
- XS2A is a technology disruptor for all incumbent financial service providers
- XS2A will drive disruption (innovation) in payments
- PSD2 does not specify how to implement and manage XS2A

26 XS2A Questions
PSD2 asks more questions than answers
- Major Question: At what level will the European Banking Authority (EBA) define the API(s)
- Management of the specifications
- Should the EBA recommend the use of industry APIs or define APIs that are specific to PSD2 / XS2A
- In addition to the technical interfaces and services there are still many areas requiring clarification

27 Implications of XS2A -- Credit & Payment Institutions

28 Implications of XS2A – Credit & Payment Institutions
Challenges
- Additional regulation centered around:
  - Liability for payments
  - Transparency of Payments & Charges
  - Greater Regulatory Oversight
  - Strong Customer Authentication
  - Access to Accounts
Opportunities
- Development and support of new emerging electronic payment methods, thereby providing greater customer choice
- Develop data aggregation services
- Launch new products & services based on a full understanding of the customer financial profile (i.e. XS2A)
- Through collaboration with partners, offer new financial products & services
- Through the use of APIs automate and streamline credit loan applications etc.

29 Implications of XS2A – PSPs
Challenges
- Additional regulation centered around:
  - Liability for payments
  - Transparency of Payments & Charges
  - Greater Regulatory Oversight
  - Strong Customer Authentication
Opportunities
- Development and support of new emerging electronic payment methods, thereby providing greater customer choice
- Develop direct debit payment services directly connected to customer bank account

30 Implications of XS2A – Programme Managers
Challenges
- PSD2 Access to Accounts for accounts managed by Programme Manager
Opportunities
- Access to cardholder account information from Account Providers, with the customer’s consent, to deliver new innovative services (financial & non financial)
- Provision of account aggregation services
- Provision of innovative new services, either directly or through collaboration, that utilise cardholder account information

31 Implications of XS2A – Schemes
Challenges / Opportunities
- New Scheme card based payment methods (i.e. payment initiation services) that consolidate customers’ cards onto one payment vehicle
- Access to all cardholder data giving a rich view of cardholder purchasing characteristics and preferences
- New non-card based payment methods (i.e. payment initiation services)

32 Implications of XS2A – Emerging Payments
Challenges
- May be required, dependent on business model, to be Regulated under PSD2.
Opportunities
- Development of new innovative payment methods to compete with existing payment vehicles.
- New products and services that utilize cardholder account information.
- Collaboration with incumbent financial services providers to deliver value added services, over and above basic account offering.
- Launch new products & services based on a full understanding of the customer financial profile via XS2A.

33 Strategies for XS2A

34 Strategies for XS2A
- TPPs and other players (e.g. acquirers, processors, PSPs and innovative banks) are looking to take advantage of XS2A
- Incumbent providers should recognise that these organisations are focused on capturing revenues
- Organisations should be rethinking their strategy and deciding what they want to be
- What is your stance regarding XS2A?

35 Strategies for XS2A
[Figure: Customer Data Aggregation Model. Labels: Customer; Bank A (Current Account); Bank B (Savings Account); Bank C (Investments); Bank D (Mortgage); AISP; Direct Account Access; Third Party Access]
[Figure: Payment Initiation Service Provider. Labels: Customer; Merchant; Customer Bank; iDeal (PISP); Inter Bank Payment Network; Merchant’s Bank]

36 Strategies for XS2A
[Figure: Delivering Financial Services & Relevant Content. Labels: Customer; Bank A (Current Account); Bank B (Savings Account); Bank C (Investments); Bank D (Mortgage); AISP; Direct Provision; Third Party Provision; Loans; Foreign Exchange Services; Insurance]

37 Strategies for XS2A
[Figure. Labels: Customers; Bank Data; Internal API; Prop Apps; 3rd Party; Public API; Bank Domain]
Source:

38 Challengers PISP AISP

39 Summary

40 Summary
- PSD2 published in the Official Journal of the EU and entered into force on 12 January 2016
- PSD2 will be effective as of January 2018 BUT the XS2A provisions cannot be implemented until 18 months AFTER the RTS and API standards have been established; it is not known how soon we will have the RTS/API standards. So XS2A will not be available any earlier than October 2018.
- PSD2 is forcing Account Service Providers to open up customer data to regulated entities, regulated under competent authorities of member states
- Typically it can take up to one year to become a regulated entity
- XS2A only a stepping stone for UK market
- Organisations need to assess their position and decide what strategy they wish to pursue

41 PSD2 & Open Banking – The Future of Payments
Polymath Whitepaper: PSD2 & Open Banking – The Future of Payments
- Download the Abridged Whitepaper at:
- or Full White Paper available for £750 plus VAT
- Please contact David Polymath Consulting for invoicing.

42 Thank you!
Contacts: Judith Rinearson, Jane Jee, David Parker, Brendan Jones

