andrew eppich vp sales emea - open banking excellence · customer data with third party providers...
TRANSCRIPT
Andrew Eppich VP Sales EMEA
16 May 2019
Helping everyone by spotting the playground bullies
Making Open Banking Safer
©2018 Mastercard. Proprietary and Confidential. Public
What’s the problem?
MASTERCARD OPEN BANKING 4
“We are not confident that our customers’ data will be protected from hackers and thieves. We cannot refuse to hand over data because that’s what the legislation says, but we will have to try to educate people to understand the vulnerability.”
— Howard Davies, Chair, RBS
©2019 Mastercard. Proprietary and Confidential. Public
Mastercard Open Banking Protect
Flow between the TPP, Open Banking Protect and the Financial Institution:
1. Request via API
2. Check of TPP’s request
3. Check of a regulatory license, eIDAS certificates and fraud assessment
4. Internal monitoring & decision
5. Report back of decision and any subsequent fraud
Capabilities: transaction fraud profiling and real-time scoring; TPP licence and certificate validations with real-time response.
Open Banking Protect provides additional security to Financial Institutions when they have to share customer data with Third Party Providers (TPPs).
NuDetect – Combining capabilities to power enhanced fraud prevention
Device, Connection, and Location Identification: Analyze the device and connection interacting with the environment. Trust that the real consumer is using the device.
Behavioral Analytics: Continuously verify the consumer is who is expected. Trust the behavior.
Passive (Invisible) Biometric Verification: Allow trust in the human, not just the device, using sensory inputs from the real world. Trust the consumer based on natural behaviors.
Real-Time Trust Consortium: Aggregate data from all behavioral interactions across the NuDetect network. Trust the consortium.
Mastercard’s Solution: Triple Protection
Open Banking Protect: Protecting customers using your Open Banking APIs against compromised and unlicensed Third Party Providers
NuDetect: Protecting customers using your Logon and Payment journeys against account takeovers and bad actors
Anti Money Laundering Insights: Protecting against the movement of illicit funds across entire payment networks
Mastercard’s Triple Protection (diagram): the Mobile, Online, Open Banking API, Branch and Telephone channels feed a Fraud Decision Engine connected to Faster Payment Systems.
Mastercard’s Triple Protection (diagram): the same channels (Mobile, Online, Open Banking API, Branch, Telephone), with Open Banking Protect and NuDetect layered as 1st Line Protection and 2nd Line Protection in front of the Fraud Decision Engine, which connects to Faster Payment Systems and AML Insights.
Next Steps - Extending Open Banking Protect to TPPs
Diagram: Open Banking Protect sits between the TPP and the Financial Institution, digitally identifying the customer based on their online interactions.
Mastercard Open Banking Protect
• Interested in hearing more? Please let us know via [email protected]
• Thank you!
Open Banking Excellence, 16 May 2019
Paul Meadowcroft, Chief Product Officer
About Konsentus
• A RegTech company to support ASPSPs in delivering PSD2 open banking compliance
• Offices in the UK in Reading and London
• Highly experienced leadership team
• Focused on significant open banking opportunity across Europe whilst the broader global open banking market develops
Konsentus provides Third Party Provider identity verification, using eIDAS certificates, TPP regulatory checking, against National Competent Authority registers, and OAuth2 token generation and verification to control access to PSD2 APIs. These services are provided to financial institutions through a RESTful API on a SaaS platform, enabling them to provide open banking services to their customers, confident in the knowledge that they are only providing data to TPPs who are authorised or registered and who have obtained the customer's consent to access their data.
Today’s topic
PSD2 Open Banking: Protecting your customers’ data and your brand reputation
Brand reputation and risk
Do I do the legal minimum? Or do I protect my customers’ data and manage my business risk?
What does PSD2 open banking mean to us?
Customers or Payment Service Users (PSUs) have a legal right to use payment initiation services and account information services provided by Third Party Providers (TPPs) with respect to certain payment accounts
So “account servicing payment service providers” (ASPSPs) must allow TPPs access to these payment accounts (with the customer’s consent) through either their modified customer-facing interface or a “dedicated interface” (API)
ASPSPs can be banks, building societies, and non-bank account providers such as payment institutions and e-money institutions
TPPs can be PISPs (Payment Initiation Service Providers), AISPs (Account Information Service providers) and CBPIIs (Card Based Payment Instrument Issuers)
How does an ASPSP know when to hand customer data over to a TPP or not?
The Second Payment Services Directive (EU) 2015/2366 (PSD2) was implemented by EU member states on 13 January 2018
What does the EBA RTS for SCA and CSC say?
Article 30 (1)
ASPSPs that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements: a) AISPs, PISPs and CBPIIs are able to identify themselves towards the ASPSP; b) AISPs are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions; c) PISPs are able to communicate securely to initiate a payment order from the payer's payment account and receive all information on the initiation of the payment transaction and all information accessible to the ASPSPs regarding the execution of the payment transaction.
So the ASPSP needs to know who the TPP is and what they are allowed to do
Commission Delegated Regulation (EU) 2018/389 on Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS for SCA & CSC) applies from 14 September 2019
What does the EBA RTS for SCA and CSC say?
Article 34 (1)
For the purpose of identification, as referred to in Article 30(1)(a), payment service providers (PSPs) shall rely on qualified certificates for electronic seals (QSealC) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWAC) as referred to in Article 3(39) of that Regulation.
“This means that, when a TPP identifies itself towards the ASPSP via an eIDAS PSD2 certificate, the ASPSP shall grant access to the TPP to the specified account.” “ASPSPs are not legally required to rely on any other means for the purpose of identification of TPPs.” (EBA answer to Issue XIII of the EBA Working Group on APIs, 26 April 2019)
So the ASPSP can rely on either an eIDAS PSD2 QWAC or a QSealC to determine the identity of a TPP
How does the ASPSP know that the TPP is regulated?
PSD2 states that access to account information or payment initiation services “shall not be dependent on the existence of a contractual relationship” between the ASPSP and the TPP
The TPP will have presented an eIDAS PSD2 certificate to the ASPSP. But:
The regulatory status of the TPP may have changed since the certificate was issued
And: the certificate does not provide any information about the regulated status of the TPP in Host Member States where the TPP has “passported” its services
In order to know what the TPP is allowed to do, at the time of the transaction, the ASPSP must check the regulatory status of the TPP on both the Home and Host NCAs, as appropriate
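As an added example (not Konsentus or Mastercard code, and not a real register API), this Python sketch shows the access decision both the Open Banking Protect flow and the Konsentus slides describe: who the TPP is comes from the eIDAS PSD2 certificate (roles and validity), what it may do today comes from a Home/Host NCA register snapshot checked at transaction time, and an Article 68(5) denial for duly evidenced fraud. The certificate fields, register shape, authorisation numbers and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed, simplified model of the two inputs the talk describes: the PSD2
# eIDAS certificate (identity, roles, Home state) and the NCA registers (status
# today, including services passported to Host Member States). Not a real API.
ROLE_FOR_SERVICE = {"AIS": "PSP_AI", "PIS": "PSP_PI", "CBPII": "PSP_IC"}
TODAY = date(2019, 5, 16)  # transaction date used in the demonstration

@dataclass
class Psd2Cert:
    authorisation_number: str   # e.g. "PSDGB-FCA-123456" (constructed value)
    home_state: str             # member state of the authorising (Home) NCA
    roles: set                  # PSP roles asserted in the certificate
    not_before: date
    not_after: date

@dataclass
class RegisterEntry:
    status: str                 # "authorised", "registered", "withdrawn", ...
    services: set               # services currently permitted by the Home NCA
    passported_to: dict = field(default_factory=dict)  # host state -> services

def decide_access(cert, register, service, member_state, today, evidenced_fraud=frozenset()):
    """Return (allow, reason). The certificate answers 'who is the TPP';
    the register answers 'what may it do today, and where'."""
    if not (cert.not_before <= today <= cert.not_after):
        return False, "certificate outside its validity period"
    if ROLE_FOR_SERVICE.get(service) not in cert.roles:
        return False, f"certificate does not assert the role for {service}"
    entry = register.get(cert.authorisation_number)  # status checked now, not at issuance
    if entry is None or entry.status not in ("authorised", "registered"):
        return False, "TPP not authorised or registered at the Home NCA"
    if service not in entry.services:
        return False, f"{service} is no longer permitted by the Home NCA"
    if member_state != cert.home_state and service not in entry.passported_to.get(member_state, set()):
        return False, f"{service} not passported to {member_state}"
    if cert.authorisation_number in evidenced_fraud:
        return False, "access denied for duly evidenced fraud (PSD2 Art. 68(5))"
    return True, "identity, regulatory status and permissions verified"

# Constructed register snapshot and certificates for a demonstration run.
REGISTER = {
    "PSDGB-FCA-123456": RegisterEntry("authorised", {"AIS", "PIS"}, {"DE": {"AIS"}}),
    "PSDGB-FCA-654321": RegisterEntry("withdrawn", set()),
}
GOOD_CERT = Psd2Cert("PSDGB-FCA-123456", "GB", {"PSP_AI", "PSP_PI"}, date(2019, 1, 1), date(2021, 1, 1))
WITHDRAWN_CERT = Psd2Cert("PSDGB-FCA-654321", "GB", {"PSP_AI"}, date(2019, 1, 1), date(2021, 1, 1))
```

Running `decide_access(GOOD_CERT, REGISTER, "PIS", "DE", TODAY)` denies the request because the certificate is still valid but the register shows only AIS passported to DE, which is exactly the gap the slide points out.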
ASPSP reputation and risk management
Article 68(5) of PSD2 states that an ASPSP ‘may deny an AISP or a PISP access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that AISP or that PISP’ (EBA answer to Issue IX of the EBA Working Group on APIs, 26 April 2019)
ASPSPs may choose to carry out additional checks of the authorisation / registration status of TPPs in the respective EBA and/or national registers, provided that, in doing so, ASPSPs do not create obstacles to the provision of payment initiation and/or account information services, as required in Article 32(3) of the RTS. (EBA answer to Issue XIII of the EBA Working Group on APIs, 26 April 2019)
These checks should not present an obstacle to the performance of the transaction between the TPP and ASPSP or cause delays in the ‘customer journey’ if they are provided by an industrial-scale, high-quality service that can process the regulatory checks at high volume and high speed.
It is the ASPSP’s responsibility to manage its business and regulatory risk and perform the necessary checks and balances appropriate to its risk appetite
ASPSP responsibility and accountability for customer data
ASPSPs are the guardians of their customers’ data
ASPSPs have an obligation under PSD2 and GDPR to only share that data with properly authorised and regulated TPPs who have gained the customer’s consent
Customers will look for compensation from the ASPSP if anything goes wrong
ASPSPs may face fines and regulatory sanctions under PSD2 and GDPR
Reputational damage and lack of customer trust may be of greater concern
ASPSPs need to be customer focussed and take all reasonable steps to ensure that they only share customer data with properly authorised and regulated third parties
Paul Meadowcroft, +44 7340 003217
Thank You. Any Questions?
Konsentus Limited, www.konsentus.com
Confidential – © 2018 Equinix Inc. Equinix.com
Mastercard Open Banking, December 20, 2018
OPEN BANKING – WHAT A FRAUDSTER SEES
And what they might try
Sandra Peaston, Director of Research and Development
16 May 2019
Welcome
Fraud over time (chart: annual totals, 2008 to 2018; y-axis 0 to 350,000)
Fraud in 2018 (chart: totals by type for 2016, 2017 and 2018; x-axis 0 to 210,000; categories: Asset conversion, Application fraud, False insurance claims, Facility takeover fraud, Identity fraud, Misuse of facility fraud)
Identity Fraud (chart: totals by product for 2016, 2017 and 2018; y-axis 0 to 90,000; categories: Bank Account, Telecoms, Plastic card, Insurance, Loan, Online retail, Other)
Who is the customer?
• Onboarding someone who is not who they say they are
• Is the customer still who they say they are?
A Phishing opportunity
• Exploitation of a lack of understanding
• Facilitation of further fraud
“That wasn’t me!”
• Opportunists may see this as a chance to double their money
• Organised groups may recruit people to facilitate first party fraud
“Every day, we’re talking. Planning. Sharing tips and tricks to keep getting better.”
“And until the banks and businesses that we attack do the same, we’re always going to win.”
Thank you
Any Questions?
A BIG THANK YOU TO OUR ATTENDEES, SPEAKERS, SPONSORS &
PARTNERS
Tink: Strong Customer Authentication
Moving from Theory to Practice
Connecting the Ecosystem
Starling Bank: Major Data Breach, Payment Theft
Regulation, Fraud, Security
Mastercard: Extending Open Banking Protect to TPPs
Equinix, API Secure-Link
Regulation
• SOC1 Type 2 Document Controls, supporting processes, policies, procedures, personnel and operational activities that constitute the core activities relevant to users
• PCI DSS, enhance data security for payment cards
• ISO 9001, Quality Management System to demonstrate ability to consistently provide products and services to meet the needs of Customers.
Fraud Protection
• Minimal threat of DDOS Attacks
• Dedicated Infrastructure
• Tier 3 Data Centre Service
Security Enhancement
• Certain customer data is best kept on soil
• Enhanced Encryption
• Security policy for On-premise and Cloud enabled
Open Banking Sales Director, [email protected]