BANFICO - ENABLING PSD2 COMPLIANCE

Post on 23-Jun-2020


Page 1

BANFICO - ENABLING PSD2 COMPLIANCE

Page 2

DEADLINES

There are various deadlines that banks need to meet to comply with PSD2. We provide a quick deployable sandbox for the Open Banking UK, NextGenPSD2 & STET API standards.

- 14 Mar 2019: Banks need to publish test systems for all the APIs they intend to publish.
- 14 Jun: Banks applying for exemption from providing the Client Interface should make their application to the relevant National Competent Authority (NCA). The market test should involve live transaction testing.
- 14 Jul: NCAs (especially FCA/UK and BaFin/Germany) will decide whether to grant such a fallback exemption.
- 14 Sep: Complete PSD2/RTS implementation.

CHALLENGES

There have been many challenges for banks in this compliance program, most importantly for banks with legacy infrastructure and a lack of cloud adoption, which makes adopting new changes on a tight schedule really difficult. All of this contributes to a higher cost for a compliance project with no return on investment, unless banks look at becoming TPPs themselves or publishing extra premium APIs.

REGULATORY COMPLEXITY

The RTS mandated to banks are highly technical and complex. They address a secure framework involving Strong Customer Authentication (SCA) and Secure Communications (CSC).

TIME

Many banks were late to kick-start their PSD2 implementation, which leads to tight deadlines.

INFRASTRUCTURE COMPLEXITY

Legacy infrastructure within banks is a major barrier to a PSD2 API program.

QUALITY SKILLS

Banks are embarking on secure API programmes in which they have limited experience. This involves holistic changes to their infrastructure, and for all of this work there is a shortage of PSD2 subject matter experts.

As per PSD2 regulation, banks need to provide an API interface for the functionalities offered to their clients (retail or corporate) on their existing e-channels. Banks need to comply with the Regulatory Technical Standards (RTS) and also choose API Specifications at their own discretion – even their own proprietary version of API is compliant. Mostly the banks are choosing API specifications from the standards of Open Banking UK, NextGenPSD2 from Berlin Group or STET from the French market.

PSD2 implementation in essence is an "API Program with strong emphasis on Identity, Authentication, Privacy & Security". The trust model for participating in the ecosystem involves industry standard communication protocols, which are addressed in the RTS's CSC, while customer identity & authentication are addressed by the articles relating to "Strong Customer Authentication". Consent management also plays a critical role in how a bank customer shares their consent & authorisations. Consent management puts power into the hands of the end customer, as it allows the customer to control who can access information and for how long. Consent can be interpreted as Terms & Conditions dictated by the customer.
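As an added illustration (not Banfico's code, nor any standard's API), the check below applies a customer's consent to one TPP API call: who may access, which permissions, which accounts and for how long, denying anything not explicitly granted, and returns the audit record that consent and access logging needs. The permission names, identifiers and the consent store are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical permission names used for illustration only.
READ_ACCOUNTS = "ReadAccountsBasic"
READ_BALANCES = "ReadBalances"
READ_TRANSACTIONS = "ReadTransactionsDetail"

@dataclass(frozen=True)
class Consent:
    """What the customer (PSU) authorised: which TPP, which data, which accounts, until when."""
    consent_id: str
    tpp_id: str            # TPP the customer granted this consent to
    status: str            # "AwaitingAuthorisation", "Authorised" or "Revoked"
    permissions: frozenset
    account_ids: frozenset
    expires_at: datetime   # "for how long" is part of the consent itself

def validate_consent(consent, tpp_id, permission, account_id, at):
    """Deny by default: every condition the customer set must hold for the call."""
    if consent is None:
        return False, "unknown consent"
    if consent.tpp_id != tpp_id:  # tpp_id comes from the validated token / MTLS certificate
        return False, "consent belongs to a different TPP"
    if consent.status != "Authorised":
        return False, "consent not authorised (status %s)" % consent.status
    if at >= consent.expires_at:
        return False, "consent expired"
    if permission not in consent.permissions:
        return False, "permission not granted: " + permission
    if account_id not in consent.account_ids:
        return False, "account not covered by consent"
    return True, "ok"

# Constructed sample consent store (not real data).
NOW = datetime(2019, 9, 14, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=91)  # after c-1 has expired
CONSENTS = {
    "c-1": Consent("c-1", "tpp-a", "Authorised", frozenset({READ_ACCOUNTS, READ_BALANCES}),
                   frozenset({"acc-1"}), NOW + timedelta(days=90)),
    "c-2": Consent("c-2", "tpp-b", "AwaitingAuthorisation", frozenset({READ_ACCOUNTS}),
                   frozenset({"acc-2"}), NOW + timedelta(days=90)),
}

def evaluate(tpp_id, consent_id, permission, account_id, at=NOW):
    """Validate one TPP API call and return the audit record to log for traceability."""
    allowed, reason = validate_consent(CONSENTS.get(consent_id), tpp_id, permission, account_id, at)
    return {"tpp": tpp_id, "consent": consent_id, "permission": permission, "account": account_id,
            "at": at.isoformat(), "allowed": allowed, "reason": reason}
```

Every denial carries the first failing condition, so the audit trail shows why a TPP call was refused without leaking details of the consent to the caller.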

Page 3

In addition, there are various other aspects pertinent to PSD2 implementation:

1. Transaction monitoring & risk analysis
2. Regulatory reporting on fraud rates & service levels
3. Credit/Debit card PSD2 compliance
4. Logging and traceability of events, consent, access
5. Different access methods implementation: Redirect, Decoupled, Embedded
6. Non-functional requirements: Security, Scalability, Availability
7. Business process to support TPPs
8. Business process to support customers
9. Support for IT security audits
10. Deployment of the PSD2 solution: on premise or cloud

We will support all of the above items in our PSD2 implementation program. We will help with continuous ongoing compliance as the PSD2 regulation and its technical interpretation evolve. We use enterprise grade modern products for API management (IBM API Connect) and Identity & Access Management (Ping Identity). We will hand over the implementation of the PSD2 stack to your IT team with the required knowledge transfer and training, and will continue to provide professional support for technical problems and upgrades.

SCOPE

The implementation is a major program to be done over a long time period. It covers a wide range of aspects; the most important ones are:

- Consent Management
- Identity & Authentication
- API Implementation
- Developer Portal
- TPP Validation
- Core Banking Integration

Page 4

CORE BANKING INTEGRATION – DECIDES SUCCESS OR FAILURE

One of the critical paths in delivering a successful PSD2 implementation is core banking integration, which in our experience has always been completely underestimated in terms of complexity and ends up overspent. Banks' infrastructure has traditionally been an aging estate without an easy-to-integrate interface. The main integration points are:

1. Customer Authentication
2. API to core banking
3. Consent management

Customer authentication will involve integration with existing authentication systems, but PSD2 also mandates Strong Customer Authentication, if not already present, to provide OAuth2 standard based authorization. API integration will involve exposing core banking systems, which are mostly legacy. Finally, consent management will involve exposing consents on existing channels such as internet banking, mobile banking or even branch banking CRM.

Our team will work closely with your IT team to accomplish this integration. We have gained valuable experience from the integrations we have done in the last 3 years.

SOLUTION ARCHITECTURE

We would like to reiterate that PSD2 is an API program, and also reinforce that the API is the future of banking and fintech innovation. Our architecture is implemented using best fit technology in a cost effective manner to address ongoing and future digital transformations. Our technology stack is based on a loosely coupled architecture to avoid vendor lock-in for the components that address specific requirements. APIs are implemented using a microservice architecture. Most importantly, our tech stack is cloud ready, although we also provide a fully automated on-premise deployment.

Ping Identity's IAM suite and IBM's API Connect are great products for delivering a PSD2 program seamlessly. A lot of the technical complexity is elegantly addressed by these vendors, and their products have been used widely in many banking implementations.

[Solution architecture diagram. Labels recovered from the figure: TPP and ASPSP sides; PSD2 API with API Security (Token Validation, Consent Validation, TPP Validation) in front of the Account / Payment API, Core Banking Integration and Core Banking; Ping Access and IBM API Connect for API security and management; PingFederate for PSU Authentication and Consent; PingDirectory; PingIntelligence; Consent Management; TPP Validation against the QTSP & Open Banking Europe TPP Directory.]

Page 5

API STANDARDS

We support the standards below.

Open Banking UK (Version 3.1): conforms to Security Profile
- OAuth 2 Hybrid flow supported
- Dynamic Client Registration supported
- Signing Algorithm PS256 supported
- MTLS supported

NextGenPSD2 / Berlin Group (Version 1.3): conforms to Security Requirements
- OAuth protocol with "dynamic scopes" supported
- TPP validation with OpenBankingEurope supported
- eIDAS/MTLS supported

STET / France (Version 1.4): conforms to Security Requirements
- OAuth protocol with appropriate "scopes" supported
- TPP validation with OpenBankingEurope supported
- eIDAS/MTLS supported

PARTNERS

Our partners are leaders in their own domains. Their subscription based pricing suits smaller banks in delivering a robust enterprise grade implementation.

Partner categories: Identity & Access Management; API Management; Edge Security; Audit, Log & SIEM.

Page 6

SANDBOX

We have built a PSD2 solution that can help banks meet the 14 March deadline. This well architected design can also be extended to a full implementation by addressing the core banking integration.

FEATURES

CLOUD BASED STANDALONE SANDBOX
- Quick provisioning
- Cost effective
- Managed support
- No need to integrate with the bank's current systems

FULL IDENTITY & ACCESS MANAGEMENT SUPPORT
- Customer self-registration
- Full Identity & Access Management
- MFA mobile app used for SCA

REFERENCE BANK SUPPORT (MOCK BANK)
- Provided with customizable test data: Accounts, Balances, Transactions, etc.

FULLY FEATURED API MANAGEMENT
- Developer Portal
- API Documentation
- API Testing using Swagger UI & Postman scripts

CONSENT MANAGEMENT
- Customers can manage their consent on the mock bank
- Consent validation on TPP requests

AUDIT & LOG
- Aggregates all logs & events
- Provides audit trails

SYSTEM MANAGEMENT
- Banks get their own cluster
- Full admin access to all components

DEVOPS FRIENDLY DEPLOYMENT
- Runs on cloud
- Deploy all components within minutes

SUPPORT
- 24/7 managed support

BANFICO - ABOUT US

We are PSD2 experts across domains: Identity & Access Management, API, Regulatory, Payments & Project Management. Unlike other consulting partners, we are a boutique firm focused on delivering PSD2 consulting & implementation. We have all worked on Open Banking programmes in the UK's top 9 banks in the last 3 years.

We have also signed partnerships with most of our COTS stack providers. We work closely with them to accomplish our commitments to banks.