how psd2 provides access to payment accounts
TRANSCRIPT
How PSD2 provides access topayment accounts
Arno Voerman
4 April 2017
1
PSD2 as driver for APIs/open banking
Targeting developers
PSD2 is the tipping point for API technology to break through into the financial sector. At first glance, they may seem innovative, but open APIs have been an established feature outside the financial sector for quite some time. In fact, a real API economy exists which banks are only now entering gradually. Besides the mandatory PSD2 APIs, banks such as BBVA, Capital One and Crédit Agricole are unveiling other products and services via APIs. APIs have long been more than mere IT interfaces, and now represent a new product and channel catering for new and existing clients such as developers.
From closed to open banking
PSD2 marks the beginning of a wider transformation in the financial sector, and signals a shift towards a more open financial sector with more APIs than just those required by PSD2 – it’s a new trend popularly known as open banking.
(PSD2 is not just about PSD2 any more, Blog Laurens Hamerlinck - 30 June 2016)
2
PSD2: Revised Payment Services Directive
EU Directive
• 25 November 2015
• Requires transposition in national laws
• Ultimately 13 January 2018
• Netherlands:
• Dutch Financial Supervision Act (Wft)
• Dutch Civil Code (BW)
• But application RTS 18 months after the date of entry into force …
3
PSD2: XS2A
Access to online payment accounts
Payment Service User =
Account Holder
ASPSP =
Account Servicing Payment Service Provider
PISP =
Payment Initiation Service Provider
AISP =
Account Information Service Provider
TPP =
Third Party Service Provider
Payment Initiation =
a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider;
Account Information =
a service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider
4
Access to …
… online Payment Accounts
‘payment account’ means an account held in the name of one or more payment service users which is used for the execution of payment transactions;
‘payment transaction’ means an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee;
FCA (UK):
“payment account” means an account held in the name of one or more consumers through which consumers are able to place funds, withdraw cash and execute and receive payment transactions to and from third parties, including the execution of credit transfers, but does not include any of the following types of account provided that the account is not used for day-to-day payment transactions: savings accounts; credit card accounts where funds are usually paid in for the sole purpose of repaying a credit card debt; current account mortgages or e-money accounts.
5
Payment Initiation
6
Payment Initiation
Fact Sheet EC:Payment initiation services providers typically help consumers to make online credit transfers and inform the merchant immediately of the payment initiation, allowing for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute a true alternative to credit card payments as they offer an easily accessible payment service, as the consumer only needs to possess an online payment account.
7
Account Information
8
Account Information
Fact Sheet: European Commission:Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorisetheir spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning
9
Key elements XS2A …
• PIS and AIS regulated services under PSD2
• PISP requires PI-license
• AISP requires registration
• Also for (existing) banks and payment institutions
• PSU has the right to use the services of a PISP or AISP
• Civil law right of PSU
• Not right of PISP or AISP
• Consent PSU required
• ASPSPs must allow access to the account
• ASPSPs may not require a contract
• Reliance on authentication procedures provided by ASPSPs
10
Challenge: technical aspects of XS2A
RTS SCA and CSC
• ASPSPs shall have in place at least one interface which meets each of the following requirements …
• ASPSPs shall establish the interface(s) referred by means of a dedicated interface or by allowing use by the PISPs or AISPs of the interface used for authentication and communication with the ASPSP’s PSUs.
• ASPSPs shall ensure that their interface(s) follows standards of communication which are issued by international or European standardisation organisations.
• If dedicated interface, the ASPSP shall ensure that the dedicated interface offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the payment service user for directly accessing its payment account online.
11
Impact on market entry by PISPs and AISPs under PSD2?
Requirements for PISP/AISP:
• Professional indemnity insurance
• Business plan
• First three financial years
• … operate soundly
• Security Policy Document
• Detailed risk assessment
• Description of IT systems
• Logical security measures and mechanisms
12
Challenge: identification of TPPs
29 draft final RTS and 14 under 2 PSD2
13
Challenge: account information – SCA and consent
• Mandatory Strong Customer Authentication (knowledge, inherence, possession)
• Exemption for payment account information
• Balance
• Payment transactions <90 days
Except first time or more than 90 days
• Rights of AISPs
• AISPs shall be able to access information from designated payment accounts and associated payment transactions held by ASPSPs for the purposes of performing the AIS in either of the following circumstances:
(a) whenever the PSU is activelyrequesting such information;
(b) where the PSU is not actively requesting such information, no more than four times in a 24 hour period, unless a higher frequency is agreed
Consideration 18 final draft RTS:
In accordance to Articles 65, 66 and 67 PSD2, TPPs will only seek and obtain the necessary and essential information from the ASPSP for the provision of a given payment service and only with the consent of the PSU.
This consent may be given:
• individually for each request of information; or
• for each payment to be initiated; or
• for AISPs, as a general mandate for designated payment accounts and associated payment transactions as established in the contractual agreement with the PSU.
TPPs shall only request information on behalf of the PSU with his/her consent.
Challenges:
• Evidence of consent to ASPSP?
• Withdrawal of consent, what if only to ASPSP?
14
Challenge: mandatory XS2A earlier than application RTS?
Article 115 PSD2
1. By 13 January 2018, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
2. They shall apply those measures from 13 January 2018 …
4. By way of derogation from paragraph 2, Member States shall ensure the application of the security measures referred to in Articles 65, 66, 67 and 97 from 18 months after the date of entry into force of the regulatory technical standards referred to in Article 98.
6. Member States shall ensure that until individual ASPSPs comply with the regulatory technical standards referred to in paragraph 4, ASPSPs do not abuse their non-compliance to block or obstruct the use of payment initiation and account information services for the accounts that they are servicing.
15
Challenge: consent and personal data
Article 94 under 2 PSD2:
Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user.
Challenges:
• What is explicit consent?
• How to deal with silent-party data?
• Joint accounts?
• Alignment with GDPR?
16
Contact
Arno Voerman
Partner, Payments & FinTech
t +31 20 6789 250
m +31 61 1388 538
AMSTERDAM
Van Doorne N.V.
Jachthavenweg 121
1081 KM Amsterdam
P.O. Box 75265
1070 AG Amsterdam
The Netherlands
t +31 (0)20 6789 123
www.vandoorne.com
ASSOCIATION WITH
VANEPS KUNNEMAN VANDOORNE
ARUBA I BONAIRE I CURACAO I ST. MAARTEN
DUTCH CARIBBEAN DESK (AMSTERDAM)
www.ekvandoorne.com
LONDON
Van Doorne UK B.V.
125 Old Broad Street
London EC2N 1AR
United Kingdom
t +44 20 7073 0465
www.vandoorne.com