psd2 és az api gazdaság a bankszektorban psd2 event... · psd2 overview and impact szabó jános...

© 2017 IBM Corporation

Threat or opportunity?

PSD2PSD2 és az API gazdaság a bankszektorban

© 2017 IBM Corporation

Szabó János

Industry Solution Architect+36 20 823 [email protected]

Rainer Pirker

Bluemix Sales Leader CEE

[email protected]

© 2017 IBM Corporation2017.03.03.

Agenda

08:30 – 09:00 Registration

09:00 – 09:15 Introduction

(Peter Rehus – Country Leader, IBM Hungary)

09:15 – 10:00 PSD2 Overview and impact

10:00 – 10:30 PSD2 Use cases and examples

10:30 – 10:50 Coffee break

10:50 – 11:15 Instant payment and real-time fraud detection

11:15 – 12:00 API Economy – new way to work for business

12:00 – 13:00 Lunch

PSD2 Overview andimpact

Szabó János



CO

MPE

TITI

ON

CO

MPE

TITI

ON

TRA

NSP

AR

ENC

YTR

AN

SPA

REN

CY

INN

OVA

TIO

NIN

NO

VATI

ON

SEC

UR

ITY

SEC

UR

ITY

Principles

Background, Objectives & Principles for PSD2

Contribute to a more integrated and efficient Europeanpayments market Improve the level playing field for payment service

providers (including new entrants) Make payments safer and more secure Protect consumers Encourage lower prices for payments

2014


Allow users to initiate online payments directlyfrom their bank accounts via third-partyproviders.

Aggregation of payment account informationfor users whom can get all of their transactionhistory and balances from one portal.

Standardization of surcharges on card-basedtransactions across EU.

New security requirements for electronicpayments and account access.

Beyond EU and in the definition of “PaymentInstitution”

What is Payments System Directive 2 (PSD2)?

Extension of scope

Third-party payment initiation

Third-party account access

Prohibition of paymentsurcharges

Security and authentication

1

2

3

4

5


European Commissioncreates proposal

Parliament adoptsproposal

European BankingAuthority specifies

implementationguidelines [RTS]

Member governmentspass laws (compliance

over 2 years)

>18 monthtransitionperiod

RTS not inforce despitecompliancewith PSD2

Misalignmentbetween RTS &

compliance

Security & TechnicalStandards

Timeline of PSD2

RTS = Regulatory Technical Standards

Changed in 27/02/2017


ProvidersServicesBanks

PSD2 abbreviations (there are too many TLAs)

AccountInformation

Service (AIS)

Payment InitiationService (PIS)

$£€Account ServiceProvider

(ASP/ASPSP)CustomerThird Party

Provider (TPP)

APIS

Security

Payment InitiationService Provider

(PISP)

AccountInformation

Service Provider(AISP)

Access To Account (XS2A)


• Push based account info• Real-time account info (request on demand)

TodayPSD2

Scope of PSD2: Account Information Services (AIS)

Banks will be mandated to provide aspects of accountinformation to 3rd party providers (TPPs) via APIs Account information service providers (AISPs) will not

have full access to the account of the customer They will receive the information explicitly consented by

the customer and only to the extent they are necessaryfor the service provided to the customer A dynamically generated code only valid for that specific

transaction will have to be used in the authenticationprocess

Account owner

ASP BASP A ASP C

Account Information Service Provider(AISP)


Buyer

Buyer’s Bank Credit transfer Merchant’s Bank

Merchant

3. Payment instruction

1. Purchase

4. Payment instruction (API)

2. Payment request

Merchant processor (PSP)

2. Payment request

Payment InitiationService Provider (PISP)

PISP = Payment Initiation Service ProviderASP = Account Service ProviderPSP = Payment Service Provider

TodayPSD2

2. P

aym

ent I

nstru

ctio

n

3. 4.

5.

5. 6.

7.

Banks will be mandated to allow payments to initiated fromcustomer accounts by 3rd party providers (TPPs) via APIse.g. card providers; device providers; app providers

Payment initiation service providers (PISPs) will not havefull access to the account of the payer

TPPs will only be able to receive information from thepayer's bank on the availability of funds (a yes/no answer)on the account before initiating the payment (with theexplicit consent of the payer)

A dynamically generated code only valid for that specifictransaction will have to be used in the authenticationprocess

Scope of PSD2: Payment Initiation Services (PIS)


Process flow - TPP permission request

Support XS2A APIs + Security TPP API calls

Processing, registration and management of TPP permission request

Account owner approval (or reject) of permission via existing customer channel of ASP

1

2

3

XS2A APIchannel

XS2Aadmin

CustomerChannel

Request to activate account forTPP service

NewPermission.rq

NewPermission.rs

Process TPP permissionrequest

Confirm receipt TPPpermission request

Request permission approval (byaccount owner)

Response permission approval

Authentication + Permisison approval

Response permission approval

UpdateStatusPermission.rq

UpdateStatusPermission.rs

Confirm TPP permisison(email, SMS, ...)

Confirmation that request hasbeen issued to ASP

1 2

3

Account Service Provider (ASP)

Customer TPP


Process flow - TPP permission request (token based)

Support XS2A APIs + Security TPP API calls

Generation TPP permission in the form of a signed token. Token is not stored

Account owner approval (or reject) of permission via existing customer channel of ASP

TPP stores token in order to include it in API request for concerning service and account

1

2

3

4

API channel XS2A ConsentCustomerChannel

Request to activate account forTPP service

SubscribeService.rq

GenerateToken.rq

ASP1

Redirect

Requestfor approval by account owner

Generate tokenSubscribeService.rs (+ token) GenerateToken.rs

Store token

Response activation accountfor TPP service

TPPCustomer

Dialogue to request approvalaccount owner

2

3

4


Bank Account

Channel appe.g. internet banking

XS2A

Payments

Account owner

Bank A

Bank Account(incl. Payments)

Account owner

Bank A

Channel appe.g. internet banking TPP

TPP = Third Party Payment ProviderXS2A = Access to account

Scope of PSD2: In simplest terms


Impact of PSD2 on ASPs

Account Service Provider(ASP)

Implementation of APIs to enable AIS andPIS access by TPPs

Security of API requests by TPPs

Register accounts for AIS and PISservices and permit TPPs

Implement technical guidelines of EBA onsecure authentication

Apply information transparency rules to thecustomer

Develop a strategy to limit the flow-out ofcustomers to TPPs


BANKBANK

PARTNERMANAGEMENT

PARTNERMANAGEMENT

ITFOUNDATION

ITFOUNDATION

COMPLIANCECOMPLIANCE

PRIVACY &SECURITY

PRIVACY &SECURITY

MONETIZA-TION

MONETIZA-TION

CUSTOMERRELATIONSCUSTOMERRELATIONS

BANK

PARTNERMANAGEMENT

ITFOUNDATION

COMPLIANCE

PRIVACY &SECURITY

MONETIZA-TION

CUSTOMERRELATIONS

What should my ecosystem look like?Who should I partner with & why? Howwill I manage the relationships?Why should others partner with me?

Does my infrastructure allow me toembrace the API Economy? What aremy technology choices & criteria formaking the long-term choice?

Are my processes and operationsready for ensuring both legal(external) and operational (internal)conformance with standards?

How will I ensure data andtransactions are secured, monitored& accurately reported?

How can I benefit from a change inmy business model? How can Iconvert my data assets into newrevenue sources?

Why does my customer need me andwhat must I do to keep therelationship intact? How can Iincrease my customers’ loyalty tomy firm? How do I analyze mycustomer?

What should banks be thinking about? …Strategically.


Impact of PSD2 on PSPs (in fact, the whole payments landscape)

Payment Service Providers(PSPs)

Disappearance of ‘monopoly’ of accountservice provider

More opportunities for non-banks (ThirdParty Providers) to provide new innovativeservices more competition

Opportunity for wallet service providers totop-up wallet instantly against low tariffs(instead of credit card)

Provide retail payment services via moreopen credit transfer schemes instead ofclosed card schemes

Fewer dependencies on banks as non-banks can also participate in paymentsystems (CSMs)

PSD2 StrategicScenarios

Szabó János



Security ITInfrastructureCulture Open BankingEcosystem

Technology

Business

Implications of PSD2


Strategic PSD2 scenarios

PSD2 only Extended

TPP Base TPP Value adding TPP

ASP Base ASP Value adding ASP

API Scope

Rol

e

Life can be predictable, so why notyour banking? The more we learnabout how you like to behave, thebetter we’ll get at keeping you onestep ahead.

Focusing on compliancy

Szabó János



The Security ImperativeWith so many strategic options and the evolution of business models, two things are certain: (1) the increasing volumeand variety of transactions; (2) the expansion of pre-determined and new sources of transactions. None of these canhave gaps in security and integrity. Opinions from all are converged on the importance of security.

2016 ACCENTURE: As significantquantities of customer data begin to

concentrate around the bank ecosystem, themonitoring and protection of this data

becomes an increasingly core aspect of abank’s operations and value proposition.

2016 ACCENTURE: As significantquantities of customer data begin to

concentrate around the bank ecosystem, themonitoring and protection of this data

becomes an increasingly core aspect of abank’s operations and value proposition.

2015 DELOITTE: New controls and toolswill likely be needed to protect unboundedpotential use cases while providing end-to-end effectiveness—according to what may

be formal commitments in contractualservice-level agreements.

2015 DELOITTE: New controls and toolswill likely be needed to protect unboundedpotential use cases while providing end-to-end effectiveness—according to what may

be formal commitments in contractualservice-level agreements.

2014 McKINSEY: As a general goal, banksmust integrate data instantaneously acrossdisparate systems for immediate insights

that increase choice and equip thecustomer to make smart, highly informeddecisions—all while maintaining security

and privacy.

2014 McKINSEY: As a general goal, banksmust integrate data instantaneously acrossdisparate systems for immediate insights

that increase choice and equip thecustomer to make smart, highly informeddecisions—all while maintaining security

and privacy.

What bankshave to secure

MEME MONEYMONEY

IdentityBehavior

AssetsTransactions

TRUSTPRIVACY• Base relationship• Expected & given• Undifferentiated• Utilitarian

• Base relationship• Expected & given• Undifferentiated• Utilitarian

• New & enhanced• Conditional• Differentiating• Dynamic

• New & enhanced• Conditional• Differentiating• Dynamic

How banks needto adapt

Esse

nce

of th

eCU

STO

MER

REL

ATIO

NSH

IP

The GAP is the difference between a customers’ subjective expectations versus the actual experience.

PoV | ‘Mind the Gap’


Overview APIs required for XS2A compliancy (indicative)

Permission Admin APIs• New Permission (TPP -> ASP)

• Permission Adjustment (TPP -> ASP)

• Permission Cancellation (TPP -> ASP)

• Permission Status Update (ASP -> TPP)

Payment Initiation APIs• Payment Transfer Instruction (TPP -> ASP)

• Payment Reservation Instruction (TPP -> ASP)

• Payment Cancellation (TPP -> ASP)

• Payment Status Update (ASP -> TPP)

Account Information APIs• Get Account Balance (TPP -> ASP)

• Get Account Statement (TPP -> ASP)


Challenges with absence of API standards

End-users(consumers/businesses)

TPPs(AISP/PISPs)

ASPs

x00 – x,000 TPPs

x,000 ASPs


Standardisation PSD2 APIs

No official pan-European initiative for standardisation PSD2 APIs

• Banks in UK have decided to create an Open Banking Standard tostandardise bank APIs including the XS2A APIs

• CAPS: Initiative from several market participants to define common PSD2standards

• Vendor initiated ‘open’ API initiatives, such as:– Open Bank Project (Tesobe)

– Open Bank (Apigee/Google)


Scope of PSD2 : Functional component overview

TPP = Third Party ProviderXS2A = Access to account

Customer Channel

Account owner

Accounts Payments

Account info Payment info

Accounting

FraudDetection

APIChannelCustomer Channel

Account owner

Accounts Payments

Account infoPayment

info

Accounting

XS2AConsent

TPP

FraudDetection


Key impact areas XS2A for ASPs


Account owner

Accounts Payments

Account infoPayment

info

Accounting

XS2AConsent

TPP

FraudDetection

1 2

4

3

65

1 3 5

2 4 6

• Implementation of XS2A APIs• Security of APIs requested by TPP

• Approval by account owner for TPPaccess

• Real-time balance check/debit posting• 24x7 availability

• TPP permission management &validation

• Real-time payment processing (inparticular debtor side). Also for allcross-border payments.

• 24x7 availability

• Real-time fraud check• 24x7 availability

Different business models

CLEARING HOUSE

ASP

TPP

CUSTOMER

RETAILER


Overview PSD2 related IBM offerings

Infrastructure

Strategy

Innovation&

Delivery

Security

Software&

Accelerators

IndustrySolutions

PSD2

• API Connect

• PSD2 accelerator APIs

• Industry models

• Payment Gateway + Wallet

• Financial TransactionManager

• Safer Payments

• PSD2 Impact and Readiness Assessment

• Strategy Development

• Digital Thinking & Design

• MobileFirst and Apple + IBM

• Digital Integration Factory

• Architecture Development

• Cloud (IaaS, PaaS, SaaS)

• IBM Bluemix

• IBM Technology Labs

• Device Management & Security


Solutions


Account owner

Accounts Payments

Account infoPayment

info

Accounting

XS2AConsent

TPP

FraudDetection

IBM API Connect

IBM FTM IBM SaferPayments

ShadowAccounts

Focusing onopportunities

Rainer Pirker


[email protected]


Do you remember them?Do you remember them?Do you remember them?


This is where they are nowadaysThis is where they are nowadaysThis is where they are nowadays


Business challengeYES BANK sought to differentiate its brand and its products in the face ofgrowing competition and the Indian customers’ growing demand foranytime-anywhere banking capabilities.

TransformationThe bank leverages IBM API Management software to create aframework for its own business ecosystem and drive its digital strategy,securely and transparently connecting customers with merchants via YESBANK APIs.

Headquartered in the Lower Parel Innovation District of Mumbai, YES BANK isthe fifth largest private sector bank in India, with over 18,000 employeesacross the country’s 29 states and 7 union territories. As of September 30,2016 the bank operates more than 900 branches and 1700 ATMs nationwide.

Solution components• IBM API Management software• IBM® DataPower® Gateway• IBM Integration Bus software• IBM Mobile First software

Share this

Business benefits

Extendsmarket reach by exposing services tomillions of India’s unbanked population onmobile devices

Exposescore business data and services securelyto multiple strategic partners through APIs

Reducestime required to add new strategicpartners and exploit emerging revenuegenerating channels

YES BANKBuilding an API ecosystem toenhance service and expandmarket reach

“In the API economy, any company isfree to create customized, secureecosystems that optimize the value oftheir services and data.”

—Anup Purohit, Chief Information Officer,YES BANK

BXP03021-USEN-00


Rabobank | APIs for rapid innovation

Strategic IntentTo respond to changing market conditions, competition and the coming regulatory environment,Rabobank decided to launch into the API Economy and renew its value proposition to a newgeneration of bankers.

Strategic IntentTo respond to changing market conditions, competition and the coming regulatory environment,Rabobank decided to launch into the API Economy and renew its value proposition to a newgeneration of bankers.

Needs & Solution An API solution to expose existing and new business services. Prepare for PSD2 regulations and a rapid innovation platform to meet changing requirements. Create a model to supply business services to trusted partners.

Needs & Solution An API solution to expose existing and new business services. Prepare for PSD2 regulations and a rapid innovation platform to meet changing requirements. Create a model to supply business services to trusted partners.

Why IBM IBM’s guidance and implementation skills for security, API Connect, and technicalities. Options for implementing API management for core business functions and on Bluemix to

further innovation, rapid development, and hackathons.

Why IBM IBM’s guidance and implementation skills for security, API Connect, and technicalities. Options for implementing API management for core business functions and on Bluemix to

further innovation, rapid development, and hackathons.

Food &agriculturefinancing; retailbank

Founded 1972Netherlands

Worldwide 1000locations

€13 billionrevenues

2.5 million Dutchcustomers


Citibank Worldwide | Prime and first mover

Strategic IntentSoon after the financial crisis of 2008, Citibank saw an opportunity to become a ‘digital’ bank inthe persona of a fintech. Citi pioneered a strategic move into mobile banking, then into adoptingAPIs, and inviting external developers to contribute to its digital strategy. Citi chose to driveinnovation through APIs and therefore is better prepared than most to comply with regulationsand meet expectations.

Strategic IntentSoon after the financial crisis of 2008, Citibank saw an opportunity to become a ‘digital’ bank inthe persona of a fintech. Citi pioneered a strategic move into mobile banking, then into adoptingAPIs, and inviting external developers to contribute to its digital strategy. Citi chose to driveinnovation through APIs and therefore is better prepared than most to comply with regulationsand meet expectations.

Needs & Solution Expose APIs to consumers and business partners to simplify digital interaction with the bank. Provide credit/debit card capabilities in a mobile phone. Create customer loyalty programs for partners and consumers. Link transactional data with key partner promotions (with location based offers). Expand mobile banking services including account look-up, transfer funds, bill payment.

Needs & Solution Expose APIs to consumers and business partners to simplify digital interaction with the bank. Provide credit/debit card capabilities in a mobile phone. Create customer loyalty programs for partners and consumers. Link transactional data with key partner promotions (with location based offers). Expand mobile banking services including account look-up, transfer funds, bill payment.

Why IBM Citi was an early customer of IBM API Management and has graduated to API Connect,

showing its confidence of, and dependence on IBM’s API vision and product roadmap. As a DataPower user, it was easy for Citi to decide on another IBM solution that built on and

extended the value of DataPower. IBM’s solution met Citi’s need to scale and securely manage up to thousands of transactions

per second.

Why IBM Citi was an early customer of IBM API Management and has graduated to API Connect,

showing its confidence of, and dependence on IBM’s API vision and product roadmap. As a DataPower user, it was easy for Citi to decide on another IBM solution that built on and

extended the value of DataPower. IBM’s solution met Citi’s need to scale and securely manage up to thousands of transactions

per second.

Full service

Founded 1812New York City

220,000 groupemployees

Worldwideoperations

$69.87 billiongroup revenues

>100 millionconsumers


Societe Generale | Engaging creative developers

Strategic IntentExecute a comprehensive API strategy for internal and external developers. Fence anecosystem of developers and APIs which already generate over 250 million API calls per dayacross 80 APIs for mobile and web retail banking.

Strategic IntentExecute a comprehensive API strategy for internal and external developers. Fence anecosystem of developers and APIs which already generate over 250 million API calls per dayacross 80 APIs for mobile and web retail banking.

Needs & Solution Link current APIs for the banks Open Banking Initiative with PSD2 directives. The bank continues to nurture and expand their B2B affiliations using micro-services with

accompanying requirements for security and transaction integrity. Validate OAuth2 protocols using DataPower and external token generators. API solution for full life-cycle creation and management of APIs.

Needs & Solution Link current APIs for the banks Open Banking Initiative with PSD2 directives. The bank continues to nurture and expand their B2B affiliations using micro-services with

accompanying requirements for security and transaction integrity. Validate OAuth2 protocols using DataPower and external token generators. API solution for full life-cycle creation and management of APIs.

Why IBM Societe Generale needed an enterprise grade solution which could be rolled out beyond the

retail division. Successful PoC with DataPower to meet critical security requirements. Long time user of DataPower as a secure gateway, extended to the API use cases.

Why IBM Societe Generale needed an enterprise grade solution which could be rolled out beyond the

retail division. Successful PoC with DataPower to meet critical security requirements. Long time user of DataPower as a secure gateway, extended to the API use cases.

InternationalRetail,corporate,investmentbanking

Founded 1864Paris

146,000employees

€25.6 billionrevenues

31 millioncustomers


PSD2 Use Cases – Retail payments

• Continuous digital interaction with customer

• Customer specific promotions and offerings

• Stronger customer intimacy through loyalty points

• Payment seamlessly integrated in customer buyingexperience

• Omni channel experience• Online• Store• App

Payment becomes integrated part of digital shopping experience



• Mobile ordering (avoid queueing)• Pay with phone• Earn and spend loyalty points (stars)



Video : New York Times - How China Is Changing Your Internet (http://nyti.ms/2b4n4ew)

Battle of Digital Touchpoint

Instant Payments

Szabó János



Key challenges of Instant Payments for Banks

Functional (application) related

Real-time processing is fundamentally different frombatch processing that is still applied by many legacysystems within banks. As a result, existing systems need tobe modernized / replaced.

The following bank applications/systems are most impactedby this real-time aspect:

Channels and order management applications

Payment (engine) application

Fraud screening application

Current account application

A different approach to the modernization for SEPAcompliancy is needed for IP processing.

Non-functional related

Instant payments has much higher non-functionalrequirements in comparison with traditional batch-based(SEPA) payments processing :

Latency (< 2 seconds)

24/7 availability

Absence of maintenance windows

Scalability (unpredictable peaks with high volatility)

Fail-over and resilience

Transactional integrity (commitment points)

Many of the legacy applications banks can’t apply to theserequirements and have fundamental shortcomings to beadjusted to meet these requirements.

These are the same(nothing has changed) Going to real-time


Instant payments implies high non-functional requirements

NoteThe draft EPC SCT Inst rulebook proposes an end-to-end latency of 10 seconds.Individual countries may apply more strict timelines fore the domestic instant payments.

Key non-functional requirements

• 24x7x365 availability

• Continuation of service duringmaintenance windows and upgrades

• Low latency with payment timeout ifexceeded

• High peaks in volumes expected (morethan cards) up- and downwardsscalability

• Support of multiple service levels (=latency) (Netherlands and possiblyother countries will follow)

Originator Debtor PSP

Originatepayment

CSM Creditor PSP

Debit sideprocessing Interbank

processing Credit sideprocessing

InterbankprocessingConfirmation

processingReceive

confirmation

3 sec1 sec

2 sec

1 sec1 sec

0.5 sec

0.5 sec

0.5 sec

0.5 sec

= Start timing service = End timing service

10 sec


Sample process flow in FTM (outbound instant payments transfer)

Data Repository(configurations, master data, files/messages, payments/transactions, activity log, reports, …)

Process Manager

Payment Business Services

Integration Layer

CustomerChannel

1

Customer

2 db

AccountMgnt.

Fraudscan

CSM

3 4 8 9 11 12 13 146

db

AccountMgnt.

CustomerChannel

1. Receipt payment instruction fromcustomer channel

2. Determine process flow3. Start process flow4. Mapping into internal format5. Validation of payment, registration in

repository and start of executionprocess

6. Fraud check (performed by externalsystem)

7. Check disposition and reserve funds8. Determine clearing & settlement

mechanism (CSM)9. Submission payment to CSM10. Process response from CSM11. Update status in repository12. Generate and post accounting entries13. Submit notifications to debtor14. End process flow

1. Receipt payment instruction fromcustomer channel

2. Determine process flow3. Start process flow4. Mapping into internal format5. Validation of payment, registration in

repository and start of executionprocess

6. Fraud check (performed by externalsystem)

7. Check disposition and reserve funds8. Determine clearing & settlement

mechanism (CSM)9. Submission payment to CSM10. Process response from CSM11. Update status in repository12. Generate and post accounting entries13. Submit notifications to debtor14. End process flow

5 7 10

= Exception process flow

= Registration/update data in repositorydb

Customer

IBM Financial Transaction Manager


FTM’s agility makes it applicable for multiple areas in bank’s paymentdomain

• Simplification (less applications and interfaces)• Less duplication of data and functionality• Easier to integrate and deploy• Re-use of (service) interfaces (APIs)• End-to-end visibility and control

• Better omni-channel customer experience• Higher quality of service• Faster time to market• Lower IT TCO (change and run)• Improved operational efficiency

Business value


Overview FTM architecture with Instant Payments module

FTM Base

Technology Foundation

Technical Components

WS Integration Bus WS TransformationExtender

WS BusinessActivity Monitor

DB2(or Oracle)

WS ApplicationServer Cognos Rational Software

ArchitectWS MQ

Process/StateManager Data Repository End User Console

(UI) Integration Layer Parameterisationframework

Dash Boardtemplates

Operational DataStore

Reportingtemplates

FTM ConfigurationsProcess Flows Business Rules Data

TransformationsDash Boards Reports & BI

If …then …else …

Interfaces Parameters Master Data

FTM Payment Modules

SEPA Instant Payments CorporatePayments ACH Checks Swift Order

Management …


Unique differentiator of FTM : Best-of-both-worlds

Out-of-the box functionality of FTM• UIs (configuration, track & trace, exception handling, …)• Data repository (master data and transactional data)• Process flows• Data transformations (mappers)

• Business rules (e.g. validations)• Dash boards• Integration• Reports

FTM Instant Payments offersfunctional richness andcompleteness of packagesolution…

… while at the same time keepthe flexibility and openness of abuild solution with no vendorlock-in.

Source : Gartner’s Buy-Assemble-Build continuum for payment system modernisation (Gartner, September2013)


IBM Payment and FTM References

IBM payments solutions are being deployed worldwide for payments initiatives at industry-leading FI’s

Executing 40% of the UK’s credit transfers at a single bank

Processing of instant payments for UK Faster Payments as well as Singapore G3/FAST payment scheme

Processing over 25% of the worldwide SWIFT volume

Proven scalability to over 4,000 transactions per second FTM products process over 1.2 billion transactions per month

FTM is currently implemented at Federal Reserve Bank in US to process 50% of credit transfers in US with peakof 100 mio payments in one day (in production by 2018)

FTM is currently implemented by two European CSMs for the intra-bank processing and settlement of SCT Inst

Real-time FraudDetection

Szabó János



Overview IBM Safer Payments

Comprehensive fraud managementsolution (analyse, define, detect,exception, report)

On average 17% better fraud detectionrates and 3 times less false positives

Acceleration of implementation time-lines

One intuitive UI for all users andactivities

Unmatched throughput with ultra lowlatency(12,000 trx/sec with 2 milliseconds latency)

Meets highest non-functionalrequirements(availability, performance, latency,resilience)

No limitations in terms of supporteddata sources

Makes use of Cognitive technology togenerate detection rules from productiondata analysis

PCI-DSS compliantSupports all types of ‘multi-features’(entities, currencies, languages, time-zones, …)


Cognitive model generation

Statistical Analysis

Modelling

Rules


Reference case : Carte Bancaire / STET

4,000 TRANSACTIONS

PER SECOND

API Connect

Rainer Pirker


[email protected]


Create Run

ManageSecure

How PSD2 is served by APIc

TPP Self Service developer portalXS2A API CreationXS2A API SecurityXS2A API Lifecycle ManagementXS2A API AnalyticsHybrid Deployment model for maximum scalabilityFull lifecycle API managementOptional solutions for security, integration and platformservices


Banks will need APIs to support third party providers

Buyer

Buyer ASP Credit transfer CSM Merchant ASP

Merchant

3. Payment instruction

5. FI2FI transfer 6. FI2FI transfer

4. Account statement

1. Purchase

4. Payment instruction (API)

2. Payment request

Merchant processor (PSP)

2. Payment request4. Account statement

Payment Gateway

TP PISP (+ wallet SP)

PISP Payment Initiation Service ProviderASP Account Service ProviderPSP Payment Service ProviderTPP Third Party Provider

Service subscription APIs• New Subscription (TPP ASP)• Subscription Adjustment (TPP ASP)• Subscription Cancellation (TPP ASP)• Subscription Status Update (ASP TPP)

Payment Initiation APIs• Payment Transfer Instruction (TPP ASP)• Payment Reservation Instruction (TPP

ASP)• Payment Cancellation (TPP ASP)• Payment Status Update (ASP TPP)

Account Information APIs• Get Account Balance (TPP ASP)• Get Account Statement (TPP ASP)• Account Statement Report (ASP TPP)

Transaction Flow Representation under PSD2

What banks, acting as ASPs, must do to be compliant with PSD2IBM’s sample list of APIs per current EBA guidelines. The list will expand as more EBA rules are announced.


The place of API Connect


Account owner

Accounts Payments

Account infoPayment

info

Accounting

XS2AConsent

TPP

FraudDetection

IBM API Connect


DEMO


API Connect: Topology Component View

z System / Legacy Apps

Cloud Service

Application Server

ESB / Middleware

Data StoreM

icro

serv

ices

Tra

ffic

API Traffic

API Gateway3(DataPower/MicroGW)

Microservices AppComputer Runtime6

(Node.js/Java)

DeveloperPortal1

API ManagementNode2

CollectiveController5

Developer4

Toolkit

BusinessPartner Apps

Mobile &Web Apps

EnterpriseInternal Apps

Internet ofThings

External AppDeveloper

Internal AppDeveloper

Partner AppDeveloper


IBM API Connect: Capabilities

• API discovery• API, Plan & Product policy creation• API, Plan & Product lifecycle mgmt.• Self-service, customizable,

developer portal• Advanced Analytics• Subscription & community mgmt.

• Policy enforcement• Enterprise security• Quota management & rate limiting• Content-based routing• Response caching, load-balancing

and offload processing• Message format & transport

protocol mediation

• Rapid model-driven API creation• Datasource to API mapping automation• Standards-based visual API spec

creation in Swagger 2.0• Local API creation and testing• On-cloud & on-premises staging

of APIs, Plans & Products

• Node.js & Java Microservice runtime• Node.js & Java integrated runtime

management• Enterprise HA & scaling• On-cloud & on-premises staging of

Microservice applicationsCreate Run

ManageSecure


What the experts are saying | Forrester, 4Q2016

API MANAGEMENT SOLUTIONS

• In 3Q2014, IBM was rated as a ‘Strong Performer’with an acknowledged speed to enhance itssolution capabilities.

• Until 2016, IBM had been behind leaders likeApigee, CA Technologies, and Akana.

• The inflection point in 4Q2016 is accompanied bya market presence that dominates all competitorsand a strong roster of customer logos acrossindustries and geographies.

• Today, among its competitors IBM ranks:#1 Current Offering#1 Strategy#1 Market Presence

• Forrester would like to see improvements in APIproduct definition and analytics.

• IBM is one of the leaders in portal richness, APIproduct management, and API Economy vision.


What the experts are saying | Gartner, December 2016

FULL LIFECYCLE API MANAGEMENT

• IBM has an established and powerful marketposition, with worldwide support capabilities,diversified geographical strategies across allindustries.

• API Connect’s embedded micro-gateway alongwith the stand-alone secure gateway givescustomers implementation choices across all usecases, user types, and deployment instances.

• According to a May 2016 analysis by Gartner,IBM has more licensing options than itscompetitors.

• Gartner suggests that IBM’s wide portfolio ofsoftware offerings may add to cost and complexityof integrations. [PoV - This is neither reasonable norlogical: backwards and forwards integration is requiredwith any mix of vendor applications. Second, while IBMsoftware is mostly SOA-style decoupled, integrating withIBM software is easier due to open standards, adapters,protocols, and development methods. Third, cost andcomplexity are predicated on scope and customerstrategies should play out over time.]


What the experts are saying | IDC & Ovum 2016

IDC | September 2016

• IBM growing 1.6x faster than the market• IBM is #2 in market share, just 0.3% away from top

spot• IBM growing 1.7x faster than leading vendor• IBM growing 3.5x faster than next closest vendor

OVUM | April 2016 for 2016-2017 outlook

• IBM’s compelling end-to-end API managementcapabilities

• IBM’s simple extension of integration capabilities for arange of use cases

• Only few vendors (like IBM) can provide an extensive setof capabilities for supporting digital business initiatives

API M

ANAG

EMEN

T SO

LUTI

ON

SAP

I MAN

AGEM

ENT

SOLU

TIO

NS


IBM Integration Bus: Satisfying PSD2 Requirements

IIB is designed to integrate both withAPI Connect and z/OS Connect,giving clients the flexibility and choiceto expose REST APIs for PSD2

SaaSEndpoints

Apps

Data

Process

Packages(SAP,PeopleSoft)

Adapter

SOAP/HTTP

ODBC/JDBC

MQ / JMS

LegacyFile

ExternalServices

Partners

External Developercommunities

Internaldevelopers

REST/HTTP

SOAP/HTTP

SOAP/HTTP

MQ

File

MQLight/AMQP

REST/HTTP

MQLight/AMQP

REST/HTTP

SOAP/HTTP

z/Native

CICS / IMS / Z

z Systems

REST/HTTPAPI Connect

DMZ

REST/HTTP

IBMDataPow

erGateway

IBM Integration Bus

REST/HTTP

z/OS Connect

MQ / JMS


IBM Bluemix: Integrating Banking into the Cloud ecosystem

IBM API Connect

Console to enforce runtime policies, monitor &control API traffic

Existing Bank SOAservices

Apps/Services inJava, NET, Cobol,etc.

Digital Systems

Next GenApp

Cloud-native digitalextensions

PSD2 / XS2A

Third party APIs(Fintechs)

API Monetization Options

Rainer Pirker


[email protected]


Approaches to opening APIs to ecosystem

Private API

• Accessible withinthe bank, limited toone’s organization(scoped to LoB orenterprise)

Partner API

• Based on bilateralagreements (eg.B2B)

Member API

• Available tocommunitymembers (eg. Aregistered thirdparty provider canuse PSD2 accountinformation andpayment initiationAPIs)

Acquaintance API

• Open to everyonecomplying with a setof pre-defined reqts(eg. Retailer POSAPIs)

Public API

• Open to everyone,typically with basicregistration (eg.branch, ATM locator,product information,interest rates)


The Business of APIs

For Free Developer Pays Business Asset must be

of high value to theDeveloper

For example, marketinganalytics, news,

Capabilities such as creditchecks

Transactional Usage of API generates

revenue on a pertransaction or transactiontiers model

Often a freemium model:free at low volumes, withpaid tiers beyond athreshold, or Premiumquality of service

Product sell The monetization model

is dependent on the saleof the products andservices to the consumer

The revenue isgenerated by fixed fees

API Monetization Understanding Business Model Options

Facebook Login APIprovides freeauthentication for anyWeb / mobile app

Example: Example:

IBM BluemixDeveloper Cloud –No cost trials, payper use, scale up anddown

Drives Adoptions of APIs

Typically low valuedassets

Drive brand loyalty

Enter new channels

Gaining reach

Google AdSense APIspay developers whoinclude advertisingcontent into apps

Example:

Airbnb charges foroccupied inventory,duration of a stay andservices availed duringthe stay

Example:

Business cases for APIEconomy

Rainer Pirker


[email protected]


Introduction of APIs as standard-interfaces

– Self Maintenance and -documentation– IBM DataPower Gateway acts as

“First line of defence” and API Gateway– API Connect is used as standard

Development Platform for APIs– The multi-tenant API Portals make

onboarding of internal/external/PartnerDevelopers easy and fast

https://developer.rblbank.com/

Ratnakar Bank (RBL Bank)


RBL Bank – architecture


https://developer.citi.com/

Citi Developer Hub


BBVAhttps://www.bbvaapimarket.com/web/api_market/products#bbva-products


http://www.xignite.com/products


API – how Bank can use it

MobileBackend

ClientsEcosytem

ContentDistribution

PartnersEcosystem

InternalInnovation

API as abusiness

TransactionsDistribution


Legal Disclaimer© IBM Corporation 2017. All Rights Reserved.The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of theinformation contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s currentproduct plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwiserelated to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties orrepresentations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product releasedates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are notintended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, statingor implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:Performance is based on measurements andprojections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending uponmany factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and theworkload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. If the text includes any customerexamples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:All customer examples described arepresented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performancecharacteristics may vary by customer.Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols(e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphereApplication Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviationsfor IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in yourpresentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2,PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark ofWebDialogs, Inc., in the United States, other countries, or both.If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete:Adobe, the Adobe logo, PostScript, and the PostScript logo areeither registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. If you reference Java™ in the text, please markthe first use and include the following; otherwise delete:Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, othercountries, or both. If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwisedelete:Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. If you reference Intel® and/or any of the followingIntel products in the text, please mark the first use and include those that you use as follows; otherwise delete:Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep,Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. If you reference UNIX® inthe text, please mark the first use and include the following; otherwise delete:UNIX is a registered trademark of The Open Group in the United States and othercountries. If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete:Linux is a registered trademark of LinusTorvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. If the text/graphicsinclude screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, ZetaBank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used forillustration purposes only.


Article 97 - Authentication

77

Article 5.

Member States shall ensure that the account servicing payment service provider allows the payment initiation

service provider and the account information service provider to rely on the authentication procedures provided

by the account servicing payment service provider to the payment service user in accordance with paragraphs 1

and 3 and, where the payment initiation service provider is involved, in accordance with paragraphs 1, 2 and 3.

Article 5.





Article 5.






Scope of Application

The subject matter deals with providing the legalfoundation for the creation of an EU/EEA wide singlemarket for payments.Directive covers the following categories of paymentservice providers (“PSPs”):

• Credit institutions• E-Money and payment institutions• Post office giro institutions• European Central Bank (ECB) and national

central banksPSD II is applicable to:

• Transactions where at least one of the paymentservice providers is located inside the EU/EEA

• Transactions in all official currencies, includingnon-EU currencies

PSD II contains 117 Articles and coversa number of payment services:

• Enabling cash deposits andwithdrawals

• Execution of credit transfers,standing orders and direct debits

• Payments through cards orsimilar devices

• Issuing of payment instruments• Money remittances• Payment initiation services• Account information services


Exemptions

Exclusion of specific payment instruments:• Cash payments (direct)• Cheques• Payments between PSPs for their own account• Payments between parent companies and subsidiaries, or between subsidiaries of

the same parent (no PSP involved)• Payments within a payment or securities settlement system between PSPs,

settlement agents, central counterparties, clearing houses and/or central banks, andothers

• Payments relating to securities asset servicing, including dividends, income or otherdistributions, or to redemption or sale, or payments by investment firms, creditinstitutions, collective investment undertakings or by asset management companiesand other entities having custody of financial instruments.


Sanctions

• PSD II requires MS to align their administrative sanctions, to ensurethat the appropriate administrative measures and sanctions are inplace for breaches of PSD II provisions and to ensure that thesesanctions are duly applied.

• MS are required to lay down effective, proportionate and dissuasivepenalties.

• Competent authorities will have the right to take appropriateadministrative measures and impose administrative sanctions where aPSP breaches duties imposed by the PSD II.

psd2 és az api gazdaság a bankszektorban psd2 event... · psd2 overview and impact szabó jános...

Documents