PSD2 and the API economy in the banking sector, PSD2 event... · PSD2 overview and impact, Szabó János...
TRANSCRIPT
© 2017 IBM Corporation
Threat or opportunity?
PSD2 and the API economy in the banking sector
Szabó János
Industry Solution Architect, +36 20 823 [email protected]
Rainer Pirker
Bluemix Sales Leader CEE
© 2017 IBM Corporation, 2017.03.03.
Agenda
08:30 – 09:00 Registration
09:00 – 09:15 Introduction
(Peter Rehus – Country Leader, IBM Hungary)
09:15 – 10:00 PSD2 Overview and impact
10:00 – 10:30 PSD2 Use cases and examples
10:30 – 10:50 Coffee break
10:50 – 11:15 Instant payment and real-time fraud detection
11:15 – 12:00 API Economy – new way to work for business
12:00 – 13:00 Lunch
Principles: Competition, Transparency, Innovation, Security
Background, Objectives & Principles for PSD2
• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers (including new entrants)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments
2014

What is Payments System Directive 2 (PSD2)?
1. Extension of scope: beyond EU and in the definition of “Payment Institution”.
2. Third-party payment initiation: allow users to initiate online payments directly from their bank accounts via third-party providers.
3. Third-party account access: aggregation of payment account information for users, who can get all of their transaction history and balances from one portal.
4. Prohibition of payment surcharges: standardization of surcharges on card-based transactions across EU.
5. Security and authentication: new security requirements for electronic payments and account access.

Timeline of PSD2
• European Commission creates proposal
• Parliament adopts proposal
• European Banking Authority specifies implementation guidelines [RTS]
• Member governments pass laws (compliance over 2 years)
• >18 month transition period
• RTS not in force despite compliance with PSD2
• Misalignment between RTS & compliance
• Security & Technical Standards
RTS = Regulatory Technical Standards
Changed in 27/02/2017

PSD2 abbreviations (there are too many TLAs)
[Diagram: Banks, Services, Providers, Customer]
• Account Information Service (AIS)
• Payment Initiation Service (PIS)
• Account Service Provider (ASP/ASPSP)
• Third Party Provider (TPP)
• Payment Initiation Service Provider (PISP)
• Account Information Service Provider (AISP)
• Access To Account (XS2A): APIs, Security

Scope of PSD2: Account Information Services (AIS)
[Diagram, Today vs PSD2: push based account info; real-time account info (request on demand). Account owner; ASP A, ASP B, ASP C; Account Information Service Provider (AISP)]
• Banks will be mandated to provide aspects of account information to 3rd party providers (TPPs) via APIs
• Account information service providers (AISPs) will not have full access to the account of the customer
• They will receive the information explicitly consented by the customer and only to the extent they are necessary for the service provided to the customer
• A dynamically generated code only valid for that specific transaction will have to be used in the authentication process

Scope of PSD2: Payment Initiation Services (PIS)
[Diagram, Today vs PSD2. Parties: Buyer; Buyer’s Bank; Merchant’s Bank; Merchant; Merchant processor (PSP); Payment Initiation Service Provider (PISP). Labels: 1. Purchase; 2. Payment request; 2. Payment Instruction; 3. Payment instruction; 4. Payment instruction (API); Credit transfer]
PISP = Payment Initiation Service Provider; ASP = Account Service Provider; PSP = Payment Service Provider
• Banks will be mandated to allow payments to be initiated from customer accounts by 3rd party providers (TPPs) via APIs, e.g. card providers; device providers; app providers
• Payment initiation service providers (PISPs) will not have full access to the account of the payer
• TPPs will only be able to receive information from the payer's bank on the availability of funds (a yes/no answer) on the account before initiating the payment (with the explicit consent of the payer)
• A dynamically generated code only valid for that specific transaction will have to be used in the authentication process

Process flow - TPP permission request
1. Support XS2A APIs + Security TPP API calls
2. Processing, registration and management of TPP permission request
3. Account owner approval (or reject) of permission via existing customer channel of ASP
[Sequence diagram. Participants: Customer; TPP; Account Service Provider (ASP) with XS2A API channel, XS2A admin and Customer Channel. Messages: Request to activate account for TPP service; NewPermission.rq; NewPermission.rs; Process TPP permission request; Confirm receipt TPP permission request; Request permission approval (by account owner); Response permission approval; Authentication + Permission approval; Response permission approval; UpdateStatusPermission.rq; UpdateStatusPermission.rs; Confirm TPP permission (email, SMS, ...); Confirmation that request has been issued to ASP]

Process flow - TPP permission request (token based)
1. Support XS2A APIs + Security TPP API calls
2. Account owner approval (or reject) of permission via existing customer channel of ASP
3. Generation TPP permission in the form of a signed token. Token is not stored
4. TPP stores token in order to include it in API request for concerning service and account
[Sequence diagram. Participants: Customer; TPP; ASP with API channel, XS2A Consent and Customer Channel. Messages: Request to activate account for TPP service; SubscribeService.rq; GenerateToken.rq; Redirect; Request for approval by account owner; Dialogue to request approval account owner; Generate token; GenerateToken.rs; SubscribeService.rs (+ token); Store token; Response activation account for TPP service]
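The token-based flow above, sketched as an added example (not code from the IBM deck): the ASP signs the approved permission, keeps no copy of it, and re-checks it on every XS2A call. The HMAC-SHA256 signature, the claim names (`jti`, `tpp`, `acct`, `svc`, `exp`), the demo key, the revocation set used for Permission Cancellation, and the idea that `caller_tpp_id` comes from the TPP's authenticated API channel are all assumptions, since the slide only says the permission is a signed token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: constructed demo key. A real ASP would keep it in an HSM or key vault.
ASP_SIGNING_KEY = b"constructed-demo-key"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload, key):
    return b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def generate_token(tpp_id, account, service, ttl_seconds, now=None, key=ASP_SIGNING_KEY):
    """Issue the permission after the account owner approved it (ASP side)."""
    now = int(time.time()) if now is None else now
    claims = {
        "jti": secrets.token_urlsafe(12),  # token id, only needed for cancellation
        "tpp": tpp_id,                     # the TPP the permission was granted to
        "acct": account,                   # the single account it covers
        "svc": service,                    # "AIS" or "PIS"
        "exp": now + ttl_seconds,
    }
    payload = b64e(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + sign(payload, key)


def read_claims(token, key=ASP_SIGNING_KEY):
    """Return the claims only if the signature verifies, otherwise None."""
    try:
        payload, sig = token.split(".")
        # Constant-time comparison, done before the payload is parsed.
        if not hmac.compare_digest(sig.encode(), sign(payload, key).encode()):
            return None
        return json.loads(b64d(payload))
    except ValueError:
        return None


def validate_request(token, caller_tpp_id, account, service,
                     revoked_ids=frozenset(), now=None, key=ASP_SIGNING_KEY):
    """Check a TPP API request against the token it presents. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    claims = read_claims(token, key)
    if claims is None:
        return False, "bad signature"
    if now >= claims["exp"]:
        return False, "expired"
    # The token itself is not stored, so cancellation needs a list of revoked ids.
    if claims["jti"] in revoked_ids:
        return False, "revoked"
    # A token copied from one TPP must not work for another caller.
    if claims["tpp"] != caller_tpp_id:
        return False, "issued to another TPP"
    if claims["acct"] != account or claims["svc"] != service:
        return False, "outside approved scope"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values.
    token = generate_token("TPP-001", "ACCT-CONSTRUCTED-0001", "AIS", 3600)
    print(validate_request(token, "TPP-001", "ACCT-CONSTRUCTED-0001", "AIS"))
    print(validate_request(token, "TPP-002", "ACCT-CONSTRUCTED-0001", "AIS"))
    print(validate_request(token, "TPP-001", "ACCT-CONSTRUCTED-0001", "PIS"))
```

Because the ASP holds no copy of the token, expiry and the revoked-id set are the only ways to end a permission early, so the lifetime should be short enough for the cancellation list to stay small.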

Scope of PSD2: In simplest terms
[Diagram, two panels: Account owner; Bank A; Bank Account (incl. Payments); Channel app, e.g. internet banking; XS2A; TPP]
TPP = Third Party Payment Provider; XS2A = Access to account

Impact of PSD2 on ASPs
Account Service Provider (ASP)
• Implementation of APIs to enable AIS and PIS access by TPPs
• Security of API requests by TPPs
• Register accounts for AIS and PIS services and permit TPPs
• Implement technical guidelines of EBA on secure authentication
• Apply information transparency rules to the customer
• Develop a strategy to limit the flow-out of customers to TPPs

What should banks be thinking about? …Strategically.
BANK
• PARTNER MANAGEMENT: What should my ecosystem look like? Who should I partner with & why? How will I manage the relationships? Why should others partner with me?
• IT FOUNDATION: Does my infrastructure allow me to embrace the API Economy? What are my technology choices & criteria for making the long-term choice?
• COMPLIANCE: Are my processes and operations ready for ensuring both legal (external) and operational (internal) conformance with standards?
• PRIVACY & SECURITY: How will I ensure data and transactions are secured, monitored & accurately reported?
• MONETIZATION: How can I benefit from a change in my business model? How can I convert my data assets into new revenue sources?
• CUSTOMER RELATIONS: Why does my customer need me and what must I do to keep the relationship intact? How can I increase my customers’ loyalty to my firm? How do I analyze my customer?

Impact of PSD2 on PSPs (in fact, the whole payments landscape)
Payment Service Providers (PSPs)
• Disappearance of ‘monopoly’ of account service provider
• More opportunities for non-banks (Third Party Providers) to provide new innovative services; more competition
• Opportunity for wallet service providers to top-up wallet instantly against low tariffs (instead of credit card)
• Provide retail payment services via more open credit transfer schemes instead of closed card schemes
• Fewer dependencies on banks as non-banks can also participate in payment systems (CSMs)

Implications of PSD2
[Diagram: Security; IT Infrastructure; Culture; Open Banking Ecosystem; Technology; Business]

Strategic PSD2 scenarios
API Scope: PSD2 only / Extended
Role TPP: Base TPP / Value adding TPP
Role ASP: Base ASP / Value adding ASP
Life can be predictable, so why not your banking? The more we learn about how you like to behave, the better we’ll get at keeping you one step ahead.

The Security Imperative
With so many strategic options and the evolution of business models, two things are certain: (1) the increasing volume and variety of transactions; (2) the expansion of pre-determined and new sources of transactions. None of these can have gaps in security and integrity. Opinions from all sides converge on the importance of security.
2016 ACCENTURE: As significant quantities of customer data begin to concentrate around the bank ecosystem, the monitoring and protection of this data becomes an increasingly core aspect of a bank’s operations and value proposition.
2015 DELOITTE: New controls and tools will likely be needed to protect unbounded potential use cases while providing end-to-end effectiveness—according to what may be formal commitments in contractual service-level agreements.
2014 McKINSEY: As a general goal, banks must integrate data instantaneously across disparate systems for immediate insights that increase choice and equip the customer to make smart, highly informed decisions—all while maintaining security and privacy.
PoV | ‘Mind the Gap’
[Diagram. What banks have to secure: ME, MONEY; Identity, Behavior; Assets, Transactions. How banks need to adapt: Essence of the CUSTOMER RELATIONSHIP; TRUST, PRIVACY]
• Base relationship • Expected & given • Undifferentiated • Utilitarian
• New & enhanced • Conditional • Differentiating • Dynamic
The GAP is the difference between a customer’s subjective expectations and the actual experience.

Overview APIs required for XS2A compliancy (indicative)
Permission Admin APIs
• New Permission (TPP -> ASP)
• Permission Adjustment (TPP -> ASP)
• Permission Cancellation (TPP -> ASP)
• Permission Status Update (ASP -> TPP)
Payment Initiation APIs
• Payment Transfer Instruction (TPP -> ASP)
• Payment Reservation Instruction (TPP -> ASP)
• Payment Cancellation (TPP -> ASP)
• Payment Status Update (ASP -> TPP)
Account Information APIs
• Get Account Balance (TPP -> ASP)
• Get Account Statement (TPP -> ASP)

Challenges with absence of API standards
[Diagram: End-users (consumers/businesses); TPPs (AISP/PISPs); ASPs; x00 – x,000 TPPs; x,000 ASPs]

Standardisation PSD2 APIs
No official pan-European initiative for standardisation PSD2 APIs
• Banks in UK have decided to create an Open Banking Standard to standardise bank APIs including the XS2A APIs
• CAPS: Initiative from several market participants to define common PSD2 standards
• Vendor initiated ‘open’ API initiatives, such as:
– Open Bank Project (Tesobe)
– Open Bank (Apigee/Google)

Scope of PSD2: Functional component overview
[Diagram, two panels. First panel: Account owner; Customer Channel; Accounts; Payments; Account info; Payment info; Accounting; Fraud Detection. Second panel adds: TPP; API Channel; XS2A Consent]
TPP = Third Party Provider; XS2A = Access to account

Key impact areas XS2A for ASPs
[Diagram with impact areas numbered 1 to 6: Account owner; Customer Channel; API Channel; TPP; XS2A Consent; Accounts; Payments; Account info; Payment info; Accounting; Fraud Detection]
• Implementation of XS2A APIs; security of APIs requested by TPP
• Approval by account owner for TPP access
• Real-time balance check/debit posting; 24x7 availability
• TPP permission management & validation
• Real-time payment processing (in particular debtor side), also for all cross-border payments; 24x7 availability
• Real-time fraud check; 24x7 availability
Different business models
[Diagram: CLEARING HOUSE; ASP; TPP; CUSTOMER; RETAILER]

Overview PSD2 related IBM offerings
[Diagram around PSD2: Infrastructure; Strategy; Innovation & Delivery; Security; Software & Accelerators; Industry Solutions]
• API Connect
• PSD2 accelerator APIs
• Industry models
• Payment Gateway + Wallet
• Financial Transaction Manager
• Safer Payments
• PSD2 Impact and Readiness Assessment
• Strategy Development
• Digital Thinking & Design
• MobileFirst and Apple + IBM
• Digital Integration Factory
• Architecture Development
• Cloud (IaaS, PaaS, SaaS)
• IBM Bluemix
• IBM Technology Labs
• Device Management & Security

Solutions
[Diagram: the functional components (Account owner; Customer Channel; API Channel; TPP; XS2A Consent; Accounts; Payments; Account info; Payment info; Accounting; Fraud Detection) with IBM products: IBM API Connect; IBM FTM; IBM Safer Payments; Shadow Accounts]

Do you remember them?
This is where they are nowadays

YES BANK: Building an API ecosystem to enhance service and expand market reach
Headquartered in the Lower Parel Innovation District of Mumbai, YES BANK is the fifth largest private sector bank in India, with over 18,000 employees across the country’s 29 states and 7 union territories. As of September 30, 2016 the bank operates more than 900 branches and 1700 ATMs nationwide.
Business challenge: YES BANK sought to differentiate its brand and its products in the face of growing competition and the Indian customers’ growing demand for anytime-anywhere banking capabilities.
Transformation: The bank leverages IBM API Management software to create a framework for its own business ecosystem and drive its digital strategy, securely and transparently connecting customers with merchants via YES BANK APIs.
Solution components
• IBM API Management software
• IBM® DataPower® Gateway
• IBM Integration Bus software
• IBM Mobile First software
Business benefits
• Extends market reach by exposing services to millions of India’s unbanked population on mobile devices
• Exposes core business data and services securely to multiple strategic partners through APIs
• Reduces time required to add new strategic partners and exploit emerging revenue generating channels
“In the API economy, any company is free to create customized, secure ecosystems that optimize the value of their services and data.”
—Anup Purohit, Chief Information Officer, YES BANK
BXP03021-USEN-00

Rabobank | APIs for rapid innovation
Food & agriculture financing; retail bank. Founded 1972, Netherlands. Worldwide 1000 locations. €13 billion revenues. 2.5 million Dutch customers.
Strategic Intent
To respond to changing market conditions, competition and the coming regulatory environment, Rabobank decided to launch into the API Economy and renew its value proposition to a new generation of bankers.
Needs & Solution
• An API solution to expose existing and new business services.
• Prepare for PSD2 regulations and a rapid innovation platform to meet changing requirements.
• Create a model to supply business services to trusted partners.
Why IBM
• IBM’s guidance and implementation skills for security, API Connect, and technicalities.
• Options for implementing API management for core business functions and on Bluemix to further innovation, rapid development, and hackathons.

Citibank Worldwide | Prime and first mover
Full service. Founded 1812, New York City. 220,000 group employees. Worldwide operations. $69.87 billion group revenues. >100 million consumers.
Strategic Intent
Soon after the financial crisis of 2008, Citibank saw an opportunity to become a ‘digital’ bank in the persona of a fintech. Citi pioneered a strategic move into mobile banking, then into adopting APIs, and inviting external developers to contribute to its digital strategy. Citi chose to drive innovation through APIs and therefore is better prepared than most to comply with regulations and meet expectations.
Needs & Solution
• Expose APIs to consumers and business partners to simplify digital interaction with the bank.
• Provide credit/debit card capabilities in a mobile phone.
• Create customer loyalty programs for partners and consumers.
• Link transactional data with key partner promotions (with location based offers).
• Expand mobile banking services including account look-up, transfer funds, bill payment.
Why IBM
• Citi was an early customer of IBM API Management and has graduated to API Connect, showing its confidence of, and dependence on IBM’s API vision and product roadmap.
• As a DataPower user, it was easy for Citi to decide on another IBM solution that built on and extended the value of DataPower.
• IBM’s solution met Citi’s need to scale and securely manage up to thousands of transactions per second.

Societe Generale | Engaging creative developers
International retail, corporate, investment banking. Founded 1864, Paris. 146,000 employees. €25.6 billion revenues. 31 million customers.
Strategic Intent
Execute a comprehensive API strategy for internal and external developers. Fence an ecosystem of developers and APIs which already generate over 250 million API calls per day across 80 APIs for mobile and web retail banking.
Needs & Solution
• Link current APIs for the bank’s Open Banking Initiative with PSD2 directives.
• The bank continues to nurture and expand their B2B affiliations using micro-services with accompanying requirements for security and transaction integrity.
• Validate OAuth2 protocols using DataPower and external token generators.
• API solution for full life-cycle creation and management of APIs.
Why IBM
• Societe Generale needed an enterprise grade solution which could be rolled out beyond the retail division.
• Successful PoC with DataPower to meet critical security requirements.
• Long time user of DataPower as a secure gateway, extended to the API use cases.

PSD2 Use Cases – Retail payments
Payment becomes integrated part of digital shopping experience
• Continuous digital interaction with customer
• Customer specific promotions and offerings
• Stronger customer intimacy through loyalty points
• Payment seamlessly integrated in customer buying experience
• Omni channel experience: Online, Store, App
PSD2 Use Cases – Retail payments
• Mobile ordering (avoid queueing)
• Pay with phone
• Earn and spend loyalty points (stars)
PSD2 Use Cases – Retail payments
Battle of Digital Touchpoint
Video: New York Times - How China Is Changing Your Internet (http://nyti.ms/2b4n4ew)

Key challenges of Instant Payments for Banks
Functional (application) related
Real-time processing is fundamentally different from batch processing that is still applied by many legacy systems within banks. As a result, existing systems need to be modernized / replaced.
The following bank applications/systems are most impacted by this real-time aspect:
• Channels and order management applications
• Payment (engine) application
• Fraud screening application
• Current account application
IP processing needs a different approach from the one used for the SEPA compliancy modernization.
Non-functional related
Instant payments have much higher non-functional requirements in comparison with traditional batch-based (SEPA) payments processing:
• Latency (< 2 seconds)
• 24/7 availability
• Absence of maintenance windows
• Scalability (unpredictable peaks with high volatility)
• Fail-over and resilience
• Transactional integrity (commitment points)
Many legacy bank applications cannot meet these requirements and have fundamental shortcomings that stand in the way of adjusting them.
[Diagram labels: These are the same (nothing has changed); Going to real-time]

Instant payments implies high non-functional requirements
Note: The draft EPC SCT Inst rulebook proposes an end-to-end latency of 10 seconds. Individual countries may apply stricter timelines for domestic instant payments.
Key non-functional requirements
• 24x7x365 availability
• Continuation of service during maintenance windows and upgrades
• Low latency with payment timeout if exceeded
• High peaks in volumes expected (more than cards): up- and downwards scalability
• Support of multiple service levels (= latency) (Netherlands and possibly other countries will follow)
[Timing diagram. Parties: Originator; Debtor PSP; CSM; Creditor PSP. Stages: Originate payment; Debit side processing; Interbank processing; Credit side processing; Interbank processing; Confirmation processing; Receive confirmation. Stage timings shown: 3 sec, 1 sec, 2 sec, 1 sec, 1 sec, 0.5 sec, 0.5 sec, 0.5 sec, 0.5 sec; 10 sec between start and end of the timed service]

Sample process flow in FTM (outbound instant payments transfer)
[Diagram. IBM Financial Transaction Manager layers: Integration Layer; Payment Business Services; Process Manager; Data Repository (configurations, master data, files/messages, payments/transactions, activity log, reports, …). External parties: Customer; Customer Channel; Account Mgnt.; Fraud scan; CSM. Legend: exception process flow; db = registration/update data in repository]
1. Receipt payment instruction from customer channel
2. Determine process flow
3. Start process flow
4. Mapping into internal format
5. Validation of payment, registration in repository and start of execution process
6. Fraud check (performed by external system)
7. Check disposition and reserve funds
8. Determine clearing & settlement mechanism (CSM)
9. Submission payment to CSM
10. Process response from CSM
11. Update status in repository
12. Generate and post accounting entries
13. Submit notifications to debtor
14. End process flow

FTM’s agility makes it applicable for multiple areas in bank’s payment domain
• Simplification (fewer applications and interfaces)
• Less duplication of data and functionality
• Easier to integrate and deploy
• Re-use of (service) interfaces (APIs)
• End-to-end visibility and control
Business value
• Better omni-channel customer experience
• Higher quality of service
• Faster time to market
• Lower IT TCO (change and run)
• Improved operational efficiency

Overview FTM architecture with Instant Payments module
• FTM Payment Modules: SEPA; Instant Payments; Corporate Payments; ACH; Checks; Swift; Order Management; …
• FTM Configurations: Process Flows; Business Rules (If … then … else …); Data Transformations; Dash Boards; Reports & BI; Interfaces; Parameters; Master Data
• FTM Base: Process/State Manager; Data Repository; End User Console (UI); Integration Layer; Parameterisation framework; Dash Board templates; Operational Data Store; Reporting templates
• Technology Foundation (Technical Components): WS Integration Bus; WS Transformation Extender; WS Business Activity Monitor; DB2 (or Oracle); WS Application Server; Cognos; Rational Software Architect; WS MQ

Unique differentiator of FTM: Best-of-both-worlds
Out-of-the box functionality of FTM
• UIs (configuration, track & trace, exception handling, …)
• Data repository (master data and transactional data)
• Process flows
• Data transformations (mappers)
• Business rules (e.g. validations)
• Dash boards
• Integration
• Reports
FTM Instant Payments offers functional richness and completeness of package solution… while at the same time keeping the flexibility and openness of a build solution with no vendor lock-in.
Source: Gartner’s Buy-Assemble-Build continuum for payment system modernisation (Gartner, September 2013)

IBM Payment and FTM References
IBM payments solutions are being deployed worldwide for payments initiatives at industry-leading FI’s
• Executing 40% of the UK’s credit transfers at a single bank
• Processing of instant payments for UK Faster Payments as well as Singapore G3/FAST payment scheme
• Processing over 25% of the worldwide SWIFT volume
• Proven scalability to over 4,000 transactions per second
• FTM products process over 1.2 billion transactions per month
• FTM is currently implemented at Federal Reserve Bank in US to process 50% of credit transfers in US with peak of 100 million payments in one day (in production by 2018)
• FTM is currently implemented by two European CSMs for the intra-bank processing and settlement of SCT Inst

Overview IBM Safer Payments
• Comprehensive fraud management solution (analyse, define, detect, exception, report)
• On average 17% better fraud detection rates and 3 times less false positives
• Acceleration of implementation time-lines
• One intuitive UI for all users and activities
• Unmatched throughput with ultra low latency (12,000 trx/sec with 2 milliseconds latency)
• Meets highest non-functional requirements (availability, performance, latency, resilience)
• No limitations in terms of supported data sources
• Makes use of Cognitive technology to generate detection rules from production data analysis
• PCI-DSS compliant
• Supports all types of ‘multi-features’ (entities, currencies, languages, time-zones, …)

Cognitive model generation
[Diagram: Statistical Analysis; Modelling; Rules]
Reference case: Carte Bancaire / STET
4,000 TRANSACTIONS PER SECOND

How PSD2 is served by APIc
[Diagram: Create; Run; Manage; Secure]
• TPP Self Service developer portal
• XS2A API Creation
• XS2A API Security
• XS2A API Lifecycle Management
• XS2A API Analytics
• Hybrid Deployment model for maximum scalability
• Full lifecycle API management
• Optional solutions for security, integration and platform services

Banks will need APIs to support third party providers
What banks, acting as ASPs, must do to be compliant with PSD2. IBM’s sample list of APIs per current EBA guidelines. The list will expand as more EBA rules are announced.
Transaction Flow Representation under PSD2
[Diagram. Parties: Buyer; Buyer ASP; CSM; Merchant ASP; Merchant; Merchant processor (PSP); Payment Gateway; TP PISP (+ wallet SP). Labels: 1. Purchase; 2. Payment request; 3. Payment instruction; 4. Payment instruction (API); 4. Account statement; 5. FI2FI transfer; 6. FI2FI transfer; Credit transfer]
PISP = Payment Initiation Service Provider; ASP = Account Service Provider; PSP = Payment Service Provider; TPP = Third Party Provider
Service subscription APIs
• New Subscription (TPP -> ASP)
• Subscription Adjustment (TPP -> ASP)
• Subscription Cancellation (TPP -> ASP)
• Subscription Status Update (ASP -> TPP)
Payment Initiation APIs
• Payment Transfer Instruction (TPP -> ASP)
• Payment Reservation Instruction (TPP -> ASP)
• Payment Cancellation (TPP -> ASP)
• Payment Status Update (ASP -> TPP)
Account Information APIs
• Get Account Balance (TPP -> ASP)
• Get Account Statement (TPP -> ASP)
• Account Statement Report (ASP -> TPP)

The place of API Connect
[Diagram: the functional components (Account owner; Customer Channel; API Channel; TPP; XS2A Consent; Accounts; Payments; Account info; Payment info; Accounting; Fraud Detection) with IBM API Connect]
DEMO

API Connect: Topology Component View
[Diagram. Numbered components: 1 Developer Portal; 2 API Management Node; 3 API Gateway (DataPower/MicroGW); 4 Developer Toolkit; 5 Collective Controller; 6 Microservices App Computer Runtime (Node.js/Java). Traffic: API Traffic; Microservices Traffic. Back ends: z System / Legacy Apps; Cloud Service; Application Server; ESB / Middleware; Data Store. Consumers: Business Partner Apps; Mobile & Web Apps; Enterprise Internal Apps; Internet of Things. Developers: External App Developer; Internal App Developer; Partner App Developer]
IBM API Connect: Capabilities
• API discovery
• API, Plan & Product policy creation
• API, Plan & Product lifecycle mgmt.
• Self-service, customizable, developer portal
• Advanced Analytics
• Subscription & community mgmt.

• Policy enforcement
• Enterprise security
• Quota management & rate limiting
• Content-based routing
• Response caching, load-balancing and offload processing
• Message format & transport protocol mediation

• Rapid model-driven API creation
• Datasource to API mapping automation
• Standards-based visual API spec creation in Swagger 2.0
• Local API creation and testing
• On-cloud & on-premises staging of APIs, Plans & Products

• Node.js & Java Microservice runtime
• Node.js & Java integrated runtime management
• Enterprise HA & scaling
• On-cloud & on-premises staging of Microservice applications

Create, Run, Manage, Secure
What the experts are saying | Forrester, 4Q2016
API MANAGEMENT SOLUTIONS
• In 3Q2014, IBM was rated as a ‘Strong Performer’ with an acknowledged speed to enhance its solution capabilities.
• Until 2016, IBM had been behind leaders like Apigee, CA Technologies, and Akana.
• The inflection point in 4Q2016 is accompanied by a market presence that dominates all competitors and a strong roster of customer logos across industries and geographies.
• Today, among its competitors IBM ranks:
  #1 Current Offering
  #1 Strategy
  #1 Market Presence
• Forrester would like to see improvements in API product definition and analytics.
• IBM is one of the leaders in portal richness, API product management, and API Economy vision.
What the experts are saying | Gartner, December 2016
FULL LIFECYCLE API MANAGEMENT
• IBM has an established and powerful market position, with worldwide support capabilities, diversified geographical strategies across all industries.
• API Connect’s embedded micro-gateway along with the stand-alone secure gateway gives customers implementation choices across all use cases, user types, and deployment instances.
• According to a May 2016 analysis by Gartner, IBM has more licensing options than its competitors.
• Gartner suggests that IBM’s wide portfolio of software offerings may add to cost and complexity of integrations. [PoV - This is neither reasonable nor logical: backwards and forwards integration is required with any mix of vendor applications. Second, while IBM software is mostly SOA-style decoupled, integrating with IBM software is easier due to open standards, adapters, protocols, and development methods. Third, cost and complexity are predicated on scope and customer strategies should play out over time.]
What the experts are saying | IDC & Ovum 2016
IDC | September 2016
• IBM growing 1.6x faster than the market
• IBM is #2 in market share, just 0.3% away from top spot
• IBM growing 1.7x faster than leading vendor
• IBM growing 3.5x faster than next closest vendor

OVUM | April 2016 for 2016-2017 outlook
• IBM’s compelling end-to-end API management capabilities
• IBM’s simple extension of integration capabilities for a range of use cases
• Only few vendors (like IBM) can provide an extensive set of capabilities for supporting digital business initiatives
IBM Integration Bus: Satisfying PSD2 Requirements
IIB is designed to integrate both with API Connect and z/OS Connect, giving clients the flexibility and choice to expose REST APIs for PSD2.

[Diagram. Central components: IBM Integration Bus, API Connect, IBM DataPower Gateway (in the DMZ), z/OS Connect.
Connected systems: SaaS Endpoints, Apps, Data, Process, Packages (SAP, PeopleSoft), Adapter, Legacy File, External Services, Partners, External Developer communities, Internal developers, z Systems (CICS / IMS / z/Native).
Protocols shown on the connections: REST/HTTP, SOAP/HTTP, ODBC/JDBC, MQ / JMS, MQ, File, MQLight/AMQP.]
IBM Bluemix: Integrating Banking into the Cloud ecosystem
IBM API Connect
Console to enforce runtime policies, monitor & control API traffic
Existing Bank SOA services
Apps/Services in Java, NET, Cobol, etc.
Digital Systems
Next Gen App
Cloud-native digital extensions
PSD2 / XS2A
Third party APIs (Fintechs)
Approaches to opening APIs to ecosystem
Private API
• Accessible within the bank, limited to one’s organization (scoped to LoB or enterprise)

Partner API
• Based on bilateral agreements (e.g. B2B)

Member API
• Available to community members (e.g. a registered third party provider can use PSD2 account information and payment initiation APIs)

Acquaintance API
• Open to everyone complying with a set of pre-defined reqts (e.g. Retailer POS APIs)

Public API
• Open to everyone, typically with basic registration (e.g. branch, ATM locator, product information, interest rates)
The Business of APIs
API Monetization: Understanding Business Model Options

For Free
• Drives Adoptions of APIs
• Typically low valued assets
• Drive brand loyalty
• Enter new channels
• Gaining reach
• Example: Facebook Login API provides free authentication for any Web / mobile app

Developer Pays
• Business Asset must be of high value to the Developer
• For example, marketing analytics, news
• Capabilities such as credit checks
• Example: IBM Bluemix Developer Cloud – No cost trials, pay per use, scale up and down

Transactional
• Usage of API generates revenue on a per transaction or transaction tiers model
• Often a freemium model: free at low volumes, with paid tiers beyond a threshold, or Premium quality of service
• Example: Google AdSense APIs pay developers who include advertising content into apps

Product sell
• The monetization model is dependent on the sale of the products and services to the consumer
• The revenue is generated by fixed fees
• Example: Airbnb charges for occupied inventory, duration of a stay and services availed during the stay
Introduction of APIs as standard-interfaces
– Self Maintenance and -documentation
– IBM DataPower Gateway acts as “First line of defence” and API Gateway
– API Connect is used as standard Development Platform for APIs
– The multi-tenant API Portals make onboarding of internal/external/Partner Developers easy and fast

Ratnakar Bank (RBL Bank)
https://developer.rblbank.com/
RBL Bank – architecture
https://developer.citi.com/
Citi Developer Hub
BBVA
https://www.bbvaapimarket.com/web/api_market/products#bbva-products
http://www.xignite.com/products
API – how Bank can use it
• Mobile Backend
• Clients Ecosystem
• Content Distribution
• Partners Ecosystem
• Internal Innovation
• API as a business
• Transactions Distribution
Article 97 - Authentication
Article 5.
Member States shall ensure that the account servicing payment service provider allows the payment initiation
service provider and the account information service provider to rely on the authentication procedures provided
by the account servicing payment service provider to the payment service user in accordance with paragraphs 1
and 3 and, where the payment initiation service provider is involved, in accordance with paragraphs 1, 2 and 3.
Scope of Application
The subject matter deals with providing the legal foundation for the creation of an EU/EEA wide single market for payments.

Directive covers the following categories of payment service providers (“PSPs”):
• Credit institutions
• E-Money and payment institutions
• Post office giro institutions
• European Central Bank (ECB) and national central banks

PSD II is applicable to:
• Transactions where at least one of the payment service providers is located inside the EU/EEA
• Transactions in all official currencies, including non-EU currencies

PSD II contains 117 Articles and covers a number of payment services:
• Enabling cash deposits and withdrawals
• Execution of credit transfers, standing orders and direct debits
• Payments through cards or similar devices
• Issuing of payment instruments
• Money remittances
• Payment initiation services
• Account information services
Exemptions
Exclusion of specific payment instruments:
• Cash payments (direct)
• Cheques
• Payments between PSPs for their own account
• Payments between parent companies and subsidiaries, or between subsidiaries of the same parent (no PSP involved)
• Payments within a payment or securities settlement system between PSPs, settlement agents, central counterparties, clearing houses and/or central banks, and others
• Payments relating to securities asset servicing, including dividends, income or other distributions, or to redemption or sale, or payments by investment firms, credit institutions, collective investment undertakings or by asset management companies and other entities having custody of financial instruments.
Sanctions
• PSD II requires MS to align their administrative sanctions, to ensure that the appropriate administrative measures and sanctions are in place for breaches of PSD II provisions and to ensure that these sanctions are duly applied.
• MS are required to lay down effective, proportionate and dissuasive penalties.
• Competent authorities will have the right to take appropriate administrative measures and impose administrative sanctions where a PSP breaches duties imposed by the PSD II.