Updates from July, 2018

  • Posted 10:23 pm on July 4, 2018

    Blockchain: the disruptive technology that will make financial markets more efficient – Or maybe not 

    A lot gets published on a daily basis about the seemingly awesome, game-changing possibilities of blockchain and other distributed ledger technologies (“DLT”) applied to smart contracts, optimising payment systems and other aspects of the financial markets. A growing number of financial entities are seriously investing in it, and we keep reading and hearing that this is the future of financial markets.

    The message for financial entities being: get in the game now or risk irrelevance tomorrow.

    So what are these distributed ledger technologies all about, and are they all they’re cracked up to be? DLT, in its various flavours, is the technology behind bitcoin and every other cryptocurrency. The blocks necessary to put together the puzzle to complete a transaction are distributed across a decentralised computer network of users, and DLT’s main selling point is that it’s self-authenticating and very difficult to tamper with.

    Around 2016, financial entities started to get very excited about DLT because they figured that it could be applied to efficiently and quickly settle payments and securities transactions, and even to develop smart contracts: algorithm-based programmes that use DLT to automatically detect when a party performs its obligations or fails to do so, and trigger payments or penalties accordingly. It’s easy to see why financial entities get so excited about DLT: it can significantly cut down the time required to settle transactions (a process that normally takes two or three days for securities), and automate verification procedures which are currently carried out manually.

    Ever since that epiphany, financial entities’ investment in DLT has grown dramatically, whilst the rest of us wait with bated breath in anticipation of a brave new financial world any day now – only that it might not happen just yet.
    The fact of the matter is that DLT was developed for the purpose of sustaining cryptocurrencies (and smart contracts, in the case of Ethereum), and it works well in that application. But just because DLT fits the bill for cryptocurrencies, does that mean that it will also do a good job when applied to the financial market infrastructures?
    A few days ago, the Dutch Central Bank published a report with its conclusions on a series of blockchain trials conducted over the past three years to assess the actual usefulness of DLT in realistic financial market infrastructure scenarios. These trials are particularly insightful for a number of reasons:

    • they were conducted by a central bank, which means that the focus was not on commercial gain but on whether this technology is actually fit for transaction settlement purposes from a systemic point of view;
    • they were conducted over a three-year period;
    • during which four different DLT prototypes were tested in different scenarios, all of which conveys the idea that this testing exercise was thorough and reliable.

    When it comes to financial markets infrastructures, there are strict requirements in terms of authorisation, availability, capacity, costs, efficiency, legal certainty, reliability, scalability, security, sustainability and resilience, and each of them is a deal breaker. Current interbank payment systems, such as Target2 in the Eurosystem, meet all of the above requirements and, in the words of the Dutch Central Bank “are highly efficient, can handle large volumes and offer the legal certainty that a payment is completed.” It follows that any new technology must at the very least tick all boxes, and additionally show distinct advantages, if it is to replace existing systems.

    So did DLT live up to the hype? Not quite, it seems. Again, quoting the Dutch Central Bank: “The blockchain solutions we tested proved to be inefficient – in terms of both costs and energy consumption – and unable to handle large numbers of transactions. Furthermore, several consensus algorithms we used will never achieve the full certainty of a transaction, so that it cannot be undone, which the central banks' Target2 system offers. Other algorithms are able to withstand parties with malicious intent and have the potential of raising the [financial market infrastructures’] cyber resilience, but they currently fail to meet other [financial market infrastructures] requirements. DLT may well offer enhanced efficiency in payments that involve multiple currencies, however”.

    What does this all mean? It means that, though “the blockchain technology underlying bitcoin is interesting and promising, and future algorithms may well offer improved compliance with [financial market infrastructures] requirements”, in its current form DLT does not seem to cut the mustard.
    Undeniably, DLT is an exciting technology and, in some form yet to be developed, it might be just the ticket to improve the efficiency of financial settlement systems. Just don’t expect that to happen next week.

    Adolfo Pando-Molina is CEO & General Counsel of RegBot®


  • Posted 7:16 am on June 1, 2018
    Tags: archiving, mike pagani, smarsh

    New frontiers of RegTech archiving: interview with Mike Pagani of Smarsh 

    Fintechna caught up with Mike Pagani, Director of Product Marketing and Chief Evangelist, Smarsh at this year’s Global Summit. Mike delivered a session on delivering superior enterprise information and support. In our interview we highlight some of his insights and reflections from the summit.


    • Fintechna: In what ways would you say organisations are responding to the growth of collaboration tools?

    Mike: The adoption and use of collaboration tools like Slack, Microsoft Teams, Workplace by Facebook, Symphony and others within the Financial Services industry is happening very quickly, because of the productivity and efficiency they provide employees with compared to email. However, the adoption of these new platforms and tools was not one that IT had planned for and is very much in response to satisfy and catch up with user demands. Rather than being ahead of the curve, most organisations are now suddenly realizing that their people are using these new platforms and tools more and more and must implement archiving and supervision systems as quickly as possible, to make them compliant as an approved means of business-related communications. Whether internal or external communications, all business-related messages must be governed the same way as email, regardless of the form they take and the chosen channel.


    • Fintechna: What are the key capabilities you think an organization’s archiving solution should provide it with?

    Mike: In our view it all boils down to 3 key capabilities. It should allow a Financial Services organization to automate the direct “capture” of all of its business-related communications from the source, regardless of the type and channel being used by its workforce, and retain it in a way that does not materially alter the messages, so original context is preserved for later search, insights and to be used for legal and regulatory responses. It should also provide an organization with the ability to configure the system and fine tune it so it “reveals” the riskiest and most potentially problematic messages to them as they are captured, so the organization can take appropriate action to mitigate compliance and legal risk. And lastly, the solution should enable the organization to “respond” to regulatory requests and legal events in a quick and efficient manner, with granular search capabilities to retrieve very specific information from within the archive and then package them up, so they can be used as part of a regulatory examination or legal defense, knowing that time is of the essence when responding.


    • Fintechna: How are leading financial institutions coping after MiFID II and in what areas do they need help?

    Mike: Most financial institutions saw MiFID II approaching and took swift action to establish the correct set of policies to meet compliance requirements. However, many are still in the midst of searching for and adopting the right automated systems to enforce those policies in an effective and efficient manner (such as comprehensive archiving platforms with active supervision and compliance capabilities), versus adding more and more people to compliance and legal functions to meet the new demands.

    • Fintechna: How important is it for a business to actively supervise business communications? 

    Mike: Actively supervising business communications is extremely important. Not only to discover potential compliance violations and take appropriate action on them to meet regulatory requirements, but to also spot messages and ongoing activities by its people that could cause legal, reputational and brand damage as well.

    • Fintechna: Do you have a key takeaway from this year’s Global Reg Tech Summit on the importance of social media?

    Mike: I do… Financial Services firms of all types and sizes are being forced to embrace social media in a much bigger way moving forward to adapt to significant changes taking place within the age demographics of the clients they are serving and trying to attract, as well as their own workforce. For example, millennials will favor doing business with firms that are socially active and allow them to get the information and resources they care about via the social channels they already know and like to use. For example, using Instagram for a marketing campaign targeted at younger, early in career investors is something we are seeing a lot more of these days. The days of compliance professionals simply saying no to the use of these new channels are over and they are instead now saying yes to compete and stay relevant, but also stressing the importance of having the right systems in place to make sure that the communications over these new social channels and the resulting interaction stays compliant in the process. The good news is that technology like comprehensive archive platforms with active compliance capabilities has now evolved to the point where it is quick, easy and cost effective to implement a solution that enables organizations to get all the benefits of social media and other new channels while maintaining compliance and mitigating the new risks that they introduce when compared to older channels like email.


    Mike Pagani is Senior Director of Product Marketing and Chief Evangelist at Smarsh. With more than 25 years’ experience working with new and emerging technologies, he is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security, virtualization and information archiving. In his current role, Mike is a frequent industry event speaker, and contributes regularly to trade publications and online media outlets. Prior to joining Smarsh in November 2014, he held senior technology evangelist positions with Dell Software, Quest Software and NComputing.


  • Posted 7:17 am on May 18, 2017
    Tags: kyc, risk burden

    Effectively dealing with regulatory and risk burden in the financial services industry 


    It is no surprise that with ever more stringent legislation, especially in the realm of anti-money laundering and beyond, all-too-often one-size-fits-all policies and regulations are stifling growth and exponentially increasing the onus on business across sectors and industries, but ever more so in the financial services provision industry.

    Regulatory burden is regularly cited as the main problem area for and financial services providers across both sides of the Atlantic, and beyond, with 3 of the top 5 reasons all being directly interlinked with the shifting up of gears by regulatory bodies, namely , transaction monitoring and the ensuing reporting requirements.

    Equally unsurprisingly, this situation has two direct and immediate effects in the banking world: a) the gradual and relentless disappearance of community banks and smaller banking operations, with over 25% of all outfits with capitalisation of less than 100 million USD disappearing over the course of the past 20 years as reported by the American Banking Association, and b) regardless of size, the increased aversion to risk by financial services providers across the board.

    While the former can be partially explained away through mitigating factors such as conglomerate mergers and turbulent market conditions over the past two decades, the latter is a consequence of the continued inability to effectively adapt and comply efficiently with legislative requirements, the demands posed by which are hardly going to be alleviated and will only see thresholds lower and the net widening.

    As clearly shown by the findings of the 2016 Thomson Reuters survey, the average cost for KYC and CDD compliance by financial firms is approx. 60 million USD, shooting up to 9 times that in a number of cases. The industry’s response to the increased demands posed is an almost disingenuously simple one: throw more resources and money at the problem and pray it sorts itself out.

    In reality, the opposite has been found to be true: onboarding times are on a steady increase, estimated to take 50% longer in 2017 than they did in 2015, with customers’ responses directly contradicting the banks’ belief that correct, timely and full ongoing information was being provided (hence putting into question the veracity and therefore validity of the exercise itself).

    Struggling to keep up with requirements at onboarding stage, it is even more worrying to note that financial services providers of all sizes and types are further unable to keep abreast, efficiently or otherwise, with the ongoing vetting and risk assessment due on past approved applicants.

    As a consequence, the industry’s inability to keep up and to manage the additional impositions has seen the appetite for exposure being directly impacted, with all the snowball effects that this has on bottom lines, the economy and the future.

    Effectively, financial service operators are increasingly becoming more akin to information warehouses, and no amount of increased human resource spend will ever be sufficient to manage the volumes of data requiring processing. The increased reliance (if not total dependence) on ever growing specialised risk and fraud teams has created an inevitable bottleneck and a false sense of security that an acceptable minimum is slipping through the cracks, when the facts and figures spell otherwise.

    While financial providers are having to allocate a growing percentage of their non-interest expenses (estimated by the Federal Reserve to be around 9% in most cases, down to around 3% for outfits with asset valuations between 1-10 billion USD) to cover specialist resource costs, make up for losses incurred through miscalculated risk and fines levied for regulatory non-compliance, facts and figures squarely point that the situation is entirely untenable.

    The latest developments in the FinTech and RegTech universe however offer a clear and cost-effective solution that allows for specialised efforts to be refocused, automating a huge portion of both the new customer onboarding process as well as the maintenance and ongoing assessment of client portfolios, enabling risk and fraud efforts to be redirected where it really matters – the upper percentage of customer accounts that are to be considered of medium-high risk.

    In a world full of customer onboarding tools, data analysis software and customer screening services, the Aqubix KYC Portal stands out squarely by uniquely providing a fully tailored and customised platform through which true automation can be achieved. KYC Portal simplifies and delivers efficiency gains across the entire process, from the initial acquisition of customers through to the automatic determination of the exposure posed according to the currently prevailing risk appetite internal to the organisation or department, the full KYC and AML compliance, irrespective of the operation’s jurisdictional requirements, and the fully automated ongoing assessment of all clients.

    Connecting independently and seamlessly to any third-party service providers of choice (be they screening services, document verification providers, external data warehouses etc) and internal data sources alike, KYC Portal opens up a previously untapped realm of data management and analysis opportunities that directly impacts operational efficiencies (with improvements of over 60%, by the most conservative of estimates) through the significantly reduced time frames required to onboard new clients, the drastic reduction of touch points during the process and the delegation of the initial data collection away from the specialised risk and fraud core.

    Through a trigger and alert notification system, KYC Portal effectively sifts through new customers and automatically (based on predefined parameters reflecting the organisational procedures and practices) segments applicants based on their risk value, removing the need for intervention on the low risk ones or those beyond acceptable risk thresholds. In this manner specialist attention is refocused exclusively where it is needed – the high value but equally higher risk accounts.

    Even at extended due diligence stages, KYC Portal offers a plethora of unique tools easing, speeding up and further securing the process, not least amongst which are the in-built, plug-in free face-to-face video interview recording and storage, facial recognition and customer overview dashboard tools, ensuring that human bias and limitations are totally done away with at all points in the process.

    Following onboarding, KYC Portal automatically queries all existing customer records on a continuous basis, against any number and type of external and internal data sources, to ensure that any changes in status and background of all accounts is immediately flagged and notified to the correct personnel, as are any changes in documentary validity and requirements.

    Operating on a highly notification logic, KYC Portal’s infinite customisability not only ensures that no single trigger goes unalerted, but equally that no resources are wasted on unnecessary investigations and account queries.

    Building on an infinitely scalable and modular architecture, and married to a pure risk-based logic set, KYC Portal offers a plethora of additional modules which include transaction monitoring and assessment, with automatic notifications occurring in real-time whenever preset rules and ranges are triggered on an individual basis.

    KYC Portal will be presented this June, 7th and 8th at the Harnessing FinTech Innovation in Retail Banking conference in London, where Aqubix are the event’s Lead Partner and main exhibitors. Aqubix CEO Kristoff Zammit Ciantar’s keynote speech “Automating compliance – the problem, the solution, the innovation” will open the 2-day event, where Aqubix will also be hosting 2 round tables on the operational impact of the innovation and potential offered by KYC Portal.

    Kristoff Zammit Ciantar is CEO of Aqubix and the author of this article

    For further information ahead of the event, or to discover how KYC Portal can help solve your organisation’s Compliance, AML and Risk problems, contact Adrian Darmanin, Chief Commercial Officer on [email protected].

  • Posted 10:00 am on February 6, 2017

    Will the API Economy breed a Credit Card/ACH hybrid after PSD2? 


    PSD2 is creating a new distinct species for retail digital payments in the EU. Shared by account servicing and third party payment initiators, there will be a customer-triggered Credit Transfer for transferring funds from a customer’s account to that of the Merchant providing the goods or services. Upon receipt of payment, the merchant ships the goods/releases the service. By relying on bank security, this method of payment is hard for fraudsters to replay elsewhere, the speed is moving to “immediate,” and there is an irrevocable payment to the merchant. Unlike a credit card, the method does not offer any repudiation mechanism and does not facilitate reversals or refunds. This new species will only live in the EU. Much of the underpinnings for PSD2 comes from the SEPA elements of the Economic and Monetary Union project in the EU.

    This newly bred species faces entrenched competition from a dominant older Card species that has ruled the consumer payments Savannah globally for over 50 years. The DNA of this species is from the US. There are US firms in leading positions globally in the main elements of the payment card value chain. US-born VISA and Mastercard as Card Schemes are effectively the franchisors of the card payment ecosystem.

    Although banks across the globe issue payment cards to customers, the highest volume issuers are typically US banks. Issuers introduce consumers into the card payments ecosystem, under license from the card payment schemes. Acquirers are responsible for capturing the POS transactions and submitting these transactions to the card scheme for authorisation. If the consumer has the funds or the credit, this process leads to the merchant receiving the value of the goods or services sold. There is also an extensive and distinctive value chain supporting Merchants.  Acquiring Processors provide sub-supply for Acquirers, and US firms are global leaders in this activity. There is a deep sub-supply value chain for Acquirers, with US expertise often to the forefront. The Point of Sale (POS) or Gateway providers offer hardware and software services for the secure capture of payment card details. POS or Gateway providers often innovate in adjacent categories to card payments such as retail inventory management and cash register software. US-led investment is also to the forefront in this area.

    Within all these moving parts, there are processes that are relatively unique to the card schemes, such as , rules, penalties, standards, procedures, brand guidelines, financial settlement platforms, security protocols, chargebacks, holds, stand-in processing, reserve accounts, minimum monthly payments, interest-free periods, etc.

    It is interesting to speculate about what Merchants would ask for if they could pick and choose their best possible combination of features from both species.  Here are a dozen simple and crude requests that a Merchant might make if they could define a hybrid payments collection service between ACH and Cards:

    1. “If the customer pattern moves to bank-to-bank credit transfers after PSD2, as a Merchant I want to see the same share of my sales being funded by unsecured consumer credit as when I saw a Debit Card/Credit Card split. I want customers to have still the same opportunity to buy on credit if some or all of my product range is priced at high values.”

    2. “Even if banks start to provide credit through unfunded bank accounts rather than card limits, I want my customers to have still the type of structured credit agreements that they liked with Cards, such as minimum monthly payments and interest-free periods. Ideally, they should get to choose the optional elements of their credit agreements.”

    3. “I reluctantly accept that I have to carry the overhead of a trusted dispute resolution mechanism for higher value purchases. I want my provider to educate the customers properly on when this protection exists and when it does not exist.”

    4. “I do not want any repudiation mechanism for the consumer for small value transactions. I have my statutory obligations built into my complaints and refund processes.”

    5. “I want the low-value purchases made without credit paid to me immediately.”

    6. “I want the simplicity and predictability of ACH pricing, not an array of fixed, variable, tiered and once-off card charges.”

    7. “I do not want “holds” put on my money if the business is unexpectedly good compared to projections, nor do I want to have money retained in “reserve accounts” in case of chargebacks. My bank should do all the due diligence on my activities, and that should be enough.”

    8. “I do not want to store the digital credentials of my customers, and I do not want to have to comply with a “PCI” security standard that could bankrupt my business with fines and penalties. I am a retailer, not a professional cyber-security company or a bank.”

    9. “If the customer is buying from me remotely on a mobile phone, I want minimal delays and friction but also strong customer authentication with the minimum of variation for transaction size and payment type. These security controls should be so elegantly designed that only thieves and fraudsters abandon transactions.”

    10. “I want value-added services that come with my point-of-sale payment collection services, such as inventory management software, cash drawers, and an App Store, especially for retailers. I want these value added services to work with all payment types.”

    11. “I want working capital finance opportunities that capture all my trading process delivered seamlessly to my business at POS. I don’t want offers of finance that are specifically confined to Cards traffic or some other specific payment mechanism.”

    12. “I want payment schemes with great brands that are recognised globally and entice consumers from all locations, not just EU.”

    Producing a hybrid scheme of this agility and desirability is a very tall order, given that the most important suppliers tend to have their capital, infrastructure and knowledge tied up in one of the two models. The biggest EU banks that will handle most of the PSD2 payment initiation volumes are very mature organisations with monolithic software platforms. The major card processors and platforms are also large and mature organisations with monolithic software platforms. They also have very distinctive knowledge bases, focused on either Cards or ACH. They look out at the world from within this history, with a perspective of customer needs influenced by their current model.

    Given these rigidities, is a hybrid model that might delight Merchants a pipedream? Perhaps not, if the theoretical promise of the “API Economy” becomes a reality. The API Economy is a set of business models and channels based on secure access to functionality and exchange of data between businesses through Open APIs. An Open API is a publicly available application programming interface. It provides third-party developers with programmatic access to a proprietary software application. APIs can also be used within businesses to clearly define automated methods of communication between various software components.

    API advocates make many claims about their usefulness. They argue that APIs lower barriers to entry for programmers. They make designing complementary programs easier and faster. Modular design, enabled by APIs, allows software designers to create, modify and remove components. Modularity combines the standardisation needed for high volume processes with the customisation required for bespoke design. APIs also enable measuring and metering the third-parties that are accessing and using these resources.

    Both Banking and Card Processing specialists are in mature industries with many monolithic systems and divisional organisational structures. All mature industries face a range of challenges adapting to Open APIs. They will have to modify performance management and measurement systems. They have complicated and expensive investments to make to develop modular software with a microservices architecture. Open APIs are entirely different to own-brand products in mature industries. The monetisation goals for Open APIs will have to reconcile with the goals of own-brand products. Mature industries with very established patterns of pursuing profits at divisional level might struggle to see where they will capture value from Open APIs. Older businesses that were not born in the networked economy can be excessively focused on the downside risk of data travelling out to third-parties.

    By definition, all of the service domains required for the market to assemble the Merchants’ wish list for “the ideal hybrid ACH/Card scheme” must already exist. In general, these services are locked inside the software architecture of the respective service providers, either banks or major card specialists. These service domains have Machine to Machine and Human to Machine interactions. Machine to Machine interactions have content suitable for data fields that can be passed between applications. The level of detail in the interactions influences the potential for Open APIs. These interactions contain identifiers and depictions that can be explicitly mapped to a data structure. The standard of detail is very high. Human to Machine interaction includes structured forms of information that are completed by a person during a service exchange. The API Economy has the potential to capture the Human input through more applications and more convenient applications.

    In crude conclusion, notwithstanding the difficulties for mature firms in changing their business models, Open APIs could revolutionise how data and services are distributed. Given the regulatory intervention, the Card specialists in particular seem to have an incentive to make some or all of their characteristic and value adding service domains available to all models, whether there are 3 or 4 parties involved in a scheme. It could be a 2-model world with tighter margins, so they need to profit from both models. If the reality of the API Economy matches the theory, we could see some hybrid species in the future.

    Paul Rohan is Author, “PSD2 in Plain English” at Rohan Consulting Services Ltd.

  • Posted 6:00 am on August 4, 2016
    Tags: cro, open banking

    Where are the likely “banana skins” for bank CROs from PSD2 and Open Banking? 


    In general, Chief Risk Officers (CROs) and Boards of Directors of traditional banks probably lose a lot more sleep over the health of bank balance sheets than over the security and agility of daily payments and accounts processes. A failure to control the quality of loans on the balance sheet is an existential risk for a credit institution. A failure to maintain depositor confidence, leading to a cataclysmic outflow of funds from the liabilities side of the balance sheet, is also an existential threat. While significant frauds, security failures and data privacy breaches may tarnish bank brands, slow business growth and lead to very large regulatory fines, these events have to be incredibly large and systemic to suddenly wipe out a bank’s equity or cause a loss of a banking license.

    Although banks may have ultimately adopted progressive API Strategies over time, banks are being compelled by PSD2 to adopt API-driven business objectives and processes against a fixed deadline. Without regulatory intervention, the timing of this change would have been commercially driven. In more normal circumstances, the Boards of these banks could have approved new API Strategies (covering API provision and consumption) with a defined appetite for risk. This is the level of risk that a bank is willing to accept in order to deliver these business objectives. It will be important that the mandatory nature of PSD2 does not inhibit banks from carrying out these important disciplines. Even a “comply only” API business strategy prompted by PSD2 does not mean that bank Boards are not ultimately responsible for the risk profile of these business activities.

    To try to avoid adverse outcomes, bank management and Boards of Directors spend much time defining their appetite for risk.  To inform the process of defining risk appetite, banks invest much time and effort in developing risk models.  Many of these risk models are devised and prescribed from the “top down” by Regulators and prescribed to a class of banks, in order to compare risk profiles.  Risk models are also devised and implemented from the “top down” by and specialist risk management staff.     For example, banks model the adequacy of capital levels and loan loss provisions in adverse economic conditions (often under regulatory supervision, such as the recent Stress Tests conducted by the European Banking Authority). These models help inform CRO responses – can and should risks be avoided, reduced, shared or accepted? 

    Paul Rohan, the author of this post, is also author of “PSD2 in Plain English”.


    PSD2 and Open Banking is not a matter of a faster growth rate or a diversification into new market segments using established business processes and risk models. In broad terms, PSD2 is extending and blurring the boundaries of a bank. With PSD2 and Open Banking, there are now new risks to a bank’s risk profile outside of contractual arrangements that the bank has chosen to enter. It could be difficult for bank CROs to fully understand and fully embrace the lessons from risk management problems inside PSD2’s “Third Party Providers (TPPs)”.

    Does a bank’s CRO have a big blind spot in this new Open Banking environment? As the layer of overlay Payment Initiation and Account Information services grows into an ecosystem, the capability of the CRO to quickly identify where a fraud could happen or how a fraud was executed will fall. The possible points of weakness increase as more and more payment initiation is captured by the risk management and security of TPPs. A certain type of payment may be handled by many TPPs, or a certain device or security protocol may be breached across many TPPs. Calls from puzzled customers to a bank’s Call Centres will have many more scenarios to plan for and many more scenarios to try to understand. Call Centres will ideally have to know exactly the TPPs, current and lapsed, that a customer has granted PSD2 access to. Call Centres and Client Education will probably have to prepare and plan for the emergence of imposter TPPs. The normal patterns of API calls on a bank’s payments hub will have to be tracked as accurately as the normal pattern of customer instructions through proprietary channels.

    The initial risk model prepared for PSD2 and Open Banking will have to come from the “bottom up”. Staff managing business units with expert knowledge of a certain set of products and processes can model their risk profiles from the “bottom up”. These models are used across a range of risks to help banks identify and manage the risks that they are running. A very common model is a “Risk Matrix”. It is a simple mechanism to increase visibility of risks and assist management decision making. The severity of an event could be classified as Catastrophic, Critical, Marginal or Negligible. The probability of an event occurring might be categorised as ‘Certain’, ‘Likely’, ‘Possible’, ‘Unlikely’ or ‘Rare’. It is likely that the technical function that physically manages the Private, Partner and Public APIs will be documenting new risks from newly published APIs on their unit Risk Matrix. The commercial function or functions that have line of business responsibility for API Monetisation and PSD2 compliance will probably be documenting different PSD2 risks on a different Risk Matrix, from a commercial perspective.

    The initial risk model will have to correctly identify and maintain the correct number of Payment Accounts that must be exposed by law. Banks will need to ensure that new controls are designed and effectively implemented so that TPP Permissions can be revoked by End Users who hold accounts at the bank. API Related Complaints by End Users or by API Developers will need to be monitored as potential indicators of risk. Managing data and privacy (both of customers and API Developers) appropriately in an Open Banking environment is a risk. If an API is temporarily or permanently withdrawn, a bank will need to understand the implications of that action. When significant actions or first-time processes are triggered by the end users, banks will need to be sure that Out of Band Challenges will go to End Users. API Permissions with an expiry date will need to expire at the time limit. If there is a dispute over a potentially unauthorised payment through a Payment Initiation Service, banks will need to be sure that PSD2 is being observed and an immediate refund is triggered. In the early days after PSD2, there is no “typical” or “average” number of risk events to guide a bank’s risk responses or risk appetites. Banks will also be required under PSD2 to share information on security threats. There will be guidelines for managing security incidents and the EBA will set guidelines on how to handle complaints.
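    One way to encode three of the controls listed above (permissions that the account-holding End User can revoke, API Permissions that lapse at their expiry time, and an Out of Band Challenge for a first-time or significant payment), together with the current-and-lapsed TPP view a Call Centre would need, as an added example that is not code from this post or from any bank; the TPP identifiers, scope names, amount threshold and clock are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed consent register for an account servicing bank. Scope names,
# identifiers and the "significant amount" threshold are assumptions for this
# example, not values taken from PSD2, the EBA or any bank's implementation.
ACCOUNT_INFO = "account-information"   # AISP-style read access
PAYMENT_INIT = "payment-initiation"    # PISP-style push payment


@dataclass
class TppPermission:
    tpp_id: str
    user_id: str
    account_id: str
    scopes: frozenset
    expires_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    out_of_band_challenge: bool = False  # step-up sent to the End User, outside the TPP flow


class ConsentRegister:
    """Every permission a user has granted to a TPP, current and lapsed."""

    def __init__(self, significant_amount: float):
        self.significant_amount = significant_amount
        self._perms = {}            # (user_id, tpp_id, account_id) -> TppPermission
        self._known_payees = set()  # (user_id, payee) pairs that passed a challenge

    def grant(self, tpp_id, user_id, account_id, scopes, expires_at):
        key = (user_id, tpp_id, account_id)
        self._perms[key] = TppPermission(tpp_id, user_id, account_id, frozenset(scopes), expires_at)

    def revoke(self, user_id, tpp_id, account_id, now):
        """Revocation is driven by the account-holding End User, never by the TPP."""
        perm = self._perms.get((user_id, tpp_id, account_id))
        if perm is None:
            return False
        perm.revoked_at = now
        return True

    def record_challenge_passed(self, user_id, payee):
        """Only after the End User answers the challenge does the payee become known."""
        self._known_payees.add((user_id, payee))

    def current_and_lapsed(self, user_id, now):
        """Call-centre view: which TPPs hold live access and which have lapsed."""
        current, lapsed = [], []
        for perm in self._perms.values():
            if perm.user_id != user_id:
                continue
            if perm.revoked_at is not None or perm.expires_at <= now:
                lapsed.append(perm.tpp_id)
            else:
                current.append(perm.tpp_id)
        return sorted(current), sorted(lapsed)

    def authorise(self, tpp_id, user_id, account_id, action, now, payee=None, amount=0.0):
        perm = self._perms.get((user_id, tpp_id, account_id))
        if perm is None:
            return Decision(False, "no permission granted by end user")
        if perm.revoked_at is not None:
            return Decision(False, "permission revoked by end user")
        if now >= perm.expires_at:
            return Decision(False, "permission expired at its time limit")
        if action not in perm.scopes:
            return Decision(False, f"action {action!r} outside granted scope")
        if action == PAYMENT_INIT:
            first_time = (user_id, payee) not in self._known_payees
            significant = amount >= self.significant_amount
            if first_time or significant:
                return Decision(True, "payment permitted, pending out-of-band challenge", True)
            return Decision(True, "payment permitted")
        return Decision(True, "account information permitted")


def demo():
    """Walk one constructed user through grant, use, expiry and revocation."""
    t0 = datetime(2018, 1, 13, 9, 0, tzinfo=timezone.utc)  # constructed clock
    reg = ConsentRegister(significant_amount=500.0)
    reg.grant("tpp-budget-app", "user-1", "acct-1", {ACCOUNT_INFO}, t0 + timedelta(days=90))
    reg.grant("tpp-checkout", "user-1", "acct-1", {ACCOUNT_INFO, PAYMENT_INIT}, t0 + timedelta(days=1))
    r = {}
    r["tpps_start"] = reg.current_and_lapsed("user-1", t0)
    r["read_ok"] = reg.authorise("tpp-budget-app", "user-1", "acct-1", ACCOUNT_INFO, t0)
    r["read_scope"] = reg.authorise("tpp-budget-app", "user-1", "acct-1", PAYMENT_INIT, t0, "shop", 10.0)
    r["pay_first"] = reg.authorise("tpp-checkout", "user-1", "acct-1", PAYMENT_INIT, t0, "shop", 10.0)
    reg.record_challenge_passed("user-1", "shop")
    t1 = t0 + timedelta(hours=1)
    r["pay_repeat"] = reg.authorise("tpp-checkout", "user-1", "acct-1", PAYMENT_INIT, t1, "shop", 10.0)
    r["pay_large"] = reg.authorise("tpp-checkout", "user-1", "acct-1", PAYMENT_INIT, t1, "shop", 900.0)
    t2 = t0 + timedelta(days=1)
    r["pay_expired"] = reg.authorise("tpp-checkout", "user-1", "acct-1", PAYMENT_INIT, t2, "shop", 10.0)
    t3 = t0 + timedelta(days=2)
    reg.revoke("user-1", "tpp-budget-app", "acct-1", t3)
    r["read_revoked"] = reg.authorise("tpp-budget-app", "user-1", "acct-1", ACCOUNT_INFO, t3)
    r["tpps_later"] = reg.current_and_lapsed("user-1", t3)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```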

    In the early stages of Open Banking, volumes will be low. A key driver of the “severity” weighting that bank staff will use on a “Bottom Up” Risk Matrix will be both the volume and the value of the transactions that are travelling through this process. Relative to the volumes that currently travel through a bank’s proprietary channels and the enormous values of payments through a bank’s Treasury function, the initial Open Banking traffic is likely to be classified as “Marginal” at first. CROs may not see Amazon, Apple, Google, Facebook and Microsoft appear in the Overlay layer of TPPs in the first few months of the PSD2 and Open Banking regime. However, it is probably a mistake to assume that all “Fintechs” are small and undercapitalised, and thus unlikely to trouble a bank’s infrastructure with a surge of volume. “Silicon Valley” TPPs will have pan-EU ambitions and potentially large appetites for API consumption. Crucially, EU banks could find that 80% of their installed base of customers already trust and actively use services from these giants.

    We can reasonably speculate that the crooks and fraudsters that exploit opportunities in digital services could have their own “PSD2 projects”.  What sort of new attack vectors for fraudsters could exist in this new, more complex environment?  Fraudsters can read the new PSD2 legislation just as well as anyone else.  The fraudster knows that a bank has only one working day after a disputed payment to refund any unauthorised payment transactions generated by a TPP.    Fraudsters will know that banks will have to deal with potential payment reversals within the TPP process while an impatient customer has launched a fresh effort at the same payment through a traditional channel.   eCommerce or Mobile Commerce transactions that historically only appeared as Card transactions will start to appear as Faster Payment Scheme Credit Transfers, disrupting and confusing customer payment profiles held by banks. Fraudsters could start to watch for authentication and control differences between TPP processes and traditional processes, building up a trusted profile for subsequent exploitation on the other process.  Fraudsters will know that sensitive personal or authentication data extracted from unsuspecting TPP customers could later be used in a bank’s proprietary channels without the account servicing bank being aware of the initial breach.    

    In crude conclusion, the initial risk profile of PSD2 and Open Banking looks quite benign compared to some of the existential risks that banks face every day. However, as PSD2 and Open Banking start to gain market acceptance and volumes start to ramp up, the “banana skins” will come quite quickly. CROs and Bank Boards will have to recognise that a new business strategy like exposed APIs has to be rigorously scrutinised for risk, whether this new business strategy is enforced by an EU regulation or not. Banks will have to prepare for the new PSD2 and Open Banking regime without any tested and mature risk models. The blurring boundaries of the organisation make a “top-down” identification of material PSD2 risks a difficult challenge for the CRO. Risks related to PSD2 and Open Banking will not be confined to one business unit, making the “bottom up” risk profile more blurred. At an industry level, there will be a period of time before a “sensitivity level” is established for the risk profile of Open Banking processes. The addition of 5% of a bank’s total payments volumes through TPPs in immature processes may be a “marginal” change in payments volumes, but it probably does not represent a marginal change in the bank’s overall risk profile. The structure of PSD2 means that Silicon Valley giants could arrive with very large volumes and effectively unannounced, without having any prior relationship with the API publishing bank. Fraudsters will know that the addition of new overlay services managed by TPPs is a radical change in business model and is completely different to the incremental addition of a new proprietary bank channel (such as tablet, mobile or kiosk) using the same proven customer profile and control processes.

    In crude conclusion, the primary risk control for banks in this environment can only be a risk-aware culture. Bank management will have to seize growth opportunities from APIs while managing risk, just as in all other processes. The immaturity of risk classification models, industry norms and fraud detection models will mean that bank management will have to approach this arena from “first principles”. As API volumes grow, clear and active communication within banks and within industry bodies about the various “banana skins” will be crucial. Innovators seeking to build partnership relationships with banks in the Open Banking era should also welcome tough questions from banks about their risk control capabilities. If a bank is asking tough questions and paying good attention to likely risks in the TPP overlay layer, that bank is far more likely to be serious about building an ecosystem out of its payment




  • user 7:38 am on June 11, 2016
    Tags: Buyers Club

    Will PSD2 and APIs fuel the growth of Buyers Clubs? 

    A Buyers Club or Buying Club is a club organised to pool members’ collective buying power, enabling them to make purchases at lower prices than are generally available, or to purchase goods that might be difficult to obtain independently. These Buyers Clubs can also describe themselves as “consumer networks” or “cost of living” clubs.

    These Buyers’ Clubs or consumer networks use combined people power to unlock group discounted offers on various household bills.  The clubs focus on arranging group discounted offers on recurring expenses such as household energy, home broadband and telephone calls.  We can also see some examples of financial customers pooling their collective buying power to source offers for financial products e.g. mortgages, credit cards and life, home and car insurance.

    The effort for consumers to enter the process is low. Joining is obligation-free and cost-free. The consumer registers to demonstrate their support. It only takes a few moments, it costs them nothing and they are not obliged to take up any offers that the Buyers Club negotiates. The consumers that become members are free to merely use the Club offers as leverage to shop around or to see if they can get a better deal from their existing providers.

    The Club deals may not beat the consumers’ current deals.  Some consumers are on legacy deals and special deals that are not available cost-free to the general public. Other providers could also be compelled to compete with Buyers Club offers by offering more competitive offers. The Buyers Clubs differ from Price Comparison Websites in that they effectively create products and prices rather than compare them. They generate offers for Club members that are not available to individuals. The Buyers Club earns a fee from the businesses that earn customers through specific campaigns.

    At this stage of their evolution, there are many things about the registered buyers that the Buyers Club does not know. The Club does not specifically know the current vendors that each individual buying consumer or household uses for the typical utility or mass-market financial products. Obtaining the legal entitlements of an Account Information Service Provider (AISP) under PSD2 would allow the Buyers Club (with individual buyer consent) to identify the actual vendors from Payment Account narratives. Buyers Clubs could inform themselves about their collective negotiating power with individual vendors by data-mining aggregated Payment Account data.

    There will be limitations in the Payment Account data. Many individual vendors have a standard range of products, services and pricing packages that a buyer can choose from. It will not be instantly clear from Payment Account data which product or product variant the consumer or household is currently using. However, the information available on the precise products and services in use in a household is also growing and is increasingly likely to be accessible in the API Economy. Buyers Clubs could begin (with buyer consent) to gather data on the precise products and usage patterns of consumer services.

    Domestic robots are emerging to control household utility services.  An increasing number of people monitor and change temperature settings in their home remotely from their smart phone. Smart meters will form the first smart interface between the utility grids (such as electricity, gas, drinking water) and the local utility system within households. Smart meters make it feasible for utility customers to have very flexible contracts based on greenness, time of day and day of the week. This data can be connected to actual spending in Payment Accounts after PSD2.

    Smart appliances seem likely to become part of the household in the future. The smart fridge, dishwasher, washing machine and so on will start communicating with the smart grid and find the greenest or the cheapest time to use power and water. Smart fridges may even keep track of consumables and order supplies at the local supermarket using a PSD2 Payment Initiation API. We can conceive of an environment in which the owners of these smart appliances are sharing data on their usage patterns and their financial purchasing patterns in an aggregated services layer.


    While PSD2 will make the data in every Payment Account in every Account Servicing Payment Service Provider (AS PSP) in the EEA available to an aggregation layer (with client consent), there is a reasonable possibility that EEA consumers could be using a predictable range of smart home devices in tandem.  Alphabet offers both Google Home and Nest.   Like Amazon Echo, these are always-listening devices that can answer queries, check schedules and work with third-party smart home devices.  Apple seems likely to follow with HomeKit.  Data on the devices and services being used in the home seem likely to be concentrated on a small number of platforms.  In crude terms, Buyers Clubs will probably be able to use this small number of buying platforms to understand and reconcile the devices and services being used with the amounts and narratives in the Payment Accounts.

    Buyers Clubs may also become able to connect spending on health insurance premia with the actual health of the insured.   An increasing number of connected systems are used to monitor health. Pacemakers and insulin pumps can have a wireless interface. Health monitoring and other medical equipment in hospitals is increasingly connected to the hospitals’ core network.  In the face of high costs of specialist drugs and health insurance for people with known conditions, there will be significant incentives for patients to aggregate their spending patterns and health indicators into a Buyers Club structure.

    The Payment Accounts of consumers and households can hold extensive data on significant transport expenditure (insurance, fuel, tax, maintenance etc.). In the case of private transport, modern cars contain an enormous amount of code in an increasing number of electronic control units. Cars are now “computers on wheels.” The code modules monitor an increasing number of sensors and control and activate many actuators, from lights to collision avoidance systems. As many manufacturers develop modules, the interfaces between them need to be open. This suggests that data on motoring expenses and data on motoring patterns could be open to be shared by buyers in an aggregated Buyers Club.

    Of course, there are more than a few details to be sorted out before this connected future becomes a safe and mature reality.  This level of connectivity between devices, payment service providers, buyers and suppliers could be a hacker’s paradise during the immature phase of its development.

    From a cyber-security perspective, there is a sharp contrast between the introduction of the PSD2 and the evolution of the connected devices described above.  In broad terms, the security standards on the PSD2 APIs are being centrally planned, centrally designed and collectively implemented.  There will be obligations on registered participants under PSD2 to report security incidents, follow rulebooks and stay compliant with new risk management measures to counter evolving security threats.

    In parallel to the controlled PSD2 introduction of payment and payment data APIs, the next broad innovation cycle is likely to be the Internet of Things (IoT), where the devices that people buy/rent and use become connected. Almost any device will have an internet address, communicate what it senses and may activate its actuators. Innovators will conceive interesting new functions and bright technical people will implement them. However, cyber security lessons identified about threats and risks in current and previous innovation cycles sometimes do not make their way into the next innovation cycle. People with the bright innovative ideas are often not educated in cyber security, and neither are many of the programmers who implement their ideas. They can neglect the old threats which provide attack paths to cyber criminals.

    In crude conclusion, PSD2 will allow consumers and households to decide to share data on how they spend their money both with their peers and with a wider range of service providers.  PSD2 could allow Buyers Clubs to play a far more incisive role in identifying, assembling and empowering peer groups of consumers to negotiate collectively with vendors.  The emerging ability of the Internet of Things to inform the buyers on their usage patterns of devices and services will strongly reinforce the economic value of this process.  However, the use of device APIs to add data into an aggregation layer by a PSD2 AISP could cause new cyber-security risks that will need to be identified and considered.

    Paul Rohan, the author of this post, is also author of “PSD2 in Plain English”.


  • user 10:00 am on June 7, 2016

    RegTech: Building A Regulatory Tool Kit for the 21st Century 

    [Transcript of Keynote given at FinnovAsia on May 30th 2016]


    Since the 2007 financial crisis, we have witnessed a series of scandals ranging from PPI mis-selling to the LIBOR rigging scandal. The direct consequence of this has been the implementation of a more stringent regulatory regime, increasing overall compliance costs. Indeed, since 2007, financial fines have increased 45-fold, incurring additional compliance costs of multiple billions of dollars. Indirectly, the financial instability that is being generated impacts the population, with the most recent reports estimating that cancer mortality has increased by 500,000 and that 50%+ of Americans cannot afford an unexpected expense of US$400.

    In my opinion, Regulatory Technology (RegTech) represents a dual opportunity. Economically, it resolves the compliance cost concerns of CEOs, whilst socially it delivers direct added value to regulators to enhance market stability and consumer protection.

    In other words, while in advanced economies early developments (e.g. P2P lending) appear to be a reaction to the symptoms of the previous financial crisis (e.g. credit shortage), RegTech appears as a more mature approach that may limit the severity of the next crisis.


    Similarly to FinTech, the benefits of automating reporting and compliance processes are not new, as demonstrated by the introduction of pattern analysis or the work done by the SEC in the US in 2000. Furthermore, most of the post-crisis reforms focus on data transparency (e.g. central OTC clearing), openness (e.g. PSD2) and standardisation (e.g. unique entity identifier). However, whilst not new, RegTech as a term has increasingly been used in the last 6 months. This uptick of activity warrants the necessity to start re-conceptualising RegTech and set a foundation of understanding across the industry, regulators and policy makers.

    Establishing a taxonomy of the sector, RegTech covers four key areas:

    • AML/KYC – Anti-Fraud
    • Risk Management
    • Data Management
    • Compliance

    As it currently stands, the most visible RegTech innovation seems to be in the e-KYC space, similarly to how payments and alternative lending used to define the bulk of FinTech innovation. The pain points encountered by given their current AML/KYC process, and the relative simplicity of developing a certified third party authentication platform (versus implementing wide-scale use of smart contracts to identify the contractual liability of a firm in real time), explain the immediate focus given to this specific sub-sector. However, the digital AML/KYC process represents a superficial (i.e. customer-facing) use of RegTech, similarly to how certain digital banking propositions are simply a better UX skin on top of an outdated core banking engine.

    In my mind the real long term value (both from an investment and a social perspective) is embodied in solutions that redefine the way is being created, so that risk identification and compliance can leverage data and automation to really be proportionate (e.g. to actual risk) and real time (e.g. as opposed to batch reporting). In that respect, the development of Regulatory Sandboxes represents an initial step for regulators to deploy and learn how to use RegTech as part of their regulatory toolkit.

    In that regard, the FCA (in the UK) has, once again, championed the promotion of this objective with the announcement of a “regulatory sandbox” in Nov 2015 (currently accepting applications, and due to go live with 10 participants in September 2016). This approach has so far been positively echoed in other jurisdictions, with ASIC in Australia and MAS in Singapore holding consultations. The benefits of sandboxes are diverse. For external stakeholders (e.g. start-ups), they reduce time to market and compliance costs. For internal stakeholders (e.g. regulators) they add an interaction method with start-ups as well as a transition tool towards a more data-driven supervisory model.


    However, these developments are currently very much in an experimental phase. The fact that access to the sandbox is limited to a handful of participants, and the scope of experimentation is constrained by EU laws (e.g. exclusion of credit institutions, insurance or alternative fund managers, as well as baseline regulatory capital for some activities irrespective of portfolio/market size), shows that only specific FinTech start-ups will benefit. The counter-argument is being considered, given the current Brexit discussion. Were Brexit to materialise, the FinTech eco-system in the UK (heavily driven by EU regulatory requirements) would lose its appeal (and VC funding in the EU is already down 40%+ in Q1), making the rationale of a sandbox a moot point. In other words, a Brexit would leave the sandbox with not enough kids to play inside!

    I therefore see the current sandboxes (e.g. virtual, umbrella, regulatory) as the first building block towards a reconceptualized regulatory regime that is truly real-time and proportionate. This means that the parameters of the sandbox also need to be conceived with an end objective in mind and leverage a true opportunity to change the current paradigm of market supervision/regulation and firms’ compliance and reporting processes. An illustration of this shift would be as follows:


    This is very much an ongoing conversation and a very rare occasion where the interests of FinTech, FinServ and Regulators seem easily aligned.

    Janos Barberis is Millennial in FinTech | HKU Law | Founder FinTech HK & SuperCharger | Co-Editor The FinTech Book

  • user 10:41 pm on June 2, 2016

    PSD2 Use Cases 


    I have been involved in many conversations over the past few months which have included a number of potential ideas around how PSD2 will revolutionise the customer experience. Having thought about it a bit more, I have concluded that there are 4 primary use cases for PSD2 and that all of the ideas fit into one or more of these use cases:

    1) Aggregation & Cash Management/Payments Management

    Whether such aggregation and initiation is managed through an existing banking relationship or an external entity such as a Google etc. this can be seen as a key use case for the consumer and corporate to manage their cash in a real time manner and initiate payments between accounts as well as to third parties.

    In the corporate space, this could see the demise of the SWIFT cash management services which have been prevalent over the past 30+ years, and a migration from the overnight/intraday MT940/MT942 messages to the use of realtime balances and transaction data, enabling realtime reconciliation.

    2) Checkout

    Today we see the likes of Amazon, Paypal etc use the credit/debit card as the means to effect checkout settlement – PSD2 offers the opportunity to display realtime account balances and initiate the push payment for goods and services. For the likes of Amazon, this could lead to incentives similar to those offered to Prime customers who are willing to sacrifice the next day service and receive a £1 credit to the digital wallet to be used against MP3 or Kindle purchases.

    There is a down side to this approach that consumers will need to be aware of which is the consumer protection that is afforded from using credit cards.

    3) Comparison Websites

    Today the comparison sites provide information on utilities, credit cards etc. By allowing access to realtime information, these sites could provide the automated management of savings, moving them to the best deals available with selected institutions. The next step could be virtual banking with the website, as it would manage the banking current account relationship, using CASS to move the current account to the best deals in the market. A user could indicate they bank with the comparison website, be assigned a virtual sort code and account number which links to the physical sort code and account where the account is presently held.

    4) Credit Management/Decisions

    Finally, when applying for a loan or other form of credit, the consumer could allow the credit institution/provider to be granted access to the latest transaction data as a basis for making the credit decision. Moving to a more ‘knowledgeable’ basis of decision making will allow for better control of credit decisions, which should reduce risk and could/should lead to lending at lower cost.

    If I’ve missed anything outside of the above then please let me know, I’d be very happy to add to my list above.

    What will make these use cases a reality is the adoption by various actors (, Google, Amazon, comparison sites etc.) but also the community developing the apps to drive and expand the horizons of what and how any or all of the use cases can bring added value to all parties.

    Bob Ford is Payment SME, Consultant at Bob Ford Associates, and this post was originally published on LinkedIn.

  • user 7:44 am on May 25, 2016

    Will Banks shift some Product Oversight obligations to Fintechs after PSD2? 


    The European Banking Authority (EBA) has developed Guidelines (GL 18) that deal with the establishment of product oversight and governance arrangements in regulated service providers. The Guidelines apply to both “Distributors” and “Manufacturers” of financial products. These oversight and governance arrangements must become an integral part of the internal control systems of regulated providers.

    All of the main types of mass-market financial products are captured by the Guidelines.  Mortgages, Unsecured Credit, Deposits, Payment Accounts, Payment instruments, Bankers’ Drafts and Electronic Money are all within scope.   All the significant types of mass-market providers are in scope: Credit Institutions, Payment Institutions and Electronic Money Institutions. Consumers are explicitly in scope of the Guidelines, but the EBA has invited Competent Authorities in EU Member States to consider extending the same protections to micro-enterprises and SMEs.  These Product Oversight and Governance arrangements will be in force from January 3rd, 2017.

    A Distributor is described by the Guidelines as a firm that “offers and/or sells the product to consumers; this includes business units of manufacturers that are not involved in designing the product but are responsible for bringing the product to the market”.

    A Manufacturer is described by the Guidelines as a firm that “designs (i.e. creates, develops, combines or significantly changes) products to be offered to consumers or who is involved de facto in the design of the product”. From January 2017, established banks will have Manufacturer status for many hundreds of products being used by their customers.


    What sort of “Overlay” Services might we see from Fintechs after PSD2, and will the Fintechs be classed as “Distributors” or “Manufacturers”? We will probably see Consumer services (either PISP or AISP) that integrate with social media. Venmo in the US is a good example, but social media giants like Facebook could also fill this role. Venmo uses the Card networks in the US, but the SEPA platform could be very attractive after PSD2.

    Services like these can be classed as “Manufacturing”, i.e. Venmo or Facebook “designs (i.e. creates, develops, combines or significantly changes) products to be offered to consumers or who is involved de facto in the design of the product”. This new type of API-enabled product manufacturing seems also likely to evolve in the SME market segment. If a firm like Xero integrates a PISP and/or AISP service into the Cloud Accounting solution for its EU clients, it is also creating, developing, combining and significantly changing financial products to be offered to SME customers. In the API Economy, Facebook, Venmo and Xero will be Manufacturers of composable and API-enabled financial solutions, not mere Distributors of bank accounts. The product oversight and governance arrangements required by the EBA will land squarely on these newly regulated providers.

    The Manufacturer is required to establish, implement and review effective product oversight and governance arrangements. The arrangements should aim, when products are being designed and brought to the market, (i) to ensure that the interests, objectives and characteristics of consumers are taken into account, (ii) to avoid potential consumer detriment and (iii) to minimise conflicts of interest.

    The Fintech as Manufacturer will be required by the EBA Guidelines on Internal Governance (GL 44) to have in place a well-documented new product approval policy (“NPAP”), approved by the management body, which addresses the development of new markets, products and services and significant changes to existing ones. The NPAP should cover every consideration to be taken into account before deciding to enter new markets, deal in new products, launch a new service or make significant changes to existing products or services. The Fintech’s NPAP should set out the main issues to be addressed before a decision is made. These should include regulatory compliance, pricing models, impacts on risk profile, capital adequacy and profitability, availability of adequate resources, and adequate internal tools and expertise to understand and monitor the associated risks. The decision to launch a new activity should clearly state the individuals responsible for it. A new activity should not be undertaken until adequate resources to understand and manage the associated risks are available. All actions taken by the Manufacturer in relation to the product oversight and governance arrangements should be duly documented, kept for audit purposes and made available to the Competent Authorities upon request.

    Will all of the red tape that lands on a large and broad Bank land on a small and narrow Fintech? The intention is that it should not. The EBA’s GL18 requires that product oversight and governance arrangements be proportionate to the nature, scale and complexity of the relevant business of the Manufacturer. The implementation and application of the arrangements should have regard to the level of potential risk for the consumer and the complexity of the product.

    What does this mean in practical terms for the API-enabled Fintech? Guidelines 25, 26 and 28 of the EBA’s GL44 probably set out this hurdle. While a Bank will need a Risk Control team that is comprehensive and independent, a Fintech will certainly need a staff member with this specific responsibility. This person should provide relevant independent information, analyses and expert judgement on risk exposures, and advice on proposals and risk decisions as to whether they are consistent with the Fintech’s risk tolerance/appetite. This Fintech employee is explicitly permitted by the EBA Guidelines to also hold a Compliance role, if the nature, scale and complexity of the Fintech business allows. While a broad and large bank will need a permanent and effective Compliance Team, in smaller and less complex institutions this function may be combined with or assisted by the risk control or support functions (e.g. HR, legal, etc.).

    In crude conclusion, banks can avoid a lot of Product Manufacturer oversight overheads if they scale back the size of their “own brand” application suites. If a bank shrinks to a smaller core of own-brand products and services, it can engage with the market on less important products through API Developers. The new players that emerge to use PSD2 APIs in composable financial services will be designated “Manufacturers” within the regulatory regime.

    Of course, these new players are introducing potential rival brands into the consciousness and activities of banks’ existing clients. However, the threats posed by these potential rivals are limited if these new Manufacturers do not hold a Credit Institution licence. A Payment Institution or eMoney Institution can neither offer credit nor take deposits. In the API Economy, banks could find that they can grow their balance sheets by being loosely coupled to these new overlay services through APIs. This growth could come without the product oversight and governance overheads that arise when a bank grows by selling directly under its own brand.

    Paul Rohan (https://www.linkedin.com/in/paulrohan), the author of this post, is also author of “PSD2 in Plain English”.


  • 12:00 pm on May 19, 2016

    Will PSD2 and Open Banking impact the Under 18/Youth Banking market? 


    A consumer survey in 2014 by the UK’s Competition and Markets Authority (CMA) showed that 37% of consumers had been with their main Account Servicing PSP for more than 20 years. 57% of the consumers in the survey had been with their main Account Servicing PSP for more than 10 years. We can broadly assume that the same customer retention rates hold true across the entire European Economic Area, the scope area for PSD2.

    It is not clear whether the CMA survey question started the clock for the 10 or 20 years of retention with a single Account Servicing PSP at the point when the consumer opened a fully featured Payment Account designed for an adult, or a reduced-functionality account for a child. However, we can assume that a very large number of bank customers opened their first account as a child and did not switch suppliers until adulthood, if they switched suppliers at all. It is reasonable to assume that these very long periods of customer retention often started in childhood.

    The first question we can ask about PSD2/Open Banking and the Youth market is whether any of the popular non-bank brands in this market segment might be attracted by the increased opportunity. The UK market has good sample data on the preferred brands for children aged 7 to 15. The top 10 brands are Walkers Crisps, The Simpsons, McDonalds, Coca Cola, Nintendo, YouTube, Maltesers, Haribo, Cadbury and Apple. We can probably eliminate the confectionery brands as being unlikely to see Open Banking as a diversification/increased share-of-wallet opportunity. While “Bank of The Simpsons” has instant appeal to children of all ages, this brand is also an unlikely Financial Services market entrant (the potential appointment of Chief Wiggum as Compliance Officer could also be grounds for concern).

    The “tech platform” brands focused on gaming that appear at the upper end in the Youth Brand Rankings are significantly more likely to take an interest in the financial services industry.  These platforms are already taking some margin from traditional , in the form of cash float.  Many of these youth gaming platforms have a “wallet feature”, where value transfers can be accepted from the mainstream payment platforms.  In the youth market segment, there is a flow from the “Bank of Mum and Dad” through a Card platform into the in-game/in-platform wallet for youth gaming.  Does this provide a starting point for a wider, life-long financial service?  Nintendo seems constrained to be primarily a youth brand.  Microsoft has a presence but through a subsidiary brand (Xbox).  However, Apple, Facebook and Google have brand penetration in both the youth market and onwards into the older market segments.

    Children in the 7 to 15 age bracket can have very active digital and social media lives. However, it is rare that they have active, self-managed and trackable financial lives in their own capacity. The “Bank of Mum and Dad” is usually the major donor, day-to-day creditor, conduct regulator and lender of last resort. Youthful account holders typically live at home, so they don’t pay rent or buy provisions. They typically don’t have a car nor pay utility bills. They don’t insure themselves nor have significant property to be insured. Their mobile credit top-ups may be the mainstay of their simple expenditure patterns.


    PSD2 holds a broad promise of making financial behaviour data available from payment accounts to fuel competition and innovation. While youthful consumers may leave a rich footprint of behavioural data and preferences directly on social media, the “Bank of Mum and Dad” probably contains and conceals most of the financial transactions that benefit these younger economic actors.

    That said, even though the routine day-to-day account activity level is low, this does not mean that this age bracket has no financial value. Children can be regular savers. Many youth bank accounts are likely to be savings accounts, rather than a Payment Account as defined by PSD2. PSD2 defines a Payment Account as an account held in the name of one or more payment service users which is used for the execution of payment transactions. The child who is the account holder may receive lump-sum or recurring payments from a parent into the account, but this typically does not qualify the child as a payer using the account for a payment service. The number of savings accounts in this market segment sharply reduces the potential scope of PSD2 and reduces the addressable market for non-banks.

    Nevertheless, again using the UK as a benchmark market, there are accounts for children that are used for payments rather than savings. From the age of 11, accounts are available that offer Debit Cards, Cash Cards, Direct Debits and Standing Orders. These meet the strict PSD2 definition of “Payment Account”, but there is no certainty that these accounts are accessible online to the account holders. Articles 66 and 67 of PSD2 grant the customer of an Account Servicing PSP the right to use a Third Party Payment Provider (TPP) only if the payment account is “accessible online”. Many accounts for children are not accessible online. Perhaps PSD2 rules will prompt banks to ensure that they stay offline. In some cases, the child’s parent can view the account on their own Online Banking service, but they do not have a contractual right to be the payer on that account.

    Aside from the low levels of financial activity in these accounts, the service providers smoothly and automatically move this youthful population through the stages of the lifecycle. The Youth Banking segment sets a pattern that attracts the attention of Competition Authorities because of concerns about “adverse effects on competition”. Bank accounts for children are like accounts for adults in that they have no contract end date. Competition Authorities can view this as a “lack of trigger points”, meaning that customers are never required to periodically consider whether their payment account is the best one for them.

    It is commonplace in this market segment for Account Servicing PSPs to “auto-convert” the account service to the next payment account at the next stage of the lifecycle. This means that a child can open an account aged 9 with features and benefits aimed at 7-14 year olds. They do not close this account when they become ineligible by age to use the features and benefits of the 7-14 account. The Account Servicing PSP will typically and automatically auto-convert this service into the 15-18 account when that birthday occurs; the same auto-convert process triggers a change to perhaps a “Student” account at age 19.

    This “auto-convert” process can be seen as making the customer very passive in their engagement with the provider. One of the remedies to this lack of “trigger points” being considered by Competition Authorities is a “prompt” to customers to review their payment account provider at times when they may have a higher propensity to shop around. There will be much discussion on the potential effectiveness and timing of prompts to customers; the content of these messages; their source; and the medium of their delivery. The suitable times for these “prompts” being considered by Competition Authorities include an IT breakdown, a major dispute between a provider and a customer, a material change in the account’s terms and conditions, a branch closure or the expiry of a free banking period. Interestingly, Competition Authorities have also cited a customer’s transition from a young person’s or student account to an adult account as a good time to prompt some shopping around.

    Banks may face a Conduct Risk dilemma on auto-converting Under 18 accounts to fully featured payment accounts following the implementation of the EU Payment Accounts Directive.  Will banks still be able to auto-convert to a fully featured and full fees Payment Account at a certain age and ignore the potential suitability of the new “Payment Account with basic features” being implemented under the Payment Accounts Directive?

    In crude conclusion, PSD2 and Open Banking may not have much impact on the Under 18/Youth market segment. Many of the strongest Youth brands are not financial in nature. Younger customers may like Apple, Google and Facebook, but their youthful financial lives are effectively managed by their parents. Banks conveniently and automatically transition youthful customers through the life stages to fully fledged Payment Accounts, leaving few triggers to prompt the adoption of a non-bank alternative. Accounts for younger people can be savings accounts rather than payment accounts, moving them outside PSD2 and Open Banking. Even if they are payment accounts, they may not be accessible online, which also places them outside PSD2 scope.

    The PSD2 APIs seem far more likely to be a source of value for new competitors when consumer incomes become strong and their expenditure becomes complex. Highly active payment accounts for mature adults could show significant and diverse sources of income, which indicate a demand for savings, investments, mortgages and home improvements. The same accounts will show significant and diverse expenditure on homes, travel, cars, utilities, insurance and household expenses. The slim pickings of data from the Youth market would suggest that traditional banks will retain a very strong position in this segment. However, the long-term endowment value of this Youth market position for traditional banks could have been sharply reduced by PSD2. An Account Servicing PSP could now spend 20 years servicing a low-value Payment Account from age 10, only to find a new competitor accessing data through PSD2 APIs and scooping a valuable pot of high-value transactions at age 30.

    Paul Rohan (https://www.linkedin.com/in/paulrohan), the author of this post, is also author of “PSD2 in Plain English”.
