Tagged: Impacts

  • user 1:23 pm on July 24, 2017
    Tags: Impacts, Scoping

    PSD2: Scoping out the impacts of the RTS 

    The regulatory technical standards for strong customer authentication (SCA) and secure communication (SC) are proving difficult to finalize. Circulated in draft in 2016 for consultation, the EBA published its final draft in February 2017, followed by amendments requested by the European Commission, subsequently rejected by the EBA in June 2017.

    The key sticking point is the use of screen scraping. Although PSD2 is -neutral, the EBA banned screen scraping in its final draft, whereas the EC wants to allow it (on a contingency basis).

    As it stands, agreement on the final text for the RTS between the EBA, EC and European Parliament may extend into August or September 2017, and with the RTS coming into effect 18 months later, Q1 2019 is now the earliest date they can apply.

    PSD2 itself comes into force on 13 January 2018, and while there has always been a well-flagged gap from this date to when the RTS for SCA/SC come into force, the confusion over finalizing the RTS has led some PSPs to question if PSD2 itself will be delayed.

    However, PSD2 is still slated to become law across the EU in January 2018, and PSPs have to be compliant with it by then. In the EC’s amendments to the draft RTS, their accompanying explanatory notes state that the RTS and security aspects of PSD2 articles 65 (confirmation of funds), 66 (access for payment initiation), and 67 (access for account information) are applicable from the same date as the RTS, which may have led some to believe the EC wants these key articles on account access to be delayed.

    However, the EBA’s rejection of the EC amendments notwithstanding, it is only the RTS and security aspects of these PSD2 articles that the EC wants to apply from 2019, not the whole of each article—the rest of the provisions in these articles would still be mandatory from 13 January 2018.

    In fact, the reality is that the final draft of the RTS is not law until the EC, EBA and EP (parliament) are in agreement, so as it stands now, all provisions in all PSD2 articles are applicable from January 2018.

    Banks and other PSPs therefore need to be PSD2-compliant from 13 January 2018, with the following implications:

    1. Effective January 2018, they need to allow TPPs (AISPs and PISPs) access to online accounts without any contractual agreements.
    2. The method of access is the bank’s decision—realistically, it can be either through open APIs or through allowing TPPs to screen scrape (up to the RTS implementation date, and beyond if screen scraping is allowed after that).
    3. The security, authentication, fraud monitoring and secure communication methods (covered in the RTS) are the bank/PSP’s choice, between January 2018 and the RTS date (in 2019).

    Banks/PSPs may have bilateral agreements with TPPs after January 2018, but they must also allow access to TPPs without a contract.

    Banks/PSPs therefore have two choices beginning January 2018:

    1. Do nothing, except allow screen scraping on their online accounts. If the final RTS text does eventually allow screen scraping from the RTS date, then they can choose to continue this method indefinitely.
    2. Implement an API management system and publish APIs. We encourage banks and PSPs to go this route if they are to be relevant and active in an API and Open Banking economy.

    If a bank is not ready with APIs by January 2018, it’s OK—provided they allow screen scraping. But they risk being excluded from TPP services that only use APIs, giving an advantage to competitors who do provide APIs.

    PSPs face further challenges:

    1. in developing automated mechanisms in their communities to validate authorized and regulated third parties who request access to their accounts;
    2. in authenticating customers and managing their consent, both with open APIs and with screen scraping (including long term solutions if screen scraping is allowed in the final RTS text); and
    3. in making TPPs accountable and liable for any breaches of consent or data access, or fraudulent payments that are the fault of the TPP.

    However, PSD2 compliance is independent of these challenges, which do not impact the need to be compliant in January 2018.

    To request a copy of our detailed report on the impact of PSD2 RTS, please contact Lakshmi Kv or Jeremy Light.

    The post PSD2: Scoping out the impacts of the RTS appeared first on Accenture Banking Blog.


     
  • user 1:47 pm on April 2, 2017
    Tags: effectively, Impacts

    How banks can deal effectively with the security & fraud impacts of PSD2 

    With the introduction of , a new era of secure payments has begun in the European Union. The new regulation is aimed at enhanced customer protection against , with stringent liability and accountability requirements and strong customer authentication features.

    PSD2 requires European and other payment service providers to allow customers’ accounts to be accessed via application programming interfaces (APIs). Their customers are able to initiate payments from their accounts directly from third-party apps and websites, and to share transaction and balance information with third parties.

    The directive provides measures to protect the confidentiality and integrity of personalized credentials. Banks will now be authorized to block third-party access to accounts if they detect unauthorized or fraudulent activity. At the same time, providers who fail to authenticate a transaction appropriately will now be held liable for any resulting breaches.

    So, what does all this mean for the incumbent players in the European financial services landscape?

    Accenture has identified key challenges that banks will need to deal with in the short term:

    • After PSD2, many customers may start relying on Third-Party Payment service providers (TPPs) for banking transactions, making it more difficult for banks to detect fraud.
    • By providing their APIs to TPPs, banks open up a significantly greater attack surface to potential cyber adversaries, and can no longer hide critical applications behind perimeter firewalls.

    With the new directive also come opportunities:

    • PSD2 encourages banks to embed security up front in the new systems and APIs, thus turning security into a business asset.
    • Creating systems with open APIs gives banks the opportunity to strengthen their fraud prevention capabilities—by blocking attacks high up the stack and protecting the intelligence located on lower layers.

    Accenture recommends five actions for banks to deal effectively with the challenges and opportunities of PSD2:

    1. Make API security an integral part of PSD2 implementations, and ensure that security controls for APIs are on par with those for digital banking.
    2. Adopt a user-driven authentication framework that doesn’t disclose user credentials to TPPs.
    3. Use biometric technologies for authentication, as that will not only address the PSD2 requirement for more accurate validation, but will also provide a better consumer experience.
    4. Assess customers’ location and behaviour against their usual patterns to gain a clearer view of the risks and the level of authentication required.
    5. Follow these principles while designing APIs:
        • Show respect for user privacy and design in consent management controls.
        • Embed privacy into design and use maximum privacy as the default setting.
        • Maintain transparency of operations of the IT systems.
        • Deny access to information that isn’t absolutely necessary, or that the user has not agreed to share.
        • Strive to detect and prevent privacy-invasive events before they happen.

    Read more about this in our latest report, PSD2 & Open Banking | Security and fraud impacts on banks: Are you ready?

     

    The post How banks can deal effectively with the security & fraud impacts of PSD2 appeared first on Accenture Banking Blog.


     
  • user 12:55 pm on June 27, 2016
    Tags: Impacts, Negative

    Fintech after Brexit: 3 Positive and 3 Negative Impacts 

    While the overall balance of on is clearly , this article takes a look at the positives too.
    FinTech – Finance Magnates | Financial and business news

     