
Payment Services Directive 2 (PSD2) Access to Accounts (XS2A)
A Bryan Cave, Polymath Consulting Webinar
May 11, 2016
Judith Rinearson, Bryan Cave, New York and London
Jane Jee, Bryan Cave, London
With David Parker, Polymath, London
Brendan Jones, Polymath, London

Agenda
1. Introduction
2. Legal Background: PSD2 and Access to Accounts (XS2A)
3. Prerequisites for XS2A:
   1. Governance
   2. Regulatory Technical Standards (RTS)
   3. APIs
      • UK Open Banking Standard
4. The Implications of XS2A
5. Strategies for XS2A
6. Summary

Welcome from Polymath and Bryan Cave
• Genesis of Webinar
• Goals for today
• CLE and CPD Credit
• Questions – submit via email
  – davidparker@polymathconsulting.com
  – judith.rinearson@bryancave.com
  – brendanjones@polymathconsulting.com
  – jane.jee@bryancave.com

Background – Original PSD
• Original Payment Service Directive 2007/64/EC adopted December 2007
• Focus on processors and other third parties who handle other people’s money.
• Requires licensing, standards, security, consumer protection
• Since its adoption:
  – The retail payments market has experienced significant technical innovation
  – Rapid growth in the number of electronic and mobile payments
  – Emergence of new types of payment services in the market place
  – Little evidence of hoped for drop in charges to Service Users (customers)
• The European Parliament believes there is a large positive potential which needs to be more consistently explored by additional regulation - hence PSD2

Background – EU Regulatory Framework
• European legal framework
  – There are three sources of European Union law: primary law, secondary law and supplementary law.
  – The main sources of primary law are the Treaties establishing the European Union.
• The Directive forms part of the EU’s secondary law. It is therefore adopted by the EU institutions in accordance with the founding Treaties. Once adopted at the EU level, it is then transposed by EU countries into their internal law for application.
• The Directive is one of the legal instruments available to the European institutions for implementing European Union policies.
• It is a flexible instrument mainly used as a means to harmonise national laws. It requires EU countries to achieve a certain result but leaves them free to choose how to do so.
  – See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14527

Introduction to the Payment Services Directive 2 (PSD2)

PSD2 – Aims & Objectives
• Replaces PSD
• Continue to harmonise the European payments landscape from a regulatory perspective
• To establish safer and more innovative payment services across the EU
• Contribute to a more integrated and efficient European payments market
• Improve the level playing field for payment service providers (including new players)
• Make payments safer and more secure
• Protect consumers
• Encourage lower prices for payments

PSD2 in context
PSD2 itself is not the only “kid on the block”
  – Payment Accounts Directive (effective August 2016)
  – Interchange Fees Regulation (IFR) effective Dec 2015 (caps) June 2016 (business rules)
  – Cross Border Payments Regulation
  – Funds Transfer Regulation
  – SEPA End Date Regulation
  – SEPA Instant Payments Regulation
  – Consumer Rights Directive
  – General Data Protection Regulation
  – 4th AML Directive
  – E-identity and Trust Services Regulation (eIDAS Regulation)
  – E-money Directive (potential third E-Money Directive)

PSD2 – Aims & Objectives [JJ with attribution]
Diagram areas around PSD2: Transparency of Payments & Charges; Liability for Payments; Customer Authentication; Access to Accounts; Regulation
Items shown:
• Enhanced Consumer Rights
• “No questions asked” Refund Right for Direct Debits
• Allocation of Liability Between Payment Parties
• Unauthorised / Incorrectly Executed Transactions
• Disclosure of Payment Info
• Data Protection by Design/Default
• Central Register of Companies Providing Payment Services
• Transparent Charging Principles
• Framework Contracts & Single Payments
• Full Disclosure of Charges
• Prohibition of Surcharging
• Objective, Non-Discriminatory/Proportionate
• PISP, AISP & ASPSP
• ECB to Draft Regulatory Technical Standards (API)
• Common/secure open standards
• ID/auth, notification and information
• Introduction of strict security requirements for initiation & processing of payments
• Strong Customer Authentication procedure
• Greater regulatory oversight
• Better co-operation between Competent Authorities
• Stringent reporting requirements
• Dynamic linking
• Use of Multi-Factor Authentication
• Protect the Confidentiality and Integrity of Personalised Security Credentials

Access to Accounts (XS2A)

Access to accounts – care needed
PSD2 covers several types of access
• 1. Access to Payment Systems (Article 35)
• 2. Access to Bank Accounts for Payment Institutions (Article 36)
• 3. Access for regulated entities to accounts held by Payment Service Users (PSUs) with permission and suitable security = XS2A (Articles 66 – 67)
The primary focus of this webinar is on #3 -- Access for regulated entities to data in accounts held by banks and other account holders

Access to Payment Systems (Article 35 of PSD2)
• Member States shall ensure that the rules on access of authorised or registered payment service providers that are legal persons to payment systems are objective, non-discriminatory and proportionate and that they do not inhibit access more than is necessary to safeguard against specific risks such as settlement risk, operational risk and business risk and to protect the financial and operational stability of the payment system.
• Payment systems shall not impose on payment service providers, on payment service users or on other payment systems any of the following requirements:
  – (a) restrictive rule on effective participation in other payment systems;
  – (b) rule which discriminates between authorised payment service providers or between registered payment service providers in relation to the rights, obligations and entitlements of participants;
  – (c) restriction on the basis of institutional status

Payment Systems in the UK
Under section 41 of the Financial Services (Banking Reform) Act 2013, a payment system is defined as “a system operated by one or more persons in the course of business for the purpose of enabling persons to make transfers of funds”
• UK has the relatively new Payment Systems Regulator who has a role
  – to ensure that payment systems are operated and developed in a way that considers and promotes the interests of all the businesses and consumers that use them
  – to promote effective competition in the markets for payment systems and services - between operators, PSPs and infrastructure providers
  – to promote the development of and innovation in payment systems, in particular the infrastructure used to operate those systems

Access to payment account services
• Access to Accounts (Article 36 of PSD2)
• Member States shall ensure that payment institutions have access to credit institutions’ payment accounts services on an objective, non-discriminatory and proportionate basis. Such access shall be sufficiently extensive as to allow payment institutions to provide payment services in an unhindered and efficient manner.
• The credit institution shall provide the competent authority with duly motivated reasons for any rejection.

Access to Account Information (XS2A)
Article 66 -- “Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I. The right to make use of a payment initiation service provider shall not apply where the payment account is not accessible online.”
Article 67 -- “Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.”
Explicit Consent Required

Reasons for XS2A
• Industry complaints
• Lack of harmonisation
• Need for innovation
• Market developments have given rise to significant challenges
• Resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas
• Proven difficult for payment service providers to launch innovative, safe and easy-to-use digital payment services
• New rules required to open up access to payment account information to 3rd parties

Aim of XS2A
• To facilitate innovation and development within the payments industry
• To open up the payments industry to new participants that offer products and services that utilise customer data to deliver better outcomes
• Providing a mechanism whereby customers can share their data with third party service providers
• By providing XS2A to customer data, new innovative products and services can be offered

Third Party Payment Providers
Two new types of third party payment providers
1. PISP – Payment Initiation Services Provider
• PISPs allow consumers to, for instance, make online payments without the need for a credit card by establishing a “link between the payer and the online merchant via the payer’s online banking module”, e.g. SOFORT in Germany, iDEAL in the Netherlands and Trustly in Sweden.
• PISPs do not require the consumer to open an account directly with them. Instead, they gather information on the consumer’s existing bank accounts and present that information in an integrated manner.
• However, in doing so PISPs gain possession of a significant amount of sensitive information, for instance by providing a gateway from which consumers log in to their bank accounts using their unique identifiers and credentials. As a result, these entities drew more attention from legislators and regulators. After all, the sensitive information they possess and process poses a significant risk for abuse in money laundering schemes, terrorist financing, or other illicit activities.

Third Party Payment Providers
2. AISP - Account Information Services Provider
• Tailored authorisation application process
• No capital requirements (as no funds held)
• Some COB rules apply – prior information, specific obligations, liability and security measures
PISPs and AISPs
  – have to be regulated as a Payment Institution
  – in their Host Member State - including for access and passporting
  – Required to hold either professional indemnity insurance or a comparable guarantee
  – Secure
  – Access fully under the Payment Service User’s control

Current Status
• PSD2 has been published in the Official Journal of the EU and entered into force on 12 January 2016. Member States must transpose PSD2 into national law by 13 January 2018
• PSD2 Requires Establishment of Certain New Regulatory Technical Standards (RTS):
  – Secure Authentication
  – Secure Communications (XS2A)
  – Other RTS to be published
• In addition to the RTS, in practice XS2A will also mean the establishment of online interfaces (such as APIs) that will link the regulated entities’ systems to the banks/account holders’ systems.
• The XS2A provisions will NOT be implemented until after the RTS and any approved APIs have been established.
• The RTS will apply 18 months after adoption of the standards by the European Commission

What is an API?
• APIs are not mentioned in PSD2 but are nevertheless top of mind as industry grapples with implementation
• APIs (Application Programming Interfaces) are standards that allow software components to interact and exchange data, particularly over the web.
• Put most simply, an API is a set of instructions that allows one piece of software to interact with another.
• As banks and other account holders consider how to implement the XS2A provisions, many believe standardized secure APIs will be a likely solution.

APIs in the UK: Open Banking Standard
UK Open Banking Standard: To facilitate data sharing in UK banking
Open Banking Standard: A set of specifications and rules addressing the data, technical and security aspects to data sharing in an open API environment, supported by a Governance Model.
• Data Standard: Rules by which Data described and recorded
• API Standard: Specifications that inform the design, development and maintenance of an open API
• Security Standard: Security aspects of the API specification
• Governance Model: Governance required to operationalise the Open Banking Standard
Source: © Celent

PSD timelines v Open Banking Framework*
With Thanks to Digital Baobab

The Implications of XS2A

Implications of XS2A
• It is an environment in which participants can share customer data, when explicit consent has been granted, with each other in a secure, automated fashion
• XS2A is a technology disruptor for all incumbent financial service providers
• XS2A will drive disruption (innovation) in payments
• PSD2 does not specify how to implement and manage XS2A

XS2A Questions
• PSD2 asks more questions than answers
• Major Question: At what level will the European Banking Authority (EBA) define the API(s)
  – Management of the specifications
  – Should the EBA recommend the use of industry APIs or define APIs that are specific to PSD2 / XS2A
• In addition to the technical interfaces and services there are still many areas requiring clarification

Implications of XS2A -- Credit & Payment Institutions

Implications of XS2A – Credit & Payment Institutions
Challenges
• Additional regulation centered around:
  - Liability for payments
  - Transparency of Payments & Charges
  - Greater Regulatory Oversight
  - Strong Customer Authentication
  - Access to Accounts
Opportunities
• Development and support of new emerging electronic payment methods, thereby providing greater customer choice
• Develop data aggregation services
• Launch new products & services based on a full understanding of the customer financial profile (i.e. XS2A)
• Through collaboration with partners, offer new financial products & services
• Through the use of APIs, automate and streamline credit loan applications etc.

Implications of XS2A – PSPs
Challenges
• Additional regulation centered around:
  - Liability for payments
  - Transparency of Payments & Charges
  - Greater Regulatory Oversight
  - Strong Customer Authentication
Opportunities
• Development and support of new emerging electronic payment methods, thereby providing greater customer choice
• Develop direct debit payment services directly connected to customer bank account

Implications of XS2A – Programme Managers
Challenges
• PSD2 Access to Accounts for accounts managed by Programme Manager
Opportunities
• Access to cardholder account information from Account Providers, with the customer’s consent, to deliver new innovative services (financial & non financial)
• Provision of account aggregation services
• Provision of innovative new services, either directly or through collaboration, that utilise cardholder account information

Implications of XS2A – Schemes
Challenges / Opportunities
• New Scheme card based payment methods (i.e. payment initiation services) that consolidate customers’ cards onto one payment vehicle
• New non-card based payment methods (i.e. payment initiation services)
• Access to all cardholder data giving a rich view of cardholder purchasing characteristics and preferences

Implications of XS2A – Emerging Payments
Challenges
• May be required, dependent on business model, to be Regulated under PSD2.
Opportunities
• Development of new innovative payment methods to compete with existing payment vehicles.
• New products and services that utilize cardholder account information.
• Collaboration with incumbent financial services providers to deliver value added services, over and above basic account offering.
• Launch new products & services based on a full understanding of the customer financial profile via XS2A.

Strategies for XS2A

Strategies for XS2A
• TPPs and other players (e.g. acquirers, processors, PSPs and innovative banks) are looking to take advantage of XS2A
• Incumbent providers should recognise that these organisations are focused on capturing revenues
• Organisations should be rethinking their strategy and deciding what they want to be
• What is your stance regarding XS2A?

Strategies for XS2A
[Diagram. Labels, Data Aggregation Model: Customer, AISP, Customer Bank A (Current Account), Customer Bank B (Savings Account), Customer Bank C (Investments), Customer Bank D (Mortgage), Direct Account Access, Third Party Access. Labels, Payment Initiation Service Provider: iDeal (PISP), Customer, Customer Bank, Inter Bank Payment Network, Merchant’s Bank, Merchant]

Strategies for XS2A
[Diagram: Delivering Financial Services & Relevant Content. Labels: Customer, AISP, Customer Bank A (Current Account), Customer Bank B (Savings Account), Customer Bank C (Investments), Customer Bank D (Mortgage), Insurance, Loans, Foreign Exchange Services, Direct Provision, Third Party Provision]

Strategies for XS2A
[Diagram. Labels: Customers, Prop Apps, 3rd Party Apps, Internal API, Public API, Bank Data, Bank Domain. Source: ©]

Challengers
PISP
AISP

Summary

Summary
• PSD2 published in the Official Journal of the EU and entered into force on 12 January 2016
• PSD2 will be effective as of January 2018
• BUT the XS2A provisions cannot be implemented until 18 months AFTER the RTS and API standards have been established -- not known how soon we will have the RTS/API standards. So XS2A will not be available any earlier than October 2018.
• PSD2 is forcing Account Service Providers to open up customer data to regulated entities - regulated under competent authorities of member states
  – Typically it can take up to one year to become a regulated entity
• XS2A only a stepping stone for UK market
• Organisations need to assess their position and decide what strategy they wish to pursue

Polymath Whitepaper
PSD2 & Open Banking – The Future of Payments
Download the Abridged Whitepaper at: www.polymathconsulting.com/whitepapers or https://www.bryancave.com/en/thought-leadership/index.html
Full White Paper available for £750 plus VAT
Please contact David Parker @ Polymath Consulting for invoicing.

Thank you!
Contacts --
• Judith Rinearson – Judith.rinearson@bryancave.com
• Jane Jee – Jane.jee@bryancave.com
• David Parker – davidparker@polymathconsulting.com
• Brendan Jones – brendanjones@polymathconsulting.com