Challenges and solutions related to Digital Transformation Training & workshop


1 Challenges and solutions related to Digital Transformation Training & workshop

2 Agenda
09:00-09:30 Registration, coffee
09:30-11:00 Trends in digitalization; Regulatory challenges (PSD2 & other); Business opportunities; Q&A
11:00-11:20 Coffee break
11:20-12:50 IT solutions for PSD2 and digital transformation
12:50-13:00 Final remarks
Lunch

3 Changes

4 Disruptive technologies Changing customer behaviour FinTechs New competitors PSD 2 regulations initiating changes INSTANT PAYMENT

5 Business challenges

6 FinTech services
- Account Information Services (a.k.a. PFM)
- Payment Initiation Services
- Money transfer
- Social Lending
- Crowdfunding
- Private banking
- Other (blockchain, insurance etc.)

7 Why are FinTechs successful?
- Concentrating on particular services
- Exclusive use of electronic channels (Internet)
- Simple, highly ergonomic user interfaces
- Operating processes are automated, optimized for the given service
- They work with low costs (no branch network, minimal human work required)

8 Why are BigTechs successful?
- Single account
- Openness
- User experience

9 xtechs disrupting net income

10 xtechs disrupting client relations
(diagram labels: Client relations, Shop front-end, FINTECHs, BIGTECHs, INTEGRATION LAYER, BANK 1, BANK 2, BANK 3, each bank with FRONT-END and BACK-OFFICE)

11 The fintech market in 2015

12 The FinTech market today

13 Growth of the Fintechs today Source: FinTech Global, 2018 (

14 Fintech adoption rate Source: EY, FinTech Adoption Index 2017

15 The rise of the influence of FinTechs

16 The attitude of banks towards FinTechs Source: EBA risk assessment questionnaire 2017

17 How banks react to FinTech challenge Digital transformation Digital disruption BANK

18 Banks adopting FinTech innovation

19 Strategies for adapting FinTech innovation
1. Partnering with new entrant FinTech firms
2. Investing in new entrant FinTech firms
3. Collaborating with other stakeholders
4. Developing FinTech solutions internally
Source: EBA report on the impact of fintech on incumbent credit institutions' business models, 2018

20 Top EU Banks investing in FinTechs Source: CB Insights, 2018

21 OK, but what about Bosnia and Herzegovina?
- Montenegro's population (2013):
- Mobile telephone penetration (2017): 90%
- Population above 20 (2018):
- Market share of Android (2018): 84,8%
- No. of clients potentially disrupted:

22 From first crack to shipwreck
- NOKIA has the biggest share on mobile phone market.
- NOKIA is still the biggest (43%), but the first crack appeared.
- NOKIA's share dropped below 20% & leading position lost.
- NOKIA's share under 5% & the branch is sold to Microsoft

23 Time is required to change: The typical IT of banks

24 Regulatory challenges

25 Instead of building walls..

26 Regulators accelerate changes

27 The PSD2 challenge

28 and it is only the beginning

29 The FinTech Action Plan
- PSD2 & GDPR Compliant API
- Regulatory sandbox & innovation hub
- Supporting the uptake of technological innovation
- Removing obstacles to cloud services
- EU FinTech Lab

30 The FinTech Action Plan
PSD2 & GDPR Compliant API: The Commission encourages and will support joint efforts by market players to develop, by mid-2019, standardised application programming interfaces that are compliant with the Payment Services Directive and the General Data Protection Regulation as a basis for a European open banking eco-system covering payment and other accounts.
Regulatory sandbox & innovation hub: The Commission invites competent authorities at Member State and EU level to take initiatives to facilitate innovation on the basis of these best practices and invites the ESAs to facilitate supervisory cooperation, including coordination and dissemination of information regarding the innovative technologies, establishment and operation of innovation hubs and regulatory sandboxes, and consistency of supervisory practices.

31 The FinTech Action Plan
Supporting the uptake of technological innovation: The Commission will set up an expert group to assess by Q whether there are unjustified regulatory obstacles to financial innovation in the financial services regulatory framework.
Removing obstacles to cloud services: In this context, the Commission shall encourage and facilitate the development of standard contractual clauses for cloud outsourcing by financial institutions, building on the cross-sectorial cloud stakeholder efforts already facilitated by the Commission, and ensuring financial sector involvement to this process. This work should be undertaken by a balanced mix of companies from the financial sector and cloud service providers, and should address in particular audit requirements, reporting requirements or the determination of materiality of the activities to be outsourced.
EU FinTech Lab: The Commission will host an EU FinTech Lab where European and national authorities will be invited to engage with technology solution providers in a neutral, non-commercial space during targeted sessions on specific innovations starting in Q

32 Strategic options for banks
- PASSIVE
- REACTIVE
- PROACTIVE
Source: Seizing the Opportunities Unlocked by the EU's Revised Payment Services Directive, Accenture, 2016

33 Our vision: Digital banking

34 Great things are not done by impulse, but by a series of small things brought together. Vincent Van Gogh

35 What should the strategy of innovation be?
- Getting compliant with regulation
- Finding opportunities beyond

36 GETTING COMPLIANT WITH PSD2

37 The game of PSD2 Article 66 Article 65 Article 67

38 Improving market integration
- Extending regulation scope
- Restricting the opportunities for exclusions
- Regulating passporting and authorization rules

39 Enhancing competition
- New entrants: AISPs, PISPs
- Open APIs for all payment services
- Non-discriminative service for TPPs

40 Ensuring security
- Requirements for TPPs
- Strong Customer Authentication
- Fraud management framework

41 Customer protection
- Information prior to contracting
- Unconditional refund
- Obligation to respond to complaints

42 The status of regulating PSD2 Source: EBA's homepage (

43 The RTS SCA

44 Services available through APIs
- Availability of funds (Article 65)
- Payment initiation (Article 66)
- Account information (Article 67)
(diagram labels: PSD2, SCTInst, PSU, TPP, Bank, Payer's ASPSP, Payee's ASPSP)

45 Requirements for PSD2 APIs
- Establish interfaces and ensure secure communication
- Provide access to core PSD2 services
- Identify TPPs, check TPP's authorization and permissions
- Use SCA & manage exemptions from SCA
- Monitor transactions and prepare monitoring reports
- Have fallback mechanism
- Provide full testing facility (developer portal, sandbox)

46 API technical INITIATIVES

47 Expected PSD2 API landscape in Europe

48 and the schemes we should compete with

49 GOING BEYOND PSD2 - DIGITAL TRANSFORMATION

50 Business services built on the top of PSD2

51 New business models Digital Disruption Finance - 5% -10% -9% -7% -9% Pay with credit! 7/24 loans Instant payment Deposit opening

52 Show me the money!

53 New business models
- Card scheme (~2%): Merchant, Processor, Issuer, Acquirer
- PSD2 scheme (~0,4%): Merchant, FinTechs, Banks

55 IT SOLUTIONS FOR PSD2 AND BEYOND

56 Overview of abbreviations
- ASPSP: Account Servicing Payment Service Provider; Bank, can act as any type of TPP
- TPP: Third party provider; External service user of a Bank (Provider)
- AISP: Account Information Service Provider; Type of TPP, introduced by PSD2
- PISP: Payment Initiation Service Provider; Type of TPP, introduced by PSD2
- CBPII: Card-based Payment Instrument Issuer; Type of TPP, introduced by PSD2
- PSU: Payment Service User; The end user of the services, the client of the bank

57 Seems to be a simple IT issue Availability of funds (Article 65) Payment initiation (Article 66) Core Banking System Account information (Article 67) PSU TPP ASPSP

58 PSD2 services in detail
Availability of funds (Article 65)
- Confirmation of fund request
Payment initiation (Article 66)
- Initiation of single payment
- Initiation of future dated single payment
- Initiation of multiple / bulk payment
- Initiation of recurring payment
Account information (Article 67)
- Establish account information consent
- Get list of accessible accounts
- Get account details
- Get balances of the given account
- Get transaction information of the given account
(diagram labels: PSU, TPP, Bank)

59 IT components of PSD2 E-channels Mobile banking Transaction monitoring Identity & Access Management TPP certificates Internet banking Live APIs API Gateway PSD2 Business logic ESB Core banking system (s) API Manager Sandbox Developer portal Data warehouse Regulatory reporting ASPSP

60 Technical standards: where and how can they help?
(diagram labels: E-channels, Mobile banking, Internet banking, Transaction monitoring, Identity & Access Management, TPP certificates, Live, Sandbox, APIs, API Gateway, API Manager, Developer portal, PSD2 Business logic, ESB, Core banking system (s), Data warehouse, Regulatory reporting, ASPSP)
Technical API standards
- Define the interface between TPPs and ASPSP
- Define core PSD2 services: payment initiation, account information, confirmation of funds
- Enable extended services and variants of the XS2A interface
The technical standard DOES NOT define ALL necessary components of PSD2!!!

61 Traditional Front Solutions

62 Intelligent front solutions

63 Our solution

64 External interfaces Internal interfaces Concept of DigiTie Customer e-channels Mobile bank TPP Internet bank Service provider e-channels Account management Loan management Deposit management PSD2 Instant Payment Additional services ASPSP Sales front Product development Fees and commissions Core banking system ASPSP

65 RESTful, OAuth, OpenID Open Banking, NextGen PSD2, STET Existing or new interfaces Our solution for PSD2 Availability of funds (Article 65) PSD2 Payment initiation (Article 66) Mobile App Customer Core TPP rights Document management TPP APIs SCA Reporting Account information (Article 67) SMS interface Core system interface Exemptions management Order management Account management Limit management Workflow System administration Fraud Core Banking System PSU TPP ASPSP ASPSP

66 How does it fit to the PSD2 architecture E-channels Mobile banking Transaction monitoring Identity & Access Management TPP certificates Internet banking Live APIs API Gateway PSD2 Business logic ESB Core banking system (s) API Manager Sandbox Developer portal Data warehouse Regulatory reporting

67 How does it fit to the PSD2 architecture E-channels Mobile banking Transaction monitoring Identity & Access Management TPP certificates Internet banking Live APIs API Gateway ESB Core banking system (s) API Manager Sandbox Developer portal Data warehouse Regulatory reporting

68 Providing full scale solution with partners Transaction monitoring Identity & Access Management TPP certificates Live APIs API Gateway ESB Core banking system (s) API Manager Sandbox Developer portal Data warehouse Regulatory reporting

69 Operation models On-site Cloud based

70 EBA Opinion on API requirements
- Enable TPPs to access data
- Conform to (widely used) standards
- Enable transport of sensitive data through safe and efficient channels
- Allow payment transaction authorisation and consent via a PISP
- Enable TPP identification, use eIDAS certifications
- 90-day reauthentication of AISPs
- Count access requests during a given period
- Change control process
- Allow cancelling of initiated transaction
- Error messages that are informative
- Support access of TPP via technology service providers
- Allow use of authentication methods of the bank
- Give same information as available on other channels
- Instant response to availability of funds requests
- Dynamic linking to a specific amount and payee
- Allow to use same SCA exceptions as on other channels
- Enable the use of SCA based on two different elements
- Secure data exchange, mitigate misdirection risk
- Security at transport and application levels
- Fraud risk mitigation, auditable exchanges, monitoring
- Traceability
- Same availability and performance as user interface

71 Treat TPPs as equals
- Enable TPPs to access data
- Allow payment transaction authorisation and consent via a PISP
- Allow cancelling of initiated transaction
- Give same information as available on other channels
- Same availability and performance as user interface
- Instant response to availability of funds requests

72 Treat TPPs as equals
Full scale PSD2 services
- Payment initiation of different types: instant, international, recurring, future-dated, national scheme
- Granulated AISP account access: we can tailor it to make available all the data available through other user channels
Own database of funds
- Lightning fast reply to queries
High availability
- DigiTie was created for 7/24 service
- Constant service, no downtime for version change

73 Secure and seamless access
- Conform to (widely used) standards
- Error messages that are informative
- Enable transport of sensitive data through safe and efficient channels
- Enable TPP identification, use eIDAS certifications
- Support access of TPP via technology service providers
- Secure data exchange, mitigate misdirection risk
- Security at transport and application levels

74 Secure and seamless access
Security by design
- DigiTie was created for banks, security is elementary
- Accessible through secure channels based on standards
- eIDAS certificates
- TLS 1.2 communication security
- Check of TPP certification on every connection
Easy access
- Data and API structure is based on widely used standards
- API process is based on standards
- Non-restrictive on access type, technology providers welcome; DigiTie can serve as such

75 SCA and exemptions
- 90-day reauthentication of AISPs
- Count access requests during a given period
- Allow use of authentication methods of the bank
- Dynamic linking to a specific amount and payee
- Allow to use same SCA exceptions as on other channels
- Enable the use of SCA based on two different elements

76 Strong Customer Authentication
Based on 2 different elements from the following categories: knowledge, possession, inherence
Implemented SCA solutions
- Static password (1st element) and dynamic password via SMS (2nd element)
- Static password (1st element) and authentication via mobile app (2nd element)
- Fingerprint (1st element) and authentication via mobile app (2nd element)
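
The two-category rule on this slide and the "dynamic linking to a specific amount and payee" requirement from the previous slide, as an added Python example (not from the slides and not DigiTie code). The element names, the HMAC construction, the transaction id field and all sample values are assumptions of this example.

```python
import hashlib
import hmac

# Category assigned to each element the slide names; treating the SMS code and
# the mobile app as "possession" is an assumption of this example.
CATEGORY = {
    "static_password": "knowledge",
    "sms_otp": "possession",
    "mobile_app": "possession",
    "fingerprint": "inherence",
}


def is_strong(elements):
    """True when the elements span at least two different categories."""
    unknown = [e for e in elements if e not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown authentication element: {unknown}")
    return len({CATEGORY[e] for e in elements}) >= 2


def _canonical(txn_id, amount_minor, currency, payee_iban):
    # Integer minor units and a normalised IBAN, so both sides sign the same bytes.
    if not isinstance(amount_minor, int) or amount_minor <= 0:
        raise ValueError("amount must be a positive integer in minor units")
    iban = payee_iban.replace(" ", "").upper()
    return "|".join([txn_id, str(amount_minor), currency.upper(), iban]).encode()


def auth_code(key, txn_id, amount_minor, currency, payee_iban):
    """Authentication code bound to one transaction, amount and payee."""
    msg = _canonical(txn_id, amount_minor, currency, payee_iban)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, code, txn_id, amount_minor, currency, payee_iban):
    """Recompute over the payment about to be executed; constant-time compare."""
    expected = auth_code(key, txn_id, amount_minor, currency, payee_iban)
    return hmac.compare_digest(expected, code)


# Constructed sample values, not taken from the slides.
KEY = b"per-device-secret-provisioned-at-enrolment"
PAYEE = "DE89 3704 0044 0532 0130 00"
CODE = auth_code(KEY, "txn-001", 12500, "EUR", PAYEE)
```

Two elements from the same category (SMS code plus mobile app) do not pass `is_strong`, and a code issued for one amount and payee fails `verify` when either is changed before execution.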

77 Embedded SCA

78 SCA with Redirection

79 SCA exemptions
- Payment account information (Article 10)
- Contactless payments at point of sale (Article 11)
- Unattended terminals for transport fares and parking fees (Article 12)
- Trusted beneficiaries (Article 13)
- Recurring transactions (Article 14)
- Credit transfers between accounts held by the same person (Article 15)
- Low-value transactions (Article 16)

80 SCA and exemptions
Full support of SCA
- Integrated solutions for PSD2 or any other e-channel
- Classic static password and SMS
- Modern mobile application capable to deliver digital signature feature
- Use existing SCA solution of banks
SCA exemptions
- Support creation of seamless AISP solutions
- 90 day reauthentication
- User-less access
- Capable to provide all exemptions
- Exemptions are managed by the banks
- Transaction risk analysis as a basis for exemption

81 Other requirements
- Change control process
- Fraud risk mitigation, auditable exchanges, monitoring
- Traceability

82 Other requirements
- API versioning
- Full API documentation
- Change process for 3 month pre-publication of APIs
Fraud risk mitigation, auditable exchanges, monitoring
- Transaction risk monitoring, 3 level scoring
- Full logging of message exchanges
- API activity monitoring
Traceability
- All activity through APIs can be traced from source to end

91 Limits (Risk mitigation)
Cumulative Electronic Channel Daily Limit
- Daily limit for transactions on electronic channels per account
Daily Payments Service Provider Limit
- Daily limit for transactions on electronic channels per account per payment service providers

92 TPP registration / validation
- Registration: Centrally and on EU level
- We expect API connection to local register
- TPP data is registered in DigiTie as well
- TPP certificate is validated on every contact
- TPP related consents are managed by clients

93 Consent model
What is a consent?
- Consent is given by a PSU to a certain scope to a certain TPP
- A PSU may have more scopes consented for a single TPP
Types of consents in PSD2
- AISP consent for account information access
- PISP/CBPII consent for availability of funds access
How is a consent given?
- The process of consent authorization is the same as that of a payment initiation
How is a consent revoked?
- At any given time a PSU may revoke any existing consents
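
The consent rules on this slide, combined with the 90-day AISP reauthentication listed under SCA exemptions, as an added Python example (not from the slides and not DigiTie code). The class, method and scope names are hypothetical and the in-memory store stands in for the ASPSP's consent database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical scope labels for the two consent types on the slide.
AISP_SCOPE = "account-information"
FUNDS_SCOPE = "availability-of-funds"
REAUTH_WINDOW = timedelta(days=90)  # 90-day reauthentication of AISPs


@dataclass
class Consent:
    psu_id: str
    tpp_id: str
    scope: str
    last_sca: datetime   # when the PSU last authorised with SCA
    revoked: bool = False


class ConsentRegistry:
    """One consent per (PSU, TPP, scope); anything not granted is denied."""

    def __init__(self):
        self._consents = {}

    def grant(self, psu_id, tpp_id, scope, now):
        # Consent is authorised like a payment, so the grant is an SCA event.
        consent = Consent(psu_id, tpp_id, scope, last_sca=now)
        self._consents[(psu_id, tpp_id, scope)] = consent
        return consent

    def reauthenticate(self, psu_id, tpp_id, scope, now):
        self._consents[(psu_id, tpp_id, scope)].last_sca = now

    def revoke(self, psu_id, tpp_id, scope):
        consent = self._consents.get((psu_id, tpp_id, scope))
        if consent is not None:
            consent.revoked = True

    def check(self, psu_id, tpp_id, scope, now):
        """Return (allowed, reason) for one TPP request."""
        consent = self._consents.get((psu_id, tpp_id, scope))
        if consent is None:
            return False, "no consent for this TPP and scope"
        if consent.revoked:
            return False, "consent revoked by PSU"
        if scope == AISP_SCOPE and now - consent.last_sca > REAUTH_WINDOW:
            return False, "SCA older than 90 days, reauthentication required"
        return True, "ok"
```

Because the key includes both TPP and scope, a consent granted to one TPP for account information never authorises another TPP or a funds check for the same PSU.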

94 Additional functionality on the internet/mobile bank
DigiTie provides services integrable into internet banking software:
- Mobile app management
- Limit management
- Consent management
- Whitelist (trusted beneficiaries) management
- Password management

95 Benefits of DigiTie PSD2 One platform for many services 24/7 available Core banking facilities Extensible SaaS option

96 Online Business Technologies Founded in 1989 Specialised in banking technology 130 professionals Solutions used in 1000 branches by 8000 users Serving 3 M banking clients Quality assurance ISO 9001 ISO NATO supplier AQAP 2110 AQAP 2210

97 Our flagships

98 References
- Savings co-operatives
- Student Loan Centre
- Prime Minister's Office

99 Our strength

100 Thank You for Your attention!