Thaer Sabri reflected on the UK Open Banking initiative

Reflections on the UK Open Banking initiative

The UK Open Banking initiative is gathering pace, and is looking to deliver a first version of its read/write API specifications for testing in early July 2017. This is welcome, and is a significant milestone in creating a single set of APIs that UK banks can adopt to enable the delivery of payment initiation (“PIS”) as well as account information services (“AIS”) by authorised providers.

The benefits the initiative delivers are tempered, however, by the limited scope of the work: it addresses consumer and SME bank current accounts, is restricted to UK Sterling, and is subject to a number of limitations on the technical design work, driven by the January 2018 Competition and Markets Authority (“CMA”) deployment deadline. Notably, the solution only caters for single immediate payment transaction initiation, so a user is required to separately authorise each payment transaction with their PIS provider, and cannot for example authorise multiple transactions in a single step. This means that it continues to be easier to authorise a service provider to access funds through a credit or debit card than to initiate PIS payments. Secondly, the specifications require customer authentication to be undertaken directly with the ASPSP (bank, PI or EMI), and do not provide for authentication to be undertaken through the PIS provider.

This means that a separate parallel communication channel has to be created and the user redirected to their ASPSP before returning to the PIS platform to complete the transaction. This results in a poor customer experience, and one which restricts business models, limits the roles played by different parties in the value chain and can inhibit the deployment of innovative technical solutions.

The initiative does not cater for the AIS obligations relating to cards, to the needs of ‘decoupled’ card issuers (PSD2 Article 65) or to electronic money products.

The Open Banking Implementation Entity (IE) employs a steering group to advise the Trustee on decision making, but the group does not have decision-making power. The objectives of the IE were set by the UK CMA and are directed at the 9 banks that were the subject of its competition review. The banks are also required to fund the work of the IE as part of the CMA remedy.

This has created a limitation that the Open Banking initiative is struggling to overcome. This would be merely a shortcoming had this not been the only significant ongoing UK-based standardisation effort in this space. It is funded and run by the CMA 9 banks and required to deliver a CMA remedy, rather than a PSP-wide (bank, PI and EMI) solution that takes into account the needs of the wider constituency. It furthermore falls far short of the requirements of PSD2, and would not therefore deliver PSD2 compliance for participating PSPs.

In creating the IE, the CMA has galvanised the UK payments community to work together to create a common standard. In setting out the terms of the remedy and the deliverables it may have inadvertently laid the ground for the next wave of anti-competitive behaviour. This could not have been contemplated by the CMA, but now that the impact is clearer, I believe that an adjustment is necessary.

The design of the specification is being driven by the CMA 9 banks, and other parties have little or no influence on the direction, decision making or priorities of the initiative. This is formalised in the terms of reference of the IE steering group, which exclude a decision-making role for the body. Similarly, the Project Management Group and Technical Design Office, the two bodies with meaningful decision-making roles, have only CMA 9 representation and do not provide for non-CMA 9 payments industry participation. In the context of the delivery of a CMA remedy for the 9 banks, this is entirely reasonable; it is run by them, funded by them and is operated for their benefit.

In the context of delivering a meaningful Open Banking initiative however, a PSD2 compliant industry solution that can benefit all PSPs, FinTech providers and the wider payment user community, this is entirely inappropriate.

There needs to be a change; and the change needs to happen while the different parties remain engaged within the current process. Quite soon alternative standardisation initiatives, driven by EU institutions that aim to deliver a more inclusive outcome, will start to deliver draft PIS API specifications and the restrictions of Open Banking will be set in stark contrast.

I believe the CMA needs to urgently review the initiative and consider whether it delivers the outcomes it had intended in the new world of AIS and PIS services, and not just for competition in ‘current bank accounts’. This is a world driven by use cases and technologies that mostly reside with non-bank participants; it promises significant user benefits and enhanced competition, but only if the entire value chain is able to cooperate in its delivery.

In the immediate term, a binding commitment by Open Banking to broaden the scope of the work to include the interests of other payment industry participants is needed, accompanied by a change to corporate governance to give all participants a say in decision making. This is so, even if outcomes cannot be delivered until after January 2018.

Article written by Dr Thaer Sabri, CEO of the EMA, published on LinkedIn Pulse.





Slipped unnoticed, 4MLD record keeping obligations

4MLD record keeping obligations

The EMA spent a good deal of time negotiating the provisions of 4MLD, but concentrated most of its efforts on CDD provisions. It is again focusing on CDD in the amendments to 4MLD which are expected to be published on the 7th of June 2016. This is because CDD is customers’ gateway to new products and services; and unnecessary friction results in abandoned registrations.

It therefore came as a bit of a shock to discover a small change in the wording of the obligation to keep records of transactions in Article 40 of 4MLD (see below). The current obligation is to keep transaction records for a minimum of 5 years from the date of the transaction; this has now been amended to 5 years from the end of the business relationship. (Member states can of course exceed this requirement, but few do, and none beyond 10 years.)

This change may have also taken the rest of the financial services sector by surprise, at least in the UK.

In effect, the obligation would require a financial institution including banks to keep records of transactions from the beginning of a customer relationship for the entire duration of that relationship, perhaps for 60 years, and then for 5 additional years.

Apart from being disproportionate, it will have significant consequences in relation to data protection, security and the cost of data storage.

The current amendments being drafted to 4MLD may provide just the opportunity to review this obligation, as long as, of course, the concern is shared by others in the regulated sector.

For reference:

1. Recommendation 11 of the FATF Forty requires transaction records to be kept for a minimum of 5 years from the date of execution:

“11. Record-keeping: Financial institutions should be required to maintain, for at least five years, all necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the competent authorities. Such records must be sufficient to permit reconstruction of individual transactions (including the amounts and types of currency involved, if any) so as to provide, if necessary, evidence for prosecution of criminal activity.”

2. Article 40(1)(b) of 4MLD provides:

“(b) the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.”

3. Article 30(b) of the current 3MLD provides:

“(b) in the case of business relationships and transactions, the supporting evidence and records, consisting of the original documents or copies admissible in court proceedings under the applicable national legislation for a period of at least five years following the carrying-out of the transactions or the end of the business relationship.”


The article “Slipped unnoticed, 4MLD record keeping obligations” was written by Dr Thaer Sabri, EMA CEO.

The article is also published on EMA LinkedIn and twitter.


PSD2 Newly regulated services

One of PSD2’s most contested provisions during the negotiation process related to “third party payment service providers”, later redefined as (i) Payment Initiation Service Providers (PISPs) and (ii) Account Information Service Providers (AISPs).

These are not new services, but they will now be subject to regulation for the first time, and through regulation could achieve the stability to enable a new wave of innovation based on the additional functionality.

PISPs include providers such as Sofort and Trustly, and also bank-led initiatives such as the Dutch iDEAL. They essentially enable a user to initiate a payment transaction from their own bank account, to the bank account of the merchant, over existing banking networks. PISPs add value by facilitating the payment from the merchant’s checkout, populating the payment instruction page with transaction and payee data.

AISPs on the other hand include Yodlee as well as Intuit’s Mint; both offer services that enable users to aggregate data from different financial services providers using . This is done by logging into a user’s account and “scraping” the relevant data, and doing so again for the various financial products: bank accounts, loan accounts, credit cards etc. The user is then able to review their financial information at a single location; and more significantly, may be offered tools to analyse the data, compare prices, make suggestions on service providers and perhaps be offered additional products – all tailored to the user’s specific needs.

During the negotiation process, banks proposed that PISPs and AISPs enter into legal contracts with “account servicing payment service providers” (ASPSPs), such as banks, before they could access users’ accounts. This might have also created a framework for cost sharing or for fees to be applied. This was rejected by legislators, who feared it would act as a barrier to take-up, and who set out provisions for unencumbered access wherever there was an online banking interface. Similarly, legislators provided that ASPSPs could not prohibit customers from using their ASPSP account authentication credentials with third party service providers.

PSD2 has also tasked the EBA with developing regulatory technical standards on “secure open standards of communication” between the various parties. This falls short of mandating an API, and was welcomed by PISPs who feared that the development of more detailed specifications could be used as a proxy for limiting bank account and information access.

There are benefits for customers generally, but also for payment service providers looking to offer new payment products. The first is in lowering the cost of funding for these products. E-money issuers for example have an acquiring cost associated with enabling consumers to purchase e-money and funding their accounts or prepaid cards. Direct bank transfers would lessen dependence on debit and credit card funding, lowering the cost of acquiring, and in turn enabling more competitive consumer and merchant fees.

Secondly, and as trailed within PSD2 text, the Commission foresees the migration of these services to the physical world. PISPs could issue “debit cards” linked to users’ own bank accounts, triggering payments over the banking network, and bypassing card schemes. This could save on interchange and other card related fees, but will of course be subject to the PISPs’ own fees.

AISP services have a distinct appeal. They have the potential of concentrating value and creating a single reference point for users. Aggregating user data, mining this information, providing users with tools to better understand their finances, and presenting money saving choices and offers, perhaps in a PSP agnostic environment, have the potential to build consumer trust and to provide a gateway to financial services.

The article “PSD2 Newly regulated services” was written by Dr Thaer Sabri, EMA CEO.


European Payments Regulators Call for the End of Single-Factor Authentication

On December 19, 2014, citing an increase in fraud, the European Banking Authority (EBA) published its Final Guidelines on the Security of Internet Payments. These guidelines detail minimum security requirements that payment services providers (PSPs) supervised by financial services regulators in the EU were expected to satisfy by August 1, 2015.

As of the end of May 2015, 24 national regulatory authorities in the E.U. stated that they would comply with these guidelines, two (Cyprus and Sweden) indicated partial compliance, while three (Estonia, Slovakia and the U.K.) indicated they would not comply.

The payment services that fall within the scope of these guidelines include all Internet payment services, irrespective of the access device used, that involve:

  • The use of most payment cards, including card registration for use in digital wallets;
  • The transfer of funds out of customers’ bank accounts (through credit transfers or the issuance of direct debit mandates); and
  • E-money transfers between two e-money accounts.

These guidelines do not apply to mobile payments where a payment instruction is provided through a dedicated payment application executing on the customer’s mobile device or to the use of short message service (SMS) technology.

The impact of some of these requirements on the operational processes of many payment service providers (PSPs) will be significant. Many will have to deploy additional security controls, revise user-facing processes and require that their online merchants and third-party service providers can satisfy these requirements.

Further complicating the regulatory landscape for PSPs is the impending adoption of the final text of the Revised Payment Services Directive (PSD2) later in 2015. PSD2 also includes specific security requirements on customer authentication that are similar (but not identical) to the requirements in the EBA guidelines.

The expectation is that after adoption by the EU the PSD2 will be transposed into national legislation over a period of 24 months. At that time, PSD2 requirements will supersede the EBA guidelines in the supervisory frameworks of national regulators that have chosen to comply with them.

End of the line for single-factor authentication?
To attain strong customer authentication under EBA guidelines PSPs must deploy procedures that use a minimum of two independent authentication elements – categorised as knowledge, ownership and inherence. Furthermore, authentication procedures are required to incorporate at least one element that is non-reusable and non-replicable and not “capable of being surreptitiously stolen via the internet.” Importantly, inherence-based authentication elements like biometrics are excluded from this requirement.

The impact of this requirement is compounded by the EBA’s apparent adoption of a loose definition of sensitive payment data. A wide range of the personally identifiable information (PII) held by PSPs falls within the scope of this definition.

The introduction of these guidelines is expected to further accelerate the ongoing migration of PSP customer authentication processes from single-factor authentication (SFA) to multi-factor authentication (MFA) procedures. The use of static password/user ID credentials will likely be limited to controlling access to less sensitive account overview and profile information.

Using the mobile communications channel
Since many PSPs are unlikely to distribute hardware tokens/cards to their customers, wider use of the mobile communications channel to support an MFA customer authentication procedure should be expected. Many PSPs already offer their customers dedicated mobile applications for most mobile device operating systems.

Extending the use of such applications to generate a one-time password (OTP) that is subsequently entered by the customer as part of a multi-factor authentication procedure may be an approach favoured by many PSPs regulated in the E.U. The use of SMS-based solutions to deliver an OTP to a registered customer mobile device could be an alternative approach.

Biometrics going mainstream
The growing availability of biometric-based authentication on consumer mobile devices provides an opportunity for mobile application developers to use it as part of an MFA process. As stated previously, the use of a biometric authentication element in an MFA process allows a PSP to satisfy these EBA guidelines without needing to bear the cost/complexity of deploying an infrastructure that generates and distributes one-time passwords over an alternative channel.

The EBA guidelines introduce explicit requirements for PSPs that issue payment cards to register their cards for use with strong customer authentication services; digital wallet providers are required to support the use of such services for card registration and subsequent payments. PSPs that acquire card payments are also required to support the use of strong customer authentication services.

The language used appears to point to the use of solutions based on the 3D Secure extended cardholder authentication protocol for online payments. It must be noted that legacy 3D Secure variants that use static passwords do not meet the EBA definition of strong customer authentication. In the past, PSPs have been wary of the deployment of 3D Secure solutions since they are perceived to increase friction in the customer experience and lead to increased numbers of failed/abandoned transactions.

Transaction risk analysis
The EBA guidelines allow PSPs to use alternative customer authentication solutions for low-risk transactions. To limit the scope of strong customer authentication sessions, PSPs are increasingly using automated transaction risk-analysis tools to monitor and assign risk ratings to attempted transactions on a real-time basis. A number of these tools offer a dynamic reconfiguration capability coupled with enhanced “learning” abilities.

Impact on customer experience
The impact of the adoption of these guidelines by EU financial services regulators on Internet payment interactions of non-EU customers could be significant. Global PSPs that are regulated in the EU are expected to change customer authentication procedures, their website design and a number of back-office processes to comply. Over a period of time, such changes are likely to be extended to instances of their payment services offered to non-EU customers to maintain a consistent customer experience.

This article was written by Dimitrios Markakis, senior consultant at Flawless Money Ltd.

First published in n>genuity journal.


Good news on bitcoin and a mixed consultation from the EBA on risk factors for SDD and EDD

1. The CJEU published its findings on the Hedqvist v Swedish Supreme Administrative Court (C264/14) case today, and they were consistent with the earlier opinion from the advocate general. The question was whether the sale of bitcoin fell within the scope of VAT, and if so, whether it could benefit from any of the exemptions to the regime. The answer is that bitcoin can benefit from the same exemption that is available to cash, meaning that bitcoin can be used as an effective means of payment. Had VAT been chargeable on bitcoin itself, it would have made its use as a currency impossible. This is because, for example, the purchase of £10 worth of bitcoin would cost £12 in the UK if the VAT rate was 20%, leaving the user with just £10 of bitcoin to spend. There would in effect be a double charge of VAT, first on the bitcoin and then on the chargeable item being purchased.

It is likely that other similar digital currencies could also benefit from this treatment. This is a great result for providers across the European Union as the judgment does not only apply to Sweden but also to all other Member States.

Congratulations to David Hedqvist for seeing this through, and the bitcoin companies that supported him in the case.

2. The EBA published its draft Guidelines on the risk factors that have to be taken into consideration when considering whether to apply simplified due diligence (SDD) or enhanced due diligence (EDD) to a customer.

The SDD provisions are of particular importance, and whilst most of the provisions are balanced and well informed, there is an exception. Currently e-money issuers are able to postpone verification of identity until a cumulative (annual) spend threshold of EUR 2500 has been reached, subject to other conditions. The draft Guidelines (which are open for consultation until the 22nd of January) leave the limit open, and should offer significant flexibility depending on the approach of the national member state regulator.

It can in fact be argued that higher limits better address law enforcement concerns, as they encourage cash substitution while providing far more visibility and traceability of users. This is the case even when relying on SDD provisions.

Postponement of CDD is not only a matter of convenience or cost, it is one of access to customers. New innovative payment service providers who need to build their user base must ensure low barriers to entry.

The EMA will respond to the consultation and represent the views of e-money issuers. This is a matter of significant importance, and is worthy of attention.

The above article was written by Dr Thaer Sabri, EMA CEO.


PSD2 Exemptions

The current PSD sets out ‘negative scope’ provisions that list a range of services that would be considered out of scope of payments regulation. Many of these followed pre-existing legal and commercial practice, while others simply draw a distinction between electronic and paper-based payment products.

Three of these exemptions have been much used by new payment service providers, and all have been amended in some way by PSD2 in response to competing business and regulatory policy objectives.

(i) The first and much discussed is the limited network exemption; a demarcation of three circumstances where payments regulation is disproportionate. It exempts from the PSD (and EMD2) payment schemes that are limited by geography, limited by the number of merchants participating or by the range of goods and services for which payments are made. This is a key exemption that covers staff canteens and book tokens as well as many gift card products. Regulators have however struggled with the interpretation of ‘limited’, and continue to do so. In an effort to contain the size of such schemes PSD2 has introduced ‘very limited’ to one limb and qualified issuers as ‘professional’ in another. More significantly however, notification is now required if the turnover associated with exempt schemes exceeds EUR 1m. This is likely to increase regulators’ workload significantly, without necessarily increasing clarity or pan-European consistency. A new limb now provides products with a specific tax or social purpose, such as ‘luncheon vouchers’, with an exemption, and these are also free from notification obligations.

(ii) The second exemption relates to commercial agents, and provides for some conditions to be fulfilled. The idea is that where a payment is undertaken to a party acting as commercial agent for another person, then the agent does not provide a payment service; they simply receive the payment on behalf of their principal as payee. This is an important exemption and has been relied upon by bill payment service providers for decades. It also precedes the PSD. Increasing use of this arrangement by e-commerce platforms has however prompted a change limiting its scope of application. PSD2 now prohibits such arrangements where the agent acts for both payer and payee. It is not clear however if the change achieves the intended purpose.

(iii) The third exemption, the ‘IT Operator’ exemption, widely used by mobile network operators to offer premium rate service payments has been relaxed in some ways and restricted in others. It now extends the scope of products that can be purchased under the exemption, from digital goods that are delivered to a device to the purchase of ‘tickets’ and also to charitable donations. Simultaneously however, it introduces transaction and cumulative turnover limits that apply to each subscriber.

The nature of the changes, their impact and interpretation will be another focus of discussion at next week’s EMA Conference.

The article “PSD2 Exemptions” was written by Dr Thaer Sabri, EMA CEO.


PSD2 – IT Security Provisions

This is the first time that EU payments legislation has sought to detail IT security requirements. They have generally been part of prudential obligations to maintain good internal controls.

The provisions can be divided into four areas:

(i) strong customer authentication, meaning two-factor authentication with a number of exemptions, which is required for most remote interactions including account access;

(ii) dynamic linking of the authorisation of each remote transaction with the amount and the payee;

(iii) a requirement for PSPs to establish a security risk management and mitigation framework, and to report to the competent authority periodically on such risks and mitigation strategies; and

(iv) a requirement to notify competent authorities of major operational or security incidents, with an information sharing process that involves the EBA, ECB and host member state competent authorities.

Whilst risk management and incident notification may be part of existing practice, new EBA guidelines are expected to elaborate on these obligations. Strong customer authentication in turn builds on the current EBA guidelines on the security of Internet payments, and these would be updated to reflect amended and additional requirements.
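To make the first two areas concrete, here is an added example (my own illustration, not code from the EMA, the EBA or any PSP) of a transaction-signing scheme in Python: the code combines a device-held secret (possession) with a PIN (knowledge), binds the code to the payee and amount (dynamic linking) and to a counter, which also gives the non-reusable element the EBA guidelines in the earlier article call for. The device secret, PIN and IBAN values are constructed placeholders, and the code format follows HOTP-style truncation as an assumption rather than any mandated format.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    # The fields dynamic linking must bind: payee and amount (with its currency).
    payee_iban: str
    amount_minor: int  # amount in minor units (pence, cents)
    currency: str


def derive_key(device_secret: bytes, pin: str) -> bytes:
    # Two independent elements: a secret held on the registered device (possession)
    # and a PIN only the user knows (knowledge). Neither alone yields the key.
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()


def linked_message(order: PaymentOrder, counter: int) -> bytes:
    # Payee, amount and a monotonically increasing counter go into the MAC, so the
    # code is tied to this exact transaction and cannot be reused for another.
    return b"|".join([
        order.payee_iban.encode(),
        str(order.amount_minor).encode(),
        order.currency.encode(),
        struct.pack(">Q", counter),
    ])


def code_from_key(key: bytes, order: PaymentOrder, counter: int, digits: int = 8) -> str:
    mac = hmac.new(key, linked_message(order, counter), hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) to get a short code a user can type.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def transaction_code(device_secret: bytes, pin: str, order: PaymentOrder, counter: int) -> str:
    # What the user's app computes for the order it has just displayed to the user.
    return code_from_key(derive_key(device_secret, pin), order, counter)


class AspspVerifier:
    # ASPSP side: holds the derived key and the highest counter it has accepted.
    def __init__(self, device_secret: bytes, pin: str, window: int = 5) -> None:
        self._key = derive_key(device_secret, pin)
        self._last_counter = 0
        self._window = window

    def verify(self, order: PaymentOrder, code: str) -> bool:
        # Only counters above the last accepted one are tried, so a captured code
        # cannot be replayed; a successful match advances the counter.
        for counter in range(self._last_counter + 1, self._last_counter + 1 + self._window):
            if hmac.compare_digest(code_from_key(self._key, order, counter), code):
                self._last_counter = counter
                return True
        return False


def demo() -> dict:
    # Constructed sample values; the IBANs are placeholders, not real accounts.
    device_secret = b"constructed-device-secret-for-this-example"
    pin = "4711"
    verifier = AspspVerifier(device_secret, pin)
    order = PaymentOrder("GB00EXAMPLE00000000000", 1250, "GBP")  # GBP 12.50
    code1 = transaction_code(device_secret, pin, order, counter=1)
    code2 = transaction_code(device_secret, pin, order, counter=2)
    results = {}
    results["genuine"] = verifier.verify(order, code1)  # accepted
    results["replay"] = verifier.verify(order, code1)   # same code again: rejected
    # A code issued for GBP 12.50 does not authorise GBP 1,250.00 ...
    results["amount_changed"] = verifier.verify(PaymentOrder(order.payee_iban, 125000, "GBP"), code2)
    # ... nor a payment of the same amount to a different payee.
    results["payee_changed"] = verifier.verify(PaymentOrder("GB00OTHER0000000000000", 1250, "GBP"), code2)
    # Possession of the device without the knowledge element (wrong PIN) fails too.
    results["wrong_pin"] = verifier.verify(order, transaction_code(device_secret, "0000", order, 2))
    # The untouched order with its own fresh code is still accepted.
    results["next_genuine"] = verifier.verify(order, code2)
    return results
```

Running `demo()` returns accepted only for the two genuine codes; every replayed, re-targeted or wrong-PIN attempt is rejected without consuming a counter value.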

The EMA conference next week will bring the EBA, member state regulators, and industry security practitioners together to discuss the impact on different parts of the payments sector.

The article “PSD2 – IT Security Provisions” was written by Dr Thaer Sabri, EMA CEO.


EBA concerns over anonymity and IT security at bitcoin conference

Amsterdam recently hosted the Bitcoin 2014 conference, which included a session on anti-money laundering on transparent networks. Dirk Haubrich of the European Banking Authority (EBA) outlined some concerns that the EBA has on digital currencies generally, including bitcoin.

Haubrich said that the EBA is concerned about: …


EU Parliament finalises vote on Payment Accounts Directive

On the 15th of April, the European Parliament voted on the text for the Payment Accounts Directive. This concludes the legislative process in Brussels that started with a Directive proposal on the comparability of payment account fees, payment account switching and access to payment accounts.

The Directive lists a number of requirements with respect to using standardised terminology and facilitating account switching for all payment services providers. It also provides a regime, applicable to credit institutions only, to ensure the proper provision of basic bank accounts in Member States.
