How will the SMA affect your operational risk framework and RWA?
By Péter Endre Kovács, Director Risk Advisory Services
and Kristian Lajkep, Regulatory Compliance Officer
Think of the change e-mail brought to (international) correspondence in speed and cost. Now imagine a similar change in international payments led by technological and business innovation. The second Payment Services Directive (PSD2, 2015) provides the legal background for this change. This article aims to give an overview of these changes as the PSD2 enters into force on January 13, 2018.
An IMF staff paper (SDN17/05) compares the current change in the international payments system to the change e-mail has brought to international correspondence. Under the prior regime, letters were delivered and paid for efficiently within countries, but the cross-border exchange of messages was cumbersome. Still today, sending physical mail abroad may be subject to significant cost, delay and almost arbitrary rules. International carriers offer overnight delivery services conveniently, though for an even higher price. On the other hand, e-mail takes a standard format of addressing and delivery within seconds anywhere in the world.
National banks offer a fast and efficient clearing and settlement for domestic transactions. The user experience of international bank transfers is much less appealing; they take longer and are more complicated and expensive than domestic transfers. This is partly due to the risks inherent to clearing and settlement, which usually involve bilateral correspondent banking relationships. Effectively, banks must balance the liquidity risk in gross settlement against the counterparty credit and exchange rate risk in net settlement. On the other hand, rivals of the banking system already offer international peer-to-peer funds transfer and exchange, often in real time and at a lower cost, even without the need to open a payment account. FinTech companies offer a similar service online. They take on some additional risk and offer the flexibility and speed of rivals while using mainstream payment instruments such as bank transfers and payment card transactions as their core internal settlement mechanism. Even major international banking groups fail to provide such cross-border services for retail payments between their subsidiaries in different countries. As a result, the mainstream banking services are under pressure from regulators, who see this as an inefficiency that hinders economic growth.
The first driver of these changes is the technological development in communication mentioned earlier. This development led to the second driver: changes in customer expectations through innovations and services that are now part of our everyday lives. Economic policy initiatives, such as SEPA and the SEPA Instant Payment scheme supporting the digital single market, constitute the third main driver.
Technologies that enable the fast exchange of information for the purpose of agreeing on the purchase and delivery of goods and services, can also help initiate and track the transfer of funds between the two parties and instruct the holders of these funds to carry these out. As the development of communication brings people and companies closer to one another, it also raises the demand for goods, services and payments to be exchanged between these actors in a fast and efficient manner.
Entrepreneurs experiment with technology and services to improve the customer experience in all three functions of money: as a medium of exchange, store of value and unit of account. A record amount of venture capital is being invested globally into financial technology companies (FinTechs) with the hope of finding scalable business models with strong customer appeal.
Incumbents have acted on this change and today there is hardly a major bank without a FinTech incubator, laboratory or partnership program that is expected to secure a leading role for the bank in this competition and build the potential for successful products developed for its clients and tailored to the bank’s own systems. The readiness of these institutions to provide cross-border services is hindered by regulatory obstacles that are being progressively lightened.
|SEPA, a practical application built on the first PSD|
|The SEPA directive (EC 260/2012) provides the standards and requirements that have allowed the development of the Single Euro Payments Area (SEPA) for the most popular types of non-cash payment methods: credit transfers, direct debit payments and card payments. Non-Eurozone countries are free to extend this directive to their national currencies, like Sweden and Romania did.|
|Since November 2017, under the SEPA Instant Credit scheme, qualifying payments have been processed within 10 seconds for amounts up to 15 000 EUR in the first wave of implementation in 8 EU Member States: Austria, Estonia, Germany, Italy, Latvia, Lithuania, The Netherlands and Spain. This allows cross-border bank transfers at speeds comparable only to card transactions. Speed in this case reduces cost and risk to participants, which is expected to encourage cross-border transactions throughout the European Union.|
In an effort to improve the payment services to support the (Digital) Single Market, the European Union began removing regulatory obstacles in the path of this change while maintaining safeguards to the security of the financial system and customer protection.
This series of legislative steps may seem like a regulatory disruption for incumbents; a necessary adjustment to a new reality for legislators; and an overdue upgrade to an “archaic infrastructure” for the innovators.
The first Payment Services Directive (PSD, 2007/64/EC) entered into force in 2009 and helped align the definitions, safety and institutional standards for payment services in the European Economic Area. It covers electronic and non-cash payment methods: credit transfers, direct debit payments, card payments, mobile and online payments. The directive also introduced regulation for non-bank payment service providers in order to increase competition and choice for customers.
The first PSD paved the way for an efficient “shortcut” for certain types of transactions that were considered most important for the European economy, SEPA.
|Definition of new services and authentication requirements|
|• Payment initiation service – initiating payment order at the request of the payment service user with respect to a payment account held at another payment service provider|
|• Account information service – providing consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider|
|• Money remittance – a payment service where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee […]|
|• Strong customer authentication – an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data|
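The definition of strong customer authentication has two parts: elements from at least two of the three categories, and independence between those elements. The following added example (not code from the article or from any PSD2 implementation) encodes both checks; independence is modelled by an assumed "trust boundary" label per element (the device or channel whose breach exposes it), and the scenarios are constructed for illustration.

```python
"""Strong customer authentication (SCA) check following the PSD2 definition.

Added illustrative example, not from the article. Assumption: each element
carries a 'boundary' label (device/channel); two elements sharing a boundary
are treated as falling together when that boundary is breached.
"""
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    name: str        # descriptive label, e.g. "password"
    category: str    # knowledge | possession | inherence
    boundary: str    # assumed: the device/channel whose breach exposes it


def is_strong_customer_authentication(elements):
    """Return (ok, reason); ok is True only if the elements meet SCA."""
    for e in elements:
        if e.category not in CATEGORIES:
            return False, f"unknown category {e.category!r} for {e.name}"
    if len({e.category for e in elements}) < 2:
        return False, "fewer than two categories present"
    # Independence: find two elements of different categories that do not
    # share a trust boundary, so breaching one boundary (e.g. the phone)
    # still leaves an element of another category intact.
    for a in elements:
        for b in elements:
            if a.category != b.category and a.boundary != b.boundary:
                return True, f"{a.name} and {b.name} are independent"
    return False, "all cross-category element pairs share a trust boundary"


# Constructed sample scenarios (not from the article).
SCENARIOS = {
    # password in a browser + code from a separate hardware token
    "password+token": [Element("password", "knowledge", "laptop-browser"),
                       Element("hardware OTP", "possession", "otp-token")],
    # two categories, but one phone compromise exposes both elements
    "password+sms-same-phone": [Element("password", "knowledge", "phone-app"),
                                Element("sms OTP", "possession", "phone-app")],
    # two elements of the same category only
    "password+pin": [Element("password", "knowledge", "laptop-browser"),
                     Element("PIN", "knowledge", "laptop-browser")],
    # biometric on the phone + password in a browser
    "fingerprint+password": [Element("fingerprint", "inherence", "phone-se"),
                             Element("password", "knowledge", "laptop-browser")],
}


def evaluate_all():
    """Map each scenario name to whether it qualifies as SCA."""
    return {n: is_strong_customer_authentication(e)[0] for n, e in SCENARIOS.items()}


if __name__ == "__main__":
    for name, els in SCENARIOS.items():
        ok, reason = is_strong_customer_authentication(els)
        print(f"{name:26s} {'SCA' if ok else 'NOT SCA':8s} {reason}")
```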
In 2015, the second Payment Services Directive (PSD2) was issued, supplementing the first with greater focus on the safety and efficiency of online payments, to complement the regulation of digital economy. Technological developments in online sales and the supporting logistics in the real economy called for the regulation of accompanying payment services that are able to support these with speed and security.
The Directive provides the legal background for service offerings based on digital innovations - partly already available on the market - and incorporates them in a coherent regulatory framework of payment services to ensure the safety of and public trust in the payment system by
The directive enters into force on January 13, 2018 – by means of national adoption in each member state. The European Banking Authority (EBA) is required to develop several implementing and regulatory technical standards and guidelines in consultation with market participants – including national regulators. The Directive requires the EBA to prepare a total of 5 regulatory technical standards (RTS’s), one implementing technical standard (ITS) and 6 guidelines to support its interpretation and implementation. Some of these are already partly developed, but others are still in the consultation or preparation phase (see the summary table)[1].

| Type | Subject | Status |
|---|---|---|
| RTS | on passporting under PSD2 | Published in the Official Journal and applicable since 31 Dec 17 |
| RTS | on strong customer authentication and secure communication under PSD2 | Final version of the RTS submitted by EBA and awaits being published in the OJ. |
| RTS | on central contact points under PSD2 | Final version of the RTS submitted by EBA and awaits being published in the OJ. |
| RTS/ITS | on the EBA Register under PSD2 | Final version of the RTS submitted by EBA and awaits being published in the OJ. |
| RTS | on Home-Host cooperation under PSD2 | Currently under consultation ending 5 Jan 18 |
| GL | on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2 | Final version published by EBA. Applicable as from 13 Jan 18 |
| GL | on authorisation and registration under PSD2 | Final version published by EBA. Applicable as from 13 Jan 18 |
| GL | on major incidents reporting under PSD2 | Final version published by EBA. Applicable as from 13 Jan 18 |
| GL | on procedures for complaints of alleged infringements of PSD2 | Final version published by EBA. Applicable as from 13 Jan 18 |
| GL | on security measures for operational and security risks under PSD2 | Final version published by EBA. Applicable as from 13 Jan 18 |
| GL | on fraud reporting under PSD2 | Consultation ended on 3 Nov 18. EBA currently works on the final version. |

[1] Please note that in addition to these, the EBA is bound, at the Commission's request, to produce an additional RTS on the criteria and conditions for the establishment and monitoring of security measures, and is free to produce yet another one to specify the information to be provided to the competent authorities.
PSD2 defines new requirements for account servicing payment service providers (ASPSPs). For example, they must be prepared to share information with and accept transfer orders from third party providers (TPP’s) - a common name for AISP’s and PISP’s - at the request of their clients. PSD2 requires that banks (ASPSP’s) retain a significant portion of the operational risks and financial liability in this process. Institutions which are already licensed to manage payment accounts (ASPSP’s) under the first PSD will not need to re-apply for their license, but will need to provide evidence to their regulator by July 13, 2018 that they comply with the new requirements.
The PSD2 extends the list of payment services with account information service providers (AISP’s) and payment initiation service providers (PISP’s), together called third party payment providers (TPP’s) (see the box for the official definition of these services).
These entities may provide access and services similar to the online and mobile banking that banks offer to their own clients today. While banks will continue to be responsible for managing the deposit or credit account, private or business customers may choose to use another bank’s platform (online bank) or a third party provider to view and manage these accounts, and maybe even connect them to the business’s own ERP system. Account holders will have a choice of platforms that allow them to view, process and even share their account history (AISP’s) and initiate transfers from these accounts (PISP’s).
The major difference with today’s bank-specific online banking platforms is the opportunity to share this information across institutions and even outside the banking sector. This is a major force behind the development of client-friendly digital interfaces aimed at improving the user experience and one reason why we see FinTech incubators and labs mushrooming alongside banks. The smallest change that should be expected is an intensified competition between internet banking and mobile banking platforms, as there will no longer be restrictions for a payment account held in one bank to be managed from the platform operated by another bank – or third party provider.
Notice that these providers are not licensed to collect deposits; rather they provide access to these deposits or access to information about these deposits. Some may choose to obtain an electronic money license.
These changes also mean that the bank managing the client’s payment account will no longer have exclusive access to the information contained in the account histories – currently used by them alone for marketing and risk management modelling, for example. On the other hand, a bank may obtain access to information currently held by its competitors and use it for similar purposes at the client’s request. A client may decide to share their information with a bank (or creditor) to obtain a better offer for services. Whether “better” means “cheaper”, “more accessible”, “simpler” or “more complex” (tailored to the client’s specific needs) is likely to be different for each customer segment and much effort will be put into distinguishing these segments fast and automatically.
The new providers need a license from the national authorities to operate in the EU, based on the rules set out in the Directive and the related standards and guidelines. Existing providers will also be expected to comply. A European passport to provide such services elevates the competition beyond the national markets – favouring countries that are more receptive to these changes. Even countries that are more conservative are exposed, as their citizens and businesses may decide to purchase such services from abroad. Imagine a small business or even an individual that opens a payment account in a neighbouring EU country to benefit from a service they perceive to be better. In the digital age with online account opening and authentication it can even be a remote EU state.
As an example, in retail banking, a complex online service would include a shift from a product-based approach to a complex offering of savings, investment, payments, loan and credit products tailored to the needs of the individual customer or family seen as a whole – potentially from several providers – similar to a good face to face premium banking experience. This type of service is usually called personal financial management (PFM) and it is a major FinTech development area.
Banks with a successful business model in one country can decide to test and provide the same service in other European countries rather than developing new services in their current market. Non-bank start-ups are well funded for the explicit purpose to develop such services with a scalable business model and IT infrastructure and prove that it can be expected to provide reasonable returns at reasonable risk before their initial investor is replaced. In an even wider, more global scope, similar patterns appear.
Established banks can benefit from a good reputation and the trust of their clients. This provides them with an advantage over newly established third party service providers to enter the same market with an innovative service offering.
This image can and should be reinforced with a pre-emptive education program about the regulatory changes, preparing the clients to take advantage of the benefits while being aware of the risks offered by new entrants and services. In the domain of online authentication (confirming the identity of the user), states and social media platforms take a leading role. Banks are in a similarly good position to offer such services to third parties (e.g. online stores, business service, investment or news platforms) to allow the client to benefit from third party services or even enter into some contracts.
For the risk management profession, this new environment means, on the one hand, changes in the risk profile of institutions and, on the other hand, new tools and information sources to manage these. The authors of this article expect that the shift in the magnitude of existing risks would outweigh the impact of new risk types, as illustrated by a few examples below.
Competition in consumer and business lending is expected to increase, as reliable transaction level data will be available about loan applicants with no prior history at the bank, and even foreign residents. Credit monitoring can also become more detailed, frequent, cheap and automated as a result of these changes. This will favour the digitally efficient creditors, who themselves can be challenged by providers who would offer to consolidate the loans and credits at better rates.
Lucrative customer segments will become even more difficult to retain, while a simple and user-friendly service and a nice interface may lure new, service-oriented customers. Institutions with a strong offering in this area should benefit from the new legislation and leverage the trust in established financial service providers to protect their clients’ sensitive financial information.
The number of access points to payment accounts will increase, based on the client’s decision, without any practical limitation, which aggravates the vulnerability of these accounts to phishing and blackmail attacks or outright online robbery. Potential secondary uses of legally obtained information magnify the client’s overall exposure. Holding the customer ultimately responsible for these risks is at best a legal option that would probably be difficult to enforce. If losses materialize at many institutions, the regulator can be expected to protect the customer (and the customer’s trust in the financial system) even if it means that the losses will be absorbed by the financial services sector, taxpayers, or most likely a combination of both.
Opportunities to mitigate these risks by operative actions may also prove to be limited, as these may appear to be an impediment to the client exercising their rights provided by PSD2 and potentially triggering supervisory action or a damaging online news cycle.
Risk management can play a significant role in educating clients about the risks inherent to the new services without deterring them from trying. For example, electronic money may behave similarly to a payment account and offer significant benefits in the payments domain, but may lack the protection of a deposit insurance scheme, which makes it a bad choice for storing value. Clients should also be aware of the risks they are taking when they decide to share their account information with third party providers under PSD2 in exchange for some nice charts, and of the ways to limit this exposure. A bank may create an ecosystem of trusted third party providers that are regularly verified, which can become a competitive advantage.
FinTech is not expected to replace traditional financial products and institutions - especially not overnight. However, fast and simple digital solutions that incorporate the technological advances and offer better service through access to information are already blooming and can gain ground fast. The banking system is still expected to provide and improve the backbone of this system and retain the stability of and confidence in the financial system as regulators codify the more established elements of the new services and providers.
A deep review of risk processes and models is recommended as a preparation for these potentially fundamental changes in the technical and business environment – especially the analysis of the expected reaction of the current financial and capital models to changes in the input data as a result of a transition to a “new normal” situation. Finalyse is looking forward to contributing to these endeavours at our clients already in 2018.