Tom Hay – Head of Payments at Icon Solutions
The wait is over. The European Banking Authority (EBA) has recently published its ‘final’ draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication under PSD2. PSD2 and particularly the SCA aspect has the potential to dramatically change not just the payments sector but the wider banking market and has been the subject of heated discussions and aggressive lobbying.
The market has therefore been waiting with bated breath to view and digest the finalised standards. The final RTS provides clarity on a number of ambiguities contained in the draft version and covers a great deal of ground. However, like a Christopher Nolan movie, it still leaves you hanging with unanswered questions at the end.
With the document standing at more than 150 pages it can be difficult to identify the major points and key changes from the draft version. To help, here’s a distillation of the paper, covering ten points we believe the market needs to heed:
- Banks to define their own interfaces
The RTS does not provide definitions of the interfaces needed. Luckily some industry groups (e.g. Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. It’s up to the banks to define their own interfaces, but at least they will have some de-facto standards to base them on.
- APIs, not screen scraping
Rationale 32 says that “screen scraping will no longer be allowed”, but something that looks a lot like screen scraping is still allowed. TPPs using this interface must digitally sign the messages to identify themselves, which is at least a step forward; however, other security holes associated with screen scraping remain. Note that if a bank provides a “dedicated” (API) interface, TPPs must use it.
- Payment security up to the banks
It is up to the bank to authenticate their customer. Recital 14 now says that “PIS Providers have the right to rely on the authentication procedures provided” by the bank, but there is no right in the opposite direction. Therefore, PISPs (Payment Initiation Service Providers) must pass control to the bank to authenticate the customer – the PISP can’t apply its own authentication, then tell the bank to “just do it”.
- Authentication codes
Article 4.1 says that “The authentication code shall be accepted only once”. This is fine for a single payment initiation, but the RTS allows TPPs to initiate a series of payments, and to retrieve account information, with SCA applied only the first time. Presumably the original authorisation code must be presented for all subsequent accesses, but this is not compatible with the “only once” provision in 4.1.
For payment transactions, the authentication code has to be dynamically linked to the transaction details. There’s a possible gap because the amount and payee are dynamically linked, but not the payment reference. In cases where the reference determines the beneficiary, such as credit card payments, this could become a security vulnerability.
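An added example (not from the article or the RTS) of the two properties discussed above: a code that is accepted only once and is dynamically linked to amount and payee, next to a variant that also links the payment reference. The HMAC construction, the class and field names, and the sample payment values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    amount_cents: int   # amount in minor units
    payee: str          # payee account identifier
    reference: str      # payment reference (e.g. the card account being paid)


def canonical(fields):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") encode differently."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


class Authenticator:
    """Hypothetical bank-side issuer and verifier of authentication codes."""

    def __init__(self, bind_reference: bool):
        self._key = secrets.token_bytes(32)
        self._bind_reference = bind_reference
        self._pending = set()  # nonces of codes issued and not yet presented

    def _mac(self, payment: Payment, nonce: str) -> str:
        fields = [nonce, str(payment.amount_cents), payment.payee]
        if self._bind_reference:
            fields.append(payment.reference)
        return hmac.new(self._key, canonical(fields), hashlib.sha256).hexdigest()

    def issue(self, payment: Payment) -> str:
        """Called after the customer has approved `payment` with SCA."""
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return f"{nonce}.{self._mac(payment, nonce)}"

    def verify(self, code: str, payment: Payment) -> bool:
        nonce, _, mac = code.partition(".")
        if nonce not in self._pending:
            return False  # unknown code, or one that was already presented
        # Accepted only once: burn the nonce on first presentation,
        # whether or not the linkage check below succeeds.
        self._pending.discard(nonce)
        expected = self._mac(payment, nonce)
        return hmac.compare_digest(mac.encode(), expected.encode())


def demo(bind_reference: bool) -> dict:
    """Return which submissions the bank accepts for one approved payment."""
    auth = Authenticator(bind_reference)
    # Constructed sample data: a card repayment where the payee is the card
    # issuer's collection account and the reference selects the card account.
    approved = Payment(2500, "XX00CARDISSUER0001", "CARD-ACCOUNT-A")

    code = auth.issue(approved)
    results = {
        "original": auth.verify(code, approved),
        "replay": auth.verify(code, approved),
    }
    altered = {
        "amount_changed": replace(approved, amount_cents=250000),
        "payee_changed": replace(approved, payee="XX00OTHERPAYEE0002"),
        "reference_changed": replace(approved, reference="CARD-ACCOUNT-B"),
    }
    for name, submitted in altered.items():
        # A fresh code for the approved payment, presented with altered details.
        results[name] = auth.verify(auth.issue(approved), submitted)
    return results


if __name__ == "__main__":
    print("amount + payee linked:            ", demo(bind_reference=False))
    print("amount + payee + reference linked:", demo(bind_reference=True))
```

With only amount and payee linked, the submission with a changed reference still verifies; adding the reference to the linked fields makes it fail like the other alterations.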
- Exemptions from Strong Customer Authentication
This is the area of the RTS that has changed most, and has become more practical. Changes include:
- For contactless card payments, the single transaction value is raised to €50, and the option to count five consecutive non-SCA transactions has been added to provide balance to the previous impractical requirement to just accumulate payment values.
- A vital exemption for unattended transport and parking terminals has helpfully been included
- No SCA is required for payments to trusted beneficiaries. Comment 79 also clarifies “The exemption for trusted beneficiaries only applies to payment transactions made on an online account by the payer. The PISP cannot create a list of trusted beneficiaries.”
- The low value payment exemption is raised from €10 to €30, with a cumulative value of €100 or a cumulative count of 5, aligned to the contactless exemption
- Real Time Fraud Detection and Prevention
Whereas the previous draft mandated real time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high risk transactions being blocked for suspected fraud, and low risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures.
- Sensitive payment data
The final draft still says that ASPSPs (account servicing payment service providers), effectively banks, must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, “provided that this information does not include display of sensitive payment data”. “Sensitive” is still not defined, leaving it to the bank to decide what to redact.
- Use of eIDAS authorities
The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (or “qualified certificates for electronic seals or website authentication”, as the regulation would have it) issued under Regulation 910/2014, aka eIDAS. Given the extended timeline for enforcement of the RTS – November 2018 being the earliest date, with serious discussion of April 2019 – there is still time for organizations to step up and put the required infrastructure in place to move eIDAS from dream to reality.
- Card Not Present requires Strong Customer Authentication
Unless a card transaction falls under one of the exemptions, it must go through SCA. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves possession, which along with knowledge satisfies the ‘two-factor’ requirement. It looks like 3-D Secure 2.0 will be sufficient to allow SCA exemptions to be applied, but if the transaction is not exempt, it’s up to the issuer to drive the SCA process.
- Trusted Execution Environments for multi-purpose devices
The previous draft specified that multi-purpose devices (mobile phones and the like) had to use a Trusted Execution Environment (TEE) for security. TEE is a well-defined, tried and tested standard, but it seems the EBA has caved in to pressure from organizations lobbying for non-standard (and in some cases less secure) solutions. The RTS now mandates a ‘Secure Execution Environment’ which has no current industry definition, so mobile security effectively becomes a free-for-all again. Caveat emptor!
The RTS has yet to be adopted by the European Commission, so there is still an opportunity for lobbying by Member States and industry groups and organizations. Be that as it may, it’s clear that no further significant clarifications will be forthcoming from the EBA. It’s now up to banks, TPPs and other payment service providers to get on with implementation, guided by national authorities, industry groups, compliance officers and technology experts. The “access to account” services specified in PSD2 Articles 65-67 have to be available from Jan 2018, and even though the security and communications standards in the RTS do not become mandatory until the end of the “transitional” period, there’s sufficient clarity to start moving in that direction prior to the mandate.
If you would like more information on the matter, you can read our ‘Fast Track to PSD2’ whitepaper.
Boost for consumers as banks recognise room for improvement on service and delivery
- 42% of banks are looking to improve service provision and boost customer satisfaction in the year ahead
- Less than half of banks (47%) are happy with their current ability to manage and process payments
- Majority (55%) see open banking as the solution to their efficiency concerns
An international study of over 1,000 senior professionals in banks, lenders, PFMs, investment companies and retailers, by leading open banking provider Yolt Technology Services (YTS) has revealed that 42% of banks recognise the need to improve their service offering and boost customer satisfaction levels in the year ahead.
In particular, bankers noted shortcomings in their organisation’s ability to manage and process payments, with just 47% currently happy with their abilities in this space.
Banking professionals’ dissatisfaction with current services comes during the COVID-19 pandemic, which has seen millions of customers start to use digital financial services in the absence of branches, causing banks to face more online requests and applications than ever before. Naturally, customers still expect an accessible and convenient service from banks, who are competing with neo-banks better equipped to keep up with customer demands during the pandemic, largely due to being designed to offer super-fast digital services.
As a result, adoption of open banking technology is well underway among banks, who see it as a solution to stay competitive and deal with the accelerated digitisation of financial services. Banks led adoption among previously analogue sectors when it comes to investment in at least one form of open banking technology, with nearly two thirds (63%). Only personal finance management tools were higher with 68%, which is expected given their strong fintech credentials.
The research also revealed how banks expect to deliver the much-needed improvements. A majority (55%) recognise open banking’s ability to improve efficiency overall, a much-needed enhancement given the concern over processing speeds. In areas such as applications and payments, widespread adoption of open banking by banks would allow consumers to know about whether a loan or mortgage had been approved in minutes, rather than days or even weeks.
Alongside this, 44% of bankers expect open banking to improve the customer experience, a boost for consumers who can expect more personalised offerings and the ability to find out more about their finances in one place through services such as data enrichment.
To support these businesses and the remaining 37% who are yet to adopt, in delivering the required improvements through open banking, Yolt Technology Services has recently launched a series of guides to Unlocking the Value of Open Banking, available to download here: https://yts.yolt.com/whitepapers/value-open-banking
Leon Muis, Chief Business Officer at Yolt Technology Services comments:
“What consumers and businesses look for from their financial service providers has transformed dramatically in recent years, and many of the larger banks have been blindsided by the pace of change and as a result now find themselves out of step with what their customers need. The COVID pandemic and resulting lockdown period has served to bring this growing gap into sharp focus and, as our research shows, the banks themselves are increasingly recognising the need to change.
“Many banks understand that open banking offers substantial opportunities for them, including cutting costs, and for their customers, particularly the ability to provide a more personalised and faster user experience that allows them to access more of their financial footprint in one place.
“The specific issues banks have identified within their operations, such as weaknesses in the management and processing of payments, can be tackled with open banking technology. Payment Initiation Services (PIS) have the power to transform banks’ ability to cost-effectively execute and analyse payments on behalf of consumers, and are made possible thanks to PSD2 open banking legislation.
“Whilst some may be hesitant of investment during these times, open banking technology can boost efficiency, create a smooth digitisation process and cut costs at a time when these things have never been more important for businesses and their consumers.”
5 ways social listening is transforming the banking sector
By Michalis Michael, CEO of DigitalMR
Social media has impacted the banking sector significantly over the last decade and, particularly in recent years, tools like social listening have played a leading role in revolutionising banking businesses and their customer relationships.
Also known as ‘social intelligence’, social listening is the monitoring of a brand’s social media channels for any customer feedback, direct mentions, or relevant discussions, followed by an analysis to gain insights and act on emerging opportunities.
Banks today are facing immense pressure from ever-increasing customer expectations. In fact, a recent social intelligence report compiled by DigitalMR analysed customer sentiment and conversation drivers amongst 11 leading global banks during the period of February 2018 to April 2020 and found customer relationships hit an all-time low during the peak of the coronavirus pandemic.
As a result, traditional financial institutions have a lot of work to do to rebuild their reputations while at the same time competing with countless challenger banks, and embracing digital tools like social listening will be key for them to stand out against competition and draw customers back in.
Here are 5 of the main ways social listening is transforming the banking sector and becoming paramount for organisations to optimise their marketing and growth strategies and, ultimately, get ahead.
- Customer experience
Social media isn’t just about communicating a brand – it’s about learning what consumers want, and what they don’t want. It plays a key part in customer experience, which directly affects the way every business is perceived.
Many banking customers turn to social media to talk about their experiences with a brand and will sooner tweet the bank or post a scathing review on Google than call customer service about any issues.
Using social listening to monitor what customers think about everything, from their marketing campaigns to product quality and in-branch service, banks can uncover valuable information which allows them to positively impact a customer’s experience and commitment to their brand.
- Marketing campaigns
Banks’ marketing teams spend a lot of time coming up with new campaigns to launch but lack the insight into whether or why their campaigns have succeeded, and how to improve or build upon those efforts.
However, using social listening, they can identify ways to improve the value of their marketing campaigns by tracking changes in the volume of their brand’s mentions before, during and after. This will ultimately help determine how well they are working and highlight areas that need to be modified and improved.
Not only that, banks can use social listening to gather qualitative insight and decipher the reasons why specific campaigns have done well [or not so well]. Social listening allows them to quickly gather sentiment around specific campaigns and find out which aspects of the campaign are resonating with customers the most.
- Competitive analysis
Social listening enables banks to gather insight not only into their own brands, but into their competitors’ brands, too. Using semantic analysis, they can analyse what people say about one company compared to another and evaluate the share of conversation that takes place online about a given brand. Social listening can also make it easier for traditional banks to understand how their brand is doing compared to FinTech start-ups [challenger banks], which are becoming a growing threat to many banks and taking their customers away.
Social listening analytics reveal what customers like and dislike when it comes to challenger bank service features and give traditional banks the opportunity to upgrade their products and services to catch-up or [if they are really determined] gain a competitive edge, as well as understand how to market to customers interested in innovative app features.
- Identifying crises
With how fast-moving social media is, it takes no time at all for something to go ‘viral’, and therefore banking institutions need to monitor closely for negative press at all times. Unhappy customers can post anything they wish online to try and hurt their bank’s brand, regardless of whether their claims are based on fact, and their comments can quickly gain attention and be seen by thousands.
Banks can use social listening to catch potential crises as they emerge and shut down a problem in the early stages, so they don’t end up with a full-blown crisis management situation on their hands.
- Product development
Banks can power their product and service development by intelligently listening to social media and monitoring customer reviews. This allows them to gain additional input and ideas on how to better improve their existing offerings to suit the preferences and expectations of their customers, as well as to identify which new product lines to prioritise launching first. They can use social listening to test the waters before a new launch or roll-out, and reduce the risk involved in bringing new products or services to market.
The finance industry was slow to embrace social media, but the institutions that did take the plunge are reaping the benefits. Social intelligence will continue to transform the sector in years to come, and now is a critical time for the rest of the industry to follow suit if they want to remain competitive and drive stronger, profitable and mutually beneficial relationships in this new social reality.
Cloud in Banking: An Opportunity That Can’t be Ignored
By David Rimmer, Research Associate at Leading Edge Forum
Originally offered as a better way to build IT systems, cloud itself did not transform the business. Fundamentally, Infrastructure-as-a-Service (IaaS), as its name suggests, represented a new service model. IaaS brought a radical change in the commercial model for IT (rent vs. buy) and in the time taken to provision IT (instant self-service vs. the months of a standard procurement cycle), but ultimately the same system was still operating in a datacentre somewhere. ‘Lifting and shifting’ systems to the cloud delivered no discernible value for customers. At best, cloud enabled enterprises to provide value indirectly through ability to develop capabilities faster, for example by re-engineering and migrating systems to the cloud to harness its flexibility and speed.
This is absolutely not the case now. Cloud today is as much about delivering business capabilities as it is about IT. The hyperscalers are rapidly building out the range and number of services that they offer. For instance, at the end of 2017, AWS offered around 90 services; today the number is 225. The hyperscalers have expanded their portfolio of tools for developers to build cloud-native applications, thereby enabling more rapid development and testing, but the crucial departure from around 2017 onwards has been the addition of value-adding business components. In particular, the hyperscalers are building specialist services targeted at the major technology trends – for example: blockchain, Internet of Things, edge computing, immersive real-time experiences through 5G, streaming and visualisation, machine learning and artificial intelligence, unstructured data extraction and analysis, digital identity management, marketing analytics and automation.
The hyperscalers are also adding industry-focused solutions – for instance in banking: fraud APIs, payment services, financial data services and solutions optimised for specific core banking systems. Yet, for many, this mental transition has not yet been made, with people continuing to think that cloud is all about IaaS, when today it is as much about business components, and, in future, this will be even more so.
Developing your cloud strategy – it’s not just about IT, it’s about shaping the business
You can capitalise on the hyperscalers’ huge investment by intercepting their development path, gaining momentum in the market by exploiting the newest cloud services and avoiding investment in custom-building capabilities that will soon be available as a utility. At a higher level, you will want to understand which components with rich business value will soon be forthcoming so that you can short-cut the traditional product development cycle and afterwards ride a wave of future upgrades and enhancements.
Wardley mapping is a valuable aid in developing a strategy that makes optimal use of external capabilities and focuses a bank’s resources on the areas that will deliver the greatest return. In the Wardley map below, we have picked out just a fraction of the public cloud services now available for the banking industry to illustrate how cloud components can directly transform customer products and services, or provide capabilities for internal customers (developers, data scientists, UX designers, analysts, etc.). The vertical axis of the map reflects the degree to which a capability adds value to end customers: the horizontal axis shows the evolution of technology as it passes through stages from genesis, to custom-built, product and utility.
Capabilities that are new to the market (such as voice banking and blockchain-enabled asset management) feature in the genesis stage of the map. Under the custom-built stage come capabilities that are more mature but still highly unique to an individual enterprise, such as development of models and analytics on unstructured data. In the product column, capabilities are very similar from one bank to another, with a less direct yet still significant scope to impact end-customer services – for example, through faster product iteration.
Assembling cloud services to deliver cloud-native business capabilities in the banking environment
The increasing availability of business components opens up the prospect of cloud-native business capabilities that from the very start are conceived, designed and delivered through the cloud. Cloud-native business capabilities represent a higher level of abstraction than cloud-native applications. As a result, cloud-native business capabilities go that much further in enabling the speed, experimentation and ability to scale that underpin the competitiveness of a 21st Century Bank as it strives to bring new products and services to market in ever shorter cycles. In addition, cloud-native business capabilities change the role of the IT Function from developer-intensive build to more automated assembly of components.
So, what does this look like in practice? The Fundamental Review of the Trading Book (FRTB) is a set of rules, introduced under Basel III, to standardise the treatment of market risk and impose stricter capital requirements. In order to comply with FRTB, the main steps that banks need to take are to develop enhanced risk models; populate the models with bank positions and market data, such as prices and credit ratings; and run the models.
Banks can assemble capabilities from the cloud to meet FRTB in a faster and more effective manner than is possible using traditional solutions:
- Faster model development cycles allow “strats” to tune their models to reduce the amount of capital that the bank needs to hold.
- Common real-time reference data removes the need for the disparate reference data and interfaces to be found in most banks. The result is reduced cost, less complexity and standardisation between different parts of the bank.
- Since FRTB requires an increase in the number of models and their complexity, greater compute capacity is necessary (some experts project a twenty-fold increase). Moreover, because risk models are run only on an occasional basis to provide internal and regulatory reports, the burst capacity of cloud compute is a natural fit for running FRTB models. In contrast, traditional infrastructure would be sized for the peak, with substantial capacity remaining idle for most of the time.
By adopting a cloud delivery model to address FRTB, banks not only minimise their upfront investment and speed implementation, but going forward have greater flexibility, with ability to scale to meet new demands and capitalise on future investment by the cloud providers in model development and data services.
All this potential to exploit cloud for new products and services comes with a colossal proviso. Today’s catalogue of public cloud solutions can make a direct contribution to new products and services, but fundamentally what they offer is a basket of much more sophisticated components. These components still have to be assembled and configured. Business capabilities have to be built: processes redesigned, staff trained in new skills, culture aligned, new KPIs put in place, new organisation structures set up. Of course, for anyone with experience of business transformation this is no surprise.
The changing roles of business and IT leaders
At this point, it is clear that the transformation from build to assembly is of such a wide-ranging and fundamental nature that the active intervention of CEOs, COOs, CFOs and other business leaders is essential. However, the success in driving a cloud business strategy (as opposed to a cloud IT strategy) entails major changes in the roles of business and IT leaders.
CEOs, COOs & Boards
- Cloud business strategy – Once a cloud strategy has the potential to become a business-shaping strategy rather than an IT strategy, responsibility clearly needs to sit at the top of the enterprise. Here, vision and imagination in how and where to combine components that bring differentiation will be vital. Of equal importance will be championing this new perspective on how business capabilities can be built and challenging where traditional custom-build approaches are being applied without sound reasoning.
- Vendor strategy – As the richness of capabilities and the ease of integration between them increases, so critically does vendor dependence. This greatly raises the importance of vendor strategy. When you needed a vendor strategy for each level of the stack or each significant component, this responsibility sat in IT and procurement. If you are buying the entire stack and non-interchangeable modules with rich business capability – potentially across huge spans of your business – then these vendor strategies and relationships will sit at CEO or Board level.
- Operating model and culture – Some of the biggest barriers to strategy execution will be your existing operating model and culture. Both will require transformation in order to harness the potential to assemble business components from the cloud, rather than build systems and capabilities in-house using traditional tools and processes. Without drive from the top to change culture and operating models, any cloud strategy will remain still-born.
Business unit leaders & their IT partners
- Market insight – A critical role of business leaders and their IT partners is to understand where genuine differentiation can be gained in the market and how the current and future products of the cloud vendors can be assembled to enable this differentiation; or, alternatively, where custom-build and niche industry capabilities are the answer. In this process, it will be essential to understand the wider cloud strategy of your organisation so that you can see what capabilities have been or will be adopted elsewhere. This will drive re-use and simplification, which in turn bring lower costs and greater speed. Finally, business unit leaders and their IT partners will need close relationships with niche industry software companies and other IT firms to see where they can bring unique capabilities or act as partners in developing new solutions.
IT leaders & their teams
- Advice – With cloud strategy becoming a business issue, CIOs and their teams will play a vital role in educating and advising their colleagues about cloud capabilities and the individual cloud vendors. The industrialisation of IT through assembling rather than building components is a far cry from traditional models, so the extent of education and explanation that will be required should not be underestimated.
- Orchestration – As focus moves from build to assembly, the CIO and his or her team will become orchestrators of change. This is both in a literal sense by laying the technical foundations to assist assembly and inter-operation of cloud across the enterprise, and in a figurative sense through shaping and combining strategies from across the enterprise to ensure standards and re-use that are essential to low costs and flexibility. In fulfilling this role, definition of business and technical architectures will be essential, as these architectures will describe components and how they are combined.
- Vanguard of change – CIOs and their teams will play an essential role in galvanizing the organisation and acting as the vanguard for change. They will need to be cheerleaders for the changes in operating model and culture that are key to transformation. In addition, CIOs will on occasion need to recognise when traditional functions of the IT function (such as build and control) are a hindrance and they need to step aside to let business units take the lead.
Some practical steps to building your cloud strategy
So, what is your public cloud strategy? Here are some of the key questions that you will need to answer:
- What are the new products and services that will add most value to our internal and external customers?
- Which components are available from the cloud to support new products and services?
- How does the map look for each of the hyperscalers – they each have very different strengths and strategies – and which will provide the best fit for our business?
- How many cloud providers will we use? Will we go deep with one to drive fast and transformational change? Or will we partner with several to tap into different streams of innovation and maintain leverage in negotiations?
- In which areas will we want to devote our own resources to custom-build differentiating capabilities that cannot be sourced from elsewhere?
- Where will we use partners to assemble and manage cloud components because they bring distinct experience and skills, and/or the capabilities in question do not deliver meaningful difference in our customers’ eyes?
- What changes are required in the enterprise’s operating model to take advantage of potential to build cloud native applications and assemble (rather than build) cloud-native business capabilities?
- What does our composite map look like?
- Where do we begin?
Ignore it at your peril
The failure to see cloud for what it is and what it has to offer is currently widespread. However, experience shows that banks that can define a strong cloud strategy, and act on the business transformation needed in order to make it a reality, open up the potential for a market-leading competitive advantage. Building new products and services and replacing aging infrastructure, they are able to respond rapidly to market demands with low technical, regulatory and financial risks. Cloud is ready for banking. Banks now just need to decide whether they can really afford to ignore the opportunity.