Tom Hay – Head of Payments at Icon Solutions
The wait is over. The European Banking Authority (EBA) has recently published its ‘final’ draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication under PSD2. PSD2 and particularly the SCA aspect has the potential to dramatically change not just the payments sector but the wider banking market and has been the subject of heated discussions and aggressive lobbying.
The market has therefore been waiting with bated breath to view and digest the finalised standards. The final RTS provides clarity on a number of ambiguities contained in the draft version and covers a great deal of ground. However, like a Christopher Nolan movie it still leaves you hanging with unanswered questions at the end.
With the document standing at more than 150 pages it can be difficult to identify the major points and key changes from the draft version. To help, here’s a distillation of the paper, covering ten points we believe the market needs to heed:
- Banks to define their own interfaces
The RTS does not provide definitions of the interfaces needed. Luckily some industry groups (e.g. Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. It’s up to the banks to define their own interfaces, but at least they will have some de-facto standards to base them on.
- APIs, not screen scraping
Rationale 32 says that “screen scraping will no longer be allowed”, but something that looks a lot like screen scraping is still allowed. TPPs using this interface must digitally sign the messages to identify themselves, which is at least a step forward; however, other security holes associated with screen scraping remain. Note that if a bank provides a “dedicated” (API) interface, TPPs must use it.
- Payment security up to the banks
It is up to the bank to authenticate their customer. Recital 14 now says that “PIS Providers have the right to rely on the authentication procedures provided” by the bank; there is no right in the opposite direction. Therefore, PISPs (Payment Initiation Service Providers) must pass control to the bank to authenticate the customer – the PISP can’t apply its own authentication, then tell the bank to “just do it”.
- Authentication codes
Article 4.1 says that “The authentication code shall be accepted only once”. This is fine for a single payment initiation, but the RTS allows TPPs to initiate a series of payments, and to retrieve account information, with SCA applied only the first time. Presumably the original authorisation code must be presented for all subsequent accesses, but this is not compatible with the “only once” provision in 4.1.
For payment transactions, the authentication code has to be dynamically linked to the transaction details. There’s a possible gap because the amount and payee are dynamically linked, but not the payment reference. In cases where the reference determines the beneficiary, such as credit card payments, this could become a security vulnerability.
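The single-use rule and the dynamic-linking gap described above can be seen side by side in the following added example, which is not code from the RTS or from this article. It assumes an HMAC-SHA256 construction (the RTS does not prescribe one), and the class name, function name and payment values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


class AuthCodeService:
    """Bank-side issue/verify of a single-use, transaction-bound authentication code.

    Hypothetical sketch: the HMAC construction is an assumption, not taken from the RTS.
    """

    def __init__(self, key: bytes, bind_reference: bool):
        self._key = key
        self._bind_reference = bind_reference
        self._used_nonces = set()

    def _tag(self, nonce, amount, payee, reference):
        fields = [nonce, f"{Decimal(amount):.2f}", payee]
        if self._bind_reference:
            fields.append(reference)
        # Length-prefix every field so characters cannot be shifted between fields.
        msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount, payee, reference):
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._tag(nonce, amount, payee, reference)}"

    def verify(self, code, amount, payee, reference):
        nonce, _, tag = code.partition(".")
        expected = self._tag(nonce, amount, payee, reference)
        # Check the binding first so a mismatching request cannot burn a valid code.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: transaction details do not match the code"
        if nonce in self._used_nonces:
            return "rejected: code already used"
        self._used_nonces.add(nonce)
        return "accepted"


def run_scenarios(bind_reference):
    """Issue a fresh code per scenario and report how the bank treats each request."""
    bank = AuthCodeService(secrets.token_bytes(32), bind_reference)
    # Constructed values: a card repayment where the reference selects the card account.
    amount, payee = "250.00", "CARD-ISSUER-COLLECTION-ACCOUNT"
    approved_ref, other_ref = "CARD-ACCOUNT-A", "CARD-ACCOUNT-B"
    out = {}
    code = bank.issue(amount, payee, approved_ref)
    out["reference changed"] = bank.verify(code, amount, payee, other_ref)
    code = bank.issue(amount, payee, approved_ref)
    out["amount changed"] = bank.verify(code, "999.00", payee, approved_ref)
    code = bank.issue(amount, payee, approved_ref)
    out["as approved"] = bank.verify(code, amount, payee, approved_ref)
    out["same code again"] = bank.verify(code, amount, payee, approved_ref)
    return out


if __name__ == "__main__":
    for bind in (False, True):
        print("reference bound:", bind)
        for scenario, result in run_scenarios(bind).items():
            print(f"  {scenario}: {result}")
```

With only amount and payee bound, the request with a different reference is accepted; binding the reference as well makes the bank reject it, while the single-use check behaves the same in both modes.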
- Exemptions from Strong Customer Authentication
This is the area of the RTS that has changed most, and has become more practical. Changes include:
- For contactless card payments, the single transaction value is raised to €50, and the option to count five consecutive non-SCA transactions has been added to provide balance to the previous impractical requirement to just accumulate payment values.
- A vital exemption for unattended transport and parking terminals has helpfully been included.
- No SCA is required for payments to trusted beneficiaries. Comment 79 also clarifies “The exemption for trusted beneficiaries only applies to payment transactions made on an online account by the payer. The PISP cannot create a list of trusted beneficiaries.”
- The low value payment exemption is raised from €10 to €30, with a cumulative value of €100 or a cumulative count of 5, aligned to the contactless exemption
- Real Time Fraud Detection and Prevention
Whereas the previous draft mandated real time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high risk transactions being blocked for suspected fraud, and low risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures.
- Sensitive payment data
The final draft still says that ASPSPs (account servicing payment service providers), effectively banks, must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, “provided that this information does not include display of sensitive payment data”. “Sensitive” is still not defined, leaving it to the bank to decide what to redact.
- Use of eIDAS authorities
The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (or “qualified certificates for electronic seals or website authentication”, as the regulation would have it) issued under Regulation 910/2014, aka eIDAS. Given the extended timeline for enforcement of the RTS – November 2018 being the earliest date, with serious discussion of April 2019 – there is still time for organizations to step up and put the required infrastructure in place to move eIDAS from dream to reality.
- Card Not Present requires Strong Customer Authentication
Unless a card transaction falls under one of the exemptions, it must go through SCA. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves possession, which along with knowledge satisfies the ‘two-factor’ requirement. It looks like 3-D Secure 2.0 will be sufficient to allow SCA exemptions to be applied, but if the transaction is not exempt, it’s up to the issuer to drive the SCA process.
- Trusted Execution Environments for multi-purpose devices
The previous draft specified that multi-purpose devices (mobile phones and the like) had to use a Trusted Execution Environment (TEE) for security. TEE is a well-defined, tried and tested standard, but it seems the EBA has caved in to pressure from organizations lobbying for non-standard (and in some cases less secure) solutions. The RTS now mandates a ‘Secure Execution Environment’ which has no current industry definition, so mobile security effectively becomes a free-for-all again. Caveat emptor!
The RTS has yet to be adopted by the European Commission, so there is still an opportunity for lobbying by Member States and industry groups and organizations. Be that as it may, it’s clear that no further significant clarifications will be forthcoming from the EBA. It’s now up to banks, TPPs and other payment service providers to get on with implementation, guided by national authorities, industry groups, compliance officers and technology experts. The “access to account” services specified in PSD2 Articles 65-67 have to be available from Jan 2018, and even though the security and communications standards in the RTS do not become mandatory until the end of the “transitional” period, there’s sufficient clarity to start moving in that direction prior to the mandate.
If you would like more information on the matter, you can read our ‘Fast Track to PSD2’ whitepaper.
UK banks face savings glut on road to pandemic recovery
By Iain Withers and Lawrence White
LONDON (Reuters) – Britain’s big four banks amassed more than 200 billion pounds ($277.52 billion) of new deposits last year as customers reined in spending through pandemic lockdowns, far outstripping extra lending to struggling businesses and households.
Full-year earnings reported by HSBC, Barclays, Lloyds and NatWest last month revealed the extent to which lenders’ finances have been upended by the crisis.
The banks now face a glut in savings, a Reuters analysis of the banks’ results shows, as domestic customers of the four lenders deposited 221 billion pounds of extra cash.
By contrast, despite banks doling out billions of pounds of state-guaranteed finance to companies since the pandemic hit, their net lending growth in the UK overall was 53.4 billion pounds – a quarter of the growth in deposits.
The more limited lending growth can be explained by a fall in appetite for some lending, particularly consumer credit, where separate Bank of England data has shown Britons paid back 13.8 billion pounds in the last year.
More deposits help shore up bank finances, but are not necessarily good news for lenders when central bank interest rates are near zero, making it hard to lend profitably.
That explains the heavy focus on wealth management in banks’ strategy updates last month, as they race to earn more from fees to compensate for low lending margins.
Banks have said they expect a customer spending splurge as Britain comes out of its latest lockdown in the coming months, which may go some way to eating into the deposits pile.
Graphic: UK deposits grew much faster than lending in 2020
The bulk of UK bank profits are made on the difference between the interest gained on lending and paid out on deposits.
The crunch in consumer credit therefore severely dented lender income, compounded by the fact the Bank of England cut benchmark rates to an all-time low of 0.1%.
This double whammy can be seen in sharp drops in income at the two domestically-focused banks – NatWest and Lloyds – where income fell 24% and 16% respectively last year.
The fall was a more modest 10% at HSBC, which benefited from a more international footprint and exposure to markets in Asia that proved more resilient over the year.
Barclays bucked the trend entirely, with income overall edging up 1% thanks to a stellar year for its investment bank in pandemic-driven volatile markets that offset woes in retail.
Graphic: Bank income crunched, Barclays lifted by trading arm
The big unknown for the banks remains how severe a hit the crisis will deal to their loan books, once government stimulus packages to support consumers and businesses are phased out.
The four banks have set aside nearly 19 billion pounds worth of provisions between them for loans expected to go bad due to the crisis.
These provisions were largely front-loaded in 2020, with the bulk taken in the first half of the year – as lenders are required to book ahead of time under forward-looking accounting rules known as IFRS9.
Despite the torrid economic backdrop, the provisions in the last two quarters were back to pre-crisis levels at at least some of the banks – a reflection of the impact of ongoing government stimulus.
Britain’s Finance Minister Rishi Sunak is expected to extend support again on Wednesday when he lays out his annual budget plan that is expected to pile more borrowing on top of almost 300 billion pounds of COVID-19 spending and tax cuts.
Banks know there is a great deal of delayed pain to come and it is unclear whether their provisioning to date is sufficient.
Graphic: Bad loan provisions were frontloaded in 2020
Solving this conundrum will be key to jump-starting British banks’ share prices, which have languished in recent years over fears about Brexit and near-constant restructuring that has crimped profits.
Optimism over vaccine rollouts has seen the lenders’ shares climb back towards pre-pandemic levels since the autumn, but that still leaves them near 12-year lows.
Graphic: Bank shares since pandemic hit UK
(Reporting by Iain Withers and Lawrence White; Editing by Susan Fenton)
Data: the much-needed procurement adrenaline shot, helping banks remain competitive in the race for innovation
By Toby Munyard, Vice President, Efficio Consulting
Like a flip-switch, the pandemic saw many industries pushed over the innovation tipping point, accelerating digital transformation efforts at a pace never seen before. After all, consumer behaviour has changed dramatically – a lack of face-to-face contact with businesses has meant that organisations are having to turn to digital methods in order to keep customers engaged. Meanwhile, the sudden shift to remote working has put immense pressure on organisations to digitise internal processes.
For the world of banking, the need to continuously drive innovation has been a key pressure point for many years. And now, that pressure is building. Challenger banks, such as Monzo, Revolut and Starling, continue to cause huge waves within the financial services industry, due to their digital-first approaches. These, often start-up brands, have the advantage of operating nearly solely online, with none of the legacy systems in place to hold them back from innovation. However, even these brands haven’t been immune to the vast impacts of COVID. Consumers are getting increasingly tech-savvy, and operating on a digital-first model is no longer enough in its entirety. In today’s increasingly competitive environment, banks must modernise their entire technology functions to support both the front and back ends of their businesses.
That said, in such a competitive environment with rising cost pressures, innovation of this kind can feel out of reach for banks. After all, banks are often a low-growth environment, and optimising the cost of operations can typically take at least five years or more. Another key sticking point for banks when pursuing innovation is the added complexity and costs surrounding regulation. Unfortunately, regulation is part and parcel for any financial service. And new innovations and product offerings will only increase the need for compliance.
So, with myriad challenges facing the industry, how can banks compete in the race to innovation?
To be able to invest in a digital-first future, the journey begins with the procurement function. Whilst it is impossible to have complete control over revenue, one thing a business can control is cost.
Effectively optimising operational and business costs will be key to freeing up valuable liquidity to fund new digital initiatives. But this requires a proactive approach to supplier management. Rather than relying on supplier rebates once a deal is done, the CPO (Chief Procurement Officer) must effectively influence and ensure efficiency from the beginning of a relationship to achieve significant savings.
For existing suppliers, a step change may be required in order to steer this initiative. Getting the right supplier onboard and having forward-looking conversations about new trends in the market will be pivotal. After all, these suppliers will be key to driving digital plans forward. Suppliers providing products and services where demand is declining should not be neglected. Chances are that because of the trends in the market, they are keen to maintain and gain as much business as possible, meaning preferable deals may be available.
In addition to effective supplier management, a review of internal systems is urgently needed to aid cost-reduction on a long-term basis. Traditional banks are often made up of a range of complex legacy systems that allow for very little flexibility in a new digital age. The key here will be to simplify these systems, whilst integrating solutions such as robotics, AI, and SaaS to ensure they are running as efficiently as possible.
Data – procurement’s secret weapon
To be successful on any cost-reduction mission, however, the CPO must be aided by accurate, up-to-date, intelligent data. Without it, the long-term, sustained change needed to outmanoeuvre new market entrants simply cannot be achieved.
After all, the intelligence derived from good, high-quality data provides the CPO with much-needed visibility in which informed decisions over cost-reduction can be made. It is only with this visibility that organisations can identify opportunities and deliver efficiencies that lead to sustained cost savings.
Architecture that can effectively connect to anything, anywhere, will be an essential tool to ensure the CPO is presented with all the relevant data – for example, linking enterprise databases, data warehouses, applications, legacy systems, and Cloud services to comparable systems at partners and suppliers. Integrating with apps, wearables, and mobile devices at an individual user level, and using an enterprise mobility strategy to link to employees and contractors and third party ‘big data’ sources, will also help to provide a complete view.
Harnessing the power of data
Whilst a necessary tool for procurement, being faced with a mountain of data can be overwhelming and actually hinder performance if it is not captured and interpreted correctly. Typically, within financial services, there is a huge amount of data being captured within Enterprise Resource Planning (ERP) and other finance-based systems that is not being analysed. As a result, efficiencies are missed, and the organisation remains stagnant in the digitalisation journey. To truly harness the power of data, the procurement team must ensure it has access to the right skills and have the right talent in place. This may require additional training, or consultancy to leverage data effectively and to execute successfully in today’s agile and fast-paced environment.
Ultimately, to remain competitive, banks must put the power back into the hands of procurement. By providing the CPO with the right tools and responsibility, the procurement function can align to the strategic targets set out across the business.
Good data, when teamed with effective procurement capability, will be a much-needed adrenaline shot for finance companies. Whilst challenger brands may only be running a 400-metre sprint in terms of digitalisation, in comparison, traditional banks are running a marathon. Stamina and the need for long-term efficiencies will be pivotal to win in a race of innovation.
Bank of Ireland limits 2020 loss with strong second half, shares rise
By Padraic Halpin
DUBLIN (Reuters) – Bank of Ireland limited its underlying 2020 loss to 374 million euros ($452 million) after a return to profitability in the second half, the bank said on Monday, sending its shares more than 5% higher.
Ireland’s largest bank by assets also announced the closure of one-third of its branches in Ireland, 10 days after NatWest said it would wind down its Irish arm Ulster Bank.
The bank set aside 1.1 billion euros to cover possible loan defaults due to COVID-19 disruption, the bottom of its forecast range and which it expects to capture the majority of credit impairment risk associated with the pandemic.
An underlying 295 million euros second half profit limited the damage as lending and business income improved, trends Chief Financial Officer Myles O’Grady said continued into 2021, even though Ireland was in a long lockdown again.
“It’s clear that there is some impact from this lockdown but the signals overall are encouraging. We do think (the second half) will be a return to a more normalised level of activity,” O’Grady told Reuters.
Shares in the bank were 5.1% higher at 3.6 euros by 0910 GMT.
The bank cut its costs by 4% year on year in 2020, meaning it achieved its 1.7 billion euro annual cost target one year early. It set a new goal of cutting costs further to 1.5 billion euros by 2023.
That will partly be achieved by branch closures, with its Irish network cut to 169 from 257 from September and Northern Irish presence more than halved to 13. It struck a deal with the Irish post office to offer customers access to banking services at An Post locations.
The head of Ireland’s Finance Services Union described the announcement of closures in the middle of a pandemic as a “shameful act” that needed to be reversed.
Bank of Ireland’s core Tier 1 capital ratio, a key measure of financial strength, stood at 13.4% versus 13.5% at the end of September. The bank said it expected capital to remain broadly in line with those levels in 2021.
The bank’s guidance for this year should support the restart of distributions to shareholders in relation to full-year 2021 results, Chief Executive Francesca McDonagh said, adding that future distributions will likely include share buybacks.
($1 = 0.8272 euros)
(Reporting by Padraic Halpin; Editing by Edmund Blair)