The Digital Agenda for Payment Services
Nilixa Devlukia
Financial Conduct Authority
30 September 2015
How We Pay?
[Timeline graphic]
Dates shown: A really long time ago; 1200 BC; 1000-600 BC; 80 BC; 1789; 1966; 1967; 2012; 2015
Events shown: Barter; Coins made from base metals appear in China; Bank of England first issues a £10 note; First cash machine in the world installed by Barclays; Contactless payments introduced on London buses; Apple Pay
What is Digital?
Replacement of cash?
Replacement of bricks and mortar?
Mobile money?
Benefits
• Inclusion
• Ease of use
• Speed
• Access
• Tailored services
Potential Pitfalls
• Exclusion
• Consumer understanding/protection
• Security
• Behavioural changes
• Complexity
• Cost
The Wider Galaxy (not far far away!)
PSD II - Timeline
• Compromise text published in June.
• Publication in OJ expected late 2015 – enters into force 20 days later
• Transposition deadline 24 months after publication (late 2017)
• NB – EBA RTS on SCA and secure communication subject to a different timeline
! EBA RTS on strong customer authentication & secure communication expected to take effect in 2018
What’s changed - Scope
PSD1 (EEA currency): conduct of business requirements apply intra EEA (both legs in EEA)
PSDII (EEA and non EEA currency): conduct of business requirements apply intra EEA (both legs in EEA)
PSD2 (EEA and non EEA currency): conduct of business requirements apply for that part in the EEA (one leg)
X
X
Some information requirements excluded
Execution time
What’s changed - Reporting – more, more and more…
Note – interaction with NIS directive
• Mandates regular assessment and reporting of security risks to CAs
• Annually - an updated and comprehensive assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks
• Obligation to report individual incidents and upward reporting by the competent authority
• When the incident could impact the financial interests of users, the PSP shall inform them too
• Annually - statistical data on fraud related to different means of payment to their competent authority
Two New Payment Services
• PSD2 regulates two new payment services:
1. Account Information Services (AIS) - account aggregation
2. Payment Initiation Services (PIS)
• Mandates third party access with user consent to payment accounts accessible online
• Introduces a liability regime for AIS and PIS
• Obligation to indemnify ASPSP losses
• Lighter touch supervision regime for AIS
• Note - Specific provision for instrument issuers (Article 57a) – clarity required for e-money providers
EBA RTS for Strong Customer Authentication
SCA requires at least two of the following whenever a payer:
• Accesses their payment account
• Initiates a remote payment
• Carries out any action with a risk of fraud or other abuses through a remote channel
Elements must be independent so that breach of one does not compromise the integrity of the others
EBA RTS for Secure Communication
• Emphasis on AIS/PIS but standards will apply to all communication sessions between all parties
• Will also protect integrity and confidentiality of user’s personal security credentials
• Standards will cover:
1. Identification
2. Authentication
3. Notification
4. Information
5. Security measures
Role of the EBA
• 14 PSDII Mandates
• Tight timelines
• Running alongside UK implementation
• Top tip! Respond to EBA consultations
Next steps
Publication of the final text in late 2015
2016 onwards: EBA work on its mandates
2016: UK transposition
2017: UK transposition
Thank You