Payment Services Directive (PSD2)

The following is a brief overview of PSD2 and the implications it has for Credit Unions in Ireland.


What is PSD2?

The main aim of PSD2 is to encourage new players to enter the payment market by mandating banks to “open up the bank account” to external parties. These Third Party Providers (TPPs) are divided into two types:

Account Information Service Providers (AISPs)

  • AISPs are providers that connect to payment accounts and retrieve information from them. The account holder (the member) first authorises the third party to access this data; the third party then authenticates to the relevant bank(s) over a secure connection, without ever handling the member's banking credentials, and downloads the member's transaction information.

Payment Initiation Service Providers (PISPs)

  • PISPs are players that can initiate payment transactions from an account. Today the only such options are (SEPA) Credit Transfers and debit cards, both offered only by the account holder's own bank. In future we will probably see several different payment options that move money directly from the account, without the need to use a wallet (e.g. PayPal).

Additionally there is the Account Servicing Payment Service Provider (ASPSP), the party that provides the account on which payments can be instructed; today this is typically the bank.


Accessing data at financial institutions: what do I need to know about authentication, security and the general process?

The Regulatory Technical Standards (RTS) governing API use and processes have been published and are expected to be formally adopted in the coming weeks (May 2017). The Credit Union, as an AISP, will have secure access to the API provided by the financial institution (ASPSP) for retrieving payment transaction data.

As part of on-boarding a member onto the platform (whether for loan underwriting specifically or for use of the member engagement tool), the member will be prompted to identify which banking institutions they hold accounts with and to provide an identifier and authenticate up front for each one (this is not their internet banking credentials but a new authentication method; see the appendix below).

In the case of AISPs, consent is asked for only once, as a general mandate for access to a designated payment account. It is given through Strong Customer Authentication (SCA) with the relevant bank and must be renewed at least every 90 days for continued access to the account information (balances and recent transaction details). Within that period the AISP can refresh the data automatically, without the member being present, up to 4 times a day; refreshes the member actively requests are not limited in this way.
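The consent rules above translate into two pieces of bookkeeping on the AISP (credit union) side: when SCA was last completed with the bank, and how many unattended refreshes have already been sent today. The following is an added illustration of that bookkeeping, not code from the original page or from any bank's API; the data structure, the function names, and the choice of UTC calendar days as the "day" boundary are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional, Tuple

SCA_VALIDITY = timedelta(days=90)   # SCA must be renewed at least every 90 days
UNATTENDED_PER_DAY = 4              # automatic refreshes allowed per calendar day


@dataclass
class ConsentRecord:
    """AISP-side state for one member's consent to one payment account."""
    last_sca: datetime                  # when SCA was last completed with the bank
    unattended_day: Optional[date] = None
    unattended_count: int = 0


def record_sca(rec: ConsentRecord, now: datetime) -> None:
    """Called after the member completes SCA with the ASPSP again."""
    rec.last_sca = now


def claim_refresh(rec: ConsentRecord, now: datetime,
                  member_present: bool) -> Tuple[bool, str]:
    """Decide whether a balance/transaction refresh may be sent now, and if it
    is an unattended one, count it against today's quota.

    Returns (allowed, reason). Reasons: 'sca_required' when the 90-day window
    has lapsed (applies even if the member is present), 'daily_limit' when the
    four unattended refreshes for today are used up, 'member_present' or
    'unattended' when allowed. A refresh the member actively requests does not
    consume the daily quota.
    """
    if now - rec.last_sca >= SCA_VALIDITY:
        return False, "sca_required"
    if member_present:
        return True, "member_present"
    today = now.astimezone(timezone.utc).date()   # assumption: UTC day boundary
    if rec.unattended_day != today:               # new day: reset the counter
        rec.unattended_day = today
        rec.unattended_count = 0
    if rec.unattended_count >= UNATTENDED_PER_DAY:
        return False, "daily_limit"
    rec.unattended_count += 1
    return True, "unattended"


if __name__ == "__main__":
    # Constructed sample: consent given on 1 May 2017, five scheduled refreshes
    # one hour apart; the fifth is refused, a member-requested one is not.
    t0 = datetime(2017, 5, 1, 9, 0, tzinfo=timezone.utc)
    rec = ConsentRecord(last_sca=t0)
    for h in range(1, 6):
        print(h, claim_refresh(rec, t0 + timedelta(hours=h), member_present=False))
    print("member", claim_refresh(rec, t0 + timedelta(hours=6), member_present=True))
    print("day 90", claim_refresh(rec, t0 + timedelta(days=90), member_present=False))
```

The check on the 90-day window comes first on purpose: once it has lapsed, not even a member-initiated refresh should go out until SCA has been repeated, and the scheduler should prompt the member rather than silently failing.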

Data Quality

ASPSPs shall provide account information service providers (AISPs) with the same information from designated payment accounts and associated payment transactions that are made available to the payment service user when they directly access the account information.

Can you give me more details on the API?

Some key features of the API include:

  • A common format for exchanging data is enforced (ISO 20022)
  • Authentication codes are used to secure requests between the AISP (credit union) and the ASPSP (bank).
  • Authentication is based on at least two independent factors, producing a dynamic, one-time authentication code
  • Currently it is down to each ASPSP to decide how to implement the specifics of strong customer authentication (adhering to the overarching principles of dynamic codes and risk levels)
  • They are also free to decide whether to provide one single API to AISPs, PISPs and other PSPs or a dedicated one for each type of service.
  • Encrypted communication is enforced
  • No person, including the provider's own staff, can read or access credentials or authentication codes

Can you give me more details on the SCA?

SCA (strong customer authentication) is governed by the following principles:

  • An authentication code times out after at most 5 minutes (only relevant for payment initiation)
  • At most 5 consecutive failed authentication attempts are allowed before further attempts are blocked
  • On failure, no indication of which piece of information was wrong should be given to the user
  • It must not be possible to reconstruct an authentication code from previously issued ones
  • For payment initiation the authentication code must be dynamically linked to the amount and the payee, so a code issued for one transaction cannot be reused for another
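The list above reads as a set of rules; the following is an added example, not code from the original page, a bank or the RTS, showing what they look like when a verifier is actually built around them. The design is an assumption for the example: the possession factor holds a per-device key, the code is an HMAC-SHA256 over a fresh nonce plus the amount and payee (that binding is the dynamic link), the verifier recomputes the code from the transaction it is about to execute rather than trusting what was displayed, every rejection returns the same message, and five consecutive rejections lock the payer. The IBAN and key are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_DIGITS = 8          # assumed code length for this example
CODE_TTL_SECONDS = 300   # 5-minute maximum lifetime, as in the list above
MAX_FAILURES = 5         # 5 consecutive failures, as in the list above
GENERIC_FAILURE = "Authentication failed"   # same text for every failure cause


@dataclass
class Challenge:
    """One payment-initiation challenge shown to the payer (amount and payee
    are displayed together with the request for the code)."""
    nonce: bytes
    amount: str        # e.g. "125.00"
    payee_iban: str
    issued_at: float   # seconds since the epoch


@dataclass
class PayerState:
    """Per-payer failure counter kept by the verifying side."""
    failures: int = 0
    locked: bool = False


def _derive_code(key: bytes, nonce: bytes, amount: str, payee_iban: str) -> str:
    """Code = HMAC-SHA256(key, nonce || amount || payee), truncated to digits.

    The keyed MAC over a fresh nonce means no code can be derived from earlier
    ones, and binding amount and payee into the MAC is the dynamic link: a
    code issued for one transaction does not verify for a different one."""
    msg = nonce + b"|" + amount.encode() + b"|" + payee_iban.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    n = int.from_bytes(digest[:8], "big")
    return str(n % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def issue_challenge(amount: str, payee_iban: str,
                    now: Optional[float] = None) -> Challenge:
    """ASPSP side: start a new SCA for a payment of `amount` to `payee_iban`."""
    issued = now if now is not None else time.time()
    return Challenge(secrets.token_bytes(16), amount, payee_iban, issued)


def generate_code(device_key: bytes, ch: Challenge) -> str:
    """Possession-factor side (e.g. the payer's app, holding `device_key`)."""
    return _derive_code(device_key, ch.nonce, ch.amount, ch.payee_iban)


def verify(device_key: bytes, state: PayerState, ch: Challenge,
           presented_code: str, amount: str, payee_iban: str,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """ASPSP side: check the code against the transaction actually being
    executed (`amount`, `payee_iban`), not against whatever was displayed.

    Every rejection returns the same message and counts towards the lockout,
    so a caller cannot tell an expired code from a wrong one, or a tampered
    amount from a wrong code."""
    now = now if now is not None else time.time()
    if state.locked:
        return False, GENERIC_FAILURE
    expected = _derive_code(device_key, ch.nonce, amount, payee_iban)
    fresh = 0 <= (now - ch.issued_at) <= CODE_TTL_SECONDS
    matches = hmac.compare_digest(expected.encode(), presented_code.encode())
    if fresh and matches:
        state.failures = 0           # a success resets the consecutive count
        return True, "OK"
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.locked = True
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # would be provisioned to the payer's device
    st = PayerState()
    payee = "IE00BANK00000000000000"     # constructed placeholder IBAN
    ch = issue_challenge("125.00", payee)
    code = generate_code(key, ch)
    print(verify(key, st, ch, code, "125.00", payee))    # (True, 'OK')
    print(verify(key, st, ch, code, "1250.00", payee))   # (False, 'Authentication failed')
```

Two details matter in practice. The verifier derives the expected code from the amount and payee it is about to execute, so a man-in-the-browser that changes the transaction after the payer has read the screen produces a mismatch rather than a silently altered payment. And the failure path is uniform: same message, same counter increment, whether the code expired, was mistyped, or the transaction was tampered with.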

Are there Regulatory Exemptions for Credit Unions?

Indemnity is in place at the moment for loan and savings (share account) data for Credit Unions

After PSD2 all Credit Unions can become AISPs, can access members' payment transaction data at other financial institutions with the members' consent, and, if they do not provide current account services, should be exempt from having to share data outwards.

For Credit Unions that have only share/loan accounts but see payment transactions on those accounts (such as a direct debit), verification is being sought from the regulator to confirm that they will remain exempt from having to provide an outward feed of payment transaction data.