Shaping the Digital Transformation –
Open banking is becoming a reality: With the PSD2 regulation of the European Banking Authority (EBA), banks will no longer be the only ones able to offer payment services to their customers. Any company can become a payment institution once it has been approved by the EBA. But what are the opportunities and challenges associated with the new Open Banking business models?
- What you need to know - the most important information
- Opportunities and potentials of licensing as a payment institution
- In detail: New supervisory regulations for payment service providers
- Comprehensive requirements for the application for approval
- How we support you - the approval package of 4C GROUP AG
What you need to know - the most important information at a glance
- With entry into force of the "Payment Service Directive 2" (PSD2) of the European Banking Authority (EBA) on 13 January 2018, not only banks but all companies will have the opportunity to become providers of payment services (Third Party Providers - TPP). Companies can, for example, offer their customers new services based on their customers' account information.
- At the same time, all companies that provide payment initiation services and account information services will be placed under the supervision of the regulatory authorities (Bundesanstalt für Finanzdienstleistungsaufsicht - BaFin).
- Providers of payment services must therefore apply to BaFin for approval or registration in a separate procedure.
- The concrete application for authorization or registration can present obstacles, as the supervisory requirements are comprehensive; in addition, numerous conceptual questions have to be answered during implementation - this can become a challenge especially for non-banks, which are not already subject to banking supervisory regulations, or for small companies.
- Whether you are already a financial services provider or not - we at 4C GROUP AG support you with our approval readiness package that ensures effective and efficient compliance with supervision requirements for approval as a payment institution. This way you can quickly take advantage of the opportunities offered by Open Banking business approaches.
Opportunities and potentials of licensing as a payment institution
The specifications of the PSD2 allow companies to become payment institutions and use the opportunities offered by Open Banking to expand their business model in the future:
- This could be, for example, the analysis of customer information to tailor your own service portfolio according to customer needs. For example, you could identify gaps in your customers' insurance coverage and offer suitable products to close them.
- Another example: By using payment initiation services, providers of online shops can initiate payment transactions directly from their customers' accounts without having to integrate payment service providers such as PayPal.
- Another possibility arises from the cooperation with platform providers or service providers who enrich your existing services with added value for customers or your company. For example, an immediate, convenient credit check when taking out online loans using valid creditworthiness data.
In detail: New supervision rules for payment service providers
As part of the implementation of the second Payment Service Directive (PSD2), the European requirements were transposed into German law with the Zahlungsdiensteaufsichtsgesetz (ZAG). Accordingly, financial service providers and third-party providers with account-related services are under the supervision of the regulatory authorities if they provide payment initiation services or account information services.
The supervisory regulation simultaneously standardizes and opens payment institutions. In principle, this gives any company the opportunity to become a provider of payment services. This creates opportunities for new business models alongside traditional financial service providers and start-ups.
In order to ensure the security of end customer data when account information is used by payment institutions, they are approved and regulated in Germany by BaFin. Important: Only approved providers will be allowed access to the interfaces of banks or account-holding financial service providers.
This is also relevant for software providers: Technology providers currently use test certificates for the further development of third-party software and, in particular, for software testing. It is becoming apparent that test access will in future only be granted to approved companies.
Comprehensive requirements for the application for approval
Opportunities are accompanied by challenges. For the first time, payment service providers are subject to regulation by supervisory authorities when accessing sensitive user information. In order to be allowed to use the API interfaces supplied by banks and the account information provided, a corresponding authorization or registration with BaFin must be applied for.
In order to obtain approval for the provision of payment services, requirements regarding organizational units, processes and technical obligations must be met (excerpt):
In order to meet the licensing requirements and ongoing obligations, third-party providers may have to make organizational adjustments. Examples are
- compliance with the requirements for the prevention of money laundering
- the maintenance of adequate security systems (Money Laundering Act)
- proof of Business Continuity Management
- ensuring organizational control and security measures
- documentation of corporate management processes
- the implementation of a comprehensive risk analysis and implementation / documentation of the associated control mechanisms
In addition, there are requirements for regulatory processes:
- Compliance with the requirements for regulatory processes and reporting obligations (e.g. an incident management system)
- Transmission of regular reports to BaFin / Bundesbank
- Compliance with the requirements for emergency processes and safety concepts
IT and data security measures are also affected: From ensuring secure connections and data transfers by means of Qualified Website Authentication Certificates (QWACs) or Qualified Electronic Seal Certificates (QSEALs), to the processing of sensitive payment data and risk management as well as fraud prevention processes - IT is extensively challenged by the PSD2 approval requirements and is significantly involved in both implementation and ongoing operations.
In addition, meeting the requirements calls for measures relating to employees (e.g. training measures, establishment of new roles if required).
Amongst financial services companies that do not hold a banking licence, such as insurance companies, the requirements mentioned above are already partially anchored in existing supervisory and regulatory requirements. For example, the Supervisory Requirements for IT in Insurance Undertakings (VAIT) imposed by BaFin since 2018 already demand significant parts of the IT requirements of PSD2 Third Party Providers. Solvency II also defines extensive requirements for the risk management of insurance companies.
How we support you – the approval package of 4C GROUP AG
We write the application for approval for you: 4C GROUP AG supports you in preparing and drafting the application for approval as a payment service provider. Thanks to our many years of experience in the field of regulatory management for banks and financial service providers, you benefit from our knowledge and experience for your PSD2 approval. With us, your application for approval is in professional hands.
Licence Management:
Our project team prepares the application for approval as a payment institution to the BaFin, including compilation and, if necessary, completion and adaptation of all relevant information, individually tailored to your company and requirements. The application is prepared quickly and efficiently based on the experience, methods and tools of 4C GROUP AG. Specifically, two tools are of particular importance here:
- Requirement tool: 4C GROUP AG has developed a tool for identifying the requirements in accordance with the ZAG and the EBA guidelines for approval as a payment institution.
- Application form: In addition, 4C GROUP AG has developed a template for the admission application - with numerous formulations and text modules; in the application phase, we can thus focus on the contents.
Organizational Readiness:
During the preparation of the application for approval, the relevant processes and organizational requirements are aligned with the requirements of BaFin.
Technical Readiness:
Together with our implementation partner, adorsys GmbH & Co. KG, we can also realize the technical implementation in order to enable an even faster implementation of your business model as well as to guarantee the fulfillment of the approval requirements.
Our brochures on PSD2
E-booklet PSD2 - Digital Transformation, Whitepaper PSD2
4C GROUP AG | PSD2 - Digital Transformation
- Opportunities of the PSD2 at a glance
- Requirements of the PSD2
- The regulatory challenge: What non-banks need to consider
- Approval package of the 4C GROUP
Whitepaper on PSD2 - What the IT of Third Party Providers needs to consider when providing PSD2 services
- What should be considered when mapping PSD2 services?
- What are the service-related IT requirements?
- How should framework IT requirements be defined?
Our experts for approval as payment institution (PSD2)
Get in touch with us through Xing or LinkedIn

Dr. Heiko Mauterer
Master of Engineering and Business Administration
In consulting, creating benefit for a customer is considered to be a given. In practice, this is not necessarily the case, at least according to Dr. Heiko Mauterer's experience in several management positions in banking. Creating true value is a key concept for him, one that determines his thinking as well as his work with his clients. Where applicable, all benefit aspects are, in his eyes, to be quantified and made measurable. And that is not self-evident either.
Heiko Mauterer has outstanding experience in financial services and focuses on regulatory management, Human Resources, digitization, operations and project management.

Daniel Lovric
Diplom Business Data Processing Specialist
Customers today expect far more than project management and methodological skills from their consultant, which imposes modified and additional requirements on a consultant's role. Expert skills and transformational competences, combined with industry experience and the mandatory overall view, are capabilities Daniel Lovric actively contributes to his consulting work with great enthusiasm. These are the decisive prerequisites for true added value and ultimately for the client's bottom-line results.
Daniel Lovric has extensive experience in the financial services sector and focuses strongly on regulatory management, including regulatory framework, regulatory IT management, risk reporting, predictive risk management and fraud detection (RegTech).
