RTGS time limit for the transaction

Recent developments in payment transactions from the perspective of the Deutsche Bundesbank

Transcript

1 Recent developments in payment transactions from the perspective of the Deutsche Bundesbank
ABK Systeme GmbH, 85th User Meeting, Dreieich
Anja Prescher
The explanations reflect the personal point of view of the presenter and do not necessarily match the position of the Deutsche Bundesbank.

2 Agenda
1. Vision 2020
2. Technical regulatory standards for strong customer authentication and secure communication

3 Recent developments in payment transactions from the perspective of the Deutsche Bundesbank: Part 1, Vision 2020

4 Vision 2020: subject matter and goals
Vision 2020 is the strategy for the further development of the Eurosystem's market infrastructure service offering in payment transactions, securities settlement and collateral management. Its goals are:
- Efficiency: consolidating the technical infrastructure and optimizing existing services for market participants (including reducing operating costs)
- Innovation: improving the range of services with a view to market needs, new business developments, technical innovations and increased (regulatory) legal requirements
- Contributing to further market integration and harmonization within the framework of the capital markets union planned by the EU Commission

5 Vision 2020: project portfolio consisting of three projects
- TARGET2 / T2S consolidation
- Instant Payments (real-time bulk payments)
- Eurosystem Collateral Management System

6 TARGET2 / T2S consolidation: scope
- Technical consolidation of T2 and T2S: re-use / upgrade of existing technical components and software development standards, as well as a review of the current business contingency arrangements
- Consolidation and harmonization of connectivity: the implementation of common connectivity and security components would lead to a single gateway for Eurosystem market infrastructure services
- Functional convergence: the functional convergence into a single platform will allow the sharing of common services. It will also allow the extension of RTGS services developed by the Eurosystem to other non-euro central banks in Europe by introducing multi-currency capability for RTGS services
- New RTGS services: consultations with market participants have shown that there might be a need for new service enhancements

7 TARGET2 / T2S consolidation: in connection with the technical consolidation, harmonized and standardized access (gateway) for market participants to the Eurosystem's market infrastructures
[Diagram: participants reach T2S, TARGET2 and other market infrastructures through a standardized access layer consisting of master data, identity and access management, and a web portal]

8 TARGET2 / T2S consolidation: business case
- Use of uniform technical solutions as well as connectivity and security components for payment transactions and securities processing
- Cost reduction (investment and operating costs)
- Functional consolidation of TARGET2 and T2S: use of common functionalities (e.g. in cash settlement), but still separate services for payment transactions and securities processing
- Improvement of IT security and resilience, especially against cyber attacks

9 Instant Payments: explanations
Requirements of the Euro Retail Payments Board (ERPB):
- Electronic bulk payment system in euro
- 24/7/365 availability
- Immediate or almost immediate interbank clearing, or guarantee models
- Immediate or almost immediate credit to the recipient's account
- Immediate or subsequent settlement
- No restriction on the payment instrument: credit transfer, direct debit, card payment
- Clearing modality: bilateral interbank clearing; clearing via clearing houses or real-time gross settlement systems
- Settlement modality: commercial bank or central bank money; pre-funding; maximum amounts; guarantees

10 Instant Payments: explanations
- Payment and information flow according to the SCT Inst scheme of the European Payments Council (EPC)
- Availability 24/7/365
- Immediate availability of funds for the payee (positive confirmation messages)
- Immediate rejection of unsuccessful payments
- Currently under discussion:
  - Time limit for transactions: 10 seconds from receipt of the order by the payment service provider; timeout and rejection after 20 + 5 seconds
  - Amount limit of the scheme: Euro
- SCT Inst scheme final in November 2016

11 Instant Payments: background (I)
- So far no pan-European instant payment solution available
- ... Euro Retail Payments Board (ERPB) will be available from November 2017
- Currently under discussion with ACH (automated clearing house) operators regarding adjustments to TARGET2

12 Eurosystem Collateral Management System: concept (I)
- From a decentralized structure with 19 different national systems to a uniform Eurosystem Collateral Management System
- The prerequisite for a uniform functional approach is sufficient harmonization
- In a stocktaking exercise with the national central banks of the Eurosystem, the following framework was developed by the ECMS TF (set up by MIPC and MOC):
  - ECMS general principles
  - Specification of the high-level user needs
  - Identification of high-level harmonization needs

13 Eurosystem Collateral Management System: concept (II)
ECMS will consist of:
- Core components (functionalities, services and processes) that have already been harmonized at Eurosystem level or can be harmonized
- Components that can only be partially harmonized: the NCB decides whether the ECMS services should be used or whether the national CMS should continue to be used
Non-harmonized functionalities, services and processes are not part of the ECMS.

14 Vision 2020: current status
- For the envisaged projects of Vision 2020, the registration process as part of the IT Project Portfolio Update started in mid-March
- ECB Council referral in July or September 2016
- The objective is to pass Quality Review Gate 1 (project start) for all projects in October 2016 and to start the investigation phase; the working hypothesis is that the investigation phase starts at the same time for all projects, but each project is then continued individually

15 Recent developments in payment transactions from the perspective of the Deutsche Bundesbank: Part 2, Technical regulatory standards for strong customer authentication and secure communication

16 SecuRe Pay: the recommendations for secure online payments
- Scope of application: card payments, credit transfers and transfers of e-money between two e-money accounts on the internet; issuing electronic direct debit mandates
- Addressees: payment service providers; payment system operators (governance authority); indirectly, technical service providers and online merchants
- Principles: regular risk analyses; strong customer authentication; authorization and monitoring of all transactions; customer education and communication
- Contents: general requirements for security management; specific security measures for internet payments; customer education and communication

17 Recommendations for payments on the internet: EBA Guidelines and MaSI
EBA Guidelines:
- Adoption of the recommendations for secure online payments
- Addressees are only banks / PSPs, not payment systems
Minimum requirements for the security of internet payments (MaSI):
- The EBA guideline requires implementation in national law
- 1:1 implementation of the EBA guidelines (German translation)
- Additionally: reporting forms for security incidents in payment transactions are included (reports to: ... and ...)
- FAQ on MaSI published by BaFin

18 Recommendations for payments on the internet: minimum requirements for the security of internet payments (general)
- The basic requirements, to be implemented by credit institutions and payment institutions (including institutions without public-facing business), have been in effect since May 5th
- They do not apply to third-party payment service providers (payment initiation services, account information services, issuers of payment cards), as these are not covered by PSD1
- Many of the requirements are already covered in a general form by other legal and regulatory requirements (including KWG, MaRisk, sections 675c ff. BGB in conjunction with Art. 248 EGBGB, ISO 27001, BSI IT-Grundschutz, data protection law)
- The requirements continue to apply unchanged; with regard to PSD2 and the supplementary regulatory technical standards and guidelines, BaFin expects their consistent implementation in preparation for the new PSD2 rules

19 Recommendations for payments on the internet: minimum requirements for the security of internet payments
Affected payment services as with the SecuRe Pay recommendations:
- No application to direct debit mandates issued directly to the merchant
- No application to online brokerage; for transfers from / to reference accounts, the whitelisting exception can be used with regard to strong customer authentication
- Not applicable to telephone banking or online banking software that communicates directly with the bank server via FinTS or EBICS, but MaRisk requires risk analyses for these services
- Apply to both consumers and companies, with the exception of payments via dedicated networks
Further information can be found in the questions and answers on MaSI published by BaFin.

20 The EBA's work in payment transactions: the PSD2 mandates for the EBA
According to the current status, the EBA receives a number of mandates from PSD2:
a. Transparency function: register of regulated and exempt payment service providers and e-money providers (Art. 14 and Art. 30)
b. Licensing of payment service providers / registration of account information services: definition of criteria for determining the minimum amount of professional indemnity insurance (Art. 5)
c. Improved coordination in the supervision of cross-border institutions by the competent authorities in the home and host country (Art. 25a and 26)
d. Definition of security requirements for electronic payments:
  - Art. 95: guidelines for the implementation / monitoring of security measures
  - Art. 98: regulatory technical standards for strong customer authentication and secure communication
e. Reporting of incidents within the EU (Art. 96):
  - For providers of payment services: guidelines for the classification of major incidents as well as for the content, form and procedure of the reports
  - For competent authorities: guidelines for assessing the relevance of security incidents and the content of the report to other national authorities

21 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
Discussion paper:
- Published on December 8, 2015 on the EBA website; comment deadline February 8
- Discussion points: strong customer authentication; exceptions to strong customer authentication; protection of the personalized security credentials of payment service users; secure communication; possible synergies with the eIDAS regulation
- Answers from all over Europe and from all areas of the market, including 81 published answers and 10 answers from DE

22 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
Content of the RTS:
- Requirements for strong customer authentication and possible exceptions
- Requirements for measures to protect the confidentiality and integrity of the personalized security credentials of payment service users
- Requirements for common and secure open communication standards for identification, authentication, notification, information and the implementation of security measures between ASPSPs, PIS, AIS, payers, payees and other payment service providers

23 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
Strong customer authentication:
- Scope: online access to a payment account; initiation of an electronic payment; all security-relevant processes initiated via a so-called remote channel
- Principle: strong authentication for all electronic payments, and for remote payments additionally the linking of the transaction to the payee and the amount (dynamic linking)
- Requirements for the authentication process: time-out, limitation of the number of authentication attempts, protection of the communication session against data access or manipulation, prevention, detection and blocking of fraudulent transactions
- Result of the authentication process: an authentication code that can be used only once
- Security features: algorithm specifications, length, information content, timing
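An added example (not from the presentation, and not Eurosystem or EBA code) of how a payment service provider could implement the requirements on this slide: an authentication code that is dynamically linked to payee and amount, valid once, with a time-out and an attempt limit. The HMAC-based construction, the eight-digit code length and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class AuthCodeService:
    """Issues single-use authentication codes dynamically linked to payee and amount.

    Assumed design (not the RTS text): the code is a truncated HMAC over the challenge id,
    payer, payee and amount, and is re-derived at verification from the transaction data
    actually being executed, so a code issued for one payee/amount cannot authorize another.
    """

    def __init__(self, server_key, ttl_seconds=120, max_attempts=3, clock=time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock          # injectable for tests
        self._pending = {}           # challenge_id -> {"expires": t, "attempts": n}

    def _code_for(self, challenge_id, payer, payee, amount_cents):
        msg = f"{challenge_id}|{payer}|{payee}|{amount_cents}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # 8-digit code

    def issue(self, payer, payee, amount_cents):
        """Start a challenge; returns (challenge_id, code to present to the payer)."""
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {"expires": self._clock() + self._ttl, "attempts": 0}
        return challenge_id, self._code_for(challenge_id, payer, payee, amount_cents)

    def verify(self, challenge_id, payer, payee, amount_cents, presented):
        """Returns 'ok', 'invalid', 'blocked', 'expired' or 'unknown_or_used'."""
        state = self._pending.get(challenge_id)
        if state is None:
            return "unknown_or_used"            # never issued, or already consumed
        if self._clock() > state["expires"]:
            del self._pending[challenge_id]
            return "expired"                    # time-out requirement
        state["attempts"] += 1
        expected = self._code_for(challenge_id, payer, payee, amount_cents)
        if hmac.compare_digest(expected, presented):
            del self._pending[challenge_id]     # only usable once
            return "ok"
        if state["attempts"] >= self._max_attempts:
            del self._pending[challenge_id]     # limit on the number of attempts
            return "blocked"
        return "invalid"
```

A code presented for a transaction whose amount or payee differs from the one it was issued for is rejected as invalid, which is the property dynamic linking is meant to give.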

24 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
Exceptions to strong customer authentication:
- The payer only accesses non-sensitive payment data, except the first time it is accessed and if the last access with SCA was more than a month ago
- In a contactless electronic payment transaction at the POS, if the individual amount does not exceed EUR 50 and the total amount of all transactions without SCA does not exceed EUR 150
- For an online credit transfer, if a whitelist is used (except when setting it up and changing it), for a standing order (except when setting it up and changing it), or for a transfer between accounts of the same payer within the same institution, if the individual amount does not exceed EUR 10 and the total amount of all transactions without SCA does not exceed EUR 100
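An added example (not from the presentation) that encodes the exemptions on this slide as a decision function together with the per-payer state an ASPSP would have to keep for the cumulative limits, using the draft thresholds the slide lists. The 30-day reading of "more than a month", the event field names and the PayerState structure are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds as listed on the slide (the 2016 draft under discussion, not the final
# RTS), in euro cents: (limit per single transaction, cumulative limit since last SCA).
CONTACTLESS_LIMITS = (5_000, 15_000)
INTRA_INSTITUTION_LIMITS = (1_000, 10_000)
ACCESS_SCA_VALIDITY = 30 * 24 * 3600   # "more than a month ago", assumed as 30 days (seconds)


@dataclass
class PayerState:
    """Per-payer data the ASPSP must keep to apply the exemptions correctly."""
    last_access_sca: Optional[float] = None   # unix time of the last SCA-protected access
    contactless_since_sca: int = 0            # exempt contactless amount since last SCA
    intra_since_sca: int = 0                  # exempt intra-institution amount since last SCA
    whitelist: set = field(default_factory=set)


def sca_required(state: PayerState, event: dict) -> bool:
    """Return True unless one of the exemptions on the slide applies to this event."""
    kind = event["kind"]
    if kind == "access_non_sensitive":
        return (state.last_access_sca is None
                or event["at"] - state.last_access_sca > ACCESS_SCA_VALIDITY)
    if kind == "contactless_pos":
        single, total = CONTACTLESS_LIMITS
        return event["amount"] > single or state.contactless_since_sca + event["amount"] > total
    if kind == "online_transfer":
        if event.get("setup"):                 # creating or changing whitelist / standing order
            return True
        if event.get("standing_order") or event.get("payee") in state.whitelist:
            return False
        if event.get("same_payer_same_institution"):
            single, total = INTRA_INSTITUTION_LIMITS
            return event["amount"] > single or state.intra_since_sca + event["amount"] > total
    return True                                # anything else: strong customer authentication


def record(state: PayerState, event: dict, sca_done: bool) -> None:
    """Book the outcome: an SCA resets the relevant cumulative counter, an exempt payment adds to it."""
    kind, amount = event["kind"], event.get("amount", 0)
    if kind == "access_non_sensitive" and sca_done:
        state.last_access_sca = event["at"]
    elif kind == "contactless_pos":
        state.contactless_since_sca = 0 if sca_done else state.contactless_since_sca + amount
    elif kind == "online_transfer" and event.get("same_payer_same_institution"):
        state.intra_since_sca = 0 if sca_done else state.intra_since_sca + amount
```

The cumulative counters are the part that is easy to get wrong: they must be tracked per exemption type and reset only when an SCA actually took place.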

25 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
SCA and personalized security credentials
Requirements for personalized security credentials:
- Masking of the credentials
- Storage of the credentials and of the cryptographic material used for encryption not in plain text
- Storage of the cryptographic material used for encryption in a secure and tamper-proof environment
Review of the authentication process and of the security requirements for personalized security credentials:
- Regular tests, evaluations and audits by internal or external, independent and certified auditors
- Preparation of a report on request; the report must be made available in full to the competent authorities

26 The EBA's work in payment transactions: regulatory technical standards for authentication and communication
Further procedure:
- Publication of the RTS draft for public consultation; comment deadline October 12th
- Public hearing at the EBA on September 23rd
- Following the consultation, revision and finalization of the RTS, to be submitted to the European Commission by January 13th
- Adoption by the Commission with the participation of the EU Parliament and the Council

27 Outlook
- T: entry into force of PSD2
- RTS under Art. 98: adoption at T + 12 months; implementation of the RTS 18 months after adoption *
- Guidelines under Art. 95: T + 18 months
- Implementation of PSD2 into national law: T + 2 years **
* Including the provisions of Art. 65, 66, 67 and 97
** Without the provisions of Art. 65, 66, 67 and ...

28 Thank you for your attention
Anja Prescher, Wilhelm-Epstein-Str., Frankfurt