The deadline for initial notification has been significantly extended from 2 to 4 hours following identification of the incident. Due to reorganization of the three notification types, it is no longer necessary to provide as much information in the initial and interim notifications. This is due to the newly introduced “completion” of the notification forms, meaning that only the final report needs to contain all information pertaining to the incident. The criteria previously referred to as “Level 1” and “Level 2” proved insufficiently self-explanatory and have been replaced by the terms “Lower Impact Level” and “Higher Impact Level.” For the Higher Impact Level criterion, the number of transactions concerned has been increased from one million to five million euros.


In August 2016, the EBA published the draft RTS for consultation, and spelled out the details in a public hearing on 23 September 2016, especially regarding the points on “Use of strong customer authentication for account access (one-month discussion)” and “Using a risk-based approach as a replacement for the second factor”. On 23 February 2017, after taking account of 224 comments received back from the market, the EBA published the final version of the RTS.


According to Article 96 of Payment Service Directive (PSD) II, payment service providers have until 13th January 2018 to implement a reporting system for major operational and security incidents relating to cash-free transactions. The EBA proposes a classification scheme with four quantitative criteria and three qualitative ones to decide whether an incident needs to be reported.


Risk management is one of the core competencies of the finance industry. This sensitive field’s immunity against technological developments has long since evaporated, with models and methods influenced as a result. In particular, data and new ways of exploiting it (think big data and, to an increasing degree, artificial intelligence) are having a transformative effect and challenging the previous organizational models employed by institutions. The recently published Open Source Risk Engine Platform promises to open up these possibilities to a greater number of institutions. It is based on the open-source approach, which has been successful for many years in the field of operating systems. This approach makes critical competencies available on a global scale and enables more efficient development and operating models.


The EBA public hearing on Regulatory Technical Standards, specifying the requirements on strong customer authentication and common secure communication under PSD II, took place on September 23. The public hearing is an integral part of the consultation phase and regularly provides a summary of the initial consultation phase, as well as an insight into how the RTS are likely to shape up. Starting with the main points of development concerning RTS, which are reflected in the Consultation Paper [compare “Customer Authentication for Cashless Transactions: Impacts of the New RTS (Regulatory Technical Standards) under PSD II” post], the major points of discussion during the hearing are detailed below.


The regulator is pushing various initiatives for financial institutions to give third parties access to data and information whose seclusion is not justified. Details of this market opening in the financial industry, fostered by the Payment Service Directive PSD II, have been specified in two major points recently published as “RTS” (Regulatory Technical Standards) by the EBA: strong customer authentication and secure communication for electronic payment services. These regulations have major consequences for the current standards and established processes for cashless transactions.


The virtual payment market is in a state of flux due to the increasing importance of e-Commerce and contactless payments at the point of sale. This results from the increasing prevalence of NFC-enabled terminals and the simultaneous provision of mobile payment solutions (wallets) by technology providers. Alongside the conventional processing structure comprising schemes and issuers, a third kind of player is establishing itself: technology providers such as Apple, Samsung and Google are joining forces with international credit card companies to successfully provide end consumers with mobile payment solutions on their devices, and are, therefore, gaining even more ground on global markets.
