Jorke KAMSTRA

IT Supervision, National Bank of Belgium

PSD2 Implementation in Belgium

IMPLEMENTATION IN BELGIUM

► Transposition deadline : 13 January 2018

► Maximum harmonisation

► New law replacing Books 1 & 2 of law of 21.12.2009

● more clarity (structure)

● useful information in explanatory works

● level 2 taken into account

2

CHANGES IN STRUCTURE (1)

► Payment institutions – two regimes

1. Licensed Payment institutions – full regime

Payment services 1 to 6

+ NEW Payment initiation service

2. Registered Payment institutions – light regime

= Exempted from the application of certain articles

“small” Payment institution

+ NEW Account information service provider

3

New market players

► Account Servicing Payment Service Providers

(ASPSP)

► Payment Initiation Service Provider (PISP)

► Account Information Services Provider (AISP)

► Card-based instruments Service Provider (CISP)

4

► NEW - notification required for :

● “limited network” : payment services based on specific payment

instruments that can be used only in a limited way (subject to

specific conditions)

notification required if total value of payment transaction over preceding

12 months exceeds EUR 1 million (description of services + evidence

that conditions are met)

decision of BNB

● “telco” : execution of payment transaction by provider of electronic

communication networks or services provided in addition to

electronic communication services for a subscriber to the network or

services (subject to specific conditions)

prealable notification

CHANGES IN STRUCTURE (2)

5

PI : Applications for authorisation /

Licensing requirements / Activities requirements (1)

► Application file - New BNB memorandum

► Licensing requirements

● existing requirements still in place but more detailed

● NEW :

Organisation requirements (AML CCP, PSD CCP…)

Professional indemnity insurance for PISP

Procedure in place for managing sensitive payment data

(authentication, access to payment account by PIS ….)

Procedure in place for secured communication

Security policy document (protection of users, management of

operation and security risks)

Procedure in place for security incident management &

complaints

Business continuity arrangements …

6

PI : Applications for authorisation /

Licensing requirements / Activities requirements (2)

► Activities requirements (conditions d’exercice)

● Existing requirements still in place but more detailed

● NEW :

Collection of statistical data on performance, transaction

and fraud

Modification in shareholding structure (qualifying

participation, threshold)

Management of sensitive payment data (secured access

to payment account, authentication …)

Security measures (protection of users, management of

operation and security risks).

….

7

Amazon Go

LEVEL 2 IMPLEMENTATION

Security

► Strong customer authentication

● Dynamic linking of payment amount and payee

when signing transactions

► Operational risk guidelines

► Security incident reporting

10

Transposition

► Member States shall not forbid legal persons

that have performed in their territories, before

12 January 2016, [..]to continue to perform the

same activities in their territories during the

transitional period [..] in accordance with the

currently applicable regulatory framework.

Transposition

► Member States shall ensure that until

individual account servicing payment service

providers comply with the regulatory technical

standards [..] ,account servicing payment

service providers do not abuse their non-

compliance to block or obstruct the use of

payment initiation and account information

services for the accounts that they are

servicing

Regulatory expectations

► NBB Circular Financial Services via Internet

● notification to NBB if security of Internet services or

used IT infrastructure is circumvented via Internet

► Circular on outsourcing

● Institution remains responsible for security

► Circular letter on cloud computing

● Notification of cloud projects to NBB

► New circular regarding protection of critical FIs

► European reporting expectations

● EBA/ECB Statistics

● NIS Directive

● Privacy Regulations GDPR

14

15

Q&A