PSD2 Implementation in Belgium - Creobis
Jorke KAMSTRA
IT Supervision, National Bank of Belgium
PSD2 Implementation in Belgium
IMPLEMENTATION IN BELGIUM
► Transposition deadline: 13 January 2018
► Maximum harmonisation
► New law replacing Books 1 & 2 of law of 21.12.2009
● more clarity (structure)
● useful information in explanatory works
● level 2 taken into account
CHANGES IN STRUCTURE (1)
► Payment institutions – two regimes
1. Licensed Payment institutions – full regime
Payment services 1 to 6
+ NEW Payment initiation service
2. Registered Payment institutions – light regime
= Exempted from the application of certain articles
“small” Payment institution
+ NEW Account information service provider
New market players
► Account Servicing Payment Service Providers (ASPSP)
► Payment Initiation Service Provider (PISP)
► Account Information Services Provider (AISP)
► Card-based instruments Service Provider (CISP)
CHANGES IN STRUCTURE (2)
► NEW - notification required for:
● “limited network”: payment services based on specific payment instruments that can be used only in a limited way (subject to specific conditions)
notification required if total value of payment transactions over preceding 12 months exceeds EUR 1 million (description of services + evidence that conditions are met)
decision of BNB
● “telco”: execution of payment transactions by provider of electronic communication networks or services, provided in addition to electronic communication services for a subscriber to the network or services (subject to specific conditions)
prior notification
PI : Applications for authorisation /
Licensing requirements / Activities requirements (1)
► Application file - New BNB memorandum
► Licensing requirements
● existing requirements still in place but more detailed
● NEW :
Organisation requirements (AML CCP, PSD CCP…)
Professional indemnity insurance for PISP
Procedure in place for managing sensitive payment data (authentication, access to payment account by PIS …)
Procedure in place for secured communication
Security policy document (protection of users, management of
operation and security risks)
Procedure in place for security incident management &
complaints
Business continuity arrangements …
PI : Applications for authorisation /
Licensing requirements / Activities requirements (2)
► Activities requirements (conditions d’exercice)
● Existing requirements still in place but more detailed
● NEW :
Collection of statistical data on performance, transaction
and fraud
Modification in shareholding structure (qualifying
participation, threshold)
Management of sensitive payment data (secured access
to payment account, authentication …)
Security measures (protection of users, management of
operation and security risks).
….
Amazon Go
LEVEL 2 IMPLEMENTATION
Security
► Strong customer authentication
● Dynamic linking of payment amount and payee
when signing transactions
► Operational risk guidelines
► Security incident reporting
Transposition
► Member States shall not forbid legal persons that have performed in their territories, before 12 January 2016, [..] to continue to perform the same activities in their territories during the transitional period [..] in accordance with the currently applicable regulatory framework.
Transposition
► Member States shall ensure that until individual account servicing payment service providers comply with the regulatory technical standards [..], account servicing payment service providers do not abuse their non-compliance to block or obstruct the use of payment initiation and account information services for the accounts that they are servicing
Regulatory expectations
► NBB Circular Financial Services via Internet
● notification to NBB if security of Internet services or
used IT infrastructure is circumvented via Internet
► Circular on outsourcing
● Institution remains responsible for security
► Circular letter on cloud computing
● Notification of cloud projects to NBB
► New circular regarding protection of critical FIs
► European reporting expectations
● EBA/ECB Statistics
● NIS Directive
● Privacy Regulations GDPR
Q&A