Andrew Eppich VP Sales EMEA - Open Banking Excellence · customer data with Third Party Providers...


Post on 21-May-2020


Andrew Eppich VP Sales EMEA


16 May 2019

Helping everyone by spotting the playground bullies

Making Open Banking Safer


©2018 Mastercard. Proprietary and Confidential

Public

What’s the problem?

MASTERCARD OPEN BANKING 4

“We are not confident that our customers’ data will be protected from hackers and thieves. We cannot refuse to hand over data because that’s what the legislation says, but we will have to try to educate people to understand the vulnerability.”

— Howard Davies, Chair, RBS


©2019 Mastercard. Proprietary and Confidential.


Mastercard Open Banking Protect

[Diagram: TPP and Open Banking Protect]

1. Request via API
2. Check of TPP’s request
3. Check of a regulatory license, eIDAS certificates and fraud assessment
4. Internal monitoring & decision
5. Report back of decision and any subsequent fraud

Transaction fraud profiling and real time scoring

TPP licence and certificate validations with real time response

Open Banking Protect provides additional security to Financial Institutions when they have to share customer data with Third Party Providers (TPPs).


NuDetect – Combining capabilities to power enhanced fraud prevention


Device, Connection, and Location Identification
Analyze the device and connection interacting with the environment. Trust that the real consumer is using the device.

Behavioral Analytics
Continuously verify the consumer is who is expected. Trust the behavior.

Passive (Invisible) Biometric Verification
Allow trust in the human, not just the device, using sensory inputs from the real-world. Trust the consumer based on natural behaviors.

Real-Time Trust Consortium
Aggregate data from all behavioral interactions across the NuDetect network. Trust the consortium.


Mastercard’s Solution: Triple Protection

Open Banking Protect
Protecting customers using your Open Banking APIs against compromised and unlicensed Third Party Providers

NuDetect
Protecting customers using your Logon and Payment journeys against account takeovers and bad actors

Anti Money Laundering Insights
Protecting against the movement of illicit funds across entire payment networks


Mastercard’s Triple Protection

[Diagram. Channels: Mobile, Online, Open Banking API, Branch, Telephone. Components: Fraud Decision Engine, Faster Payment Systems.]


Mastercard’s Triple Protection

[Diagram. Channels: Mobile, Online, Open Banking API, Branch, Telephone. Components: Open Banking Protect, NuDetect, 1st Line Protection, 2nd Line Protection, AML Insights, Fraud Decision Engine, Faster Payment Systems.]


Mastercard’s Triple Protection

[Diagram. Channels: Branch, Telephone, Mobile, Online, Open Banking API. Components: 1st Line Protection, 2nd Line Protection, Open Banking Protect, NuDetect, Fraud Decision Engine, Faster Payment Systems, AML Insights.]


Next Steps - Extending Open Banking Protect to TPPs

[Diagram: TPP, Open Banking Protect, Financial Institution]

Digitally identify the customer based on their online interactions


Mastercard Open Banking Protect

• Interested in hearing more? Please let us know via [email protected]

• Thank you!


Open Banking Excellence

16 May 2019

Paul Meadowcroft, Chief Product Officer


About Konsentus

• A RegTech company to support ASPSPs in delivering PSD2 open banking compliance
• Offices in the UK in Reading and London
• Highly experienced leadership team
• Focused on significant open banking opportunity across Europe whilst the broader global open banking market develops

Konsentus provides Third Party Provider identity verification, using eIDAS certificates, TPP regulatory checking, against National Competent Authority registers, and OAuth2 token generation and verification to control access to PSD2 APIs. These services are provided to financial institutions through a RESTful API on a SaaS platform, enabling them to provide open banking services to their customers, confident in the knowledge that they are only providing data to TPPs who are authorised or registered and who have obtained the customer's consent to access their data.


Today’s topic

Brand reputation and risk

Do I do the legal minimum?

Or

Do I protect my customers’ data and manage my business risk?


PSD2 Open Banking

Protecting your customers’ data

And your brand reputation


What does PSD2 open banking mean to us?

Customers or Payment Service Users (PSUs) have a legal right to use payment initiation services and account information services provided by Third Party Providers (TPPs) with respect to certain payment accounts

So “account servicing payment service providers” (ASPSPs) must allow TPPs access to these payment accounts (with the customer’s consent) through either their modified customer-facing interface or a “dedicated interface” (API)

ASPSPs can be banks, building societies, and non-bank account providers such as payment institutions and e-money institutions

TPPs can be PISPs (Payment Initiation Service Providers), AISPs (Account Information Service Providers) and CBPIIs (Card Based Payment Instrument Issuers)

How does an ASPSP know when to hand customer data over to a TPP or not?

The Second Payment Services Directive (EU) 2015/2366 (PSD2) was implemented by EU member states on 13 January 2018


What does the EBA RTS for SCA and CSC say?

Article 30 (1)

ASPSPs that offer to a payer a payment account that is accessible online shall have in place at least one interface which meets each of the following requirements:

a) AISPs, PISPs and CBPIIs are able to identify themselves towards the ASPSP;

b) AISPs are able to communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions;

c) PISPs are able to communicate securely to initiate a payment order from the payer's payment account and receive all information on the initiation of the payment transaction and all information accessible to the ASPSPs regarding the execution of the payment transaction.

So the ASPSP needs to know who the TPP is and what they are allowed to do

Commission Delegated Regulation (EU) 2018/389 on Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS for SCA & CSC) applies from 14 September 2019


What does the EBA RTS for SCA and CSC say?

Article 34 (1)

For the purpose of identification, as referred to in Article 30(1)(a), payment service providers (PSPs) shall rely on qualified certificates for electronic seals (QSealC) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWAC) as referred to in Article 3(39) of that Regulation.

“This means that, when a TPP identifies itself towards the ASPSP via an eIDAS PSD2 certificate, the ASPSP shall grant access to the TPP to the specified account.”

“ASPSPs are not legally required to rely on any other means for the purpose of identification of TPPs”

(EBA answer to Issue XIII of the EBA Working Group on APIs, 26 April 2019)

So the ASPSP can rely on either an eIDAS PSD2 QWAC or a QSealC to determine the identity of a TPP


How does the ASPSP know that the TPP is regulated?

PSD2 states that access to account information or payment initiation services “shall not be dependent on the existence of a contractual relationship” between the ASPSP and the TPP

The TPP will have presented an eIDAS PSD2 certificate to the ASPSP

But

The regulatory status of the TPP may have changed since the certificate was issued

And

The certificate does not provide any information about the regulated status of the TPP in Host Member States where the TPP has “passported” its services

In order to know what the TPP is allowed to do, at the time of the transaction, the ASPSP must check the regulatory status of the TPP on both the Home and Host NCAs, as appropriate
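The transaction-time check this slide argues for, sketched as an added example (not code from the presentation or from any vendor named in it). The data model, field names, identifiers and register contents are constructed assumptions, and cryptographic validation of the certificate chain is assumed to have happened before this function is called.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical data model; field names are assumptions, not a real register schema.
@dataclass(frozen=True)
class TppCertificate:
    tpp_id: str           # authorisation number carried in the eIDAS PSD2 certificate
    home_country: str     # Member State of the Home NCA
    roles: frozenset      # services asserted at issuance: AISP, PISP, CBPII
    not_before: date
    not_after: date

@dataclass
class RegisterEntry:
    home_roles: set                                 # roles the Home NCA lists today
    withdrawn_on: Optional[date] = None             # set once authorisation is withdrawn
    passports: dict = field(default_factory=dict)   # host country -> roles passported

def check_tpp(cert, register, service, aspsp_country, today):
    """Return (allow, reason) for one TPP request, evaluated at transaction time."""
    if not (cert.not_before <= today <= cert.not_after):
        return False, "certificate outside validity period"
    if service not in cert.roles:
        return False, "service not asserted in certificate"
    # The certificate only reflects status at issuance, so consult the register.
    entry = register.get(cert.tpp_id)
    if entry is None:
        return False, "TPP not found on Home NCA register"
    if entry.withdrawn_on is not None and entry.withdrawn_on <= today:
        return False, "authorisation withdrawn on Home NCA register"
    if service not in entry.home_roles:
        return False, "service not authorised by Home NCA"
    # The certificate says nothing about passporting, so check the Host NCA too.
    if aspsp_country != cert.home_country:
        if service not in entry.passports.get(aspsp_country, set()):
            return False, "service not passported to Host Member State"
    return True, "certificate and register status agree"

# Constructed sample data (identifier and countries are made up for illustration).
CERT = TppCertificate("PSDXX-EXAMPLE-0001", "NL", frozenset({"AISP", "PISP"}),
                      date(2019, 1, 1), date(2021, 1, 1))
REGISTER = {
    "PSDXX-EXAMPLE-0001": RegisterEntry(
        home_roles={"AISP", "PISP"},
        passports={"DE": {"AISP"}},   # only account information is passported to DE
    )
}

if __name__ == "__main__":
    for svc, country in [("AISP", "NL"), ("AISP", "DE"), ("PISP", "DE")]:
        print(svc, country, check_tpp(CERT, REGISTER, svc, country, date(2019, 6, 1)))
```

The same certificate yields different answers depending on the service requested, the ASPSP's Member State and the register state on the day, which is why a certificate check alone does not settle what the TPP is allowed to do.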


ASPSP reputation and risk management

Article 68(5) of PSD2 states that an ASPSP ‘may deny an AISP or a PISP access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that AISP or that PISP’ (EBA answer to Issue IX of the EBA Working Group on APIs, 26 April 2019)

ASPSPs may choose to carry out additional checks of the authorisation / registration status of TPPs in the respective EBA and/or national registers, provided that, in doing so, ASPSPs do not create obstacles to the provision of payment initiation and/or account information services, as required in Article 32(3) of the RTS. (EBA answer to Issue XIII of the EBA Working Group on APIs, 26 April 2019)

These checks should not present an obstacle to the performance of the transaction between the TPP and ASPSP or cause delays in the ‘customer journey’ if they are provided by an industrial scale and quality service that can process the regulatory checks at high volume and high speed.

It is the ASPSP’s responsibility to manage its business and regulatory risk and perform the necessary checks and balances appropriate to its risk appetite


ASPSP responsibility and accountability for customer data

ASPSPs are the guardians of their customers’ data

ASPSPs have an obligation under PSD2 and GDPR to only share that data with properly authorised and regulated TPPs who have gained the customer’s consent

Customers will look for compensation from the ASPSP if anything goes wrong

ASPSPs may face fines and regulatory sanctions under PSD2 and GDPR

Reputational damage and lack of customer trust may be of greater concern

ASPSPs need to be customer focussed and take all reasonable steps to ensure that they only share customer data with properly authorised and regulated third parties


Thank You

Any Questions

Paul Meadowcroft

+44 7340 003217

[email protected]

Konsentus Limited

www.konsentus.com


Confidential – © 2018 Equinix Inc. Equinix.com 24


Mastercard Open Banking, December 20, 2018


OPEN BANKING – WHAT A FRAUDSTER SEES

And what they might try

Sandra Peaston

16 May 2019


Welcome

Sandra Peaston

Director of Research and Development


Fraud over time

[Chart. Horizontal axis: years 2008 to 2018. Vertical axis: 0 to 350,000.]


Fraud in 2018

[Chart comparing 2016, 2017 and 2018 on a scale of 0 to 210,000. Categories: Asset conversion, Application fraud, False insurance claims, Facility takeover fraud, Identity fraud, Misuse of facility fraud.]


Identity Fraud

[Chart comparing 2016, 2017 and 2018 on a scale of 0 to 90,000. Categories: Bank Account, Telecoms, Plastic card, Insurance, Loan, Online retail, Other.]


Who is the customer?

• Onboarding someone who is not who they say they are
• Is the customer still who they say they are?


A Phishing opportunity

• Exploitation of a lack of understanding
• Facilitation of further fraud


“That wasn’t me!”

• Opportunists may see this as a chance to double their money
• Organised groups may recruit people to facilitate first party fraud


“Every day, we’re talking. Planning. Sharing tips and tricks to keep getting better.”


“And until the banks and businesses that we attack do the same, we’re always going to win."


Thank you

Any Questions?


A BIG THANK YOU TO OUR ATTENDEES, SPEAKERS, SPONSORS & PARTNERS


Tink: Strong Customer Authentication

Moving from Theory to Practice

Connecting the Ecosystem

Starling Bank: Major Data Breach, Payment Theft

Regulation, Fraud, Security

Mastercard: Extending Open Banking Protect to TPPs


Equinix, API Secure-Link

Regulation

• SOC1 Type Type 2 Document Controls, Supporting processes, policies, procedures, personnel and operational activities that constitute the core activities relevant to users
• PCI DSS, enhance data security for payment cards
• ISO 9001, Quality Management System to demonstrate ability to consistently provide products and services to meet the needs of Customers.

Fraud Protection

• Minimal threat of DDoS Attacks
• Dedicated Infrastructure
• Tier 3 Data Centre Service

Security Enhancement

• Certain customer data is best kept on soil
• Enhanced Encryption
• Security policy for On-premise and Cloud enabled

Open Banking Sales Director, [email protected]
