WHITE PAPER

PSD2 compliance: Finding a silver lining in the Regulatory Technical Standards (RTS)

At a minimum, RTS compliance will require:

• Strong customer authentication — two-factor customer authentication for access to payment accounts and online payments

• Common and secure communication interfaces for account access — APIs, not “screen scraping”

To meet the deadline while modernizing infrastructures to support future digital initiatives, banks must take a thoughtful approach to managing the API-related tasks and cross-functional constituencies involved in satisfying the RTS.

As a company that combines a rich history of data integration with API management tools for user engagement and business ecosystem expansion, Axway provides a unique perspective on the digital business value chain overall, and the new payments value chain being created by regulation and the industry’s move toward open banking.

The Axway AMPLIFY™ platform optimizes the entire digital business value chain

Turning a regulatory burden into a business opportunity

With PSD2 now in effect, banks, third-party providers (TPPs), and others in the payments value chain have until September 2019 to comply with the secure communication and customer authorization requirements laid out in the PSD2 Regulatory Technical Standards (RTS). The silver lining is that, with the right API management strategy and technology in place, all affected parties can turn this regulatory burden into an opportunity to compete, innovate, and grow with a modern IT infrastructure built for open banking.

The RTS bottom line

To become RTS-compliant, banks and other institutions will have to provide TPPs — including payment initiation service providers (PISPs) and account information service providers (AISPs) — with access to customer account information via open banking APIs. In addition, they need to implement security measures to protect account and payment information.

[Figure: the AMPLIFY platform, from User and App Developer through the API Team and Integration Team to Enterprise Systems, with layers for App and Edge Development, API Lifecycle Management, Secure Integration Foundation, and Metrics, Analytics, and Insight.]

The Axway AMPLIFY data integration, engagement, and collaboration platform includes API Management, Managed File Transfer, Analytics, App Development, B2B Integration, and Content Collaboration/EFSS solutions. This flexible and holistic API-centric approach does not limit you to a single-purpose solution, and can support your continuous digital journey as regulatory requirements change, and the banking landscape continues to shift and evolve.

Speed and simplify RTS compliance

AMPLIFY API Management provides a complete end-to-end set of services and capabilities that can simplify and speed compliance with the RTS for authentication and open access.

AMPLIFY API Management simplifies access to enterprise data, integrates with full API lifecycle support, and streamlines app building to speed delivery of value to the business.

[Figure: a Mobile Application and an Account Aggregator Platform (AISP/PISP, acting as Service Provider and Data Provider) connect to the Bank Platform, powered by AMPLIFY App Development, Analytics and Predictive Insights, Consumer Registry, API Catalog, Threat Protection, AuthN/AuthZ Mediation, and Rapid Creation.]

Partner onboarding and user enrollment

A major component of PSD2 is open access to customer accounts (XS2A), which requires banks and other institutions to share payment account information with TPPs via open APIs. Under PSD2 RTS, all TPPs will have to follow the same rules and go through the same processes for registration, licensing, and supervision by authorities.

AMPLIFY API Management enables you to define and manage authorization methods for partner and customer onboarding to meet the various types of API access a TPP would look for with a PSP (i.e. account information access or payment initiation).

API catalog and developer portal

Whatever the API implementation (following Berlin Group, Open Banking or other group recommendations), API definitions can be imported to the API catalog using their swagger files.

The customizable API developer portal makes it easy to quickly expose APIs in the API catalog and engage app developers in a self-service development process where they can discover, consume, build, and test APIs.

Strong customer authentication

To make digital payments safer, PSD2 RTS specifies enhanced security requirements (with some exceptions based on context) to be implemented by all PSPs, including banks, payment institutions, and TPPs.

AMPLIFY API Management enables you to implement both one-time password authentication and two-factor authentication that will comply with RTS strong customer authentication requirements. It offers:

• Out-of-the-box integration with leading identity providers: Okta, Ping Identity, Microsoft AD, Kerberos, IBM SDS and IBM Tivoli AM, CA SSO (formerly SiteMinder), Oracle AM/ES, RSA AM

• Support for Open Authentication/Authorization Standards: LDAP, OAuth 2.0, OpenID Connect, AWS style API keys, and others
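As an added illustration of what the two-factor requirement above means on the server side (example code written for this page, not part of AMPLIFY or any Axway product): a standard-library Python implementation of RFC 4226/6238 one-time passwords, a verifier that tolerates one step of clock drift but rejects a replayed code, and an authenticate() function that only succeeds when both a password and an OTP check out. The user record, the salt, and the RFC test-vector secret are constructed for the example.

```python
"""
Added example (not Axway code): a minimal possession factor plus knowledge
factor, built from standard-library primitives only.

- hotp()/totp() implement RFC 4226 / RFC 6238 one-time passwords.
- OtpVerifier accepts a code within a small clock-drift window and refuses to
  accept the same time step twice, so a replayed OTP fails.
- authenticate() requires BOTH a password and an OTP, which is the two-factor
  shape strong customer authentication asks for.
All names, the user record and the secrets below are constructed for the example.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based OTP (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Server-side check for a possession factor (authenticator app or token)."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}  # user -> last time step that was accepted

    def verify(self, user: str, secret: bytes, submitted: str, at_time: int) -> bool:
        base = int(at_time) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            # A step at or before the last accepted one is a replay: skip it.
            if counter <= self._last_counter.get(user, -1):
                continue
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self._last_counter[user] = counter
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; a real deployment would read this from the IdP/user store.
USER_SALT = b"example-salt-not-random"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", USER_SALT),
        "otp_secret": b"12345678901234567890",  # RFC 4226/6238 test-vector secret
    }
}
VERIFIER = OtpVerifier()


def authenticate(user: str, password: str, otp_code: str, at_time: int) -> bool:
    """Both factors must pass; an unknown user or a wrong factor fails closed."""
    record = USERS.get(user)
    if record is None:
        return False
    # Check the knowledge factor first so a wrong password never consumes an OTP step.
    if not hmac.compare_digest(record["pw_hash"], hash_password(password, USER_SALT)):
        return False
    return VERIFIER.verify(user, record["otp_secret"], otp_code, at_time)


if __name__ == "__main__":
    now = 1_000_000
    code = totp(USERS["alice"]["otp_secret"], now)
    print("first use :", authenticate("alice", "correct horse battery staple", code, now))
    print("replay    :", authenticate("alice", "correct horse battery staple", code, now + 5))
```

The verifier keeps only the last accepted time step per user, which is enough to stop replay of a code inside the drift window; in a clustered gateway that state has to live in shared storage, not in process memory, or a replayed code can succeed on another node.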

TPPs include payment initiation service providers, such as Sofort in Germany, iDEAL in the Netherlands and Trustly in Sweden, and account information service providers that aggregate customer information from multiple accounts and make it accessible from a single portal.

Threat protection

AMPLIFY API Management includes multiple protection features to prevent attacks (sniffing, oversized payloads, SQL injection, etc.). Elastic Beam API Behavioral Security complements AMPLIFY API Gateway with additional levels of protection using Artificial Intelligence (AI).

• AI-powered cyberattack detection with automated API Gateway blocking. Elastic Beam provides deep API traffic inspection, backed by a scalable and powerful artificial intelligence engine capable of determining API behavior and identifying new and changing cyber threats. Elastic Beam also provides a deception environment that inserts decoy APIs to instantly recognize hackers. Elastic Beam software interfaces with the AMPLIFY API Gateway to automatically block hackers’ access to APIs.

• Complete visibility into new API attacks via dashboards and reports. Using AI, Elastic Beam accelerates the gathering of evidence after an attack, tracks compliance, and gives organizations full visibility into all activity. This complements Axway’s Embedded Analytics for AMPLIFY API Management with visibility into new API threats.

• Blocking cyberattacks in multi-cloud environments. The Elastic Beam and Axway solution supports deployments on-premise and in private and public clouds, and propagates attack information across the customer’s clouds to prevent attackers from reconnecting.

[Figure: Elastic Beam API Behavioral Security, AI-powered cyberattack protection: API traffic passes through the gateway policy before reaching back-end services.]

Operational intelligence and analytics

At its core, PSD2 is about giving consumers direct access to cheaper, more convenient, and highly secure digital payment options. AMPLIFY API Management enables payments operations teams to monitor transactions across TPPs and PSPs and proactively identify emerging issues before they impact service level obligations to consumers and to partners.

Embedded Analytics for AMPLIFY API Management delivers predictive insights for IT and business users, with personalized dashboards that enable them to drill down into different aspects of the analytical data to identify API trends, detect and resolve issues, and achieve API strategy objectives.

[Figure: Embedded Analytics dashboards covering API Health, Customer Engagement, API Usage, and API Infrastructure Health.]

Ready-to-use services for compliance and engagement

Beyond implementing the required APIs, banks and TPPs need to provide new PSD2-related business services such as:

• Consent management of the consumer (PSU)

• Authentication management for customers, ASPSPs, and TPPs

• Audit trails for AIS and PIS to support dispute resolution

In addition to these ready-to-use services, the Digital eXperience Platform (DxP) from Sopra Banking Software enables quick and cost-effective creation of innovative digital customer experiences to better engage your customer with:

• Relationship management. Manage customer data to support a seamless digital journey.

• Sales and servicing. On-board customers and propose services based on their current life situations.

• Product offering. Easily customize standard internal and external services to improve distribution.

The DxP microservices architecture integrates with AMPLIFY API Management and is delivered in a cloud/SaaS platform.

Learn more at soprabanking.com

Going beyond compliance to create the rich experiences customers expect

Around the world, the combination of new banking regulations and rising consumer expectations is presenting both a great challenge and a great opportunity. On one hand, customers are demanding relevant, timely, and personalized engagement — or else. On the other, directives like PSD2 are creating an expanding open banking ecosystem that plays a critical role in delivering the valuable experiences customers expect.

AMPLIFY API Management is ideally suited for both the challenge and the opportunity. It not only accelerates PSD2 RTS compliance with simplified access to data and advanced security options, but also enables banks to create new ecosystem-driven value and growth.

As the foundation of an open banking platform, you can use it to:

• Create a variety of innovative new products and services by partnering with the very organizations for which PSD2 is mandating open access

• Build digital “mash ups” that use APIs to combine your existing internal data and services with TPP services

• Improve the customer experience with frictionless interactions across all physical and virtual channels

• Gain real-time visibility into digital services and channels

Why Axway, why now?

Truth be told, few financial institutions are eager to meet PSD2 regulatory requirements just for the sake of compliance. Instead, banks are much more motivated to satisfy today’s tech-savvy digital consumer. Strong customer relationships equate to loyalty, which translates to business growth — that’s the silver lining of the RTS for PSD2 implementation.

For nearly 20 years, leading financial institutions have looked to Axway for help addressing industry standards and regulatory challenges, from SEPA, Faster Payments, High Value Payments, RTGS, and PCI, to modern digital enablement capabilities like those specified by the PSD2 RTS. In parallel, many of these same use cases have enabled our customers to rapidly deploy new services to external customers, end users, channels, geographies, and markets without impacting business-as-usual activities — all while ensuring extremely high levels of security.

AMPLIFY API Management streamlines the entire API lifecycle process that is central to not only complying with PSD2 RTS, but delivering digital value through the deployment, improvement, and operations of digital initiatives. By integrating payments with other services outside the traditional banking ecosystem, banks and other institutions can build on PSD2 to become disruptors themselves — ensuring they will not only remain relevant, but take the lead in the new payments value chain by putting customers at the center of everything they do.

By 2020, it’s estimated that 16% of online retail payments will be handled by PISPs.1 In addition, the threat posed by new service providers offering account-to-account solutions could potentially place €50 million to €100 million of bank revenues at risk.2 As the regulatory and competitive landscape continues to evolve, each bank must decide how far they will take open banking. Is basic compliance the goal, or will you go beyond?

Sources:

1 Accenture Payment Services: “Seizing the Opportunities Unlocked by the EU’s Revised Payment Services Directive,” 2016

2 McKinsey: “PSD2: Taking advantage of the open-banking disruption,” January 2018

Will you simply comply, or will you go beyond?

GET STARTED TODAY

go.axway.com/PSD2

Copyright © Axway 2018. All Rights Reserved.

axway_wp_psd2_compliance_en_041218