Alternative authorisation concepts for EBICS – complementary signature classes & co.

What authorisation options does EBICS offer today?

The EBICS specification regulates the type and process of authorisation for payment submissions. For this purpose, various parameters are specified that allow different authorisation models to be defined.

But is all this enough to comprehensively cover market requirements? Apparently not, because only recently, with EBICS 3.0.2, the optionally usable complementary signature classes X and Y were specified for a new authorisation model. This extension comes with new EBICS schemes. Do new wishes and requirements in this field necessarily have to be accompanied by changes to the EBICS specification? 

Not really, because there is another way. As is known, the basic structure in EBICS is formed by the signature classes T, E, A and B with different values and the option of choosing the number of required electronic signatures. In combination with signature class T, authorisations can even be instructed outside EBICS. With the electronic distributed signature (EDS) functions, it is also possible to decouple transport and authorisation.

The basic construction kit for extended authorisation models in EBICS is thus available. 

Very diverse and heterogeneous requirements 

For example, the German Banking Industry Committee (DK) has specified a special form of an authorisation model with existing EBICS means for the use of the SDC procedure under EBICS. This takes into account the separation of transfers by a service provider and authorisation by the original customer using the existing EBICS options; there is another use case with the trustee model. In addition, there are always market requirements which can certainly be mapped without adjustments to the EBICS protocol. Such requirements concern, for example, authorisation sequences and the delegation of authorisations, but also authorisations in group assignments. These models can generally be implemented with existing EBICS means on the bank server or in the customer client.

Precisely because the variety of requirements is potentially large and in part very individual, and in order to avoid compatibility problems, it makes sense to implement these concepts outside the EBICS specification where possible. 

The solution to all problems

A versatile solution model is the group concept. EBICS users are divided into any groups on the bank server. The groups can also be customer-specific. The business transactions, signature classes and number of signature classes apply unchanged. For authorisation, it can be selected whether the final authorisation should only be carried out with users from different groups or only from one common group when using the concept. A group sequence for visibilities in the EDS query is also possible. The configured model can then be documented for the customer in the BPD sheet. This way, many authorisation models can be defined in an EBICS version-compatible and interoperable manner, including the complementary signature model. How about that?

Author: Michael Lembcke

Read more

One-Leg Out Instant Credit Transfer rulebook – the starting signal for cross-border instant payments

Real-time payments are already widely used in many parts of the world. In the SEPA area, instant payments have been available since 2017. A legislative initiative of the European Commission now also envisages making it obligatory first to receive real-time payments and then, a few months later, to send them. Real-time payments systems are also already in use in other regions. Brazil, India and Singapore, for example, have systems with high transaction numbers. However, there is still no possibility to transfer money across borders in real time. Cross-border transfers are often still associated with long execution times and non-transparent fees. That can change now.

Instant payments goes international
In the area of cross-border instant payments there are already many initiatives that want to enable international real-time payments. Examples are immediate cross-border payments (IXB), Nexus and SWIFT Go. The developments in the area are not by chance; international politics is also pushing for efficient and cost-effective cross-border payments. The G20 countries have set themselves the goal of making cross-border payments cheaper, faster and more transparent and have developed a roadmap for this. The European Commission is pursuing the strategic goal of strengthening the role of the euro in the international context – an important component here is also real-time payments.
The European Payments Council (EPC), as the interest group of European payment service providers, is also involved in the international discussions. The EPC manages the SEPA schemes and thus, since its introduction in 2017, also the SCT Inst scheme. With the One-Leg Out Instant Credit Transfer (OCT Inst) rulebook the EPC now goes one step further.

The One-Leg Out Instant Credit Transfer rulebook
In November 2023 the new OCT Inst rulebook will come into force. It provides rules and formats for real-time cross-border payments in euro – but concrete technologies for implementation still need to be developed. There is still no obligation for payment service providers to subscribe to the OCT Inst rulebook and offer this form of international real-time payments. The rulebook covers the following scenarios:

• International instant payments: instant payments where one participating PSP is located in the SEPA area and one in the non-SEPA area and where at least the SEPA part of the transaction is denominated in euro. This includes, for example, euro payments to the USA.
• Cross-currency instant payments within the SEPA area: instant payments within the SEPA area between euro and non-euro currencies (e.g. GBP, CHF).

To avoid confusion: For instant payments within the SEPA area in euro, the familiar SCT Inst scheme continues to apply; the OCT Inst rulebook does not apply here. The following table illustrates the scope of OCT Inst in contrast to SCT Inst and other schemes:

For participation in the OCT Inst scheme the rulebook provides for different roles. Financial service providers who decide to participate can individually decide which offer they want to provide on the basis of OCT Inst and then take on the corresponding roles. A financial service provider must at minimum take on the role of a SEPA-based payee's PSP. This means that the provider must be able to process incoming OCT Inst. In addition, a financial institution may decide to offer OCT Inst to its own outgoing customers. For this, it must also become a SEPA-based payer's PSP. Euro Leg Entry PSPs and Euro Leg Exit PSPs act as a link between the SEPA Euro Leg and other legs of the transaction. In addition, as an OCT Inst processor you can provide other services. The following overview illustrates the interaction of the different roles:

The advantages of OCT Inst as a procedure for international payments are obvious. End customers can benefit from more efficient payments procedures with higher STP rates. Financial institutions can win back business lost to other providers in cross-border payments or also open up new business models and associated revenue opportunities. Moreover, an OCT Inst payments procedure does not have to be implemented completely from scratch from the ground up – the format is based on the SCT Inst rulebook and is internationally compatible as it is based on CBPR+ and IP+.

The race is on – what should financial service providers do now?
Currently, there is still uncertainty about the implementation, although the possible launch date is only a few months away.  Moreover, the rulebook only regulates the SEPA side of the transaction. For the non-Euro Leg, corresponding specifications are required, which are outside the scope of the EPC.
The coupling of real-time payments systems is a promising approach to enable international instant payments. OCT Inst forms the basis for international real-time payments on the SEPA side.
Due to the lack of clarity and the voluntary nature of the scheme, most financial service providers are still taking a wait-and-see approach. However, every financial institution should address the strategic implications at an early stage and conduct an impact assessment.

• What is my business model in international payments?
• What offers do I have and what revenues are associated with them?
• Which areas could be replaced by OCT Inst?
• What services can I offer to open up new business areas?

In the future, cross-border instant payments will also become the standard in cross-border payments. It is still open who will benefit and who will be burdened by this. Financial service providers should set the strategic course to be on the right side. The race is on!

Author: Ann Kristin Mundt, Lukas Schlotfeldt

Read more

PSD3/PSR

The EU Commission recently published its proposals for Payment Services Directive 3 (PSD3), as a supplement to the previous PSD2. The proposals have implications for players in the payments sector and are controversially discussed. We would therefore like to briefly explain the most important points.

Regulation effective immediately
The PSD2 has been reviewed and the EU Commission has revised its contents. The result is a PSD3 and a PSR (Payment Service Regulation). While the PSD3 is a directive that the respective member states must transpose into national law, the PSR is "only" a regulation. It is effective immediately and does not require separate incorporation into the respective national laws.
Some of the contents of the PSD2 are migrated to the PSR. This should lead to a more uniform implementation within the EU. While there is additional room for interpretation in the case of a transposition into national laws, the same wording applies to all countries in the case of a regulation – with the restriction that this wording is also translated into 24 languages. The overall scope is nevertheless more limited.

No further accounts
The PSD3 as well as the PSR continue to be limited to payment accounts. The much discussed access to further accounts, such as savings accounts, was outsourced to another regulation (Regulation on a framework for financial data access, Open Finance).

Better sooner than later
PSD3, PSR and the Open Finance directive are available as proposal, i.e. draft. Following this draft by the EU Commission, the further legislative process will now take its course. The EU Parliament and the EU Council will be involved. A final draft is not expected until the end of 2023 at the earliest, more likely not until next year. With EU Parliament elections due in June 2024, publication could be further delayed. In addition, there is an implementation period of 18 months and for the directives also the transposition into national laws. The topic will therefore accompany our industry for some time to come. Irrespective of this, all those affected should already deal with the drafts and assess possible effects on their own business model.

It gets more extensive
While PSD3 takes care of payment service provider authorisation issues and their supervision, the requirements for the execution of payments are outsourced to the PSR. The latter is also twice as extensive in draft form as the PSD3 draft. At least going by the number of pages. 

The PSD3/PSR will be merged with the e-money regulation.
Payments made exclusively with cash are still not affected by this regulation.

Access to payment accounts, but how?
The PSR addresses information requirements for payment services, permissible fees, access to payment systems, rules for account information services (AIS) and payment initiation services (PIS) and how they can be accessed. The interface requirements for third-party service providers have also been clearly specified. But here, too, there will be a more far-reaching Regulatory Technical Standard (RTS), as we know from PSD2.
For account information services, access to data should be significantly facilitated and thus the customer journey offered by them optimised. So far, this has often been very cumbersome in practice, as a variety of authorisation procedures and deadlines are mixed when consolidating payment accounts at different financial institutions. These service providers also often combine information from payment accounts (regulated by the PSD2) and other financial information such as savings accounts, custody accounts and credit accounts. This is where the new regulation on Open Finance comes into play, which is also available as a draft. Access to payment accounts should continue to be regulated in the PSD or, more specifically, in the PSR.

Account check
A major change is likely to be the IBAN/name check for all payments, as it is currently being discussed for instant payments. The aim is to combat fraud. As surveys have repeatedly show, many consumers assume that such matching already takes place today. However, the IBAN/name check is different from the account number/name check known before the SEPA introduction in Germany. At that time, the recipient institution checked whether the account number and name matched for incoming payments (but not all of them).

Out with the new
The PSD2 introduced the role of third-party providers. It was one of the biggest novelties and was intended to regulate services that had already emerged on the market unregulated. Account information services and payment initiation services exist in practice and provide services to consumers. The ominous third-party card issuer or "payment service provider issuing card-based payment instruments" was described in Article 65 of the PSD2. The market spent a long time speculating about which service this could be. Now the legislator has provided clarity and completely deleted the article on confirming the availability of a sum of money.

About regulation
The German Banking Industry Committee (GBIC) generally welcomes the EU's proposals on PSD3 and the associated goal of strengthening consumer protection and improving security in payments. However, the GBIC expresses concerns about the more extensive scope of information to be shared via the third-party service provider interface and the planned extension of liability rules. According to the GBIC, too far-reaching liability for payment service providers could lead to higher costs for consumers. In addition, there is a danger that smaller payment service providers will be overburdened by the additional liability and forced out of the market.

The PSD3 is the next step towards a more regulated payments landscape. It aims to improve security and consumer protection while maintaining innovation and competitiveness in the payments sector. It remains exciting to see how the discussion will develop and which regulations will ultimately be adopted.

Author: Swaantje Anneke Völkel

Read more

EBICS payment receipt in real time – utopia or reality!?

Payments with FTAM or EBICS have been characterised by contradictions for over 25 years. Eve-ry form of communication was a one-way street, there was always only a technical acknowledge-ment and you could only be sure that everything had really worked when you had manually down-loaded and read through the customer log with a time delay. A comparison for the process could be a postal letter sent in a non-transparent envelope with the receipt of the answer by postal letter in any envelope. Even though the transmission was of course much faster than the classic postal letter.

Well, time marches on, the need for an answer within seconds and, above all, a qualitatively meaningful answer is taken for granted today. EBICS must also slowly (finally!) meet this demand and offer new mechanisms.

However, the previous procedure of reciprocal transmission of the order and its response must not simply be ignored or even discarded. Existing process sequences in EBICS have their proven right to exist, especially when it comes to transmitting very large amounts of data, which even today require several minutes for complete processing. It is precisely this capability that is still the out-standing feature of EBICS.

In spite of everything, it must also be possible in the future in the EBICS protocol to be able to send smaller amounts of data faster and above all with an immediate business response.

To be able to consider these future requirements, the EBICS protocol was extended to include the EBICS real-time messages. In this, a second bidirectional communication channel is set up between the customer product and the EBICS bank server. In the current specification this chan-nel is initially only used for ad-hoc messages from the bank server to the customer product.

In the future, this now existing communication channel can also be used for submissions and in-stant business processing in the banking environment. This instant processing can then also gen-erate the necessary return messages and immediately – similar to the online banking – display a qualitative return message to the user.

Currently, this submission format is still being piloted with special EBICS systems and is not gener-ally established in the market.

However, much more important than the above future scenario is the generally available form of asynchronous return messages to customer systems and their users, i.e. the corporate customers, which has already been specified for two years. This EBICS real-time notification is documented in the specification "Real-time notification" and can be implemented by all manufacturers. It offers unique opportunities to inform customers, i.e. corporate customers, quickly and promptly about all kinds of changes to their various accounts.

With this new capability of the EBICS protocol it will be possible in future to send a real-time mes-sage via EBICS to the customer and the customer system already at the time of booking. The EBICS infrastructure will then provide an interface for this which can be integrated into corre-sponding booking systems or it will also be possible to use any other text-based messages from other banking systems and thus always provide corporate customers with new messages. De-pending on the performance of the customer systems, many new interesting forms of application can be realised.

For financial institutions which do not want such a close coupling between EBICS and their busi-ness applications or for which integration is too cost-intensive, another option will arouse interest.
EBICS bank servers – such as TRAVIC-Corporate – can send an immediate message to the cus-tomer system(s) assigned to the customer each time data is provided, signalling that new data, e.g. an incoming account notification, is available.

This form of notification will generate interest i.a. among customers, especially in the context of instant payments. In the future more and more – regulated – payments will be based on instant payments and thus be executed quickly. This means that the payment receipt by the corporate customer must also be indicated immediately so that the goods or services can be delivered or provided quickly.

EBICS real-time notifications are the most important element of an instant payments solution over the entire process.

These messages are also structured in such a way that customer systems – such as TRAVIC-Port – can derive actions from them internally. Automated downloads of the data provided by the fi-nancial institution become possible.

And if EBICS real-time notifications become more and more established in the market, the many "hopeful queries" from customers – 80 to 90 % of account statement queries from customers are answered with "no data" – will no longer take place. Customers will rely on this new mechanism. For the operators of EBICS bank servers this means that they only incur consumption costs when data is actually available. This is an important savings effect for financial institutions, which means that their server systems are allowed to be smaller and are actually much less frequented.

However, the whole scenario can only gain momentum if financial institutions start to offer this service; waiting for the customer product manufacturers will not work, as they always only incorpo-rate changes into their products if there are actually suppliers – i.e. EBICS bank servers.

My appeal to the EBICS banks: Start the new service to use the next generation of the EBICS protocol for yourself and, above all, for the benefit of your customers.

Author: Michael Schunk

Read more

Stablecoins blog post series – part 3: regulatory requirements

As already teased in our second blog post in the series on the topic of stablecoins, this final article will take a closer look at the regulatory aspects of stablecoins.

Fittingly, the European Union published the comprehensive MiCA regulation in the European Official Journal on 09 June 2023. It forms the European regulatory framework for crypto-based currencies and thus sets global standards for the regulation of crypto assets. While the desire for uniform regulation of cryptocurrencies in the US is growing, Europe is taking an unusual position as a driver of innovation, even though the regulation will not fully apply until 30 December 2024. It remains to be seen whether this set of rules will only be applied exclusively to the European market in the future or whether the US market, for example, will simply follow or adopt a similar set of rules.

What does the MiCA regulation bring?
First of all, the regulation is a clear signal to the market that the handling of crypto assets in the EU is not to be prohibited or prevented. Instead, a sensible legal framework will be established in which the individual market players can move more securely from now on.

The new regulations provide for new challenges exclusively for the providers of crypto services and the issuers of crypto securities. End customers will feel much less change in their daily actions. However, they clearly benefit from their strengthened rights and increased market transparency.

MiCA licences
Service providers who wish to offer various services in Europe in connection with crypto assets will need a MiCA licence in future. Depending on the service, separate requirements apply to the service provider. The services subject to authorisation under the MiCA regulation are:

• Operation of a trading platform
• Exchange of crypto assets for nominal currency or other crypto assets
• Execution of orders for crypto assets for third parties
• Consulting for crypto assets
• Custody and management of crypto assets for third parties
• Acceptance and transmission of orders for third parties
• Placement of crypto assets

Many companies see crypto currencies as a particularly lucrative business. The granting of a corresponding licence by the supervisory authorities offers companies another possibility to participate in the financial market in addition to the ZAG licence and the banking licence.

Increased requirements for issuers
In addition, the MiCA regulation also imposes requirements on issuers of "other crypto assets" and "stablecoins".
Stablecoins are divided into e-money tokens and value-referenced tokens. The value stability of e-money tokens is always based on exactly one official currency. The value of a value-referenced token can in turn arise from the combination of different goods, rights or crypto assets.
Since stablecoins are the focus of our blog series, we will refer almost exclusively to stablecoins in the following.

Crypto whitepaper for all
All crypto assets that exceed a certain threshold in trading volume, for example, must publish a crypto whitepaper before they are issued for the first time. This is similar to a securities information sheet in a somewhat watered-down form. There, potential buyers will find information about the issuer as well as information about the underlying technology and the business purpose of the token. Companies are liable for damages for the information they publish in crypto whitepapers or marketing communications. The days of exorbitant promises of returns for questionable new coins should thus have come to an end.

Reserve assets and equity
To guarantee a stable coin, the issuer must hold the value of the token as reserve assets at a ratio of 1:1. This guarantees the token holders' right of withdrawal or claim at all times. Furthermore, the composition of these assets must be openly disclosed and must withstand liquidity requirements, whereby a portion of the assets may be invested in low-risk transactions. Equity is either 350,000 euros, 2 % of the average reserve assets or one quarter of the previous year's fixed overhead costs, whichever is the largest. The equity can be upgraded or downgraded by 20-40 % depending on the risk potential of the token or the industry.

Separation of assets
The MiCA regulation stands for a clear separation between assets of clients and those of a service provider or issuer. Whether it concerns the retention of client funds, client crypto assets or other client holdings, everything must be strictly separated from each other. The reserve assets of a stablecoin must also be strictly separated from the issuer's corporate assets and held per token issued. Thus, even in the event of a possible insolvency of the custodian, it should be guaranteed that the customers retain the claim to their assets.

Case study FTX
Examples such as the crash of FTX showed in the past the impact it can have on the whole market when issuers of large tokens misappropriate their customers' deposits. FTX had lent customers' deposits as collateral for speculative crypto trades to the related company called "Alameda". Again, as collateral for these lent deposits, they accepted the company's own FTT token. When this token lost its value and the house of cards collapsed, the investors' deposits could no longer be bought back, as a result of which they are still waiting for their invested assets today.

Significant stablecoins
So-called significant stablecoins also have a major impact on financial stability in the EU. According to the regulation, a coin is considered significant as soon as it meets three of the following criteria:

• 10 million customers (natural persons or legal entities)
• 5 billion market capitalisation (total value)
• 1 billion reserve assets
• 2.5 million trades per day or €500 million per day
• Special interconnectedness with the financial system
• Issuer is a gatekeeper according to regulation (EU) 2022/1925.
• Issuer issues at least one additional stablecoin and provides at least one crypto service.

These are automatically subject to supervision by the EBA and are subject to further duties and requirements. This includes i.a. further requirements for the reserve assets and their liquidity, which are regularly tested with the help of liquidity stress tests.

Finally, it remains to be seen how the MiCA regulation will affect the trading of stablecoins. ESMA, with the support of the EBA, will publish further specifications on the technical implementation of the regulations in the next ten months – which means that there are still many developments to come.

Authors: Benjamin Schreck, Jan Gäth

Read more

Digital euro – the draft law paves the way for the future of payments in Europe

The European Commission has published a draft law on the introduction of a digital euro. The aim of this initiative is to meet the increasing demand for digital payments and the use of private digital payment methods.

The digital euro is understood as digital cash, a central bank digital currency for retail payments, which is to be issued by the ECB. Consumers should be able to use the digital euro for payments in retail and e-commerce.

Intermediaries play an important role in enabling users to access the digital euro. Acceptance points such as merchants, businesses and public authorities are to accept the digital euro in the euro area so that it can be used as a European means of payment.

Intermediaries are defined in the draft law as payment service providers and other companies that provide services related to the issuance, distribution, exchange and custody of the digital euro. This mainly concerns payment service providers, banks and financial institutions.

For intermediaries, the following implications and measures arise in connection with the digital euro:

1. Improved payment infrastructure: the introduction of the digital euro promotes the development of digital means of payment. Intermediaries need to adapt their systems and processes to enable transactions with the digital euro. The integration of digital wallets into their services and the development of necessary interfaces are crucial here.
2. Value-added services: the digital euro meets customers' expectations for a seamless and convenient digital payment experience. Financial institutions and businesses should offer user-friendly digital payment solutions, integrate the digital euro into their services and use innovative technologies such as mobile payments and digital wallets. Intermediaries should inform customers about the digital euro and support them in its use.
3. Partnerships and collaborations: financial institutions and corporations can collaborate with FinTech companies, technology providers and payment service providers to leverage expertise and drive innovation in the digital euro ecosystem. Close cooperation with central banks and the ECB is also important to ensure coordinated implementation.
4. Cost reduction and improved transparency: using the digital euro can reduce transaction costs for financial institutions and companies, especially for cross-border payments. The exact fee structure has yet to be determined. The digital euro also simplifies cross-border payments within the euro area and offers increased transparency.

When introducing the digital euro, intermediaries must observe relevant regulations and data protection requirements. Security and data protection measures must be reviewed and adapted to ensure the integrity and confidentiality of transactions.

An active role in the public discussion is important to add the perspectives and concerns of intermediaries.

The digital euro proposal offers an exciting opportunity for innovation and growth in the financial industry. By taking these action points into account, it can be ensured that the advantages of the digital euro are utilised and customers are supported in the best possible way.

We should use this opportunity – not only as payments industry players, but especially as future users – to actively participate in shaping the digital euro and to help shape the future of payments in Europe.

The draft law still has to be adopted by the European Parliament and the Council before the law can be passed and enter into force. The final decision on whether to introduce the digital euro lies with the ECB and is expected to be made at the end of the year.

From our point of view, the question is not whether the introduction will come, but when and within what framework that will be.

Source: Proposal on the introduction of a digital euro.

Author: Anja Kamping

Read more

The digital euro gets a rulebook

The ECB's two-year investigation phase on the digital euro will end this autumn. Subsequently, it will be decided whether and in what form the digital euro will be implemented. The ECB plans to organise the distribution of the digital euro through a scheme that will set rules and guidelines for its introduction and distribution. Earlier this year, the ECB established a Rulebook Development Group (RDG) to produce a first draft of a scheme rulebook. This first draft could be particularly interesting for commercial banks and payment service providers, as the ECB would like to process the distribution of the digital euro through them.

Composition and tasks of the RDG
The Rulebook Development Group's task is to create a preliminary scheme rulebook for a potential digital euro. It is composed of 22 experienced professionals from the private and public sectors. This includes 8 Eurosystem representatives and 14 representatives from various payment market stakeholder organisations, ensuring that the different perspectives and needs of all stakeholders are considered.

Contents of the rulebook
The rulebook provides a framework to which all intermediaries involved in the introduction and distribution of the digital euro are bound. It includes the following aspects:

• Basic characteristics of the scheme
• Functional and operational model
• Compliance (adherence)
• Technical requirements
• Risk management
• Scheme management

In developing the rulebook, the Research Development Group is guided by the design options endorsed by the Governing Council, which are explained in the so-called progress reports during the investigation phase. These are accessible via the ECB's website digital euro publications.

Importance of a scheme rulebook for the digital euro
A scheme rulebook creates uniform standards for the introduction and distribution of the digital euro, which can improve the interoperability and efficiency. It provides clarity and transparency to intermediaries and also to the users of the digital euro, which reduces misunderstandings and uncertainties during the implementation and strengthens trust in the digital euro. The design of the rulebook can also be crucial for a smooth introduction and distribution. To this end, flexible rules and a low level of bureaucracy are particularly important to enable an uncomplicated onboarding for all intermediaries.

Potential for innovative services
The rulebook also influences the development of additional and innovative services that can be offered with the digital euro. Depending on its design, the rulebook can be an important basis for commercial banks and licensed intermediaries to develop additional services beyond the original scope of application. In this respect, the inclusion of stakeholders from different sectors of the private sector raises hope. Innovative services could be decisive for the future success of the digital euro. This is because there is still a lack of clear unique selling points that distinguish the digital euro from existing payment instruments such as card payments with commercial bank money.

We now have to wait about six months for the decision on the introduction of the digital euro. Important announcements are still expected in this final stage of the investigation phase. In order to prepare in the best possible way, it is advisable to deal with the topic intensively now and not just if the introduction is imminent. One thing is certain: PPI will continue to follow the developments on the digital euro with enthusiasm and will continue to keep you informed of the most important developments.

Author: Alois Brügge, Philipp Schröder

Read more