EBICS 3.0 in the home stretch

By 22 November this year at the latest, the time will have come. From that day on, German payment service providers are obliged to offer their corporate customers EBICS 3.0, to be precise EBICS 3.0.1, alongside the previous version 2.5. For Switzerland, SIX has also issued a recommendation for the support of EBICS 3.0 from November 2021, and in France, EBICS 3.0 can already be officially offered by financial service providers since January 2018.

The Deutsche Bundesbank has announced that it will switch completely to EBICS 3.0 from 22 November 2021 for a transitional period of one year. EBA CLEARING has a similar position regarding its EBICS services.

What does the EBICS changeover mean for all those involved in EBICS?

Financial institutions and financial service providers are preparing for November 2021. EBICS 3.0-capable systems are already in use in many cases. It is possible that EBICS 3.0 has merely not yet been activated.

For the transition period from EBICS 2.x to EBICS 3.0, the specified or agreed BTF and order type mappings must be stored on bank side and corporate customer side. They can be discontinued later if no order types or FileFormat parameters are specified for new EBICS business transactions in the future. 

All parties should consider the crypto life cycle (see crypto life cycle on https://www.ebics.org/en) for EBICS before migrating to EBICS 3.0. This includes minimum key lengths, key procedures, and TLS requirements that must be met. Due to the key procedures it defines, EBICS 2.3 will automatically expire on 22 November.

All this requires the latest EBICS software. Corporate customers should therefore arrange for an EBICS 3.0 update of their EBICS clients at an early stage so that they can react to the EBICS changeover of the financial institutions. In order to avoid a time-consuming reinitialisation, corresponding EBICS and key updates should already be completed on client side before the bank-side shutdown of key procedures and lengths as well as EBICS versions. The key updates may be required to migrate to EBICS 3.0.

Since the text-based customer protocol (order type PTK) is no longer specified for EBICS 3.0, financial institutions may no longer offer it for EBICS 3.0. If the customer protocol monitoring of corporate customers is still based on the PTK, an early changeover to the XML-based HAC is recommended for them.

Corporate customers can also look forward to a few new functions that EBICS 3.0 provides. These include the technical double submission check, the optional specification of the original file name when uploading and the EDS flag (EDS = electronic distributed signature), with which the corporate customer can directly control whether the submitted order should undergo the EDS process or be checked directly.

Those are some of the relevant points that I would like to share with you to help you cross the finish line successfully. Ultimately, it is important to be prepared for the approaching EBICS changeover and to take the necessary precautions.

And what about you? Have you already started your final sprint to EBICS 3.0?


Author: Michael Lembcke

Request to Pay – a revolution without revolutionaries?

Technically, the European payments market could be in a mood for celebration - after all, the first concrete regulation for a pan-European electronic payment request came into force on 15 June 2021. The SEPA Request to Pay (SRTP) Scheme Rulebook defines the parameters for all participating financial institutions. Once this system is set up, companies simply send their customers a digital data record with the details of the payment request. The payers can transfer the included information such as IBAN, sum or remittance information into their banking system with a mouse click and then only have to authorise the transaction. 

Few reactions

Experts see RTP as a potential revolution in the European payments market. However, the participants for the revolution have been lacking so far. Efforts to launch products based on RTP are hardly discernible. The question arises as to the reason for this reluctance. Are financial institutions worried about a lack of demand? Is the implementation too complicated or too expensive for them? And what can help financial institutions if they want to launch SRTP products?

There is no lack of interest

The demand is there among the ultimate addressees, i.e. the private and corporate customers of the banks, at least on the business customer side. A survey by the European Banking Association (EBA) in cooperation with PPI clearly shows this. Regardless of which potential application scenario European companies were asked about, the willingness to use RTP in their own company was generally well over 80, sometimes over 90 per cent.

Manageable effort

Of course, a new payments standard does not come for free and cannot be implemented overnight. If a corresponding project is approached with the classic waterfall methodology, a duration of 18 to 24 months is to be expected. With modern means such as agile development, however, this period can be shortened. The key is to have a clear strategic idea of what an RTP product should be able to do. Furthermore, it must fit into the long-term business plans of the financial institution. The actual costs depend on the specific circumstances. But they are likely to be similar to those of an instant payments introduction. Institutions that have already introduced this service have advantages, because some of the important aspects for RTP have already been taken care of. They then only have to apply about 30 to 40 per cent of the mentioned cost framework.

In any case, the investment should pay for itself quite soon. After all, RTP products and services strengthen customer loyalty and can help institutions win back market shares. Especially since at least no major player has yet announced plans to enter the RTP market. 

Launch the first projects soon

Financial service providers should definitely take advantage of this. Minimum Viable Products (MVP) are suitable for a quick market entry. An alternative is cooperation with one or more business customers. Companies in particular should have a strong interest in RTP, as the use of the standard can save considerable sums in billing process costs.

Sooner or later, an entire product world will emerge around RTP – that much is foreseeable! Institutions that enter the new market early on can look forward to this development with joyful anticipation. We are happy to support financial service providers with the implementation. We have summarised the basics in the latest white paper "How Request to Pay becomes a success story for financial service providers", which is available for free download here.

Authors: Eric Waller, Anuschka Clasen

Digitisation of the account life cycle? Simple with eBAM and EBICS!

B07? B13? Though these designations may look like airport gates for an upcoming flight, they mean something else.

Perhaps you have already seen them in the planned changes for the BTF to order types mapping table of DK (Deutsche Kreditwirtschaft). They refer to two of the business transactions for Electronic Bank Account Management (eBAM) newly introduced in 2021. In a previous article, we already discussed the topic eBAM in general and argued in favour of standardised use within the framework of the RDT agreement.

eBAM provides messaging for account opening, management, closure and reporting. The focus is on an existing customer relationship. Otherwise, there would be additional challenges to consider.
eBAM offers concrete potential for account management in the corporate customer sphere. Manual activities, media discontinuities and a generally paper-based procedure are currently predominant there. Opening an account or changing a power of attorney means a great deal of effort on both the customer's and the bank's part and takes days or even weeks to complete. Not to mention the lack of standards across different banks.


Electronic Bank Account Management enables the digitisation of account management processes. As shown in the figure, the paper-based processes and media discontinuities are replaced by standardised ISO 20022 XML formats (acmt.*), which are exchanged between the corporate customer and the financial institution via an electronic channel. The prerequisite is that essential bank and account master data, powers of attorney and other documents are managed in appropriate systems of the corporate customer. Document attachments and digital signatures are also supported, as these may be required in certain cases.

There is no need for a new channel, as the eBAM messages can also be transmitted via EBICS. In addition, they are already authorised in the EBICS channel. Such processes are well-known and well-established in payments, e.g. in the transmission of credit transfers and status reports. Transfer via other channels is also conceivable.

Within the institution, the necessary processing can be carried out faster and more efficiently through automated support. 

A few financial institutions have eBAM offerings on the market, but some of them are limited to individual use cases or channels. On the other hand, corporate customers such as the treasury departments of large companies are clearly interested in precisely this kind of digital account management. In particular, they want to have a better overview and reduced processing times, and at the same time manage their accounts with ease.

There are also great advantages for the financial institutions. The complexity of IT and processes can be significantly reduced and process costs lowered. 

eBAM has various points of contact in the business and IT areas, which means that questions have to be considered holistically during concept creation and implementation. This also applies to related topics such as KYC (Know Your Customer), electronic signatures, regulations or process management.
For the implementation of eBAM in IT systems, it must be considered which tasks are to be carried out in the bank server and which in the downstream systems. What should be taken into account with the new formats and their current and future versions? How can message validation and feedback generation take place? How are eBAM messages processed and transferred to the master data systems?
Based on the TRAVIC product suite, PPI can offer financial institutions the appropriate functionalities to facilitate the introduction of an eBAM offering. This includes the acceptance of messages in the EBICS bank server TRAVIC-Corporate as well as the central processing in a specific eBAM component at the interface between TRAVIC-Corporate and the downstream systems. Web-based account management in the corporate customer portal TRAVIC-Port equally offers potential for a dedicated eBAM offering. And via real-time notifications, the TRAVIC-Push-Server could be immediately notified of important events.

By offering technical and business expertise from a single source, PPI can provide holistic support for eBAM introduction on request.

I am convinced that the importance of eBAM will continue to grow. Those institutions that act early will be able to secure timely market advantages through innovative offers.

What do you think?

Author: Thomas Stuht, D.Eng.

Our money must go digital

 

Imagine the following scenario for the future: a company runs out of certain material, which is only available from a supplier abroad. At the latest 24 hours later, supplies of the material must arrive, otherwise the production will be stopped. This issue is detected by a computer system. It orders new goods completely autonomously from the supplier's system, where they are immediately sent on their way, also completely automatically. Customs declaration, transport organisation, etc. – all of this is taken care of without human intervention. At customs, a computer scans the goods, concludes that everything is in order using specified parameters and requests the customs duties from the ordering computer system. The computer system would execute the payment immediately – but it can't, at least not at the moment. Finally, a person must authorise the payment and, usually, it takes at least one banking day for the customs to register the receipt of the funds.

This example illustrates the limitations of our current payment system: relatively long waiting times, complicated authorisation procedures and a lack of delivery-versus-payment functionalities. While this may have been acceptable in the past, it poses serious problems for the future. Because the future belongs – among other things – to the Internet of Things (IoT). By 2025, an estimated 75 billion devices will be linked via networks. The potential for new business models is huge, from automatic customs clearance without human intervention, or rental charges for agricultural machinery billed according to the actual payload, to the self-ordering refrigerator.

However, many of these business models will be hard to realise if the current limits of payment systems remain. Digital currencies can lay the foundation for automation and overcome these limitations. The European Central Bank (ECB) is considering the introduction of a public digital euro – a digital form of central bank money that is to promote financial inclusion and be available to the citizens as a digital and secure means of payment. Still, even if this were to be decided in 2021, such a currency would, according to the assessment by the ECB's director Fabio Panetta as well, hardly be a reality until 2026, especially since it is not yet known whether the digital euro will have the characteristics necessary for IoT business models. Given the growth of the IoT, this will be too late and too uncertain.

The solution to this dilemma lies with private initiatives. It is already possible to connect the SEPA system with an application based on distributed ledger technology (DLT) via a technical bridge solution. This method can be used, for example, to implement pay-per-use solutions: payments are triggered via the SEPA system and programmable payments can be mapped on a DLT. However, this so-called trigger solution does not eliminate the limitations of SEPA because a human authorisation is still needed. The machine or IoT device cannot bill itself. The system break in payment processing can be avoided if a digital means of payment is issued and processed directly on a DLT, instead of using conventional payments. 

A DLT-based digital currency does not necessarily have to be issued by a central bank. Banks or financial institutions can also create solutions for so-called programmable payments. One example is euro-based stablecoins – digital tokens backed by a specific monetary value. At present, there is still no regulatory basis for euro stablecoins and they have a high counterparty risk. However, with the planned EU directive "Markets in Crypto-assets" (MiCA) this is likely to change and stablecoins will become tokenized e-money. An alternative is tokenized scriptural money that financial institutions could issue. Unlike the stablecoin, it would have the advantage of not having to be 100 percent covered. Nevertheless, according to the current rules, such a currency would not be multi-bank capable and would thus entail very significant restrictions.

In whichever form this happens, the digital currency will become reality. This is the only way for the German industry to fully benefit from the potential of the IoT. Even more far-reaching automation in goods logistics or increasingly popular asset-as-a-service models are hardly conceivable in the long term without fully autonomous payments in real time. Details on the use cases and further details on the design of digital currencies can be found in the joint white paper "The future of payments: programmable payments in the IoT sector", which was written by PPI together with the partners Cash on Ledger, Digital Euro Association and Frankfurt School Blockchain Center. For a free download click here.

Authors: Anja Kamping, Philipp Schröder


EBICS key: how long is the key to success?

On 21 April 2021, an EBICS manufacturer workshop of the German Banking Industry Committee (DK) took place. In terms of content, the core adjustments to EBICS coming with version 3.0.1 were presented. However, much more interesting for me are the cryptographic adjustments presented at the same time, which will become mandatory for EBICS customer systems in November 2021. EBICS uses 3 RSA key pairs for communication: one pair for authorisation signatures, one pair for authentication of the EBICS fragment, and one pair for encryption/decryption of messages.

For EBICS V2.5, this adjustment means that authorisation signatures (A keys) must have at least a 2048-bit key length. For authentication (X keys) and encryption (E keys), a compromise of at least 1984 bits was decided. The reason for this is probably that Seccos smartcards with keys of this length still exist in the market. The so-called DS key of these Seccos cards has a 2048-bit key length and is located in the special area of the card chip protected by an alternative PIN. 

In addition, it was again confirmed to all participants that with the use of EBICS 3.0.1, all keys used for authentication (X00x), encryption (E00x) and authorisation signature (A00x) may no longer be shorter than 2048 bits.
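The minimum lengths above can be checked against a subscriber's current keys before the switch. The following is an added example, not code from the article or from any EBICS product: it measures the effective length of each RSA modulus and lists the keys that would have to be renewed for EBICS 3.0.1. The key ids A006, X002 and E002 and the base64 modulus input format are assumptions, and the sample moduli are constructed values, not real keys.

```python
import base64

# Minimum RSA key lengths in bits per key class, as stated in the article:
# EBICS 2.5: A >= 2048, X and E >= 1984; EBICS 3.0.1: all classes >= 2048.
MIN_BITS = {
    "2.5": {"A": 2048, "X": 1984, "E": 1984},
    "3.0.1": {"A": 2048, "X": 2048, "E": 2048},
}


def modulus_bits(modulus_b64):
    """Effective key length: bit length of the modulus taken as an integer.

    Counting bytes * 8 misleads in two ways: encoders often prepend a 0x00
    sign byte, and a modulus whose top bit is clear is shorter than its
    byte count suggests.
    """
    raw = base64.b64decode(modulus_b64, validate=True)
    return int.from_bytes(raw, "big").bit_length()


def audit(keys, ebics_version):
    """Check every key against the minimum for its class.

    keys maps a key version id (assumed form: "A006") to a base64 modulus.
    Returns {key_id: (bits, required_bits, ok)}.
    """
    policy = MIN_BITS[ebics_version]
    report = {}
    for key_id, modulus_b64 in keys.items():
        key_class = key_id[:1].upper()
        if key_class not in policy:
            raise ValueError(f"unknown key class in {key_id!r}")
        bits = modulus_bits(modulus_b64)
        report[key_id] = (bits, policy[key_class], bits >= policy[key_class])
    return report


def keys_to_renew(keys, ebics_version="3.0.1"):
    """Key ids that need longer keys before the given version can be used."""
    report = audit(keys, ebics_version)
    return sorted(key_id for key_id, (_, _, ok) in report.items() if not ok)


def constructed_modulus(bits, sign_byte=False):
    """Constructed stand-in with exactly `bits` bits (not a real RSA modulus)."""
    n = (1 << (bits - 1)) | 1
    raw = n.to_bytes((bits + 7) // 8, "big")
    return base64.b64encode((b"\x00" if sign_byte else b"") + raw).decode()


# Constructed key set: a 2048-bit signature key plus 1984-bit authentication
# and encryption keys, two of them carrying a leading 0x00 sign byte.
SAMPLE_KEYS = {
    "A006": constructed_modulus(2048, sign_byte=True),
    "X002": constructed_modulus(1984),
    "E002": constructed_modulus(1984, sign_byte=True),
}

if __name__ == "__main__":
    for version in ("2.5", "3.0.1"):
        print("EBICS", version)
        for key_id, (bits, need, ok) in audit(SAMPLE_KEYS, version).items():
            status = "ok" if ok else "TOO SHORT"
            print(f"  {key_id}: {bits} bits, minimum {need}: {status}")
    print("renew before 3.0.1:", keys_to_renew(SAMPLE_KEYS))
```

The sample set passes the EBICS 2.5 minimums but not those of EBICS 3.0.1, which is the situation the key extension process described below has to resolve.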

For the customer product manufacturers, this means that a key extension process must start in the foreseeable future so that all customers can easily and simply switch to the new EBICS 3.0.1 version as of November. If this does not happen, a switch to EBICS 3.0.1 is not possible with the existing – too short – keys.

Customer products that do not offer key changes fall behind here; their users then have to generate new, longer keys in a time-consuming and complicated process, then have their access reset at the financial institution and then resubmit the keys and the INI letter to their financial institution. After that, it is a matter of waiting until the EBICS access is activated again.

EBICS customer products which offer their customers a key change still have to deal with the challenge that with EBICS 3.0.1, only X509 certificates may be used in EBICS communication. The customer products use completely new internal processes for this. The implementation must therefore be well planned and will generally not be easy. However, TRAVIC-EBICS-Kernel by PPI AG helps by providing the necessary functions for an easy switchover. It would be advisable to change from the previous key format (RDH2) to the PKCS#12 format (p12 file) for key files in the course of this.

A challenge arises for smartcards, because they often do not have the necessary key lengths and may have to be replaced, if this is possible at all. 


In conclusion: 

It is time to approach the EBICS users who still use short keys so that, in good time before the switch to EBICS 3.0.1 or before November 2021, they can generate their new keys and ideally submit them to their financial institution signed with the previous keys. Users who do not want to comply with the key requirements applicable from November 2021 would face a fatal malfunction of their EBICS access.

Author: Michael Schunk


Is the perfect wave coming?

When it comes to outsourcing in payments, I am currently somewhat reminded of a surfing competition in which the participants keep paddling around in vain, looking for the right wave. The calm seas are partly due to many financial institutions that regard payments as their core business and shy away from outsourcing at the centre of their own business activities. On the other hand, the supply side of appropriate services has been limited so far - so no dice there either. Equens Worldline is currently the only company to offer complete business process outsourcing (BPO) in payments. The banking operations centre BCB, a subsidiary of Deutsche Bank, is in the process of withdrawing from the market.

Regulation compels changes

But now the surf – i.e. the market – is starting to stir. For one, there is the pressure to change. Due to regulation and technical requirements, it has become immense. New requirements by the regulatory authorities are almost constantly rolling in towards financial service providers. Implementing them keeps the IT departments permanently on their toes, especially since they result in no small tasks. Most new regulations entail the same effort on the IT side as the implementation of a new SEPA standard, for example. The core business suffers from this, especially since IT experts are not exactly available in abundance, so staff increases are only possible to a very limited extent.

Technical requirements exceed current system capabilities

This shortage on the personnel market also indirectly plays a role in the second cause of the need for change: the technical pressure. The demands on banking IT have changed fundamentally. What is now in demand is 24/7 service and, above all, real-time capability. This "instant" phenomenon of needing to execute and track payments immediately presents banking IT infrastructures with huge challenges. Depending on which legacy systems are still working and which individuals hold a monopoly on the relevant knowledge, a technical outsourcing solution can become more and more economically appealing – and other trends are moving towards outsourcing, as well.

Technological leaps boost supply

The supply side is also making waves in the market water. Platform solutions in particular, but also connectivity technologies, have made such leaps in recent years that a number of providers are entering the market surrounding payments outsourcing. As a rule, these are specialised service providers, for example software providers like us at PPI for technical outsourcing or financial service providers like Broadridge for a complete BPO. The latter, for example, rely on their appropriate experience in the securities business. 

Regulatory authorities discover service providers

Experience and know-how are important because supervisors are also tightening the reins on external service providers for payments of financial institutions. Due to national and European regulations that have already come into force or are in the planning stage, financial institutions are forced to expand the circle of service providers to be supervised, to watch them closely in the future and to check to what extent the partner can actually guarantee their services. This goes as far as direct provisions for contract creation. Providers of outsourcing solutions could soon receive a visit from the authorities, too. In the future, the latter may want to check to what extent the companies also comply with the regulations that apply to financial institutions and whether they are in a position to fulfil their reliability assurances.

Who will ride the wave?

We hear that the first banks have already taken advantage of the stronger surf to ride the wave towards outsourcing. Others have already set foot on the board, at least to stay in the picture. Even if many of the industry's big players tend to forego riding the outsourcing wave and many public or cooperative players have already hopped aboard with their associated data centres anyway, the call of the outsourcing surf grows louder and louder. Who will answer it?

Yours,
Hubertus von Poser

Payments by card: specificities of the French market

The electronic payments ecosystem in France is made up of a wide range of players (banks, cardholders, merchants, laboratories, manufacturers, issuers, processors, card networks, regulators) with a specific payment system based on EMV (Standard Europay Mastercard Visa) technology. The multilateral cooperation agreement signed between the members allows users to access all the approved facilities (EPTs, ATMs, etc.) of the payments system members.

In France, bank card payments are transmitted to the authorisation systems via the CB, Visa or Mastercard card networks; cleared by the CORE clearing system of the French STET initiative, then settled by the settlement service of the Banque de France / European Central Bank / Bank for International Settlements. Some operations can be carried out via the domestic CB network (if the French cardholder carries out transactions in France), or via the international Visa or Mastercard networks (for international payments or for French bank cards that do not have the CB application).

 


In France, a distinction is made between immediate debit cards and credit cards (deferred debit). Some cards have systematic authorisation (online), others are offline. A French card co-branded with Visa or Mastercard is accepted all over the world. Foreign bank cards co-branded with Visa or Mastercard are also accepted in France due to the principle of interoperability or agreement between the financial institutions. Before June 9, 2016, when a French customer paid with their CB bank card supported by Visa or Mastercard, the electronic payment terminal (EPT) automatically selected the domestic network (CB). Since that date, the cardholder has had the option to choose between CB, Visa and Mastercard (European Regulation 2015/751).

The issues concerning bank card payments are expressed through several challenges (structural, organisational, technological and regulatory (1)) that are imposed on the players, forcing them to review their organisational structures and chains of operations to make them compliant with European regulations. These challenges have led to a broadening of the scope of electronic banking and the emergence of new forms of banking activities. The bank card can now be used to carry out several types of transactions with varying levels of security: mobile payments (NFC / QR code), contactless proximity, biometric (facial recognition / fingerprint), etc.

In 2019, 54 million debit cards and 39.3 million credit and payment cards were issued, of which CB cards accounted for 27.5 million, or 70% (France Cards & Payments: Opportunities and Risks to 2024 p. 33; 52; 60). According to the same source, 77% of cards in circulation in the French market are co-branded and only 23% are purely international network cards. The top five financial institutions accounted for 86% of transaction value in 2019 (France Cards & Payments: Opportunities and Risks to 2024). In 2018, there were more than 1.8 million electronic payment terminals and almost 55 million ATMs in France (Statista, 2021).

Although card payments are still the most widely used payment method in France (2) and will continue to grow in the years to come, PSD2-related regulations have created a technological and strategic revolution that will allow the various players (new entrants, financial institutions, etc.) to free themselves from the interbank networks and offer innovative services at lower cost. In fact, they will rely on the Internet infrastructure and not on private structures. Based on these new operational models, these new services (mobile payments in proximity, P2P (peer-to-peer), etc.) are developing to serve new use cases with a new user experience (Payments Cards and Mobile, 2021). The ISO 20022-based Request to Pay complements these payment methods as a powerful end-to-end payment tool offering an opportunity for new services and bringing more value to customers.

The proliferation of multiple channels and the increasing dematerialisation of payments could open up new opportunities for acquiring with increased competition on the acquirer side, which will undoubtedly lead to lower fees and better service. All of this will be closely linked to the ability of the solutions to operate together, because it is in the merchant's interest to have as many payment methods as possible on the same device at the lowest cost, so as to optimise the possibility of offering the customers their preferred payment solution.

 

Author: Tite-Voltaire Soupene

(1) Strong authentication (PSD2 Directive, 2018); Card payments (PCI DSS); Interchange fees (EU Regulation 2015/751). 
(2) In 2019, more than half the French population, i.e. 58.6%, preferred to pay via bank card. (Statista, 2021)