Fundamental changes in the financial sector - challenges for the Internal Auditor
Paul Koetsier
Agenda
Open Banking
PSD2 Requirements for Audit
Payment Services Directive 2
© 2018 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
The name KPMG and logo are registered trademarks of KPMG International.
“PSD2 could change banking forever”
Anne Boden, CEO Starling Bank, Jan. 2018
Source: https://www.reuters.com/article/us-eu-payment-regulation/european-banks-braced-for-slow-burn-payments-revolution-idUSKBN1EZ2CU
Main changes imposed by PSD2
Payment Services Directive 2
Account Information Service Provider (AISP)
[Diagram labels: Customer, AISP, Payment Accounts, Third Party]
Payment Initiation Service Provider (PISP)
[Diagram labels: Customer, PISP, Payment Accounts, Third Party]
Potential Third Parties
— Fintech
— Social Networks
— Telcos
— Challenger Banks
— Online Retailers
— Aggregators/Comparators
— Traditional Banks
— Utilities
— Network Disruptors
— Tech Companies
— Traditional Retailers
1 New payment services to be provided by (new) Third Parties
2 Heightened security for payment services through Strong Customer Authentication requirements
Regulatory pieces of the puzzle
Payment Services Directive 2
Guidelines on major incident reporting
Regulatory Technical Standards
Uncertain timelines
Payment Services Directive 2
Feb 2017: EBA Draft Final RTS issued
Summer 2017: Discussion on RTS and finalisation Guidelines
June 2017: Fourth Money Laundering Directive (AML/ATF)
March 2018: EU Commission to approve final RTS submission
May 2018: General Data Protection Regulation (GDPR)
September 2018: Electronic Identification and Trusted Services (eIDAS)
13 January 2018: Deadline for PSD2 implementation
September 2019: RTS Strong Customer Authentication applies
XYZ 2018?: Dutch transposition
Direct audit requirements
PSD2 – Requirements for audit
Fraud rate determination methodology and model
Third party interfaces
Confidentiality and integrity of personalised security credentials
Transaction Monitoring
Security measures
Strong Customer Authentication
Proportionality
Governance, incl. outsourcing
Risk assessment
Protection
Detection
Business continuity
Testing
Situational awareness & continuous learning
User relationship mgmt
2 Factor authentication
(Dynamic) authentication code
Exemptions
Delivery
Association
Creation
Renewal
De-activation
Performance
Contingency
eIdentification
Exemption Transaction Risk Analysis
Reference rates
Real-time
Factors
Detection
A game changer
Open Banking
Own production
Others’ production
Own distribution channels
Others’ distribution channels
Traditional financial services domain
Financial Services
Platforms & aggregators
Emerging financial services domain
Beyond Financial Services
Other services
Potential propositions
Open Banking
Role scope: ASPSP (“Bank”), AISP, PISP, AISP & PISP
Payments services (Compliance scope)
Other banking services
Beyond banking
— Comply to XS2A requirements
— Remote payment initiation
— Multi bank dashboard
— Payment account Aggregator
— Accounting package / ERP integrator
— Multi bank cash management
— PSP services
— Merchant one stop shop
— Personal finance management
— Multi bank dashboard
— Banking account aggregator
— Treasury management solutions
— Financial services portal, incl. lending, FX, MM
— Working capital solutions
— eBilling / eInvoicing
— Active cash management from other accounts to perform payment
— Open banking
— Google / Facebook (financial) services
— Loyalty
— Crowdfunding
— Invisible banking
— Open banking platform
— Monetised APIs
— Open banking platform
— Monetised APIs
EVA
ABN AMRO
Retail
SME
Large corporates
Breadth of services scope
PSD2 survey results – Comply, Compete & Innovate
Open Banking
87% expect that PSD2 will meet one of its objectives, ‘to stimulate innovation’
80% expect that the introduction of PSD2 stimulates or accelerates a shift to ‘Open Banking’
73% of the respondents see privacy as one of the three main risk categories
60% of the respondents see misuse of consent as a main concern
60% expect 100 – 1,000 TPP license applications in 2018 & 2019 across Europe
40% expect most competition from BigTech platforms