A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs).

White paper December 2018

Time to get

practical

A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

Photo by Christopher Burns on Unsplash

Ready to discuss how to develop your payment services under the PDS2 directive? Please contact: infoWL@worldline.com

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 3

Table of contents

1

Introduction 4

2

From PSD to PSD2 6

3 4 5 6

PSD2 - the most important news

7

Step-by-step guide for the TPPs 11

The Worldline PSD2 services for TPPs 15

Closing remarks 17

4 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

1

Guernsey Scenery

Introduction It is close to a year since the European Commission’s revised Payment Service Directive – or PSD2 – came into force on January 13 2018. The impact of the innovative regulatory framework is being felt not only within Europe but across the globe, where a wave of open banking initiatives inspired by PSD2 is currently transforming the payments landscape as we know it. One of the objectives of the mandatory directive was to enhance innovation and competition in the European payments industry, by introducing two new roles as Third-Party Providers (TPPs) in the banking ecosystem: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). Both roles are open to current and new players in the ecosystem, and the banks are required to support these new service providers if their customers want to grant access to their (payment) accounts as described in the directive’s Article 66 and Article 67. This new practice is commonly referred to as “Access to Account” or XS2A. At this point, the European payment industry is busy implementing the regulations – most recently the Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication – and figuring out how to make PSD2 work in practice. Until now, 5 of the 28 European members states have failed to communicate full transposition measures to the European Commission, while infringement procedures by the Commission are pending against 16 member states “due to the lack or delay of the notification of national transposition measures or their incompleteness […]”¹.

1. https://ec.europa.eu/info/ publications/payment-servicesdirective-transposition-status_en

In turn, this is creating a degree of uncertainty within the industry, both regarding the implementation timeline going forward but also regarding the legal status and operational capabilities of TPPs in the countries that have yet to implement PSD2 completely.

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 5

2. It should be noted that it is up to the relevant national regulator – or FSA – to decide how “ready” the APIs of the test environment need to be.

Arguably, the reactions to PSD2 amongst the European banks fall into two categories; some banks choose to adopt a minimum compliance approach, where they direct customers to a multipage web browser to authenticate; others recognise the regulations as a unique opportunity to augment services and redefine their value proposition towards their customers by engaging in mutually beneficial relationships with the TPPs through open APIs. No matter the approach, the deadline for PSD2 RTS compliance is fast approaching. By March 2019, banks must have their open APIs ready for testing by approved AISPs and PISPs, so that the TPPs can successfully integrate by September 19 2019², where the RTS become mandatory. Practical step-by-step PSD2 guide From our recent discussions with a wide range of market players, we know that many would-be TPPs feel uncertain about why they should become a TPP and if so, what they need to do to best prepare for PSD2, and about whom they can turn to for strategic, as well as technical, assistance. To accommodate the need amongst TPPs for qualified advice and support, this whitepaper sheds some light on possible opportunities and includes a practical stepby-step guide to PSD2 for TPPs. The guide encompasses preliminary questions that TPPs need to consider as soon as possible to understand sufficiently their own potential positions and roles going forward. Being a European leader in the e-payments and transactional services sector, Worldline possess the necessary competencies and the technological and industrial capacity to help TPPs meet the challenges and seize the opportunities presented by PSD2 and Open Banking. They include a single API for connecting to banks in Europe, full end-to-end management of the new eco-system, as well as support for competitive offerings. However, whether a TPP – at some stage – chooses to turn to Worldline as PSD2 provider or decides to try to go all the way alone, the same questions apply as part of the preparation process. Before the step-by-step guide, we will give a very brief introduction to the key elements of PSD2. If you are already familiar with PSD2 and you have made the choice to become a TPP, you can directly move to chapter 4.

Go back to table of contents>>

6 PSD2 - The Nordic Way - a PSD2 whitepaper from Worldline Nordic

2

From PSD to PSD2 To the surprise of a great many Europeans, who used to believe that the EU system was far too bureaucratic to ever take the lead on innovation, PSD2 has turned out to be more disruptive than anything any bank would expect from any FinTech start-up. Clearly, the new directive, conceived by the European Commission and adopted by the European Parliament and the Council of The European Union, did not come out of thin air. PSD2 is an enhancement and further development of PSD, which was adopted by the EU in 2007. In a press release on 8 October 2015, the Commissioner of Competition, Margrethe Vestager, said:

We have already used EU competition rules to ensure that new and innovative players can compete for digital payment services alongside banks and other traditional providers. Today’s vote by the Parliament builds on this by providing a legislative framework to facilitate the entry of such new players and ensure they provide secure and efficient payment services. The new Directive will greatly benefit European consumers by making it easier to shop online and enabling new services to enter the market to manage their bank accounts, for example to keep track of their spending on different accounts”.³ Legal platform for SEPA For many years, a successful realisation of The Single Market Strategy has been one of the most important overall goals of the European Commission and the European Union. The strategy has been divided into separate sub-strategies: the Single Market for Goods, the Single Market for Services and the Digital Single Market. As part of the latter, the Single Market strategy for Payments materialised for the first time in 2007 in the form of the first Payment Services Directive or PSD (Directive 2007/64/EF) which became law in November 2009 and – among other things – provided “the necessary legal platform for the Single Euro Payments Area”A or SEPA. 3. h ttp://europa.eu/rapid/ press-release_IP-15-5792_ en.htm?locale=en A. http://ec.europa.eu/finance/ payments/framework/index_ en.htm B. http://www. europeanpaymentscouncil. eu/index.cfm/newsletter/ article/?articles_uuid=D21AD9455056-B741-DB50AEA554CA2789 C. http://europa.eu/rapid/ press-release_IP-03-1641_ en.htm?locale=en D. http://europa.eu/rapid/ press-release_IP-03-1641_ en.htm?locale=en E. http://europa.eu/rapid/ press-release_IP-07-1914_ en.htm?locale=en F. http://smartalwayswins.kpmg.be/ assets/brochure/psd2.jpg

The idea behind SEPA was not at all new in 2007. In fact, it was already part of the Lisbon Agenda launched in 2000, and, later that year the Commissioner for Internal Market, Frits Bolkestein, stated that: ”There is a clear need for a change. [...] The Commission’s political objective is exactly that: a modern Single Payment Area for the entire EU where there is no frontier effect for cross-border payments.”B Cost reduction of up to 28 billion Euros In a later speech, Bolkenstein said that ”a Single Payments Area will mean lower costs for payments, an end to unnecessary delays and much greater certainty over security and legal responsibility.”C Furthermore, he emphasised that a Single Payment Area would also be “crucial for the competitiveness of the EU economy.”D Stronger competitiveness was one of the very reasons for the launch of the first Payment Service Directive. In December 2007, the EU Commission stated its ambition of generating a reduction in costs of up to 28 billion Euros a year thanks to the new directive. “Currently each Member State has its own rules on payments, and the annual cost of making payments through these fragmented systems is as much as 2-3% of GDP. Payment service providers are effectively blocked from competing and offering their services throughout the EU. Removal of these barriers could save the EU economy €28 billion per year overall.”E These significant economic benefits and the synergies of this type of European consolidation paved the way for new pan-European legislation.F

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 7

3

PSD2 - the most important news The PSD2 (Directive 2015/2366/EU) starts out with 113 introductory recitals setting the scene and explaining the reasoning behind the new directive. The main reason for updating PSD1 was the immense development and growth within the retail payment market and the related digital technologies – such as mobile payments - since the first directive in 2007. The development has “given rise to significant challenges from a regulatory perspective. Significant areas of the payments market, in particular card, internet and mobile payments, remain fragmented along national borders.”4 This fragmentation, in combination with rapid technological advancement (resulting in many new products and solutions which fall outside the scope of the old directive) had, according to the EU Commission, led to “legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas.”5 The Commission’s conclusion was that the PSD1 framework was no longer adequate and an update was necessary to take the next steps towards full integration across the EU:

The continued development of an integrated internal market for safe electronic payments is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit fully from the internal market.”6 Access to Account (XS2A) The most talked about, and most important, innovation in the new directive is that banks are required to provide access to payment accounts for Third Party Providers (TPPs) – on the condition that the TPP has received a permission from the bank customer to whom the accounts belong. This new requirement is stated in the directives’ Article 66 for Payment Initiation Services (PIS) and Article 67 for Account Information Services (AIS):

4. http://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri= CELEX:32015L2366& from=DA, recital 4, p. 36 5. http://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri= CELEX:32015L2366&from= DA, recital 4, p. 36 6. http://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri= CELEX:32015L2366&from= DA, recital 5, p. 36 7. http://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri= CELEX:32015L2366& from=DA, p. 92 and p. 93

Article 66. Rules on access to payment account in the case of payment initiation services. 1. Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I.” And:

Article 67: Rules on access to and use of payment account information in the case of account information services. 1. Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I.”7

Go back to table of contents>>

8 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

Definitions AISP – Account Information Service Provider 
 An AISP is a Third-Party Provider (TPP) which, with access via a standardised interface (e.g. an API), can draw information from a customer’s (payment) account in a bank. For example, this could be PFM tools which aggregate data and create an overview, or lending companies using the access to create a precise credit score for a customer. ASPSP – Account Servicing Payment Service Provider 
 An ASPSP is “a payment service provider providing and maintaining a payment account for a payer.” For the time being the role of ASPSP is covered by banks. PII – Payment Instrument Issuer 
 Not only ASPSPs issue payment instruments. There is an increasing number of merchant or airline issued payment instruments. PII can utilise AISP or PISP (see below) to conduct fund checks and/or transactions. PI - Payment Instrument The directive defines the PI as “a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order.” PISP – Payment Initiation Service Provider 
 A PISP is a Third-Party Provider (TPP) with an access via a standardized interface (e.g. an API) and which can carry out payments directly from a customer’s account through the banks’ own A2A infrastructure. Examples of this kind of services are Sofort (owned by Klarna) and Trustly. PSP – Payment Service Provider This category covers all providers that offer services for accepting electronic payments. This includes card based payments (credit/debit) as well as account based (real-time) transfers. PSU – Payment Service User 
 A PSU is a legal entity – e.g. an individual or a corporation – with an ASPSP account “making use of a payment service in the capacity of payer, payee, or both.” TPP – Third Party Provider 
 A TPP is a third party, which is granted access to a bank account either as an AISP or a PISP. Not to be confused with the concept of a TTP – Trusted Third Party – as used in cryptography.

The two XS2A articles, written and proposed by the European Commission and adopted by the European Parliament and the Council of The European Union, are nothing less than historical in terms of their perspective and potential impact on the entire European financial sector. Concern among bankers The “Access to Account” requirement is disruptive in several ways: It imposes operational risks and costs on the banks, since they are responsible for finding secure and efficient ways of communication to provide access for the potentially huge number of diverse TPPs. Furthermore, the banks continue to be liable for all transactions and are expected to react promptly to all customer complaints. If a TPP finds itself involved in a compromising transaction, it will need to proof its innocence. At the same time, Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 9

the banks must give the TPPs – which can include innovative FinTechs, global tech giants, and competing banks – access to their customers’ accounts. This means that banks face the risk of losing the direct relationships with their customers and therefore of being reduced to the role of basic infrastructure providers – and this will mean a drastic cut in their revenues. Seen from this perspective, it came as no surprise that 88 % of all bank senior executives in a survey conducted by PWC in 2016 expressed concerns about the possible direct consequences of these new requirements for the European banking industry.8 New opportunities Despite these reasons for concern, PSD2 primarily represents a unique strategic opportunity for would-be TPPs, including the banks who have the courage and the innovative power to seize and unfold it. PSD2 regulation fuels the deeper trend of ”Open Banking” Loan Comapny PSP, Telco, Retailer

Account holder

De Banks must allow access to accounts

by registered third parties

Third Parties can initiate payments/access accounts AISP/PISP

but are more tightly regulated

Strong authentication is required

Data enrichment & analysis party

Account data Software vendors

Mortgage/loans Data sources

Insurances Investment portfolio Customer’s Banks

All types of companies can become a TPP if they so desire and as long as they fulfill the national requirements for TPP approval. This means that many different types of TPPs are currently entering the market. Some TPPs come from the financial services sector and include FinTech companies like the current “direct access” players Klarna and Trustly. Banks can become TPPs themselves to tap into competing banks’ accounts if they want to launch payments solutions themselves (as a PISP) or launch information/ data aggregating services in the role of an AISP. It is also a logic step for existing payment service providers offering acquiring and acceptance solutions to become TPPs. Finally, some TPPs come from outside the traditional financial services players – here we find telecom operators, transport operators, insurance companies, clubs, schools, utility providers, public authorities, merchants and many more. 8. I n Q1 of 2016 PWC made a survey amongst senior executives in 30 European banks revealing “a mixed, but mostly negative, perception of PSD2.” 88% of those interviewed believed that PSD2 would impact their business, but only a minority had a PSD2 strategy. https://www.strategyand.pwc. com/media/file/Catalyst-orthreat.pdf, p. 12 and p. 22.

The broad range of TPPs has the potential to accelerate a whole new wave of financial services innovation on top of or in collaboration with the banks. Contrary to banks, many TPPs are typically not equally challenged by regulatory requirements and complex legacy systems. Besides, they are often skilled assimilators of new technologies and prone to generating new innovative solutions that accommodate customers by delivering on convenience, speed, and value-added services. This means that they have a high value proposition to offer the banks’ customers. On the other hand, the TPPs can benefit from the banks’ extensive customer base and data pools, established brand, and scale economy. Go back to table of contents>>

10 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

Trentino Alto Adige, Italy

These new opportunities are key reasons why creative and forward-thinking banks might be in favor of the access to account requirements. But, more than this, the requirements of PSD2 is galvanizing the banks to start using open APIs more broadly (although there is no obligation in the directive for the banks to do so). Reasons to become a TPP Save costs, improve customer experience and generate new revenues

Cheaper and secure payment method Credit transfers replace card processing, direct debits and cheques

Strengthen customer experience Become one-stop shops for multi-banked customers with a consolidated account overview including loyalty and coupons

Support digital strategy

• New API propositions •N ew payment methods based on account info •M atch payments with product information to optimize product offer

Reasons to become a TPP can be quite basic, as highlighted in the diagram: I ntroduce a cheap online payment method based on the credit transfer with EU reach under your control Strengthen your customer relationship, either by: - using the customer data to get a 360-degree view and offer customized services, in an AISP role - branding the payment and connect it with loyalty programs, in a PISP role. D igitalize different processes (e.g. the onboarding process) by using account data. However, it is apparent that players in the different industries have different reasons and drivers for looking into the opportunity of becoming a TPP. elcos, being under pressure because their revenues from their traditional industry T are declining, could use this development in building up a position in the financial industry being directly connected to the end-customer via the mobile phone. I nsurers could be more interested in e.g. using the account data to further digitalize the process of providing an insurance. R etailers could use the (online) credit transfer as a cheap alternative payment method, and link it to their loyalty program. In conclusion, PSD2 opens up a number of financial services opportunities for many different players and through that points the banks in the direction of Open Banking – a concept similar to the Open API development that has accelerated the growth of industry icons like Amazon and Google.

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 11

4

Step-by-Step Guide for TPPs Based on our market research, we know that many banks, as well as companies who intend to use the opportunity of becoming a TPP, have an immediate need for practical PSD2 guidance. In terms of PSD2 preparations, an important difference between the ASPSPs and the TPPs is, of course, that the TPPs do not face the same compliance requirements as the ASPSPs, nor do they have fixed deadlines dictated by the directive. For the TPPs, PSD2 represents a business opportunity that they can choose to pursue if they want to and when they want to. Following the latest timeline provided by the European Banking Authority (EBA) on the development and rollout of the Regulatory Technical Standards (RTS) concerning Access to Account and Strong Customer Authentication (SCA), there are still some important dates for banks and TPPs to be aware of: 14 March 2019: Deadline for banks to have their “dedicated interface” (open API) and test facility ready for PISPs and AISPs to use. 14 June 2019: Deadline for banks to provide production interface.9 14 September 2019: Deadline for banks to be fully in line with the RTS. The first step for an aspiring TPP is to identify its role in the value chain and build a business case around that. Is becoming a TPP the goal in itself, or are you looking to support or enhance your existing business through accessing the banks’ payment account infrastructure to initiate a credit transfer or retrieve account information? Is your goal to reduce cost, improve the quality of existing services, or maybe to bring entirely new services to the market? We already see for instance larger retailers planning to become a PISP to integrate payments more seamlessly into their existing shopping apps while at the same time reducing transaction costs significantly. On the AISP side, we see both data-driven companies wanting to provide aggregated financial overview through delivering a new generation of Personal Finance Management (PFM) tools but also for instance lending companies looking to improve their credit scoring processes. Five important steps to become a TPP: 1. Business case – where to play? Similar to any other type of new business, a TPP must define its business case. What do you set out to do in the first place? Your strategy as a TPP will vary greatly depending on whether you are a bank looking to aggregate account information for your customers across other banks or a FinTech startup looking to introduce a revolutionary account-based payment solution. Another possibility is that you are a merchant looking for better knowledge of your consumer clients to support your loyalty program. In most cases, scale will be of the essence, and any TPP should have a clear tactical plan for scaling to reach the banks required to gain critical mass. But also a large reach towards merchants to cross-sell and push complementary offers.

9. I f ASPSP is applying for an exemption on the fall back option.

Basic questions Is my basic strategy in place? What problem am I solving for my costumers? Do I fulfill the regulatory requirements to be a licensed TPP? D o I have a clear overview of my target banks per country? – it will most likely not be possible to connect to all at once. How many – and which – will be required to get my services up and running? Go back to table of contents>>

12 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

W ill my needs for transactions or data be covered by the basic APIs, or will I rely on the offering of premium services from the banks? W hat kind of relationship do I want with the banks? Will I simply ‘consume’ the banks’ PSD2 services, or will I deliver value to the bank through collaboration? W hat is my business model? Where do I expect to make money? New services, increased operational excellence, or reduced costs? A ll these questions can be reversed to get in touch with merchants as well: What is my positioning with merchants, because as a TPP I am in the middle of the relationship between ASPSPs and merchants. Needs of TPPs to create Value for Account holders Based on PSD2/XS2A building blocks Validated and accurate data

Buy it now with fast delivery

Online/real-time available data TPPs

Aggregated data

Single overview/insight on financial situation immediately

Account holders

Get customized offer Low cost payment Trusted system Payment to all banks in Europe Easy to use

Short time to market ...

...

2. APIs – How to get API definitions from the banks and how to ensure performance? To realize the business case, a TPP must rely on certain key factors from the banks: F irst and foremost, the quality, reliability and stability of the interfaces/APIs towards the banks and the underlying infrastructure. S econdly, the scalability of these interfaces (again including the underlying infrastructure). Banks are experienced in operating stable and resilient platforms, but might not be experienced in delivering APIs to the outside world. This means that a TPP will rely on a given bank’s capability or choice of strategic supplier of the APIs. As banks need to provide the documentation for the APIs, an aspiring TPP must put in place a structured approach of how to plan the initial integration and testing. Subsequently, the TPP will need to have processes in place to ensure the ongoing adjustment of the APIs. 10. D uring a fall-back solution, TPPs still need to authenticate when ’logging in’ to a bank’s API, and solutions might vary from bank to bank. The fall-back solution is also only to be activated when a bank’s API has not performed sufficiently well over a period of 14 days. As banks typically prefer access via APIs to reduce fraud, it is unlikely that a fallback solution is ever needed.

Basic questions What kind of performance do I need to deliver my service? Am I prepared for managing the potentially hundreds of different bank APIs? Should I work through an integrator or aggregator? How do I plan to test the performance of the APIs? How do I monitor the performance and availability of the APIs? W hat are my fall-back options?¹0 Will I develop and maintain a direct access/screen scraping solution as well?

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 13

3. Target scope – Do I target a specific country, sector, or just go for the biggest possible scale? Does my strategy depend on cross-border interoperability? Arguably, one of the best things about PSD2 is that it applies to all EEA countries. It would be a daunting task for any TPP to connect to all of Europe’s 4,000 banks. An aspiring TPP would need to define its target scope and expansion plans – be that geographical or other. Either way, it will be an important exercise for a TPP to map out the integration points needed to fulfill its targets. With PSD2, different hubs or aggregators are likely to position themselves in a way that allows for a certain degree of standardization in access across many banks. Properly identifying the best integration route to the target banks will be extremely important, both in terms of time to market and integration costs. Basic questions D o I need cross-border interoperability to realize my business case? H ow do I go about mapping the capabilities of the different aggregators? I f my business idea relies on data collection, do I have an overview of how payment account information is typically structured across different geographies? I f my business idea relies on payment initiation across borders, how do I handle the differences in cross-border payments concerning versioning and cataloging of APIs? H ow do I plan to manage different (consumer) charges for cross-border payments across different banks and countries? 4. Working out how to register as a TPP as well as how to passport a TPP license to other member states. Up until today, there is no single formalized procedure on how to register as a TPP. While the TPP register – on a European level – will be supervised by the European Banking Authority (EBA) through its Guidelines on authorization and registration under PSD2, the national financial supervisory authorities (FSA) are responsible for the registration of the TPP as well as for setting up practices and procedures for TPP approval. To be approved, all TPPs need to comply with the regulatory requirements under PSD2, e.g. a requirement for specific insurance. Once approved, the licensee can passport its license via the FSA to other EU/EEA member states, allowing it to operate in those countries. After the approval, the actual integration needs to be put in place, including both identification and authentication towards the bank. Basic questions: W hat are the requirements to register as a TPP in my home state? H ow do I ensure, verify and document compliance with the requirements? H ow do I passport my license to other member states? D o other member states have additional requirements that I need to consider? H ow do I properly identify and authenticate myself towards the banks? >>

Go back to table of contents>>

14 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

Sunset in Ålesund - Norway

5. Working out how to connect to merchants While the processes for identification and authentication between TPPs and ASPSPs leave a lot of questions unanswered, some elements – as defined through RTS – are already in place. However, if the aspiring TPP wants to provide its services to e.g. a merchant that does not plan to be a TPP itself, how does the TPP go about handling this integration? It should be noted that working out how to connect to a merchant is outside the scope of PSD2, which means that there will be no regulatory guidance fort the TPPs to rely on the matter. Basic questions: How do I properly identify and authenticate myself towards the merchants? Can I integrate with the Point-of-Sale terminals? Can I integrate with the merchants’ ECR systems? How do I handle reconciliation of transactions? W hich distribution channel should I prioritize at the beginning – online, in-store or mobile? Which services should I propose to merchants – PIS or AIS? What will be my business case to monetize this new business?

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 15

5

The Worldline PSD2 services for TPPs When targeting the TPP role, the main challenge for you is to avoid much of the complexity brought on by the lack of standardization and evolving legislation in order to concentrate on developing the innovative services enabled by PSD2 Access to Account in a growing competitive environment. Today, equensWorldline deploys its solution WL Access2Account TPP services to support TPPs with these challenges and provide: A single API to connect to the banks in Europe. With the implementation of the current known standards in the market, reach to many banks is provided. A solid roadmap and a streamlined implementation process ensure the reach required for the TPP. M anagement of the new eco-system. Via our partnering program, we can offer you a full end-to-end solution for your specific use case. S upport for your competitive offering. With a modular portfolio, you can pick and choose the elements you require. Our solution can be up and running within 4 months. In combination with other Worldline assets and/or assets of our partners, we will be able to provide you with a competitive edge. These services are provided by the following elements: A developer portal where the documentation of the APIs is published for your and/or your clients. The portal provides access to a sandbox environment, enabling you and your client to perform tests on APIs.

11. Current platform processes over 500 million e-transactions a year.

A multi-service platform with a 24/7/365 processing window with high service levels and the ability to handle large volumes11. The platform contains all the required elements, including an administration portal, required reports, self-service onboarding facilities, and consent management functionalities.>>

Go back to table of contents>>

16 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

TPP role is different across industries The way you will define your role as TPP will differ per industry. Whether you are a bank searching for an improved credit scoring for mortgage applications, a retailer looking for a cost-efficient account-based payment or a corporate searching for effective cash management, we have the expertise of the different markets and experience in the financial industry to handle the challenges. The way forward The development continues and while standards are evolving, volumes are growing and number of use cases are expending, we keep supporting you in your strategy to provide the new services based on the payment initiation and account information services with up to date interfacing, a scalable platform and increasing number of services and partners..

Barcelona Waterfront

Go back to table of contents>>

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 17

6

Amsterdam

Closing remarks Long before any European bank started thinking about Open Banking, companies like Amazon (2002), Twitter (2006), LinkedIn (2009), and IBM (2013)12 realised the value of opening (some of) their APIs to the outside world.

12. In the case of IBM, developers outside IBM are invited to join Watson Developer Cloud and start exploiting the fascinating world of cognitive computing - https://www.ibm.com/watson/ developercloud/ 13. https://bbvaopen4u.com/en/ actualidad/psd2-and-open-apisbanking-start-exponential-erafintech-and-online-payments

Within the payments industry, PayPal took the lead by introducing open APIs as early as 2004, when it first launched its developer portal and started inviting external developers to build new services to enrich the PayPal community. Since then, both MasterCard (2010) and Visa (2016) have opened their own developer portals. Among the banks, the use of open APIs is still relatively new and only a few banks would claim to have an implemented Open Banking strategy. Some of the current frontrunners are BBVA13, Crédit Agricole, and Denmark’s Saxo Bank. However, in an increasingly competitive and technology-driven payments market more and more banks recognize the possibilities brought on by Open Banking, both in terms of improved customer experiences and new revenue streams. Although PSD2 has applied since January 13 of 2018, some countries are still struggling to communicate full transposition measures to the European Commission. This is circulating a general sense of uncertainty in the European payments ecosystem regarding the implementation timeline while generating an ambiguous legal and operational status for TPPs in the relevant countries. The finalization of regulatory technical standards, rulebooks, and certificates are to some extent counterbalancing the uncertainty by delivering an approved framework for all industry players to navigate within. But for banks, these additions are also gradually increasing the compliance burden and raising new complex questions about how best to cope with new business requirements. Worldline believes that TPPs – being banks, telcos, retailers, insurers or any other company – can benefit greatly from the effects of PSD2, if they position themselves in a timely and proactive manner. To be a successful TPP, you will rely greatly on your integrations – not only to the banks but also to a number of ancillary services like analytics, reporting, billing etc. to further drive your business. Worldline supports TPPs in their strategy to provide new services based on payment initiation and account information services by enabling TPPs to increase their reach, manage their ecosystem, and provide them with a competitive edge. The API economy has more than anything shown that choosing your strategic partners is more important than ever. Go back to table of contents>>

18 Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs)

NOTES:

Time to get practical A PSD2 whitepaper with a step-by-step preparation guide for Third Party Providers (TPPs) 19

NOTES:

CONTACT DETAILS OF OUR KEY REPRESENTATIVES: Tom Wijnen Tom is Senior Product Marketing Manager at equensWorldline. He has extensive knowledge of the payment industry and has done work for the European Payments Council. Currently he is responsible for the eTransactions portfolio and the Access to Account (XS2A) services for Third Party Providers.” tom.wijnen@equensworldline.com Sylvie Calsacy Sylvie is Head of Payments Strategy at Worldline. She joined Worldline in 2012 where she had several positions being responsible for the SEPA product line and development of new business areas in relation with Online Banking. Before joining Worldline, she worked for Groupe Crédit Agricole, initially in investment banking then she got a position as liquidity manager and global treasurer for insurance companies. She holds a Master in Financials at the ESCE French business school and holds a graduation in financial analysis at the SFAF. sylvie.calsacy@worldline.com Michael Salmony Michael is Executive Adviser at equensWorldline SE, Europe’s largest payment provider, which processes over 17 trillion Euro per year. He is an internationally recognized leader on business innovations especially in the digital and financial services space. He is board-level advisor to major international banks, industry associations and European bodies. Previously he was IBM’s Director of Market Development Media and Communications Technologies and studied at Cambridge University, UK. michael.salmony@equensworldline.com

About Worldline Worldline [Euronext: WLN] is the European leader in the payments and transactional services industry. Worldline delivers new-generation services, enabling its customers to offer smooth and innovative solutions to the end consumer. Key actor for B2B2C industries, with over 45 years of experience, Worldline supports and contributes to the success of all businesses and administrative services in a perpetually evolving market. Worldline offers a unique and flexible business model built around a global and growing portfolio, thus enabling end-to-end support. Worldline activities are organized around three axes: Merchant Services & Terminals, Mobility & e-Transactional Services, Financial Processing & Software Licensing including equensWorldline. Worldline employs more than 9,400 people worldwide, with estimated revenue of circa 1.5 billion euros on a yearly basis. Worldline is an Atos company. For further information infoWL@worldline.com Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Bull, Canopy, equensWorldline, Unify, Worldline and Zero Email are registered trademarks of the Atos group. worldline.com Worldline is a registered trademark of Worldline SA.