Pragmatic PSD2
Finance Tech Forum, April 12th 2018, Sofia
Solving the Compliance Puzzle in a Cost Effective Manner
Aleksandar Milošević, Chief Software Architect, Asseco SEE

About me
• Responsible for oversight of architecture and standardization in Asseco SEE
• Member of architecture committee and API WG of BIAN
• Contributed to Berlin Group specification in market comments phase
• Familiar with details of PSD2 Directive, EBA RTS, BG Implementation Guidelines, UK Open Banking specification, OAuth2, OIDC protocols
• Designed or contributed to hundreds of banking APIs
• Currently writing an e-Book that attempts to demystify PSD2 in technical terms
PSD2 Compliance in a Nutshell
The New Rules for TPP (Fintech or another bank) to Access Customer’s Accounts

STEP ❶ Customer grants TPP access to his/her bank account
STEP ❷ TPP asks bank to access customer’s account(s)
STEP ❸ Bank provides Fintech access to customer’s account(s), through either a dedicated 3rd party interface or an adapted customer interface (bank’s choice)

TPP executes customer’s orders: makes payments, aggregates account data, gives overview of finances.
(Diagram annotations: SCA, CSC.)
PSD2 impact – What is affected?
Disruption disguised as a regulation

Impacts on bank’s business
• Compliance costs
• Loss of card transaction fees
• Loss of quality customer interactions
• Staying relevant for customers
• Digital transformation

Impact on IT systems
• SCA with self-service channels
• Exposing API for TPP access
• Providing sandbox for TPPs
• Monitoring and keeping SLAs
• Reporting fraud and incidents
• AISP and PISP solution
• Solutions for digital transformation (PSD2++)
PSD2 Regulatory Timeline
Countdown to PSD2

EC publishes PSD2 proposals
Jan-16: PSD2 comes into force in Europe
Aug-16: Discussion RTS paper published
Feb-17: Final draft RTS paper published
Jan-18: PSD2 in national laws
Mar-18: RTS adopted by EC (18 months before RTS application)
Apr-18: TODAY
May-18: ETSI TS 119 495 published
Mar-19: Testing facility available (6 months before RTS application)
?: Banks ready for testing
Jun-19: Dedicated interface available (3 months before RTS application)
Sep-19: RTS application in force
Requirement Areas of PSD2

• SCA
→ Exemptions
→ confidentiality and integrity of credentials
→ dynamic linking
→ independence of the elements
• TMM
→ Transaction monitoring
→ Transaction risk analysis
→ Fraud reporting
• API for AIS, PIS, FCS
→ Testing facility
→ Documentation
→ SLA monitoring
→ Explicit consent
• Common and secure communication
→ mutual TLS
→ eIDAS compliant certificates
→ tracing
Berlin Group Emerging as Broadly Supported PSD2 Standard
Berlin Group Specification

• BG API endpoints
→ Consent management
→ Errors
→ Hypermedia links
→ Headers
• SCA flows
→ Redirect
→ Embedded
→ Decoupled
→ OAuth2
• Products and formats
→ SEPA, SEPA ICT
→ Local: BISERA & RINGS
→ JSON, ISO20022 XML
• Security
→ mutual TLS
→ HTTP signing
→ eIDAS certificates
Overkill [oh-ver-kil]
noun
1. An excess of something beyond what is required or suitable for a given purpose.
Example: "So, Bob, are you ready to tear down that fence?" "Yeah, Chuck, the plastic explosives are all wired up!" "Wait a minute Bob, isn’t that an overkill?"
PSD2 example: "So, Bob, are you ready to expose those 7 API endpoints for PSD2 XS2A?" "Yeah, Chuck, the API Management platform is getting all wired up!" "Wait a minute Bob, isn’t that an overkill?"
Don’t Fall for “API Management” Marketing
Proceed with caution

"The Hold ring is for things that are getting attention in the industry, but we don't think are ready for use. Sometimes this is because we don't think they're mature enough yet: sometimes it means we think they're irredeemably flawed. We don't have an "avoid" ring, but we do throw things in the Hold ring that we wish our clients wouldn't use."
Beyond compliance: Asseco PSD2 Enabler

Asseco PSD2 Enabler Solution
8 key components to meet key requirements, plus 4 to go beyond compliance:
Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector, Fraud Monitoring; xSP Module, Asseco APIs, Mobile Banking, Web Banking
Covering Key PSD2 Requirements
(Matrix of requirements against solution components; the column headers did not survive the transcript, so each row shows only how many components cover the requirement.)

Dedicated interface for AIS, PIS, FCS: ✔ ✔ (2 components)
Explicit consent: ✔ (1 component)
Common and secure communication – mutual TLS, eIDAS: ✔ (1 component)
SCA exemptions: ✔ (1 component)
SCA – confidentiality and integrity of credentials: ✔ ✔ ✔ (3 components)
SCA – dynamic linking, independence of the elements: ✔ ✔ (2 components)
Transaction monitoring: ✔ (1 component)
Transaction risk analysis: ✔ (1 component)
Fraud reporting: ✔ (1 component)
Testing facility: ✔ (1 component)
Documentation: ✔ (1 component)
SLA monitoring: ✔ ✔ (2 components)

DEMO
AISP Consent Authorization: How components work together?
(Diagram of the components Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring, with the numbered steps placed on the components they involve.)

❶ AISP initiates consent authorization
❷ User authenticates against directory
❸ User selects account to authorize
❹ User views consent details
❺ User confirms consent with push message
PISP Payment Initiation: How components work together?
(Diagram of the components Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring, with the numbered steps placed on the components they involve.)

❶ PISP initiates payment
❷ Transaction monitoring analyses risk
❸ SCA exemptions check
❹ User confirms payment with push message SCA
❺ Core connector initiates payment and returns status
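Steps ❷ and ❸ above (transaction risk analysis, then the SCA exemption check) are where a PISP payment is either waived through or handed to the user for push-message SCA. The following Python is an added example of that decision logic and is not Asseco's fraud monitoring or SCA code. The thresholds are my reading of the EBA RTS on SCA (Article 16 low-value remote payments: EUR 30 per payment, EUR 100 cumulative or five payments since the last SCA; Article 18 transaction risk analysis: EUR 100/250/500 exemption thresholds tied to reference fraud rates of 0.13%/0.06%/0.01%); the risk score scale, the anomaly labels and the per-payer counters are assumed stand-ins for what the fraud monitoring component would supply.

```python
"""SCA exemption decision for a PISP payment: risk analysis first, exemptions second.

Added example, not Asseco's fraud monitoring or SCA code. Thresholds are my
reading of the EBA RTS on SCA (Article 16 low-value, Article 18 transaction
risk analysis); the risk score scale, anomaly labels and payer counters are
assumed stand-ins for what a fraud monitoring engine would provide.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Article 18: (max exempted amount in EUR, max reference fraud rate in percent)
TRA_THRESHOLDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]
# Article 16: low-value remote payments
LOW_VALUE_SINGLE = 30.0        # per payment
LOW_VALUE_CUMULATIVE = 100.0   # since last SCA
LOW_VALUE_MAX_COUNT = 5        # consecutive payments since last SCA


@dataclass
class Payment:
    payer_id: str
    amount_eur: float
    risk_score: int                    # 0..100 from transaction monitoring (assumed scale)
    anomalies: Tuple[str, ...] = ()    # e.g. ("new_payee", "geo_mismatch"); assumed labels


@dataclass
class ExemptionEngine:
    reference_fraud_rate: float    # PSP's fraud rate for remote payments, in percent
    risk_score_limit: int = 30     # assumed: scores above this never get an exemption
    since_last_sca: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def tra_limit(self) -> float:
        """Highest Article 18 amount this PSP may exempt at its current fraud rate."""
        allowed = [amt for amt, rate in TRA_THRESHOLDS if self.reference_fraud_rate <= rate]
        return max(allowed, default=0.0)

    def decide(self, p: Payment) -> str:
        """Return 'low_value', 'tra' or 'sca_required' for one payment."""
        # Step 2 (transaction monitoring): anomalies or a high score end the exemption check
        if p.anomalies or p.risk_score > self.risk_score_limit:
            return self._require_sca(p)
        # Step 3 (exemptions): Article 16 first, then Article 18
        total, count = self.since_last_sca.get(p.payer_id, (0.0, 0))
        if (p.amount_eur <= LOW_VALUE_SINGLE
                and total + p.amount_eur <= LOW_VALUE_CUMULATIVE
                and count + 1 <= LOW_VALUE_MAX_COUNT):
            self.since_last_sca[p.payer_id] = (total + p.amount_eur, count + 1)
            return "low_value"
        if p.amount_eur <= self.tra_limit():
            # TRA-exempted payments still count towards the Article 16 tallies
            self.since_last_sca[p.payer_id] = (total + p.amount_eur, count + 1)
            return "tra"
        return self._require_sca(p)

    def _require_sca(self, p: Payment) -> str:
        # Step 4: push-message SCA; the counters restart once SCA has been applied
        self.since_last_sca[p.payer_id] = (0.0, 0)
        return "sca_required"
```

The engine takes the conservative reading of Article 16 (both the cumulative amount and the count limit must hold), resets the counters whenever SCA is applied, and treats any anomaly flag as an automatic SCA requirement, so the ordering matches the slide: risk analysis first, exemptions second, SCA as the default.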
API Gateway
Lightweight API gateway with batteries included

Unlike overambitious API gateways, it implements the essential set of API gateway capabilities:
→ Reverse proxy
→ Traffic control with request rate limiting and request size limiting
→ API access protection with JWT, OAuth2 token validation
→ OWASP Top 10 security hardening
→ Logging
→ Health endpoint for SLA monitoring
→ Chargeable activity records for monetization

Unlike generic DIY gateways, comes with PSD2 specific plugins:
→ BG API proxy endpoints, hypermedia and header handling
→ SCA integration, flow and exemption rule handling
→ TPP authentication with QWAC based mutual TLS
→ Message signing and validation with eIDAS QSEAL certificates
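As an added example of the "essential set" listed above (this is illustration code, not the product's gateway), here is a minimal request-policy chain in Python: request size limiting, a fixed-window rate limit per TPP client, and validation of the OAuth2 access token presented as a JWT. The HS256 shared secret, the limits, the `ais` scope name and the client identifiers are constructed for the example; a production gateway would validate asymmetrically signed tokens from its authorization server and would sit behind the QWAC-based mutual TLS described above.

```python
"""Minimal API gateway policy chain: size limit, rate limit, JWT validation.

Added example, not Asseco's gateway code. HS256 with a shared secret is used
only to keep the example dependency-free; the limits, scope name and client
identifiers are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_BODY_BYTES = 64 * 1024          # assumed request size limit
RATE_LIMIT_PER_MINUTE = 60          # assumed per-client quota
SECRET = b"example-shared-secret"   # constructed; a real gateway uses the AS's public key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the OAuth2 authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when signature, algorithm and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # malformed base64, UTF-8 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                         # reject "none" and algorithm confusion
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Gateway:
    """Applies the policies in order; the first failing policy short-circuits."""
    window_start: dict = field(default_factory=dict)   # client id -> window start time
    counters: dict = field(default_factory=dict)       # client id -> requests in window

    def _rate_limited(self, client_id: str, now: float) -> bool:
        # Fixed one-minute window per client; enough to illustrate the policy
        start = self.window_start.get(client_id, now)
        if now - start >= 60:
            start, self.counters[client_id] = now, 0
        self.window_start[client_id] = start
        self.counters[client_id] = self.counters.get(client_id, 0) + 1
        return self.counters[client_id] > RATE_LIMIT_PER_MINUTE

    def handle(self, client_id: str, token: str, body: bytes,
               now: Optional[float] = None) -> Tuple[int, str]:
        """Return (HTTP status, reason) for one inbound TPP request."""
        now = time.time() if now is None else now
        if len(body) > MAX_BODY_BYTES:
            return 413, "payload too large"
        if self._rate_limited(client_id, now):
            return 429, "rate limit exceeded"
        claims = verify_jwt(token, now=now)
        if claims is None:
            return 401, "invalid or expired token"
        if "ais" not in claims.get("scope", "").split():   # assumed scope name
            return 403, "scope does not permit account access"
        return 200, "forwarded to core connector"
```

The order of the policies is deliberate: the cheap checks (size, rate) run before any cryptography, so an abusive client cannot make the gateway spend signature verifications on traffic it would reject anyway, and the algorithm is pinned before the signature is compared.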
Identity & Access
Managing user’s consent to TPP applications

• OAuth2 and OpenID Connect protocol endpoints
• Provide customers with total control in giving and revoking consents for access to their accounts
• Store customer identity, consent and policy data
• Password credential management flows
• Linking of 2nd factor credentials
• Enrolment of TPP client applications
API Sandbox
Testing facility for TPP developers

• Pre-configured endpoints according to Berlin Group specification
• Preloaded set of customers and their accounts data
• CBS simulator for payment transactions and accounts
• Comprehensive test cases as Postman collections
• Hosted on cloud or on-premise
API Developer Portal
Self-service environment for TPP developers

• Lean set of features that implement the capabilities essential for PSD2:
→ Documentation content that follows Berlin Group implementation guidelines
→ API catalogue explorer
→ Interactive API console
→ TPP onboarding and self-service
→ OAS 2 (Swagger) API descriptions
Core Banking Connectors
Reduces effort to connect Berlin Group API endpoints to CBS

• Connector kit for WSO2 ESB:
→ Simple integration calls thanks to challenges solved by API gateway
→ Fully implemented integration flows for all APIs that call into simulated core banking stored procedures
→ Integration development service from ASEE
• Pre-built connectors for 3 ASEE core systems
2nd Factor Authentication
Flexibility to authenticate across channels and devices

• Vendor independent, no vendor lock in
• Smooth integration or migration from any hardware token or SMS/OTP pool
• Admin and customer self-management
• Support for a variety of hardware and software authentication methods: hardware tokens, EMV card + PCR, mobile token, display card, SMS OTP
Mobile Token
Minimize friction in a compliant manner

• Push message and QR code authentication and transaction signing for reduced friction
• What you see is what you sign
• Mobile SDK for iOS and Android
• Cloning protection
• White label branding
• RASP for separate execution environment, detection of altered software*
* Android from May, iOS from July release
Fraud Monitoring
Holistic monitoring and prevention with proven fraud detection solution

• Monitoring authentications, transactions and account activity across channels
• High performance engine for real-time risk analysis and transaction scoring
• Risk factors include geolocation, malware, known fraud
• Preloaded with 30+ well-known fraud scenarios
• Monitoring of disputed transactions
• Reporting according to EBA guidelines

Delivery approach
Predefined interfaces to speed up integration
(Diagram: the Asseco PSD2 Enabler components Identity & Access, API Gateway, API Sandbox, Strong Authentication, Core Connector, Fraud Monitoring, Developer Portal and Mobile Token SDK, connected to the bank’s Core Banking, Online banking, Mobile banking and Multichannel systems, to Central Log Management, and to Developers and AISP, PISP, PIISP Applications through the numbered interfaces below.)

1. BG API test endpoints
2. BG API production endpoints
3. OAuth2 API endpoints
4. SCA API endpoints
5. Fraud event and profile ingestion
6. Core connector integration
7. Logging feeds
8. Mobile token SDK for iOS & Android
10 Steps to Deliver Turnkey Solution

❶ Discover bank’s specific needs
❷ Verify API Security
❸ Tailor API definitions
❹ Develop Integrations
❺ Setup InACT
❻ Setup DE Hub
❼ Setup SxS
❽ Perform E2E testing
❾ Perform pen testing
❿ Go Live

• Proven products, resources and the know-how to deliver the turnkey solution.
• Compliant and ready for open banking, quick, cost effective and future proof.

Budget estimates:
Effort: 150-200 md
Duration: 3-6 m
Benefits of Asseco PSD2 Enabler
Comprehensive pre-integrated solution for PSD2

Full compliance with relevant PSD2 requirements
Lower cost of compliance
Less risk in integrations
Less risk in vendor management
Lower effort
Shorter implementation
(Diagram of the eight components: Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector, Fraud Monitoring.)

Schedule your free consulting session and get a complimentary PSD2 Regulatory Guidance paper!
Aleksandar Milošević ([email protected])
Nikolay Dramov ([email protected])
Legal disclaimer
The content presented in this presentation is subject to copyright protection and has the ownership title. Texts, graphics, photographs, sound, animations and videos as well as their distribution in the presentation are protected under the Copyright and related rights Law. Unauthorized use of any material contained in the presentation herein may constitute an infringement of copyright, trademark or other laws. The materials in this presentation may not be modified, copied, publicly presented, executed, distributed or used for any other public or commercial purposes, unless the Board of Asseco SEE S.A. gives consent in writing. Copying for any purpose, including commercial use, distribution, modification or acquisition of the contents of this presentation by third parties is prohibited. Moreover, this presentation may contain reference to third-party offers and services. Terms of use for such offers and services are defined by these entities.
Asseco SEE S.A. assumes no responsibility for the conditions, contents and effects of the use of offers and services of these entities. The data and information contained in this presentation are for information purposes only. Presentation was prepared with the use of Inscale company products.
The name and logo of Asseco SEE S.A. are registered trademarks. Use of these marks requires prior express agreement of Asseco SEE S.A.
2018 © Asseco SEE SA