
Page 1: Pragmatic PSD2 - Capital3 •Responsible for oversight of architecture and standardization in Asseco SEE •Member of architecture comitee and API WG of BIAN •Contributed to Berlin
Page 2: Pragmatic PSD2

Solving the Compliance Puzzle in a Cost Effective Manner

Aleksandar Milošević, Chief Software Architect, Asseco SEE

Finance Tech Forum, April 12th 2018, Sofia

Page 3: About me

• Responsible for oversight of architecture and standardization in Asseco SEE

• Member of architecture committee and API WG of BIAN

• Contributed to Berlin Group specification in market comments phase

• Familiar with details of PSD2 Directive, EBA RTS, BG Implementation Guidelines, UK Open Banking specification, OAuth2, OIDC protocols

• Designed or contributed to hundreds of banking APIs

• Currently writing an e-Book that attempts to demystify PSD2 in technical terms

Page 4: PSD2 Compliance in a Nutshell

The New Rules for TPP (Fintech or another bank) to Access Customer’s Accounts

[Diagram: three-step flow between Customer, TPP and Bank. STEP ❶ Customer grants TPP access to his/her bank account. STEP ❷ TPP asks bank to access customer’s account(s). STEP ❸ Bank provides Fintech access to customer’s account(s), through either a dedicated 3rd party interface or an adapted customer interface (bank’s choice). The TPP then executes customer’s orders: makes payments, aggregates account data, gives overview of finances. Arrows are annotated SCA (strong customer authentication) and CSC (common and secure communication).]

Page 5: PSD2 impact – What is affected?

Disruption disguised as a regulation

Impacts on bank’s business

• Compliance costs

• Loss of card transaction fees

• Loss of quality customer interactions

• Staying relevant for customers

• Digital transformation

Impact on IT systems

• SCA with self-service channels

• Exposing API for TPP access

• Providing sandbox for TPPs

• Monitoring and keeping SLAs

• Reporting fraud and incidents

• AISP and PISP solution

• Solutions for digital transformation

[Diagram label: PSD2++]

Page 6: PSD2 Regulatory Timeline

Countdown to PSD2

[Timeline, reconstructed from the slide’s labels:]

• EC publishes PSD2 proposals

• Jan-16: PSD2 comes into force in Europe

• Aug-16: Discussion RTS paper published

• Feb-17: Final draft RTS paper published

• Jan-18: PSD2 in national laws

• Mar-18: RTS adopted by EC

• TODAY (April 2018)

• May-18: ETSI TS 119 495 published

• Mar-19: Testing facility available

• ?: Banks ready for testing

• Jun-19: Dedicated interface available

• Sep-19: RTS application in force

The slide marks an 18-month gap (Mar-18 to Sep-19), a 6-month gap (Mar-19 to Sep-19) and a 3-month gap (Jun-19 to Sep-19).

Page 7: Requirement Areas of PSD2

• SCA

→ Exemptions

→ Confidentiality and integrity of credentials

→ Dynamic linking

→ Independence of the elements

• TMM

→ Transaction monitoring

→ Transaction risk analysis

→ Fraud reporting

• API for AIS, PIS, FCS

→ Testing facility

→ Documentation

→ SLA monitoring

→ Explicit consent

• Common and secure communication

→ Mutual TLS

→ eIDAS compliant certificates

→ Tracing

Page 8: Berlin Group Emerging as Broadly Supported PSD2 Standard

Page 9: Berlin Group Specification

• BG API endpoints

→ Consent management

→ Errors

→ Hypermedia links

→ Headers

• SCA flows

→ Redirect

→ Embedded

→ Decoupled

→ OAuth2

• Products and formats

→ SEPA, SEPA ICT

→ Local: BISERA & RINGS

→ JSON, ISO20022 XML

• Security

→ Mutual TLS

→ HTTP signing

→ eIDAS certificates

Page 10: Overkill [oh-ver-kil]

noun

1. An excess of something beyond what is required or suitable for a given purpose.

Example: "So, Bob, are you ready to tear down that fence?" "Yeah, Chuck, the plastic explosives are all wired up!" "Wait a minute Bob, isn’t that an overkill?"

PSD2 example: "So, Bob, are you ready to expose those 7 API endpoints for PSD2 XS2A?" "Yeah, Chuck, the API Management platform is getting all wired up!" "Wait a minute Bob, isn’t that an overkill?"

Page 11: Don’t Fall for “API Management” Marketing

"The Hold ring is for things that are getting attention in the industry, but we don't think are ready for use. Sometimes this is because we don't think they're mature enough yet: sometimes it means we think they're irredeemably flawed. We don't have an "avoid" ring, but we do throw things in the Hold ring that we wish our clients wouldn't use."

Proceed with caution

Page 12: Beyond compliance – Asseco PSD2 Enabler

Asseco PSD2 Enabler Solution: 8 key components to meet key requirements, plus 4 to go beyond compliance

[Diagram: the 8 key components are Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring; the 4 beyond-compliance components are xSP Module, Asseco APIs, Mobile Banking and Web Banking.]

Page 13: Covering Key PSD2 Requirements

[Table: requirement vs. covering component; the component column headers did not survive extraction, one ✔ per covering component.]

• Dedicated interface for AIS, PIS, FCS ✔ ✔

• Explicit consent ✔

• Common and secure communication – mutual TLS, eIDAS ✔

• SCA exemptions ✔

• SCA – confidentiality and integrity of credentials ✔ ✔ ✔

• SCA – dynamic linking, independence of the elements ✔ ✔

• Transaction monitoring ✔

• Transaction risk analysis ✔

• Fraud reporting ✔

• Testing facility ✔

• Documentation ✔

• SLA monitoring ✔ ✔

Page 14: DEMO

Page 15: AISP Consent Authorization – How components work together?

[Diagram: Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring, with the numbered steps placed on the components involved.]

❶ AISP initiates consent authorization

❷ User authenticates against directory

❸ User selects account to authorize

❹ User views consent details

❺ User confirms consent with push message

Page 16: PISP Payment Initiation – How components work together?

[Diagram: Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring, with the numbered steps placed on the components involved.]

❶ PISP initiates payment

❷ Transaction monitoring analyses risk

❸ SCA exemptions check

❹ User confirms payment with push message SCA

❺ Core connector initiates payment and returns status

Page 17: API Gateway

Lightweight API gateway with batteries included

Unlike overambitious API gateways, it implements the essential set of API gateway capabilities:

→ Reverse proxy

→ Traffic control with request rate limiting and request size limiting

→ API access protection with JWT, OAuth2 token validation

→ OWASP Top 10 security hardening

→ Logging

→ Health endpoint for SLA monitoring

→ Chargeable activity records for monetization

Page 18: API Gateway

Lightweight API gateway with batteries included

Unlike generic DIY gateways, it comes with PSD2 specific plugins:

→ BG API proxy endpoints, hypermedia and header handling

→ SCA integration, flow and exemption rule handling

→ TPP authentication with QWAC based mutual TLS

→ Message signing and validation with eIDAS QSEAL certificates

Page 19: Identity & Access

Managing user’s consent to TPP applications

• OAuth2 and OpenID Connect protocol endpoints

• Provide customers with total control in giving and revoking consents for access to their accounts

• Store customer identity, consent and policy data

• Password credential management flows

• Linking of 2nd factor credentials

• Enrolment of TPP client applications

Page 20: API Sandbox

Testing facility for TPP developers

• Pre-configured endpoints according to Berlin Group specification

• Preloaded set of customers and their accounts data

• CBS simulator for payment transactions and accounts

• Comprehensive test cases as Postman collections

• Hosted on cloud or on-premise

Page 21: API Developer Portal

Self-service environment for TPP developers

• Lean set of features that implement the capabilities essential for PSD2:

→ Documentation content that follows Berlin Group implementation guidelines

→ API catalogue explorer

→ Interactive API console

→ TPP onboarding and self-service

→ OAS 2 (Swagger) API descriptions

Page 22: Core Banking Connectors

Reduces effort to connect Berlin Group API endpoints to CBS

• Connector kit for WSO2 ESB:

→ Simple integration calls thanks to challenges solved by API gateway

→ Fully implemented integration flows for all APIs that call into simulated core banking stored procedures

→ Integration development service from ASEE

• Pre-built connectors for 3 ASEE core systems

Page 23: 2nd Factor Authentication

Flexibility to authenticate across channels and devices

• Vendor independent, no vendor lock in

• Smooth integration or migration from any hardware token or SMS/OTP pool

• Admin and customer self-management

• Support for variety of hardware and software authentication methods

[Pictured methods: Hardware tokens, EMV card + PCR, Mobile token, Display card, SMS OTP]

Page 24: Mobile Token

Minimize friction in compliant manner

• Push message and QR code authentication and transaction signing for reduced friction

• What you see is what you sign

• Mobile SDK for iOS and Android

• Cloning protection

• White label branding

• RASP for separate execution environment, detection of altered software*

* Android from May, iOS from July release

Page 25: Fraud Monitoring

Holistic monitoring and prevention with proven fraud detection solution

• Monitoring authentications, transactions and account activity across channels

• High performance engine for real-time risk analysis and transaction scoring

• Risk factors include geolocation, malware, known fraud

• Preloaded with 30+ well-known fraud scenarios

• Monitoring of disputed transactions

• Reporting according to EBA guidelines

Page 26: Delivery approach

Page 27: Predefined interfaces to speed up integration

[Diagram: Asseco PSD2 Enabler components (Identity & Access, API Gateway, API Sandbox, Strong Authentication, Core Connector, Fraud Monitoring, Developer Portal, Mobile Token SDK) and their numbered interfaces to the bank’s Core Banking, Online banking, Mobile banking, Multichannel and Central Log Management systems, to Developers and to AISP, PISP, PIISP Applications.]

1. BG API test endpoints

2. BG API production endpoints

3. OAuth2 API endpoints

4. SCA API endpoints

5. Fraud event and profile ingestion

6. Core connector integration

7. Logging feeds

8. Mobile token SDK for iOS & Android

Page 28: 10 Steps to Deliver Turnkey Solution

❶ Discover bank’s specific needs

❷ Verify API Security

❸ Tailor API definitions

❹ Develop Integrations

❺ Setup InACT

❻ Setup DE Hub

❼ Setup SxS

❽ Perform E2E testing

❾ Perform pen testing

❿ Go Live

• Proven products, resources and the know-how to deliver the turnkey solution.

• Compliant and ready for open banking, quick, cost effective and future proof.

Budget estimates:

Effort: 150-200 md (man-days)

Duration: 3-6 months

Page 29: Benefits of Asseco PSD2 Enabler

Comprehensive pre-integrated solution for PSD2

• Full compliance with relevant PSD2 requirements

• Lower cost of compliance

• Less risk in integrations

• Less risk in vendor management

• Lower effort

• Shorter implementation

[Diagram: the eight components Identity & Access, Developer Portal, API Gateway, API Sandbox, Strong Authentication, Mobile Token, Core Connector and Fraud Monitoring.]

Page 30: Schedule your free consulting session and get a complimentary PSD2 Regulatory Guidance paper!

Aleksandar Milošević ([email protected])

Nikolay Dramov ([email protected])


Page 32: Legal disclaimer

The content presented in this presentation is subject to copyright protection and has the ownership title. Texts, graphics, photographs, sound, animations and videos as well as their distribution in the presentation are protected under the Copyright and related rights Law. Unauthorized use of any material contained in the presentation herein may constitute an infringement of copyright, trademark or other laws. The materials in this presentation may not be modified, copied, publicly presented, executed, distributed or used for any other public or commercial purposes, unless the Board of Asseco SEE S.A. gives consent in writing. Copying for any purpose, including commercial use, distribution, modification or acquisition of the contents of this presentation by third parties is prohibited. Moreover, this presentation may contain reference to third-party offers and services. Terms of use for such offers and services are defined by these entities.

Asseco SEE S.A. assumes no responsibility for the conditions, contents and effects of the use of offers and services of these entities. The data and information contained in this presentation are for information purposes only. Presentation was prepared with the use of Inscale company products.

The name and logo of Asseco SEE S.A. are registered trademarks. Use of these marks requires prior express agreement of Asseco SEE S.A.

2018 © Asseco SEE SA