These new Third Party Players (TPP) can provide the following key services:
1. Payment Initiation Service Providers (PISP). PISPs may initiate a payment transaction directly from the customer's bank account.
2. Account Information Service Providers (AISP). AISPs consolidate the customer's account and transaction details from multiple banks in one portal.

In order to enable these services, EBA mandates the conventional banks to open up their customer database and allow these new TPP to access it via APIs.

EBA has also provided a limited customer liability clause under the PSD2 directive, wherein the customer's liability in case of a fraudulent transaction is limited to only EUR 50.

EBA presented the draft directive to the European Commission (EC) for approval in Jun, 2017. Once this is approved by EC, banks have 18 months to implement the provisions of the directive, most probably by Mar, 2019.

2. India: Limited Customer Liability

In an effort to keep electronic payments safe from fraud, the Reserve Bank of India (RBI) has ushered in zero liability and limited liability concepts for Indian banking customers (Jul, 2017). Under this act, RBI has put the responsibility on the banks to put in place systems and procedures for reporting unauthorized transactions, identifying customer liability, and monitoring liabilities arising out of such situations. As per this regulation, RBI has also advised the banks to set up real-time fraud detection and prevention mechanisms for payment transactions.

RBI has brought various financial institutions under the ambit of this regulation, including commercial banks, small finance banks, and payments banks. It is applicable to all electronic transactions, viz. remote transactions (online banking, mobile banking) and face-to-face or proximity transactions like ATM and POS. The regulation covers CASA, debit/credit cards, overdraft accounts and prepaid instruments.

As per the resolution, banks shall put in place processes to log customer disputes, handle reversals, and resolve cases reported by the customers.

3. India: Security and Risk Mitigation Measures for Electronic Payment Transactions

In Feb, 2013, the Reserve Bank of India (RBI) released guidelines to be followed by the banks in order to bring additional security measures into the card and electronic payment ecosystem in India. These guidelines introduce certain minimum checks and balances in order to minimize the impact of unpredictable cyber-attacks and to arrest/minimize the damage.

The regulation covers the two major tenets of digital transactions at that time, viz. card transactions via ATM/POS and internet banking transactions. All scheduled commercial, co-operative, and card payment networks are part of this regulation. Products covered under the ambit of the regulation include debit/credit cards and electronic payment services, viz. RTGS, NEFT, and IMPS.

Guidelines regarding card-present transactions include providing EMV chip-and-PIN enabled cards, international usage threshold limits, PCI-DSS compliance for the terminals, etc. However, the emphasis was on framing rules/scenarios for fraud prevention based on card usage patterns. RBI also advised the banks to start moving towards a real-time fraud monitoring system.

RBI also nudged the banks to explore the feasibility of implementing risk-based authentication technologies for advanced fraud prevention.

4. Europe: Security of Internet Payments

In Dec, 2014, the European Banking Authority (EBA) published guidelines on the security of internet payments, which set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by Aug, 2015. With increasing fraud levels on card internet payments over the last years, the EBA felt a regulatory response was necessary while waiting for the PSD2, which aims at creating more secure and competitive rules for payments in the EU.

These EBA guidelines specifically require that Payment Service Providers carry out Strong Customer Authentication (SCA) in order to verify the customer's identity before proceeding with an online payment. SCA is defined as two-factor authentication based on the combination of elements of knowledge, possession and/or inherence. They also require the use of one-time passwords.

The guidelines also focus on the clear protection of customer data, risk assessment documentation, risk mitigation policies, incident monitoring and reporting, session security management, etc.

The guidelines also mandate acquiring PSPs to have fraud detection and prevention systems in place to monitor merchant activities. They also focus on real-time decisioning with stringent SLAs in order to prevent undue delay in the payment execution.