Protect and Detect

Staying Ahead of Payments Regulations, Sanctions, and Fraud

Regulators are busy laying the groundwork for wholesale payments to become faster, cheaper, and more transparent. With the roll-out of ISO 20022, PSD3 on the horizon, SEPA Instant Payments becoming mandatory, and the UK’s New Payments Architecture replacing Faster Payments and eventually BACS, European treasury teams are facing significant change. Meanwhile, corporate sanctions management remains in one of its most complex phases from the past decade. And fraud prevention continues to be a critical concern, as fraudsters evolve at least as quickly as the safeguards developed to keep them out. Here, three specialists from NatWest examine the essential payments developments for treasury teams to prepare for.

Nothing is certain but death and taxes – or so the saying goes. But regulation could arguably be added to the list, especially in the world of payments. As innovation continues to hot up, with everything from variable recurring payments to CBDCs in the spotlight, regulators are working hard to ensure the framework around payments matches the pace and direction in which the industry is travelling. And always with an eye on balancing consumer and business protection against commercial needs, economic drivers, and competitive innovations.

But payments regulation isn’t always a case of playing catch-up with tech and behavioural trends. In fact, PSD2 (and the corresponding UK Payment Services Regulations – PSRs) was the catalyst for arguably one of the most significant shifts in the payments arena in recent times – open banking. Today, discussions are happening around PSD3, and the latest developments will inevitably impact corporate treasury teams.

David Malley, Product Development & Innovation, Payments Centre of Excellence, NatWest, outlines: “In May 2022 the European Commission [EC] issued a public consultation to gather evidence for its review of PSD2. Then, in February 2023, the EC presented a study on the application and impact of PSD2. This outlines whether the objectives of the original directive have been met and explores what improvements should be made in the next iteration. And in the UK, HM Treasury has been asking similar questions through its ‘Call for Evidence’ on the PSRs.”

Then, in late June, the European Commission published its legislative proposal for PSD3^[1], it does give a clear indication of the direction of travel. According to Malley, the key areas of focus relevant to corporate treasury teams are:

1. Open banking and the transition to open finance
2. Strong customer authentication requirements – and striking the right balance
3. Combatting fraud more effectively

Open banking turns up a level

The open banking story is often cited as a slow burn, certainly in mainland Europe. After several years of usage, 2021 stats showed that less than 5%^[2] of consumers in the EU were leveraging open banking. But the UK surpassed seven million^[3] users for the first time in January 2023, indicating an ongoing growth trend (see box 1).

Malley believes that EU adoption could be increased much further, and more rapidly, with the simplification that PSD3 promises. He explains: “There is broad recognition that the PSD2 provisions on access to accounts were effective in opening up the market, doing what was always intended in terms of authorised third-party access to information or payment initiation.”

But, without doubt, open banking can be improved and expanded, he believes. “Some of the open banking requirements under PSD2 are contradictory, particularly where they interface with strong customer authentication [SCA]. There is some welcome clarification under PSD3 and we hope that any future changes to the UK PSRs will simplify the regimen.”

Elsewhere, Malley also sees a need for the development of more standards around APIs, which are one of the core technologies underpinning open banking. In fact, APIs already enable users to easily trigger single payments and create mandates for variable recurring payments (VRPs). Open APIs have also already empowered A2A payments by removing the barriers of fragmented legacy rails and introducing pay-by-bank capabilities. And as open banking evolves into open finance, enabling a much broader range of data to be shared and creating opportunities for more tailored financial offerings^[4], more APIs will enter the mix, hence the growing need for standardisation.

Although the final text, and indeed timeline of PSD3 is still to be determined, corporate treasurers should benefit from the clarification, evolution, and standardisation that is anticipated around open banking. Malley elaborates: “In terms of collecting payments, improvements to open banking will ensure that PISP [payment initiation service provider] payments are truly competitive. This should then give treasurers some leverage in their negotiations with card providers, for example. More innovative financial solutions should also be able to be plugged directly into bank and corporate systems, thanks to standardised APIs.”

Improving strong customer authentication

The second pillar likely to be addressed under PSD3, SCA (see box 2 for a refresher), also faces some current challenges, despite its effectiveness.

Malley comments: “In both the UK and EU, many market participants would likely say that the SCA requirements, while well-intentioned, are probably over-prescriptive by insisting on two-factor authentication.”

Indeed, Malley believes that “SCA can even be considered counterproductive in some situations, especially when we have new tools to predict and prevent fraud, with a focus on risk analysis. The hope is that future developments will place more of an emphasis on outcomes rather than prescriptive factors”.

Avani Patel, Head of Commercial Banking, Fraud Management, NatWest, adds that: “SCA has helped to reduce fraud losses and even eliminate certain forms of attack, but threats keep evolving and the key challenge is to find an optimum balance between the security of the journey and the user experience as PSD3 progresses.”

Fraud prevention

The third pillar Malley sees as being critical to PSD3 and the PSRs’ review is fraud – with a focus on making electronic payments safer. He says: “There are various ways to achieve this, but in the UK, HM Treasury is certainly looking at slowing down certain high-risk consumer payments as a means to introduce ‘good’ friction and enable thorough checking. Of course, we support good friction, but it has to be sparingly used.”

Fraud prevention is a particular focus for regulators given the rise of authorised push payment (APP) scams, linked to the rise of real-time payments – which are irrevocable – and evolving technology, says Patel. She comments: “APP scams happen when a person or business is tricked into sending money to a fraudster posing as a genuine payee. The criminal might pretend to be from the payer’s bank, a government entity, a utility company, or housing conveyancer, for example. Often there is a time-sensitive element to the request, and the fraudster will say that money needs to be moved ASAP, putting pressure on the payer.”

In the UK alone in 2022 there were 207,372 incidents of APP fraud with gross losses of £485.2m^[5].

“Among the tools and services UK banks offer to help fight APP fraud and reduce misdirected payments are confirmation of payee [CoP] and request to pay,” says Patel. “As David mentioned, it is also about introducing ‘good’ friction into the payment process in order to allow time to determine that a payment is ‘right’ – and we are likely to see more focus from regulators on this in the future.”

All hail ISO 20022

Alongside PSD3 and the reviewed PSRs, one initiative that will help to reduce fraud through the standardisation of payments and the proliferation of rich data is ISO 20022 XML. Malley comments: “As all treasurers will know by now, SWIFT’s ISO 20022 migration will drive better quality of outgoing messaging and ultimately improve cross-border payments and reporting.”

Although the majority of ISO 20022 work and benefits will fall on financial institutions, corporates will ultimately benefit from enriched data, believes Malley. “With improved data, as well as tracking and tracing capabilities, corporates may find themselves able to more accurately project inbound and outbound flows, in turn helping to optimise working capital. Structured remittance data should also lead to improved reconciliation and enable further automation in workflows. These are just two examples, but more use cases will become evident as the ISO migration takes hold.”

NPA and ISO

It is no surprise, then, that one of the tenets of the UK’s New Payments Architecture (NPA) is to adopt ISO 20022 as soon as possible – as a means of keeping the UK at the forefront of payments innovation. The NPA will replace the existing UK Faster Payments scheme and lays out the framework for a replacement to the BACS scheme, in time. And in April 2023, the NPA certification-testing window opened for all interested financial institutions.

Malley adds: “It’s now expected that NPA will replace Faster Payments in 2026. And Pay.UK is targeting 2028 for the BACS replacement.” In the meantime, there will be a consultation later this year on how BACS should move across to NPA. “This is something I urge corporate treasurers and their payables departments to look out for because it could be quite a significant change – certainly beneficial but it needs to happen in a measured way that corporates are prepared for.”

At the same time, the UK has been looking to build more innovative elements into its real-time gross settlement (RTGS) engine. The UK RTGS Roadmap 2024, issued by the Bank of England (BoE) in February 2023, will see the service gradually extending its hours of operation, in a phased approach, perhaps ultimately moving to 24/7 says Malley – although this will present many challenges and is a long way off.

“The roadmap also outlines plans for a new channel to send and receive payments alongside the SWIFT network. This includes considerations about providing a common contingency messaging channel – a solution available to all participants, including a protocol and an infrastructure for data transfer.”

In addition, the consultation also outlined a new approach to CBDCs and the wholesale market, which the BoE sees as being fulfilled through the RTGS, says Malley. “There is more focus on a retail CBDC at present in the UK. But the wholesale element is also important. And the key is how you can synchronise settlement so that the payment and asset exchange happen simultaneously.”

Meanwhile, in Europe, the European Commission published proposals for the regulation of a digital euro in June. And there is more progress being made in the wholesale CBDC conversation in mainland Europe than the UK, with pilots happening in France and Switzerland, for example. Malley believes this could have potential impacts for treasurers in terms of the future of payments (see section 6 of this report/this associated article for more detail on CBDCs and how treasurers can prepare).

SEPA Instant becomes mandatory

Just as the UK is revisiting its instant payment mechanisms and engines, Europe is also revising its real-time payments landscape. “The European Commission has mandated that instant payments in euro must be available to all citizens and businesses holding a bank account in the EU and in EEA countries,” says Malley.

The proposal, which amends and modernises the 2012 regulation on the Single Euro Payments Area (SEPA), aims to ensure that instant payments in euro are affordable, secure, and processed without hindrance across the EU. This will rely on increasing trust in instant euro payments, with an obligation on providers to verify the match between the bank account number (IBAN) and the name of the beneficiary provided by the payer in order to alert the payer of a possible mistake or fraud before the payment is made^[6].

In addition, the proposal requires the removal of friction in the processing of instant euro payments, while preserving the effectiveness of screening of persons that are subject to EU sanctions (see box for the latest insight on sanctions screening), through a procedure whereby payment service providers (PSPs) will verify their clients against EU sanctions lists at least daily, instead of screening all transactions one by one^[7].

According to Malley, it is likely to be the end of 2024 before sending and receiving instant euro payments is mandatory for EU PSPs in the Eurozone (who offer their customers the sending and receiving of euro credit transfers) and the end of 2026 before they also become mandatory for EU PSPs outside the Eurozone. “While there is significant work to be done to implement the changes, we believe the shift from next-day transfers to transactions being completed ‘within ten seconds’ will be broadly beneficial for all involved, including treasury teams,” he observes.

Embracing the change

Summarising the shifts in the regulatory, fraud, and sanctions landscapes, Malley comments: “Change is the way of the world. Treasurers can no longer afford to live in the past or only look at what’s happening in the present. The future is being shaped today, and there are significant cash and risk management benefits to be had by being part of those conversations early on and seizing the opportunities on offer.”

Notes

1. Please note: the June proposals actually include several elements. Much of what was in PSD2 is proposed to be in a new Payments Services Regulation, while the Payment Services Directive itself focuses on authorisation of firms including for electronic money. In this article we refer to PSD3 for convenience. The legislative process still has a way to go.
2. https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_23_1819
3. https://www.openbanking.org.uk/news/uk-reaches-7-million-open-banking-users-milestone/
4. https://ec.europa.eu/commission/presscorner/detail/en/SPEECH_23_1819
5. https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps12-billion-stolen-through-fraud-in-2022-nearly-80-cent-app
6. https://ireland.representation.ec.europa.eu/news-and-events/news/european-commission-proposes-accelerate-rollout-instant-payments-euro-2022-10-26_en
7. https://ireland.representation.ec.europa.eu/news-and-events/news/european-commission-proposes-accelerate-rollout-instant-payments-euro-2022-10-26_en