This slide deck was used comprehensively discuss 'OpenBanking' based on PSD2 standard and touch on GDPR. Discuss the technologies to be used to cater for PSD2 requirements. Finally it looks at the Sri Lankan financial industry and how PSD2 concepts can be applied there.

1. The Role of IAM in Open Banking
&
Where Do We Stand?
Colombo IAM User Group - 2nd Meetup
Pushpalanka Jayawardhana
Financial Solutions Team - WSO2

2. “Banking is necessary; banks are not”
- (Bill Gates, 1990)

3. International Financial Industry
Concerns
➢Contribute to a more integrated and
efficient European payments market
➢Improve the level playing field for PSPs
(including new players)
➢Make payments safer and more secure
➢Online shopping without a credit card
➢Better protection against fraud
➢Help lower charges for consumers on
card payments

4. Ref : https://www.pcisecuritystandards.org/pdfs/webinar_100519pci_pts_3.0.pdf
Payment Card Industry Security Standards
For protection of cardholder payment data,

5. Payment Services Directive 2
EU Directive that applies to
all Banks operating in the EU
that regulates payment
services throughout the EU,
with a compliance deadline of
January 2018

6. Open Banking
1 : Possible central view
Banks expose their customer payment and account data, with customer consent, to
Third party Payment Providers (TPPs) via APIs.
TPP
PISP/AISP
Bank A
Bank B
Bank C
Merchant
Now PSD2
Bank A
Bank B
Bank C
Merchant

7. Open Banking
2 : No Involvement of Card Network
7
➢ Less hops
➢ Lower fees for transactions
➢ Easy to track the path

8. Aggregated View of Accounts (AISP
Flow)

9. Payment Flow (PISP)
Credits to Dinosoft Labs from Noun Project
Checkout
Item
Login Page
2 Factor Authentication
Customer Consent
Initiation
payment info
1
2
3
4
PISP
302
5
Token 6
Payment
Complete
7
Settlement

10. PSD2 Compliance Requirements
➢ API Specification
○ API Definitions
○ Secured API invocation
○ API Usage Monitoring
➢ Strong Customer Authentication
○ 2 Factor Authentication (SMSOTP, FIDO, Duo, MePin)
○ Adaptive Authentication
○ Consent Management
➢ Incident Reporting
○ Security Incident Reporting [Transactions affected,server downtime, Economic

11. Strong Customer Authentication
Ref : https://cdn-images-1.medium.com/max/1200/1*cqJ3MUF-vOG9IVTLOOQQTQ.gif

12. Ref : Accenture Payment Services & Accenture Technology Advisory, PSD2 & Open Banking Security and Fraud Impacts on Banks
Strong Customer Authentication Ctd..

13. Adaptive Authentication
➢ Authentication flow is defined by risk level
➢ PSD2 define several exemptions for SCA applications
○ Not to kill user experience for small transactions and bulk transactions
➢ Security level can be decided based on,
○ The amount of transaction
○ Time elapsed from previous SCA
○ Transaction patterns on user
○ Role of user - Cooperate or private

14. Consent Management
➢ Defined by PSD2 RTS on SCA and secure communication and GDPR
➢ Safeguard right of the user on personal data to,
○ be informed - Inform user of personal data collection
○ access - Validate information processing at any time
○ rectification - When user feels data is incomplete or accurate
○ restrict data processing - Just store, don’t process
○ data portability - Transfer data to another party
○ forgotten - Request removal of personal data
○ be notified on a data breach - Report to user within 72 hours

15. No Screen Scraping

16. Technology Requirements
“Draft Regulatory Technical Standards, explicitly mentions to be based on
known standards”
● User authentication (with SSO)
○ SAML 2.0
○ OpenID Connect
● Access delegation - OAuth 2.0
● Fine grained authorization - XACML
● Multifactor authentication - SMSOTP, FIDO, DUO, MePin
16

17. Ref : https://www.abe-eba.eu/downloads/knowledge-and-research/EBA_May2016_eAPWG_Understanding_the_business_relevance_of_Open_APIs_and_Open_Banking_for_banks.pdf
Other Standards
ISO 27001 - for information security management systems
ISO20022 - remove ambiguity in messages relevant to payments, securities, FX, Trade services & Cards

18. Inside Story - Open Banking

19. DEMO
With https://openbanking.wso2.com/

20. Open Banking: The opportunities
Bank A
Bank B
Bank C
Merchant Bank A
Consolidated
customer account and
payment info across
multiple Banks
TPPTPP

21. App Development

22. Ref : Deutsche Bank Global Transaction Banking - Payment Services Directive 2
1. One-leg Out – in EEA currency: EEA currency sent from the EEA to a non-EEA country
e.g. EUR payment from France to Sri Lanka
1. One-leg Out – in non-EEA currency: Non-EEA currency sent from the EEA to a non-EEA country
e.g. LKR payment from UK to Sri Lanka
1. One-leg in – in EEA currency: EEA currency payment sent from a non-EEA country to an EEA country
e.g. EUR payment from Sri Lanka to France
1. One-leg in – in non-EEA currency: Non-EEA currency sent from a non-EEA country to an EEA country
e.g. LKR payment from Sri Lanka to UK
PSD2 Impact
on Us

23. Banking Industry in Sri Lanka
➢ Sri Lanka Interbank Payment System (SLIPS)
○ Same day electronic fund transfer
○ Established in 2010, being first in South Asia
➢ LankaPay Common Electronic Fund Transfer Switch (CEFTS)
○ For real-time payments
○ Initiated in 2015
➢ JustPay - From LankaClear (pvt) Ltd
○ Applies 2FA
○ For real time retail payments under Rs. 10 000/=
○ Central Bank of Sri Lanka (CBSL) approved security standards
➢ Have already thought on AISP like applications
➢ Have the foundation of collaboration among banks in real time
JustPay© - http://www.lankaclear.com/product_service/42-overview

24. Ref : Accenture Payment Services & Accenture Technology Advisory, PSD2 & Open Banking Security and Fraud Impacts on Banks

25. Monetization of applications will be made
easy...

26. Q & A
Twitter : @Pushpalanka
LinkedIn : https://www.linkedin.com/in/pushpalanka/
WSO2 Open Banking : https://openbanking.wso2.com/

27. Thank You!