/ˈpeɪdɛntɪti/
The convergence of payments and identity, combining payment instrument verification with customer identification, in order to remotely link an electronic payment to a person's identity, usually to satisfy Anti-Money Laundering (AML) requirements, anti-fraud requirements, or both.
As a result of increasing regulatory convergence, online payment service providers (PSPs) and merchants are being required to satisfy an ever-growing and increasingly complex set of regulations.
In order to do business online and remain competitive, many merchants will need to be able both to identify customers remotely and to accept payments from the widest possible range of sources.
What is changing rapidly is the requirement to monitor customers on an ongoing, per-transaction basis, together with far more stringent AML rules and ever-lowering trigger and reporting thresholds.
For example, eMoney operators and prepaid card issuers will soon be required to KYC customers once a €250 'lifetime' aggregate is passed, rather than the annual thresholds of circa €2,500.
PSPs will need to authenticate all payment transactions, or themselves bear the cost of fraud on their network. It appears reasonably clear that this liability can no longer be shifted to the merchant by contract (as is presently the case). A merchant may, however, choose not to implement Strong Customer Authentication (SCA) if it accepts the liability itself (as is currently the case), provided that transactions fall below the payment threshold set in the second Payment Services Directive (PSD2).
The industry as a whole is seeing increasingly complex requirements come through very strongly in the European Supervisory Authorities' (ESAs) draft "Risk Factors" Guidelines, which provide the regulatory guidance for the 4th AML/CTF Directive. Additionally, the European Banking Authority's (EBA) 'Security of Internet Payments' Guidelines, which have now been given the force of EU-wide law through the passage of PSD2, raise further areas of obligation.
So what does it all mean for the payments industry and merchants?
A clear strategy will be required for all SEPA-based actors offering services in the payment chain, including:
- PSPs, which manage payment authentication across all merchants and all payment types. Whilst 3D Secure covers the major card schemes in Europe, it is not the only means now available under PSD2. As a general rule it does not cover eMandates or cards issued outside the SEPA, and it is not very helpful in returning a marketing ROI or improving customer conversion.
- Merchants, which will need to update their electronic verification processes to accommodate the transactional and ongoing requirements of the 4th Directive. This includes refreshing KYC on a regular basis, and not just at the point of original onboarding.
- eMoney and wallet providers, which need to ensure that customer onboarding, transaction authentication and transaction analysis are linked. SecuRe Pay requirements mean that cards will no longer be able to be onboarded to wallets using historic approaches such as the Apple Pay 'Green Path'.
- Tokenisation services, which will need to identify the customer remotely before tokens are issued remotely (i.e. PSP-driven card 'vaults' or tokenisation of merchants' customers' cards).
- Anyone meeting the compliance requirements of PSD2 and the 4th AML/CTF Directive whilst trying to devise means that do not impose additional friction on customers, or introduce new, fragmented and costly back-end systems.
- PSPs based in the UK, Gibraltar, Estonia and/or Slovakia, which may have relied on those jurisdictions' July 2015 opt-out from the EBA's Security of Internet Payments and Strong Customer Authentication guidelines until supporting legislation was in place. The subsequent passage of PSD2 in November 2015 has now provided the necessary legislative framework.
- PSPs and merchants located in other jurisdictions following the FATF legislative model, which face similar challenges as payment and AML regulations converge not just between sectors, but also between jurisdictions.
- And, of course, if your business currently relies on static or historic PII lookups in order to KYC customers, then you may wish to reconsider. According to IT Governance UK, over 485m PII records were exposed in 2015 alone. That may partly explain the reasoning behind the ESAs' draft 'Risk Factor' Guidelines in seeking dynamic approaches to KYC.
If you are a PSP or an AML-obligated merchant, the #iSignthis team would be delighted to discuss how #paydentity can help you solve these impending challenges, all via a single, straightforward integration.
Marc Bongers - Amsterdam
Chris Henry - London
Andrew Karantzis - Melbourne