Analysis of the European Commission Directive PSD2: Threat to States

Payment Services Directive PSD2
Comprehensive Analysis and Countermeasures


Before studying the material, it is recommended to familiarise yourself with the “cheat sheet” for the PSD2 directive, as well as the abridged version of this analysis. For ease of understanding the concept, the presentation style is figurative and colloquial. It is strongly recommended that this text be disseminated by all possible means, with a mandatory link to the source.

Payment Services Directive revised (PSD2)

On 13 January 2016, the second Payment Services Directive of the European Union – Revised Directive on Payment Services (PSD2) – came into force. Despite its name, this directive is not an incremental development of PSD1. On the contrary, it limits the possibilities of existing institutions and rigidly directs the development of the financial sector in one single direction.

The directive regulates payment services, key consumer rights, principles of interaction between market participants and lays the foundation for a completely new financial system in the sense that the old one is completely “terminated”.

A foundation is being created for excellent payment services that will greatly appeal to end consumers. In this universal consumer WOW! lies the power of this undoubtedly American plan to replace the outdated US Federal Reserve with “something” that does not yet have a name.

Below are some of the most relevant provisions of the document.
Provision No. 1

The Directive introduces new types of institutions into the regulatory perimeter – financial intermediaries. The new licences are not intended for the development of the old system, a new institutional hierarchy is being created – service providers are coming to the fore, and the system of contractual relations is being replaced by cybernetically enshrined rules of interaction established by law.

All this is grandiose, and yet banks are not affected by the Directive at all. By analogy with mobile operators, which with the rise of “messengers” have turned from service providers into teams of equipment maintenance technicians, further analysis makes it clear that banks are left with only one function – “vaults of money” – and nothing more. So, two new licences are being introduced:
First Licence:
Payment initiation service providers (PISPs) provide interfaces for making payments and act as intermediaries between the consumer and the holder of the funding source. PISPs are entitled to debit funds from ANY account in ANY financial institution without the latter’s consent.

It is worth mentioning a client who approached us a couple of years ago with a proposal to create a “browser extension” that would allow payments to be made anywhere with “one click”, without worrying about the account used, payment method or security – the system would choose everything itself and, in addition, protect its client from fraudsters, up to and including communication between the control service and the police.

This fantastically attractive idea had a problem – the system was NOT beneficial to all other service providers. Therefore, for its implementation, it was planned to start with the weakest and smallest providers and gradually entice larger players.

In this case, the Americans, as owners of the largest players, are coming from the other end and simply taking over everyone at once. A super-aggregator of all payment instruments will be created.
Second Licence:
Account information service providers (AISPs), at the behest of the customer, request information about the customer’s accounts (e.g., balance) from financial institutions and consolidate it in one place. The key words here are “at the behest of the customer” – such consent to the transfer of information may be included in any of the general offers that the end consumer usually signs without reading. For example, it may be included in the mobile phone offer, which the user sees when first turning on the phone and is forced to accept in order to continue working with the system.

Here it is interesting to ask why this separation into two licences – two different financial institutions – is required. The answer is simple: the 1st is incomplete without the 2nd, and the 2nd, in its most powerful form, through offers from technological IT companies such as Apple and Microsoft, will be available only to the Americans themselves.

Provision No. 2
The directive obliges financial organisations to provide information to financial intermediaries even without a separate agreement. Since financial intermediaries are purely IT companies, it can be said that the directive obliges “bankers” to hand over their main functions to “programmers”. As you know, it is impossible to compete with software companies on their own field, and on top of that the latter are given almost two years to prepare.

It is difficult to predict such processes, but the “reformatting” of financial sectors in individual states can be very fast. For the most technologically advanced countries, it can even be days (if not hours).
A possible extreme scenario: all clients are pre-onboarded, and the first versions of the financial intermediaries’ software have already been downloaded by users (clients). The parliament of the next country passes the law; ratification and publication follow. At 00:00 the client applications are activated. That’s it: the legal entities and individuals of the next state to implement the directive have entered the wonderful world in which any payment is made “at the touch of a button”, all payment cards have suddenly become universal, and the banks of this state at that same moment have become almost “nothing”.
At the beginning of 2017, unified standards for data exchange with financial intermediaries will be prepared, mandatory for application throughout the EU. In its worst form, IT control will be implemented as a requirement for everyone to use a single certification centre and a single root security certificate. It should be assumed that, since the root certificate must be held by some single corporation, the US Federal Reserve is currently deciding whether it will be Apple, Google or Microsoft (maybe ICANN, by the way). It is difficult to say. But the advantage obviously lies with Apple, because they have produced a lot of “hardware” (phones, computers), and “hardware” is “more root” and therefore more convenient for the forced implementation of a new standard.

Considering the above, it is logical to assume that there is a conspiracy between the owners of money – the US Federal Reserve and the owners of hardware – Apple. Together, their PSD2 directive makes them virtually invincible.

Provision No. 3
A pan-European register of organisations that have the status of payment institutions, as well as their agents, will be created in the European Union.

How this will be done is described in Provision No. 2, and even the “unrecorded grey gateways” serving the interests of shadow businesses will be included in this register – otherwise they simply will not be able to serve websites, which will all be tied to a common root certificate for the “financial concentration camp”.

Here, by the way, an interesting thing can happen: ideally, in order to “hook” ordinary Internet users onto the root certificate, access to the 13 root DNS servers (the basis of the Internet, owned by the American corporation ICANN) would also be granted only by certificate. Then whoever does not use the root certificate will not be able to use the Internet.

Quote from Wikipedia: since 2010, data integrity checking tools called DNS Security Extensions (DNSSEC) have been introduced into the DNS system. The transmitted data is not encrypted, but its authenticity is verified by cryptographic means. The implemented DANE standard ensures the transmission of reliable cryptographic information (certificates) by DNS.
Blimey, this whole process kicked off at least 6 years ago! More likely even earlier – back in the 70s when they were developing the IPv4 protocol. All they had to do was make the address length in the protocol 1 byte longer and this situation would’ve been impossible. We could have had thousands of root servers. But no, they *had* to make it exactly 13 servers, stick 9 of them in the US, and make the management company American. It’s just maths. It’s impossible to believe that the people who created the Internet(!) could have made such a blunder.
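The Wikipedia passage quoted above says only that DANE lets DNS carry “reliable cryptographic information (certificates)”. The following is an added example, not code from the article, showing the mechanism behind that sentence: a TLSA record (RFC 6698) holds either a certificate, its public key, or a digest of one of those, and the client compares what the server actually presents in the TLS handshake against the record. DNSSEC validation of the TLSA answer itself is assumed to have already succeeded and is out of scope. The “certificate” and “SubjectPublicKeyInfo” byte strings are constructed stand-ins; a real deployment passes the DER bytes of the server’s leaf certificate and of its SPKI, extracted with an ASN.1 parser.

```python
"""DANE/TLSA certificate matching (RFC 6698), added example (not the article's code).

A TLSA record answers the question "which certificate or key should this
server present?" independently of the web PKI. The client selects the
part of the presented certificate named by the record (whole certificate
or just its public key), optionally hashes it, and compares the result
with the association data published in DNS.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo (DER)
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse TLSA RDATA in wire format: three one-byte fields, then the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching = rdata[0], rdata[1], rdata[2]
    if usage > 3 or selector > 1 or matching > 2:
        raise ValueError("unassigned TLSA usage, selector or matching type")
    return TLSARecord(usage, selector, matching, bytes(rdata[3:]))


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the association data a certificate yields under the record's
    selector and matching type."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def build_tlsa_rdata(usage: int, selector: int, matching: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """What a zone operator publishes for a given certificate."""
    template = TLSARecord(usage, selector, matching, b"")
    return bytes([usage, selector, matching]) + association_data(template, cert_der, spki_der)


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Client-side check: does the presented certificate match this record?"""
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Decision for usage 3 (DANE-EE): accept the presented end-entity
    certificate if any DANE-EE record matches it. Records with other usages
    additionally require PKIX path validation, which is not modelled here."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)


# Constructed stand-ins (not real DER). RENEWED_CERT_DER models a certificate
# renewal that keeps the same key pair, so its SPKI bytes are unchanged.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes-v1"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info"
RENEWED_CERT_DER = b"constructed-certificate-der-bytes-v2"

# DANE-EE, SPKI selector, SHA-256: the usual "pin the key, not the cert" form.
SAMPLE_RDATA = build_tlsa_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)

if __name__ == "__main__":
    rec = parse_tlsa_rdata(SAMPLE_RDATA)
    print("record:", rec.usage, rec.selector, rec.matching, rec.data.hex())
    print("current cert accepted:", dane_ee_accepts([rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("renewed cert, same key accepted:", dane_ee_accepts([rec], RENEWED_CERT_DER, SAMPLE_SPKI_DER))
    print("foreign key accepted:", dane_ee_accepts([rec], SAMPLE_CERT_DER, b"different-key"))
```

The selector choice matters operationally: pinning the SubjectPublicKeyInfo (selector 1) survives routine certificate renewals that reuse the key pair, whereas pinning the whole certificate (selector 0) breaks on every renewal unless the zone is updated first. Either way, a record published in DNS is only as trustworthy as the DNSSEC chain that signed it.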
Digression into IT in the context of the DNS situation:
This is where the 13 root DNS servers of the Internet come into play, containing complete copies of the array of A-records for the entire planet. At the peak of the struggle, if the Russian Federation decides to disconnect from the new system, a fork will arise: if at least one of the 13 servers is located in our country, and if the array of IPv4 A-records of the RU zone is replicated from Russia to other DNS servers, then we will be able to save our cluster of the Internet and therefore our internal payment system. If not, we will lose even our own Internet, and the payment system along with it. Unfortunately, disconnection from European and American financial institutions and the cessation of international payments will occur in any case. The question is posed squarely.

Without going into details: if we do not have one of the 13, but do have other “root” DNS servers that store records only for the IPv6 protocol, then things are bad anyway, because the 6th version of the protocol was created for those “who did not have enough normal addresses”. Here the author greatly simplifies, but the general meaning is clear.

Provision No. 4
The Directive continues to allow the provision of payment services by “payment institutions” – a special category of organisations that are not banks.

Of course, the old institutions must be preserved for a transitional period, while the Americans build a pyramid of financial intermediaries (crushing everyone at once, as in the example with the browser add-on at the beginning of the article) and create endless(!) Fed liquidity for their own financial intermediary of intermediaries, uniting the “pay buttons” of all other financial intermediaries under a “single pay button”.

Prudential requirements for payment institutions will remain largely unchanged. The authorised capital is fixed at EUR 125,000 for payment institutions, EUR 20,000 for money transfer systems and EUR 50,000 for payment initiation services. Participants in the payment market are also subject to differentiated requirements for the minimum amount of own funds (capital).

Obviously, capitalisation and authorised capitals are left to a minimum on purpose – everyone should rush to integrate into the new rules and look for their place in this “Egyptian pyramid” – by accepting the rules of the game, the business masses themselves create the basis for the very top brick, which will appear at the optimal moment (by the way, such a moment lends itself to mathematical calculation and we can calculate it).

The limitations of the moment of appearance on the stage of the intermediary of intermediaries are obvious:
Bottom constraint: when the “IT people” agree.
Top constraint: the moment of emergence of the tops of too large alternative pyramids of financial intermediaries.

One of the options for combating the “something” being created is our own alternative top (intermediary of intermediaries) ahead of the curve. However, such a struggle will end with disconnection from the certificate, as mentioned above.

Nevertheless, this activity should still be carried out in order to create a false impression of our goals. In addition, in the event of the collapse of the Fed for extraneous reasons, our domestic “peak” may take its place, which will be one of the options for our victory.

Unfortunately, there cannot be many “peaks”, because the financial system is being driven to a point of singularity by cybernetic technologies from which there are only two ways out:
Natural exit:
Inclusion in the global payment system under a common certificate with the appearance of a universal “pay” button provided by the intermediary of intermediaries.
“Stopcock” exit:
Return to paper money.

You can still completely separate your financial system from the US, the EU and the rest of the world, but this is already a catastrophic scenario that goes beyond the scope of this study.

Provision No. 5
The Directive does not apply to payment instruments that have limited functionality. For example, they can only be used at certain points of sale or to purchase a limited range of goods and services. The Directive will also not cover payments through communications operators in the amount of up to EUR 50 (EUR 300 per month) for the purchase of digital content, charitable payments and the purchase of electronic tickets.

Telecom providers are one of the weak points of the system built on the power of the certificate – they can make substitutions of certificates and encryption keys, and if desired, various other nasty things, for example, disable the replication of A-records of DNS servers. They are the “sacred cow” and at this stage it is unacceptable to touch them. They must first build themselves into the new rules and “get hooked” on the certificate. Then they will become safe.

Provision No. 6
States have the right to exempt payment institutions with an annual turnover of up to EUR 3 million from prudential and a number of other requirements.

It is clear here – “they feed local animals.” However, the wording “have the right to” is interesting. Bureaucracies are “fed” with the absence of rights (correlating with the provisions of the TTIP), and a new future source of such rights is shown, which they will undoubtedly use by placing payment intermediaries “above the law”.

The Transatlantic Trade and Investment Partnership (TTIP) agreement, which prohibits states from appealing court decisions in cases initiated by corporations against these states, as well as prohibits states from even initiating proceedings against companies (this is a simplification, but the meaning is this), has precisely this goal – to put private business above the law.

As the pyramid of intermediaries is formed, the mindset in which financial institutions are “above the law” (remember the key provisions of TTIP) will become the norm – the foundations of a new reality are laid in this very point. At some point, the top of the pyramid – the US Federal Reserve will naturally also be “above the law” (although TTIP does not imply this, but this will already be a fact). That’s it – the power has been taken, in fact it will become impossible to destroy the system that has been created. In this case, the Fed and Apple won.

Of course, the financial industry in this operation is the most valuable, as the leading one, because the main operation is carried out within the framework of the Transatlantic Trade and Investment Partnership and is hidden behind the PSD2 directive.

Thus, the hype around the blatant lawlessness of corporations under the TTIP agreement is just a diversionary manoeuvre so that behind this hype it is difficult to discern the main move in the financial and cybernetic plane.
Here’s why the Americans are so relaxed and are “throwing away” one area after another: all the revolutions, ISIS, Syria, refugees and terrorist attacks in the EU are all just cover operations behind which the Transatlantic Trade and Investment Partnership agreement is being pushed through. That agreement in turn guarantees the possibility of the forceful implementation of the certificate by technological corporations, which in turn “cements” new cybernetic links between financial institutions. These, using the mass of liquidity from the Federal Reserve, will be built into a hierarchical pyramid, at the top of which “someone” will sit, simultaneously owning both the certificate and the liquidity. And this someone is American.
A needle in an egg, an egg in a duck, a duck in a chest…
Provision No. 7
The Directive mandates the use of strong customer authentication for online access to accounts, electronic funds transfers, and in cases of fraud risk.

Strong customer authentication in its extreme form (which will of course be implemented) implies identifying the electronic device user’s identity at the moment a transaction is initiated. The modest addition about “fraud risks” will in practice mean a situation where an automated fraud filter “thinks” that you are a fraudster and automatically calls the police, with your photo on the police monitor and your GPS coordinates, right at that very moment. The users themselves accepted the offer that identifies them. And the offer accepted mindlessly when purchasing a phone, coupled with the above-mentioned point of PSD2, which covers Apple, which is covered by the Federal Reserve through a certificate, has created such a wonderful legal field where the RISK (!) of fraud is enough. And welcome – the legal foundations for a “digital concentration camp” have been laid: by purchasing a phone, you enter a parallel legal field.

Provision No. 8
As before, payment orders should be executed by default on the next business day. In some cases, this period may be extended to 4 business days.

These “some cases” are not specified, but it is clear that a payment intermediary crediting funds on the 4th day, while actually receiving them via the still functioning SWIFT on the 2nd day, has an insurmountable advantage over those who are obliged to credit on the 2nd day.

It is clear that “some cases” will be a privilege of the top of the pyramid, which will be under the control of the Federal Reserve. For certain “machinators” moving funds from other countries to the main offshore of our time, ±2 days mean nothing. But for the entire flow, this is the direction of the “magnetic field” that determines the distribution of financial intermediaries by hierarchy level in the pyramid of competitiveness (the pyramid of financial intermediaries).

If we legislatively create the same system, but make a “special case” for our intermediaries for 5 days, this will create a situation where ours will have more “uncredited” funds at their disposal, which will allow them to provide the “service” cheaper than their overseas counterparts, which already creates some opportunities for struggle. Unfortunately, this is an incomplete solution and only in one of the dimensions of this long-standing struggle for which our current “hybrid war” is just a short-term cover operation.

Provision No. 9
The Directive maintains the client’s liability for unauthorised transactions at EUR 150. Liability may be waived if sufficient security of the payment instrument is not ensured (e.g. two-factor authentication is not used). The client is liable for unauthorised transactions if they are made as a result of a violation of the rules for using the payment instrument.
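Provision No. 7 requires strong customer authentication and Provision No. 9 refers to two-factor authentication as the security measure whose absence shifts liability. The block below is an added example, not code from the article, showing what “two independent factors” looks like in working code: a knowledge factor (a password checked against a salted PBKDF2 hash) and a possession factor (a TOTP code per RFC 6238 generated by a device holding a shared secret). The shared secret and salt are the RFC test-vector and constructed values; the `Enrolment` record, `enrol` and `verify_sca` names are this example’s own. A code is accepted only once, so a code captured in transit cannot be replayed within its validity window.

```python
"""Strong customer authentication as two independent factors (added example).

Not the article's code. Knowledge factor: password vs. salted PBKDF2 hash.
Possession factor: TOTP (RFC 6238) built on HOTP (RFC 4226). Both must pass,
and each TOTP time step may be consumed only once.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class Enrolment:
    """Server-side record for one customer (hypothetical structure)."""
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    used_steps: set = field(default_factory=set)  # time steps whose code was consumed


def enrol(password: str, totp_secret: bytes, salt: bytes) -> Enrolment:
    """Store a salted password hash and the device's shared TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Enrolment(salt, pw_hash, totp_secret)


def verify_sca(enr: Enrolment, password: str, code: str, unix_time: int, step: int = 30) -> bool:
    """Return True only if both the knowledge and the possession factor are valid.

    Both factors are evaluated before a decision is taken, so a failing
    password does not short-circuit the check. The current time step and
    one step either side are accepted to tolerate clock drift, but a step
    whose code has already been used is rejected (replay protection)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), enr.salt, PBKDF2_ROUNDS)
    knowledge_ok = hmac.compare_digest(candidate, enr.password_hash)

    matched_step = None
    for drift in (-1, 0, 1):
        t = unix_time // step + drift
        if t in enr.used_steps:
            continue
        if hmac.compare_digest(hotp(enr.totp_secret, t), code):
            matched_step = t
            break
    possession_ok = matched_step is not None

    if knowledge_ok and possession_ok:
        enr.used_steps.add(matched_step)
        return True
    return False


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890");
# the salt is a constructed value, never reuse one across customers.
RFC_SECRET = b"12345678901234567890"
SAMPLE_SALT = b"constructed-per-user-salt"

if __name__ == "__main__":
    enr = enrol("correct horse battery", RFC_SECRET, SAMPLE_SALT)
    code = totp(RFC_SECRET, 59)          # what the customer's device shows at t=59
    print("first use:", verify_sca(enr, "correct horse battery", code, 59))
    print("replay:", verify_sca(enr, "correct horse battery", code, 59))
    print("wrong password:", verify_sca(enr, "guess", totp(RFC_SECRET, 120), 120))
```

Note that a TOTP secret is a shared secret: whoever holds the server-side copy can generate valid codes, so it deserves the same protection as the password hashes, and the replay set should be pruned once steps fall outside the drift window.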

This is also one of the advantages – as you know, card fraud, for example, for capital flight, is committed using cards of citizens of those states in which the holder is not liable for this. For example, with Belarusian cards, which fills the banks of this country with liquidity. Paradoxically, it turns out that it is necessary to create conditions for fraudsters and they will “drive” money to the Russian Federation. Unfortunately, this is just an assumption – we do not know the exact distribution of funds in the flows. If this information becomes available, we will be able to conduct appropriate analytics in order to stop the outflow of capital through card schemes.
Provision No. 10
The provisions of the directive must be transposed into national legislation by 13 January 2018. During 2017-2018, at least 10 explanatory documents and technical standards necessary for the effective implementation of the directive will be developed.

As always, the devil is in the detail – the Americans are not disclosing all the parameters, forcing competitors in the catching-up position to prescribe extreme figures in their legislation. At this moment, thunder roared and lightning flashed outside the window (the analysis was written at night, when there was a storm in Moscow) and a solution appeared. Perhaps this is the idea: for the flash and the sound to be synchronised, the distance from the source must be minimal. We must act in sync with the Americans: they take a step, we take a step. Everything is the same, but we make the conditions slightly better. Demonstratively. So that everyone can see, so that businesses can observe and understand that in the end, in terms of each parameter, we will be better. It is time to adopt the Chinese experience in copying.

For maximum effect, act as in the example with the lightning: the “sinister plan” must be given a visible and well-publicised response.

This should have been done a year ago. There is no time for “rocking the boat”. In this case, only the political will of the Head of State and the emergency involvement of a team of experts who understand the situation and already have a plan of action will help.

CONCLUSION:
To wage the struggle, it is necessary to engage multi-disciplinary specialists (highly sophisticated modelling) as soon as possible, capable of comparing factors from the following areas of knowledge:

  1. International Law;
  2. International Taxation;
  3. Electronic Payment Technologies;
  4. Information Technologies;
  5. Social Engineering;
  6. Marketing (consumer as a driver of the directive).

We are able to provide the Government of the Russian Federation with comprehensive assistance in developing a plan of counter-measures, as we have significant experience in designing schemes of similar complexity for the business community.
Alexey Zarin
Moscow, 2016
The full English text of the Payment Services Directive revised (PSD2) can be found at the following links:
http://ec.europa.eu/finance/payments/framework/index_en.htm
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366

A similar analysis from UK-based Starling Bank, demonstrating the shortcomings of analysis by narrowly focused specialists, can be found at:
https://www.starlingbank.com/explaining-psd2-without-tlas-tough/

All text and graphics presented on this web page are the property of LLC “AMSV GROUP”, a company registered in the Russian Federation. The use of these materials without the written consent of the owner is prohibited and will be prosecuted in accordance with the legislation, by contacting the hosting centres serving the websites of violators, as well as by referring to the courts at the place of registration of the violator or the residence of an individual violator.