EU Payment Services Directive PSD2
Comprehensive Analysis and Countermeasures
Before studying the material, it is recommended to read the “summary” of the PSD2 directive, as well as the abridged version of this analysis. For ease of understanding of the concept, the style of presentation of the material is figurative vernacular. The text is strongly recommended for distribution by all possible means with a mandatory link to the source.
Payment Services Directive revised (PSD2)
On 13 January 2016, the second Payment Services Directive of the European Union – Revised Directive on Payment Services (PSD2) – entered into force. Despite the name, this directive is not an evolutionary development of PSD1. On the contrary, it limits the possibilities of existing institutions and rigidly directs the development of the financial sector in one single direction.
The Directive regulates payment services, key consumer rights, principles of interaction between market participants and lays the foundation for a completely new financial system in the sense that the old one is being completely “phased out”.
It creates the foundation for excellent payment services that will be very much appreciated by end users. In this universal consumer WOW! lies the power of this undoubtedly American plan to replace the outdated US Federal Reserve with “something” that, for the time being, has no name.
Below are some of the most relevant provisions of the document.
Provision No. 1
The Directive introduces new types of institutions into the regulatory field – financial intermediaries. New licences are not intended for the development of the old system, a new institutional hierarchy is being created – service providers are being brought to the fore, and the system of contractual relations is being replaced by cybernetically enshrined rules of interaction established by law.
Considering that everything is so grandiose, but at the same time, banks are not affected at all by the directive, by analogy with mobile operators, which, with the development of “messengers”, have turned from service providers into teams of equipment maintenance technicians, upon further analysis, it becomes clear that banks are left with only one function – “money depositories” and nothing more. So, two new licences are being introduced:
First licence:
Payment initiation service providers provide interfaces for making payments and act as intermediaries between the consumer and the holder of the funding source. Payment initiation services are entitled to debit funds from ANY account with ANY financial institution without the latter’s consent.
It is appropriate here to mention a client who approached us a couple of years ago with a proposal to make a “browser add-on” that would allow you to pay anywhere “with one button” without worrying about the account used, the payment method or security – the system would choose everything itself and, in addition, protect its client from fraudsters, up to and including the control service communicating with the police.
This fantastically attractive idea had a problem – the system was NOT beneficial to all other service providers. Therefore, in order to implement it, it was planned to start with the weakest and smallest providers and gradually entice larger players.
In this case, the Americans, as the owners of the largest players, are coming in from the other end and simply crushing everyone at once. A super aggregator of all payment instruments will be created.
Second licence:
Account information service providers, at the client’s request, request information about their accounts (e.g. balance) from financial institutions and consolidate it in one place. The key words here are “at the client’s request” – such an instruction to transfer information can be included in any of the general offers that the end user usually signs without reading. For example, in the mobile phone offer, which the user sees when they first turn on their phone and is forced to agree to in order to continue working with the system. It is interesting to ask here why this division into two licences – two different financial institutions – is necessary? The answer is simple: the 1st is incomplete without the 2nd, and the 2nd, in its most powerful form, through offers from technology IT companies such as Apple, Microsoft, will only be with the Americans themselves.
Provision No. 2
The Directive obliges financial institutions to provide information to financial intermediaries even without concluding a separate agreement. Since financial intermediaries are purely IT companies, one could say that the directive obliges “bankers” to transfer their main functions to “programmers”. As you know, it is impossible to compete with software companies on their own turf, plus the latter are given almost two years to prepare.
It is difficult to predict such processes, but the “reformatting” of financial sectors in individual states could be very rapid. For the most technologically advanced countries, it could even be days (if not hours).
Possible extreme scenario: all clients have been pre-sorted, the first versions of the financial intermediaries’ software have been downloaded by users (clients). The parliament of the next country passes a law, ratification, stamp. At 00:00, client applications are activated. That’s it, the natural and legal persons of the next state that has implemented the directive have entered a wonderful world where any payment is made “at the touch of a button”, all payment cards have suddenly become universal, and the banks of that state have become almost “nothing” at the same moment.
By early 2017, uniform standards for data exchange with financial intermediaries will be prepared and will be mandatory throughout the EU. In its worst form, IT control will be implemented as a requirement for everyone to use a single certification authority and a single root security certificate. Presumably, since the root certificate must be held by one corporation, the US Federal Reserve is currently deciding whether it will be Apple, Google or Microsoft (maybe ICANN, by the way). It’s hard to say. But the advantage is clearly with Apple, as they have released a lot of “hardware” (phones, computers), and “hardware” is “rooter” and therefore more convenient for the forced introduction of the new standard.
Considering the above, it is logical to assume that there is collusion between the owners of money – the US Federal Reserve and the owners of hardware – Apple. Together, their PSD2 directive makes them virtually invincible.
Provision No. 3
A pan-European register of organisations that have the status of payment institutions, as well as their agents, will be created in the European Union.
How it will be done is written in paragraph 2, and even “unaccounted for grey gateways” serving the interests of shadow businesses will be included in this register – they will simply not be able to serve websites that are all looped to a common root certificate for the “financial concentration camp”.
Here, by the way, an interesting thing could happen: in a good way, in order to “hook” ordinary Internet users on the root certificate, it is necessary to have access to the 13 root DNS servers (the basis of the Internet – owned by the American corporation ICANN), also only by certificate. Then whoever does not use the root certificate will not be able to use the Internet.
Quote from Wikipedia: “Since 2010, means of checking the integrity of transmitted data, called DNS Security Extensions (DNSSEC), have been implemented in the DNS system. Transmitted data is not encrypted, but its authenticity is verified by cryptographic means. The implemented DANE standard provides for the transmission of reliable cryptographic information (certificates) by DNS means.”
Good heavens, the process was launched at least 6 years ago! And most likely even earlier – in the 70s when the IPV4 protocol was being developed. After all, it would have been enough to make the address length in the protocol 1 byte longer and the situation would have been impossible. Thousands of root servers could have been made. No, it was necessary to make exactly 13 servers, put 9 of them in the US and make the managing company American. This is mathematics. It is impossible to believe that the people who created the Internet (!) did THIS “out of stupidity”.
Digression into IT in the context of the DNS situation:
This is where the 13 root DNS servers of the Internet come in, containing full copies of the array of A-records for the entire planet. At the peak of the struggle, if the Russian Federation decides to secede from the new system, a fork will arise: if at least one of the 13 servers is located in our country, if the array of A-records of the IPV4 protocol of the RU zone is replicated to the other DNS servers from Russia, then we will be able to preserve our cluster of the Internet and consequently we will be able to preserve our internal payment system. If not, then we will lose even our own Internet and the payment system along with it. Unfortunately, disconnection from European and American financial institutions and the cessation of international payments will happen anyway. The question is “on the edge”.
Without going into details: if we don’t have one of the 13, but there are also “root” DNS servers that store records for the IPV6 protocol, then things are bad anyway, because the 6th version of the protocol was created for those “who didn’t have enough normal addresses”. Here the author is simplifying greatly, but the general meaning is clear.
Provision No. 4
The Directive continues to allow the provision of payment services by “payment institutions” – a special category of organisations that are not banks.
Of course, the old institutions should remain in place during the transition period, while the Americans build their pyramid of financial intermediaries (subjugating everyone at once, as in the example of the browser add-on at the beginning of the article) and use the infinite (!) liquidity of the Federal Reserve to create their own intermediary-of-intermediaries uniting the “pay buttons” of all other financial intermediaries under a “single pay button”.
Prudential requirements for payment institutions will remain largely unchanged. The minimum authorised capital is set at €125,000 for payment institutions, €20,000 for money transfer systems and €50,000 for payment initiation services. Payment market participants are also subject to differentiated requirements for the minimum amount of own funds (capital).
Obviously, the capitalisation and authorised capital have been kept to a minimum on purpose – everyone should rush to fit into the new rules and find their place in this “Egyptian pyramid” – by accepting the rules of the game, the business and people’s masses themselves are creating the basis for the very top brick, which will appear at the optimal moment (by the way, such a moment can be mathematically calculated and we can calculate it).
The limitations of the moment of appearance of the intermediary-of-intermediaries are obvious:
Lower limit: when the “IT people” agree.
Upper limit: the moment of appearance of the tops of too large alternative pyramids of financial intermediaries.
One way to combat the “something” being created is to have your own alternative top (intermediary-of-intermediaries) ahead of the curve. However, such a struggle would end in disconnection from the certificate, as mentioned above.
Nevertheless, this activity should still be carried out in order to create a false impression of our objectives. Moreover, in the event of the collapse of the Federal Reserve for extraneous reasons, our domestic “peak” could take its place, which would be one option for our victory.
Unfortunately, there can NOT be a multitude of “peaks”, since the financial system is being driven into a singularity by cybernetic technologies, from which there are only two ways out:
Natural way out:
Incorporation into the global payment system under a common certificate with the emergence of a universal “pay” button provided by the intermediary-of-intermediaries.
“Stop-cock” exit:
Return to paper money.
It is still possible to completely separate one’s financial system from the US, the EU and the rest of the world, but this is already a catastrophic scenario beyond the scope of this study.
Provision No. 5
The Directive does not apply to payment instruments that have limited functionality. For example, they may only be used in certain outlets or for the purchase of a limited range of goods and services. The Directive will also not apply to payments through communications operators of up to €50 (€300 per month) for the purchase of digital content, charitable payments and the purchase of electronic tickets.
Telecommunications providers are one of the weak points of the system built on the power of the certificate – they can substitute certificates and encryption keys and, if they wish, various other nasty things, such as disabling the replication of DNS server A-records. They are a “sacred cow” and untouchable at this stage. They must first fit into the new rules themselves and “get hooked” on the certificate. Then they will be safe.
Provision No. 6
Member States are entitled to exempt payment institutions with an annual turnover of up to €3 million from prudential and a number of other requirements.
This is understandable – “feeding the local animals”. However, the wording “entitled” is interesting. Bureaucracies are “fed” the absence of their rights (correlating with the provisions of TTIP) and shown a new source of their origin in the future, which they will undoubtedly use by placing payment intermediaries “above the law”.
The Transatlantic Trade and Investment Partnership (TTIP) Agreement, which would prohibit states from appealing court decisions in cases brought by corporations against those states, as well as prohibit states from even initiating proceedings against companies (this is a simplification, but that is the gist of it), has precisely this objective – to place private business above the law.
As the pyramid of intermediaries takes shape, the mindset that financial institutions are “above the law” (remember the key provisions of TTIP) will become the norm – the foundations of the new reality are laid in this very point. At some point, the top of the pyramid – the US Federal Reserve – will naturally also find itself “above the law” (although this is not envisaged by TTIP, it will already be a fact). That’s it – power has been seized, and it will be impossible to destroy the system that has been created. In this case, the Fed and Apple have won.
Of course, the financial industry is the most valuable in this operation, as the leading one, which is why the main operation is being carried out outside the framework of the Transatlantic Trade and Investment Partnership and hidden behind the PSD2 directive.
Thus, the hype surrounding the blatant lawlessness of corporations under the TTIP is just a diversionary tactic to make it difficult to see the main move in the financial and cybernetic plane behind all the noise.
That is why the Americans have become so relaxed and are “leaking” direction after direction: all the revolutions, ISIS, Syria, refugees and terrorist attacks in the EU are just cover operations, behind which the Transatlantic Trade and Investment Partnership agreement is being pushed through, which in turn guarantees the possibility of forcible introduction of the certificate by technology corporations, which in turn “cements” the new cybernetic links between financial institutions. These will be built into a hierarchical pyramid by the mass of the Fed’s liquidity. At the top of which is “someone” who owns both the certificate and the liquidity. And that someone is an American.
A needle in an egg, an egg in a duck, a duck in a box…
Provision No. 7
The Directive requires strong customer authentication when accessing an account online, when transmitting payment orders electronically, and when there are risks of fraud.
Strong customer authentication in its extreme form (which of course will be implemented) implies the identification of the user of an electronic device at the time of transaction initiation. The modest addendum about “fraud risks” will in practice mean a situation where: an automatic fraud filter “thought” you were a fraudster, it took your picture and called the police automatically, showing your picture on the police monitors, using GPS coordinates, instantly. The user himself accepted the offer that identifies him. And the offer, thoughtlessly accepted when buying a phone, coupled with the above-mentioned point of TTIP, which covers Apple, which covers the Fed through the certificate, has created such a wonderful legal field where the RISK (!) of fraud is enough. And welcome – the legal basis for a “digital concentration camp” has been laid: by buying a phone, you enter a parallel legal field.
Provision No. 8
As before, payment orders must be executed by default on the next business day. In some cases, this period may be extended to 4 working days.
Some cases are not specified, but it is clear that a payment intermediary crediting funds on the 4th day, while actually receiving them via the still functioning SWIFT on the 2nd, has an impossible advantage over those who are obliged to credit on the 2nd.
Clearly, “some cases” will be the prerogative of the top of the pyramid, which will be under the control of the Fed. For individual “machinators” driving funds from other countries to the main offshore jurisdiction of our time, +-2 days means nothing. But for the entire flow, it is the direction of the “magnetic field” that determines the distribution of financial intermediaries by hierarchical levels in the pyramid of competitiveness (the pyramid of financial intermediaries).
If we were to legislatively create the same system, but make a “special case” for our intermediaries of 5 days, this would create a situation where ours would have more “uncredited” funds at their disposal, allowing them to provide the “service” cheaper than their overseas counterparts, which already creates some opportunities to fight back. Unfortunately, this is not a complete solution and is only one dimension of this long-standing struggle for which our current “hybrid warfare” is merely a short-term cover operation.
Provision No. 9
The Directive maintains the client’s liability for unauthorised transactions at EUR 150. Liability may be reduced to zero if sufficient security of the payment instrument is not ensured (e.g. no two-factor authentication is used). The customer shall be liable for unauthorised transactions if they are carried out as a result of a breach of the rules for using the payment instrument.
This is also one of the advantages. As you know, card fraud, for example for capital flight, is committed with cards of citizens of those states in which the holder is not liable for it, for example with Belarusian cards, which fills the banks of that country with liquidity. Paradoxically, it turns out that it is necessary to create conditions for fraudsters, and they will “drive” money into the Russian Federation. Unfortunately, this is just an assumption: we do not know the exact distribution of funds in the flows. If this information becomes available, we will be able to carry out an appropriate analysis in order to stop the outflow of capital through card schemes.
Provision No. 10
The provisions of the Directive must be transposed into national law by 13 January 2018. At least 10 explanatory documents and technical standards necessary for the effective implementation of the Directive will be prepared during 2017-2018.
As always, the devil is in the detail – the Americans are not disclosing all the parameters. Forcing competitors, who are in a catching-up position, to write extreme figures into their legislation – at that moment, thunder roared and lightning flashed outside the window (the analysis was written on a night when there was a storm in Moscow) and a solution appeared: maybe it’s a thought: for the flash and the sound to be synchronised, the distance from the source must be minimal – we must act synchronously with the Americans: one step they take, one step we take. All the same, but we make the conditions a little better. Demonstratively. So that everyone can see, so that the business community can observe and understand that, in the end, we will be better off on every parameter. It is time to adopt the Chinese experience in copying.
For maximum effectiveness, we need to act effectively, as in the lightning example. The “sinister plan” must be met with a visible and well-publicised response.
This should have been done a year ago. There is no time for “swinging”. In this case, only the political will of the Head of State and the emergency involvement of a team of experts who understand the situation and already have a plan of action will help.
CONCLUSION:
In order to wage the fight, it is necessary to involve multidisciplinary specialists (super-complex modelling) as soon as possible, who are able to compare factors from the following areas of knowledge:
1. International Law;
2. International Taxation;
3. Electronic payment technologies;
4. Information technology;
5. Social engineering;
6. Marketing (the driver of the directive is the consumer).
We are able to provide the Government of the Russian Federation with comprehensive assistance in developing a countermeasure plan, as we have significant experience in designing schemes of similar complexity for the business community. Alexey Zarin
Moscow, 2016.
The full English text of the Payment Services Directive revised (PSD2) can be found at these links:
http://ec.europa.eu/finance/payments/framework/index_en.htm
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366
A similar analysis by the UK’s Starling Bank, demonstrating the flawed analysis by narrow-profile specialists, can be found at:
https://www.starlingbank.com/explaining-psd2-without-tlas-tough/