The EBA is wrong about screen scraping — and it’s going to hurt European fintech!

Thursday, 20 April 2017
By Ralf Ohlhausen, Business Development Director, PPRO Group

On 23 February, the European Banking Authority (EBA) announced its intention to outlaw “screen scraping” in one of their Regulatory Technical Standards (RTS) complementing the revised Payment Services Directive (PSD2), set to come into force in January 2018. Screen scraping sounds sinister. In fact, it simply refers to the practice of automating any internet browsing interaction, in this case with a bank, using their existing, direct customer user interface (online banking) with the customer’s permission. Therefore, let me rather call it “permitted automated direct access”, which describes it better and is less derogatory.

The EBA suggests that banks can deny this type of “direct access” through their front door, if they are providing another “indirect access” possibility via a new, yet-to-be-developed API at their back door. Customers, the argument goes, are being trained to enter their online banking credentials into third-party websites and banks do not have adequate oversight of who is accessing their customers’ data.

Infantilising the consumer

The problem here is that we’re engaging with perception rather than dealing with substance. Consumers who share their login credentials with a PSD2-licensed fintech company are making an informed decision. They have complete control — and oversight — over who accesses that data. And that’s the crucial point: the consumer is in control, not the bank and not the fintech. And that’s exactly as it should be.

Of course, consumers must be protected against malicious “phishing attempts”, which is what the PSD2 security elements mentioned below are all about, but that applies to bank and fintech websites in the same way and also independently of using front or back doors.

Sharing login details between reputable financial services companies, subject to a competent financial regulator (for instance, the FCA in the UK or the BaFin in Germany) is perfectly secure. Such companies are regularly audited and must, by law, take all necessary technical, legal, and procedural steps to protect consumer data. This absolutely includes login details, but also includes the actual financial data itself. If they make a mistake, they are liable for providing restitution — so you can bet your bottom dollar that they are serious about not making mistakes.

As a matter of fact, the new General Data Protection Regulation (GDPR) stipulates that consumers shall be enabled to access all their data, retrieve it and share it – or not – depending on their explicit consent. The only feasible technology for achieving this is the permitted automated direct access of the consumer’s data via the very same interface they are using manually – and this does not just apply to banks, but also insurances, telecoms, social media sites and any other company storing data on behalf of their customers.

What’s more, European data-protection laws also demand proportionality in how data is collected and used. The customer’s consent only covers data strictly necessary to the job with which he or she has tasked the company. In the US, there has been some concern that screen scraping might give financial-service companies ongoing access, allowing them to harvest a broad range of data from customer accounts. In Europe, this just isn’t possible.

To the contrary, PSD2 stipulates the use of Strong Customer Authentication (SCA) to disable the potential misuse of static login data by requiring a second factor, e.g. a one-time password, to authorise any particular transaction. It also stipulates that licensed fintechs have to properly identify themselves to the banks. The rumour that this would not be possible with direct access is simply not true – fake news! The certificate approach suggested by the RTS can be used equally well for direct or indirect access.

The danger in getting this wrong

Globally, fintech — particularly in the payments industry — is at a crucial stage in its development. E/M-commerce is booming. Volumes are expected to grow exponentially over the next few years. This is driving a rapidly growing demand for innovative online payment and financial products. So far, Europe has been one of the main beneficiaries of this development.

Two key planks of this success have been European fintech’s ability to innovate and its ability to provide a good customer experience. The ban on permitted direct access to customer data puts both at risk. If fintechs must always go through the bank’s back door API, they are essentially beholden to the banks, which could then “control the innovation” – that’s like letting the fox guard the henhouse. If the development of a bank’s API lags behind changes to the way its accounts are structured or the way its online banking works, then EU fintechs — and ultimately consumers — will be at a disadvantage.

At the same time, permitted direct access is the easiest and quickest way for a consumer to get started with a new financial provider. The vast majority of them are using this type of access today – including banks by the way! By forcing the consumer to take a more complicated route to sharing his or her data, the EBA would bring existing competition to a halt and make the customer experience less seamless. This will hurt not just such new providers, but also the conversion rates of many merchants.

The only way to motivate banks to provide and sustain indirect (API) access that is as good as – or even better than – what they offer their customers directly is the following: leave the decision about which one to use to the consumer and their chosen fintech. Leaving it to the banks instead and then hoping for a level playing field by regulating and trying to enforce things like “functionality”, “availability” and “performance” levels of APIs will just create endless arguments and disputes between the parties, make the courts even busier and turn lawyers – not consumers – into the real beneficiaries of PSD2.

Driving competition into Financial Services by banning direct access is like promoting electric cars without allowing them on to public streets. Imagine where telecoms, electricity and railways competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, powerlines and rail tracks for their competitors to use! Banks can always be a big step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door.

Some banks will want to provide great APIs to attract many fintechs around them and create a whole ecosystem, similar to what Apple and Google achieved with their app stores. Some others – probably the majority I would guess – will prefer to do nothing and save their money and scarce tech resources for more burning problems. The remaining banks in-between will do the minimum to comply and the maximum to hinder the new competition knocking at their front or back door.

The new competitors will want to use APIs if they are good, because it’s easier than automating the direct access, but they will not want to use them if they are not so good, because that would lead to poorer services for their customers, who by the way are also the customers of that bank – not to be forgotten!

In November 2016, the European Commission established a Financial Technology Task Force, with the aim of helping fintech in the EU reach its full potential. 2017, we were told, was going to be the “year of fintech” in the EU. Potentially hamstringing EU fintechs with an anti-competitive rule is an odd way of showing it.

What should we be doing?

To really protect consumers, the EU needs to help them understand how to choose the right providers when buying financial services and to safeguard against the use of malicious ones. National authorities should rigorously enforce existing laws on data protection and information security, making an example of any company which fails to meet proper standards either in the collection or use of data. This would do what the misguided EBA ban on “screen scraping” aims to do, but cannot, without harming the growing EU fintech sector.

“Permitted automated direct access” should be recognized as one of the most important enablers for innovation and competition in general, and not just in the financial services industry. Therefore, governments, regulators and competition authorities should embrace it and focus on keeping it secure and efficient, rather than throwing it out with the bathwater.

To be fair, the European Parliament recognizes this already judging by a letter[1] they wrote in October 2016. Amazing that the EBA chose to do the opposite, and I can only hope that the parliament will insist and prevail!

Properly nurtured and regulated, European fintech will continue to be a success story: an engine of growth and a job creator, at exactly the time such things are sorely needed. This isn’t the time to put that at risk, particularly not for the sake of excessive legislation that won’t achieve its stated aim.
