The digital euro will fundamentally transform the European payments landscape. For banks and payment service providers, this means: now is the right time to prepare strategically for the upcoming changes. In our teaser paper, we highlight the key elements of the European Commission’s legislative proposal, outline the strategic challenges for financial institutions, and show how banks can successfully implement the digital euro.
ECB Decision on the Digital Euro: October 2025 as a Milestone
The European Central Bank (ECB) has announced that it will decide on the introduction of the digital euro in October 2025, following the completion of the current two-year preparation phase. Although a concrete launch date has not yet been set, banks and payment providers should not underestimate the potential impact of an implementation that, according to the ECB, could begin as early as 2028. As a legal currency, the digital euro will have to be offered mandatorily—both on the issuing and acquiring sides. Waiting or hesitating is therefore not a viable strategy.
Our teaser outlines why banks must prepare now for the digital euro and how they can position themselves strategically within their existing payment strategies.
Regulation of the Digital Euro
Key Challenges for Banks
Introducing the digital euro will entail significantly higher effort for banks than previous payment innovations. Similar to international card schemes such as Visa, Mastercard, or Wero (from the European Payments Initiative), the implementation and operation of the digital euro will be governed by an extensive rulebook. In addition, participating institutions will need to set up a new technical infrastructure, including the conversion of euro into digital euro and vice versa. They will also need to maintain separate digital euro accounts, increasing administrative complexity.
However, banks will not be able to pass these costs directly to their customers. According to the European Commission, so-called “basic services”—including account maintenance, euro-to-digital-euro transfers, and digital euro transactions—must be offered free of charge. The proposal also foresees the issuance of physical payment cards to prevent the exclusion of non-digital users.
Revenue Models and the Risk of Margin Pressure
Of course, the legislator must ensure the economic attractiveness of the digital euro for all market participants. However, this attractiveness will be strongly influenced by regulatory measures. The following transaction-based revenues will be generated for E-Commerce and POS transactions:
Revenues on the issuer side (banks): These will primarily stem from the Inter-PSP Fee – an ad valorem fee paid by the acquirer to the customer’s bank, comparable to the interchange fee. This fee is expected to be regulated by the ECB, similar to the interchange fee.
Revenues on the acquirer side: Revenues will mainly be generated through the Merchant Service Charge (MSC) – an ad valorem fee paid by merchants to their acquirers. Unlike current payment schemes, the MSC will also be subject to regulation.
The regulated nature of the Inter-PSP Fee and the Merchant Service Charge creates the risk of a “race to the bottom,” which could, in the long term, lead to significant margin pressure and declining transaction revenues on both the banking and acquirer sides.
For further information on the cost and revenue implications of the digital euro, especially from a banking perspective, please refer to our teaser paper.
Our Teaser also Covers:
Key legislative aspects and their implications for banks
The impact of the digital euro on issuer revenues and potential strategic responses
An illustrative business case for issuers
How banks can position themselves and the benefits of such positioning
How a strategy and implementation project for banks could be structured
Inaction Is Not an Option
Delaying preparation for the digital euro puts issuers and acquirers at risk of non-compliance with legal requirements, cannibalization effects from an unaligned payment strategy, and the danger of falling behind competitors.
Since banks and acquirers will be obliged to participate in the digital euro, they should define their strategic approach now. Our analysis highlights the key criteria that banks need to evaluate and weigh when shaping their individual digital euro strategy, including aspects such as cost leadership, customer centricity, and time-to-market.
Now is the time to set the strategic course. We would be pleased to engage in a personal discussion to exchange ideas and explore the next steps together.
With FiDA (Financial Data Access), the EU is facing a pivotal step: moving from Open Banking to Open Finance. The new framework is intended to give consumers and businesses greater control over their financial data while simultaneously driving innovation in the financial sector. However, there are also challenges: data protection, fair competition, and the handling of Big Tech spark controversial debates. This article examines the opportunities and risks of FiDA and highlights how Privacy Enhancing Technologies (PETs) could become a key tool in reconciling innovation with data privacy.
Framework for Access to Financial Data
FiDA, which stands for Financial Data Access, marks the next step for the EU in its transition from Open Banking to a broadly applicable framework for Open Finance. While the rules under the Payment Services Directive 2 and 3 (PSD2 and PSD3) focus primarily on access to payment account data, FiDA covers almost the entire financial spectrum: loans, savings, investments, insurance, mortgages, pensions, and crypto-assets.
The core principle of FiDA is that consumers and businesses are the owners of their financial data, which may be held by various financial institutions. They can share this data with third parties, known as data users, through a Financial Data Sharing Scheme, but only with explicit consent. To access consumer and business data, data users must hold a Financial Information Service Provider (FISP) license. Financial data is accessible only with this license and with the customer’s consent. The scheme enables standardized, real-time data exchange.
Consent for data sharing is given by the customer via the dashboard of their respective financial institution. The simple and secure transfer of data aims to foster innovation and competition while supporting the development of new, personalized financial products and tailored solutions. This gives consumers more control and greater choice.
FiDA also introduces a new regulation allowing data holders to charge a fee for the use of their data, providing them with the opportunity to generate revenue by sharing their information.
Schematic illustration of FiDA
Ethics and Data Protection as a Clear Compass
Financial data is highly sensitive, as sharing it directly affects privacy, can increase financial vulnerability, and in extreme cases even compromise physical security. These risks must be carefully considered in the legislation. Political resistance from individual EU member states further complicates implementation, and the financial industry has already expressed concerns about FiDA.
Designing FiDA therefore requires a delicate approach: clear rules if necessary, yet restraint to avoid stifling innovation. Ethics and data protection are central to FiDA’s development.
In a joint position paper, the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) emphasize that clear and robust rules are necessary to ensure fair competition. Data sharing should occur only under the following conditions:
with the explicit, informed consent of customers
with clear agreements on purpose limitation and data minimization
with protective measures against misuse and unwanted profiling
Both organizations stress that FiDA has no chance without strong consumer trust. Such trust arises not only through laws but also through technological safeguards that structurally protect privacy.
Regulatory Pressure and National Caution
One of FiDA’s greatest challenges stems from concerns over excessive regulatory pressure. Several member states, particularly France, Germany, and the Netherlands, have indicated a cautious approach to the regulation’s scope. A framework that is too broad could impose high compliance costs, especially on smaller market participants. At the same time, few concrete market opportunities have emerged, increasing uncertainty.
This cautious stance has led to limitations in the current draft legislation. According to an informal diplomatic document from May 16, 2025:
Data older than ten years, as well as data from terminated contracts, should be excluded from mandatory access.
The scope should be limited to natural persons and small and medium-sized enterprises (SMEs). Large companies are explicitly excluded.
While these limitations simplify implementation, they reduce FiDA’s innovation potential. Important datasets are excluded, which can significantly disadvantage fintechs, insurance companies, and data-driven SMEs, for example:
Credit information services cannot develop long-term risk models for mortgages over 20–30 years.
Insurtechs lack historical claims data to model rare but severe risks.
SMEs using AI models for forecasting or fraud detection lose access to deep datasets that reveal long-term trends.
Providers in the green finance sector are unable to analyze long-term energy or investment patterns to assess sustainability.
France has also intensified diplomatic efforts to adapt the regulation, expressing concern that FiDA could act as a Trojan horse for global tech giants. A framework intended to empower consumers, SMEs, and fintechs could, in practice, facilitate the entry of international tech giants into Europe’s financial markets. Germany and the Netherlands share these concerns, with the Netherlands also emphasizing the burden on banks and regulators.
Radical Cut: Excluding Big Tech
This concern fuels further debate. Under the current proposal, so-called gatekeepers, as defined in the Digital Markets Act, would be excluded from obtaining a FISP license. Critics argue that while this measure may be effective against Big Tech, it could simultaneously stifle innovation and disadvantage consumers.
The Computer & Communications Industry Association (CCIA) Europe stated in a letter to the EU Commission that this exclusion:
Is not proportionately justified
Unnecessarily hinders innovation
Takes away consumers’ right to choose which providers they trust with their data
While preventing market dominance is a valid goal, it is questionable whether a blanket exclusion is the right approach, especially in a market that relies on diversity.
Privacy-Enhancing Technologies (PETs) as a Foundation
A crucial tool for balancing innovation and data protection is privacy-enhancing technologies (PETs). These technologies enable data to be processed or analyzed without exposing the underlying information. Examples include:
Homomorphic Encryption: Enables calculations directly on encrypted data without decrypting it first.
Secure Multi-Party Computation (SMPC): Multiple parties perform joint calculations without full access to each other’s data.
Differential Privacy: Protects individuals by adding statistical noise to datasets to prevent inference.
Federated Learning: AI models are trained locally at the data source, so data does not need to be centrally shared.
PETs make FiDA’s core promise achievable: data-driven innovation while maintaining privacy. They allow strict data minimization, insights without revealing raw data, and a technical implementation of GDPR principles.
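As an added illustration of the differential privacy and data minimization points above (example code written for this article, not taken from the DNB/AFM paper, the FiDA draft, or any scheme specification): a data holder answers two aggregate questions about a constructed customer set with the Laplace mechanism, and a small budget tracker refuses further queries once the agreed privacy budget (the total epsilon) is spent. The customer records, field names, epsilon values and clipping bound are all constructed assumptions.

```python
"""Differential privacy on constructed customer records (added example)."""
import math
import random
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Customer:
    customer_id: str
    in_arrears: bool
    monthly_income_eur: float


# Constructed sample data set; these are hypothetical customers, not real data.
SAMPLE_CUSTOMERS: List[Customer] = [
    Customer("c-001", False, 2400.0),
    Customer("c-002", True, 1800.0),
    Customer("c-003", False, 5200.0),
    Customer("c-004", True, 950.0),
    Customer("c-005", False, 3100.0),
    Customer("c-006", False, 12500.0),  # outlier that would dominate an unclipped sum
]


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon for the Laplace mechanism."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Draw one Laplace(0, scale) sample by inverting the CDF."""
    u = rng.random() - 0.5
    u = max(u, -0.5 + 1e-12)  # keep the logarithm finite at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def exact_count(records: List[Customer], predicate: Callable[[Customer], bool]) -> int:
    return sum(1 for r in records if predicate(r))


def private_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Counting query: one person changes the count by at most 1, so sensitivity = 1."""
    return exact_count(records, predicate) + laplace_noise(laplace_scale(1.0, epsilon), rng)


def clipped_sum(records: List[Customer], clip_max: float) -> float:
    """Clip each contribution to [0, clip_max] so one person can shift the sum by at most clip_max."""
    return sum(min(max(r.monthly_income_eur, 0.0), clip_max) for r in records)


def private_sum(records, clip_max: float, epsilon: float, rng: random.Random) -> float:
    """Sum query: clipping bounds the sensitivity; without it the required noise is unbounded."""
    return clipped_sum(records, clip_max) + laplace_noise(laplace_scale(clip_max, epsilon), rng)


class PrivacyBudget:
    """Sequential composition: every answered query spends its epsilon from a fixed total."""

    def __init__(self, total_epsilon: float):
        self.total_epsilon = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon: float) -> float:
        if self.spent + epsilon > self.total_epsilon + 1e-12:
            raise RuntimeError("privacy budget exhausted; the query must be refused")
        self.spent += epsilon
        return self.total_epsilon - self.spent


def run_demo() -> dict:
    """Answer two queries within a budget of 1.0, then show that a third is refused."""
    rng = random.Random(42)
    budget = PrivacyBudget(total_epsilon=1.0)
    budget.spend(0.5)
    noisy_arrears = private_count(SAMPLE_CUSTOMERS, lambda c: c.in_arrears, 0.5, rng)
    budget.spend(0.5)
    noisy_income = private_sum(SAMPLE_CUSTOMERS, 6000.0, 0.5, rng)
    try:
        budget.spend(0.1)
        refused = False
    except RuntimeError:
        refused = True
    # With a huge epsilon the noise is negligible; this shows the exact value the mechanism hides.
    near_exact = private_count(SAMPLE_CUSTOMERS, lambda c: c.in_arrears, 1e9, random.Random(1))
    return {"noisy_arrears": noisy_arrears, "noisy_income": noisy_income,
            "third_query_refused": refused, "near_exact_arrears": near_exact}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the code makes is the one the DNB/AFM position stresses: the data user learns aggregate answers, the raw rows never leave the holder, and the holder can enforce a hard limit on how much is revealed over time by refusing queries once the budget is gone.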
According to the Dutch Central Bank (DNB) and AFM, PETs should be considered mandatory, particularly for highly sensitive data such as pensions or credit information. Where laws set clear boundaries, PETs provide building blocks to reduce risk, build trust, and give developers freedom for creativity and competitiveness.
Balancing Ambition and Caution
The careful drafting of the final legislation reflects both FiDA’s complexity and its far-reaching impact on the financial industry. The legislation must strike a balance between:
Ambition in expanding data access, innovation, and competition
Caution in handling sensitive data and market power
Flexibility in integrating future innovations without creating lasting risks to privacy or security
In practice, this requires ongoing dialogue among policy makers, regulators, market participants, consumer organizations, and technology providers.
2025: Make-Or-Break Year or Another Stalemate?
FiDA is at a critical turning point. Trilogue negotiations between the Commission, the Council, and the Parliament are expected to produce a final draft this year. Early contours of FiDA are emerging, but many central questions remain unresolved. It is also unclear whether an agreement will be reached in 2025 and when FiDA will ultimately take effect.
What is certain is that the outcome of the negotiations will determine whether FiDA becomes a strong instrument for Open Finance or a cautious compromise that preserves existing structures.
Next Steps for Proactive FiDA Implementation
With the upcoming FiDA regulation, banks, insurance companies, and other service providers must quickly assess its impact on their organizations and business models to ensure compliance and capture new opportunities.
The following measures support a structured approach to FiDA:
Awareness & Positioning Workshop
Understand and share the impact of the FiDA regulation, and define the ambition you want to achieve.
Ideation Session
Create, explore and research the new business opportunities that are within reach.
Gap Analysis
Investigate the extent of the impact of FiDA on compliance, data management, and organization.
This approach helps banks, insurance companies, and other service providers gain clarity on opportunities and challenges, enabling them to leverage FiDA actively and proactively.
It is beneficial to address FiDA at an early stage to uncover opportunities and prepare accordingly. The experts at Thede Consulting, part of the Projective Group, support you with workshops, analyses, and practical advice – tailored to your organization.
Did You Know? – Our Workshop #NextGen Payments
FiDA is part of our new workshop “NextGen Payments: Revolution or Evolution by 2030?”. In this tailored session, we explore how future drivers such as digitalization, regulation, and cybersecurity affect your business models and develop individualized solutions together. More information can be found here.
The European Union is on the verge of launching the EUDI Wallet, a trusted digital identity framework that will soon become mandatory across all member states. For banks and financial institutions, this isn’t just another compliance requirement; it is a transformative shift in how customers will authenticate, transact, and share data. Those who prepare early can reduce regulatory risk, streamline operations, and seize new business opportunities, while late adopters risk being left behind.
The Future of Digital Identity in the EU
In 2024, the European Union introduced eIDAS 2.0, a revised regulation on electronic identification and trust services that is fundamentally reshaping the regulatory landscape for digital identity and trust services across Europe. eIDAS 2.0 officially came into force in May 2024, marking a significant milestone in the EU’s digital transformation journey. The overarching goal of eIDAS 2.0 is to provide every EU citizen and business with the means to securely identify themselves and share verified credentials online, thereby fostering a seamless digital single market.
At the heart of this transformation is the European Digital Identity Wallet (EUDI Wallet), a secure, user-centric solution for managing digital credentials and enabling trusted transactions throughout the EU. By December 2026, each EU member state is required to offer at least one EUDI Wallet, ensuring broad accessibility for citizens and businesses. Furthermore, by December 2027, public and regulated private sector entities – including banks and financial services – must accept the EUDI Wallet for identification and authentication purposes.
The EUDI Wallet is designed to support a wide range of use cases, such as accessing government services, opening bank accounts, making payments, and digitally signing documents. The ecosystem is set to expand further with an amendment expected in Q4 2025, introducing a dedicated EU Business Wallet (EUBW) for organizational credentials. The EUBW will further broaden the scope and utility of the EUDI Wallet ecosystem.
eIDAS 2.0 and EUDI Wallet
How the EUDI Wallet will Impact Banking and Financial Services
Mandatory Acceptance and Integration
By 2027, banks and financial service providers will be legally required to accept the EUDI Wallet for key processes, including customer onboarding (KYC/KYB), payments (with Strong Customer Authentication, SCA), and digital signatures. This mandate is not only a compliance obligation but also serves as a catalyst for innovation and operational efficiency within the financial sector.
KYC and KYB in Customer Onboarding
The EUDI Wallet streamlines Know Your Customer (KYC) and Know Your Business (KYB) processes by enabling the secure, standardized exchange of verified digital credentials. Customers can open bank accounts remotely, using the EUDI Wallet to share only the necessary information with explicit consent and minimal friction. This approach reduces onboarding costs, improves data quality, and enhances the overall customer experience.
Payments and Strong Customer Authentication (SCA)
For payments, the EUDI Wallet introduces a unified, high-assurance authentication method. Banks must facilitate Strong Customer Authentication via the EUDI Wallet upon payer request, supporting both card-based and account-based transactions. This not only fulfils regulatory requirements under eIDAS 2.0 and, as expected, PSD3, but also reduces fraud and enables innovative payment experiences such as “Fast Checkout”.
Digital Signatures and Consent Management
The EUDI Wallet supports legally binding digital signatures and robust consent management. It allows customers to authorize data sharing and transactions with full transparency and control. These capabilities are particularly relevant for loan agreements, account servicing, and other high-value interactions.
Opportunities and Challenges for Banks and Financial Services
The EUDI Wallet offers significant benefits for financial institutions, including fully digitized, automated onboarding and servicing processes. It enhances security, reduces fraud, and streamlines compliance with eIDAS 2.0, PSD3/PSR, and AML regulations. Additionally, the EUDI Wallet enables the development of new, identity-enriched services and business models, providing a competitive edge for early adopters.
Opportunities for Banks
However, the transition to the EUDI Wallet is not without challenges. Financial institutions must adapt to evolving technical standards, integrate with potentially 27+ different national wallets, and navigate overlapping regulations such as eIDAS 2.0, PSD2/3, and AML.
How Banks and Financial Services need to prepare now
To prepare for and leverage the EUDI Wallet, financial institutions should adopt a strategic, multi-faceted approach:
Strategic multi-faceted approach
1. Market Positioning and Business Model Innovation
Financial institutions should explore new business models that leverage verified digital identities, such as instant lending, cross-border account opening, and personalized financial services. Early adoption positions banks and financial services as trusted innovators and enables competitive advantages.
2. Technical and Operational Readiness
Institutions should integrate EUDI Wallet support into onboarding, authentication, and payment flows to ensure seamless customer experiences across all channels. Optimizing resources by clearly defining roles and responsibilities, avoiding duplicate investments, and aligning with evolving technical frameworks will further support a smooth transition.
3. Compliance and Risk Management
Aligning existing KYC/AML processes with EUDI Wallet requirements is crucial for identifying overlaps and gaps. Legal and customer communication frameworks should be updated to reflect new consent, data protection, and authentication mechanisms. Ongoing monitoring of regulatory developments (e.g., the upcoming amendment for the EUBW, PSD3, and AML) will help ensure compliance and interoperability.
4. Customer Education and Support
Developing comprehensive customer education programs is vital to drive adoption and build trust in the EUDI Wallet. Updating customer support channels and staff training will ensure that wallet-related queries and issues are handled effectively.
Your Partner for the EUDI Wallet Transition
Thede Consulting, part of the Projective Group, supports financial institutions in their transition to eIDAS 2.0 and in fully leveraging the opportunities of digital identities such as the EUDI Wallet. Together with our clients, we develop strategies that consider both the business potential of the EUDI Wallet and its regulatory requirements. We create a clear market positioning for our clients and anchor future-oriented topics early on within their organizations. We pursue a holistic approach that reaches from strategy to implementation and enables sustainable differentiation in the competitive landscape.
Enter the EUDI Wallet era prepared and future-proof your business together with us.
Do you have further questions about the EUDI Wallet and the implications for your organisation? Feel free to reach out to our experts for further information.
Discover the future trends in our exclusive workshop. We will show you how the future drivers of digitalization, regulation and cyber security will affect your business models and develop individual solutions with you.
Payment services are subject to constant change, which has accelerated even further in recent times. This change is reflected in the future drivers of digitalization, regulation and cyber security. As a bank or financial services provider, it is now crucial to think ahead and prepare for the future. What impact will these future drivers have on your business model?
Our exclusive “Next Gen Payments” workshop is customized to your company and your challenges. Together, we explore the future drivers and analyze their impact on your company. Our experts will guide you through the latest trends and show you how you can position yourself for success.
Your Benefits
Identification of current trends and relevant developments for your company
Evaluation of economic efficiency, opportunities and risks
Development of an individual strategic roadmap for the enhancement of your business models
Workshop Topics (4-5 hours)
Keynote speech by our experts “Payment in the triangle between Regulation, Digitalization and Cyber Security”
Collaborative impact analysis on your current business models
Identification of strategic and operational activities and the relevant fields of action
We look forward to supporting you in shaping the payment of tomorrow and enabling you and your business for the future.
Are you interested? Please feel free to contact us:
Trends in open banking and open finance are increasingly overtaking traditional banking. The opening-up of banking systems, together with new regulatory requirements such as PSD3/PSR and potentially also FIDA, will create a trustworthy environment that encourages digital solutions and lean processes. Customers are increasingly demanding digital innovations and personalized services. Open Finance offers significant opportunities for this.
By 2025, three key use cases for APIs have been established in the payment and banking industry:
Services for switching bank accounts
Integration of banking services into third-party offerings and
API-based payment processing.
But the potential is far from exhausted. Embedded finance enables banking services to be developed for specific functions and business models. Meanwhile, innovative FinTechs are increasing the competition for traditional banks on the German market.
New regulatory requirements, the adoption of APIs and the possibility of advanced data analysis will continue to transform the industry. The security of sensitive customer and financial data remains a key priority.
We look to the future and ask ourselves:
What will financial services look like in 2030? In order to remain competitive, banks and financial service providers need to act now.
Learn more about the opportunities that APIs and open finance hold for the financial industry and how to benefit from these developments in our white paper (download below). We give you valuable recommendations on how to proceed in the next few years.
Do you have further questions about the development of Open Banking/Finance and the impact on your business? Let’s get together and exchange ideas. We are looking forward to answering your questions.
In the fast-evolving world of artificial intelligence, confusion often reigns. While AI promises transformative potential, understanding its true value – especially in the context of financial services – requires separating fact from fiction. Here, we debunk the most pervasive myths, offering clarity and actionable insights for financial institutions.
Myth #1: AI Is a One-Size-Fits-All Solution
Many businesses mistakenly believe that AI can be applied universally, or that a product exists that is the magic bullet. The truth is, the success of AI depends on aligning the right tools with specific business challenges, whether it’s reducing costs, enhancing customer experience, or driving revenue. Financial services organisations must tailor their AI strategy to their unique needs and goals.
Myth #2: AI Is a Standalone Solution
Some still believe that AI operates in isolation, an autonomous entity capable of transforming entire systems on its own. In reality, AI must be embedded within an organisation to work alongside people and other technologies to help transform processes. Effective AI implementation requires thoughtful integration into the broader operational model, ensuring smooth collaboration between AI and human expertise.
AI in Action
As specialists in Financial Services, we have deep expertise in helping our clients to identify, navigate and implement AI use cases. In the Projective Group we have already worked with several companies in the European financial services sector to deliver AI success stories. There are obvious tasks where AI can be of great benefit. Here is a snapshot of where we see AI being successfully used in the market.
Eliminating errors and ‘waste’: Across the international payments networks, there remains a relatively high proportion of failed transactions. In general terms, the potential exists to integrate learning agents into the hardware and software solutions to reduce or even eliminate such errors. Such tools could start with basic, rule-based error-checking. Over time, they can learn the local patterns and then flag those that fall outside those boundaries. In a fully-fledged implementation, the tools could suggest remediation and even be given (limited, controlled) capabilities to auto-correct. We built a prototype of this capability for SWIFT.
Simplify Reporting: Financial services companies have huge reporting requirements. Many employees spend their days compiling, amending, and rewriting reports. AI can help reduce the duplication of tasks and simplify processes. It can even predict how data in these reports can be used. AI can explain complex report content and remove duplication. Moreover, it can significantly speed up the resolution of large-scale data quality issues through classification, corrections, and the processing of unstructured text. The cost reduction and revenue generation benefits of this are easy to spot.
Credit Risk Models and Fraud Detection: Banks are already successfully using AI to assist them in activities that range from the creation of credit risk models through to fraud detection (with a reduction in false-positive rates).
Read, Summarize and Create Code: AI applications can read, summarise and create programming code (e.g. in COBOL) and also help eliminate technical legacy. This enables companies to better understand how their platforms work and how they can make better use of them.
Chatbots (LLMs): Chatbots are invaluable research tools and can take on a large share of the work of your customer services department. They are good at summarising legal documents and never tire of completing onerous KYC and AML checks. We have used AI to build a chatbot for one client.
The development of AI is progressing rapidly – what is a cutting-edge differentiator today becomes a commodity feature tomorrow. The toughest part of any initiative is moving from PoC to production, where regulatory, security, and scalability challenges arise. Leaning on established vendors for certifications and support can help, as can a focused AI development strategy. ‘AI’ may be the future, but it is not a miracle cure. Your company will still have to consider risk factors, the cost of adoption and the unavoidable fact that not everyone has the skills to use it effectively.
We can help to structure and implement a realistic and clear AI strategy. A strategy that will allow you to use artificial intelligence to deliver real value.
This article was first published in the Payment & Banking white paper titled “AI Use in the Payment Industry.”
The payments industry is on the brink of monumental change. Key drivers – digitalisation, regulation, and cyber security – are not only adding layers of complexity to the current landscape but also intensifying uncertainty about what lies ahead. In our latest whitepaper, we explore the prevailing trends within the payments sector and outline five potential scenarios for the future of payments.
The three future drivers of the payments industry
While cash is slowly but surely losing its dominant position, innovations such as the digital Euro, embedded finance solutions, and European initiatives like Wero have the potential to fundamentally reshape the market. These developments challenge the established business models of payment providers. Yet, they also open up opportunities for those who engage proactively with these changes.
Moreover, a comprehensive new regulatory package is set to impact every player in the financial system over the next two years. Regulations such as PSD3/PSR and DORA are poised to revolutionise the way payments and banking services operate. Additionally, there is ongoing debate about FIDA – whether it will come into force and, if so, what form it might take.
Adapting to the new requirements and reporting obligations may be exhausting – but even here lie tremendous opportunities. Data will become significantly more accessible to all actors, and when this is combined with the broader adoption of AI, customers will soon benefit from highly personalised and precise financial offerings like never before. While it is by no means certain that all these changes will occur exactly as anticipated, now is the perfect time to prepare for multiple future scenarios.
Our whitepaper (available for download below) aims to provide clarity on the direction of the payments industry and offers guidance on how companies can best position themselves amid these upcoming changes. Which trends will prevail? Is there even one single driver that will ultimately dominate? We answer these questions by presenting a series of plausible scenarios for the payments world of tomorrow.
What does this mean for my company?
Discover in our exclusive workshop ‘NextGen Payments: Revolution or Evolution by 2030?’ how the future drivers of digitalisation, cyber security and regulation will affect your business models – and how you can make your company future-proof. Let’s start a dialogue together. We will be happy to answer any questions you may have.
Between the dynamic poles of cyber security, regulation, and digitalisation, future drivers are having a major impact on today’s payments industry. This article, the third in a three-part series, takes a closer look at the opportunities and challenges of cyber security for banks and payment service providers. The first article presented the current initiatives shaping payment digitalisation in Europe – the digital euro – while the second analysed the impact of PSD3/PSR and DORA on the payments industry.
In today’s world of digital finance, fraud prevention and cyber security are key topics due to the increase in online transactions and more sophisticated fraud techniques. Banks and payment service providers are therefore under great pressure to meet customer needs, comply with regulatory requirements and strengthen their general cyber security policies. Dealing with these topics offers great opportunities, but also poses significant challenges that require extensive preparation. What impact do cyber threats have on the payments industry and what do they mean for banks and payment service providers?
Triangle of digitalization, regulation and cyber security in the payment industry
Cyber security – what is it all about?
Cybercriminals are taking advantage of increasingly complex weaknesses such as API vulnerabilities, malware, and man-in-the-middle attacks, and exploiting human failures through phishing, social engineering, and APP fraud. Banks and payment service providers need a holistic approach that takes technical and human factors into account to respond to these threats.
To recognise threats at an early stage, a close collaboration between cyber security and fraud prevention teams is key. Technologies such as risk-based authentication, behavioural analytics, and fraud scoring engines are central to this. Banks and payment service providers need to find solutions that incorporate seamlessly with their core systems to ensure real-time detection and effective defence. Beyond that, regulatory requirements increase the need for action but also offer the opportunity to strengthen customer trust through higher security and transparent communication.
The increasing complexity of cyber-attacks requires structured protection methods
The most common technically driven cyber-attacks include man-in-the-middle attacks, in which attackers interfere undetected in the communication between customers and banks in order to obtain confidential information. API vulnerabilities allow attackers to exploit inadequately secured interfaces to access databases or manipulate transactions. Malware and SQL injection are used to compromise banks’ or end users’ computers in order to gain unauthorised access to networks and data. On the other hand, fraudsters exploit human failure, such as through phishing, where fake emails or websites are used to steal credentials. Social engineering manipulates employees or customers into disclosing confidential information or carrying out authorised transactions. Scams and Authorised Push Payment (APP) fraud trick customers into transferring money directly to fraudulent accounts by posing as trustworthy entities.
Overview of targets for cyber-attacks
Comprehensive fraud management – a four-phase approach
To effectively manage the lifecycle of a fraudulent transaction, a four-phase approach is required: prevention, identification, detection, and resolution.
Prevention: Advanced security infrastructures such as firewalls, security protocols, and intrusion detection systems minimise technical failure.
Identification: Regular checks, monitoring of abnormalities, and marking high-risk transactions or users help to recognise potential weaknesses and areas of fraud. Algorithms and AI identify suspicious activities and unusual customer behaviour.
Detection: Monitoring tools, behavioural analytics, and fraud detection systems enable rapid detection of fraud in real-time or near real-time.
Resolution: Once a fraud attempt has been recognised, immediate action must be taken to reverse it and minimise the damage.
Cyber security teams protect IT infrastructures from unauthorised access and cyber threats, while fraud prevention teams analyse suspicious behaviour patterns and detect fraudulent transactions. The collaboration of both teams is crucial to effectively combat fraud caused by technical and human error. Regulatory requirements are forcing banks to strengthen their security measures in order to protect customer data and guarantee the integrity of their payment processes.
Comprehensive approach to fraud prevention
Challenges in the implementation of regulatory requirements and corporate goals
Compliance with regulations is essential to avoid sanctions and ensure customer trust. At the same time, banks and payment service providers must strive for better security, trust, and efficiency. These service providers face challenges in these key areas:
Management, governance, and target operating model: Banks must adapt their structures and processes to constantly changing regulatory requirements. A gap analysis helps to identify weaknesses and develop steps to enhance their regulatory compliance.
Process optimisation: Optimising internal processes is essential for preventive action against fraud. The implementation of prevention mechanisms and training programmes for secure payment processes is key.
Technical implementation and project management: Banks need to introduce new authentication procedures to fulfil increased security requirements. The introduction of Strong Customer Authentication (SCA) procedures to increase the security of digital transactions is one possible solution.
Provider selection and contractual arrangements: Banks often integrate external service providers for specialised fraud management solutions. Selecting the right third-party service providers and drafting contracts that fulfil regulatory requirements is crucial for preventing cyber risks.
Defend against cyber risks – What needs to be done?
Fraud prevention in the payment industry is complex and includes the implementation of technical and regulatory aspects into today’s systems and processes. Compliance with regulatory provisions requires detailed work and comprehensive expertise. Particularly detailed gap analyses for technical and regulatory requirements are key steps towards effective cyber security. Innovative solutions such as risk-based authentication, behavioural biometrics, and fraud scoring engines are essential to counter fraud risks. The selection of appropriate partners and product solutions is an important step here. Banks and payment service providers must analyse their status quo in terms of cyber security and decide how to position their strategic and operational approach in order to remain competitive in the market in the future.
This article was first published on ‘The Paypers’.
What impact does cyber security have on your company?
Discover in our exclusive workshop “NextGen Payments: Revolution or Evolution by 2030?” how cyber security and the future drivers of digitalization and regulation will affect your business models and how you can make your company future-proof.
We look forward to hearing from you and will be happy to answer any questions you may have.
The financial world is in a constant state of change, driven in particular by technological advances and regulatory adjustments. The current regulatory initiatives of the European Commission, PSD3 (Payment Service Directive 3) and PSR (Payment Service Regulation), will be further steps in this development. According to the European Commission, they aim to harmonize payment transactions within the European Economic Area, increase the security of payment transactions, and promote competition in the payment market. These new regulations present a number of challenges, but also opportunities for banks and payment service providers.
In this blog article, we look at the key points of PSD3 and PSR and their potential impact on banks and payment service providers. We highlight the measures that need to be taken to implement the regulatory requirements efficiently and on time.
What are PSD3 and PSR?
PSD3 builds on previous regulations, particularly PSD2, and clarifies existing regulations. It includes, among other things, an extended liability for banks and sets new IT and risk standards. A key focus is on strong customer authentication and transparent payment transactions.
The PSR (Payment Service Regulation) complements the Payment Service Directive and leads to directly applicable law in all EU states. Its goal is to harmonize regulatory standards within the EU and ensure uniform regulation in European payment services.
The objectives of PSD3 and PSR:
Where do PSD3 and PSR stand now?
In June 2023, the drafts for PSD3 and PSR were published as proposals to revise PSD2. The European Parliament approved this proposal on April 23, 2024, with some amendments, including regulations on strong customer authentication and liability rules. Currently, the European Parliament and the European Council are negotiating the final statutory text. The final version of the statutory texts is expected by the end of 2024. Given these developments, we expect the new regulations to come into effect in 2026.
PSD3 implementation schedule (2023-2026)
What does this mean for banks and payment service providers?
Adapting to the new PSD3 requirements is essential for banks and payment service providers to ensure compliance with the regulations and seize opportunities. This results in the following impacts requiring action:
Strong Customer Authentication (SCA): PSD3 and PSR foresee the introduction of stricter requirements for customer authentication and an expansion of authentication options for people with low digital affinity and vulnerable groups. Additionally, in April 2024, the European Parliament proposed expanding the inherence factor to include environmental and behavioral characteristics. This means that banks and payment service providers must invest in the development and implementation of more robust and innovative security mechanisms. This can increase the security of payment transactions but is associated with implementation costs and additional complexity in adapting systems and processes.
Extended liability for payment institutions: With the tightening of liability rules in fraud cases, banks, payment service providers, and providers of electronic communication services are held more accountable. Issuers will have to prove that, for example, a fraudulent transaction is unequivocally due to customer misconduct to avoid liability. Additionally, payment service providers are obliged to immediately block a payment instrument if there are objective risks or suspicions of fraudulent use. This will be difficult to demonstrate in many cases and may not be in the interest of the relationship with the customer in question. Investments in customer communication, prevention, and handling of fraudulent transactions are to be expected, as well as the challenge of maintaining an efficient balance between transaction conversion and fraud prevention. Furthermore, the reversal of the burden of proof could have a massive impact on customer behavior. The issue of fraud will gain significant momentum. This is already evident in the UK, where the mere sharing of liability risk has led to a significant increase in damages. The issue of fraud should be a major priority for payment institutions in the coming years.
Transaction monitoring and exchange of fraud-related data: To effectively combat fraud, banks and payment service providers must monitor transactions and exchange fraud-related data among themselves to detect early warning signs and respond appropriately.
IBAN-name-check: Implementing the IBAN-Name-Check requires verifying the entered IBAN and the associated account holder’s name to reduce fraud cases and increase transaction security. This may result in additional costs for banks as they will need to adapt their existing systems and processes to integrate this new measure.
Prohibition of fees for certain payment services: PSD2 introduced the surcharge ban, which prohibits providers from charging customers extra fees for certain payment methods. The new draft of the PSR expands this ban. Providers should not be allowed to charge fees for payments, although discounts or special offers that steer the selection of a particular payment method are not excluded. Banks and payment service providers should now identify alternative revenue sources and develop new service offerings to remain competitive.
The impact of PSD3 on banks and payment service providers at a glance:
What are the next steps for a smooth implementation of PSD3 and PSR?
Given these new regulations, it is crucial for banks and payment service providers to act proactively to ensure early compliance with the regulations and secure the competitiveness and profitability of their offerings.
The following measures should be taken to meet and successfully implement the new regulations:
Optimization of security mechanisms:
Advanced authentication technologies that are both secure and user-friendly should be introduced to meet the requirements of PSD3
Strengthening fraud detection and prevention:
Fraud detection and risk management systems should be integrated to detect and prevent fraudulent activity early on
Staff should be trained to identify suspicious transactions to raise awareness of fraud prevention
Decision-makers should exchange information on fraud issues to learn from each other and create synergies
Integration of the IBAN-name-check:
Automated solutions for the IBAN-name-check should be introduced to meet the requirements. It remains to be seen to what extent efficiency and security of payment transactions will be improved
Development of alternative revenue streams:
New service offerings and payment solutions that provide additional value for customers, such as innovative financial services or personalized offers, should be introduced
The business model should be diversified by exploring new markets or partnerships to tap into additional revenue sources and remain competitive
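The IBAN-name-check described above (both in the impacts list and under “Integration of the IBAN-name-check”) has two halves: validating the IBAN the payer entered and comparing the entered payee name with the name on record at the payee bank. The following is an added example, not code from the original article: the country-length table is a constructed partial subset, the directory lookup is a stand-in for the payee bank, and the three outcome classes with a 0.8 close-match threshold are assumptions for illustration.

```python
"""IBAN-name-check demonstration (added example, not from the original article)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, partial table of IBAN lengths per country code (ISO 13616 values).
IBAN_LENGTHS = {
    "AT": 20, "BE": 16, "CH": 21, "DE": 22, "ES": 24,
    "FR": 27, "GB": 22, "IT": 27, "NL": 18,
}


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case the IBAN as entered by the payer."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """Structural check plus the ISO 7064 mod-97-10 checksum."""
    iban = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", iban):
        return False
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is None or len(iban) != expected:
        return False
    # Move country code and check digits to the end, map A-Z to 10-35,
    # then the whole number modulo 97 must be 1.
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", base.casefold())
    return " ".join(cleaned.split())


def classify_name(entered: str, account_holder: str, close_threshold: float = 0.8) -> tuple:
    """Return (outcome, similarity); outcome classes and threshold are assumptions."""
    a, b = normalise_name(entered), normalise_name(account_holder)
    if a == b:
        return "match", 1.0
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= close_threshold:
        return "close_match", ratio
    return "no_match", ratio


def verify_payee(iban: str, entered_name: str, directory: dict) -> dict:
    """Check a payer's bank would run before releasing a credit transfer:
    validate the IBAN first, then compare the entered name with the account
    holder on record. `directory` is a constructed stand-in for the payee bank."""
    iban = normalise_iban(iban)
    if not iban_is_valid(iban):
        return {"iban": iban, "outcome": "invalid_iban", "score": 0.0}
    holder = directory.get(iban)
    if holder is None:
        return {"iban": iban, "outcome": "account_not_found", "score": 0.0}
    outcome, score = classify_name(entered_name, holder)
    return {"iban": iban, "outcome": outcome, "score": round(score, 3)}


# Constructed sample directory; the IBAN is a widely circulated example value,
# not a real account.
SAMPLE_DIRECTORY = {"DE89370400440532013000": "Max Mustermann"}

if __name__ == "__main__":
    for iban, name in [
        ("DE89 3704 0044 0532 0130 00", "Max Mustermann"),
        ("DE89 3704 0044 0532 0130 00", "M. Mustermann"),
        ("DE89 3704 0044 0532 0130 00", "Erika Musterfrau"),
        ("DE89 3704 0044 0532 0130 01", "Max Mustermann"),  # one digit changed
    ]:
        print(verify_payee(iban, name, SAMPLE_DIRECTORY))
```

A typo in the IBAN is caught by the checksum before any name comparison runs, so the payer sees “invalid IBAN” rather than a misleading name mismatch.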
With our long-standing expertise in the areas of payment transactions and regulation, we navigate our clients through the complex requirements of the payment market, in particular PSD3 and PSR. Our team of experts supports you in leveraging market developments, developing tailored solutions, and making your business models future-proof. From analysing business processes, identifying and tapping into new revenue sources to selecting and implementing technology solutions – together, we can strengthen your company’s position in the payment market. Please feel free to contact us.
What impact do PSD3 and PSR have on your company?
PSD3 and PSR are part of our new workshop “NextGen Payments: Revolution or evolution by 2030?”. In a customised workshop, we discuss with you how the future drivers of digitalisation, regulation and cyber security will affect your business models and we will work together to develop individual solutions. You can find more information here.
Further regulatory requirements – DORA
Alongside PSD3 and PSR, other regulatory requirements such as DORA are influencing payment transactions. Learn more in this blog article.
The digitalisation of products and processes brings not only opportunities for banks and payment service providers, but also an increasing number of risks. Cyber attacks and IT failures can cause enormous financial and reputational damage. This is where DORA, the Digital Operational Resilience Act, takes action. This EU regulation aims to ensure that financial institutions become more resilient against threats targeting their technical infrastructures and that cyber security is prioritised across the entire organisation.
In this article, we take a closer look at the requirements DORA places for banks and payment service providers and how companies can take action to fulfil these.
What is DORA?
The Digital Operational Resilience Act (DORA) is a key EU regulation that aims to strengthen the digital operational resilience of the financial sector. It intends to ensure that banks and payment service providers are robustly prepared against cyber attacks, IT failures and other digital threats. The regulation sets out general standards for IT security, particularly in the areas of information and communication technology (ICT) risk management, the reporting of ICT incidents and the monitoring of risks by third-party ICT service providers.
Highly efficient and stable ICT structures shall create more security in the financial system and minimise the risks of digital transformation for market participants. This will lead to a significant growth in the analysis and reporting requirements for financial institutions. DORA will place the current high outsourcing rate of banking IT and banks’ strategies for digital transformation in the focus of supervisory authorities.
DORA already came into force on 17 January 2023 and will fully apply from 17 January 2025. Financial institutions must therefore achieve DORA compliance by January 2025.
The schedule of DORA (2023-2025)
On July 8, 2024, BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) published a supervisory statement regarding DORA. It contains extensive implementation guidelines for ICT risk management and ICT third-party risk management, among other topics. The guidelines are not mandatory but provide assistance and explanations for organisations to fulfil the DORA requirements. Beyond that, the supervisory statement compares the existing IT requirements (BAIT/VAIT) with the new DORA requirements. In providing the supervisory statement, BaFin states that the existing IT requirements (BAIT/VAIT) are largely covered and expanded by DORA. With the national implementation of the FinmadiG (Finanzmarktdigitalisierungsgesetz), BaFin plans to suspend the previous IT requirements (BAIT/VAIT/KAIT/ZAIT). Companies that are not covered by DORA still have to take proper action to deal with IT and cyber risks.
What are the main objectives of DORA?
Improving ICT risk management processes and ICT governance
DORA requires financial institutions to develop and implement ICT risk management systems. This includes the identification, assessment and reduction of ICT risks. Through standardised processes and regular reviews, risks should be identified at an early stage to take action immediately. BaFin’s implementation guidelines for DORA emphasise that the responsibility for ICT risk management lies within the management body of financial organisations.
Increasing resilience against cyber threats
Another goal is to strengthen actions to detect, prevent and respond to cyber threats. Banks and payment service providers need to develop plans for dealing with cyber threats and test these regularly. In addition to the retrospective view of ICT-related incidents and the past performance of the ICT risk management scope, new technological developments, including cyberattacks, should also be monitored. Financial institutions should build a fast and effective reaction capability that enables the organisation to maintain business operations continuously.
Ensuring the continuity of critical functions
DORA requires the development of emergency plans and business continuity strategies. Financial institutions must ensure that critical functions can continue in the event of serious ICT incidents. Testing ICT security measures on a regular basis is key.
Strengthening monitoring and reporting of ICT incidents
DORA requires serious ICT incidents to be reported to supervisory authorities and their causes to be analysed. The aim is to create transparency for supervisory authorities so that effective control mechanisms can be implemented. By establishing ICT asset management and categorising the related risks, dependencies on third-party ICT service providers, risks from cyber threats and ICT vulnerabilities should be identified and regularly reviewed.
Supporting due diligence requirements for third-party providers
DORA places a high value on due diligence in the selection and monitoring of third-party providers of critical ICT services. Banks and payment service providers need to take appropriate security actions and ensure that their service providers are regularly reviewed. The DORA implementation guidelines set out enhanced contractual requirements for the use of ICT services, including minimum requirements for all contractual agreements and obligations to review and test. This minimises outsourcing risks and increases security along the entire supply chain.
Management of third party ICT risks
What specific action does DORA require from banks and payment service providers?
The new requirements are forcing banks and payment service providers to rethink and adjust their ICT risk management processes. The following actions should be taken to ensure regulatory compliance:
ICT governance and risk management: adaptation of internal guidelines and processes
Internal guidelines must be reviewed or established to reflect DORA’s new ICT compliance requirements and to ensure continuous risk assessment and management (including documentation of processes for providing documentary evidence to supervisory authorities). Moreover, an ICT risk control function must be established that is responsible for the management and monitoring of ICT risks.
Testing digital operational resilience: implementation of baseline tests and TLPT
Internal guidelines and operational processes must include regular, at least annual baseline testing and TLPT (Threat-led Penetration Tests) to identify and eliminate potential weaknesses. Cooperating with testing service providers can be considered in this context. Beyond that, it is necessary to consider extended scenarios such as climate change, insider attacks and large-scale power outages.
Disruption incidents and reporting obligations: establishing a reporting system
It is necessary to develop an internal reporting system for ICT incidents with defined processes and criteria for classifying and reporting security incidents. Financial companies must ensure that logs are protected against manipulation and loss and that all ICT systems are synchronised with a reliable time reference.
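The two technical requirements in the paragraph above, logs protected against manipulation and loss and a reliable time reference, can be checked mechanically if every incident log entry carries a sequence number, a timestamp and a keyed digest chained to its predecessor. The following is an added example, not code from the original article or from DORA itself: the record layout, the key, the tolerated clock skew and the sample entries are constructed for illustration.

```python
"""Tamper-evident ICT incident log (added example, not from the original article)."""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed key; in practice it would live in an HSM or secrets manager,
# separate from the systems whose logs it protects.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def _mac(prev_digest: str, record: dict) -> str:
    """HMAC-SHA256 over the previous digest and the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_digest.encode() + canonical, hashlib.sha256).hexdigest()


def append_entry(chain: list, timestamp: str, source: str, event: str) -> dict:
    """Append an entry linked to its predecessor; seq and the chained digest
    make deletions, reordering and edits visible on verification."""
    prev = chain[-1]["digest"] if chain else GENESIS
    record = {"seq": len(chain), "ts": timestamp, "source": source, "event": event}
    entry = dict(record, digest=_mac(prev, record))
    chain.append(entry)
    return entry


def verify_chain(chain: list, max_skew_seconds: int = 300) -> tuple:
    """Recompute every digest and check sequence continuity and time ordering.
    Returns (ok, index_of_first_problem, reason)."""
    prev, last_ts = GENESIS, None
    for i, entry in enumerate(chain):
        record = {k: v for k, v in entry.items() if k != "digest"}
        if record.get("seq") != i:
            return False, i, "sequence gap or reordering"
        if not hmac.compare_digest(_mac(prev, record), entry["digest"]):
            return False, i, "digest mismatch (entry or predecessor modified)"
        ts = datetime.fromisoformat(record["ts"])
        # A source whose clock runs behind the reference by more than the
        # tolerated skew produces entries that verify but cannot be ordered.
        if last_ts is not None and (last_ts - ts).total_seconds() > max_skew_seconds:
            return False, i, "timestamp runs backwards beyond tolerated clock skew"
        prev, last_ts = entry["digest"], ts
    return True, None, "chain intact"


def build_sample_log() -> list:
    """Constructed sample entries for a single incident."""
    chain = []
    append_entry(chain, "2025-01-17T08:00:00+00:00", "core-banking", "login failure burst from 3 accounts")
    append_entry(chain, "2025-01-17T08:02:30+00:00", "fraud-engine", "transaction flagged, risk score 0.91")
    append_entry(chain, "2025-01-17T08:03:05+00:00", "soc", "incident INC-PLACEHOLDER opened, classified major")
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))
    edited = [dict(e) for e in log]
    edited[1]["event"] = "nothing to see"  # after-the-fact edit of one entry
    print(verify_chain(edited))
    print(verify_chain([log[0], log[2]]))  # one entry deleted
```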
Management of third-party risk: ICT outsourcing management and monitoring critical ICT service providers
Outsourcing guidelines, contracts and internal processes for analysing the risks of third-party providers must be reviewed and updated, including regular due diligence methods, maintaining an information register and adapting tendering processes based on extended evaluation criteria. This includes minimum requirements for all contractual agreements as well as review, testing and cancellation rights.
In the course of 2024, there will be more specific legal acts in the form of technical standards (RTS and ITS) for most of the regulatory areas.
The impact of DORA at a glance
DORA is a challenging task for financial institutions, but it is also an opportunity to strengthen ICT security and resilience. Although the implementation of DORA requires significant effort and investment, it contributes to the long-term stability and security of the European financial sector.
How do we successfully support banks and payment service providers?
With our extensive consulting experience in the payment and banking sector, we are looking forward to supporting you in implementing the DORA requirements. In addition to dealing with the requirements of DORA in your company, we can contribute our knowledge and experience from various sourcing strategy and implementation projects. The requirements for outsourcing ICT services to third parties in particular are increasing significantly. New requirements include conducting a risk assessment before a contractual agreement is concluded with a third party. In contrast to MaRisk, DORA no longer differentiates between outsourcing and other external procurement of ICT services.
This means that other external procurement of ICT services will also be covered by DORA in future, with corresponding due diligence obligations for banks and financial service providers. Sourcing strategies and existing outsourcing of ICT services should therefore be reviewed in order to take the requirements of DORA into consideration at an early stage and, if necessary, implement adjustments, for example in service provider management.
Are you looking for a way to develop secure and innovative processes, strengthen your digital resilience and get your company ready for the future? Please feel free to contact us.
What impact does DORA regulation have on your company?
DORA is part of our new workshop “NextGen Payments: Revolution or evolution by 2030?” In a customised workshop, we discuss with you how the future drivers of digitalisation, regulation and cyber security will affect your business models and we will work together to develop individual solutions. You can find more information here.
Further regulatory requirements – PSD3 and PSR
Alongside DORA, other regulatory requirements such as PSD3 and PSR are influencing payment transactions. Learn more in this blog article.