Interview of Mrs. Nina Stoyanova, BNB Deputy Governor in charge of Banking Department, for the Banker newspaper, pp. 4-5, 14 January 2022
Mrs. Stoyanova, the pandemic has triggered a boom in the use of digital channels and payment technologies. How do you assess these trends, will the digital transformation continue with the same momentum and what challenges arise from it?
The Covid-19 pandemic did serve as a catalyst for existing processes of change in consumer behaviour. The migration from cash to electronic payments, which had already started before, accelerated. According to an October 2021 report by the international consulting company McKinsey, cash payments worldwide declined by 16% in 2020.
The development in the use of payment services in Bulgaria is also dynamic. For example, the number of card payments initiated through virtual POS terminals has doubled in the last five years. For the first six months of 2021, in the country was registered an increase of more than 22% in the total number of cashless payments compared to the same period in 2020. Over the same period, electronically initiated credit transfers increased by almost 28%. All this signals a clear and sustained change in payment habits in our country.
The current policies of European and national regulators support digital transformation to achieve more accessible and secure payment solutions. Payment services in our country have been developing dynamically, following the trends in Europe. Among the significant technological innovations, it can be distinguished the development of mobile banking, digital wallets and digitised payment cards, the use of portable smart devices to initiate contactless payments, such as smart watches, etc. The increased use of digital payment channels also poses new challenges. Ensuring the security of payments and customer data is a constant focus for regulators and market participants, with measures being implemented in line with technological developments.
Could you highlight the most important regulatory requirements of recent years that payment service providers have to comply with?
The application of the strong customer authentication requirements is one of the fundamental changes introduced on the basis of the Second Payment Services Directive. This aspect was developed in detail through the regulatory technical standards for strong customer authentication, which entered into force in 2019. Their requirements started to apply immediately to credit transfers made via internet and mobile banking platforms. However, for online card payments, due to the significant technical changes required with respect to both payment service providers and merchants, an additional transition period was granted, harmonised at European level, until 31 December 2020. Thus, in 2021, payment service providers completed the migration of their systems and products and already apply all the requirements for strong customer authentication.
Recently, efforts have also been invested in improving the legal framework in view of the emergence of new technologies and business models in the payments market and the risks involved. In September 2020, the European Commission published a foundational document called EU Digital Finance Strategy, part of which is a proposal for a Regulation on digital operational resilience for the financial sector. This regulation complements and harmonises existing requirements in the area of payment security. It aims to strengthen cyber security and the operational resilience of the financial sector as a whole, including payment service providers. Among the important requirements to be introduced are those regarding the management of IT risks and risks stemming from IT technology and service providers. Work at European level to refine the regulation is ongoing and it is expected to be finalised this year.
What can we expect in 2022 on the regulatory front and also in terms of innovation in payment services?
The review of the Second Payment Services Directive is due to start in the second half of 2022. An analysis of the results of its implementation in a number of directions is expected. Firstly, an impact assessment will be carried out on strong customer authentication and updating, where necessary, of the technical solutions applied. The focus will be on strengthening payer protection and preventing new types of fraud, especially in the context of instant payments and threats such as phishing and social engineering. It is expected a review and revision of services falling outside the scope of the Directive, etc.
The reporting framework for payment statistics under Regulation (EU) No 1409/2013 of the European Central Bank is also being developed further and supplemented. In line with the adopted amendments to the regulation, from 2022 reporting will cover a broader and more versatile set of indicators, published at a higher frequency – quarterly and semi-annually. This will allow the public to receive more timely and detailed information on the development of payments in Bulgaria and the EU.
In the current year, a significant change in the technology and speed of execution of low value payments up to BGN 100,000 is forthcoming. In the final phase of implementation are the projects of BORICA AD, as the operator of the BISERA6 payment system for customer payments, for the execution of instant credit transfers and credit transfers in line with the applicable SEPA standards. Banking community and the BNB, as regulator and operator of the RINGS large value payments system, are actively involved in these projects. One of the projects is for the implementation of instant payments in BGN, with execution of transactions within 10 seconds. It should be noted here that the BGN instant payments platform has already been launched in a live environment, with two banks currently participating, and the number of participating banks is expected to increase in 2022. The other project is for the introduction of credit transfers in BGN based on the SEPA standard (the so-called ‘batch’ credit transfers). The execution of such transfers in real terms is envisaged to start by the end of January this year, with all banks in Bulgaria participating in the project. The time from the initiation of the transfer to the receipt of the funds in the beneficiary account is expected to be within one hour.
In your statements, you often highlight ‘open banking’ with the corresponding benefits it brings. However, in terms of customer data security, how does the BNB monitor the implementation of the Second Payment Services Directive and have you encountered any malpractices in the exchange of data between banks and the so-called third parties?
Indeed, the so-called ‘open banking’ is a much-discussed topic lately, given its great importance for the development of the payments market in Europe and in our country. The term ‘open banking’ in the European context covers the two new payment services – payment initiation service and account information service. At the heart of these new processes is a consistently pursued policy aimed at fair competition, equal treatment of payment service providers and application of high customer data security standards.
The providers of the new services are innovative high-tech companies. In parallel, however, they are regulated institutions and have to go through a licensing or registration procedure, depending on the type of services offered. They should be proven to meet a number of conditions, in accordance with the legal framework, including having the qualifications, reliability and suitability of the persons managing and representing the respective company, implementation of effective security rules and mechanisms against identified risks, fraud or illegal use of sensitive and personal data, etc.
The technical basis for the development of these new processes was laid with the adoption of Commission Delegated Regulation (EU) 2018/389, which introduced the regulatory technical standards for strong customer authentication and common and secure open standards of communication. In order to meet the regulatory requirements regarding open banking, banks in Bulgaria, like most banks in Europe, have predominantly opted for the development of dedicated interfaces known as Application Programming Interfaces (API). These special interfaces ensure the providers of the new services have access to banking systems, providing a high degree of security, speed and the ability to handle a significant number of simultaneous requests. However, there are quite a few challenges with respect to their development and implementation, given the complexity of the processes. Insofar as the legal regulation in Commission Delegated Regulation (EU) 2018/389 is more general, its practical application raises a host of questions that require further interpretation at European level.
It should be noted that in some European countries, such as Sweden, the Netherlands, Germany, the United Kingdom, etc., the practical provision of payment initiation and account information services had already developed before the adoption of the Second Payment Services Directive. In other EU countries, however, the processes have been developing more as a consequence of the European legal framework. In accordance with that framework, the BNB issued the first licences for the provision of the new services in the second half of 2019. Again in 2019, the first exemptions were granted to account servicing payment service providers from the obligation to implement fallback mechanism in addition to the developed application programming interfaces. This process continued and ended in 2020, when a consultation procedure between the national competent authorities and the European Banking Authority (EBA) was already required for each specific exemption.
For the purpose of ensuring consistent supervisory practices and addressing emerging technological issues, in June 2020 the EBA published its Opinion on obstacles under Article 32(3) of the regulatory technical standards on strong customer authentication and common and secure communication (EBA/OP/2020/10). The EBA has also published clarifications on a number of questions related to the application of the uniform supervisory framework in the field of open banking. The regulatory discussions led by the EBA, in which the BNB is an active participant, have a catalytic role in interpreting and treating emerging obstacles and issues in a consistent manner at European level.
This process continued during the past 2021 so as to ensure the use of a unified approach in responding the questions raised by the Member States and market participants. In its Opinion on supervisory actions to ensure the removal of obstacles to account access (EBA/OP/2021/02) of February 2021, the EBA specified that, although many account servicing payment service providers had removed some of the obstacles to account access, other obstacles remained. The European Banking Authority expects national competent authorities to take the necessary actions to ensure that the identified obstacles are removed within reasonable time. Such actions were also taken by the BNB which, in order to ensure the removal of the obstacles for open banking in Bulgaria, had active communication on specific issues both with the account servicing payment service providers and the providers of the new types of payment services throughout the year.
The consolidation and further standardisation of the legal framework for dedicated interfaces is included in the work on the forthcoming review of the Second Payment Services Directive.
In 2021, there was a lot of discussion on the regulation of the crypto-assets activities. When could we expect Bulgaria to adopt specific legislation in this area, and has the BNB any obligation currently, and a mechanism, to detect suspicious activities related to cryptocurrencies?
The topic of cryptocurrencies is indeed a very relevant one, considering their proliferation and the increasing public interest in them. The European regulators consider this type of instruments within the broader term ‘crypto-assets’, and a number of warnings have been issued and published, describing the risks of this type of investments.
Currently cryptocurrencies are subject to regulation in Europe primarily with regard to the prevention of money laundering and terrorist financing. From 2019 onward, in line with the European requirements, the entities in our country which provide services of converting crypto into traditional currencies, and of keeping and transferring cryptocurrencies, are required to apply the legal anti-money laundering and counter financing of terrorism (AML/CFT) measures. Such service providers operating in Bulgaria are subject to registration by the National Revenue Agency (NRA). Leading role in the activities for the application of the AML/CFT measures is assigned to the State Agency for National Security.
In 2022 two new EU regulations regarding crypto-assets are going to be finalised. One of them will complement Regulation (EU) 2015/847 on information accompanying transfers of funds, with the obligation to collect such information also on certain crypto-assets. This is expected to limit the anonymity in the cryptocurrency transactions. The other EU regulation, called ‘Markets in Crypto-Assets Regulation’ (MiCA), will be more extensive and aims to regulate comprehensively the issuance and offering of crypto-assets as well as the related activities and services. This regulation stipulates authorisation and control of both crypto-asset issuers and crypto-asset service providers, such as crypto-asset trading platform operators. It is not clear yet which institution will be the competent authority in Bulgaria for this new regulation, but it is expected the institution to be granted serious legal powers with regard to the crypto-assets issued and offered in our country.
