Consumers are increasingly accustomed to instant payments through various mobile offerings. At the same time, there is a similar “instant” expectation for non-mobile payments that’s causing both consumers and legislators to put pressure on organizations to modernize the payments ecosystem. One of the biggest challenges these organizations face is evolving regulations related to payments. For example, the EU Council and Parliament have given the green light to new rules for instant payments and the EU AI Act in addition to the DORA mandate.
Modernizing, remaining competitive and demonstrating compliance with regulations requires organizations to work with a technology partner they can trust, one who can help bring together their traditional payment practices and innovative solutions. A cloud-based infrastructure that uses IBM Cloud® for Financial Services can be the answer to ensure the security, privacy and flexibility needed to keep up with these changes in the industry. Let’s explore the new regulations to see how IBM can help with payments modernization while prioritizing resiliency, regulatory mandates and performance for mission-critical payments workloads.
What are the key regulations driving the change and what are their implications?
1. EU Parliament’s approval of the EU AI Act (March 2024)
The EU AI Act aims to harmonize rules on AI systems across 27 member states to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field. The law will apply to any companies doing business in the EU and allows for penalties of up to 7% of global turnover or EUR 35 million, whichever is higher, for those that don't keep their use of AI under control.
The EU AI Act provides a framework for ensuring transparency, accountability and human oversight in developing and deploying AI technologies. Privacy and data security are the primary concerns regarding AI in instant payments transactions. Customers are concerned about how AI systems might utilize or handle their personal and financial information improperly.
2. EU Council’s regulatory mandate on SEPA instant payments (February 2024)
The Single Euro Payments Area (SEPA) aims to harmonize the way cashless euro payments are made across Europe. It allows European consumers, businesses and public administrations to make and receive payment (credit and debit) transactions under the same basic conditions.
How is “instant” defined in the mandate?
- All participants will be able to process SEPA Instant Credit Transfer (SCT Inst) payments 24x7x365, which enforces infrastructure resiliency.
- The SEPA payment will be in your account within 10 seconds, which enforces automation and performance.
- The mandate requires robust implementation of security and data privacy through fraud detection and fraud prevention. For example: Confirmation of payee (an overlaying informative flow before authorizing and instructing an outgoing SCT Inst) and implementation of AML and CTF sanctions when processing SCT Inst.
Which countries can participate?
What’s the timeline? It can be expected that banks will need to act quickly to comply with the new regulations.
December 2024: Banks of EU and Eurozone countries are required to support receiving SEPA instant payments. Banks, payment institutions (PIs) and electronic money institutions (EMIs) can screen entities and individuals only once a day.
December 2025: Banks of EU and Eurozone countries are required to support sending SEPA instant payments. Banks of EU and Eurozone countries are required to support international bank account number (IBAN) name verification on instant payments.
December 2026: Banks of EU non-Eurozone countries are required to support receiving instant payments.
March 2027: PIs and EMIs of EU and Eurozone countries are required to support sending/receiving instant payments.
June 2027: Banks of EU non-Eurozone countries are required to support sending SEPA instant payments.
3. EU Commission’s adoption of Digital Operational Resilience Act (DORA), 2022
The European Commission adopted DORA with the aim of harmonizing information and communications technology (ICT) regulations in the financial services sector in the European Union (EU), imposing common requirements in all EU member states in the following areas:
- ICT risk management and governance
- Incident reporting and management
- Operational resilience testing
- Management of ICT third-party risk
What’s the timeline? DORA comes into effect in January 2025, covering EU Financial Institutions and associated ICT service providers.
The road ahead: challenges and opportunities
Adding a new payment rail takes at least 9 months. There are also additional requirements: fees for these new instant payments must stay in line with those for non-instant transfers, and capabilities must be in place to verify clients against sanctions lists on at least a daily basis and to match the IBAN and the name of the beneficiary.
With varying timelines for PSPs based in euro and non-euro countries, the transition presents a complex landscape of regulatory, technical and operational challenges.
How can IBM help?
For organizations that have not yet taken action to adopt instant payments, the timelines for doing so are likely to be challenging. The IBM Cloud-based payments-as-a-service can help clients as it is optimized for regulated industries, addressing the complex and evolving needs of the payments industry.
- Responsible AI: IBM watsonx® products can help organizations demonstrate their compliance with the EU AI Act and upcoming legislation worldwide to unlock the incredible potential of responsible AI.
- Embrace and implement regulatory changes: The first cloud optimized for the unique needs of regulated industries with the laws, DORA principles, and regulations built in from the outset—informed by the industries themselves.
- Scalable 24x7x365 service with built in resiliency: Instant payments require a modern infrastructure built specifically for the purpose of settling payments in real time. Our steadfast focus on resiliency means you can deploy with confidence.
- Performance: Our platform-centric approach is open, secure and flexible, starting where you are. Easily automate payments and manage cash across the SEPA zone by using your existing banks.
- Total cost of ownership: Hybrid cloud offers the power of choice and performance with workloads anywhere to maximize performance from x86, Power—to Cloud—to Quantum.
- Collaboration and innovation through ecosystem: Deploy preconfigured, customized security and compliance controls across your enterprise and third-party ecosystems.
The upcoming EU instant payments regulation requires financial institutions to ensure their payment systems’ high availability and performance are adequate to process payments in real time, 24x7x365. While pricing mandate concerns are valid, the total relationship value must be considered, and instant payments are a key factor in attracting and retaining highly valued business clients.
Selecting a trusted, technical partner that offers a cloud-native end-to-end payments solution can help to quickly advance modernization initiatives for both current and future demands.
------------------------------
Kamini Belday
Principal - Payments
------------------------------