In addition to the financial industry itself, in today's European Union regulators and other policy makers provide the key impetus to digitalisation and innovation. The Payment Service Directive (PSD2) is an example of such initiative and stimulus that resulted in regulation, said Ivan Biluš, the Executive Director of the Payment Operations Area of the Croatian National Bank at the F2 – Future of Fintech Conference held in Zagreb on 13 November 2018, organised by the Bug magazine.
The European Central Bank (ECB) has also decided to develop and manage the retail payment service infrastructure. Its TARGET instant payment settlement (TIPS) service is expected to become operational at the end of November, stressed Ivan Biluš. He explained that the TIPS system, or the instant payment system, will enable users to effect account-to-account euro payments quickly and easily anywhere in the EU. Transactions will be executed within seconds, at very low infrastructure costs (0.2 euro cents per transaction). The CNB will support the TIPS system so banks in Croatia will be able to join the TIPS starting from December and provide the service of instant payments in euros to their clients. Biluš added that the Croatian banking community, aided by the CNB, also launched the project of developing instant payments in kuna, which should become available to banks in Croatia and their clients by the end of 2019.
In answering the question whether the web tech giants were driving technological development and transformation, Biluš said that companies such as Google, Apple, Facebook and Amazon had strongly penetrated the payment services market. Their advantage lies in the fact that they have already accessed various aspects of the everyday habits of billions of their users so they see payments only as added value offered to their users. The said web tech giants can afford to subsidise this functionality from income generated by their core business and provide it free of charge or very cheaply to their users. In addition, due to their size, these companies have exceptionally strong negotiating positions and thus 'make' banks, card schemes and regulators change their strategies and regulations. Banks, on the other hand, traditionally see payment services as core business, expecting returns on their investments and adequate earnings.
Biluš concluded that the race between banks and Fintech was not entirely fair given that banks are well-established in this business with firmly held positions. However, he said we can soon expect certain changes. As the most realistic scenario he sees a future intensive partnership between Fintech and banks, with banks being the carriers of payment services to users, while technological solutions will be developed jointly.
The panel discussion on the topic of Fintech in the EU, its perspectives, regulation and the transformation of the financial industry included, in addition to Ivan Biluš, Filip Šaravanja (Croatian Financial Services Supervisory Agency, Hanfa), Miroslav Klepač (Croatia osiguranje), Vlaho Hrdalo (UBIK, Udruga za blockchain i kriptovalute, an association for blockchain and cryptocurrencies) and Damir Bićanić (Funderbeam), and was moderated by Milan Deskar Škrbić (Erste&Steiermarkische bank). The participants discussed innovations under preparation, regulatory requirements pertaining to payment services and the insurance market, problems arising from the GDPR and the challenges faced by the crypto community. As confirmation that users increasingly more often opt for online services Miroslav Klepač said that the number of online claims for compensation increased by 50 per cent. Damir Bićanić felt that in the future banks will become merely platforms and will not be actually visited by their users, while Vlaho Hrdalo stressed the necessity to set up an adequate regulatory framework for the activities of the crypto community.
Client authentication – secure and open communication standards
As part of the panel Challengers and defenders: the technologies used to challenge the financial market and how do old players defend their positions, Bernad Karačić, Advisor at the Information System Security and Protection Division of the Croatian National Bank explained the reasons for the delay in the adoption of regulatory technical standards for reliable client authentication and common secure and open communication standards (RTS) adopted pursuant to the PSD2, which regulates payment services. Karačić briefly explained that RTS deals with reliable authentication, exceptions to reliable authentication, security of authenticated data and requirements pertaining to secure and open communication standards. Although PSD2 came into force at the beginning of January 2018, meeting the requirements set by the RTS was postponed until September 2019. The RTS was adopted by the European Banking Authority (EBA). It is based on principles, which means that it defines the criteria to be met by the solutions offered, while the specifications and communication standards themselves need to be defined by the industry alone.
Each new technology brings benefits to consumers. However, care should be taken of its risks, warned Karačić, stressing that the CNB awards special attention to the assessment of these risks. In case it is deemed there was a possible breach of security, the CNB imposes certain measures. As an example for regulator activity, he mentioned the screen-scraping technology which is used by third parties to pose as users. This is an unwanted technology due to possible abuse, which resulted in the launching of initiatives to reduce is use.
Speaking of security, Karačić stressed that the CNB noticed a need to supervise banks' information technology systems and monitor technological innovations affecting the manner in which the banking system functions. As a result, more than 10 years ago, the CNB adopted the Guidelines for information system management aiming to reduce operational risk and the Decision on adequate information system management, which, among other things require two-factor authentication, confirmation of bank web sites through appropriate certificates, having in place the function of the head of security, defining the security management framework (security policy), control of access rights, keeping of adequate records, etc.
In addition to Bernad Karačić, the panel included Dean Muhoberac (Combis), Ivan Glavaš (blockchain entrepreneur), Zdeslav Šantić (Splitska banka), Bojan Ždrnja (security guru) and Danijel Baruškin (HPB). Bojan Ždrnja stressed that everybody needs to be aware of the risks when it comes to data security and that there is no technology guaranteeing 100 per cent security. Banks will have to change, said Zdeslav Šantić, adding that he thinks that in the future they will become a mix of what are now banks, consulting and Fintech companies.