Levelling the Playing Field for Access Harnessing the Power of Now 2 Levelling the Playing Field for Access: Harnessing the Power of Now Contents

Levelling the playing field for access Harnessing the Power of Now 2 Levelling the playing field for access: Harnessing the Power of Now Contents

Foreword – Craig Tillotson, Chief Executive 4 Introduction 5 Why access matters The new access model Progress to date Timeline: key milestones for the access programme 6 The Power of Now: how we levelled the playing field for access to Faster Payments 8 Creating new aggregator and accreditation models 9 Creating a new assurance model 10 Creating a new Public Key Infrastructure (PKI) solution 11 Creating new contractual and settlement models 13 Simplifying access to bank codes and sort codes 14 Participants and Accredited Vendors 15

Levelling the playing field for access: Harnessing the Power of Now 3 Foreword

It is nine years since Faster Payments was launched as the UK’s 24/7 real-time payments service. £5 trillion and over 7 billion payments later, what we do has become of critical importance to the UK economy. The service provided by Faster Payments underpins most internet and telephone banking payments, together with standing orders, and has grown rapidly alongside the development and adoption of mobile banking, and most recently, mobile payments by the UK’s consumers.

Through the years, we have always believed that the world-leading service we offer should be available to as many customers as possible. To ensure that Faster Payments services are available on an equal basis to all end users that need or want them, we are constantly working to understand the access challenges faced by current and emerging Payment Service Providers (PSPs) of all shapes and sizes. Access to payment systems has been a hot topic for a number of years, and we are proud of our efforts at the leading edge of this important area. This report sets out what we did, how we did it, and the results we’ve seen. In December 2014, we published a white paper, ‘Faster Payments: A Vision for a New Access Model – Opportunities for Payment Service Providers and Solution Vendors’. This set out our vision for a Faster Payments service that is available, on an equitable basis, to all end users that need or want it. Supported in our goal by the Payment Systems Regulator (PSR), we have successfully achieved the objective of lowering barriers to real-time payments for a range of challenger banks and increasingly non-bank PSPs. Six new banks have already joined our original ten participants using our New Access Model, with more scheduled in the coming months and years. This includes non-bank PSPs using our new sponsorship model, and, in due course, will include institutions using the Bank of England’s non-bank PSP settlement account access option. Although Faster Payments took the lead, none of this would have been delivered without excellent collaboration across the industry; new Participants, existing Participants, FinTech vendors, the Bank of England, FCA, PSR and other PSOs all played a part in contributing to the success. Independent research commissioned by Faster Payments predicts the size of the UK real-time payments market is likely to almost treble in the next five years. We live in a digital smartphone age where consumers and – increasingly – businesses expect everything to be instant, 24 hours a day, seven days a week. It will become more and more important for payment providers to be able to process payments instantly, safely and securely. Our work on access, as you will read more about in the following pages, lays the foundation for the continued growth of our world-leading system. Craig Tillotson Chief Executive, Faster Payments Scheme Limited

4 Levelling the playing field for access: Harnessing the Power of Now Introduction

“Some challengers have been caught in a ‘Catch 22’ situation when faced with the decision on how best to offer Faster Payments to their customers. The New Access Model has stimulated a new market by substantially reducing barriers to entry for FinTechs and making 24/7 access to immediate payments economically attractive at lower volumes.” The Economics of the New Access Model, May 2015

Why access matters The New Access Model: Progress on access Since being introduced in 2008, Faster Payments’ solution Six new banks have already joined Faster Payments has grown rapidly To ensure the world-class Faster using the New Access Model, with every year. Consumers, businesses Payments service is available on a more scheduled in the coming and government have come to rely level playing field, we worked to months and years. on the convenience of real-time understand the access challenges In February 2017, Faster Payments 24/7 payments. of existing and emerging Payment and Raphaels Bank were recognised Although 99.9% of sort codes can Service Providers of all shapes and for the Industry Achievement of receive a Faster Payment, more than sizes, whether banks or otherwise. the Year at the Card & Payments 400 banks and payment providers We created an entirely new way Awards, for the ground breaking still connect indirectly – meaning to access Faster Payments through achievement of onboarding the many customers don’t have the aggregator model, which first new joiner using the New certainty about how quickly their enables technology vendors to Access Model. payment will be received. offer PSPs technical access through Many other countries are looking The importance of offering a managed gateway solution. to replicate what has been achieved real-time payments will only We developed a new technical here as they look to modernise increase: independent research accreditation model to give their own payment systems. SEPA predicts the size of the UK real- challengers confidence when INST has been created for Euro time payments market is likely to choosing a gateway supplier. payments, Singapore has recently almost treble in the next five years, implemented similar systems, and with annualised growth of 20% We have launched UTSP, a PKI the USA and Australia will launch forecast, leading to 3.3 billion (public key infrastructure) trust comparable real-time payments Faster Payments being sent in service to lower barriers to entry. schemes by the end of 2017. 2020 alone. We redeveloped our Risk Assurance process so that there is more focus upon the elements that really matter. We have introduced a means of sort code allocation, where a PSP does not wish to use the services of a Bacs member.

Levelling the playing field for access: Harnessing the Power of Now 5 Timeline

Accreditation ‘trust mark’ launched FIS and PayPort become REPORT: Creating a first FinTechs to pass competitive market in access technical accreditation REPORT: A vision for a services for real-time, 24/7 Pre-funding settlement tests proving ability to New Access Model payments model introduced send and receive Faster Faster Payments publishes External independent analysis ‘Pre-funding’ guarantees Payments (ACI, Bottomline whitepaper describing shows New Access Model settlement without any Technologies and revolutionary ‘New Access could lower five-year costs shared risk, removing a CompassPlus follow suit Model’. for challengers. barrier for smaller players. during 2016).

Dec 2014 May 2015 Oct 2015 Feb 2016

Apr 2015 Sep 2015 Dec 2015

Payment Systems Regulator Industry code of conduct PSR publishes report on Direct (PSR) created. for indirect access Access to payment systems published “Faster Payments seems to be the scheme most actively working to solve the access issues.” PSR panel member

6 Levelling the playing field for access: Harnessing the Power of Now Raphaels Bank becomes first new participant in Faster Payments to support TransferWise as their first Starling Bank joins onboarded customer Faster Payments TSB joins Faster Payments

Aug 2016 Jan 2017 Apr 2017

Jul 2016 Dec 2016 Feb 2017 May 2017

PSR publishes indirect access Metro Bank joins Faster Faster Payments launches Market Review Payments PKI service Report notes ‘positive progress’ Access Programme wins Competitive Public Key of four PSPs planning to Card & Payment Awards Infrastructure trust service directly participate in Faster ‘industry achievement of launched to help joiners keep Payments, and five gaining the year’ customer details secure. accreditation to provide direct Monzo Bank and ClearBank technical access via the new join Faster Payments. aggregator model.

Levelling the playing field for access: Harnessing the Power of Now 7 The Power of Now: how we levelled the playing field for access to Faster Payments

In 2014, we set out to provide a cost-effective way of accessing Faster Payments on a 24/7 basis for Payment Service Providers (PSPs). PSPs had previously relied on either connecting directly – which can prove costly for smaller businesses and start-ups, or connecting indirectly – which rely on connecting and processing via another Faster Payments Participant, which creates potential latency which means 24/7 payments cannot be guaranteed.

Speaking at the time, Nick Caplan, the Independent Chairman of Faster Payments, summed up the challenge by saying: “We live in a world where ‘some time today’ is no longer accepted, as proven by the continued rapid growth in Faster Payments. “Our aim is for our world class service to be available to as many end users as possible from any of the financial organisations they choose to use. We believe our New Access Model will benefit both Payment Service Providers and technology suppliers by extending participation opportunities.” This report sets out the steps taken by the Faster Payments Scheme to address this challenge alongside our service users and regulators. The report describes both ‘what we set out to do’ to create a new access model and how we achieved our objectives across a range of activities, including accreditation, assurance, security and settlement. Our work on the access programme culminated in Faster Payments being jointly awarded the ‘Industry Achievement of the Year’ at the 2017 Card & Payment awards. We believe equal access to Faster Payments is now embedded in our ‘business as usual’ operation - our next challenge is to continue operating and developing our service in the interest of all our service users.

8 Levelling the playing field for access: Harnessing the Power of Now Creating new aggregator and accreditation models

What we set out to do The aggregator model set out to encourage FinTechs to directly connect to the central infrastructure and then work as a gateway aggregator for PSPs. Faster Payments aimed to catalyse a market to enable multiple aggregators to compete to offer both commercially viable and world class services to PSPs. We foresaw a number of different aggregator models, to meet the differing needs and aspirations of PSPs, in order to provide a variety of access options; working as a banking platform provider; as a single tenant solution provided by a vendor; as a multi-tenanted solution for Faster Payments which supports multiple PSPs and as a multi-tenanted solution which supports all payment types for multiple PSPs. The idea behind FPSL’s new aggregator model was to provide an option, whereby a PSP can connect to a technical aggregator that combines demand from multiple PSPs, creating economies of scale. PSPs get a guaranteed real-time payments service, 24/7, but at a lower cost per transaction than the PSP can achieve by connecting directly to the FPS central infrastructure itself.

How we achieved it The aggregator model can be seen in the diagram below (labelled as 1). This model has proved effective in offering alternative routes of access for PSPs. Compared to the indirect ‘sponsor’ model, PSPs no longer have a dependency upon the technical performance of a sponsoring bank. In terms of the accreditation model, by the end of 2015, there were three vendors poised to launch the New Access Model, matching the target set by FPSL of having several vendors set to launch by the end of this time period. The technical accreditation service was launched in February 2016. Currently there are six FinTech vendors accredited to the FPS scheme. The accreditation service has been a success, enabling PSPs to have confidence in the solution provider and greatly assisting in their supplier selection process.

1 Connected via new gateway aggregator model

Direct Participant Direct Participant Direct Participant

2 Connected via Faster Payments Faster Payments own ‘in-house’ gateway Gateway Aggregator Gateway Aggregator Direct Participant

Faster Payments Scheme Central Infrastructure Direct Participant

3 Direct Participant Direct Participant Direct Participant

Indirect Indirect Indirect Indirect Participant Participant Participant Participant

The sponsored indirect model

Levelling the playing field for access: Harnessing the Power of Now 9 Creating a new risk assurance model

It had been highlighted to FPSL that the assurance requirements, designed to support payment integrity and financial stability, were perceived as a barrier to entry for many PSPs. What we set out to do Previously, the assurance model required prospective PSPs to fill in two questionnaires: one on general assurance and the other focussed on security to all direct participants. These questionnaires required long, essay-style answers to over 100 questions. Some smaller PSPs found this process caused a significant strain on resources. FPSL therefore outlined a new model that was intended to be more PSP friendly, whilst retaining the key assurance needs for FPSL, by focussing on those areas of most importance. FPSL asserted that assurance should be provided only once; i.e. by each aggregator; so there would be no need for each PSP using an already assured aggregator to repeat the elements of assurance that FPSL was already in possession of. Furthermore, the assurance model would be more of a risk-based model rather than a ‘one size fits all’ process. This means that requirements for Participants must be proportionate to their size, and payments volume, and thus the systemic risk they bring to the service. The intent of the process therefore is to meet with PSPs’ desire for easier, less time consuming access. FPSL outlined a proposed process that would be simple and efficient whilst at the same time ensuring there is no dilution of the overall assurance (in order to guarantee the safety of all our service users).

How we achieved it The new assurance model is risk-based in both scope and depth. The process will only look for assurances in the areas that are seen as either being of particular systemic risk to an individual participant and where the risk is not clearly or transparently being managed and assured elsewhere. Furthermore, there is no longer a need for Participants to provide ‘chapter and verse’ descriptive responses. Instead, they will be requested to point to the relevant risk mitigation and supportive evidence. The risks that will be concentrated on are the ones that are specific to the service (i.e. risks that could impact on the delivery of service from other participants). The approach is scaled to reflect the systemic importance of PSPs of different sizes. Therefore the time taken to complete the assurance will no longer be disproportionate between large and small PSPs as the process is tailored towards their size. The model that FSPL have developed for this new Access model is called the ‘Three Layered Assurance Model’ and can be seen below.

Scheme Requirement, Participant maintains a 24/7/365 Claim or system that meets Scheme SLAs Expectation

Participant able to cut over to Participant has robust Incident Participant has dual sites that are PSP Supporting disaster recovery site within Management capability physically & logically separate Argument scheme SLA

PSP evidence Evidence of effective incident Evidence of regular Documented Risk Assessment management processes in place contingency site testing of Production and Contingency Evidence of appropriate Data Centres staff training

10 Levelling the playing field for access: Harnessing the Power of Now Creating a new Public Key Infrastructure (PKI) Trust Service

In order to be able to securely access customer sensitive data available via the Faster Payments User Interface participants need to have the use of a Public Key Infrastructure (PKI) based Trust Service.

A Trust Service has to be built to industry standards and approved so that it can be trusted by all Scheme Participants. PKI credentials are issued by the Trust Service and stored on a PKI Smart Card or in a Hardware Security Module (HSM).

What we set out to do Potential Participants we talked to told us that existing market providers did not meet their needs and were effectively a further barrier to entry. We therefore added the introduction of a PKI Trust Service to the project scope. The introduction of a PKI Trust Service was added to the scope of the access programme. FPSL planned to meet the requirement by setting up a shared Trust Service (a complete service that provided a: certification authority; registration authority, validation authority; provision of tokens and associated software).

PKI credentials permit participants to: access the Faster Payments User Interface; automate download of Scheme reports containing sensitive customer data; access the Payments Services website in order to maintain participant contacts and grant them specific privileges; sign Faster Payments’ Direct Corporate Access (DCA) and FIM files (if required); manage DCA and FIM users (if required); manage directly connected agencies (if required). The Faster Payments Trust Service is designed to be a cost-effective provision of PKI credentials. Since Bacs and Faster Payments use the same security model, the Trust Service also supports participants joining Bacs. The Trust Service is flexible and could allow for certificates to be used for other purposes (within the constraints of the agreed policies) if a Participant requires.

Levelling the playing field for access: Harnessing the Power of Now 11 How we achieved it FPSL issued a Request For Information (RFI) and received ten responses. This was followed by an Invitation To Tender (ITT) and several responses were received. FPSL selected a prime bidder and asked them to carry out a ‘proof of concept’. This was completed in April 2016. A wholly owned subsidiary of FPSL, called UTSP Limited (Universal Trust Service for Payments) was then set up in order to procure, manage, implement and deliver the service. Contracts were developed and signed with Trustis Limited who in turn put a contract in place with Gemalto as PKI Smart Card supplier. Trustis delivered a test version of the Trust Service which has been in use with half a dozen banks for over six months. A standard contract has been developed for Participants. The live service was made available on the 3rd May 2017. As of the end of July 2017 five Participants are live on the service, three of whom have also joined Bacs and are using the Trust Service for their Bacs PKI credentials. Another three are expected to join the Trust Service in the second half of 2017 with further joiners expected in 2018. As the service has developed, certificates to support submissions by Participants for the Current Account Switch Service, Cash ISA Transfer and Paym database updates have been provided.

PKI Service Overview

Participant function Bacs & FP Schemes UTSP functions

Local Registration Authority UTSP Registration Authority Certification (Enrolment Officers) (Participant setup) Authority

Trust Services Provision Bacs Payment User setup & privileges Services Website RA support Interface (contains Reference data) Other Token Validation Certificates Enrolment Authority Enquiries, Reconciliation, (OCSP responder) Investigations, Reports Faster Payments & MI etc User Interface Token and signing software provision Enrolment software provision Automated Report Download HSM

12 Levelling the playing field for access: Harnessing the Power of Now Creating new contractual and settlement models

Non-Bank PSPs are currently unable to hold a settlement account at the Bank of England, leaving only two options for this type of PSP to process their Faster Payments transactions: a. to process their payments through an existing FPS Participant (an Indirect Agency), or b. as a Direct Agency into the Scheme, with a sponsor bank undertaking their settlement obligations. A consequence of both the above models was that none of these PSPs had a direct contractual relationship with FPSL.

What we set out to do In 2014, FPSL started to investigate how best to address these challenges. Non-bank PSPs made it clear to FPSL and other parties that they required more options in how they interacted with Faster Payments, especially with regard to settlement options. Indirect Agency was seen as sub-optimal, as commercial offerings did not offer a genuine real-time, 24/7 experience for the service users of such PSPs. Direct Agency arrangements carried significant responsibilities and obligations to the Sponsor, over and above that of settlement obligation, so there was a very limited appetite to provide such services. FPSL also identified that even if restrictions on settlement accounts at the Bank of England were lifted, the need to lodge cash with the Bank as collateral to guarantee settlement completion in the event of a liquidity short-fall, posed challenges for non-bank PSPs, as e-Money Institutions and Payment Institutions cannot encumber client funds; something the prefunding model, with its Deed of Charge, required. How we achieved it The new access model offers PSPs various access and settlement options. These include continuing to use a sponsor bank for settlement or opting to self-settle if they have a settlement account with the Bank of England. The latter option was originally open to banks only, but FPSL promised the potential to change this and committed to work with the Bank of England to find solutions to enable non-banks to self-settle. Unbundling settlement from the other services needed to access Faster Payments mean it can be negotiated separately, providing more flexibility for non-bank PSPs. On the contractual side, FPSL are working with external counsel to identify a new legal model – the Flawed Asset Default Agreement. The new model removes the need for a Deed of Charge to be put in place on client funds held as collateral against a Net Sender Cap. Having worked with potential Participants and the Bank of England, we are fully supportive of the Bank of England’s recently announced initiative around opening access, and have proposed a number of solutions to help support this.

Levelling the playing field for access: Harnessing the Power of Now 13 Simplifying access to bank codes and sort codes

Bank codes are four digit numbers used to identify a participant in a payment scheme such as Faster Payments. Bank codes have to be allocated before a PSP can undertake certification testing or be set up on the live Central Infrastructure or be issued with sort codes. A bank code is also needed to enable an organisation’s Public Key Infrastructure (PKI) to be registered.

A sort code (also known as a sorting code) is a six digit number, typically formatted as 12-34-56, used by many services including Faster Payments to route payments to another Participant within the clearing systems’ Central Infrastructure. A sort code has to be allocated and activated in a Scheme before an intending Participant can send or receive payments. New PSPs also found that they needed the assistance of a Bacs Member (who could be a competitor or their existing Bacs Sponsor) in order to be allocated sort codes. This was seen as a barrier to access and a potential breach of confidentiality since the sponsor bank would learn of its competitor’s plans at an early stage.

What we set out to do In 2014, FPSL started to investigate how best to address these challenges. Non-bank PSPs made clear to FPSL that they required more options in how they interacted with Faster Payments, especially around settlement. The goal was to: a. make the bank code allocation process a clear and business as usual process; b. enable the allocation of sort codes to PSPs who did not want to use the services of an existing Bacs member. How we achieved it Faster Payments worked with Bacs (which manages sort codes and bank codes for the industry) to simplify the application process for bank codes and set up a new process for sort code allocation that removes the need to work through a sponsor bank. New PSPs can now be allocated a bank code based on an accepted Letter of Intent to join the Faster Payments Scheme. An organisation applying to join Faster Payments is advised when and how to apply for one or more sort codes by their on-boarding manager. Sort codes can now be allocated either by the reference data manager or a sponsor bank, depending on the new PSP’s preferences.

14 Levelling the playing field for access: Harnessing the Power of Now Faster Payments Participants

Accredited Vendors

For more information please contact us at [email protected]

Levelling the playing field for access: Harnessing the Power of Now 15 July 2017

Faster Payments Scheme Limited 2 Thomas More Square London E1W 1YN 020 3217 8200 www.fasterpayments.org.uk

Levelling the playing field for access: Harnessing the Power of Now 16