Last week, Erik Reissenweber invited Maurice Jongmans to the podcast ‘Compliance Advises’. Maurice spoke about Online Payment Platform, fraud, compliance and PSD2. An interesting look behind the scenes at Online Payment Platform and all the extra measures intended to make trading on platforms and marketplaces safer and more secure.
What exactly do you do?
Online Payment Platform (OPP) is a payment service provider for platforms and marketplaces: these bring many sellers together with buyers. Our team consists of 32 employees who are located in a monumental building in Delft. It is a pleasant environment to work in. Besides Marktplaats (you might know us from the escrow service Gelijk Oversteken), we facilitate over 100 other platforms.
We are a licensed payment service provider (PSP) at the DNB (De Nederlandsche Bank), and since last year we are the first payment service provider in the Netherlands with payment services 7 & 8.
How is your Compliance structure?
An independent compliance officer is working at OPP (2nd line). On the board, I have ultimate responsibility for compliance myself. The 1st line compliance issues lie with the support team.
OPP has 3 types of customers: the platform, its users (sellers) and the buyers. This requires 3 levels of customer reviews, which is how we designed it. On a platform level: which risks does this platform have? Which limits do we apply and which steps are needed for onboarding of buyers and sellers?
The buyers are onboarded and afterwards we can monitor normal user behaviour based on transaction expectations. Our database holds over 4 million users of which we can use the transaction history for risk analyses and fraud detection.
We believe that verified and controlled users are an added value for the platform.
"We facilitate the payment, otherwise the platforms require a license for payment services. The individual user is making use of our service to handle a legal payment via the platform."
What are your important integrity risks?
We provide the safest way of paying each other, with a high level of control and security. However, you can never entirely rule out issues and fraud. There will always be unavoidable situations: a package is lost, a user is not responding, with the effect that payments might or might not be postponed or implemented. This can result in a negative user experience, and these risks are essential to us; we pay the utmost attention to them.
Online reviews are also a risk for us. Unsatisfied people easily write reviews, satisfied customers on the other hand are not in demand of writing a review. Hereby, leaving behind a responding message is vital to us as well as motivating satisfied users to write a positive review. In the long run, too many negative reviews can damage the company image.
Gelijk Oversteken (equal crossing) does not have a warranty? If it goes wrong, it goes wrong?
Sometimes we cannot determine whether the seller or the buyer made a mistake. But both parties receive a flag behind their name, which could include potential disadvantages for the future. These users could not use the same telephone number, bank account or ID when creating a new account. With a 2nd flag behind your name, it could be that you will be closed off and blocked from all platforms we facilitate. We made a difference in the number of fraud cases on Marktplaats, partly due to our systems. Our systems can detect fraud, freeze payments and therewith prevent fraud.
"The system is capable of more than you think! Every day, we are working to make it more secure."
What is the primary goal of the PSD2 regulation?
PSD2 is regulating many different things: especially the realisation of a professional payment environment in Europe. The security of accounts with Strong Customer Authentication (SCA) has increased. It also means that multiple parties are included in the legislation. If a platform performs payments that flow through their own accounts, they are obliged to require a licence. These platforms must start their search for a PSP with a focus on platforms and marketplaces (platform-PSP). Because not many exist, these platforms come to us. Our customers have solved it quite well, all payments for platforms are through our license. This is the main reason why they become our customer.
Additionally, there is access to the account, meaning that banks and other parties that offer online accounts must require consumer bank account access to licensed third parties. These licensed third parties could then implement the following two services: payment initiation (perform a payment) and account information (insights in account information details).
What are the most important challenges regarding PSD2 for OPP?
For us it is the availability and quality of bank connections (API), which is often inadequate. In the Netherlands we connected to the six most important banks, resulting in a wide reach. When looking at the German market, there are over 2000 banks. This would mean that you would have to create 2000 connections in order to connect all banks. This is better regulated in England with only one system. In Europe, everyone could regulate their own systems. There is no forced standard for APIs, this causes large disparities.
"We would have preferred a standard API, but unfortunately there is none."
Will these standards arise?
The Berlin Group standard is the largest in Europe, several banks accepted this standard including some Dutch banks. Everyone would be pleased if this standard would be the main one. Whether or not banks will see benefit in this and follow the stream, is questionable. This will vary greatly among different banks.
You already have a license for account information, are you currently receiving this data?
Yes, we have the license. We use this for linking your bank account. At the moment, the process is to transfer 1 cent. This is not the best way to do it, if I may say so myself. You are misusing the payment for a different goal. We would only request personal details if our service requires so. Not in order to read back account information history. That is not where our purpose lies.
Banks should actually provide us with the possibility to request limited information and access. Currently, all information is provided, whilst I only need the IBAN number. I believe this would be a good interaction with the user. He or she would then understand which information is asked. I can imagine that an application intended to help you with budgeting will need more details and information. I solely need information to link a bank account.
Which other developments caused by PSD2 do you currently see?
Emerging new parties that aim to solve the problem of the 2000 German banks by creating a standard connection, some kind of technical aggregation. There are different parties, but none with 100% German coverage. I also expect more services to arise abroad. iDEAL-like solutions, but that will probably take some time. One of the things that always pops up with PSD2 is the 'Big Tech' parties. There is Apple Pay, they are not very present in the field of PSD2 yet, but they did however make a giant leap in the Netherlands. But still, there is not a lot of movement in the eCommerce payment landscape.
Specific point of view of VBIN regarding the field of PSD2
The United Dutch Payment Institutions (VBIN) now focuses on the quality and availability of the APIs, the fact that banks must comply and what we can expect of the specifications of these APIs.
Advice from Maurice regarding compliance
In everything that you do in the area of compliance, you can't stop thinking about your actions and the underlying spirit and thought of the regulation. I have seen some examples that helped build much better solutions. You must also think about the added value of the compliance department of your organisation. For us it's an added value. As it is with many others, I believe.
Listen to the entire podcast here (in Dutch)