After SCA & PSD2, the CBPR2 deadlines mean choices for Product & Compliance teams need to be made quickly

Cambrist_CBPR2_Phone_v3.jpg

When the next phase of the CBPR2 (EU2019/518) regulation comes into effect in April 2021, we anticipate material differences in how banks and 3rd party card issuers comply. Across Europe, Cambrist is working with banks in different markets with varying regulatory interpretations and design choices in their implementations. The differing approaches to practical compliance with the regulation reflects a wide range of trade-offs involved in each bank’s decision process – statutory compliance vs customer experience vs. implementation costs – and there are no easy answers for product & compliance teams.

“SCA Compliance projects are dominating the time of Cards & Compliance teams but CBPR2’s deadline is not far behind. Banks that wait too long to consider their options will end up with an imperfect solution and a more expensive implementation effort”

CBPR2: Issuer Requirements

CBPR2 (EU2019/518) is a new regulation that creates a common approach to pricing for foreign currency transactions, with all fees, commissions and exchange rate premiums consolidated into a single currency conversion cost that is compared to the ECB reference rate for that day. Today, all EU payment card issuers (banks and e-money issuers) must clearly present the currency conversion cost in their terms & conditions and on a publicly available website (e.g. https://alphabank.cambrist.eu/en). By April 19th 2021, the EU mandates that all card issuers must also send their customers an electronic messages (SMS, email, push notification) of the currency conversion cost after an eligible cross currency card transaction has been completed.

Key Design Choices

CPBR2 compliance requires a range of material project design choices for project teams, and in the context of multiple software providers and constrained IT capacity, no answer is perfect. Each of these design choices requires careful consideration amongst product and compliance teams as the implementation deadline nears.

There are four consequential design choices for project teams:

Cambrist Notify Key Design Choices Graphic.png
Design_Choice_Icon_1_.png

Minimum Regulatory Requirements or Improved Customer Experience

The minimum messaging requirement is for an electronic message to be sent for the first transaction in a new EEA currency, each month. While this minimum compliance standard will ultimately be associated with a small percentage of all transactions (thereby lowering message volumes) it will also lead to an inconsistent customer experience as cardholders receive infrequent communications. Furthermore, while the EEA currencies are the minimum mandated by the regulation, the fact that customers are not required to receive messages associated with USD, CAD, AUD, JPY, etc. (which are high volume & high value crossborder payment currencies) means that the minimum regulatory standard has the possibility of being an inconsistent consumer engagement tool and, therefore, less effective.

Design_Choice_Icon_2_.png

How to Define Eligible Transactions

The majority of a bank’s card transactions are processed through the standard authorization & clearing process flows. However, some transactions are exceptions, such as offline transactions where no authorisation record is received or transactions on the banks own ATMs bypass Visa & MasterCard processing flows. While it is unlikely that there will be many eligible transactions in these non-standard processes, Banks that are aiming for 100% compliance will need to incorporate these non-standard data flows into their implementation projects. This will require additional IT effort and change capacity vs. Banks that include only standard processes and therefore achieving ~95% compliance.

Design_Choice_Icon_3_.png

“Without Undue Delay”

A key phrase in the Regulation is that the messages must be sent to customers “without undue delay” after a transaction’s occurrence. For each card issuer, their interpretation of the words “ “without undue delay” relates to two key components of the project (i) determining when a transaction been completed and (ii) defining what timeframe must a message be sent to the cardholder.

Card issuers that define a transaction as being “received” only after clearing will significantly reduce implementation effort as CBPR2 processing will be limited to the clearing files only [1], which can take place off-line and will allow for multiple integration options (e.g. API, Batch processing etc.) with solution providers, thereby reducing operational risk.

On the other hand, card issuers that define a transaction as being “received” at authorisation will need to insert the CBPR2 processing into their authorization flow and overcome the inherent challenges therein. Such solutions will also have to determine the timeframe in which the cardholder message is issued. Our experience is that authorization based messages may be sent in a range of timeframes, ranging from near-real time communication to more periodic communications (e.g. every 30 minutes or every 2 hours), with varying impacts on the desired customer experience and IT effort.

Design_Choice_Icon_4_.png

Multi-Partner Implementation or Single Service Providers

Many Bank transaction processing environments deploy different systems, architecture and partners for different card products (e.g., credit vs debit). Therefore, project teams will have to decide whether to deploy independent solutions for each system or deploy a consolidated approach across all products and systems. Independent solutions for each product will risk further inconsistencies in the customer experience and create future co-ordination challenges should the Bank seek to build on minimum regulatory requirements.

There are many other choices that project teams will have to make as the implementation deadline approaches (e.g. communication channels etc.) but at this stage, these four choices are the most consequential. These choices will have a significant impact on both the implementation options for each bank, the cost of those implementation options and the level of compliance achieved.

Simplify your Bank’s Path to Compliance with Cambrist’s Notify

Cambrist provides a fully managed service that delivers currency conversion cost comparisons, per the EU regulation 2019/518 for both the 2020 and 2021 regulatory requirements. Our service is modular and can cater for any of the project design configurations discussed above. Contact us if you would like to discuss your project’s design choices and how Cambrist can deliver a consistent and consolidated customer experience across your card portfolios.

[1] For Banks that define eligible transactions as being via standard Authorization and Clearing process flows

David Fitzgerald