
DEGREE PROJECT IN THE FIELD OF TECHNOLOGY: INDUSTRIAL ENGINEERING AND MANAGEMENT, AND THE MAIN FIELD OF STUDY: COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2017

Will the blockchain save privacy under the Revised Payment Service Directive?

JOHAN SANDMARK

Will the blockchain save privacy under the Revised Payment Service Directive?

by Johan Sandmark

Master of Science Thesis INDEK 2017:57
KTH Industrial Engineering and Management, Industrial Management

Swedish title: Kommer blockkedjan rädda integriteten under det nya betaltjänstdirektivet? (Will the blockchain save integrity under the new payment services directive?) Examensarbete INDEK 2017:57, KTH Industriell teknik och management, Industriell ekonomi och organisation.

Master of Science Thesis INDEK 2017:57
Will the blockchain save privacy under the Revised Payment Service Directive?
Johan Sandmark

Approved: 2017-06-12
Examiner: Cali Nuur
Supervisor: Niklas Arvidsson
Commissioner: CGI Sverige AB
Contact person: Robert Book

Abstract

The Revised Payment Service Directive (PSD2) is being deployed in the European Union to give Third-Party Providers (TPP), with the consumer's consent, the right to access payment account information from the banks as well as to initiate payments. Personal data will now not only be communicated from a bank directly to its customers, but potentially from banks through multiple third parties before reaching the individual, which puts more pressure on how personal integrity and privacy are managed.

Blockchain is a technology that provides a distributed exchange network to validate transactions without the need for a trusted third party, as trust is built into the technology itself. This could very well be the next technology for the financial sector to embrace.

The purpose of this thesis is to investigate if and how blockchain technology can be used to provide a higher degree of privacy for the individual when deployed in the context of the upcoming PSD2 regulation.

A blockchain experiment was performed, upon which ten qualitative interviews were conducted on PSD2 and blockchain. The results indicate that there are many challenges with PSD2, but that new innovative services are expected and that blockchain as a technology is interesting. The conclusion of this thesis is that blockchain technology could be used to increase the level of integrity and privacy for consumers if applied by a single FinTech. It would be more beneficial if the blockchain were applied as a service for any FinTech to use, but first more research is needed in several key areas such as governance and authentication.

Another observation is that PSD2 and the related regulation, the General Data Protection Regulation (GDPR), seem to be first steps towards a new model of privacy and a first regulated step towards an open banking environment in the European Union.

Keywords: Blockchain, PSD2, Revised Payment Service Directive, 2015/2366, integrity, privacy

Summary (translated from Swedish)

The revised Payment Services Directive (PSD2), which is entering into force in the European Union (EU), gives third-party providers, with the customer's consent, the right to retrieve payment account information from the banks and to initiate payments. Personal data will now not only flow between a bank and its end customer, but potentially from banks to several third-party providers before the information reaches the end customer, which places higher demands on how integrity and private information are handled.

Blockchain is a technology that provides a distributed network for validating transactions without the involvement of a trusted third party, since trust is built into the technology. This may be the next technology for the financial industry to adopt.

The purpose of this thesis is to investigate whether and how blockchain technology can be used to provide a higher degree of integrity for the individual in connection with PSD2.

A blockchain experiment was carried out and used as the basis for ten qualitative interviews on the topic of PSD2 and blockchain. The results indicate that there are many challenges with PSD2, but that many new innovative services can be expected and that blockchain as a technology is interesting.

The conclusion is that blockchain can be used to increase the degree of integrity for consumers if it is applied by a single FinTech company. It would be even more beneficial if the blockchain were provided as a service for any FinTech to use, but that first requires further research into what structure is needed and how identification should be carried out.

Another observation is that PSD2 and the related regulation, the General Data Protection Regulation (GDPR), appear to be a first step towards a new model for integrity and a first regulated step towards an open banking environment within the EU.

Keywords: Blockchain, PSD2, Payment Services Directive, 2015/2366, integrity, privacy


Contents

1 Introduction
1.1 Background
1.2 Problematization
1.3 Purpose
1.4 Research questions
1.5 Disposition

2 Literature
2.1 PSD2
2.1.1 Introduction to PSD2
2.1.2 Two new players
2.1.3 Challenges and objections
2.1.4 Privacy
2.2 General Data Protection Regulation
2.3 Blockchain
2.3.1 Introduction to blockchain
2.3.2 Different types of blockchains
2.3.3 The blockchain from a business perspective
2.3.4 Regulations
2.3.5 Personal data
2.4 Open innovation

3 Method
3.1 Designing the research process
3.2 Literature review
3.3 Software experiment
3.3.1 Incentive
3.3.2 Definition
3.3.3 Implementation
3.3.4 Experiment delimitation
3.4 Interviews
3.5 Results
3.6 Reliability, validity and generalizability
3.6.1 Reliability
3.6.2 Validity
3.6.3 Generalizability

4 Results
4.1 The effects of PSD2
4.1.1 PSD2 initiative
4.1.2 Regulations
4.1.3 Timeline gap
4.1.4 Authentication
4.2 Blockchain
4.2.1 Technology
4.2.2 Software experiment
4.3 Innovation

5 Analysis
5.1 Personal data
5.2 Maturity of blockchain
5.3 How to be forgotten from a blockchain
5.4 Authentication
5.5 Governance
5.5.1 Single FinTech
5.5.2 Blockchain service
5.6 Integrity of services on the blockchain
5.7 Innovation
5.7.1 New business models

6 Discussion and conclusions
6.1 Discussion
6.1.1 Conclusion
6.2 Robustness of the study
6.3 Recommendations
6.3.1 Governance
6.3.2 Online authentication in Sweden
6.3.3 The personal blockchain
6.3.4 Integrity of services running on the blockchain
6.3.5 Effect of multiple interviewees

Bibliography

List of Figures

2.1 Traditional communication
2.2 Communication with AISP
2.3 Bitcoin price index
2.4 Chained transactions
2.5 Blockchain components
2.6 Personal data and blockchain
2.7 Open Innovation Model
3.1 Research design of this study
3.2 Blockchain middleware
3.3 Experiment definition write data
3.4 Experiment definition read data

List of Tables

2.1 Blockchain definitions
3.1 Interviews during this thesis


List of Abbreviations

AISP Account Information Service Provider.

API Application Program Interface.

AS-PSP Account Servicing Payment Service Provider.

DHT Distributed Hash Table.

EBA European Banking Authority.

EU European Union.

FinTech Financial Technology.

GDP Gross Domestic Product.

GDPR General Data Protection Regulation.

HCA Home Competent Authority.

P2P Peer-To-Peer.

PISP Payment Initiation Service Provider.

PSD2 Revised Payment Service Directive.

PSP Payment Service Provider.

PSU Payment Service User.

QTSP Qualified Trust Service Provider.

RTS Regulatory Technical Standards.

SCA Strong Customer Authentication.

TPP Third-Party Providers.

XS2A Access to Account.


A special thanks to Robert Book at CGI Sverige AB for your dedication to the specific research area and your support with discussions and guidance, which have made this master thesis possible.

I would also like to take the opportunity to thank all the interviewees who shared their experience and information on the topic at short notice.

Without you this thesis would not have been possible.

Stockholm, 1 June 2017
Johan Sandmark, sandm@kth.se


Chapter 1

Introduction

1.1 Background

Technology has drastically changed the way humans communicate since the birth of what we call the Internet. In a digital world new technological innovations continue to affect how and when we communicate and exchange information. Individuals generate vast amounts of data and, beyond its sheer volume, data is becoming a new type of raw material with a high value. Some of the largest Internet companies, such as Facebook and Google, clearly show how collecting and monetising individuals' data can rapidly grow enterprises [World Economic Forum, 2011]. The new market for earning money on personal data is becoming more visible as new services shed light on the trend [Jerräng, 2017], but the General Data Protection Regulation (GDPR) is being deployed to give individuals rights over their data. A new model for privacy on the web is also called for by many, including the inventor of the World Wide Web, Sir Tim Berners-Lee, to make individuals feel more comfortable sharing information online [Curtis, 2014].

In addition to GDPR, the Revised Payment Service Directive (PSD2) is being implemented in the European Union (EU) [European Commission, 2016], and it is not certain how the changes will affect competition and transparency in the financial market. The directive states among other things that Third-Party Providers (TPP), with the consumer's consent, have the right to access payment account information directly through bank Application Program Interfaces (API). In the EU 67% of the population are worried about having no control over the information they provide online [European Commission, 2015]. GDPR and PSD2 aim to change that by transferring the ownership of data to the individuals, but is that enough to secure personal privacy and integrity? PSD2 allows, with the consumer's consent, personal financial data to be shared, which is a big change and could affect personal privacy negatively. PSD2 is both a challenge and an opportunity, depending on how well current business models can adapt, as current and new digital solutions must be adapted to new laws and regulations.

Recently, new entrants have been pushing their way into the market by competing aggressively on customer experience and price [PWC, 2015]. They are challenging the powerful financial institutions which have governed economic growth for centuries. Technology advancements have enabled small Financial Technology (FinTech) start-ups to scale their operations efficiently with limited means, step by step cutting into market segments previously dominated by banks [Dietz et al., 2016]. When the new entrants gain access to even more services and data by utilising the effects of PSD2, competition is expected to increase even further.

TPPs are a new type of entity for the banks and could be seen as customers, partners or competitors. Open innovation is a process which could help bring TPPs and banks closer and could be important when it comes to implementing PSD2 in the new financial landscape.

Blockchain is a technology whose arrival can be compared to the birth of the Internet. The blockchain is not just a revolution, it is a marching phenomenon that solves how to manage trust in a digital world [Mougayar, 2016]. What blockchain technology provides is a distributed exchange network to validate transactions without the need for a trusted third party, as trust is built into the technology. The currently best known blockchain application is crypto currency, since the first paper on blockchain, published by Nakamoto in 2008, presented the crypto currency Bitcoin.

Bitcoin is arguably one of the biggest developments in finance since the advent of fiat currency [Franco, 2014]. Bitcoin is a decentralised crypto currency with Peer-To-Peer (P2P) transactions that can be used to send or receive bitcoins without going through a financial institution [Nakamoto, 2008]. What is really interesting, however, is the blockchain technology behind Bitcoin, as it allows rapid transactions at low transaction cost, has great global opportunities [CGI, 2016b] and could very well be the next technology for the financial sector to embrace.

1.2 Problematization

With new regulations such as the Revised Payment Service Directive (PSD2), traditional banks face increased competition from new FinTech companies. PSD2 allows third-party providers to access their customers' data, which puts more pressure on how to manage personal integrity. Personal data will now not only be communicated from a bank directly to its customers, but potentially from banks via multiple third parties before reaching the individual. There is a need to secure privacy and integrity for consumers.

The question arises whether the new blockchain technology could be used not only to comply with Strong Customer Authentication (SCA), but also to manage the personal data that must be shared under PSD2 while providing personal integrity and confidentiality.

Banks and other financial institutions must react and embrace the changes from PSD2 in order to stay competitive and remain legally compliant.

1.3 Purpose

The purpose of this paper is to investigate if and how the blockchain technology can be used in order to provide a higher degree of privacy for the individual when deployed in the context of the upcoming Revised Payment Service Directive (PSD2).

1.4 Research questions

To fulfil the purpose the following research questions were formed. The main research question is:

• How can blockchain technology be used to increase personal integrity and privacy in the context of the Revised Payment Service Directive (PSD2)?

In order to support the main research question, two sub research questions were formed to further structure the research process:

• What does the PSD2 regulation say about privacy of personal data?

• How is personal integrity affected by PSD2?

The main difference between the two sub research questions is that the first refers to what the legal directive states, while the second refers to what will actually happen when the directive is deployed.

1.5 Disposition

The remaining chapters of this thesis have the following structure:

Literature: The next chapter introduces previous research on PSD2, GDPR, blockchain and open innovation, which is the theoretical foundation upon which the rest of the thesis is based.

Method: In this chapter the main methods and the research process are described to give the reader an understanding of how this investigation has been conducted. The methods used to answer the research questions, a software experiment and interviews, are described and evaluated.

Results: The findings from the interviews are presented in a structured way in this chapter and are used in the analysis.

Analysis: An analysis based on and connected to the literature, theory and the learnings from the results is presented in this chapter, so that the research questions can be answered in the next chapter.

Discussion and conclusions: Finally, the thesis ends with an evaluation of its theoretical and practical contributions, answers the main research question and presents recommendations for further studies.


Chapter 2

Literature

In this chapter the previous research used in this thesis is presented. The following sections present PSD2, GDPR, blockchain and open innovation, which are all connected to the main problem investigated. Despite the title, much of the material presented in this chapter is not from academic sources, as there is little previous research on PSD2.

2.1 PSD2

2.1.1 Introduction to PSD2

By early 2018 one of the most disruptive financial regulations in the EU will be in force. The Revised Payment Service Directive (PSD2) is being implemented across Europe and will have a great impact on how companies can access data that only banks used to be able to access. With the consent of the individual, banks must now provide data to TPPs through open APIs. By using the banks' data, TPPs can build better services on top of the banks' data and infrastructure, which was not possible before [Evry, 2016].

PSD2 was adopted by the European Parliament and the Council of the EU; the European Banking Authority (EBA), an independent EU authority, is mandated to draft the Regulatory Technical Standards (RTS) that specify how it is to be implemented. The aim of PSD2 is to ensure that all electronic payment services are carried out in a secure manner, to guarantee safe authentication and to reduce the risk of fraud [European Banking Authority, 2016].

The protection of personal data is important to the European population: in a survey, 67% of the respondents said that they are worried about having no control over the information they provide online [European Commission, 2015]. PSD2 is intended to shift the ownership of the data back to the consumers and to open up the competitive landscape in financial services. With the directive the European Commission aims to improve the possibilities for innovation, protect consumers and increase the security of Internet payments and account access [Council of European Union, 2015].


2.1.2 Two new players

PSD2 introduces two new types of TPP services to the market: third-party Payment Initiation Service Providers (PISP) and third-party Account Information Service Providers (AISP). A PISP can initiate payments for the individual and act as a trusted actor that informs the seller that the goods or service can be released for delivery. An AISP, on the other hand, may act as an interface between the banks and an individual in order to present aggregated online information that gives the individual an overview of their financial situation [Council of European Union, 2015].

PSD2 makes it possible for TPPs, with the consent of the individual, to access the individual's account information. This data could be used to analyse spending behaviour or to provide an overview of the financial situation with data from several different banks presented in one view [Evry, 2016]. The AISP could also include other payment accounts such as credit card accounts and mortgage accounts, but as of this date it is not known whether merchant accounts are included [McInnes, 2016].

Traditionally only the individuals themselves could access their data, by communicating directly with their bank, for example through an online web page or a mobile app provided directly by the bank. This is illustrated in figure 2.1 below.

Figure 2.1. Traditional communication between a consumer and the account information provided by different banks. The only way to access data was for the individual to directly authenticate and communicate with the different services, for example through a web page or mobile app provided by the specific bank.


Now that the new AISPs will be allowed to access the data there is an alternative flow of information. Individuals can still access their account information directly as before, but a new way of access is emerging, presented in figure 2.2 below.

Figure 2.2. When the new AISP is introduced consumers can access their information not only directly from the banks, but also through AISPs. This means that AISPs can gather the data and present it in new ways for the consumer, for example a complete overview of the financial situation including data from not one, but multiple banks.

New services that benefit individuals are expected to enter the market, as it will now be possible to collect consumer data from multiple data sources. Technology giants such as Facebook, Apple, Google and Samsung will most certainly try to use the financial information made available by PSD2 to enhance their own services. With access to even more data these big brands are expected to refine their marketing strategies and increase their brand presence even further [CGI, 2016a].


2.1.3 Challenges and objections

The most important effect of PSD2 is that TPPs get the right to access the payment service user's account [Evry, 2016]. This is a drastic change in the competitive landscape that will affect many actors. After the first discussion paper on PSD2, published in December 2015, the European Banking Authority (EBA) received 118 responses. When the consultation on the draft Regulatory Technical Standards (RTS) closed in October 2016 a total of 224 responses had been received, the highest number of responses the EBA has ever received [European Banking Authority, 2017].

The key issues identified from the responses are:

1. Technologically-neutral requirements
2. Exemption for low-risk transactions
3. Access to payment accounts by TPPs

The EBA agreed to some of the proposals. On the first key issue, the specific technical requirements on how SCA is to be achieved were removed from the RTS to ensure technology neutrality and allow for future innovation; the SCA obligation itself remains, since it is set by the directive rather than by the RTS.

Regarding the third key issue, the introduction of the two new main players AISPs and PISPs presented in section 2.1.2, the EBA decided to maintain the obligation for banks to offer at least one interface for the new TPPs despite the objections [European Banking Authority, 2017].

2.1.4 Privacy

One direct effect of PSD2 is that data can be shared in a different way than before. As introduced in section 2.1.2, two new players will be able to access the individual's account information and transactions, which puts more pressure on how to manage and secure a high degree of privacy.

According to the RTS, AISPs shall have in place suitable and effective mechanisms that prevent access to information other than that covered by the user's explicit consent. AISPs may access information from payment accounts whenever the user is actively requesting such information, or, without the user actively requesting it, up to four times during a 24 hour period (unless a higher frequency is agreed with the account servicing provider) with the user's consent.

The RTS covers how SCA must be fulfilled, but has changed from specific to more high-level requirements to allow technology and business-model neutrality. The standards now only require that SCA is based on two or more independent elements out of (a) something only the user knows, (b) something only the user possesses and (c) something the user is. The EBA argues that data protection and data privacy are out of the scope of the RTS and therefore cannot be addressed in the RTS specifications, but stresses them as an important consideration when implementing the RTS [European Banking Authority, 2017]. As privacy turned out not to be a dedicated part of PSD2, the related regulation GDPR had to be included; it is presented in the next section.
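As an added example (not part of the thesis), the access-frequency rule above can be expressed as a policy check on the bank's side of the API. The following Python code, with hypothetical data structures, allows a request when the user actively initiates it and otherwise counts unattended accesses per consent over a sliding 24 hour window against the default limit of four. The sliding-window interpretation of "24 hour period", the revocation and scope checks and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
DEFAULT_UNATTENDED_LIMIT = 4  # RTS default; a higher frequency may be agreed


@dataclass
class Consent:
    """Consent a PSU has given one AISP (hypothetical model)."""
    psu_id: str
    aisp_id: str
    accounts: frozenset          # account identifiers within scope
    active: bool = True
    unattended_limit: int = DEFAULT_UNATTENDED_LIMIT


@dataclass
class AccessLog:
    """Timestamps of unattended (PSU not present) accesses per (psu, aisp)."""
    unattended: dict = field(default_factory=dict)

    def count_in_window(self, key, now):
        # Sliding window (assumption): keep only accesses in the last 24 hours.
        cutoff = now - WINDOW
        recent = [t for t in self.unattended.get(key, []) if t > cutoff]
        self.unattended[key] = recent
        return len(recent)

    def record(self, key, when):
        self.unattended.setdefault(key, []).append(when)


def authorise_access(consent, account, psu_present, now, log):
    """Decide one AISP request for account data; returns (allowed, reason)."""
    if not consent.active:
        return False, "consent revoked"
    if account not in consent.accounts:
        return False, "account outside consent scope"
    if psu_present:
        # PSU actively requesting the information: no frequency limit applies.
        return True, "psu-initiated"
    key = (consent.psu_id, consent.aisp_id)
    if log.count_in_window(key, now) >= consent.unattended_limit:
        return False, "unattended limit reached for this 24 hour window"
    log.record(key, now)
    return True, "unattended access within limit"


def demo():
    """Run a constructed sequence of requests and return the decisions."""
    log = AccessLog()
    consent = Consent("psu-1", "aisp-A", frozenset({"acct-1"}))
    t0 = datetime(2018, 1, 13, 8, 0)  # constructed timestamp
    decisions = []
    # Five unattended polls within an hour: the fifth must be refused.
    for i in range(5):
        decisions.append(authorise_access(consent, "acct-1", False,
                                          t0 + timedelta(minutes=10 * i), log)[0])
    # PSU opens the AISP app: allowed although the unattended quota is used up.
    decisions.append(authorise_access(consent, "acct-1", True,
                                      t0 + timedelta(hours=1), log)[0])
    # A day later the first accesses have left the window.
    decisions.append(authorise_access(consent, "acct-1", False,
                                      t0 + timedelta(hours=25), log)[0])
    # An out-of-scope account, then a revoked consent, are refused regardless.
    decisions.append(authorise_access(consent, "acct-9", False, t0, log)[0])
    consent.active = False
    decisions.append(authorise_access(consent, "acct-1", True, t0, log)[0])
    return decisions


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed where the bank serves the request rather than trusting the AISP to throttle itself: the RTS obligation is on the AISP, but the account servicing provider is the party that can actually observe and refuse the fifth unattended call. Refused requests are not recorded, so a burst of denied polls does not extend the lockout.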

2.2 General Data Protection Regulation

GDPR had to be included in this research as it turned out that the EBA regards data protection and data privacy as out of the scope of the PSD2 RTS. This section introduces the most important aspects of GDPR needed to answer the research questions.

Regulators have not been able to keep up with the rapid changes in how much data consumers generate. Not only regulators but also lawyers and corporations are affected by complex and outdated regulations [World Economic Forum, 2011]. In the EU the current data protection rules have been in force for the last 21 years, and since then there have been huge changes in how people share personal information online.

Because of these changes, and as PSD2 does not specify how the data should be managed, only that it should be provided, a new regulation is also introduced: GDPR is deployed to give the power back to the individuals [European Union, 2016].

The new regulation does not only empower the individual but also gives them the right to be forgotten. These changes will affect all enterprises operating within EU member states, as not only current and new systems must be updated, but also the processes for managing customer relations and data. From the regulation [Council of European Union, 2016a] the most important changes are:

1. The right to be forgotten
2. Data access
3. Transfer of data
4. Consent required

The first is that when an individual no longer wishes to have their data processed by a specific organisation, and there are no legitimate reasons to retain it, the data must be erased. This introduces challenges for organisations, as complying is not trivial: history, backups and other business applications all use consumer data in some way, and simply erasing data can be problematic. Under certain circumstances a restriction of processing can be applied instead of erasure [Council of European Union, 2016b, Article 16]. The second change, data access, means that you as an individual have easier access to your own data, since you are its owner. You have the right to know what data is stored about you, and this is connected to the third point, transfer of data: with GDPR individuals have the right to transfer personal data from one service to another. This could be a key feature, as it will be much easier to take your data from your current service provider and give it to a new one.

The last key change listed is consent: where consent is required, individuals must be asked to give it by a clear affirmative action [European Union, 2016].

2.3 Blockchain

2.3.1 Introduction to blockchain

At its core blockchain is a technology that permanently records transactions in a way that cannot be altered or erased. It is a way to manage data with trust built into the technology itself, without the need for any trusted third party. That means blockchain has the power to introduce change that will affect governance, ways of life, traditional corporate models, society and global institutions in ways we did not believe possible [Mougayar, 2016].

Blockchain was first introduced in 2008 when Nakamoto presented a paper proposing the new crypto currency Bitcoin. The most important features of the blockchain technology are described in Bitcoin as a purely P2P version of electronic cash that would allow online payments to be sent directly from one party to another without going through a financial institution [Nakamoto, 2008]. Bitcoin remains the best known blockchain implementation: a decentralised crypto currency with P2P transactions that can be used to send or receive bitcoins without going through a financial institution. As shown in figure 2.3, the price of one bitcoin has changed over time; at the time of writing it was trading at $2,238 with a market capitalisation of $36.65 billion (22 March 2017) [Coindesk, 2017].

Figure 2.3. Bitcoin price index history [Coindesk, 2017].


From the paper we learn that the relatively simple idea of storing signed, hashed transactions with timestamps in chains is an efficient way to create records that cannot be changed without redoing the proof-of-work. As illustrated in figure 2.4 below, each owner transfers bitcoins by digitally signing a hash of the previous transaction together with the public key of the next owner [Nakamoto, 2008], so that every transaction points back to the one before it. Transactions are then batched into blocks, and each block includes the hash of the previous block; it is this chain of blocks, secured by the proof-of-work, that we call a blockchain.

Figure 2.4. How transactions are managed and “chained” in the Bitcoin network [Nakamoto, 2008]
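The following Python example is added here and is neither the thesis's experiment nor Nakamoto's code. It builds a minimal hash chain in the spirit of figure 2.4, with a proof-of-work over each block header, and connects the chain to the GDPR right to be forgotten from section 2.2: personal data is kept off-chain and only a salted hash (a commitment) is written to the chain, so a record can be erased without invalidating the chain, while altering a committed value after the fact breaks verification unless the work is redone. Signatures are omitted; ownership is represented only by carrying the next owner's key identifier in the hashed header. The 12-bit difficulty, the in-memory off-chain store and the sample records are constructed assumptions.

```python
import hashlib
import json
import os

DIFFICULTY = 12  # leading zero bits a block hash must have (constructed setting)
TARGET = 1 << (256 - DIFFICULTY)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commit(record: dict, salt: bytes) -> str:
    """Salted hash of a personal-data record; only this value goes on-chain.
    The salt stops anyone from confirming a guessed record (e.g. an account
    number) against the chain once the off-chain copy has been erased."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(salt + canonical)


class Block:
    def __init__(self, index, prev_hash, next_owner, commitment, timestamp):
        self.index = index
        self.prev_hash = prev_hash        # hash of the previous block: the "chain"
        self.next_owner = next_owner      # next owner's public key id, as in figure 2.4
        self.commitment = commitment      # hash of the off-chain record
        self.timestamp = timestamp
        self.nonce = 0
        self.hash = None

    def header(self) -> bytes:
        return json.dumps([self.index, self.prev_hash, self.next_owner,
                           self.commitment, self.timestamp, self.nonce]).encode()

    def mine(self):
        """Proof-of-work: search for a nonce whose header hash is below TARGET."""
        while True:
            h = sha256_hex(self.header())
            if int(h, 16) < TARGET:
                self.hash = h
                return
            self.nonce += 1


class Chain:
    def __init__(self):
        self.off_chain = {}   # commitment -> (salt, record); erasable store (assumption)
        genesis = Block(0, "0" * 64, "genesis", "", 0)
        genesis.mine()
        self.blocks = [genesis]

    def append(self, next_owner, record, timestamp):
        salt = os.urandom(16)
        c = commit(record, salt)
        self.off_chain[c] = (salt, record)
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.hash, next_owner, c, timestamp)
        block.mine()
        self.blocks.append(block)
        return c

    def open(self, commitment):
        """Return the record if it still exists off-chain and matches the commitment."""
        entry = self.off_chain.get(commitment)
        if entry is None:
            return None
        salt, record = entry
        return record if commit(record, salt) == commitment else None

    def erase(self, commitment):
        """Right-to-be-forgotten: remove the off-chain data; the chain is untouched."""
        self.off_chain.pop(commitment, None)

    def verify(self):
        """Every block must carry valid work and link to its predecessor."""
        for i, b in enumerate(self.blocks):
            if b.hash is None or sha256_hex(b.header()) != b.hash or int(b.hash, 16) >= TARGET:
                return False
            if i > 0 and b.prev_hash != self.blocks[i - 1].hash:
                return False
        return True


def demo():
    """Constructed walkthrough: build, erase, tamper; returns the observations."""
    chain = Chain()
    # Constructed sample records, not real account data.
    c1 = chain.append("pk_alice", {"iban": "SE00 0001", "balance": 120}, 1)
    chain.append("pk_bob", {"iban": "SE00 0002", "balance": 75}, 2)
    out = {"valid": chain.verify(), "balance_c1": chain.open(c1)["balance"]}
    chain.erase(c1)
    out["valid_after_erase"] = chain.verify()     # chain unaffected by erasure
    out["open_after_erase"] = chain.open(c1)      # data is gone
    chain.blocks[2].commitment = c1               # alter a record without redoing the work
    out["valid_after_tamper"] = chain.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

Two points are worth noting. First, the salt is not decoration: account numbers and balances have little entropy, so an unsalted hash of such a record could be confirmed by guessing, and the commitment would itself be personal data. Second, Bitcoin applies the proof-of-work per block over many transactions; here each block carries one record for brevity, but the property shown is the same, namely that the chain stays verifiable after erasure while a silent edit is detected.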

According to Mougayar (2016) there are four main themes that can be identified in the paper by Nakamoto:

• P2P electronic transactions and interactions

• Without any financial institutions

• Cryptographic proof instead of central trust

• Put trust in the network instead of in a central institution

From these four themes, with the specification by Nakamoto in mind, Mougayar (2016) gives a good and easy to understand attempt to define what the blockchain really is about presented in table 2.1 below:

Type of definition: Definition

Technically: The blockchain is a back-end database that maintains a distributed ledger that can be inspected openly.

Business-wise: The blockchain is an exchange network for moving transactions, values and assets between peers, without the assistance of intermediaries.

Legally: The blockchain validates transactions, replacing previously trusted entities.

Table 2.1. Three different definitions of the blockchain [Mougayar, 2016].

2.3.2 Different types of blockchains

Blockchain technology has evolved since its introduction by Nakamoto in 2008. During the first four years after the launch of Bitcoin in early 2009 the technology was focused on the crypto currency itself, storing digital value.

As the technology allows for decentralisation and security, "blockchain 2.0" has shifted towards other applications such as domain registration, financial contracts and crowdfunding. Blockchain is not limited to crypto currencies, and since "blockchain 2.0" other digital assets and digital representations of physical value can be managed in a trusted way with the technology. In the current and next phase the focus is on scalability and protocols [Mougayar, 2016], which means that different types of blockchains can be applied depending on the use case and needs.

Consensus

When implementing a distributed P2P blockchain such as Bitcoin there is a need for a consensus model [Nakamoto, 2008]. In the case of Bitcoin the consensus mechanism used to secure trust in the blockchain is proof-of-work. There are other consensus protocols, such as proof-of-stake, Raft, delegated proof-of-stake (DPOS) and Paxos, that can be used, but the important point is that a reliable consensus mechanism is in place when implementing a blockchain [Mougayar, 2016]. Raft and Paxos tolerate crash failures among a known set of nodes but not Byzantine (malicious) nodes, so they suit permissioned blockchains among identified parties rather than an open network like Bitcoin.

Smart contracts

The idea of smart contracts was originally introduced by Nick Szabo, who argued that the formalisation of relationships, especially contracts, provides the blueprint for ideal security [Szabo, 1997]. Smart contracts were for a long time only a theoretical concept but are now possible with the use of blockchain technology.

Smart contracts allow real-world valuable property to be controlled by a digital protocol, and by utilising the trust built into the blockchain millions of smart contracts are expected soon [Mougayar, 2016]. With the release of platforms such as Ethereum, a blockchain application platform, and programming languages targeting Ethereum such as Solidity and Serpent, it is now much easier to build and deploy smart contracts [Gord, 2016]. Since deployed contract code is itself recorded on the chain, a defect in a contract cannot simply be patched in place, which makes review before deployment correspondingly important.

2.3.3 The blockchain from a business perspective

Technology has drastically changed the way humans communicate since the birth of what we call the Internet. In a digital world new technological innovations continue to impact how and when we communicate and exchange information. The next big thing, comparable to the birth of the Internet, is the blockchain. But the blockchain cannot be described just as a revolution; it is a marching phenomenon [Mougayar, 2016]. The verb "to google" is connected to the brand name of Google, the leading Internet search engine [Dictionary.com, 2017]. Today when we want to find information we google for almost anything, but tomorrow we will be able to perform the equivalent of "googling" to verify records, identities, authenticity, rights, work done, titles, contracts and other valuable information by using blockchain technology [Mougayar, 2016]. There is great potential in the blockchain: one estimate is that 10% of the world's GDP will be stored in the blockchain by the year 2025 [Bauman et al., 2016].

The blockchain has many more applications than just a cryptocurrency, as trust is built into the technology. One way to understand the great impact blockchain might have on business opportunities is to investigate the key features of what blockchain allows. The basics of blockchain are nothing new; it can be explained by three well-known fields, as illustrated in figure 2.5.

Figure 2.5. Three important areas that have existed for a long time but that have now, for the first time, been merged together inside the blockchain technology [Mougayar, 2016].

Software engineering, game theory and cryptography are all vital parts of the blockchain technology.

According to Greyspark (2015) we can expect new blockchain solutions for capital markets. For payments and remittances the blockchain allows frictionless P2P transactions that reduce risk and transaction costs and increase efficiency, transparency and speed. For the securities market the blockchain could allow direct exchange in a P2P network without the intermediation services that are provided today by a broker or clearinghouse. Clearing and settlement could occur directly on the blockchain to reduce latency and counterparty exposure. Smart contracts can be used with different financial instruments and be pre-programmed to carry out actions such as payment of bond coupons or dividends. Anti-money laundering and know-your-customer processes can be stored on the blockchain to ensure secure and rapid authentication without storing sensitive data at third-party repositories. Finally, one of the most fundamental features is that the blockchain has transaction history built in, delivering a fully transparent and accessible transactional database for the governing bodies [Greyspark, 2015].

When it comes to computer security, the decentralisation of data storage within blockchains has the potential to manage large data quantities in a more secure way than the centralized solutions that are used today [Bauman et al., 2016], which could be used as a competitive advantage compared to traditional methods of data storage.

One important application of blockchains is proof of existence, verifying documentation in a permanent way, which is possible as data is time-stamped and immutable [Bauman et al., 2016]. Data that is stored in a blockchain cannot be altered without redoing the proof-of-work for that block and for every block after it [Nakamoto, 2008].

Even if blockchain is still a relatively new technology, new implementations are to be expected very soon. It was initially explored by FinTechs, but now all sectors are starting to realise the potential that blockchain technology allows. In 2016 blockchain investments increased 79% year-over-year to a total of $450 million.

The blockchain is moving out of the lab: 77% of the respondents in a global survey of 1,308 financial services and FinTech executives expect to adopt blockchain by 2020 [PWC, 2017].

2.3.4 Regulations

As blockchain technology is still very new it is not clear what types of regulation will be needed and for what purposes. As most current implementations are within the field of cryptocurrencies, that is also where current regulation has been focused. It is important to separate blockchain as a technology from the different applications based on blockchain, such as Bitcoin as a cryptocurrency.

When it comes to cryptocurrencies there is a clear difference in how different countries tackle the question of regulation: countries such as Canada and Hong Kong take the approach of not regulating cryptocurrencies in order to support innovation. Bolivia, Ecuador, Bangladesh and Iceland, on the other hand, have banned the use of Bitcoin as a cryptocurrency [Bauman et al., 2016].

When it comes to this new technology and its applications it would be advisable to wait some time before regulating it; it would be best if the blockchain were left alone until it matures further. Regulators are used to regulating the "trust providers", but as trust is changing it would be advisable to hold off on further regulation [Mougayar, 2016].

According to the most recent annual report from the European Central Bank, blockchain is, at this stage of its development, not mature enough and therefore cannot be used in the Eurosystem's market infrastructure [European Central Bank, 2017].

2.3.5 Personal data

Personal data framework

One application of the blockchain is to manage personal data. A prediction for 2025 is that the blockchain will allow us to hold our online identity and reputation in a decentralized blockchain where individuals themselves own their data [Mougayar, 2016], which is also supported by the inventor of the World Wide Web, who claims that individuals should have full control of their own data [Curtis, 2014]. One proposed framework is to use a protocol that turns a blockchain into an automated access-control manager that does not require trust in a third party [Zyskind et al., 2015], presented in figure 2.6 below:

Figure 2.6. Overview of a decentralized platform to manage personal data where services can query data from a blockchain backed by a Distributed Hash Table (DHT) [Zyskind et al., 2015].

The platform that Zyskind et al. (2015) suggest has two main transaction types: Taccess, used for access-control management, and Tdata, used for data storage and retrieval. Any personal data to be communicated from the user is encrypted with a shared encryption key and submitted with a Tdata transaction. The encrypted data itself is kept in an off-blockchain distributed hash table; what the blockchain stores is only a pointer to it, the hash of the data [Zyskind et al., 2015]. The personal data therefore still has to be stored in a traditional way, and the suggested framework mainly solves the challenge of permissions. One important feature of the framework suggested by Zyskind et al. (2015) is that the user can change the permissions granted to a service at any time simply by issuing a new Taccess with a new set of permissions.

As public and private keys are used, every user can generate as many pseudo-identities as needed, which increases privacy. The challenge that services processing data are able to observe the raw data could be solved by running the computations directly on the network and returning only the final result. If data is split into shares rather than encrypted, multi-party computation could be used to securely evaluate any function, with the final result stored in the blockchain [Zyskind et al., 2015].


The personal blockchain

There are about 1.5 billion poor people worldwide, over the age of 14, who cannot identify themselves according to the demands set by authorities. But when it comes to proof of identity it can be a problem for both rich and poor. For the rich the problems concern anti-money laundering, know-your-customer and increased costs for legal and regulatory compliance. The poor are often excluded from property ownership, free movement and social protection simply because they cannot prove who they are [Mainelli, 2017].

Proving your identity today is often an expensive process involving a lot of manual work, which consumes time and resources; the blockchain could help us prove our identities in a digital world [Mainelli, 2017]. With a personal blockchain this process could potentially be instant, by utilizing the trust that is built into the blockchain without a trusted third party.

When it comes to smart contracts, introduced in chapter 2.3.2, that can be deployed on the blockchain, Szabo suggested (1995) that multiple virtual personas could be used to share only the data that the person would like to share [Gord, 2016].

2.4 Open innovation

One way to develop new solutions is to involve customers and partners in the innovation process, which is called open innovation. By involving the customers early on, new solutions can be customized for their specific needs, and it has become more common to include customers, suppliers and other resources in product development and processes. This phenomenon can be used to reduce the cost of product development. In contrast to classic innovation, where huge investments are poured into a research and development department, open innovation allows for the exchange of ideas, knowledge and technology with others in order to improve efficiency and reduce risk [Walling and Krogh, 2010].

Including end users in the process can have a great impact on the result and possibly speed up customer acquisition. Not all industries have the same degree of customer involvement, and in many cases the focus is mostly on the technology [Tidd and Bessant, 2013].

One challenge is to organize for, and to choose when and how to use, open innovation. One solution is the five-step model for integrating knowledge in open innovation presented in figure 2.7:

Figure 2.7. Five step Open Innovation model [Walling and Krogh, 2010].

Inviting stakeholders in advance and discussing the pros and cons of opening up the innovation process to other parties is an important first step. Defining the steps of the innovation process is also an opportunity to establish commitment to the collaborative process. Without an internally shared goal definition there is a risk of biases, which must be avoided during the first step.

After the definition is done, the second step is about realising that not all knowledge is found inside the organisation. By understanding the goal of the innovation process the focus shifts towards a "where can we access this knowledge" approach, and the process shifts more towards knowledge management in general.

For the third step it is important to specify how teams and people should contribute to the innovation process. Walling and Krogh (2010) suggest four main mechanisms for integration:

1. Integrate knowledge from outside

A defined set of rules about when and how to bring in an external consultant to solve a problem or task can help free up time and resources, so that internal research and development can focus on external innovation.

2. Sequencing of tasks

Steps during the open innovation process can be planned in advance based on when they occur in time. For example, external focus groups can be used to produce objective results.

3. Routines triggered by issues

Mechanisms are built into the process whereby deviations or unexpected results are verified and checked for inconsistency.

4. Decision making

External resources are involved not only to solve predefined tasks but also to define the processes.

Moving on to the fourth step in the Open Innovation model, there is a need for an effective governance mechanism. The goal is to acquire new knowledge, and therefore it is important to be aware of, for example, how participants in the open innovation process are selected or how internal versus external conflicts should be managed. The fourth step is about making it feasible for outsiders to contribute.

The fifth and last step in the model is to balance incentives and control. There must be a balanced incentive for all involved in the innovation process, which is something that all project managers must take into account. Implementing open innovation is challenging, but if it is done right it can have a great positive effect on, for example, time to market, cost or adaptation to customer needs [Walling and Krogh, 2010].

Chapter 3

Method

This chapter begins with a description of the research process and then presents the methods by which data was collected from interviews, with support from the software experiment. A detailed overview of the interviews is presented, and the chapter concludes with a discussion about the validity, reliability and generalizability of the methods used.

3.1 Designing the research process

The purpose of this paper was to investigate how blockchain technology can be used to provide a higher degree of privacy for the individual when deployed in the context of the upcoming PSD2 regulation. One of the biggest challenges during this thesis was the limited access to previous research in the research area. Exploratory research is often conducted when there are limited or no earlier studies [Collis and Hussey, 2013]. Due to the limitations in previous research, as PSD2 is a new directive and still not deployed, an exploratory approach with an initial literature study was used to understand the ongoing process and discussion.

The purpose of the research design must be to gather material which reflects the entire phenomenon [Blomqvist and Hallin, 2015], and therefore initial meetings with individuals affected by PSD2 helped to speed up the process as they shared their experiences. Participation in the panel discussion at the Ratkaisu event in Finland, with the theme "Defining Tomorrow's Bank – War or Collaboration with FinTechs", was also useful for further understanding PSD2 and how it affects current financial institutions. Overall the method can be described as learning from previous research, defining a software experiment and verifying the primary results from the experiment with interviews. The overall research design used in this thesis is illustrated in figure 3.1.


Figure 3.1. Research design of this study.

The problem was updated in iterative collaboration with a supervisor from CGI Sverige AB, after which a literature review was conducted to gather the necessary information about the problem. After the initial literature study was completed, an experiment was performed with a software integration where a basic blockchain was developed in a sandbox environment to evaluate how it could be used in the context of the data made available by PSD2. The result from the experiment was used as the foundation for qualitative semi-structured interviews with different organisations that will be affected when PSD2 is set in motion. During this thesis a lot of abbreviations were used, which initially was a challenge. It turned out that people involved in PSD2 use these abbreviations in most communication, and therefore this thesis adapted to that vocabulary; the reader is asked to use the list of abbreviations when needed.

3.2 Literature review

Literature and research papers were used as a starting point and as secondary sources to understand the research area. The literature review helps to understand the area of contribution [Blomqvist and Hallin, 2015], and it is also clear that no prior investigation has been done into whether blockchain technology could be used to manage the challenges from the new PSD2. This insight helped to position this thesis in relation to other research and to understand the contribution of this study.

The literature was later used to design the software experiment in order to conceptualize the phenomenon. The academic papers used were mainly accessed through KTH's database for scientific articles, but as both blockchain and PSD2 are still new research areas, many other online resources were used during this study. Despite the chapter title, much of the data is not from established literature, due to the fact that not much research has been done on PSD2.

PSD2 is described in detail in the raw legal directive from the EU, which has been the main source of information about PSD2. But as the directive is still being developed and updated, the data gathering process has been challenging; the final report on the draft of the RTS was released during the literature study. Other secondary sources, such as consultancy reports, have been very useful for evaluating the possible effects PSD2 might have when it is initiated. The consultancy reports used could be biased, but triangulating between the different reports, academic material and the directives helped to limit the risk of biased information.


Main keywords in the literature study: blockchain, PSD2, GDPR, FinTech, Bitcoin, decentralized data, payments directive, privacy

3.3 Software experiment

3.3.1 Incentive

The software experiment was a prestudy for the author to investigate blockchain in more depth before conducting most of the interviews. A simple and concise software experiment would make it easier to discover possible applications of, and obstacles to, using the blockchain to manage personal data originating from banks.

The incentive for doing an implementation, instead of a purely theoretical concept, is to study the problem further and to be able to visualise abstract findings during the interviews, in order to verify whether the suggested solution is advantageous in the proposed context.

3.3.2 Definition

TPPs will soon be able to access consumer data from APIs provided by the banks when PSD2 is deployed. This data could potentially be encrypted, stored and managed in a distributed blockchain. This experiment aims to provide a framework and a basic implementation of how this process could be managed, in order to discover the possible outcome. Instead of companies accessing the bank APIs directly, this blockchain implementation acts as a middleware. All AISPs would use the blockchain and access the banks' data indirectly, instead of communicating directly. Compared to the new possible data flow with AISPs presented in chapter 2.1.2 and figure 2.2, this implementation would act as a middleware between AISPs (now called actors) and bank APIs, as illustrated in figure 3.2:


Figure 3.2. Possible application of this experiment where the blockchain acts as a decentralized, encrypted storage middleware between actors and banks to ensure that consumer privacy is intact.

The blockchain now becomes what is defined as an AISP, which also means that only one entity communicates with the banks instead of every actor individually.

To further describe how actors and consumers can utilize the blockchain middleware the suggested process is illustrated in figures 3.3 and 3.4.


Figure 3.3. Banks (or other data sources) can write data to the blockchain with the consent from a user.

Figure 3.4. Actors can execute services on the blockchain, based on data from the blockchain shared from a user, and access and read only the result.

When data is written to the blockchain only the user holds the keys needed to decrypt and use the data. Services are built on top of the blockchain to enable actors, when the user allows it, to execute a specific service that is granted access to data on the blockchain. The service, and only the service, can access the raw data decrypted from the block, but only the result is allowed to exit the blockchain. Data that is written to the blockchain can never leave the blockchain; it can only be used in internal execution while a service is running.

3.3.3 Implementation

A basic implementation of a blockchain was developed in Node.js based on the open source Naivechain by Lauri Hartikka (2016). Naivechain is an attempt to provide as concise and simple an implementation of a blockchain as possible [Hartikka, 2016], suitable for a basic experiment. The software environment Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient [Node.js Foundation, 2017].

3.3.4 Experiment delimitation

During this basic experiment a simplified consensus model was used, based on an algorithm where the longest chain always wins. Normally the consensus algorithm must be chosen with care, as described in 2.3.2, but this experiment was limited to a proof of concept.

3.4 Interviews

During this investigation it has been important to access data both from literature and from interviews. The primary results from the software experiment have been used as the foundation for the qualitative interviews. As the interviews were conducted they shifted from an unstructured approach towards a semi-structured one, but during all interviews the interviewees were able to share their experience in their field of interest. It was useful to shift from unstructured towards semi-structured as the author learned more about the research area and could adapt the interviews as more information was discovered. None of the interviews were recorded; they were transcribed directly during the interview. The lack of recordings could affect validity negatively. To counter that, all interviewees have approved how they are referenced after the writing of this thesis. A detailed overview of the interviews that were conducted is presented in table 3.1.


Date and time | Interviewee | Title | Type
2017-01-19 13:00 - 13:40 | Nicolaj Hval-Thomsen | Head of Innovation Lab in Transaction Banking at Nordea | Unstructured, blockchain, phone
2017-04-10 13:05 - 13:45 | Jenny Rolling | Head of Cash Management at Riksgälden | Unstructured, PSD2, blockchain, personal
2017-04-10 15:60 - 16:55 | Jan-Olof Brunila | Deputy Director Group Cards at Swedbank Group | Unstructured, PSD2, blockchain, phone
2017-04-11 10:50 - 11:25 | Johan Terfelt | Senior Advisor at Finansinspektionen | Semi-structured, PSD2
2017-04-11 12:55 - 13:20 | Linda Hellström | Compliance expert and CEO of GRC WATCH AB | Semi-structured, PSD2, blockchain, phone
2017-04-12 08:15 - 09:30 | Björn Segendorf | Adviser at Sveriges Riksbank | Semi-structured, blockchain
2017-04-12 09:10 - 09:30 | Johan Schmalholz | Economist at Sveriges Riksbank | Unstructured, PSD2, blockchain
2017-04-12 13:00 - 14:35 | Mikael Derkert | Business Developer at Bankgirot | Semi-structured, blockchain
2017-04-12 13:00 - 14:35 | Oskar Havland | Business Developer at Bankgirot | Semi-structured, blockchain
2017-04-12 15:30 - 16:15 | Stefan Åkerblom | Senior Economist at Konkurrensverket | Semi-structured, PSD2

Table 3.1. Interviews that were conducted during this investigation.

3.5 Results

All data that was gathered and presented consists of results from the interviews.

The results were organised into themes very close to the structure of the interviews, as most of the interviews started with the background of PSD2, followed by a general view on blockchain and lastly a discussion about the blockchain experiment. Innovation was a theme that emerged from the general discussions about PSD2. It was helpful during the analysis to be able to analyse one theme at a time, and it is also convenient for the reader to be able to study one theme at a time rather than one specific interview.


3.6 Reliability, validity and generalizability

3.6.1 Reliability

Reliability refers to the possibility of repeating the research and getting the same result with high accuracy and precision [Collis and Hussey, 2013]. One challenge during this thesis was that the data available on PSD2 was changing and being revised as we moved closer to the deadline by which compliance should be in place. But despite the clarifications and interpretations of the demands for legal compliance, the main purpose of PSD2 is still the same. If this research were to be repeated, even with updated data, the result is expected to be very similar. Reliability is achieved when a majority of informants agree on a shared opinion [Blomqvist and Hallin, 2015], and therefore it was important to conduct multiple interviews with different organisations that are affected by PSD2. During the semi-structured interviews a pre-prepared guide was used to ensure the collection of reliable and comparable qualitative data. But despite the pre-prepared guide, one challenge with semi-structured interviews is that reliability could be affected negatively, as it might be hard to redo the interviews and expect the same results, due to the nature of semi-structured interviews.

Overall, with the literature currently available, PSD2 in its current form and the data gathered from interviews based on the basic software experiment, this thesis is considered to be reliable and repeatable. One challenge with reliability is that if the interviewees were asked the same questions in a few years, when PSD2 has been deployed, their answers are expected to be different as new experiences could be drawn upon.

The use of blockchain technology is expected to increase in the coming years; if this study were to be redone, the mindset and knowledge about blockchain would probably be different, and the concerns about the possible immaturity of the technology would not be the same, which could affect reliability.

3.6.2 Validity

The literature and theoretical review of this study have been conducted with different publications, ranging from academic reports to consultancy reports and online articles. As reliable sources are a necessity for answering the research question [Collis and Hussey, 2013], the challenge with validity in this thesis is that there is still no established research on PSD2, which is one half of this thesis, as it is still a very new legal ambition. Publications from established consultancy firms have their own agenda, but key parts chosen with a critical mindset, merged with the directive itself, provide an interesting and useful overview. Time might also affect validity, as the directive is still changing and being adapted for integration into the EU; therefore it is important to point out that new data for the directive might be published after the publication of this thesis.


3.6.3 Generalizability

Generalizability is about how well research findings can be extended to other cases or settings [Collis and Hussey, 2013], and as this thesis focuses on a concept rather than a case study, the generalizability of this thesis is considered to be high.

Even if the prerequisites might be limited to PSD2 and the EU, the thesis is really about managing personal data in a structured way, which could be applied to multiple other environments and settings.

One limitation when it comes to generalizability is how the sampling for interviews was conducted. The interviewees were selected by asking for recommendations from the supervisor, but also from the author's previous connections from relevant events connected to PSD2, which means that no random sample was used. This selection could limit the generalizability of this study.


Chapter 4

Results

In this chapter the results from the interviews are presented. The results are divided into themes, starting with a general overview of PSD2. After that concepts about blockchain are presented, followed by results from the software experiment that was discussed during the interviews. Finally this chapter ends with results related to innovation.

4.1 The effects of PSD2

The purpose presented at the beginning of all interviews has its root in the PSD2 directive, which allows TPPs access to new data. This chapter is a good introduction to the results, as the interviewees have different views on what effect PSD2 is expected to have on the financial market. The next chapter presents the opportunities and challenges the interviewees expect with PSD2.

4.1.1 PSD2 initiative

Ultimately the new PSD2 is an opportunity for the consumers, but there is also risk involved as the landscape is changing so fast [Rolling, 2017]. New payment account data will be available, which is the story of your personal life. Society shifts from a coin-based society to the digital world, where every purchase, when and where, is recorded [Terfelt, 2017]. The consumers should always come first, but PSD2 is also about opening up the financial market for new payment services [Åkerblom, 2017]; there are other directives, such as GDPR, that directly aim to protect the consumer.

When it comes to PSD2 it is not directly a threat, nor a possibility, for the banks. From the banks' point of view the authorities demand compliance to build a better-functioning internal European market. The banks will be able to manage the process, but unfortunately there is a risk that payments will become more complicated for Swedish consumers due to the new rules. We can expect more controls, scrutiny and possible objections in the flow of payments, which affects countries such as Sweden that already have processes for payments [Brunila, 2017].


4.1.2 Regulations

The interviewees share the opinion that the goal behind PSD2 is to further regulate the European payment industry to provide consumers with better services.

One problem today is that there is regulatory uncertainty about how TPPs should access the information they need; there is also a limitation in PSD2 as it only covers payment accounts. Current TPPs, for example TINK and other budget apps, do not only access payment accounts but also collect other information. For the Swedish implementation this means that those TPPs will be more regulated, as they will now only be allowed to access payment accounts for a specific purpose. If these TPPs would also like to provide, for example, lending of credit, they will have to apply for multiple permits. It will now be regulated that the TPPs should exist on the market, which is a good thing. The existing financial players will now know how to manage the new TPPs, which is beneficial for the consumers of financial payment services [Terfelt, 2017].

In general the financial authorities are very cautious in their statements; you must interpret a lot of the regulations yourself. One effect of this is that when new regulations and supervision are introduced, smaller companies might find it hard to manage compliance [Hellström, 2017].

We can expect new related regulations soon about geo-blocking; for example, it will soon be forbidden in e-commerce to sell your service only to specific countries within the EU. Money laundering laws are also being updated: the fourth directive is to be implemented soon and is proposed to ban anonymous payment services, thus restricting electronic currencies like Bitcoin. That would mean that anonymous Bitcoins would be banned, but we do not know for sure until the addendum is released [Brunila, 2017].

Otherwise no specific regulations are expected related to PSD2 in the near future.

PSD2 does not only regulate and support new TPPs entering the financial market, but is also about clarifying and unifying the demands and regulations on current Payment Service Providers (PSP) [Terfelt, 2017]. It would be beneficial for FinTech and competition if the financial authorities could meet and discuss with FinTechs. Otherwise it could be very expensive to always hire consultants to manage compliance and rejections, as most FinTechs are very skilled in technology but often lack experience in compliance [Hellström, 2017].

There is a continuous need to update the legislation; there will most certainly be a PSD3 in the future [Åkerblom, 2017].

4.1.3 Timeline gap

PSD1 is from 2010 and that directive left some questions open; now it is time to take the next step. PSD2 is a part of the EU's digital agenda for the internal market for payments [Brunila, 2017], but there is a challenge with the deployment of PSD2: there is a long gap between when PSD2 is initiated and when the RTS is in place.

EBA will investigate this gap, as there is a request from multiple EU member states to discuss and understand the problem and challenges in order to manage it in a similar way between the different countries. The directive does, for example, include that the countries are not allowed to counteract TPPs before PSD2 is in place, but what does that really mean [Terfelt, 2017]?

The risk with the PSD2 timeline is the gap between PSD2 and the RTS. The reason is that the EU has not been able to align the process so that PSD2 and its technical standards are implemented at the same time [Brunila, 2017].

Despite the gap between PSD2 and the RTS, one estimation is that those who are affected will successfully manage to comply with PSD2 before the deadline; the industry has the knowledge to do that [Terfelt, 2017].

There are uncertainties all around regarding the time plan for PSD2 and Access to Account (XS2A). PSD2 is stipulated to come into force in January 2018, but the specific date depends on the transposition into national law. The directive states that the Account Servicing Payment Service Provider (AS-PSP) must open up for TPP access, but not how this must be done. The RTS on strong customer authentication and secure communication specifies, to some extent, the requirements on XS2A, but the RTS is expected to come into force in Q2 2019 (possibly later). What is required in the period from January 2018 until the RTS comes into force? There are multiple views in the market, both among different commercial actors and authorities. Further, the GDPR introduces requirements on customer consent which need to be managed, or major sanctions could be imposed [Havland, 2017].

What actors in the market can do, may do, and when, needs to be clarified. There are several initiatives on both the European and national level, but there is a major risk that we will see a fragmented implementation of PSD2 [Havland, 2017].

4.1.4 Authentication

EBA is, as far as possible, technology neutral, but SCA is a must [Segendorf, 2017].

One part of PSD2 is that all legal citizens in the European Union have the right to access a payment account [Terfelt, 2017]. This means, for example, that if you are legally located in Spain and have a legal digital authentication, you should be able to open a payment account in Sweden, but how is that supposed to happen? For the Swedish implementation, the digital authentication BankID is not registered and approved in all of the EU [Terfelt, 2017], which causes some challenges with the right to access payment accounts.

The biggest concern is the uncertainty about technical aspects: how should the interface work? The interface could be different compared to what the direct customers get. These concerns are a big challenge right now, and only time will tell how these parts of the directive are implemented [Åkerblom, 2017]. Also note that the RTS, despite its name, are not technical standards as an engineer would understand them, but rather functional standards, as they are written by lawyers [Brunila, 2017].

It is somewhat problematic that online authentication in Sweden is mostly done through BankID, which is jointly owned by the banks. In many other countries this authentication service is provided by the authorities [Åkerblom, 2017]. Historically it has typically been the authorities that issued ID documents; it could be a risk if this is only managed by other parties [Segendorf, 2017]. For the Swedish Competition Authority it is somewhat problematic that the banks could, in theory, set the price for online authentication of citizens and determine the conditions vis-à-vis third parties. This puts a lot of power into the hands of the banks. There are many possible suppliers of online authentication services, but it would be desirable for the government to also provide an alternative [Åkerblom, 2017].

But as BankID currently has a vital role in the Swedish system for authentication, it is also positive. There is a high need for trust, and if authentication becomes too decentralised it could be hard to manage [Rolling, 2017].

It is hard to only look at PSD2 or blockchain; it is not only about PSD2 as a directive, but rather about the fact that we have not yet transitioned into the digital world in its entirety. One example is that when you are driving your car you must have your driving licence with you, as the police do not yet approve BankID as authentication [Derkert, 2017].

4.2 Blockchain

During the interviews, blockchain was foremost discussed in general as a technology, presented below. After the initial discussions the focus shifted towards the blockchain experiment presented in 4.2.2.

4.2.1 Technology

There is a need for a clear goal and strategy of what should be achieved with the blockchain technology. Payments is a natural application, but even the banks consider that maybe they should not start there but focus on other business areas. Not only established banks are interested, but FinTechs are looking into the
