
SAMA’s Regulatory Role Strategy project

Saudi Arabian Monetary Authority

RFI presentation | January 29, 2019

CONFIDENTIAL AND PROPRIETARY
WORKING DRAFT
Any use of this material without specific permission of McKinsey & Company is strictly prohibited
Last Modified 11/10/2018 00:05 Arabian Standard Time

AGENDA

Introduction

Our credentials and experience

Team and working model

Our perspectives on payment regulations

In the room today

▪ Hans Martin Stockmeier, Senior Partner, Dubai
▪ Jawad Khan, Partner, Dubai
▪ Kishan Shirish, Partner, Dubai
▪ Jon Chan, Engagement Manager, Dubai
▪ Phillip Bruno, Co-leader of Global Payments Practice, Partner, New York
▪ Chandrasekhar Panda, Digital payments expert, Dubai
▪ Abbas Sikander, Digital payments expert, Karachi
▪ Karim Jindani, Digital payments expert, Karachi
▪ Gene Neyer, Digital payments expert, New York

McKinsey is uniquely qualified to work with SAMA Payments Regulatory Strategy and implementation

1 We have helped develop financial sector strategy and regulations in KSA and across the GCC, and also supported SAMA in developing the regulatory context and building the supervisory and licensing capabilities for the finance company and mortgage department

2 We have completed 1000+ payments engagements globally and have helped numerous countries develop national payments strategy and regulations e.g. Europe (UK, Nordics, Belgium), Americas (US, Canada, Mexico) and Asia (Pakistan, Singapore, Thailand, Khalistan, Russia, Turkey)

3 We will commit our global and regional experts, on the ground, to bring the best of the Firm to develop the regulatory strategy

4 We will adopt a unique approach by developing a target state digital payment landscape through Future Studios, and then working backwards to identify regulatory, infrastructure and policy changes needed

5 SAMA capability building will be embedded in how we work from day 1, by working together as a single team and through on the job training and a series of capability and knowledge building workshops

SOURCE: McKinsey

We regularly shape the industry together with governments and decision-makers – in the Middle East…
NOT EXHAUSTIVE

KSA
▪ Developed the Finance Company sector strategy, vision and the regulatory framework for SAMA
▪ Implemented licensing and supervision operating model and designed the new Finance Company Control department.

UAE
▪ Developed the 10-year financial sector vision and detailed masterplan
▪ Conducted a 2-year transformation for the central bank’s org, governance, processes, policies, and culture

GCC
▪ Reviewed the consumer lending framework and assessed impact of various prudential measures
▪ Defined mortgage lending framework
▪ Assessed financial system stability

Summary
▪ Developed sector vision in terms of number of new licensed entities to aspire for and share of lending to grow through finance companies
▪ Developed regulatory framework and trade-offs across key levers e.g. capital requirements, ownership requirements, leverage requirements etc. and aligned with SAMA senior management
▪ Designed the licensing requirements and process covering fit and proper requirements, business plan structure, risk assessment map, licensing forms, licensing process
▪ Developed off-site supervision and onsite inspection process and policies for Finance Companies including criteria to assess compliance, reporting requirements etc.
▪ Built the new department assisting in implementing new organization and conducting extensive capability building program

SOURCE: McKinsey Payments practice


We regularly shape the industry together with governments and decision-makers – in Americas…

Engagement types: National payments strategy | Regulation, licensing, and supervision design and implementation | Infrastructure design and implementation

▪ Developed strategic guiding principles to structure payments industry utilities
▪ Created a framework to understand the US payments market, economic trends, and a compendium of payment systems rules
▪ Defined the vision and roadmap for the development of “faster payments” and improving the efficiency of the payments infrastructure in the US
▪ Facilitated creation of common stakeholder vision for Canada’s payment system and formulated final recommendations and drafting of report
▪ Developed digital payments program for social security disbursement
▪ Defined the mobile payments and banking market
▪ Developed a future operating model to enable digital payments across all government departments
▪ Created strategy for payment utility initiatives by member banks
▪ Recommended a model for the Federal Reserve’s multi-district net settlement approach after assessing the risks and implications

SOURCE: McKinsey Payments practice

… in Europe and Africa…
NOT EXHAUSTIVE

Engagement types: National payments strategy | Regulation, licensing, and supervision design and implementation | Infrastructure design and implementation

▪ Created a shared vision on a roadmap for national financial services market
▪ Developed a common vision of the payment industry evolution with a group of banks; built an implementation roadmap for a common automated clearing house
▪ Created national strategic framework for SEPA compliance across 24 direct and numerous indirect participants in the national payments utility
▪ Design and implementation of the UK’s electronic cheque clearing network
▪ Designed a national mobile payment strategy to reduce cash and digitize the economy
▪ Developed and implemented payments strategy to digitize payments and increase financial inclusion

SOURCE: McKinsey Payments practice

… as well as in Asia-Pacific
NOT EXHAUSTIVE

Engagement types: National payments strategy | Regulation, licensing, and supervision design and implementation | Infrastructure design and implementation

▪ Developed strategy for a payments utility to drive digital payments and digitize the economy
▪ Designed vision and approach for regulatory sandbox and created the business processes (e.g., application and evaluation processes)
▪ Supported the design, development and implementation of a real time payments system to drive financial inclusion and digitize the economy
▪ Developed strategy for a payments utility to drive digitization of payments, including assessment of adoption initiatives
▪ Created a digital vision and transformation roadmap to digitize Kazakhstan's economy
▪ Developed strategic plan to digitize payments market and assessed clearing infrastructure set-up and governance
▪ SEA: Developed National Payment Strategy to increase financial inclusion while reducing grey market and tax evasion

SOURCE: McKinsey Payments practice

Our core on ground team and experts

Core team
▪ Hans Martin Stockmeier: Senior partner, Banking practice in Europe and the Middle East, Experience with SAMA
▪ Jawad Khan: Partner, Banking & Payments, Experience with SAMA and Pakistan regulator
▪ Kishan Shirish: Partner, Banking practice in Middle East, Payments and Middle East Expert
▪ Jon Chan: Engagement Manager, Banking practice, Payments experience in Pakistan, KSA

Experts
▪ Phillip Bruno: Partner, Co-leader of Global Payments Practice
▪ Olivier Denecker: Director of Knowledge Payments, Europe, APAC and Latin America expert
▪ Clive Adamson: Senior expert, experience with UK payment regulations
▪ Atakan Hilal: Partner, experience with Turkey payment regulations
▪ Chandrasekhar Panda: Digital expert, experience with Singapore payment regulations
▪ Karim Jindani: Payments expert, experience with payments regulations in Pakistan, Jordan, Rwanda
▪ Abbas Sikander: Payments expert, experience with Pakistan payments infrastructure and regulations

SOURCE: McKinsey


OUR TEAM

We have put together a regional and global team of experts with relevant experience to help develop the corporate strategy

Columns: Relevant experience | National Payments Strategy | Financial regulations and policy design | Licensing and Supervision design and implementation | Digital adoption & innovation | Payments Infrastructure | Countries

Core team
Jawad Khan
▪ Experience with SAMA
▪ Designing digital payment strategy for Pakistan
Kishan Shirish
▪ Building digital payment platforms
▪ Crafting digital payment strategies
Jonathan Chan
▪ Designing payments strategies
▪ Implementing real time payments scheme

Senior leadership
Hans Martin Stockmeier
▪ Experience with SAMA
▪ Developing and implementing licensing processes
Philip Bruno
▪ Supporting government, banks, and utilities to digitize payments

Core senior experts
Olivier Denecker
▪ Developing national strategies to digitize payments across EU, APAC, Latin America (Countries: Europe, APAC, Latin America)
Gene Neyer
▪ Reviewing regulations and policies as board member for the US Faster Payments Council
Clive Adamson
▪ Designing supervisory activities and governance as Head of Supervision at FCA
Chandrasekhar Panda
▪ Developing payment systems
▪ Assessing payments regulations and policy design
Atakan Hilal
▪ Developing strategies for national payments processors, and bank credit card and payment products (Countries: 1)
Karim Jindani
▪ Identifying regulation changes needed as part of National Payment strategy (Countries: 2)
▪ Assessing reg. and reporting framework
Abbas Sikander
▪ Assessing branchless banking and digital banking regulations as part of central bank task forces

1 Azerbaijan 2 Rwandan

OUR TEAM

Working model

Steering Committee
▪ Key representatives from SAMA

Senior Leadership
▪ Hans Martin Stockmeier
▪ Phil Bruno
Roles:
▪ Provide overall leadership

Operational Leadership
▪ Jawad Khan
▪ Kishan Shirish
Roles:
▪ Guide project team
▪ Provide outside-in McKinsey perspective

Experts
▪ Olivier Denecker
▪ Clive Adamson
▪ Atakan Hilal
▪ Chandrasekhar Panda
▪ Karim Jindani
▪ Abbas Sikander
Roles:
▪ Share expertise remotely and on the ground
▪ Guide team, join problem solving
▪ Join workshops
▪ Share global best practices

SAMA team
▪ Project manager
▪ Working team on regulations/supervision

McKinsey working team
▪ Jon Chan (Manager)
▪ 3 consultants
Roles:
▪ Operationally manage the project
▪ Gather data and conduct analysis
▪ Develop recommendations and approach
▪ Prepare workshops
▪ Syndicate recommendations with steering committee and other key stakeholders

SOURCE: McKinsey

SAMA must answer key questions to develop a regulatory strategy for payments in KSA and prepare for a digital economy

Aspiration
▪ What is SAMA’s aspiration for the payments sector in terms of e.g. digitization, convenience, innovation?
▪ What gaps exist in the KSA payments market today vs aspirations?
▪ How might the KSA payments landscape evolve given the country’s dynamics? What new payments systems may emerge?

Required regulations and licensing
▪ Who are the service providers and how would one define them?
▪ What payment activities need to be regulated/licensed to manage risk and ensure inclusivity/growth?
▪ How should the regulations be designed e.g. licensing approach, pricing controls, capital requirements?

SAMA’s role
▪ What should SAMA’s role be beyond regulation, licensing and supervising? (e.g., defining operating and technical standards, such as a common QR code, or enforce ISO standards, regulate MDRs?)

Capabilities needed
▪ How should SAMA best organize itself to support the financial ecosystem?
– What is the ideal organizational model and people required?
– What roles are required?
▪ What new capabilities will SAMA require to regulate and oversee the ecosystem?

SOURCE: McKinsey

Defining the entities based on services offered and to be regulated is both art and science

Services
▪ Account issuance services
▪ Domestic money transfer services
▪ Cross border money transfer services
▪ Merchant acquisition services
▪ E-money issuance
▪ Virtual currency services
▪ Money-changing services
▪ Non bank/Non FC card issuers
▪ Payment Infrastructure/Network operators

Key considerations
▪ What is the vision of KSA’s payments landscape/structure?
▪ How have other digital economies evolved given their context?
▪ Which services, if grown significantly can address current challenges in digitizing the economy?
▪ What services can spur innovation beyond banking?
▪ What services pose significant risk and need to be closely regulated?

SOURCE: McKinsey


With VGI
Key levers control licensing/inclusion of entities

Each lever is shown with the two ends of its range of options:

Services definition | Entity based | Activity driven licensing
Capital requirements | One time | Tiered by size
Transaction volume/nature and risk | Risk managed by type of risk e.g. Cross border transactions | Managed by tiered capital by transaction volume
Fit and proper and shareholder requirements | Set standards by years of experience, history of litigations net worth etc. | Allow thriving entrepreneurship as long as no history legal issues
Risk monitoring/management | Monitoring and management is the responsibility of participants | Centralized monitoring/management of all transactions
Access to RTGS directly | Heavily restricted: Only banks | Open: All authorized participants

SOURCE: McKinsey


With VGI
Other elements that are to be considered in regulations

Each element is shown with its range of options:

Technology standards | Limited standardization | Fully compliant/one standard across key elements e.g., ISO 20022, EMVco QR compliance
Data protection/privacy standard | Basic data protection guidelines | Common data protection guidelines across all participants (1)
Cyber security requirements | Defines minimum security requirements, while participants set their own security policies | Common security management requirements across all participants (2)
Pricing oversight | Not regulated | Caps on MDR and interchange | Controlled MDR/interchange
Consumer protection standards | No specific guideline initially | Set standards e.g. customer complaints response, liability in case of fraud etc.

1 e.g., storage limitations, data usage, consumer consent
2 Requirements for operational and security risk (physical access, data encryption, etc.), the management and reporting of incidents and the mechanisms for authentication and connection security (e.g., strong customer authentication)

Regulators are working with industry to enable innovation and drive digital payments adoption while safeguarding the financial system (1/2)

Columns: Themes | Initiatives by regulators | Examples

1 Improve infrastructure
a Renew payment systems
▪ Real time payment systems being launched either directly by central bank or in cooperation with industry
▪ Renewal of real time gross settlement systems (RTGS) – both national and pan-regional (TARGET2, P27 and GCC)
b Standardize infrastructure
▪ Introduction of standardized QR codes to enforce interoperability (e.g., Singapore, India)

2 Broaden participation
a Opening access to non-financial entities
▪ Open banking to foster innovation and competition by opening up access to financial data, and allowing additional players to provide services – available or being launched in 36 countries (e.g., UK Open Banking, developing in Canada, Australia, Singapore)
b Modernize regulations
▪ Legacy licenses being streamlined and consolidated to introduce a single regime (e.g., Singapore, UK)
▪ Move to technology agnostic, activity based definitions rather than product based (e.g., Singapore)
▪ Introduction of tiered requirements to limit exposure and safeguard ecosystem
c Provide sandboxes for testing
▪ Technical and regulatory sandboxes established to allow new fintech solutions to be safely tested (e.g., UK, Singapore, Thailand)
▪ Regulators are coordinating to allow fintechs to test in multiple countries (passporting)

3 Protect consumers
a Enhance cyber security and data protection
▪ EU Network Information Security Directive, EU General Data Protection Regulation (GDPR)
▪ Tokenisation, authorisation and consent management being incorporated in systems
▪ BIS (2) set PMFI (1) cyber resilience principle for 2 hour recovery time after disruption
▪ PSD2 in EU will require strong identity checks, protect consumers against fraud
b Improve response to consumer complaints
▪ Improvements in systems to provide data to resolve consumer complaints, including pricing, charging and billing (as required by PSD2, CFPB)

1 Principle for Financial Market Infrastructure 2 Bank of International Settlement

SOURCE: McKinsey


Regulators are working with industry to enable innovation and drive digital payments adoption while safeguarding the financial system (2/2)

Columns: Themes | Initiatives by regulators | Examples

4 Drive adoption
a Create incentives for adoption
▪ Direct financial incentives being introduced for users to use digital payments (e.g., India, Korea and Thailand introduced “lucky draws”, tax incentives in India)
b Regulate pricing to drive adoption
▪ Pricing being limited to encourage acceptance (e.g., EU Interchange Fee cap of 0.2% on debit, 0.3% credit; Australia interchange fee limited to 0.88%, debit fee <16.5 cents or 0.22%)
▪ Subsidize MDR (India)

5 Enhance capabilities and processes
a Adopt new RegTech and SupTech
▪ Regulators are enhancing their own digital capabilities to match those of participants, and leveraging digital tools to better supervise the rapidly evolving digital ecosystem (e.g., Singapore using data analytics and AI to enhance AML capabilities)
b Actively manage and engage participants
▪ Payments councils are established to engage and align banks, PSPs and other fintech related players (Singapore, Australia)

SOURCE: McKinsey


We propose a 3 phased project plan over 24 weeks
PRELIMINARY

Phase 1: Benchmarking and gap analysis (6 weeks)
Phase 2: Define payments regulatory strategy (8 weeks)
Phase 3: Drafting and implementation (10 weeks)

[Timeline chart covering weeks 1 to 24; the activities of each workstream are listed below in chart order]

General regulation
▪ Payments regulation benchmarking and future vision definition
▪ Regulation gap analysis
▪ Identify critical KSA regulatory components, and define which participants, activities, infrastructure/networks and standards should be subject to regulation
▪ Define overall regulatory strategy, and create phased program with prioritized deliverables
▪ Draft regulations

Key meetings
▪ Future studios workshop
▪ Internal workshop
▪ Internal workshop
▪ Internal workshop

Licensing
▪ Identify and create new licensing categories
▪ Draft licensing requirements and artefacts
▪ Plan and trigger the licensing process
▪ Implement licensing process and create licensing process

Oversight
▪ Benchmark oversight practices globally
▪ Assess SAMA’s oversight approach and identify gaps
▪ Develop future oversight model (regulations, policies, functional and technical capabilities to support oversight)
▪ Design oversight implementation plan (org structure, governance framework and industry engagement)
▪ Support SAMA in developing the functional capabilities and processes

Supporting activities
▪ Support licensing activities
▪ Support oversight activities
▪ Propose and develop methods and platforms for market consultation and forums as needed.

SOURCE: McKinsey


APPENDIX

Payment use cases must be prioritized based on transaction value and volume
ILLUSTRATIVE

Legend: Deep dive provided

PRIORITY USE CASES

Use case | Value p.a. (Currency) | Volume p.a. (bn transactions)
a Merchant payments (goods/services) – in-person and online | ~20 | ~39
b Utility bills (incl. mobile top-up) | ~1 | ~8
c P2P incl. domestic remittances | ~3 | ~1
d National Savings scheme | ~1 | <0.1
e Private sector salaries and wages | ~15 | ~0.5
f SME supplier payments (1) | ~6 | ~1
g Tax payments | ~3 | <0.1
h Dividends | ~0.5 | <0.1
i Federal government salaries and pensions | ~0.5 | <0.1
j Provincial government salaries and pensions | ~1 | <0.1
k Federal government supplier payments (services and goods) | ~1 | <0.1
l Welfare payments (3) | <10/26/21.1 | <0.1



Globally, real time payment infrastructures have enabled a variety of products & services

[Figure: phone screen mock-ups illustrating six capabilities]
▪ QR code payments
▪ Contact payments
▪ Close range payments
▪ Interoperable payments
▪ Integration into widely used apps
▪ Platform for robust marketing

SOURCE: Press search


Singapore’s regulator has made a concentrated effort to digitize payments
NON EXHAUSTIVE

Governance
Description
▪ Establishment of the National Payments Council (1) to regulate and drive digital payments
▪ New Payments Services Bill in 2017 by MAS to create a single modular framework that is technology-neutral and activity based
▪ Centralization and consolidation of payment infrastructure, particularly on integrated POS (with some subsidies) and common QR standard
Commentary
▪ Government push to Smart Nation to create convenience for customers and potential savings of S$150m annually to the economy
▪ Close monitoring of digital payments landscape

Issuers
Description
▪ Card networks & non-banks (e.g. large department stores, stored value facility) issuers may issue credit cards as their own brand or co-branded with scheme providers
Commentary
▪ MAS promotes competition and several use cases will continue to be fragmented due to presence of single-purpose & multi-purpose SVFs

Acquirers
Description
▪ Free market environment for acquirers with no regulation on MDR
▪ MAS planning to rollout unified POS terminals and common QR code “SGQR” by NETS with S$30m investment from government with full transition to “SGQR” planned
Commentary
▪ Acquisition highly competitive market in Singapore with networks, banks and PSPs trying to get the merchant relationship
▪ MAS is closely monitoring interchange caps being implemented by other countries but currently does not regulate interchange fees – balance of driving merchant adoption and enabling profitable acquirer economics
▪ SGQR is expected to gain wide acceptability

Others
Description
▪ Currently there is no single national infrastructure operator or ATM network to replace the current multiple bank-owned models
▪ Launch of FAST in 2014 offered by 20 banks to promote faster and more efficient fund transfers (previously up to 3 working days for funds transfer between banks to be processed)
Commentary
▪ Exploring creating a single national infrastructure operator to ensure consistency and consolidation of investments to achieve scale and foster innovation through expanding access to the payment systems

1 Formed by MAS, includes 20 members comprising of banks, PSPs, businesses and trade associations

SOURCE: Expert interviews, KPMG APAC financial report, MAS

MAS introduced a single payment service legislation to consolidate and streamline licensing requirements for PSPs

Introduce single licensing regime

Columns: Services offered by payment service providers | Payment Systems (Oversight) Act 2006 | Money-Changing and Remittance Businesses Act (2008) | New payment services (1) | New Payment Services Bill (2018)

Services offered by payment service providers
▪ Account issuance services
▪ Domestic money transfer services
▪ Cross border money transfer services
▪ Merchant acquisition services
▪ E-money issuance
▪ Virtual currency services
▪ Money-changing services

Single licensing regime:
▪ Streamlines licensing process
▪ Reduces time and effort required by PSPs
▪ Attracts FinTechs due to clarity and simplicity of process

1 Previously unregulated

SOURCE: Consultation paper on Payment Services Bill, Expert interview

MAS introduced a new payment service bill with activity-based licensing to regulate new payment methods focusing on retail payment services

Activity based payments framework

Payment Systems Oversight Act (2006)
Previous licensing regulations had product-based, generic definitions for payment service providers which were inadequate and created ambiguity in the licensing process
Example: “Payment system” means a funds transfer system or other system that facilitates the circulation of money, and includes any instruments and procedures that relate to the system – PS(O)A 2006

Payment Services Bill (2018)
Technology agnostic bill which states PSP activities MAS regulates. New Payment Service Bill issues licenses to PSPs which provide
1. Account issuance services;
2. Domestic money transfer services;
3. Cross border money transfer services;
4. Merchant acquisition services;
5. E-money issuance;
6. Virtual currency services;
7. Money-changing services

Activity-based licensing in the new payments bill:
▪ Regulates new payment service methods
▪ Reduces ambiguity
▪ Simplifies licensing decisions and evaluations
▪ Allows tiering based on type of payment activity

SOURCE: Regulatory Framework for Stored Value and Electronic Payment Systems and Consultation Paper on Payment Services Bill

… and to introduce tiered regulatory requirements for different payment service providers
NON EXHAUSTIVE

Risk based, tiered regulatory requirements

Payment Services Bill (2018)

The new payment services bill has introduced tiered licensing requirements for different payment service providers.
For example:

Requirements: Licensing (1) & Business conduct | Minimum paid up capital (S$ 100,000) | Security deposit (S$ 100,000) | AML/CFT

Type of payment licenses
1 Standard payment institution
2 Major payment institution
3 Money changing license

1 Permanent place in Singapore; one Singapore permanent resident executive director

SOURCE: McKinsey


UK has updated its licensing requirements to enable new payments players: Payment service regulation 2017 has two types of Payment Service Providers (PSP)

Payment institutions (PI): "Processing payments"
▪ Firms authorised or registered to provide payment services, e.g.,
– Money remitters
– Certain electronic communication network operators offering payment services
– Non-bank credit card issuers
– Merchant acquiring firms
– Payment initiation service providers
– Account information service providers

Electronic Money Issuers (EMI): "Storing value"
▪ Anyone issuing e-money, which is monetary value represented by a claim on the issuer that is:
– Stored electronically, including magnetically
– Issued on receipt of funds for the purpose of making payment transactions
– Accepted as a means of payment by persons other than the issuer
▪ EMIs may provide payment services
▪ For example, prepaid cards that can be used to pay for goods at a range of retailers, or e-Wallets that can be used to pay for goods or services online

SOURCE: FCA


UK licensing requirements: Payment institutions
NON EXHAUSTIVE

Authorized payment institution (API)
– Average monthly turnover in payment transactions of >€3m
Requirements
▪ Initial capital requirements of €20,000, €50,000 or €125,000, depending on the business activities
▪ Ongoing capital requirements based on the fixed costs or average transaction volume of the business
▪ Robust governance arrangement and clear org structure
▪ Effective procedures to monitor risk
▪ Management are fit and proper persons, with no conviction of financial crimes
▪ 3 year business plan
▪ Professional indemnity insurance

Small payment institution (SPI)
– Average monthly turnover in payment transactions of <€3m
– Does not provide account information services or payment initiation services
– No cross-border payments
– Does not receive passporting rights
Requirements
▪ No initial or ongoing capital requirements
▪ Management are fit and proper persons, with no conviction of financial crimes

SOURCE: FCA


UK licensing requirements: Types of payment services

What is a payment service? Each service is followed by its examples.

Services enabling cash to be placed on a payment account and all of the operations required for operating a payment account
Examples:
▪ Payments of cash into a payment account over the counter and through an ATM

Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account
Examples:
▪ Withdrawals of cash from payment accounts, e.g. through an ATM or over the counter

Execution of the following types of payment transaction:
▪ Direct debits, including one-off direct debits
▪ Payment transactions executed through a payment card or a similar device
▪ Credit transfers, including standing orders
Examples:
▪ Transfers of funds with the customer's PSP or with another PSP
▪ Direct debits (including one-off direct debits). However, acting as a direct debit originator would not, of itself, constitute the provision of a payment service.
▪ Debit card payments
▪ Transferring e-money
▪ Credit transfers, such as standing orders, Faster Payments, BACS or CHAPS payments

Execution of the following types of payment transaction where the funds are covered by a credit line for a payment service user:
▪ Direct debits, including one-off direct debits
▪ Payment transactions through a payment card or a similar device
▪ Credit transfers, including standing orders
Examples:
▪ Direct debits using overdraft facilities
▪ Credit card payments
▪ Debit card payments using overdraft facilities
▪ Credit transfers using overdraft facilities

Issuing payment instruments or acquiring of payment transactions
Examples:
▪ Card issuing including where the card issuer provides a card linked to an account held with a different PSP (see regulation 68 of the PSRs 2017) but not including mere technical service providers who do not come into possession of funds being transferred
▪ Merchant acquiring services (rather than merchants themselves)

Money remittance
Examples:
▪ Money transfer/remittances that do not involve creation of payment accounts

Payment initiation services
Examples:
▪ Services provided by businesses that contract with online merchants to enable customers to purchase goods or services through their online banking facilities, instead of using a payment instrument or other payment method

Account information services
Examples:
▪ Businesses that provide users with an electronic "dashboard" where they can view information from various payment accounts in a single place
▪ Businesses that use account data to provide users with personalised comparison services supported by the presentation of account information
▪ Businesses that, on a user's instruction, provide information from the user's various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies

SOURCE: FCA

UK licensing requirements: electronic money institutions
NON EXHAUSTIVE

Authorized EMI
– Business activities generate average outstanding e-Money >€5 million
– Receives authorization under e-Money regulation
Requirements
▪ Initial capital requirements of €350,000
▪ Ongoing capital requirement of 2% of the average daily outstanding e-money issued by the EMI
▪ Robust governance arrangement and clear org structure
▪ Effective procedures to monitor risk
▪ Management are fit and proper persons, with no conviction of financial crimes
▪ 3 year business plan
▪ Professional indemnity insurance

Small EMI
– Total business activities generate average outstanding e-money <€5 million
– No cross-border payments
– No passporting rights
– Does not provide account information services or payment initiation services
Requirements
▪ If average outstanding e-money >€500,000 must have initial capital at least equal to 2% of their average outstanding e-money; otherwise no initial capital needed
▪ Ongoing capital requirements identical to initial capital
▪ Governance arrangement
▪ Effective procedures to monitor risk
▪ Management are fit and proper persons, with no conviction of financial crimes
▪ 3 year business plan

SOURCE: FCA

FCA has multiple consumer protection regulations to protect customers from unfair practices of payment service providers

Payment Services Directive (PSD2)
▪ Clearly outlines consumer protection guidelines that all payment service providers must follow. For example:
– Immediately refund consumers if their debit card is lost and used to make a payment (subject to conditions)
– Ensure tiered refund for consumers in case of unauthorized debit transactions (in case of consumer negligence, consumer is only liable for the first £35 of any loss)
– Ensure strong customer protection by making two or more authentication steps compulsory

Distance Marketing Directive
▪ Ensures PSPs provide customers adequate information when entering into a contract. For example:
– Marketing information is clear, comprehensible and appropriate to the means of distance communication

The Unfair Terms in Consumer Contracts Regulations 1999 (UTCCRs); Consumer Rights Act 2015 (CRA)
▪ PSPs/e-money issuers must ensure that the following are provided to consumers:
– A detailed risk assessment (of fraud and illegal use of sensitive and personal data)
– A description of mitigation measures against risks identified
– Measures taken to ensure protection of software and IT systems, especially in cases of outsourced operations

The Consumer Protection from Unfair Trading Regulations 2008 (CPRs)
▪ The CPRs intend to protect consumers from unfair advertising and marketing practices by businesses. PSPs and e-money issuers must avoid:
– Misleading as to the extent of the protection given by safeguarding
– Suggesting funds are protected by the Financial Services Compensation Scheme and they aren’t
– Describing accounts provided by PSPs as ‘bank accounts’ or otherwise implying that such a provider is a bank
– Advertising interbank exchange rates that will not be available to the majority of customers

UK

FCA is promoting innovation and ensuring appropriate consumer protection safeguards by establishing Regulatory Sandboxes

Sandbox approach
▪ Space for innovators to test new ideas with real customers
▪ FCA closely oversees trials using a customized regulatory environment for each pilot – including safeguards for consumers
▪ Provides the FCA with intelligence on developments, trends and emerging risks

Key features of UK sandbox
1 Simple, online application process: Easy to navigate website with a 4 page online application
2 No application fee: No application fee
3 Case to case relaxations based on risk assessment: No standard relaxations on requirements - FCA conducts case-by-case review on waivers applied
4 Strong consumer protection guidelines: 4 key guidelines - informed consent, notification of risks, compensation of losses and a fair exit strategy1
5 Globally integrated with other sandboxes: Regulatory collaborations with 11 countries (Singapore, Australia, USA, Dubai, etc.) which allows firms to navigate between countries as they look to scale their ideas

1 Plan to wind down in case of unsuccessful tests or technological failure

SOURCE: McKinsey


UK

UK regulatory framework includes several bodies, with FCA taking responsibility for all payments institutions

Bank of England
▪ Producing and enhancing the stability of the financial services system of the United Kingdom, aiming to work with other relevant bodies including the Treasury, the PRA and the FCA. The Bank’s Special Resolution Unit is responsible for resolving failing banks using the Specific resolution regime.

FPC
▪ Contribution to the Bank’s objective to protect and enhance financial stability, through identifying and taking action to remove or reduce systemic risks, with a view to protecting and enhancing the resilience of the UK financial system
▪ FPC powers of recommendations and direction to address systemic risk

PRA
▪ Enhancing financial stability by promoting the safety and soundness of PRA authorized persons, including minimising the impact of their failure

FCA
▪ Enhancing confidence in the UK financial system by facilitating efficiency and choice in services, securing an appropriate degree of protection, and protecting and enhancing the integrity of the UK financial system

Scope of regulation
1 Prudential regulation: Systemic infrastructure, central counterparties, settlement systems and payment systems
2 Prudential regulation: Prudentially significant firms, deposit takers, insurance, some investment firms
3 Prudential regulation: Investment firms and exchanges, other financial services providers including IFAs, investment exchanges, insurance brokers and fund managers
Conduct regulation: All financial firms

[Chart: Split of responsibilities between PRA and FCA. Labels: Financial Conduct Authority; Prudential Regulation Authority; Over 50,000 firms; 1,600 firms; E-money institutions; Consumer credit; Payment services; Stock brokers; Fund managers; Asset managers; Mortgage brokers; Insurance intermediaries; Investment firms; Designated investment firms; Insurers; Deposit-takers; Prudential supervision]

SOURCE: PRA public records, team analysis


Best practice regulatory sandboxes have some common features which allow them to attract fintechs and foster innovation in payment services

Singapore and UK’s sandboxes are ranked overall number 1 when evaluated against World Bank Doing Business Index, the Global Innovation Index and the Global Financial Centres Index 1

Key Features of Sandbox

1 Simple, online application process
▪ United Kingdom: Easy to navigate website with a 4 page online application
▪ Singapore: Easy to navigate website and a 2 page online application

2 No application fee
▪ United Kingdom: No application fee
▪ Singapore: No application fee

3 Quick turn-around on evaluation decision
▪ United Kingdom: Can take up to 2-3 months
▪ Singapore: In 21 days evaluation decision announced

4 Case to case relaxations, based on risk assessment
▪ United Kingdom: No standard relaxations - FCA conducts case-by-case review on waivers applied
▪ Singapore: MAS maintains a list of possible relaxations; however there are some compulsory regulations

5 Strong consumer protection guidelines
▪ United Kingdom: 4 key guidelines - informed consent, notification of risks, compensation of losses and a fair exit strategy (plan to wind down in case of unsuccessful tests or technological failure)
▪ Singapore: 2 key guidelines - Informed consent and fulfilling aligned obligations before exit

6 Globally integrated with other regulatory sandboxes
▪ United Kingdom: Regulatory collaborations with 11 countries (Singapore, Australia, USA, Dubai, etc.) which allows firms to navigate between countries as they look to scale their ideas
▪ Singapore: Regulatory collaborations with 8 countries (UK, South Korea, India, Australia, Abu Dhabi) which allows firms cross-border trial of solutions

1 A tale of 44 cities - Deloitte

SOURCE: McKinsey


SINGAPORE

MAS introduced a regulatory sandbox with a range of possible regulatory relaxations to allow testing of different innovative payment solutions

Capital
“Possible to relax” requirements:
▪ License fees
▪ Minimum liquid assets/ paid-up capital
▪ Fund solvency and capital adequacy

Financial
“Possible to relax” requirements:
▪ Asset maintenance requirement
▪ Cash balances & Credit rating
▪ Financial soundness

Organizational
“Possible to relax” requirements:
▪ Board composition
▪ Management experience
▪ Relative size
▪ Reputation & Track record
“To Maintain1” requirements:
▪ Meeting Fit and Proper criteria

Consumer protection and cyber security
“Possible to relax” requirements:
▪ Technology risk management and outsourcing guidelines
“To Maintain1” requirements:
▪ Confidentiality of customer information
▪ Handling of customer's moneys and assets by intermediaries
▪ Preventing of money laundering and countering the financing of terrorism

Impact
“MAS organised its first ever Fintech Festival in November 2016 and attracted 11,000 participants from more than 50 countries”

1 No relaxation

SOURCE: Fintech regulatory sandbox guidelines


We propose a 3 phased project plan over 24 weeks
PRELIMINARY

Phases (weeks 1-24)
▪ Phase 1: Benchmarking and gap analysis (6 weeks)
▪ Phase 2: Define payments regulatory strategy (8 weeks)
▪ Phase 3: Drafting and implementation (10 weeks)

Key meetings
▪ Internal workshop (three, across the plan)
▪ Future studios

General regulation
▪ Payments regulation benchmarking
▪ Regulation gap analysis
▪ Identify critical KSA regulatory components, and define which participants, activities, infrastructure/ networks and standards should be subject to regulation
▪ Define overall regulatory strategy, and create phased program with prioritized deliverables
▪ Draft regulations

Licensing
▪ Identify and create new licensing categories
▪ Draft licensing requirements and artefacts
▪ Plan and trigger the licensing process
▪ Implement licensing process and create licensing process

Oversight
▪ Benchmark oversight practices globally
▪ Assess SAMA’s oversight approach and identify gaps
▪ Develop future oversight model (regulations, policies, functional and technical capabilities to support oversight)
▪ Design oversight implementation plan (org structure, governance framework and industry engagement)
▪ Support SAMA in developing the functional capabilities and processes

Supporting activities
▪ Support licensing activities
▪ Support oversight activities
▪ Propose and develop methods and platforms for market consultation and forums as needed.

SOURCE: McKinsey


BACKUP

6 Regulators are working with industry to enable innovation and drive digital payments adoption while safeguarding the financial system

Themes, initiatives by regulators and examples

1 Improve infrastructure
a Renew payment systems
▪ Real time payment systems are launched in cooperation with industry, or sometimes directly by the central bank (e.g., Jordan, Mexico)
▪ Renew real time gross settlement systems (RTGS) - national and pan-regional (TARGET2, P27 and GCC)
b Standardize infrastructure
▪ Introduce standardized QR codes to enforce interoperability (e.g., Singapore, India)

2 Broaden participation
a Opening access to non-financial entities
▪ Open banking fosters innovation and competition by opening up access to financial data, and allowing additional players to provide services – available or being launched in 36 countries (e.g., UK Open Banking, developing in Canada, Australia, Singapore)
b Modernize regulations
▪ Streamline and consolidate legacy licensing to introduce a single regime (e.g., Singapore, UK)
▪ Move to technology agnostic, activity based definitions rather than product based (e.g., Singapore)
▪ Introduce tiered requirements to limit exposure and safeguard ecosystem
c Provide sandboxes for testing
▪ Establish technical and regulatory sandboxes to allow new fintech solutions to be safely tested (e.g., UK, Singapore, Thailand)
▪ Coordination between regulators to allow fintechs to test in multiple countries (passporting)

3 Protect consumers
a Enhance cyber security and data protection
▪ EU Network Information Security Directive, EU General Data Protection Regulation (GDPR)
▪ Incorporate tokenisation, authorisation and consent management in systems
▪ BIS2 set PFMI1 cyber resilience principle for 2 hour recovery time after disruption
▪ PSD2 in EU will require strong identity checks, protect consumers against fraud
b Improve response to consumer complaints
▪ Improvements in systems to provide data to resolve consumer complaints, including pricing, charging and billing (as required by PSD2, CFPB)

4 Drive adoption
a Create incentives for adoption
▪ Introduce direct financial incentives for users to use digital payments (e.g., India, Korea and Thailand introduced “lucky draws”, tax incentives in India)
b Regulate pricing to drive adoption
▪ Limit pricing to encourage acceptance (e.g., EU Interchange Fee cap of 0.2% on debit, 0.3% credit; Australia interchange fee limited to 0.88%, debit fee <16.5 cents or 0.22%)
▪ Subsidize MDR (India)

5 Enhance capabilities and processes
a Adopt new RegTech and SupTech
▪ Regulators are enhancing their own digital capabilities to match those of participants, and leveraging digital tools to better supervise the rapidly evolving digital ecosystem (e.g., Singapore using data analytics and AI to enhance AML capabilities)
b Actively manage and engage participants
▪ Establish payments council to engage and align banks, PSPs and other fintech related players (Singapore, Australia)

1 Principle for Financial Market Infrastructure 2 Bank of International Settlement

SOURCE: McKinsey


6.2a There are four main actors in Open Banking in the UK

Regulators
▪ FCA (regulatory body): Defines the regulatory requirements to take part in Open Banking
▪ OBIE1 (implementation body): Determines requirements and specification of the APIs, the protocols through which data is exchanged and guidelines on user experience

Consumers
▪ SME & Retail Users authorize third party providers (TPPs) to access their data held by banks (ASPSPs) when signing up for these services

ASPSPs2
▪ Hold customer data, provide and maintain payment accounts/ banking services and required to publish read/write APIs to make the information available to TPPs in the context of Open Banking
▪ Mandatory ASPSPs are CMA9 Banks who must comply with the Open Banking regulation and expose APIs to share data subject to consumer consent
▪ Voluntary ASPSPs are banks who are not currently mandated to share data but have voluntarily chosen to

TPPs3
Provide services to customer through Open Banking propositions
▪ AISP (Account Information Service Provider): Can read account information and provide consolidated information from multiple accounts
▪ PISP (Payment Initiation Service Provider): Can read account information and initiate a payment order at the request of the payment service user (with respect to a payment account held at another payment service provider)

1 The Open Banking Implementation Entity (OBIE) is the company set up by the CMA in 2016 to deliver Open Banking
2 ASPSPs: Account Servicing Payment Service Providers 3 TPPs: Third Party Providers

SOURCE: McKinsey


UK licensing for Payment Service Providers also allows authorized PSPs and EMIs to provide services in other European countries

Passporting is valid for 30 EEA states
▪ Passporting allows an authorized PSP or EMI to provide their service under EU legislation in another European Economic Area (EEA) state on the basis of authorisation or registration in its home EEA State (UK)
▪ Authorized PSP and EMIs must apply for passports
▪ Passports are country and advice specific and cannot be used in a ‘one size fits all’ way, but simplifies the process of expanding services to other EEA states

[Map: EEA states supporting PSP passporting]






While cashless payments transactions in KSA are growing at 17% p.a., 84% of transactions are still in cash compared to 40-50% in developed markets

While cashless payments transactions in KSA are growing rapidly…
[Chart: Total volume of cashless payments, Millions. Surviving data labels: 223, 231, 289, 363, 435, 503, 586, 700, 805, 937]

…high share of cash transactions indicated significant room for growth
[Chart: Cash’s share of total transactions, Percentage, 2017 estimates, including KSA]

SOURCE: McKinsey Global Payment Map, World Bank
POS and card penetration in KSA is low compared to other countries

[Charts: Number of POS per 1000 inhabitants (2017); Card payments per POS (2017)]

▪ Card penetration is low at ~12%, although transaction volume is growing, at ~25% (5 year CAGR)
▪ POS roll-out accelerating, but significant gap to be closed (~500 POS terminals) to reach similar levels to other countries

SOURCE: McKinsey Payments Research
DIGITAL USERS (DEMAND)

The citizens in KSA are ready for a digital economy…

Individuals are hyper-connected
▪ The number of internet users has almost tripled in 8 years, reaching 90%+ penetration
[Chart: # of Internet Users, Millions, 3x growth to 2018]
▪ 71% mobile penetration (10% growth YoY)
▪ 75% social media users (32% growth YoY), ranked #1 per capita YouTube consumption globally and active Twitter users regionally

Positive attitudes towards digital
▪ 65% of citizens believe that new technologies offer more opportunities than risks
▪ 63% of citizens prefer to complete tasks digitally whenever possible
▪ 78% of citizens believe data privacy and protection are very important

e-Commerce is growing significantly
▪ E-commerce has grown more than 5x in 7 years
[Chart: Value of E-commerce Transactions, Billions USD, from 1.7 to 8.0, 5x growth]
▪ ~40% of the population made an eCommerce transaction in 2017, expected to grow to ~60% by 2020

SOURCE: InternetLiveStats, StatCounter (Q1 2016), Press search, McKinsey report (Digital Middle East: Transforming the region into a leading digital economy), CITC ITC report, Hootsuite
