WORKING DRAFT - CONFIDENTIAL AND PROPRIETARY
Any use of this material without specific permission of McKinsey & Company is strictly prohibited
Last Modified 11/10/2018 00:05 Arabian Standard Time
Introduction
AGENDA
McKinsey & Company2
In the room today
▪ Phillip Bruno: Co-leader of Global Payments Practice, Partner, New York
▪ Chandrasekhar Panda: Digital payments expert, Dubai
▪ Abbas Sikander: Digital payments expert, Karachi
▪ Karim Jindani: Digital payments expert, Karachi
▪ Gene Neyer: Digital payments expert, New York
McKinsey is uniquely qualified to work with SAMA Payments Regulatory Strategy and implementation
1 We have helped develop financial sector strategy and regulations in KSA and across the GCC, and also supported SAMA in developing the regulatory context and building the supervisory and licensing capabilities for the finance company and mortgage department
2 We have completed 1000+ payments engagements globally and have helped numerous countries develop national payments strategy and regulations e.g. Europe (UK, Nordics, Belgium), Americas (US, Canada, Mexico) and Asia (Pakistan, Singapore, Thailand, Khalistan, Russia, Turkey)
3 We will commit our global and regional experts, on the ground, to bring the best of the Firm to develop the regulatory strategy
4 We will adopt a unique approach by developing a target state digital payment landscape through Future Studios, and then working backwards to identify regulatory, infrastructure and policy changes needed
5 SAMA capability building will be embedded in how we work from day 1, by working together as a single team and through on the job training and a series of capability and knowledge building workshops
SOURCE: McKinsey
We regularly shape the industry together with governments and decision-makers –
NOT EXHAUSTIVE
Designed vision and approach for regulatory sandbox and created the
business processes (e.g., application and evaluation processes)
We have put together a regional and global team of experts with relevant experience to help develop
the corporate strategy
Columns: Relevant experience | National Payments Strategy | Financial regulations and policy design | Licensing and Supervision design and implementation | Digital adoption & innovation | Payments Infrastructure | Countries

Core team
Jawad Khan
▪ Experience with SAMA
▪ Designing digital payment strategy for Pakistan
Kishan Shirish
▪ Building digital payment platforms
▪ Crafting digital payment strategies
Jonathan Chan
▪ Designing payments strategies
▪ Implementing real time payments scheme

Senior leadership
Hans Martin Stockmeier
▪ Experience with SAMA
▪ Developing and implementing licensing processes
Philip Bruno
▪ Supporting government, banks, and utilities to digitize payments
Olivier Denecker
▪ Developing national strategies to digitize payments across EU, APAC, Latin America (Countries: Europe, APAC, Latin America)
Gene Neyer
▪ Reviewing regulations and policies as board member for the US Faster Payments Council
Clive Adamson
▪ Designing supervisory activities and governance as Head of Supervision at FCA

Core senior experts
Chandrasekhar Panda
▪ Developing payment systems
▪ Assessing payments regulations and policy design
Atakan Hilal
▪ Developing strategies for national payments processors, and bank credit card and payment products 1
Karim Jindani
▪ Identifying regulation changes needed as part of National Payment strategy 2
▪ Assessing reg. and reporting framework
Abbas Sikander
▪ Assessing branchless banking and digital banking regulations as part of central bank task forces
1 Azerbaijan 2 Rwandan
OUR TEAM
Working model
Roles
Aspiration
▪ What is SAMA’s aspiration for the payments sector in terms of e.g. digitization, convenience, innovation?
▪ What gaps exist in the KSA payments market today vs aspirations?
▪ How might the KSA payments landscape evolve given the country’s dynamics? What new payments systems may emerge?
Required regulations and licensing
▪ Who are the service providers and how would one define them?
▪ What payment activities need to be regulated/licensed to manage risk and ensure inclusivity/growth?
▪ How should the regulations be designed e.g. licensing approach, pricing controls, capital requirements?
SAMA’s role
▪ What should SAMA’s role be beyond regulation, licensing and supervising? (e.g., defining operating and technical standards, such as a common QR code, or enforce ISO standards, regulate MDRs?)
▪ How should SAMA best organize itself to support the financial ecosystem?
E-money issuance
▪ What services can spur innovation beyond
banking?
Virtual currency services ▪ What services pose significant risk and need to
be closely regulated?
Money-changing services
Services definition: Entity based | Activity driven licensing
Capital requirements: One time | Tiered by size
Transaction volume/nature and risk: Risk managed by type of risk e.g. Cross border transactions | Managed by tiered capital by transaction volume
Fit and proper and shareholder requirements: Set standards by years of experience, history of litigations, net worth etc. | Allow thriving entrepreneurship as long as no history legal issues
Risk monitoring/management: Monitoring and management is the responsibility of participants | Centralized monitoring/management of all transactions
Access to RTGS directly: Heavily restricted: Only banks | Open: All authorized participants
Technology standards: Limited standardization | Fully compliant/one standard across key elements e.g., ISO 20022, EMVco QR compliance
Data protection/privacy standard: Basic data protection guidelines | Common data protection guidelines across all participants1
Cyber security requirements: Defines minimum security requirements, while participants set their own security policies | Common security management requirements across all participants2
Pricing oversight: Not regulated | Caps on MDR and interchange | Controlled MDR/interchange
Consumer protection standards: No specific guideline initially | Set standards e.g. customer complaints response, liability in case of fraud etc.
1 Principle for Financial Market Infrastructure 2 Bank of International Settlement

b Improve response to consumer complaints
▪ Improvements in systems to provide data to resolve consumer complaints, including pricing, charging and billing (as required by PSD2, CFPB)
4 Drive adoption
b Regulate pricing to drive adoption
▪ Pricing being limited to encourage acceptance, e.g., EU Interchange Fee cap of 0.2% on debit, 0.3% credit; Australia interchange fee limited to 0.88%, debit fee <16.5 cents or 0.22%)
▪ Subsidize MDR (India)
5 Enhance capabilities and processes
a Adopt new RegTech and SupTech
▪ Regulators are enhancing their own digital capabilities to match those of participants, and leveraging digital tools to better supervise the rapidly evolving digital ecosystem (e.g., Singapore using data analytics and AI to enhance AML capabilities)
b Actively manage and engage participants
▪ Payments council are established to engage and align banks, PSPs and other fintech related players (Singapore, Australia)
Phase 1: Benchmarking and gap analysis (6 weeks)
Phase 2: Define payments regulatory strategy (8 weeks)
Phase 3: Drafting and implementation (10 weeks)
Weeks: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

General regulation
▪ Payments regulation benchmarking and future vision definition
▪ Regulation gap analysis
▪ Identify critical KSA regulatory components, and define which participants, activities, infrastructure/networks and standards should be subject to regulation
▪ Define overall regulatory strategy, and create phased program with prioritized deliverables
▪ Draft regulations
Licensing
▪ Identify and create new licensing categories
▪ Draft licensing requirements and artefacts
▪ Plan and trigger the licensing process
▪ Implement licensing process and create licensing process
Oversight
▪ Benchmark oversight practices globally
▪ Assess SAMA’s oversight approach and identify gaps
▪ Develop future oversight model (regulations, policies, functional and technical capabilities to support oversight)
▪ Design oversight implementation plan (org structure, governance framework and industry engagement)
▪ Support SAMA in developing the functional capabilities and processes
Propose and develop methods and platforms for market consultation and forums as needed.
Governance
Description
▪ Establishment of the National Payments Council 1 to regulate and drive digital payments
▪ New Payments Services Bill in 2017 by MAS to create a single modular framework that is technology-neutral and activity based
▪ Centralization and consolidation of payment infrastructure, particularly on integrated POS (with some subsidies) and common QR standard
Commentary
▪ Government push to Smart Nation to create convenience for customers and potential savings of S$150m annually to the economy
▪ Close monitoring of digital payments landscape

Issuers
Description
▪ Card networks & non-banks (e.g. large department stores, stored value facility) issuers may issue credit cards as their own brand or co-branded with scheme providers
Commentary
▪ MAS promotes competition and several use cases will continue to be fragmented due to presence of single-purpose & multi-purpose SVFs

Acquirers
Description
▪ Free market environment for acquirers with no regulation on MDR
▪ MAS planning to rollout unified POS terminals and common QR code “SGQR” by NETS with S$30m investment from government with full transition to “SGQR” planned
Commentary
▪ Acquisition highly competitive market in Singapore with networks, banks and PSPs trying to get the merchant relationship
▪ MAS is closely monitoring interchange caps being implemented by other countries but currently does not regulate interchange fees – balance of driving merchant adoption and enabling profitable acquirer economics
▪ SGQR is expected to gain wide acceptability

Others
Description
▪ Currently there is no single national infrastructure operator or ATM network to replace the current multiple bank-owned models
▪ Launch of FAST in 2014 offered by 20 banks to promote faster and more efficient fund transfers (previously up to 3 working days for funds transfer between banks to be processed)
Commentary
▪ Exploring creating a single national infrastructure operator to ensure consistency and consolidation of investments to achieve scale and foster innovation through expanding access to the payment systems

1 Formed by MAS, includes 20 members comprising of banks, PSPs, businesses and trade associations
SOURCE: Expert interviews, KPMG APAC financial report, MAS
MAS introduced a single payment service legislation to consolidate and
streamline licensing requirements for PSPs
Introduce single licensing regime
Services offered by payment service providers:
▪ Payment Systems (Oversight) Act 2006
▪ Money-Changing and Remittance Businesses Act (2008)
▪ New payment services1
New Payment Services Bill (2018)
SOURCE: Consultation paper on Payment Services Bill, Expert interview
MAS introduced a new payment service bill with activity-based licensing
to regulate new payment methods focusing on retail payment services
Activity based payments framework
Previous licensing regulations had product-based, generic definitions for payment service providers which were inadequate and created ambiguity in the licensing process
Example: “Payment system” means a funds transfer system or other system that facilitates the circulation of money, and includes any instruments and procedures that relate to the system – PS(O)A 2006

Technology agnostic bill which states PSP activities MAS regulates. New Payment Service Bill issues licenses to PSPs which provide
1. Account issuance services;
2. Domestic money transfer services;
3. Cross border money transfer services;
4. Merchant acquisition services;
5. E-money issuance;
6. Virtual currency services;
7. Money-changing services

▪ Regulates new payment service methods
▪ Reduces ambiguity
▪ Simplifies licensing decisions and evaluations
▪ Allows tiering based on type of payment activity
SOURCE: Regulatory Framework for Stored Value and Electronic Payment Systems and Consultation Paper on Payment Services Bill
… and to introduce tiered regulatory requirements for different payment
service providers
NON EXHAUSTIVE
Requirements
Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account
▪ Withdrawals of cash from payment accounts, e.g. through an ATM or over the counter

Execution of the following types of payment transaction: direct debits, including one-off direct debits; payment transactions executed through a payment card or a similar device; credit transfers, including standing orders
▪ Transfers of funds with the customer's PSP or with another PSP
▪ Direct debits (including one-off direct debits). However, acting as a direct debit originator would not, of itself, constitute the provision of a payment service.
▪ Debit card payments
▪ Transferring e-money
▪ Credit transfers, such as standing orders, Faster Payments, BACS or CHAPS payments

Execution of the following types of payment transaction where the funds are covered by a credit line for a payment service user: direct debits, including one-off direct debits; payment transactions through a payment card or a similar device; credit transfers, including standing orders
▪ Direct debits using overdraft facilities
▪ Credit card payments
▪ Debit card payments using overdraft facilities
▪ Credit transfers using overdraft facilities

Issuing payment instruments or acquiring of payment transactions
▪ Card issuing including where the card issuer provides a card linked to an account held with a different PSP (see regulation 68 of the PSRs 2017) but not including mere technical service providers who do not come into possession of funds being transferred
▪ Merchant acquiring services (rather than merchants themselves)

Money remittance
▪ Money transfer/remittances that do not involve creation of payment accounts

Payment initiation services
▪ Services provided by businesses that contract with online merchants to enable customers to purchase goods or services through their online banking facilities, instead of using a payment instrument or other payment method

Account information services
▪ Businesses that provide users with an electronic "dashboard" where they can view information from various payment accounts in a single place
▪ Businesses that use account data to provide users with personalised comparison services supported by the presentation of account information
▪ Businesses that, on a user's instruction, provide information from the user's various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies
SOURCE: FCA
UK licensing requirements: electronic money institutions
NON EXHAUSTIVE
Distance Marketing Directive
▪ Ensures PSPs provide customers adequate information when entering into a contract. For example:
– Marketing information is clear, comprehensible and appropriate to the means of distance communication

The Unfair Terms in Consumer Contracts Regulations 1999 (UTCCRs); Consumer Rights Act 2015 (CRA)
▪ PSPs/e-money issuers must ensure that the following are provided to consumers:
– A detailed risk assessment (of fraud and illegal use of sensitive and personal data)
– A description of mitigation measures against risks identified
– Measures taken to ensure protection of software and IT systems, especially in cases of outsourced operations

The Consumer Protection from Unfair Trading Regulations 2008 (CPRs)
▪ The CPRs intend to protect consumers from unfair advertising and marketing practices by businesses. PSPs and e-money issuers must avoid:
– Misleading as to the extent of the protection given by safeguarding
– Suggesting funds are protected by the Financial Services Compensation Scheme and they aren’t
– Describing accounts provided by PSPs as ‘bank accounts’ or otherwise implying that such a provider is a bank
– Advertising interbank exchange rates that will not be available to the majority of customers
UK
FCA closely oversees trials using a customized regulatory environment for each pilot – including safeguards for consumers
3 Case to case relaxations based on risk assessment: No standard relaxations on requirements - FCA conducts case-by-case review on waivers applied
4 Strong consumer protection guidelines: 4 key guidelines - informed consent, notification of risks, compensation of losses and a fair exit strategy1
[Figure: regulatory scope by firm type. Column labels: Prudential regulation (three columns, numbered 1 2 3), Conduct regulation. Firm types shown: Consumer credit, Stock brokers, Insurance intermediaries, Investment firms, Designated investment firms, Insurers, Deposit-takers; 1,600 firms; Prudential supervision]
Scope descriptions, in column order:
▪ Systemic infrastructure, central counterparties, settlement systems and payment systems
▪ Prudentially significant firms, deposit takers, insurance, some investment firms
▪ Investment firms and exchanges, other financial services providers including IFAs, investment exchanges, insurance brokers and fund managers
▪ All financial firms
1 No relaxation
3 Quick turn-around on evaluation decision: Can take up to 2-3 months | In 21 days evaluation decision announced
4 Case to case relaxations, based on risk assessment: No standard relaxations - FCA conducts case-by-case review on waivers applied | MAS maintains a list of possible relaxations; however there are some compulsory regulations
6 Globally integrated with other regulatory sandboxes: Regulatory collaborations with 11 countries (Singapore, Australia, USA, Dubai, etc.) which allows firms to navigate between countries as they look to scale their ideas | Regulatory collaborations with 8 countries (UK, South Korea, India, Australia, Abu Dhabi) which allows firms cross-border trial of solutions
1 A tale of 44 cities - Deloitte
Phase 1: Benchmarking and gap analysis (6 weeks)
Phase 2: Define payments regulatory strategy (8 weeks)
Phase 3: Drafting and implementation (10 weeks)
Weeks: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

General regulation
▪ Payments regulation benchmarking
▪ Regulation gap analysis
▪ Future studios
▪ Identify critical KSA regulatory components, and define which participants, activities, infrastructure/networks and standards should be subject to regulation
▪ Define overall regulatory strategy, and create phased program with prioritized deliverables
▪ Draft regulations
Licensing
▪ Identify and create new licensing categories
▪ Draft licensing requirements and artefacts
▪ Plan and trigger the licensing process
▪ Implement licensing process and create licensing process
Oversight
▪ Benchmark oversight practices globally
▪ Assess SAMA’s oversight approach and identify gaps
▪ Develop future oversight model (regulations, policies, functional and technical capabilities to support oversight)
▪ Design oversight implementation plan (org structure, governance framework and industry engagement)
▪ Support SAMA in developing the functional capabilities and processes
Propose and develop methods and platforms for market consultation and forums as needed.
2 Broaden participation
a Opening access to non-financial entities
▪ Open banking fosters innovation and competition by opening up access to financial data, and allowing additional players to provide services – available or being launched in 36 countries (e.g., UK Open Banking, developing in Canada, Australia, Singapore)
b Modernize regulations
▪ Streamline and consolidate legacy licensing to introduce a single regime (e.g., Singapore, UK)
▪ Move to technology agnostic, activity based definitions rather than product based (e.g., Singapore)
▪ Introduce tiered requirements to limit exposure and safeguard ecosystem
c Provide sandboxes for testing
▪ Establish technical and regulatory sandboxes to allow new fintech solutions to be safely tested (e.g., UK, Singapore, Thailand)
▪ Coordination between regulators to allow fintechs to test in multiple countries (passporting)
b Improve response to consumer complaints
▪ Improvements in systems to provide data to resolve consumer complaints, including pricing, charging and billing (as required by PSD2, CFPB)
5 Enhance capabilities and processes
a Adopt new RegTech and SupTech
▪ Regulators are enhancing their own digital capabilities to match those of participants, and leveraging digital tools to better supervise the rapidly evolving digital ecosystem (e.g., Singapore using data analytics and AI to enhance AML capabilities)
b Actively manage and engage participants
▪ Establish payments council to engage and align banks, PSPs and other fintech related players (Singapore, Australia)
Regulators: Defines the regulatory requirements to take part in Open Banking | Determines requirements and specification of the APIs, the protocols through which data is exchanged and guidelines on user experience

Consumers
SME & Retail Users authorize third party providers (TPPs) to access their data held by banks (ASPSPs) when signing up for these services

ASPSPs2
▪ Hold customer data, provide and maintain payment accounts/banking services and required to publish read/write APIs to make the information available to TPPs in the context of Open Banking
▪ Mandatory ASPSPs are CMA9 Banks who must comply with the Open Banking regulation and expose APIs to share data subject to consumer consent
▪ Voluntary ASPSPs are banks who are not currently mandated to share data but have voluntarily chosen to

TPPs3
Provide services to customer through Open Banking propositions
▪ AISP (Account Information Service Provider): Can read account information and provide consolidated information from multiple accounts
▪ PISP (Payment Initiation Service Provider): Can read account information and initiate a payment order at the request of the payment service user (with respect to a payment account held at another payment service provider.)

1 The Open Banking Implementation Entity (OBIE) is the company set up by the CMA in 2016 to deliver Open Banking
2 ASPSPs: Account Servicing Payment Service Providers 3 TPPs: Third Party Providers
1 No relaxation
3 Quick turn-around on evaluation decision: In 21 days evaluation decision announced | Can take up to 2-3 months
4 Case to case relaxations, based on risk assessment: MAS maintains a list of possible relaxations; however there are some compulsory regulations | No standard relaxations - FCA conducts case-by-case review on waivers applied
6 Globally integrated with other regulatory sandboxes: Regulatory collaborations with 8 countries (UK, South Korea, India, Australia, Abu Dhabi) which allows firms cross-border trial of solutions | Regulatory collaborations with 11 countries (Singapore, Australia, USA, Dubai, etc.) which allows firms to navigate between countries as they look to scale their ideas
1 A tale of 44 cities - Deloitte
SOURCE: Mckinsey Global Payment Map, World Bank
POS and card penetration in KSA is low compared to other countries
[Charts: Number of POS per 1000 inhabitants (2017); Card payments per POS (2017)]
▪ Card penetration is low at ~12%, although transaction volume is growing, at ~25% (5 year CAGR)
▪ POS roll-out accelerating, but significant gap to be closed (~500 POS terminals) to reach similar levels to other countries
SOURCE: McKinsey Payments Research
DIGITAL USERS (DEMAND)
▪ 75% social media users (32% growth YoY), ranked #1 per capita YouTube
consumption globally and active Twitter users regionally