How does the banking change for you and your company?

The PSD2 directive affects the operations of our bank. Get to know the changes.


ING Business

  • When logging in, after entering the login and password, we will additionally ask you to enter the SMS code.
  • If you use a certificate to log in, nothing will change for you – you already log in using the strong customer authentication.
  • Regardless of the login method, we will shorten the duration of each session from 30 to 5 minutes – if you take no action during this time, the system will automatically log you out.

Mobile app

  • Logging in to the application will still be possible via the device assigned to you at ING Business (possession element) and after providing one of the following:
    • password (knowledge element), or
    • fingerprint/face recognition (biometrics element)
  • We will shorten the duration of each session to 5 minutes – if you take no action during this time, the system will automatically log you out.

Cards

  • From the 14th of September you will have to confirm some of the contactless transactions below 50 PLN with a PIN code (until now it was not necessary).
  • The amount below which it is us and not you who will be responsible for the unauthorized transactions will be reduced to 50 EUR (previously it was 150 EUR).
  • The transferee will not be able to charge any additional fees for the payments done with payment cards (especially the debit and credit ones) where the interchange fee is regulated.
  • The transferee can block the funds on your card, once you have approved the transaction amount (it refers especially to hotel bookings and car rentals).
  • You will be more often asked to insert the payment card into the terminal (when making contactless transactions).

Cash deposit machines

  • From the 14th of September you will have to confirm the deposits made at some of the CDMs with a PIN code (until now it was not necessary). By the end of the year each transaction at the CDM will be confirmed with a PIN code.

Terminals

  • From the 14th of September when making contactless transactions below 50 PLN via a payment terminal the owner of the card may have to enter the card PIN code (until now it was not necessary). The payment card issuer will decide which transactions will need the additional authorization.
  • You will be more often asked to insert the card into the terminal (when making the contactless payment).
  • As a user of the terminal you will not be able to add any additional fees when paying with payment cards if the interchange fee is regulated.

Payments

  • The foreign currency transfer charges within the European Economic Area are already shared between the two parties of the transaction (the so-called SHA option). We withdrew the OUR payment option where all of the charges were paid by the transferor.

Complaints

  • In the case of an unauthorized transaction after the 14th of September we will send you the transaction amount back not later than at the end of the working day after the day when such a transaction was discovered.
  • The reply to your complaint will be sent within 15 days (previously 30 days). In special cases the reply will be sent within 35 days (previously 60 days). We have already introduced this change.

Open banking

Payment services within the open banking

  • In addition to banks, payment institutions and postal operators, the data about your accounts can be used by third parties (TPP, Third Party Providers). Those can be banks as well as any other company which gets permission from the supervisory authority to provide the new PSD2 services.
  • The Third Party Providers will be able to collect the information about your accounts at one or multiple banks. It can be used to present to you the analysis of the transaction history.
  • Remember that it is you who decides whom and when the information regarding your company’s accounts is given to. It is you who gives us the permission to do so. The information regarding the accounts or particular amounts can be submitted to other companies only after receiving your permission.
  • Make sure you understand well the content you accept. Remember that you can always withdraw the given consent.
  • We as a bank will take care of the proper and safe standard of transmitting the data via the so-called API (application programming interface). It is specially prepared software which allows external tools to make use of the data regarding the accounts. This can only take place after the permissions have been verified and the requirements for safe communication have been met. These requirements are the same for all banks and are strictly defined by the regulations.

We will keep you informed about all the changes which influence the way of using our products and services.

 

Why are we making changes?

The changes related to PSD2 require us to use the so-called strong customer authentication. From the 14th of September we will always make use of 2 out of 3 possible ways to confirm your identity:

  • Something only you know (knowledge element) – e.g. password or PIN code
  • Something only you have (possession element) – e.g. phone or payment card
  • Something only you are (biometrics element) – e.g. fingerprints, face recognition

Each of the elements is independent of each other.

The Frequently Asked Questions (FAQ) 

  • What is PSD2?

    It is a conventional abbreviation which refers to the directive adopted by the European Parliament regarding payment services (Payment Services Directive 2). It governs and unifies the payment services market within the European Economic Area (EU countries as well as Norway, Iceland and Liechtenstein). It is introduced into national law by the bill adopted on the 10th of May 2018 regarding the amendment to the act on payment services and some other acts.

  • What does implementation of PSD2 mean?
    • Together with PSD2 we enter the era of so-called open banking. Your company’s accounts and the information regarding them will be available to external entities (banks, fintechs, payment services, called TPP, Third Party Providers), but never without your permission. It is already happening: if you buy something online, you probably often pay with a quick transfer, the so-called pay-by-link. The payment operator initiates the payment and guides you to the chosen bank, where you only need to confirm the transfer.
    • The safety of your company’s money will increase, as well as the safety of the transfers you make online and with your payment cards.
    • New standard of the consumer and company protection
  • What is open banking?

    The regulations of the PSD2 directive create a completely new way of functioning of the payment services market. The banks will be obliged to provide access to the accounts to third party providers, called TPP (such as other banks, fintechs, payment services). The access will only be possible after getting the consent from the person who has online access to the account.

     

  • Is open banking safe?

    Yes, your data will be protected by the newest technology and the highest safety standards.

    Only you can decide who and how can use your data (bank or any other TPP). Make sure you understand well the content you accept. You can always withdraw the consent given to the third party provider regarding the access to the information about your bank accounts.

  • Who is a third party provider (TPP)?

    The third party provider is a bank or any other company which gets the permission from the supervisory authority to provide new services. The TPP will be able to:

    • download the information about your company’s account (the so-called AIS – Account Information Service),
    • initiate payments to your counterparty’s account on behalf of your company (the so-called PIS – Payment Initiation Service). It will work in a similar way to the quick online transfer (the so-called pay-by-link),
    • send to a company indicated by you a confirmation regarding the availability of funds on your payment account (the so-called CAF – Confirmation of the Availability of Funds).

    The TPP will be able to collect the information regarding your accounts at one or multiple banks.

  • Who can give consent to release information regarding the account to the TPP?

    Each user, within the scope of the permissions granted to them in ING Business. The Third Party Provider will only be given the information you have access to in ING Business within your permissions.

    Remember that it is you who decides which information can be provided (for example which accounts and transaction statuses).

  • How can I give consent to release the information regarding the account to the TPP?

    In order to give consent, you will always be directed by the TPP to ING Business where, using the strong customer authentication, you will be able to confirm the scope of the given consent (e.g. which accounts and transaction statuses you want to send to the TPP). Make sure you understand the content you accept. Remember that you can always withdraw the consent previously given to the TPP.

  • How will the bank transmit the data to the TPP?

    As a bank we have taken care of the proper and safe standard of transmitting the data via the so-called API. It is specially prepared software which allows external tools to make use of the data regarding the accounts. This can only take place after the permissions have been verified and the requirements for safe communication have been met. These requirements are the same for all banks and are strictly defined by the regulations.

    The specification regarding the interface together with the detailed description is available at the so-called developer portal. It is available at the following website: https://devportal.ing.pl/ 

  • What kind of payment orders can be initiated by the Third Party Provider?

    With the Third Party Provider you can initiate the following:

    • Domestic transfers
    • International transfers
    • Transfers to tax authorities/customs chamber
    • Standing orders
  • Who can initiate the payment?

    When a payment is initiated (the so-called PIS – Payment Initiation Service) we always check the scope of authority. You will not be able to initiate a payment from an account for which you do not have the full scope of authority. You also need to have the authority to accept transfers on your own.

  • What does the strong customer authentication mean?

    From the 14th of September we will always make use of the 2 out of the 3 possible ways to confirm your identity:

    • Something only you know (knowledge element) – e.g. password or PIN code
    • Something only you have (possession element) – e.g. phone or payment card
    • Something only you are (biometrics element) – e.g. fingerprints, face recognition

    Each of the elements is independent of each other.

    Log in to ING Business:

    When logging in, after entering the login and password, we will additionally ask you to enter the SMS code.

    If you use a certificate to log in, nothing will change for you – you already log in using the strong customer authentication.

    Log in to mobile app

    Logging in to the application will be possible via the device assigned to you at ING Business (possession element) and after providing one of the following:

    • password (knowledge element), or
    • fingerprint/face recognition (biometrics element)
  • Can the strong customer authentication be used for each payment initiated by the payer?

    No, there are some exceptions to the strong customer authentication, e.g. transfers to trusted/authorized transferees/counterparts. Transactions made between your own accounts (e.g. currency exchange) are not subject to the requirements of the strong customer authentication.

  • Will the way of authorizing the payment orders change in the ING Business system and mobile app?

    Nothing will change.

  • Do the changes concern me if I use other than ING Business electronic banking systems offered by the ING Group?

    The PSD2 directive is in force in the whole European Union. If you are not an ING Business user, but you use the global electronic banking solutions of the ING Group, the changes concern you as well.

    The ING Group has prepared a solution which is based on another API standard, that is Berlin Group API. The interface specification together with the detailed description is available at the so-called developer portal. It is available at the following website: https://devportal.ing.pl/ Contact your customer assistant to get the detailed information.

  • Will the way of using the ING WebService change?

    Nothing will change, you will still be able to use the service as before.

  • Why do I have to enter the PIN code when making transactions below 50 PLN?

    The directive introduces the requirement of strong customer authentication, but there are some exceptions. As far as contactless payments are concerned, the extra authentication is not required for every transaction below 50 PLN, but for safety reasons the banks can require entering the PIN code for some of the transactions.

Are you a Third Party Provider? Visit the website for the developers.