We have seen the global payments industry experience a seismic shift towards digital payments, open banking and the use of digital wallets, accelerating the adoption of new technologies, delivery models and payment types.
In this insight, we summarise some potential advantages and disadvantages to assist any financial institution considering outsourcing its payment services to a cloud-based solution - Payments-as-a-Service (PaaS).
The PaaS model enables organisations to outsource a number of core business functions to third party service providers, referred to as PaaS providers, who offer advanced and specialised payment products and services through cloud-based software, platforms and infrastructure.
As the evolution of global payments continues to be driven by new technologies and customer behaviour against a backdrop of tightening regulations, financial institutions are experiencing increasing pressure to keep pace with continuous innovation and emerging payment methods to remain both competitive and current. With internal resources and legacy systems alone, meeting and managing these demands can be difficult.
The emergence of PaaS is a catalyst for change in the payments sector, providing financial institutions with a platform to leverage the expertise of PaaS providers and benefit from the advantages that cloud-based functions have to offer. The developer-centric, API-driven technology behind cloud computing enables PaaS providers of the latest features and services to make their services available ‘en masse’ by developing a single API or plugin to integrate into the cloud-based platform. That feature or service becomes one of many features or services that can then be made available to any financial institution that has an integration with the platform, meaning those organisations can quickly and flexibly build a modular ‘pick and mix’ payment stack to suit their customers’ needs and differentiate themselves from the competition, while spending less time and money on their own legacy systems.
1. Scalability: Compared to on-site solutions that have limited data capacity, cloud-based services offer easier scalability. Financial institutions can use PaaS to more quickly and seamlessly increase or decrease resources as required to meet variable, and often unpredictable, demand with minimal disruption to their business or demand on internal teams.
2. Flexibility: The cloud-based nature of PaaS boosts agility and flexibility by facilitating access to data and applications at any time and from anywhere in the world, provided there is an internet connection. In addition, the PaaS model can help to streamline the path to market for new payment products and services, making it quicker and easier for financial institutions to activate or deactivate features or services to better accommodate changing customer needs and incorporate new payment types and services.
3. Cost savings: Overhauling legacy technology with the complex underlying IT infrastructures required for cloud architecture is costly and time-consuming. Financial institutions would need to commit a significant, upfront investment to develop and scale their own payment products and services, and bear the recurring expenditure associated with hiring and training specialist in-house teams to manage and maintain these. Outsourcing PaaS transfers the associated outlay costs onto the PaaS provider, in return for organisations paying a service fee, which may enable financial institutions to better focus resources and capital expenditure on more strategic endeavours like building partnerships, marketing and innovating. PaaS models are also typically provided on a services-based variable cost model, meaning that those procuring PaaS only pay for the services they use.
4. Security: Having and maintaining robust security is key to the reputation of any PaaS provider. Testing and security are therefore core to PaaS solutions and as experts in navigating and managing cloud environments, PaaS providers are sensitive to vulnerabilities and potentially better placed, in both time and experience, to proactively manage, navigate and mitigate security threats. In addition, financial institutions can contractually manage PaaS providers’ security policies and procedures to ensure they mirror (or better) their own, and contractually remedy any breach or failure. This additional layer of legal obligation, together with the need to manage their own reputation, generally incentivises PaaS providers to host secure cloud environments to ensure the success and longevity of their platforms.
5. Expertise: PaaS providers have extensive knowledge of cloud environments and are experts in managing and delivering PaaS solutions. They can assist with the preparation and implementation of effective cloud-migration strategies that align with the needs of the business and build ongoing management, support, optimisation, security and testing services into their solution. Through the use of advanced tools and specialist resources, PaaS providers can help to manage service delivery and operability in cloud environments which might otherwise consume the internal IT functions of financial institutions.
6. Resilience: The cloud environment typically backs up and stores data across resilient and distributed networks, reducing the risk of data loss in the event of a system failure or disaster. This can strengthen disaster recovery and business continuity plans by facilitating the continued availability of, and access to, data and services.
7. Analytics: The incorporation of artificial intelligence and machine learning into cloud-based solutions can provide organisations with cost effective ways of breaking down data silos and processing large amounts of data that would otherwise soak up the capacity of on-site data centres. Using advanced analytics tools, PaaS solutions can generate valuable customer insights to assist financial institutions in making informed business / marketing decisions, tracking customer behaviour and predicting emerging market trends.
8. Customer experience: Ordinarily, financial institutions use a number of channels to service customers such as website, email, telephone, instant messaging, chatbots and other applications. By providing access from a single platform, cloud-based solutions can eliminate the communication gaps created by different channels and provide the end customer with a more seamless, omni-channel experience. In addition, cloud-based products can enable financial institutions to offer more sophisticated and personalised products incorporating a number of value-added services. For example, PaaS solutions can support instant, 24/7 customer interaction to better service a global customer base without placing additional burden on in-house customer service teams.
1. Compliance: When outsourcing to the cloud, financial institutions are subject to extensive legal and regulatory requirements to ensure stability, operational resilience and security are not compromised. PaaS outsourcing arrangements are no exception and must comply with all applicable legal and regulatory requirements (these may include the European Banking Authority’s Guidelines on Outsourcing (2019), the EU’s Second Payments Services Directive (PSD2) (implemented in the UK through the Payment Services Regulations 2017), the Banking Act (2009), the Banking Resolution and Recovery Directive and, in the UK, the related Policy Statements issued by the Financial Conduct Authority and the Prudential Regulation Authority). Financial institutions will need to carry out increased and ongoing due diligence on PaaS providers to ensure the outsourced operations (and contracts governing them) are compliant with the ever-changing legal and regulatory landscape.
2. Contractual / oversight arrangements: As a result of the often business-critical nature of the services being outsourced and the extensive legal and regulatory requirements financial institutions are subject to, the contracts governing PaaS are often highly complex, and heavily negotiated. Financial institutions must ensure certain controls are prescribed and exercisable in respect of key areas, including audit rights, subcontracting, data processing, security, termination and exit provisions. Putting these contracts in place often requires input from expert outsourcing and technology legal professionals. Financial institutions also need to put additional oversight, monitoring and control policies and practices in place to ensure alignment with their own risk tolerance, legal and regulatory obligations, and internal policies and processes.
3. Service downtime: Because PaaS solutions are reliant on internet-based cloud computing systems, PaaS will be unavailable if there is no internet connection or the internet path is compromised. As a result of this, the availability of the services and management of downtime ultimately sits outside of the control of financial institutions procuring PaaS, though this can be technically and contractually managed and mitigated. Financial institutions should carefully consider their contingency plans and the potential impact of outages on their business operations.
4. Security: Although PaaS providers typically adhere to strict security standards and industry certifications, operating wholly online comes with inherent risks. The infrastructure may suffer vulnerabilities, misconfiguration, account hacking, data breaches and insecure APIs. Financial institutions need to carry out sufficient due diligence and ongoing monitoring on PaaS providers to ensure outsourced operations align with and facilitate compliance with the financial institution’s own regulatory obligations and security management plans.
5. Influence: Each PaaS provider owns, manages and monitors its cloud infrastructure and ultimately decides how PaaS will be delivered to its customer base. As the customer base of many PaaS providers will span multiple customers (potentially operating across different sectors), this diversity inevitably requires PaaS providers to adopt a ‘one-to-many’ service model based on standard terms and service performance measures. This may not satisfy the requirements of regulated financial institutions or the requirements of their individual customers. As a result, financial institutions may have less influence over the performance and delivery roadmap of outsourced PaaS than if those functions were carried out in-house.
Technology has become a critical enabler for any financial institution wanting to remain competitive in today’s payments market. We know the payments landscape is evolving rapidly, and will continue to do so. The PaaS model can be a one-stop-shop cloud solution that sidesteps legacy issues whilst alleviating some of the burden of costs and risks associated with building (or upgrading) in-house infrastructure. However, outsourcing and cloud-based solutions both come with inherent risks and financial institutions considering a PaaS solution should assess the potential advantages and disadvantages for their organisations at a governance and operational level before committing to the move.
If you require any legal or regulatory advice regarding PaaS solutions, or outsourcing more generally, please do get in touch.
Contributors: Dave Gardner, Lauren Hemingway
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2022. Specific advice should be sought for specific cases. For more information see our terms & conditions.
14 November 2022