In Norway, the local financial supervisory authority Finanstilsynet has imposed strict guidelines for banks on how to follow the current AML (Anti-Money Laundering) regulation. Among other things, banks are required to be able to identify the individual person in your company who approved a payment batch. The only challenge is that Norwegian banks have taken different approaches to implementing this requirement technically.
Initially, this may not seem problematic, but the problem becomes apparent when the sending system (any system that you're using for payments) does not implement the bank's technical requirements for creating and delivering pre-approved payment files in Norway. Because of that gap between the bank's technical requirements and your payment system, you must log in to your online banks and manually approve all your payments. This is a very cumbersome job for bigger companies with a high number of daily payments. It has left many companies' treasury and finance teams very unhappy.
The technical approaches vary among different banks
DNB, Handelsbanken and Sparebank1
In Norway, DNB, Handelsbanken, and Sparebank1 have selected ASiC (Associated Signature Containers) as their technology for pre-approved payment files. To get into the technical specifics: ASiC is basically a compressed (zip) file that contains the payment file, an approval data file, an ASiC manifest file, and a digital signature (PKCS#7) that ensures that any forgery of, or tampering with, the ASiC content is detected. The manifest file contains hashes of the payment file and the approval data file. The approval data file in turn contains a reference to the payload file and the personal identification (social security number) of the approver(s) of the payment file.
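The container layout described above can be checked mechanically. The following Python code is an added example, not code from the banks or from Nomentia: it builds a constructed, unsigned sample container and verifies that every file is bound to the manifest by a matching SHA-256 digest. The element names follow the ETSI ASiC manifest schema; the member names (`pain001.xml`, `approval.xml`, the manifest and signature paths) are assumptions, and verification of the PKCS#7 signature over the manifest is not performed here.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET

ASIC = "{http://uri.etsi.org/02918/v1.2.1#}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
MANIFEST = "META-INF/ASiCManifest.xml"   # assumed member name
SIGNATURE = "META-INF/signature.p7s"     # assumed member name; placeholder bytes below

def build_sample(files):
    """Construct an in-memory .asice container (constructed test data, unsigned)."""
    refs = "".join(
        f'<asic:DataObjectReference URI="{name}"><ds:DigestMethod Algorithm="{SHA256}"/>'
        f"<ds:DigestValue>{base64.b64encode(hashlib.sha256(data).digest()).decode()}"
        "</ds:DigestValue></asic:DataObjectReference>"
        for name, data in files.items())
    manifest = (f'<asic:ASiCManifest xmlns:asic="{ASIC[1:-1]}" xmlns:ds="{DS[1:-1]}">'
                f"{refs}</asic:ASiCManifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.etsi.asic-e+zip")
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr(MANIFEST, manifest)
        z.writestr(SIGNATURE, b"PLACEHOLDER")  # a real container carries PKCS#7 here
    return buf.getvalue()

def check_manifest(container):
    """Map each member to ok / digest-mismatch / missing / not-in-manifest."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(container)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read(MANIFEST))
        for ref in root.iter(ASIC + "DataObjectReference"):
            uri = ref.get("URI")
            if ref.find(DS + "DigestMethod").get("Algorithm") != SHA256:
                result[uri] = "unsupported-digest"
            elif uri not in names:
                result[uri] = "missing"
            else:
                want = base64.b64decode(ref.findtext(DS + "DigestValue"))
                got = hashlib.sha256(z.read(uri)).digest()
                result[uri] = "ok" if got == want else "digest-mismatch"
        # Files the manifest does not cover are not protected by the signature.
        for extra in names - set(result) - {"mimetype", MANIFEST, SIGNATURE}:
            result[extra] = "not-in-manifest"
    return result
```

A receiver would verify the PKCS#7 signature over the manifest before trusting these digests, and would parse the manifest with a hardened XML parser because it is untrusted input until that signature is verified.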
In practice, this means that instead of sending a payment payload file (such as a pain.001.001.03 message) to the bank, a zip file of the above-mentioned files with the .asice extension needs to be sent to these banks. As a treasury and IT team, combining this approach with other bank requirements can be a handful, especially when using several payment systems, ERPs, and banks.
The banks will also maintain the information about which users from your company are allowed to approve the different kinds of payments, and from which bank accounts they are sent. Upon receipt of an ASiC container, the bank's back-end system will verify that the person who approved the payment file was actually allowed to do so. On top of that, at least DNB has an authorization API that needs to be used to synchronize this user information to the sender system to prevent unnecessary rejections.
DNB, Handelsbanken, and Sparebank1 have also let us know that ASiC is supported only through a new SFTP service, and therefore as a customer, you would need a new bank connection to be able to deliver pre-approved payment files. To make it easier for our customers, we have already added these new connection points to our cash management SaaS.
Danske Bank and Nordea
Nordea and Danske Bank have been slower in deciding how to provide companies a way to send pre-approved payment files. But it seems that overthinking the solution may have produced a much simpler one. The latest news from Danske Bank and Nordea is that the payment approver information can be incorporated into the actual payment payload files, such as a pain.001 v03 message. Now, Sparebank1 has also stated that it will commence development to support a similar process.
What will Nomentia do?
We will first implement support for pre-approved payments using BITS MIG, and after that develop a convenient solution for ASiC containers. We’re releasing all these functionalities in 2022. You can book a meeting with us to discuss how we can help you tackle these changes.