The onset of PSD2 made 2018 a pivotal year for European banks, but it won’t be until later this year that the regulations grow some teeth. Geordie Clarke asks: will it achieve its intended result?
It’s crunch time for European banks as far as Open Banking is concerned. In the months following the introduction of the second European Payment Services Directive (PSD2) in January 2018, there was a sense, in some quarters, that banks felt little incentive to implement more than the bare minimum requirements of the legislation. But with the deadline to comply with the Regulatory Technical Standards (RTS) on 14 September fast approaching, this is set to change.
RTS is significant because it requires banks to provide APIs to third-party providers (TPPs) that will allow them to build new products and services, such as payment methods and account aggregation applications. The hope is that this will lead to increased co-operation between large banks and smaller firms and create more choice for consumers and businesses.
Reaching that promised land, however, will be a major undertaking. Major banks must invest significant sums in overhauling legacy technology to make API integration possible, while the new legislation has sparked a broader debate around authentication and screen scraping. PSD2 seeks to solve these problems through a system that is faster, more accurate and more secure, but, in its current state, the market appears disjointed and there are concerns that this could stifle innovation.
A quiet revolution
The onset of PSD2 was supposed to be a seismic shift in the European banking sector, but for the general public, it came and went with little more than a whimper. Rather than see an immediate change in the banking landscape, it now appears progress will be gradual. Part of this is the result of an impasse among banks, TPPs and regulators over how Open Banking should be implemented.
The intention for PSD2 was to foster innovation, but it has also created a lack of cohesion in the market. This is because, unlike the UK, it did not prescribe a common standard for institutions to implement. Not only are there multiple API initiatives in Europe, each proposing its own set of standards, but banks can define their own interface, making it more difficult for TPPs to build products that make use of Open Banking technology.
Frans Labuschagne, country manager for UK and Ireland at security software fintech Entersekt, says this is both a turning point and an opportunity for European banks.
“Their willingness to embrace, and capacity to effectively assimilate, these changes is expected to make or break banks; move with the times or get left behind,” he says.
Sprint to the line
When PSD2 first landed, it seemed many banks were a long way from embracing change. For much of 2018, the big banks appeared concerned about being compliant only with the bare minimum requirements. Faced with the prospect of less control over their customer relationships, they perhaps can be forgiven for not embracing PSD2 in their droves during the early days.
That apathy has to a certain extent been replaced with urgency as the deadline to implement RTS fast approaches. While European banks and payment service providers must have their APIs ready for the September 2019 deadline, the European Banking Authority required them to be ready for testing by 14 March.
Sean Devaney, vice president of strategy for banking and financial markets at CGI UK, which provides IT and BPO services, says European banks were still able to provide contingency arrangements if they didn’t have dedicated APIs ahead of the March deadline. “Unfortunately, those contingency arrangements often amounted to allowing third parties to screen scrape data from bank sites,” he says.
“This has some significant security implications for banks that allow this, such as providing opportunities for malicious third parties to persuade bank customers to grant far greater access to their accounts than a dedicated API would allow.”
Now, the imminent deadline has motivated many banks to act.
On the fintech side, the question is whether they have the scale and resources to become registered and regulated as a TPP, or if they should piggyback off a larger player. Tristan Blampied, senior product manager at payments and compliance solutions provider Pelican, says smaller fintechs may be better off operating as resellers that piggyback off other institutions, allowing them to “develop an app or functionality which the larger registered players then build into their own stack”.
Roberts Bernans, co-founder of Nordigen, puts it bluntly: “Banks have two choices – to either deploy protectionist tactics, which are becoming increasingly frowned upon in the current market, or to open their APIs and create new business use-cases by partnering with leaner organisations.”
The good, the bad and the API
In the early days of the Open Banking era, much of the focus was on the security issues related to sharing data with fintech firms, even though a key objective of PSD2 is to make payments and account access more ironclad. One measure being sought is to replace the practice of screen scraping with effective APIs and the use of strong authentication methods.
Blampied says fraud will be a risk that is front of mind. “As we know, fraudsters are always looking for their next target and opportunity,” he says.
“There are provisions of course to ensure controls and registers over the regulated TPPs who have the right to access the data, upon their customers’ requests to do so; however, these need to be tightly enforced, and changes and updates applied in near real-time.”
But the quest for greater security and fraud prevention may come at a cost. Tougher security standards may increase friction in payments, and this could put customers off.
Another problem is the risk of fragmentation of API standards across Europe. While in the UK the Competition and Markets Authority required the country’s nine largest banks to collaborate and develop a common API from the start, it’s a different case for the rest of Europe and this is causing more issues.
“The European Commission considered that imposing a single common API standard would be anti-competitive and therefore left the technical details of PSD2’s APIs completely open, encouraging market forces to define them,” Hughes says.
“Unfortunately, the European Commission’s position disregards the benefits of common standards and interoperability and risks creating fragmentation.”
He adds: “Ironically, the EU’s decision not to impose a common API standard risks creating unnecessary complexity to the opening up of bank data, because different banks and countries across the EU may adopt different API standards.”
Enter the challengers?
Precisely who will benefit most from PSD2 and Open Banking is still up for grabs, but early indications suggest challenger banks and fintech companies are in a stronger position. Blampied at Pelican says the younger challenger banks were among the first to treat Open Banking as a strategic opportunity rather than a cumbersome regulatory obligation, and this may pay dividends down the road. Doing this, however, requires significant investment and development of customer-facing apps. Elsewhere, there is widespread belief that global tech giants are well-positioned to gain from Open Banking.
“Third-party payment providers, such as Apple, Amazon and PayPal are already benefiting from the more ‘open’ banking ecosystem,” Labuschagne says.
“With access to customers’ financial data, an appreciation for user engagement and experience and transactional infrastructures that suit the needs of the modern consumer, they are growing increasingly popular. Through increased interaction with these providers, consumers are also trusting them more and more.”
As David Parker, founder and CEO of Polymath Consulting, says: “It is like opening a new motorway but putting a 30 mile an hour speed limit on it; don’t be surprised if take up is low until you can start using it properly. Like with a new road, people need to discover where it goes and why it is better, PSD2 open banking will take time for users to adopt. It will all be about the propositions created around access to the data, whether that is easier loans and mortgages for consumers or better trade finance for business.”