Eike Weinberg, Tom Felix Becker and Sebastian Mattern find out
The Payment Services Directive 2 (PSD2) is a pan-European regulation that came into force in January 2018 and opened the payment transaction market to new providers. The regulation states that banks must disclose customer data (with the customer’s permission) to third party providers (TPPs) and create new system accesses in the form of an API or a user interface. This access would then allow a customer to access their bank accounts via the TPP.
In the past, TPPs were only partially regulated. PSD2 aims to protect customers and create a more secure environment for their interactions with TPPs. The European Banking Authority (EBA) considers the following to be the key goals of PSD2: ensuring safety, promoting competition, protecting the end customer, promoting innovation and, in our opinion the most important principle, improving the customer experience with new systems while ensuring a competitive level playing field.
The challenges around PSD2 for banks
From our experience working on a number of projects, Orbium has identified four main challenges that banks may face when complying with PSD2:
Security and authentication – Security and data protection have been defined as key principles in PSD2. The difficulty with the security aspects is finding the right balance between security and usability. The PSD2 articles concerning Secure Customer Authentication (SCA) are not yet in force, but will become mandatory from 14 September 2019, when the Regulatory Technical Standard under PSD2 comes into force.
Access to account (XS2A) – PSD2 is a business enabler: it makes it possible to transform the closed ecosystem of banks with their various IT systems into an Open Banking environment. To achieve this, Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) are regulated. The aim is to provide TPPs with non-discriminatory access to account information and payment methods. One possible use case is consolidating account information from various institutions. As customers are no longer obliged to use the bank’s own interface to access financial services, they gain more options for managing their financial assets, but the bank’s brand could end up with a weaker customer relationship.
Reporting system – The PSD2 directive replaces the previous reporting obligations for online payment transactions. From 13 January 2018, banks must additionally report their annual fraud statistics. The most significant adjustment is that not only incidents in online payment transactions are subject to reporting, but any form of incident that affects individual aspects of payment transactions, e.g. loss of system availability. Banks are now required to include in their reporting processes all service providers that carry out payment transactions on their behalf; however, they can outsource part of any newly introduced reporting stage to the service provider. A new evaluation scheme, containing both quantitative and qualitative criteria, defines ‘serious security incidents’ so that reporting thresholds can be precisely determined.
Business strategy – Depending on the approach a bank adopted in the face of PSD2’s January launch, its preparations for PSD2 may become a competitive advantage amid the expected disruption. In addition to the rather technically driven requirements, banks have been faced with the task of evaluating their own business models against the new reporting processes and the new technical requirements, which must be implemented by September 2019. The matrix below maps out schematically the challenges that banks might face. It was an output from the Avaloq Sourcing client project affected by PSD2.
Summary and outlook
PSD2 is just the beginning of Open Banking. The more we think about where it could go next, the more challenging it becomes. For example, the next regulation could require banks to also give access to their securities accounts via an API. From the bank’s perspective, the worst-case scenario would be to become a mere processor for payment and securities transactions.
For banks, it is important to define their future business model in order to develop a successful design and technical connection to the core banking system, the online banking system or other systems, so that they are prepared for future extensions of Open Banking.
The decisive question is whether a bank wants to passively comply with the guidelines of PSD2 or actively benefit from the regulation. Our recommendation is that banks look beyond the minimum implementation and take the opportunity to evaluate their strategy and their desired market position, in order to come up with a more sophisticated and appropriate approach to PSD2.