
2019/03/14
PSD2 has reached another major milestone: today is Publication Day, the date by which all banks that provide online access to payment accounts have to make the required documentation available to TPPs across Europe. In this article we give another quick overview of what PSD2 is and why it matters for the future.
2019 is a big year for financial institutions in the European Union. PSD2 comes into full force on 14 September 2019, when the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS on SCA and CSC) start to apply. But what is PSD2? In the simplest terms, it is a revision of the original Payment Services Directive (proposed in 2005 and adopted in 2007) that regulated payment services and payment service providers throughout the EU and EEA. More specifically, PSD2 has three main purposes. First, to strengthen customer rights with regard to transparency, security and accessibility across the EU and EEA. Second, to create a more level playing field and so encourage competition among financial institutions and payment service providers. And third, to take steps towards a more integrated European market with a stronger pan-European character.
The goals of PSD2 look great on paper, but there are definite challenges ahead for financial institutions in meeting the actual regulations, and they are all the more pressing because the deadlines are fast approaching. PSD2 was adopted on 25 November 2015, and the first deadline was 13 January 2018, when the directive itself came into force. The Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) were published on 13 March 2018 with an 18 month transition period ending on 14 September 2019. Despite that 14 September date, 14 March 2019 is just as important: this is when test Application Programming Interfaces (APIs) have to be available so that the mandatory 6 month testing period can still be completed before the RTS apply.
The tasks at hand to meet the impending deadlines can be divided into two themes: efficiency and trust. Why these two? Financial institutions need to make sure their technical house is in order and that their systems actually perform under the conditions of PSD2. Trust and security are always a concern when it comes to change, and making sure that customer information is never exposed is essential to the success of PSD2.
In terms of efficiency, one of the first tasks, already mentioned above, is a 6 month test run of an institution's API. There is no point in launching a programme without knowing how it works. Banks should have built their APIs against the regulatory standards and published the test versions by 14 March 2019, so that Third Party Providers (TPPs) can connect to them and check whether they are compliant. Checking is done with sandboxes. A sandbox is a testing facility that accepts API requests and returns responses without touching live accounts, so a TPP can exercise the interface end to end. Every bank or financial institution should provide a sandbox for its own solution and use it to demonstrate that the solution meets the regulations. Banks must also show the National Competent Authority (NCA) that they have a proven fallback solution. If a bank offers a dedicated interface (an API), the RTS also require a contingency mechanism in case that interface is unavailable or underperforms: either the bank obtains an exemption from this requirement from its NCA (the FCA in the UK) by demonstrating that the API meets the required conditions, or it opens up its existing e-channels (such as the internet banking solution) to TPPs, who must identify themselves when using them. Opening up the customer interface was the common way earlier generations of TPPs reached accounts before APIs existed, but under the RTS payment accounts are much more tightly regulated, and this is only a valid connectivity option if a bank decides not to provide a dedicated API; even then, additional requirements have to be met.
The next task in terms of efficiency is a Strong Customer Authentication (SCA) solution, and this one ties directly into the second theme, trust. SCA requires two independent authentication elements to verify payments, account access, or in fact any remote action that could result in payment fraud. The two elements must come from two of three categories: knowledge (something only the customer knows, such as a password or PIN), possession (something only the customer has, such as a mobile phone) and inherence (something the customer is, such as a fingerprint or voice pattern). The elements must be independent, so that compromising one does not compromise the other, and for remote payments the authentication code must be dynamically linked to the amount and the payee. Security concerns are not limited to how customers access their accounts or information; the system itself needs to be checked as well.
Wider use of APIs creates a much larger attack surface. A breach could happen not only at the financial institution but at the TPP as well, so an effective security system will have to be at the forefront of every business involved. With these concerns in mind, businesses will have to demonstrate the trustworthiness of their services. But how does a business meet that standard? TPPs are required to hold eIDAS qualified certificates, which prove their identity to Account Servicing Payment Service Providers (ASPSPs); obtaining such a certificate requires the TPP to be licensed by an NCA, and the certificate carries the TPP's authorisation number and PSD2 roles. This has its own limitations, since some authentication elements, such as a fingerprint, cannot simply be shared with a TPP. Customer consent management adds a further measure of trust: each ASPSP has to manage its own consent interface and decide how often consent is requested, within the boundaries set by PSD2. Optionally, banks can also use access tokens, issued by the ASPSP, that serve as a pass for limited authorisation: the TPP uses the token to interact with the APIs on behalf of the customer instead of collecting the customer's credentials. Such a token represents the customer's consent and the TPP's access privileges to the related ASPSP services, and nothing more.
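As an added illustration (example code written for this article, not any bank's or TPP's implementation), the following Python sketch shows how an ASPSP can issue a token that stands for one customer's consent to one TPP and then enforce it on every API call. The token is bound to the TPP identifier the bank would read from the TPP's eIDAS certificate, to a consent reference, to the granted scopes and to an expiry, and it is integrity-protected with an HMAC so the TPP cannot widen the scope on its own. All function names, the signing key, the scope strings and the TPP identifiers are assumptions made for the example; a production deployment would use a proper OAuth 2.0 authorisation server and real key management rather than a shared secret in code.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the example: a symmetric signing key held only by the ASPSP.
# In production this would live in an HSM or the authorisation server's key store.
SIGNING_KEY = b"example-aspsp-consent-token-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> bytes:
    return hmac.new(SIGNING_KEY, payload.encode("ascii"), hashlib.sha256).digest()


def issue_token(tpp_id, consent_id, scopes, ttl_seconds, now=None):
    """ASPSP side: mint a token that represents one customer's consent.

    tpp_id     -- the TPP the consent was given to (in practice the authorisation
                  number the bank reads from the TPP's eIDAS certificate)
    consent_id -- the bank's own reference for the consent the customer approved after SCA
    scopes     -- what the customer allowed, e.g. {"accounts:read"}
    """
    now = int(time.time()) if now is None else now
    claims = {
        "tpp": tpp_id,
        "consent": consent_id,
        "scope": sorted(scopes),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return payload + "." + _b64url(_sign(payload))


def authorize(token, presenting_tpp_id, required_scope, now=None):
    """ASPSP side: decide whether an API call may proceed under this token.

    Returns (allowed, detail): on success detail is the consent id the call runs
    under, on failure it is the reason for the refusal.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    payload, sig = parts
    # Check integrity first; nothing inside the payload is trusted before this.
    try:
        if not hmac.compare_digest(_sign(payload), _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return False, "malformed token"
    if claims["exp"] <= now:
        return False, "token expired"
    # The token is bound to the TPP it was issued to, as identified by the
    # certificate presented on this connection, so it cannot be passed around.
    if claims["tpp"] != presenting_tpp_id:
        return False, "token not issued to this TPP"
    if required_scope not in claims["scope"]:
        return False, "scope not granted by consent"
    return True, claims["consent"]


def widen_scope_without_resigning(token, extra_scope):
    """What a misbehaving TPP might try: edit the claims but keep the old signature."""
    payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["scope"].append(extra_scope)
    forged = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return forged + "." + sig


if __name__ == "__main__":
    # Constructed scenario: an AISP obtained a read-only consent at t=1_000_000
    # with a one hour lifetime. The identifiers are made-up placeholders.
    aisp = "PSDXX-NCA-000001"
    other_tpp = "PSDXX-NCA-000002"
    token = issue_token(aisp, "consent-42", {"accounts:read", "balances:read"}, 3600, now=1_000_000)
    print(authorize(token, aisp, "accounts:read", now=1_000_100))        # allowed
    print(authorize(token, aisp, "payments:initiate", now=1_000_100))    # scope not granted
    print(authorize(token, other_tpp, "accounts:read", now=1_000_100))   # wrong TPP
    print(authorize(token, aisp, "accounts:read", now=1_003_700))        # expired
    forged = widen_scope_without_resigning(token, "payments:initiate")
    print(authorize(forged, aisp, "payments:initiate", now=1_000_100))   # bad signature
```

The order of checks matters: the signature is verified before any claim is read, the expiry and the TPP binding are checked before the scope, and a token minted for account information can never be turned into a payment initiation pass, whether by a different TPP presenting it or by the original TPP editing it.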
There is a lot happening on the business side of PSD2, but before we get too caught up in the technicalities, there is a bigger message. The fundamentals of PSD2, in a societal, economic and even cultural sense, will have a great effect on the EU and EEA. As technology advances and people move to digital solutions for day to day tasks, financial institutions will have to build systems that keep up with changing customer behaviour. Cue the emerging FinTech companies. The rise of FinTech and its effect on financial services is no joke. Integrating with the services FinTech companies provide, rather than competing with them, is the best way for established institutions to meet customer needs and the new banking regulations at the same time.
Integration and competition give younger banking institutions the chance to compete with their older peers and will spark innovation in new banking platforms and products; PSD2 provides the stage for that to happen. PSD2 does not just mean changes or benefits for businesses. By opening access to payment accounts and allowing payment initiation, it lets customers look forward to new types of services, such as instant P2P payments or debit cards that are not tied to a single financial institution (so-called de-coupled cards). The stronger security that comes with SCA can also put customers at ease, since it will be even harder for others to get at their financial information.
As for businesses, yes, they are the ones who will have to adapt most, but the changes are largely positive. Banks get the opportunity to explore a platform approach built on TPPs and to collaborate with existing FinTech services instead of competing with them. FinTechs will be able to check the availability of funds, initiate payments and access payment account information, while identifying themselves to the bank before touching a customer's data.
PSD2 is not a brand new idea coming out of nowhere. It has a history extending back to the first PSD, and PSD2 itself, as a revision, has been on the table since 2013. But time is getting short for countries to fully implement systems that meet PSD2 regulations: 2019 is the year in which the technical standards start to apply, and financial institutions and their APIs need to be ready. While these looming deadlines are probably the biggest concern for businesses, a little more reflection should be given to what PSD2 means for globalisation.
PSD2's application across the EU means customers can work with financial institutions across national borders. TPPs need only one licence to operate, which makes acquiring services from another country easier. This is especially attractive to customers exposed to different international markets, who can find similar services at a lower cost elsewhere. E-commerce can become even more international, and financial institutions can operate in several countries. Communication, diversity and competition mean more and better products and services for the customer. Arguably, PSD2 is the catalyst that turns open banking into reality, with positive benefits for a more open and integrated European Union. Successful changes and innovations made here will serve as examples to the rest of the world of just how much financial services can change to benefit everyone.