PSD2 – Open Banking



This is not just another compliance decree. PSD2 could change or even revolutionize the payments industry; in fact, it mandates the idea of open banking!
In the past, the words ‘open’ and ‘banking’ seldom mixed. So, what is open banking?
Provocatively speaking, open banking suggests that “anyone” can have access to your bank account! “Anyone” here means a trusted third party. With that, banks no longer have the monopoly on your account information!

But let’s start from the beginning! Back in October 2015, the European Parliament decided to promote innovative Fintech service providers e.g. for online and mobile payments. This means allowing access to bank data by third parties, by non-banks.

Up until now, third-party service providers (TPSPs) would seek access to consumers’ and merchants’ bank accounts. But banks could refuse this access, since their relationship with TPSPs was not regulated:
– The only agreements were ad hoc agreements.
– No standard interfaces or infrastructures were available.
Well, this is all changing!

On 13 January 2018, PSD2 came into force. Its aims are:
– to increase pan-European competition
– to expand the financial services ecosystem (non-credit institutions can apply for authorisation as a payment institution)
– to guarantee faster payments (no less than 1 day)
– while at the same time harmonizing consumer protection and rights

But let’s get a view of the big picture:
– Who gets to play? -> Most of the payment services providers
– What data are we talking about? -> Account information, balance statement, history of transactions and the making of payments.
– Where? -> European Economic Area.
– Any constraints? -> Strong identification i.e. secure e-payments.

This new financial ecosystem opens up the value chain to a set of new actors. Let’s look at the old and new kids on the block. (Note the fabulous new acronyms)
• ASPSP: Account Servicing Payment Service Provider (banks or an entity managing your accounts)
• PISP: Payment Initiation Service Provider (e.g. merchants or e-commerce businesses like Amazon or eBay). Initiation of payments is no longer within the bank: the PISP now operates directly with the bank. This could make certain credit card services redundant. Up till now the payment value chain was fairly complex: [1] the consumer goes to Amazon and buys a book, [2] this transaction goes to a payments platform like Adyen, [3] then to the credit card company, VISA, [4] then to your bank. Now, Amazon and your bank will communicate directly! So in B2B, the bank does not need to be contacted to make a payment. The payment can be made through a third-party application like Amazon.
• AISP: Account information service provider. These players can aggregate data from numerous sources (banks) and report the data without the bank. On the other side, banks can also be AISPs and aggregate information from other banks, report and give analytical insights! This opens up the opportunity of an almost brand new reporting and analytics industry.

So, going back to the proposition that ‘anyone’ can access your account. Well, anyone who fulfils certain PSP requirements. Here are a few key constraints:
– Strong customer authentication (SCA) for all electronic payments
– Adopt regulatory technical standards (RTS)
– Must allow 3rd party payment providers access to client data, if client allows it!
– Payment service providers are responsible for finding evidence against fraud
– Securing confidentiality of users’ security credentials

Now, the payment ecosystem will be regulated and standardised. Banks will need to take down their barriers. This means a certification process authenticates third parties so that they can participate.
By and large, banks don’t need to trust the TPSP (the PISP or the AISP) itself; they need to trust its certificate or qualified certificate.
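
The trust decision described above, sketched from the bank's (ASPSP's) side as an added example (not code from this post or from any PSD2 specification): access depends on the certificate's issuer, validity and licensed role, plus the client's consent and SCA, never on who the TPSP is. The data model, issuer name and service names are constructed assumptions, and signature and chain validation of the certificate are assumed to have happened already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping from the licensed role in the certificate to the service it covers.
ROLE_SERVICES = {"AISP": {"account_information"}, "PISP": {"payment_initiation"}}
TRUSTED_ISSUERS = {"Example Qualified CA"}  # constructed trust list

@dataclass(frozen=True)
class TppCertificate:  # hypothetical view of an already signature-checked certificate
    subject: str
    issuer: str
    roles: frozenset
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AccessRequest:
    cert: TppCertificate
    customer: str
    service: str
    sca_completed: bool

def decide(req, consents, now):
    """Return (allowed, reason); deny unless every check passes."""
    cert = req.cert
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate outside validity period"
    covered = set().union(*(ROLE_SERVICES.get(r, set()) for r in cert.roles))
    if req.service not in covered:
        return False, "role does not cover service"
    if (req.customer, cert.subject, req.service) not in consents:
        return False, "no client consent"
    if req.service == "payment_initiation" and not req.sca_completed:
        return False, "strong customer authentication required"
    return True, "ok"

# Constructed sample data: an AISP-only certificate and one consent record.
NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)
AISP_CERT = TppCertificate("tpp-aggregator", "Example Qualified CA", frozenset({"AISP"}),
                           datetime(2019, 1, 1, tzinfo=timezone.utc),
                           datetime(2021, 1, 1, tzinfo=timezone.utc))
CONSENTS = {("alice", "tpp-aggregator", "account_information")}

if __name__ == "__main__":
    for service in ("account_information", "payment_initiation"):
        print(service, decide(AccessRequest(AISP_CERT, "alice", service, True), CONSENTS, NOW))
```
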

Are there any immediate risks involved? Sure, there are a couple worth noting:
– Banks risk losing their existing relationship with their clients (they lose direct contact with their clients). Until recently TPSPs were not regulated, but now they will have an official licence.
– Banks have to revise their business models, but the TPSPs also need to scale up: they will need new organisational structures and frameworks to establish strong customer authentication, ensure proper incident reporting, and maintain risk and control frameworks.
– In the future TPSPs like Google, Facebook and Fintech firms will be maintaining that relationship.

How will all this be done, technically?
– Application Programming Interfaces (APIs), already widely used between systems.
– The directive forces banks to expose those APIs to third parties (accounts, transactions, purchase of banking products or taking out credit).

So, what strategies or even opportunities arise from these changes:
– A player can decide to become a market leader of API exposure and API consumption
– Maintain and even enrich the relationship with clients and those of competitors
– Or just comply with minimum requirements, essentially risking the first two areas of focus.

When is this really going to happen?
After a transition period of 18 months (counted from the publication of the delegated act in the Official Journal of the EU), which lies between the application date of PSD2 (13 January 2018) and the application date of the RTS.
PSPs will need this transition period to upgrade their payments security systems so that they meet the RTS requirements.

All in all, is it a good thing? Is that what we want? Let’s look at who benefits and what we could be getting:
Benefits for clients:
– Unconditional refund rights for direct debits
– A strong customer authentication system (Two Factor Authentication)
– Ban on surcharging (additional costs) for card payments
– Better consumer protection against fraud (like capping what a consumer may have to pay for an unauthorised payment at €50)
– Consumers will be able to run algorithms and assess product suitability using apps and use them to optimize their use of financial products
– Improved consumer protection for payments made outside of the EU or in non-EU currencies

Benefits for the new players:
– This offers lucrative cross-selling opportunities for these new providers – AISPs will be allowed to give you a full view of all your multi-bank details in one portal (no need to talk to all your banks individually)
– APIs enable companies (innovative companies) to connect to financial institutions directly
– The directive will allow retailers to ask you for permission to use your bank details. Once you give them your permission, the retailer will receive the payment directly from your bank – no intermediaries needed.

Any drawbacks or general points of concern:
– Banks are faced with challenges since their role as an intermediary in internet payments is being both questioned and threatened
– Creating these new API infrastructures is expensive and the security issues are not minor – XS2A (third-party access to accounts) has been vaguely defined by the directive. Too much room for interpretation.
– More administrative pressure on banks and payment service providers
– Will PSD2 open the Pandora’s box of overregulation that will cripple the European market or can we get a grip on it?
– With many players involved, problems with information asymmetry might emerge between consumers and those that make use of customer data, e.g. predatory lending, or targeting financially unsophisticated borrowers and luring them to a firm’s financial products.
– Opening up more possibilities to cyber criminality and hackers if not aptly controlled.

So, no matter how soon or late we get there, for better or for worse, this is where the European financial ecosystem is heading – Welcome to a brave new world of open banking!