Regulatory Technical Standards (RTS) for Stronger Customer Authentication (SCA) and secure communication have been published by the European Banking Authority (EBA) and the Open Banking Implementation Entity (OBIE) respectively. The revised dates for PSD2 implementationhave also been decided (UK to implement APIs for Open Banking in phases starting from January 2018 and SCA by Q1 2019 – other countries to implement both APIs and SCA together by Q1 2019). Now, it is time to assess the current status and ability of the banks to be ready for full-fledged implementation.
Following are the critical components of PSD2 that impact the systems and processes of significantly:
- Account information and payment initiation: Provide customers a consolidated view of their accounts (with multiple banks) and payment transactions
- Multi-factor authentication: SCA through more than one authentication method
- Transparency around payment transactions, covering aspects like SLAs, fees, and disputes handling
Across Europe, multiple working groups consisting of regulators, banks, and fintech firms have agreed on APIs as the channel for delivering compliance with regard to PSD2. Banks have assessed the impact on their existing systems and processes and have identified several enhancements, such as:
- Implementing an Application Programming Interface Management (APIM) solution and building an API operating model
- Creating services for account and payment information in preparation for the final interface specifications
- Developing test APIs to prove the solution and the
As we see it, there are a few challenges that banks may face in their journey to PSD2 compliance. Though the provisions with respect to ’customer consent’ are clear and unambiguous, their impact on internal processes may vary from bank to bank. This necessitates each bank to carry out thorough analysis on all variants of access by multiple parties, to ensure servicing through APIs does not open up possible process gaps or inconsistencies.
The criteria for classification of an account as a ‘Payment Account’ (to decide if the provisions of PSD2 are applicable or not) is defined by each member state separately. It will be the responsibility of the banks to identify payment accounts by applying the defined criteria as applicable for the concerned state and following the guidelines from the regional regulator.
The maintenance of National Registers by the respective countries is a critical factor that contributes for the success of PSD2 in the area of customer transparency. The UK Open Banking Register is now finalized. However, passporting across Europe and how UK will integrate with eIDAS (electronic Identification, Authentication and Trust Services) is unclear.
Further, banks are not clear as to how the regulations are going to be accepted parties including PSPs, customers, and other entities associated with payment services.
Despite all odds, there is no denying that the opportunities that PSD2 throws open for industry players are enormous. The banks, in addition to servicing the accounts of the customers, can offer the full suite of payment services. Apart from servicing their own customers, they can play the role of third-party providers (TPPs) for small banks that do not have the capability to offer the full range of services. By diversifying the spectrum of services and the target segments, banks will be able to significantly increase their revenue and profitability Banks are definitely in an advantageous position due to the favorable factors such as:
- AISP opportunities are still viewed as the main use of APIs. Customers are willing to share banking information if this enables them to have a portfolio view and better product recommendations
- There are significant opportunities for banks to become AISPs
- Customers still favor the bank as the PISP since they inherently trust the bank
Considering all the above, banks are working in all earnestness to implement PSD2. They have to leverage on the trust their customers currently have on them, to deliver value-added services.
The additional bandwidth that the revised timelines for implementation of PSD2 has provided, can be considered as an opportunity by the large players to fully realize the benefits the PSD2. The players who have plans to embrace PSD2 in phases, can now redefine their strategy to offer full services from day one.