PSD2 Spring Update

| 18-06-2018 | François de Witte | TreasuryXL

During the fall of 2017, I published a Summer Update on PSD2. Since then, a lot of things have moved, and hence I found it the right moment to provide an update you on some developments PSD2 and open banking.

LIST OF ABBREVIATIONS USED IN THIS ARTICLE

AISP:            Account Information Service Provider
API:              Application Programming Interface
ASPSP:         Account Servicing Payment Service Provider
EBA:             European Banking Authority
PISP:            Payment Initiation Service Provider
PSP:             Payment Service Provider
PSU:             Payment Service User
RTS:             Regulatory Technical Standards
SCA:             Strong Customer Authentication
TPP:             Third Party Provider

Main updates on the regulatory framework

Several member states have experienced in the transposition of PSD2 in the national law. The current status (27/5/2018) is as follows:

• Full transposition measures communicated: Austria, Bulgaria, Cyprus, Czech Republik, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Slovakia, Slovenia, Sweden, United Kingdom
• Partial transposition measures communicated: Belgium, Lithuania, Malta, Poland
• No transposition measures communicated: Croatia, Latvia, Luxembourg, Netherlands, Portugal, Romania, Spain

Source : https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en

The EC has launched an infringement proceeding is against the states who did not or only partially transposed PSD2 in their national law.

The Regulatory Technical Standards on strong customer authentication and secure open standards of communication have been published on 13/3/2018 in the Official Journal of the European Union. They will apply in as from September 13, 2019, leaving 18 months to the payment industry to get ready for this new state of play.

The EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. As of 13/9/2019, the existing practice of third party access without identification (at times referred to as ‘screen scraping’) will no longer be allowed. In order to address the concerns raised by a few respondents, the final RTS now also require that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.

The banks need already to prepare some steps as from early 2019 onwards. The following timetable illustrates the deadlines:

The finalization of the RTS is an important milestone which will give banks and TPPs much more clarity and certainty on how to push forward their PSD2 compliance and strategic programs.

13/1/2018, the date of implementation of PSD2 appeared to be nonevent. Over one third of the member states failed to implement PSD2. Only very few banks had published their APIs. We observe that banks are much slower in opening up their APIs to TPPs, and this for various reasons, e.g. APIs are not yet ready technically, chicken and egg situation with other banks, etc. As a result, the API aggregators need to use screen scraping or reverse engineering to enable to provide for the TPPs (including banks) access to the accounts held at the ASPSPs.

Furthermore, the standards are not yet harmonized throughout Europe. A number of working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET. Experts seem to agree that the Berlin Group Standard is the most elaborate ones, as it incorporates the most relevant use cases and has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs However the UK Open Banking standards also provide interesting insights. The UK has already a much larger experience in open banking. In my view it’s essential to create a set of common, industry standard APIs that can be used by all.

Another challenge is the implementation of the multi-factor authentication. There also some interesting initiatives took place. Gemalto the world leader in digital security, has enabled Belgian mobile ID scheme ITSME to enroll 350,000 users and securely process one million transactions per month for both private and public online services – making it one of the most successful mobile ID applications in Europe within one year of launch.

Real-time payments can be the catalyst for a new wave of innovative corporate banking, payments and cash management services. The SEPA Instant Credit Transfer, will offer in combination with PSD2 interesting new use cases for Open Banking. However, it will take time to take off, as it requires huge investment from the banks, and also a change in the mentality of the consumers.

Conclusion

Although PSD2 should have been enacted by the member states, some states are still lagging behind. The banks are slow in opening their APIs, and open banking is not taking off as quickly as expected. Market players need also to agree on common standards for the interfaces.

However, there the deadline of 13/9/2019 is approaching and there is no way back. The clock is ticking in the PSD race. “If you cannot beat them, then you better join them”.

Open banking is a new way of approaching the delivery of financial services for customers, and as such, it requires a new way of thinking and new ways of working. This will also require a new mindset and a different team set up. Teams are going to be more agile and have a mix of skills and people. This is a big challenge for several institutions.

For your information, I will give a one-day training on the subject at Febelfin Academy on 21/11/2018. For more information, please go to: https://www.febelfin-academy.be/nl/opleidingen/detail/psd2-and-the-open-banking-architecture-addressing-.

François de Witte – Founder & Senior Consultant at FDW Consult; Managing Director and CFO at SafeTrade Holding S.A.

 

[button url=”https://www.treasuryxl.com/community/experts/francois-de-witte/” text=”View expert profile” size=”small” type=”primary” icon=”” external=”1″]

[separator type=”” size=”” icon=””]