In June 2018, I published a Spring Update on PSD2 (Payment Service Directive 2). Since then, things have moved, and hence I found it the right moment to update you on some developments in PSD2 and open banking.
Main updates on the regulatory framework
Several member states have experienced in the transposition of PSD2 in the national law. The status (28/8/2018) is as follows:
- Full transposition measures communicated: Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Slovakia, Slovenia, Sweden, United Kingdom, Belgium, Luxembourg, Poland
- Partial transposition measures communicated: Lithuania, Malta, Romania, Latvia
- No transposition measures communicated: Croatia, Netherlands, Portugal, Spain
Source: https://ec.europa.eu/info/publications/payment-services-directive-transposition-status_en, as updated with information I gathered.
The RTS (Regulatory Technical Standards) on SCA (strong customer authentication) and CSC (Common Secure open Standards of communication) will apply as from September 13, 2019, leaving the payment industry 18 months to get ready for this new state of play. In the meantime, the EBA (European Banking Authority) published on 13/6/2018 its Opinion on the implementation of the RTS on SCA and CSC, as well as a Consultation Paper on Draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC).
The Contingency Measures require the ASPSP (Account Servicing Payment Service Provider) to provide a fallback mechanism, i.e. measures that should be taken to restore access to the customer payment account in case the API happens to be unavailable. Exemptions can be granted if all the following conditions are met:
- The API meets the quality requirements defined in the RTS
- The API has been successfully tested by the market
- The API has been approved by the competent authority (in Belgium the NBB and in the Netherlands the DNB), which itself should have consulted the EBA, to ensure a consistency of quality criteria for APIs
This is a hot topic, as the cost of a fallback mechanism is quite high, and we expect that ASPSPs will ask for exemptions.
Up to now, some banks have published their APIs (Application Programming Interfaces). We observe that banks remain slow in opening their APIs to TPPs (Third Party Providers), for various reasons, e.g. APIs are not yet technically ready, a chicken-and-egg situation with other banks, etc. As a result, some API aggregators use screen scraping or reverse engineering to provide TPPs (including banks) with access to the accounts held at the ASPSPs.
Furthermore, the standards are not yet harmonized throughout Europe. A few working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET.
Although the adoption of the RTS has provided a degree of market certainty, some articles are still open to interpretation.
The permissible methods of strong customer authentication remain unclear. One-time passcodes sent via SMS are not explicitly allowed or disallowed by the RTS. There is also debate about the dual-factor requirement for such an authentication method, particularly if the mobile device to which the passcode is sent is already serving as an authentication factor. Would the consumer be required to have an additional device?
It also remains unclear if the exemptions for PISPs on low-value credit transfers (30 EUR and 100 EUR accumulated, up to five transactions) and contactless payments (50 EUR, 150 EUR accumulated, up to five transactions) must be counted together or separately per channel.
National competent authorities will have to balance the convenience, familiarity and inclusiveness of the method against its known vulnerabilities to certain types of attack.
There are also uncertainties about how what the EBA calls TRA (Transaction Risk Analysis) will work in practice. This risk-based approach grants exemptions from strong customer authentication for low-risk transactions, if the Payment Service Provider operates within certain fraud thresholds by value band.
We increasingly see new business opportunities popping up. PSD2 allows the existing banks to source valuable partnerships pursuing multiple potential objectives. During my contacts in the market, I identified the following interesting use cases.
- Use cases to improve the consumer banking experience and increase customer control:
- Offer new payment solutions based on smartphones and apps
- Facilitate reloading of prepaid cards
- Increase customer attraction and retention:
- Offer loyalty cards and potential gains based on actual spending
- Offer tools for expense and budget control
- Retain clients with multiple banking relations
- Permit access to all banks’ information through a single user interface
- Allow clients to deposit cash through TPP’s network
- Provide a complete asset overview
- Provide integrated view beyond PSD2
- Give overview of all assets (real estate, crypto, cars…)
- Optimize internal processes
- Automate and enhance credit scoring based on data integration
- Monitoring of loans – Early Warning signals in case of credit deterioration
The banks are slow in opening their APIs, and open banking is not taking off as quickly as expected. Market players also need to agree on common standards for the interfaces. However, the deadline of 14/9/2019 is approaching and there is no way back.
Open banking is a new way of approaching the delivery of financial services for customers, and as such, it requires a new way of thinking and new ways of working. However, I see many new opportunities and use cases.
For your information, an interesting conference on “Recent Trends in Payments”, organized by IFE, will take place in Brussels on 20/9/2018. The conference will be chaired by Joan Carette, Partner at Osborne Clarke, with several prime speakers including Begoña Blanco Sánchez, Gert Heynderickx, Cédric Nève, Sébastien De Brouwer and myself. For more information, please go to www.ifebenelux.be/nl/opleiding/actualiteit/services-de-paiement-etat-des-lieux-et-nouvelles-tendances-betalingsdiensten-stand-van-zaken-en-nieuwe-trends.html.
I will also give a one-day training on the subject at Febelfin Academy on 21/11/2018. For more information, please go to: www.febelfin-academy.be/nl/opleidingen/detail/psd2-and-the-open-banking-architecture-addressing-.
Founder & Senior Consultant at FDW Consult