| 28-11-2017 | François de Witte |
In 2018, when PSD2 comes into force, banks will lose their monopoly on payment services and customers’ account details. Bank customers will be able to use third-party providers (TPPs) to administer their payments. When a customer agrees to use the services of a TPP, their bank has to give that TPP access to their accounts. TPPs are then able to build and offer services that compete with the existing bank services. During the summer of 2017, I published a Summer Update on PSD2. Since then, a lot of things have moved, and hence I found it the right moment to provide you with an update on some developments in this area.
LIST OF ABBREVIATIONS USED IN THIS ARTICLE
- 2FA: Two-factor authentication
- API: Application Programming Interface
- EBA: European Banking Authority
- PSP: Payment Service Provider
- PSU: Payment Service User
- RTS: Regulatory Technical Standards (final draft issued by the EBA on 23/2/2017)
- SCA: Strong Customer Authentication
- TPP: Third Party Provider
- OTP: One-time password
Main updates on the regulatory framework
Some member states have already advised that they expect delays in the transposition of PSD2 into national law, e.g. Belgium (by March 2018), the Netherlands (by June 2018), Sweden, Poland, Spain and France.
The following countries have already announced that they will be on track, e.g. Italy, Finland, Ireland, Czech Republic, Germany and Bulgaria.
By the end of November, the EBA should publish the revised draft on the SCA (Strong Customer Authentication) and Secure Communication. We expect that a number of points raised by the market participants will be incorporated in the text.
With regard to the access to TPPs, article 113.4 of PSD2 explicitly states that the member states shall ensure the application of the security measures within 18 months following the entry into force of the law. Hence, we might expect that this part of PSD2 needs only to be implemented by Q3 2019. However, in some countries, the authorities are pushing for an earlier implementation (e.g. in Belgium by end Q1 2018). Given the strategic importance and the IT impact, I recommend starting this quite soon.
Banks will have to implement interfaces, so they can interact with the AISPs and PISPs. This compliance with PSD2 is mandatory and all banks will have to make changes to their infrastructure deployments.
The challenge is to create standards for the APIs specifying the nomenclature, access protocols, authentication, etc. Banks will have to think about how their new API layers interact with their core banking systems and the data models that are implemented alongside this.
A number of working groups were constituted to further elaborate on these standards, the most important ones being the UK’s Open Banking Working Group (OBWG), the Berlin Group, and STET. Experts seem to agree that the Berlin Group Standard is the most elaborate one, as it incorporates the most relevant use cases and has been built with the latest technology standards using REST, OAuth2, JSON and HTTP-signature. It relies on ISO 20022 elements for structuring the data to be exchanged between TPPs and ASPSPs.
As Marc Lainez, CEO of Ibanity, part of Isabel Group (developing API and PSD2 solutions for the XS2A and beyond) pointed out: “We can already see a fragmentation on the market. Several groups are publishing specifications that are on many points different. With the RTS still being a moving target at the moment, those specifications are also incomplete as some details still need to be clarified. Some banks also choose to implement their own specifications without following closely any of those already published. In engineering, a standard is usually something that emerges through the best practices of an industry, it is not something that can be thought of entirely before it is actually used. At Ibanity, we are convinced that fragmentation will be a reality and several formats and specifications will co-exist on the market for some time. Looking at them from a pure software engineering point of view, we can say that those that seem the closest to what TPPs are actually expecting in terms of API quality are the specifications from the Open Banking Working Group and the Berlin Group. They still need, of course, to be challenged by the market with real use cases.”
The large banks have already started working on being PSD2 compliant and on opening their banking architecture to the TPPs. However, several small or medium-sized banks only started recently on this project.
PSD2 has numerous interdependencies with other regulations (such as GDPR and the eIDAS Regulation), promising a complex implementation with multiple stakeholders. For many banks, compliance by 2018 will be a challenge. Moreover, there is a strong technology impact, adding to the complexity of the project. The following graphs of a market survey of PwC are a good illustration of the current state of the project with the European banks:
PSD2 creates challenges. Several topics, such as the RTS, need to be clarified, and the market players also need to agree on common standards for the interfaces. Moreover, some points in the text remain unclear.
However, there are solutions in the market that take the hassle away from banks and TPPs. The clock is ticking in the PSD race. Consequently, there is no justifiable reason for any bank to delay starting these projects.
François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group