By Nick Caley, Head of Financial Services and Regulatory, ForgeRock
14th June 2019 is the next significant milestone for Europe’s second Payment Services Directive (PSD2), yet you’d be forgiven if you weren’t even aware it was happening, with banks and Account Servicing Payment Service Providers (ASPSPs) still struggling to deliver against a timeline that has been known for years. However, despite the low-key response, this date does matter, with those banks that fail to meet it likely to fall behind the competition and face additional burdens in terms of time, costs, and competitiveness.
But what exactly is the June 14th deadline – and how will it impact banks? And, more broadly, what will it tell us about the state of PSD2 implementation across Europe?
A final checkpoint before full-blown implementation
Application Programming Interfaces (APIs) are the core technology that will make PSD2 successful – or not – by allowing third parties, such as fintechs, to access a bank’s customer account information securely. 14th September 2019 is the ultimate deadline when banks are required to open up their account information in production environments to third parties through a dedicated third-party access interface. However, if their dedicated interface hasn’t been sufficiently tested and used by third parties before this deadline, banks must also back up the interface with a contingency mechanism.
This is where the 14th June deadline comes in: this date marks the last opportunity for banks to be granted an exemption from having to implement contingency mechanisms to back up their dedicated API.
There are a number of very good reasons why banks would want to avoid these ‘contingency’ or ‘fallback’ mechanisms. Most significantly, they represent a continuing cost burden, soaking up expert resources supporting a method of access that has run its course. They also bring considerable security risks because they involve so-called ‘screen-scraping’, whereby the security credentials of banks’ customers are shared with the third parties. The maintenance work required drains engineering teams who are already stretched, directly impacting on the time they’re able to spend working on a bank’s main third-party interface.
So avoiding this contingency requirement should definitely be a priority for banks, but how do they get an exemption?
To gain an exemption, banks must demonstrate they have a valid roadmap to implementation, including a dedicated third-party interface that is in testing and being “widely used” by existing third parties. Transparency is key. According to the European Banking Authority (EBA), ASPSPs must provide regulators with “a summary of the results of the testing”, as well as a copy of “the feedback received” from the third parties that participated in the testing and “the issues identified and a description of how these issues have been addressed”.
Those banks that failed to implement testing facilities by now are still encouraged to reach out to the regulator with their PSD2 implementation roadmap. If they can demonstrate that they are making an effort to develop and test a third-party interface, they may be awarded an exemption.
Beyond the practical reasons banks should seek an exemption, there is also a longer term incentive: after all, having a successfully implemented third-party interface will be the only way banks will be able to truly compete when PSD2 comes into effect.
The promises of PSD2 put banks in pole position
Once banks have their foundational APIs in place, there are myriad opportunities for PSD2 to disrupt other industries, and open up new revenue opportunities for banks. As well as providing new levels of convenience for consumers, banks and financial service providers can expand their offerings and pivot to become customer-first digital services.
For example, payments services in connected cars will open up the automotive industry to banks, with users being able to connect directly to their bank accounts as they make use of different services. Imagine being able to pay for parking, fuel, toll-booths and on-demand infotainment services from the dashboard of your car. Streamlined, customer-centric payment methods such as these will also leverage the latest technology such as biometrics and voice-enabled commands to be as secure and dynamic as possible.
Such convenience is a no-brainer in terms of customer choice, and so the brands that can define and implement this level of seamless user experience will be able to challenge the traditional financial services structures that exist today. This of course includes the financial arms of the automotive manufacturers that recognise the development of their very own hardware-based marketplace of digital services focused around drivers and their passengers.
Implementation is still slow across Europe
However, despite the size of the opportunity, and the serious roadblocks that failing to meet the upcoming deadline could cause, many banks and ASPSPs are simply not on track. What’s more, there is a growing frustration from the fintech community about the lack of quality APIs in the market.
In the UK, the CMA9 have supposedly had a head start due to the rollout of the UK Open Banking Standards, which promoted the early adoption of the regulatory standards that underpin PSD2 ahead of time. Theoretically, this means around 90% of the population already has access to open banking services. But even here, uptake has been slower than expected, and the CMA9 have been in the regulators’ sights since the start in January 2018 for missing the first deadline, with adoption continuing to be slow throughout the year.
There are some mitigating factors. Banks’ legacy infrastructures, which often involve complex manual processes, combined with the burden of regulatory risk and compliance, make change slow and difficult to implement, while the fact their systems have to be scaled to millions of customers also makes new deployment challenging.
However, there are new digital challengers such as 10x offering a white-labeled banking platform capable of addressing the missing capabilities of banks’ digital offerings. Equally, there are numerous solutions being developed specifically for PSD2, such as standards-based, compliant sandboxes which can be deployed rapidly to provide the testing facility, so excuses for lack of compliance should be non-existent.
Banks must act fast or forgo the future
While slow implementation across Europe is yet to create any real casualties, come September 14th reality will start to hit as third parties sound the alarm on those banks whose interfaces are causing problems. As adoption of Open Banking increases, those banks who deliver poorly designed API infrastructure, or get stuck supporting contingency mechanisms, will ultimately have detrimental effects on consumers, permanently damaging the brand reputation of those involved.
This is why the upcoming June deadline is crucial: it’s the last chance for banks to get on track with their PSD2 compliance, and stay ahead of those competitors who will open themselves up to increased risks and costs through the contingency mechanism or fall behind the rest as the future of banking comes into effect.
Although achieving compliance may seem like an insurmountable goal by itself, banks should also beware of settling for the bare minimum. They need to go beyond the point of merely complying and commit to real and ongoing innovation if they want to build a true leadership position. Everything is still to play for – and only those banks that are committed to testing and developing new open banking technologies, delivering meaningful use cases that drive customer adoption, and working closely with the fintech community will win out.