Ralf Ohlhausen, Executive Advisor at PPRO and Vice-Chairman of ETPPA
Banks, FinTechs and Third-Party Providers (TPPs) are facing a very steep cliff-edge with the impending arrival of Strong Customer Authentication (SCA) and the final implementation of PSD2. Action must be taken very urgently by all PSD2 regulators in Europe to avoid plummeting. With the September 14th deadline fast approaching, the market is not fully prepared for it, which may leave customers vulnerable to service failures and fraud when accessing their bank data and carrying out payments online. For card payments this has been recognised and it looks like another 18 months will be given to get things right. Unfortunately, for TPPs who are brought into a similar situation with no fault on their side, this is not yet the case.
One of the major reasons they have arrived at this juncture is that all necessary Application Programming Interfaces (APIs) should have been in place by March 14th and in production mode by June 14th, but in reality, even today, many are not available at all and the vast majority are not functional as required. It is to these APIs that TPPs are to migrate their services and customer base, thereby ensuring they are acting within the regulations. To make matters even worse, the required eIDAS certificates to use the APIs were not available by this deadline either. All in all, this hasn’t been managed and executed effectively, resulting in the tricky conundrum we are now in.
Part of the reason for the current status of the APIs is that the Regulatory and Technical Standards (RTS), which apply to PSD2, left room for too many different interpretations and created several unintended consequences, which no one could foresee at the time. The API Evaluation Group did a great job in clarifying what is needed, but the bank-driven API standardisation initiatives implemented only the recommendations that the regulator categorised as explicitly legally required and ignored the implicit requirements, leading to the obstacles that hinder TPPs in migrating their services without losing much of their purpose.
As confirmed by the joint statement issued earlier this year, banks and TPPs have found some common ground and ways of working together, but whilst this is a positive step, there is much more to be done. Everyone agreed and still agrees that APIs are the way forward, but taking them live prematurely would jeopardise the whole financial services industry. They are not ready and must be improved significantly, both from a functional and stability perspective. Granting exemptions and thereby not requesting banks to allow TPPs to fall back to their established and well-working current practice would be grossly negligent, and it is very surprising to see that regulators, who are otherwise so careful, seem willing to err on the side of risk.
As long as APIs are not ready, TPPs must continue using the banks’ user interfaces directly. Not having expected this situation, many banks seem to be technically unable to introduce SCA for their customers while providing TPPs with a way around that for their automated services, where customers are not present to provide dynamic credentials. If banks and TPPs are not given a grace period for the introduction of SCA similar to that given to card payments, this will bring many TPP services to a halt.
The ETPPA (European Third-Party Providers Association) has requested such regulator action for many months, detailing the TPP business continuity requirements and the unintended consequences of the RTS and explaining the necessary measures to be put into place ahead of the deadline. Namely, these measures are: providing the necessary technical ability to use TPPs’ current practice for contingency, enabling TPPs to identify themselves as stipulated, coordinating the introduction of SCA and, finally, allowing TPPs to handle the SCA for the required 90-day renewal of customer consent.
So far, only the UK’s Financial Conduct Authority (FCA) has announced it will hand a lifeline to TPPs and delay its enforcement of SCA by six months after the deadline of September 14th, which takes the pressure off slightly. This is despite their APIs being 18 months older and more mature than those elsewhere. France and Germany are also taking action, but have not yet disclosed any details. The other NCAs seem not to care or to be waiting for a green light from the EBA, although they already indicated not wanting to harmonise this beyond card payments.
This leads us to the position we find ourselves in now, on the cliff-edge. Banks and TPPs are open to collaboration, common ground has been found and some progress made, but it is in the hands of the regulators to now provide the flexibility needed to get this right and not drop that guillotine on September 14th. Clearly, all sides support the aims of PSD2, which ultimately is the regulatory foundation for innovation, development and cooperation across the payments industry in Europe.
PSD2 was created to open up banking and allow customers to unlock their data there for more value-added services, whilst making online payments safer and increasing consumer protection. It would be a disaster if it now led to the closure of existing services and if the outstanding technical difficulties were ignored. This would lead to detrimental customer experiences, and possibly make their transactions less secure – the very things it was devised to protect against.
Europe is losing ground in many areas, but we were and still are ahead with Open Banking, so it’s extremely important to not screw this up, as the successful implementation of PSD2, and the consequent RTS, is a prerequisite for keeping that lead and also for going further on our way towards Open Finance and Open Data.