It’s been a year since the European Union’s Payment Services Directive 2 (PSD2) was enacted. The directive, considered by many to be the most consequential regulation to affect the banking sector in recent times, continues to be a hot button issue; in practice, however, its impact has been underwhelming. Granted, PSD2 has not gone into full effect yet – there will be some time before certain provisions become mandatory. A recent study found that only nine percent of UK adults have had any interaction with open banking technology (the term, open banking, is applied generally to signify regulatory and technological efforts to break up the retail banking oligopoly by allowing payment and related tech solutions to become more competitive in the financial services space).
One of the key pieces of PSD2 is Strong Customer Authentication (SCA), which will be mandated on September 14, 2019. Industry insiders have expressed concerns over companies’ preparedness to be SCA-compliant, and its potentially detrimental effects on user experience.
Despite anxieties and skepticism around the feasibility of PSD2, industry leaders seem to have accepted that it is ineluctable. What adaptive changes will banks make, however, remains an open-ended question.
As Sebastian Siemiatkowski, CEO, Klarna, a leading German challenger bank, said recently:
“Some banks, will "manage to transform themselves" as digitally-driven businesses; most will take the mergers and acquisitions (M&A) route, snapping up fintech competitors to get ahead; and, lastly, others will just "fail."
Indeed, a year after the implementation of PSD2, crucial questions still remain unanswered: How will various payment and banking companies implement PSD2? Will the vision of open banking remain a vision or will it actually materialize?
With the benefit of hindsight, this post will revisit some of the core objectives of PSD2, along with their challenges, and assess where things stand today.
PSD2: Objectives and possibilities
Fundamentally, PSD2 opens consumer banking data up to third party providers (TPPs). PSD2 resolves TPPs into two categories: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
PISPs initiate payments on behalf of a user. On the other hand, AISPs offer users a consolidated view of their accounts with different banks. While AISPs could analyze a user’s spending habits, PISPs deal with the actual transfer of money in the form of Peer-to-Peer (P2P) transfers or bill payments.
Upon gaining access to consumer banking data, TPPs can build a host of new financial products and services on top of existing bank infrastructure, to the benefit of customers. Banks will have to compete not just with other banks, but with innovative upstarts fashioning new solutions and services out of data that, until recently, resided exclusively with banks.
Strong Customer Authentication (SCA): “GDPR on steroids”?
SCA is based on:
- Knowledge (something only the user knows; for example, a password or PIN)
- Possession (something the user possesses; for example, mobile phone or ID card)
- Inherence (something the user is; for example, fingerprint or facial recognition)
At the very least, SCA mandates that a customer’s identity be verified, using at least two of the aforementioned independent elements; for example, a question and a biometric scan or a password and a randomly generated Personal Identification Number (PIN).
As we noted earlier, there are concerns that SCA could create friction in the user experience. As per the regulation, SCA would be required for every transaction over €30 (or $35 approx.). This had displeased many: Comparing SCA to “GDPR on steroids”, industry experts predict that up to 30 percent of transactions could be declined after its introduction – no specific factors, however, were provided to account for the estimate.
Needless to say, the ideal approach would be to strike a balance between complying with regulations and building suitable customer experiences.
XS2A: How will TPPs and banks work together?
Access to Account (XS2A), which relates to how TPPs will actually obtain access to customer bank data, remains the most pivotal aspect of PSD2; there will be important risk mitigation, implementation and technical considerations as a result of XS2A. For example, what technologies and processes would require to be implemented to ensure that customer data is being accessed and shared in a secure manner? What specific procedures will compliance teams need to follow? How will liability be assessed when breaches or other failures occur?
The devil is in the details
Clearly, there are a host of unanswered questions around how SCA, XS2A and, indeed, the larger PSD2 project will play out. The European Banking Authority’s (EBA) has published opinions and guidelines, which speak more specifically to these questions.
As the adage goes, the devil is in the details, and when it comes to PSD2, the details around implementation will, to a large extent, determine the future of open banking.