Tomorrow marks the six month anniversary of the PSD2 deadline. So what have we seen since? Paysafe's Andrea Dunlop discusses.
For months, and even years, in the run-up to January 13 2018, the date was circled in the diary of every bank and fintech in Europe. It marked the launch for one of the most seismic shifts in financial services for decades; the implementation of the Second Payment Services Directive (PSD2). This would be the regulatory catalyst would provide improved banking and payment facilities in Europe, and initiate Open Banking in the UK.
Banks were required to permit registered third parties access to customer accounts (with the customer’s permission) directly through open APIs. This access would enable those third parties to make a payment to a merchant directly from a consumer’s account without going through an acquirer or card scheme.
A second facet of PSD2 compels banks to give third parties visibility of an account holder’s data in order to consolidate multiple accounts or financial service in one place. These third parties are referred to as Account Information Service Providers (AISP).
Understandably fintechs had high expectations of PSD2 prior to its implementation. Paysafe was one of the first third party providers to have its PISP license approved, in anticipation of the transformation to the payments landscape.
However, as we reach the six-month anniversary of PSD2 tomorrow it is fair to say that some of wind has been taken out of its sails. There is still an unshakeable belief in the payments community that PSD2 will have the impact it is earmarked to eventually, but progress since the implementation date has been slower than expected. Perhaps now a new approach is needed.
So what is the problem?
The costs of overhauling legacy technology to permit open API integration is significant, and the result of this forced investment is a much lower level of control over the customer relationship, so it comes as little surprise that the appetite for embracing PSD2 hasn’t been particularly strong on the part of banks. On the PSD2 launch date in January the Bank of Ireland, Barclays, HSBC, RBS and Santander were not even ready to comply with the legislation at all.
Open Banking’s primary goal is to break the stronghold incumbents have over the banking landscape; that was never going to sit well with the banks, but it was also never intended to. As per the wishes of the Competition and Market Authority (CMA), the benefits of Open Banking through PSD2 are stacked in favour of the banks’ customers, and it is the responsibility of the bodies overseeing the implementation of PSD2 and Open Banking to ensure their objectives are successfully met.
So ultimately there is no incentive for the banks to move beyond the minimum requirements of the legislation unless directed to otherwise, even if the minimum requirements of the legislation do not satisfy its objectives.
Delays, and the knock-on effect on consumer perception
One of the fundamental hurdles that needs to be overcome for Open Banking to flourish is consumer and business appetite for adoption. Currently consumers do not have any great visibility on what Open Banking is or its capabilities; familiarity will come through the applications and products themselves that are developed using API technology, not merely the concept.
This is important when considering the effect of the delays that have already occurred in banks’ delivering useable APIs to market. The delay in launching operational Account Information Services APIs was such that only now are we beginning to see products reach the market, and appropriate APIs for Payment Initiation Services are even further behind, with little evidence that a delivery date is on the horizon.
Despite the volume of research that has been dedicated to consumer attitudes to PSD2-enabled products, customer understanding is at a very primitive stage. As the products are not in the market to educate consumers on the benefits of PSD2, a negative narrative, particularly focused on security issues, has monopolised the conversation.
One of the key questions for the Open Banking Implementation Entity (OBIE), the body responsible for overseeing the implementation of Open Banking, is how to re-frame its perception once there are products that showcase the benefits.
Have banks exposed their hand?
The Emerging Payments Association’s Director General, Tony Craddock, recently penned an open letter to the OBIE, highlighting its concerns with the attitude of the banks to facilitating Open Banking.
“EPA members have noted that the nine banks currently covered by the CMA framework have displayed varying levels of enthusiasm in embracing some aspects of Open Banking, with some being described as striving to meet the letter of the law, rather than the spirit of Open Banking,” Craddock tells the OBIE.
“In an era of heightened concerns around data security and a lack of commercial incentive to go ‘over and above’ the strict regulatory requirements, this is perhaps unsurprising.”
As things currently stand third party providers are struggling to build usable services that plug into the APIs that have been made available by banks, and so PISP testing has ground to a halt. The “lack of commercial incentive to go ‘over and above’ the strict regulatory requirements” has resulted in banks’ compliance teams being determined to satisfy the demands of the regulation without regarding its ultimate purpose, and ignoring separate ‘innovation’ teams that are developing an understanding of how PSD2 can enrich the customer experience through Open Banking.
And in another blow to customer experience, there is further suggestion that some non-CMA9 banks will not even attempt to build the APIs at all, and instead revert straight to the regulation’s enforced fall-back option of permitting screen scraping out of fear that their APIs will not meet the required standards. The more cost-effective solution, which is currently compliant under the regulation, is to bypass creating the APIs altogether, so that the cost of only one technology solution is absorbed instead of two.
RTS: the game changer on the horizon?
There is now a new date in the diary for stakeholders in PSD2: September 14 2019. That is the banks’ compliance deadline for the European Banking Authority’s Regulatory Technical Standards on Strong Customer Authentication (SCA) and Secure Open Standards of Communication (SCS), a directive that clarifies how banks should be permitting access to customer data.
In effect, whilst January 2018 was the deadline for banks to ensure they offered ‘access to account’ under Articles 65-67, September 2019 is the deadline for access in the specific manner required by the regulator. For some commentators the period between the implementation of PSD2 and the RTS deadline has allowed banks to defer compliance with the legislation, which is the root cause of the confusion and frustration that has slowed PSD2 progress since January.
There are still question marks that need to be addressed with the exact obligations the RTS will place upon the banks; what is clear is that a greater emphasis needs to be placed upon banks to work with the fintech community to make sure the objectives of PSD2 and Open Banking are met.
Big bang or slow evolution?
The delay from banks to fully commit to the spirit of Open Banking is certainly going to continue being a stumbling block to its progression, and may result in the payments community having to rethink the pace of evolution.
The experience the payments landscape has undergone with Open Banking in the relatively short period since PSD2 implementation has identified numerous issues that appear to be outside of the scope of the OBIE, and perhaps even the CMA remedies upon which the OBIE was founded. If this is indeed the case then then a question needs to be answered concerning who must address these issues. The solution may even require the CMA re-examining what it has mandated, all of which suggests that we may have to wait a while longer until we see any impactful success of Open Banking.