What does PSD2's RTS mean for the European financial industry?

Wednesday 29 November 2017 09:22 CET | Editor: Melisande Mual | Interview

Kristian Sørensen (Norfico) and Tim Richards (Consult Hyperion) share their opinions on the final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA).

Context: European banks, banking associations and fintech companies are currently waiting for the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) to be adopted by the European Commission and Parliament.

What does the European Commission aim to achieve with the RTS adoption?

Tim Richards: The RTS is the technical specification of requirements that already exist in the main directive. Roughly there are two main areas:

  • A requirement for banks to do 2-factor authentication on all electronic payment transactions, or come under a specified exemption

  • A requirement for banks to implement APIs that allow Third-Party Providers to initiate credit transfer payments and inspect account information.

Broadly the aim of the directive is to promote disruption in the European payments industry. This will have unexpected consequences – which, obviously, are hard to predict, but some possible outcomes are:

  • Banks are forced to become providers of federated digital identity services – large banks will be able to do this in an intelligent fashion, smaller banks may be forced to use generic third-party services or simply abandon basic payment functions

  • Large retailers have the opportunity to launch their own payment and loyalty programs on the back of the mandated bank infrastructure

  • Alternative payment providers can use the PSD2 APIs to fund their payment products and compete with existing card payment products

  • Domestic card schemes may struggle with the investments needed to stay relevant, especially given the capping of domestic interchange under the IFR

Kristian Sørensen: However, new schemes might see the light of day. E.g. some of the bank-driven P2P mobile payment schemes like MobilePay in Denmark or Swish in Sweden can utilise PSD2 to become schemes in their own right. This can be the dawn of non-card-based schemes.

TR: Acquirers and PSPs may find themselves in a privileged position with the ability to source data directly from the consumer and also from the banks, via APIs – we see a move in this area to provide significant value-added services to help merchants with new forms of acceptance and better data analysis.

KS: Banks themselves can also become TPPs and thereby tap into the infrastructure of their competitors.

  • Many banks have sold their card acquiring business to other players. With PSD2 some banks will look to get back into an acquirer-like role by facilitating account-based payments to their corporate clients.

TR: Consumers will experience a trend towards invisible payments where the payment method is less important than the consumer experience – however, SCA mitigates against this, so there will be significant investment in technology to ensure fraud rate exemptions are effective.

KS: As PSD2-driven services within payment and account information will lead to more frequent use of SCA solutions, a bank’s choice of SCA solution and provider becomes a strategic choice.

Context: The RTS have been subject to much controversy, criticism from various industry sectors and much lobbying and representations.

There are two main areas in dispute: the use of SCA to authenticate electronic payment transactions and the interface through which the new payment initiation (PISPs) and account information services providers (AISPs) will access customer accounts.

We will focus a bit on the second one: what happens if banks and other account providers are given too much power when accessing these interfaces?

TR: PSD2 is subservient to GDPR, which carries massive penalties for misuse of consumer data, especially if this is done in a systematic and premeditated fashion. We think any bank or TPP that misuses these interfaces is taking a HUGE risk.

The APIs are key to disruption and innovation in European financial markets, and SCA is the key to ensuring these APIs are provided safely. Although we can’t predict with any certainty how these will be used we can easily foresee the creation of comparison and budgeting services which will serve consumers with customised data. In this environment we think any intermediary that can create a brand and customer experience which simplifies their financial services will have significant opportunities. Clearly banks could do this themselves, but their record on innovation is not great.

KS: There have been speculations back and forth whether some ASPSPs will make the APIs difficult to use or with limited capacity to impair TPPs competing directly with the ASPSPs – but based on the conversations we have had with banks, most of these actually welcome the innovation that the TPPs will bring to the banks. “PSD2 will bring the bank account into the centre of innovation” is what we hear from many banks.

I remember some years back when the banks’ biggest fear was that people would store their money in all sorts of different wallets like the ones some of the telcos brought to market, or that future generations would want their salary in Facebook credit. With PSD2 there is nowhere better to store your money than your bank account, which ensures its relevance going forward. The more services are connected to your bank account, the less likely you will be to move your account to another bank. So, all in all, good news for the banks.

Context: A mandatory “dedicated interface” could allow account providers to impede or limit “direct access” to a customer’s account by these new service providers; nevertheless, this would run contrary to the overriding principles of PSD2 which are to open up competition and innovation.

How do you comment on this?

TR: Implementing mechanisms to allow third parties to bypass the APIs is a challenge, especially given that the RTS makes it clear that this can’t be the equivalent of anonymous screen scraping. We understand that the reason for this is to keep banks honest – so that if they provide sub-optimal API access they will find the TPPs using direct access instead. However, quite how this is done without giving the third party access to the customer’s login credentials is unclear, and is either a security hole or significant additional complexity.

We think the better solution is to ban the use of direct access by banks and force them to use the public APIs. That way if the performance is degraded they will suffer the consequences along with everyone else.

Context: Also, EBA’s insistence that “screen scraping” as a means of access should be prohibited once the RTS apply – what do you think?

How will a ban on screen scraping influence banks, third party providers, and fintechs?

TR: Screen scraping is worse than a dedicated interface – the bank has no way of knowing a third-party is accessing their systems. We agree with the EBA, although the fact that this is allowed in the transition period up until the RTS comes into force is a concern.

In fact, screen scraping companies ought to welcome these changes – the APIs allow them to get much better access to properly structured data and enable them to pass liability to the banks. They don’t even have to implement authentication themselves as the banks are mandated to implement this. There doesn’t seem to be any good reason why they shouldn’t implement this, and if they don’t they expose the whole ecosystem not just their own businesses. Obviously, this means they have to implement the new interfaces, but that doesn’t seem like a good reason for degrading the security of the customer data.

KS: Absolutely agree – PSD2 is about levelling the playing field, and while that mainly means that the established players like the banks are forced to open up, it also means that the currently unregulated players in the market become regulated.

Some final thoughts regarding the timeline – how will things evolve around PSD2/ RTS implementation?

TR: September 2019 is the due date for the implementation of SCA, subject to no unexpected delays. We don’t really expect there to be much leeway on that date – many of the most switched on banks are already well down the path of implementing this anyway, and the laggards are likely to find themselves with narrowing options.

KS: The 18-month timeline worries many banks as the process has been delayed. This means that the transition period between the day PSD2 comes into force across Europe and the date by which the banks need to comply with the RTS will be longer than originally planned. The big question is what TPPs will be allowed to use as an alternative access solution in the transition period, and whether these alternatives may end up becoming de facto standards that TPPs will lobby to be allowed to continue to use.

About Kristian T. Sørensen

Kristian is the co-founder of Norfico - the first agency in the Nordics to combine strategic advisory with PR and communication services with a dedicated focus on fintech. Norfico serves clients in Europe and North America, delivering both content and context in the increasingly complex financial services industry. Kristian holds a master's degree in communication and psychology but has worked with financial services and digital payments for the past 15 years.


About Tim Richards

Tim manages Consult Hyperion’s digital payments practice, where he has specific responsibility for digital payments, open banking and tokenisation projects. He has worked on PSD2 and open banking projects for issuers, acquirers, international payment schemes, fraud solution providers and fintech companies, and has specified tokenisation solutions for major industry players. Tim has 30 years’ experience in secure processing systems, having worked in the payments, transit and digital identity sectors on solutions as diverse as transit ticketing key management, HCE and mobile payments, ICAO e-passports and travel cards, remote management of multi-application smart cards and, of course, EMV.
