January 16, 2018 | DOUGLAS HARTUNG
Whether the industry likes it or not, PSD2 regulations go into effect this year for payment and data access throughout the European Union. The bottom line is this: PSD2 mandates that third-party organizations be allowed to gain access to consumer banking data (with consumer consent, of course), and also facilitates payments from consumers’ personal accounts to beneficiaries’ accounts outside the construct of existing card-based payment schemes (PSD2 requires third-party facilitators to send funds directly to the merchant in the course of the transaction).
For basic information on PSD2, check out this earlier post, which offers an introduction to the topic. Today, we will focus our attention on various strategic options faced by bankers as they contemplate how best to position themselves in light of this new regulatory construct. Of course, the primary issue is whether the bank chooses to view PSD2 as a regulation with which it is forced to comply or as an opportunity to fundamentally reconstruct how it partners and brings new products and services to its customers.
Said differently, do we play offense or defense?
The PSD2 Timeline
The European Commission has published the final regulatory technical standard (RTS) on strong customer authentication and common and secure open standards of communication. This regulation must now be approved or rejected by the European Council and the European Parliament. We expect the proposal will be passed in February 2018. Shortly thereafter, the RTS will be published in the official EU Journal and then banks will have 18 months to comply with the regulation.
The RTS requires banks to provide at least one dedicated interface that a third party can use when accessing consumers’ payment accounts. Most banks are expected to implement APIs as the dedicated interface, and there are currently several initiatives across Europe to deliver standards for these APIs. The RTS also stipulates that if the APIs are not performing satisfactorily, the third-party provider may use the consumer interface (also called screen scraping) as a fallback solution. Banks can be exempted from supporting the fallback solution when they can demonstrate that they have well-performing APIs. This serves as an incentive for banks to implement APIs long before the implementation deadline of September 2019. Banks may face penalties from regulators should they fail to implement a dedicated interface.
We have identified a number of strategic options banks will need to consider as they position themselves for a PSD2-enabled future:
Minimal compliance. Some banks are treating PSD2 as a regulatory compliance issue and will develop a basic set of APIs to authenticate consumers accessing their data through a third-party application, using a standardized Strong Customer Authentication (SCA) scheme based on multi-factor authentication. While this can be a reasonable short-term tactic to create the appropriate APIs in order to comply, the longer-term implication is that third parties will now be able to utilize bank data to create and deliver new products and services to consumers, potentially undermining the primary “bank” relationship and relegating the bank to the role of utility with shrinking margins and limited upsell and cross-selling opportunities.
This is obviously not an exhaustive list of strategic options, and a blog post does not provide for a deep dive into all the implications of pursuing these strategies (for a deeper dive into the pros and cons, take a look at this PSD2 webinar presented at a recent Mobey Forum). The intent is to simply begin the dialogue and broaden the perspective towards the use of PSD2 to take a more offensive posture rather than simply viewing it as a regulatory compliance issue.
The promise of PSD2 is lofty: open the market to greater competition by implementing a standardized method for banks to share data with consumers through approved third-party providers. However, the methods for accessing this data have yet to be defined as a true technical standard: what data must be provided to be compliant is open to interpretation, and the methods for determining which third party is certified to access the data are not commonly defined. 2018 is likely to be a year of exploration and initial implementation where new entrants and market leaders seek to position themselves to best take advantage of the promises laid out by PSD2, with large-scale adoption through standardized interfaces more likely to emerge by 2020.
In our next post, we will discuss the opportunities that PSD2 makes available to merchants, especially as a basis for creating new and interesting services partnerships between retailers and banks.