PSD2: Europe’s Incubator for Open Banking

Photo by SuperRGB on Unsplash


In the financial industry, hardly any topic is discussed more controversially than PSD2, the EU's "Payment Services Directive 2". The directive entered into force on September 14, after a year and a half of preparation time. It requires all banks in the EU to revise their security concepts and communication interfaces. This confronts institutions with the opening up of the industry to third-party providers and, in a broader context, with the digitization and restructuring of the financial world.

PSD2 is the driving force of the concept of open banking in Europe and it is also shifting paradigms internationally.

What is PSD2?

PSD2 is the new payments directive of the EU. Enacted as early as 2016, it was transposed into national law in January 2018 and replaces the old payments directive from 2007. After a transition phase of one and a half years, it entered into force for all banks in the EU on September 14, 2019.

The primary goal of the PSD2 is to increase security in payment transactions and to strengthen consumer protection. At the same time, PSD2 targets the promotion of innovation and competition in the banking sector by also enabling third-party providers to become market players.

Essentially, the directive consists of three main components:

  • Strong Customer Authentication (SCA) describes the implementation of stronger security concepts. It is intended to provide more security in payment transactions and stronger consumer protection. In practice, this is reflected in the introduction of the so-called 3-D Secure authentication. For instance, for online payments or transfers, two out of three independent security features from the categories of knowledge (e.g., PIN, password), possession (cell phone, card), or inherence (fingerprint) must be met.

  • Account Information Services (AIS) refer to the provision of information about the customer, the customer's accounts and transactions to third-party providers. This allows third-party companies to offer customers account information services such as a central overview or check of account coverage, credit checks, or multi-banking applications.

  • With Payment Initiation Services (PIS), banks are obliged to enable customers to initiate payments and transfers via third-party providers without interacting directly with the bank or online banking account.
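The SCA rule above hinges on the word *independent*: two factors only count if they come from two different categories, so a PIN plus a password is not SCA. The following check is an added example (not code from the article or from Finbridge) that classifies presented factors into the three categories named in the text and accepts a request only when two distinct categories are covered; the factor names, the mapping table and the request format are constructed for the illustration.

```python
"""Added example: minimal Strong Customer Authentication (SCA) policy check.

Factor names, the category mapping and the input format are constructed for
this illustration; a real system would take them from its own method catalogue.
"""
from enum import Enum
from typing import Any, Dict


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (PIN, password)
    POSSESSION = "possession"  # something the customer has (phone, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint)


# Constructed mapping of factor types to SCA categories.
FACTOR_CATEGORIES: Dict[str, Category] = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "device_binding": Category.POSSESSION,
    "card_reader": Category.POSSESSION,
    "sms_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def evaluate_sca(factors: Dict[str, bool]) -> Dict[str, Any]:
    """Decide whether the verified factors satisfy SCA.

    factors maps a factor name to whether the server has actually verified it.
    Only verified, known factors count, and they must cover at least two
    distinct categories; the verdict carries a reason for the audit trail.
    """
    covered = set()
    ignored = []
    for name, verified in factors.items():
        if not verified:
            continue                       # an unverified factor adds nothing
        category = FACTOR_CATEGORIES.get(name)
        if category is None:
            ignored.append(name)           # unknown factor types are never trusted
            continue
        covered.add(category)

    counted = sum(1 for n, v in factors.items() if v and n in FACTOR_CATEGORIES)
    satisfied = len(covered) >= 2
    if satisfied:
        reason = "two independent categories covered"
    elif counted >= 2:
        reason = "factors are from the same category and are not independent"
    else:
        reason = "fewer than two verified factors"

    return {
        "satisfied": satisfied,
        "categories": sorted(c.value for c in covered),
        "ignored": ignored,
        "reason": reason,
    }


def sca_satisfied(factors: Dict[str, bool]) -> bool:
    """Convenience wrapper returning only the boolean verdict."""
    return evaluate_sca(factors)["satisfied"]


if __name__ == "__main__":
    # Constructed requests: the second one presents two knowledge factors only.
    for request in ({"pin": True, "sms_otp": True},
                    {"pin": True, "password": True},
                    {"fingerprint": True, "device_binding": False}):
        print(request, "->", evaluate_sca(request))
```

The same-category case is the one worth testing explicitly, because a naive "count the verified factors" implementation would wrongly accept it.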

Figure 1: The main aspects of PSD2 and its goals

Source: Finbridge GmbH & Co KG

In plain language, the AIS and PIS imply the mandatory provision of dedicated interfaces, so-called APIs (Application Programming Interfaces), with which third-party providers can communicate directly with the infrastructure of the bank in order to retrieve customer data and trigger payments - of course only with the explicit consent of the customer (SCA).

In terms of functionality and security, the minimum requirements for such APIs are defined by the European Banking Supervisory Authority (EBA) via Regulatory Technical Standards (RTS). These standards aim to create a level playing field for all market participants. They stipulate, for example, that APIs must not contain any obstacles for third-party providers, such as an obligation to re-identify with an IBAN when connecting to the bank’s server. Since standardized banking APIs are a technical prerequisite for the digitization and the market opening of the financial sector, PSD2 is widely considered the ignition point of Open Banking in Europe.

Figure 2: Timeline of the introduction of PSD2

Source: Finbridge GmbH & Co KG

Since the RTS were adopted by the EU Commission and the Directive was transposed into national law at the beginning of 2018, banks have had to adhere to a tight schedule. From March 14 onwards, banks have been obliged to provide third-party providers with RTS-compliant APIs and a test environment. Since June 14, 2019, test runs with market data also had to be made available in order to fulfill the testing prerequisites and make the go-live on September 14 possible.

Level the playing field – PSD2 creates new rules for everyone

PSD2 has a disruptive effect and, for the first time, sets uniform conditions for all market participants. The mandatory introduction of APIs inevitably initiates an opening up of the banking market to (new) third-party providers. The former advantage of banks is shrinking dramatically, since holding a banking license alone is no longer a guarantee of future success.

Despite the overall optimism, the industry seems nervous as well. While the institutions are striving to comply with the strict requirements and tight implementation schedules, they are seeking new strategies for their (re-)positioning in a revolutionized banking market. In order to face digital challenges and new competitors, a number of joint initiatives have already been launched. Banks and third-party providers are working together on standards and future strategies.

In principle, the use of dedicated communication interfaces in Europe is not new. There are numerous predecessor concepts that have paved the way for co-operation with third-party providers and have laid the groundwork for the necessary technical infrastructure. Thus, even before the mandatory introduction of APIs within the framework of PSD2, there were methods in use that allowed data exchange between banks and third-party providers. Examples include web interface solutions such as screen scraping or the Financial Transaction Services (FinTS) standard for banks, which has been defining specifications for dedicated online banking interfaces in Germany since 2002.

In contrast to these voluntary, market-driven solutions, however, PSD2 now requires all banks to set up and provide externally accessible interfaces. In addition, those interfaces must be RTS-compliant. Since the solutions used so far usually do not meet those new requirements, interfaces have to be developed anew or heavily modified at high cost. For example, anonymous data access by third-party providers, as with screen scraping, is no longer permitted. All data accesses must be identifiable and logged. PSD2 thus creates new rules on the market.
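The two requirements in this paragraph and in the AIS description above, that every access is attributable to an identified third-party provider, is covered by the customer's explicit consent, and is logged, map onto a small access gate. The following is an added example (not code from the article or from any bank's or standardization initiative's API): identifier formats, the consent fields and the audit-log layout are assumptions made for the illustration.

```python
"""Added example: a constructed access gate for an account-information request.

Every call is attributed to an identified third-party provider (TPP), checked
against the customer's explicit consent, and the decision is written to an
audit log whether or not access is granted. Field names, identifier formats
and the log layout are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Consent:
    tpp_id: str               # the identified provider the customer consented to
    account_ids: List[str]    # accounts the consent covers
    valid_until: datetime     # consent expiry
    sca_verified: bool        # customer confirmed the consent with SCA


@dataclass
class AccessGate:
    consents: Dict[str, Consent]              # consent_id -> Consent
    audit_log: List[dict] = field(default_factory=list)

    def authorize(self, tpp_id: Optional[str], consent_id: str,
                  account_id: str, now: datetime) -> bool:
        """Decide on an account-data request and log the decision."""
        allowed, reason = self._decide(tpp_id, consent_id, account_id, now)
        self.audit_log.append({
            "time": now.isoformat(),
            "tpp_id": tpp_id or "<unidentified>",
            "consent_id": consent_id,
            "account_id": account_id,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def _decide(self, tpp_id: Optional[str], consent_id: str,
                account_id: str, now: datetime) -> Tuple[bool, str]:
        if not tpp_id:
            return False, "anonymous access not permitted"
        consent = self.consents.get(consent_id)
        if consent is None:
            return False, "unknown consent"
        if consent.tpp_id != tpp_id:
            return False, "consent belongs to another provider"
        if not consent.sca_verified:
            return False, "consent not confirmed with SCA"
        if now > consent.valid_until:
            return False, "consent expired"
        if account_id not in consent.account_ids:
            return False, "account outside consent scope"
        return True, "ok"


def build_demo_gate() -> AccessGate:
    """Constructed consent store used by the demo and the checks below."""
    return AccessGate(consents={
        "consent-001": Consent(
            tpp_id="TPP-EXAMPLE-1",
            account_ids=["acct-A", "acct-B"],
            valid_until=datetime(2019, 12, 31, tzinfo=timezone.utc),
            sca_verified=True,
        ),
    })


if __name__ == "__main__":
    gate = build_demo_gate()
    now = datetime(2019, 10, 1, tzinfo=timezone.utc)
    gate.authorize("TPP-EXAMPLE-1", "consent-001", "acct-A", now)   # allowed
    gate.authorize(None, "consent-001", "acct-A", now)              # anonymous
    gate.authorize("TPP-EXAMPLE-1", "consent-001", "acct-C", now)   # out of scope
    for entry in gate.audit_log:
        print(entry)
```

Note that denied requests are logged with the same detail as granted ones; the audit trail is what makes a later dispute between bank, customer and provider resolvable.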

The European turmoil caused by PSD2 is also attracting international attention to the concept of Open Banking. Apart from a few exceptions, such as Hong Kong or Australia, however, there is a preference for a market-driven shift towards Open Banking and a decision to forego a legal proposal. For instance, the Monetary Authority of Singapore has issued an API rulebook designed to stimulate and facilitate exchange between banks and FinTechs. In the USA, the Treasury published a report in July 2018 recommending regulatory standardization of APIs, but Open Banking initiatives are still limited to the voluntary involvement of individual institutions offering different, non-standardized APIs.

Main Challenges of the PSD2

The mandatory provision of APIs due to PSD2 is causing mixed feelings in Europe. In Germany, for instance, the directive itself may be to blame for this, as its inadequate specifications have repeatedly led to uncertainties and triggered conflicts between the German Federal Financial Supervisory Authority (BaFin), banks, and third-party providers. Since API development is not market-driven but a regulatory requirement, the general uncertainty is amplified by a lack of willingness and by time pressure.

For the banks, the ambitious timetable has been one of the biggest challenges so far: while their own strategic position in the Open Banking concept has not yet been fully defined, functional APIs had to be developed and integrated into their own IT architecture. There is a risk that, out of uncertainty, APIs are set up too minimalistically and crucial opportunities for the bank’s own (re-)positioning are missed. Since the considerable effort of API development lies on the bank’s side, the costs of a sustainable development of the APIs are often avoided. In addition, banks are obliged by the RTS to provide additional fallback interfaces in order to guarantee constant data access in the event of a failure.

Low minimum (technical) requirements. Both banks and FinTechs have repeatedly expressed their wish for a more comprehensive and detailed RTS in order to avoid friction while implementing the APIs. In particular, third-party companies warn that PSD2 could even aggravate the market situation compared to previously used solutions. The deployment obligation, paired with technical requirements that are too low, could result in banks providing unusable and non-functional APIs just to meet the deployment schedule.

Scope of the data provided. Some third-party providers have constantly complained that PSD2 only concerns payment transactions and that therefore often only the associated (transaction) data is provided by the banks. Third-party providers also point to the lack of cooperation of some banks in the definition of API standards and see themselves hindered from taking advantage of the opening of competition.

API standardization. Although the RTS set minimum requirements in terms of development goals for the APIs, the realization itself, i.e. development and implementation, is left to the banks or to standardization initiatives. This raises the problem that APIs are often developed individually by the institutions, which results in insufficiently standardized APIs that cannot be used equally and easily by all stakeholders. Not only does this fail to meet PSD2's objective of promoting competition, it also means that PSD2 does not succeed in providing the tools necessary for the creation of a single market. This is also a setback for the development of the financial market towards open banking.

Current Perspectives And Developments

Since September 14, the PSD2 regulations apply to the market. Particularly in the final spurt, many banks have made an extra effort to ensure compliance with all specifications on time. Not all banks tackled the challenges on their own; many took part in initiatives to define and implement common API standards. Europe-wide, various such initiatives have been formed during the last year, of which the UK Open Banking Standard, STET in France, and the Germany-based Berlin Group are amongst the biggest. For instance, with its NextGenPSD2 initiative, the Berlin Group has already brought together numerous financial institutions from 20 countries to jointly develop API standards in accordance with the RTS. According to a recent survey by the ECB, about 78 percent of all banks in EU countries already rely on the Berlin Group's NextGenPSD2 standard. FinTechs, too, are on the rise and offer standardized APIs as an outsourced service to banks. Two German examples are the Munich-based start-up FinTecSystems and NDGIT with its API marketplace product. All these developments simplify the alignment with market standards for banks and facilitate the outsourcing of complex implementations, technical maintenance costs and regulatory checks of APIs (make-or-buy decision).

Despite all these efforts, shortly before the introduction of PSD2 there was another upheaval. On August 14, BaFin, which is responsible for the introduction of PSD2 in Germany, published a circular describing additional new requirements for the banking APIs, after realizing that the pre-defined PSD2 requirements are not sufficient to achieve the PSD2 targets.

The circular was, amongst other things, triggered by repeated complaints from third-party providers regarding the quality of the available interfaces in the test phases. Originally, the RTS stipulated that banks could be exempted from the obligation to provide additional fallback interfaces as soon as they could prove that their PSD2 interfaces had been tested smoothly for three months. In BaFin’s view, this was generally not the case for most of the banks' applications, as currently most APIs still do not fully meet the PSD2 standards.

The circular implicitly means that previously used interfaces, even if they are not RTS-compliant, may be used as fallback solutions by third-party providers until further notice. Banks are only exempt from this obligation if they can ensure beyond doubt that their APIs fully meet the PSD2 requirements. Third-party providers welcome this extension and encourage the banks to understand it as an opportunity to improve the quality of their APIs.

PSD2 is just the Beginning

As the first mandatory measure worldwide, PSD2 creates important basic prerequisites to sensitize the financial market to the topic of Open Banking and to initiate a competitive opening.

However, on the one hand, the challenges of the last year and a half as well as the current dissonance about API standards show that many banks are not yet certain of their strategic positioning, while third-party providers feel disadvantaged by the partly unclear regulations of PSD2. On the other hand, standardization initiatives create a sense of stability and offer a platform for banks and third-party providers to converge. Nevertheless, it should be stressed that PSD2 is only the beginning. Focused on securities and payments, it creates the foundation and awareness for the industry's development towards open banking.


TEAM


Henrique Schulz

Associate Manager

Digital Transformation

henrique.schulz at finbridge.de


Carsten Preuß

Consultant

Open Banking
