Channel: ProgrammableWeb - Financial
How PSD2 and Open Banking Will Affect You


The Second Payment Services Directive or PSD2 comes into effect January 13, 2018. This open banking initiative will no doubt be a game changer in Europe and really for any retail bank or fintech that wishes to work with Europe.

Today we’ll give you an overview of what exactly PSD2 is. Then we’ll offer you the most up-to-date information coming straight from the banking and API specialists who shared the next steps of this often mysterious initiative at this year’s APIdays in world financial capital London.

What Is PSD2 Anyway?

As you can imagine, first came PSD, which was adopted back in 2007. It laid out rules and guidelines for modern payment services in the European Union which simplified payment processing throughout the member states. The goals of the first PSD were efficiency, innovation, cost reduction, and to open up the financial industry for new players and technologies.

As you can imagine, the fact that there is a second round in such a short amount of time, given financial industry timelines, means the first PSD wasn’t very successful. A decade is an eon in technology, however, and regulations must be updated both to address the shortcomings of the first PSD and to take advantage of advances in tech.

The goal of both directives is to make payment policies more equal across EU borders and all levels of financial institutions. The benefit is that the landscape becomes more competitive and smaller entities like fintech startups have a chance against established institutions. And that competition means that us as consumers should have better options and better user experiences, particularly in our online banking.

The movement to revisit and revise the original PSD was in part initiated by the September 2014 Fingleton Report, which was originally made to advise the top nine UK banks on data sharing and open data for banks. These were the recommendations from this report:

  1. Banks agree on an open API standard for third-party access.
  2. Banks should adopt independent standards that ensure data sharing meets all legal requirements of those involved.
  3. There should be an industry-wide approach established to vet third-party applications, which is then published as open data.
  4. All purchase and credit terms and conditions should be published by banks as open data.
  5. Credit data should also be made available as open data.
The objective of PSD2 is to take us into a much more transparent world of banking, which should only serve to benefit consumers and the third-party apps that want to build on these newer, more open standards.

What Does PSD2 Mean for You as a Consumer?

If you are in the tech space or anything financial adjacent, there’s a lot we’ll talk about later in this piece. But first let’s offer the highlights of how it’ll benefit us as consumers. Just remember, this is a European Union mission. That means that only those banks must comply, but this is something that will put pressure on and affect all international banks, so it wouldn’t be surprising if U.S., Canadian and Swiss financial institutions, among others, follow suit.

The main goal of PSD2 is for banks to better serve consumers and to give consumers more insight into their financial lives. Here are the two legs PSD2 stands on:

PSD2 Objective 1: A Complete View of Your Financial Status.

Most of us have numerous bank accounts. We may have a mortgage in a different one than our paycheck goes into. We probably have retirement savings in another place. We may even have financial accounts in different countries and different currencies, including cryptocurrencies like Bitcoin.

But, at least for those of us with European bank accounts, instead of having to log in and out of different websites, with PSD2 we should be able to get a consolidated, data-rich view of our financial situation, often on a third-party site. In exchange, that site will probably try to upsell us other financial opportunities. This is where Europe is following the U.S. which already allows account aggregators like mint.com.

PSD2 Objective 2: With No Rerouting, Payments Will Be Faster, Maybe Cheaper.

How it works right now is when you pay with a card, an online store asks an intermediary like a credit card company or bank — or usually a series of intermediaries — for money from your bank. Then a few more hoops are jumped through to get that money back to the store. This isn’t that time-consuming usually for us, but it is costly to the vendor who then in turn raises prices on us.

With PSD2, retailers will be able to ask you if you’d like them to directly withdraw from your bank. You can revoke that permission at any time. This won’t change too much of the process for you except that it’ll lessen delays on payments showing up in your statements and, without the intermediaries, there will be fewer entities involved, presumably, meaning a lesser chance of fraud.

On the other hand, there is less clarity between merchants and banks if something does go wrong. For example, if your account is fraudulently accessed, which entity involved has to pay, all of them?

Already, some European banks are enacting this, asking you to create a specific ID to further verify that you are who you say you are when shopping online. Then, following on from objective one, once your bank accounts are consolidated in one view, you will have the option to give this permission to a website, like Amazon, for all your payment services.

PSD2 Will Change Retail Banking

These two changes are what Ireland’s Starling Bank calls “probably the biggest technological innovation in retail banking since the Internet.” It will save merchants a great deal of money, be mostly good for consumers and, after a significant initial investment, make banks more capable of serving both of these modern customers.

What about Brexit?

Many are questioning if the British and Northern Irish banks — particularly the nine big banks that are leading much of this change — are going to have to follow through with PSD2 after the UK voted to leave the EU. This second directive goes into effect January 2018. If Brexit happens at all — really nothing is certain, and now the UK Parliament has to vote on whether it wants it — Article 50 isn’t set to be triggered until the end of March 2017, and it’ll take two years after that for the UK’s exit to be negotiated and settled on.

“And even though the UK is going to be leaving the EU this deadline is before we leave the EU, and even if it wasn’t, I strongly suspect whatever deal we in the UK negotiate with the EU will conform with PSD2,” said Financial Tech Consultant Jack Gavigan at APIdays.

In addition, the next steps of the European open banking standards are leaning towards excluding by default non-member states from accessing member states’ customer data. That means that part of any Brexit will undoubtedly involve the UK negotiating a bilateral banking treaty with the EU because it’s very clear the exit country is committed to keeping within the single economic market. If they are permitted to do this, they will have to adhere to PSD2.

In short, Brexit shouldn’t even be a factor here.

What does PSD2 mean on the tech side? API-driven Interoperability

For both banking and backend, the main goal is to play better together — aka, interoperability. As you may have guessed by the outcomes listed above that means it’s all driven by the application programming interface or API. Specifically this is based on open APIs which are public interfaces based on an open standard to be agreed upon by the Open Banking Project.

At the APIdays conference, Simon Redfern, founder of the Open Bank Project, said that with each new EU data and privacy regulation, we’re going to need more APIs. And he says it won’t just be about creating one API per bank, but rather multiple catalogues of APIs, “a rich ecosystem” that factors in emerging trends like blockchain, external and internal databases and the Internet of Things.

Fellow ProgrammableWeb writer Mark Boyd interviewed 179 banking and fintech business and technology professionals for his report “Banking APIs: State of the Market 2016.” While last year’s report focused on using APIs to offer better customer service, this year’s survey responses uncovered two main themes:

  1. Complying with PSD2.
  2. Leveraging APIs to create a platform business model.
Boyd said that four of the top ten U.S. banks and six of the top ten UK banks use platform-based business models as a way to create their desired business value. Of the respondents to his survey, 39 percent have already launched API platforms, while another 39 percent plan to in the next year. However, he pointed out that thus far most of the APIs are still for private use within a bank’s own architecture.

“APIs are about the potential to leverage that platform as a business model,” he said. “They want somewhere where they can actually make their own apps available to their customers.”

An API-backed platform allows banks to learn more about their clients and then to rapidly prototype and deliver more innovative products and services to their clients. Plus a well-designed API enables banks to do all this on any device and to more quickly comply with regulations.

PSD2: Will You Just Adapt to Regulations or Adopt a Full API Strategy?

Now, PSD2 — or at least what’s finished of it so far — doesn’t really mention APIs. It just talks about the need to open up customer data. The general assumption is that the API is the method. But how data will be opened is up for discussion.

Boyd’s report found that many banks will simply use APIs to adapt to the regulatory requirements, resting on their laurels until clear standards arise for the creation of an open API. He contends these banks will:

  • Create APIs that will be used to create the bank’s mobile app
  • Improve data collection to better understand customer behavior
  • Allocate internal resources to make sure they meet regulatory requirements
  • Do “some work” toward adding a REST interface on top of existing architecture
  • Silo APIs to the teams sanctioned to be innovative
Other banks will choose to use this combination of forthcoming regulations and already proven technology to adopt a full API strategy. Boyd says this strategy, beyond some of the steps above, will include:
  • Creating APIs in areas of lower risk, including branch locations and faster credit scoring
  • Improving data collection to understand how customers engage with API-enabled services
  • Allocating internal resources not just for regulations but for an entire API strategy
  • Moving toward an API-based and microservices architecture
  • Innovating via APIs across the company not just in innovation silos
Boyd admitted that for most banks, it was about introducing the API technical capabilities for the core requirements of PSD2 and UK open banking, “and really it’s not yet around the platform business model.”

But sooner rather than later, the discussion will turn toward not only internal use, but how banks can change the authentication of those internal APIs to open them up to third-party app providers and developers. It just makes sense for banks to design their internal APIs as if they were going to be externally exposed from the start.

When it comes down to it, it’s no longer a question of technology but of corporate culture and bureaucracy. If the open intention of PSD2 is to come to fruition there has to be a change in mindset from private to public APIs.

Authentication and Identification with PSD2

Authentication is going to be essential with PSD2 since the directive aims not only to make the financial markets more accessible but also more secure. The problem is financial institutions haven’t actually decided on a common way of doing it yet.

Co-founder of Notakey notary app Janis Graubins spoke about the challenge of authentication in different governments and financial institutions and the varying ways they’ve succeeded and failed. To simply summarize, if you want the general public to adopt something, it has not only to be proven secure, but it’s got to be easy to use and implement.

It all started when he and Notakey were working with the Latvian government to develop customer-based authentication with an electronic identity card.

He said “It’s the most secure authentication possible” for authenticating and signing legal contracts.

But that meant that people using this needed a card reader. Only ten percent of citizens got the reader, and then only a fraction of those actually used it. Why? Well, you already carry your phone around, and less and less your credit cards and wallet; you don’t want to have to carry around a reader the size of a calculator too.

But then, in other countries like the tech-pioneering Estonia and the Nordic countries, Graubins said the bank electronic ID card “was successful because the government said it was mandatory.”

Then last year the Notakey team was asked to help banks meet these new open banking standards. One of the not-yet-detailed objectives of PSD2 is two-factor authentication, which means not only something simple like a password, but something that “cannot be easily guessed or left in a cab or chopped off,” like a fingerprint, he said.

First, they came up with bank hardware tokens, soon learning that they were too complicated and expensive to do at a large scale.

Next, they investigated software solutions. But most of them are based on shared secrets which simply risks too much human error.

Codes sent via SMS are widely used in European banking now, but they often don’t work across borders and don’t happen within a trusted execution environment.

What is a Trusted Execution Environment (TEE)?

Graubins describes this as a separate hardware element on the phone which you can use to store and generate private keys. A public key infrastructure seems to be a popular way forward. On Android it’s also called a TEE; on iPhones since the 5S, it’s the Secure Enclave.

Yes, SIM cards would work well for this, but Apple and Samsung are heading toward SIM-less phones next year. This will become a problem for countries like Estonia where the whole identity is linked to the SIM card.

When it comes down to it, whatever the final authentication solution is going to be, it’s got to be simple. As Graubins says, “The more complex the system becomes, the less secure it is.” But then you have to also overcome the considerable barrier of the human onboarding.

“The way forward is mobile phones,” Graubins said.

He went on to say that it really needs to be one-touch approval like push notifications, with a layer added on top that includes that second factor, like a fingerprint, facial recognition or voice recognition. Or the next step could involve other sorts of biometric gadgets that are still only fairly precise and quite expensive, but that in the near future could identify us by the heart rate in our Fitbit or by the veins in our palms.

Also as big data becomes, well, bigger, and more digestible, behavioral pattern recognition — like how fast or how hard we type — may arise as the most accurate two-factor authentication.

Big data will dramatically improve fraud detection, with the bank double-checking if you really want to log into that page and if you are really doing so from your current location.

Why should banks invest in this? Graubins cited the 2015 Accenture Digital Banking Survey that “86 percent of consumers trust their bank over all other institutions to securely manage their personal data.” It’s a responsibility for banks to deliver in terms of security and fraud detection, not based on where a person is at the moment but much more detecting what is usual or unusual behavior.
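The “usual or unusual behaviour” check described above, as an added example that is not from the article or from Notakey: a per-customer baseline is learned from past logins (country, hour of day, typing rhythm), and a login that departs from it triggers a step-up to the second factor rather than a flat refusal. All identifiers, thresholds and login records are constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One login attempt as the bank sees it (all fields constructed for the example)."""
    country: str
    hour: int           # local hour of day, 0-23
    typing_ms: float    # mean interval between keystrokes while typing the password


class BehaviourProfile:
    """What is 'usual' for one customer, learned from earlier successful logins."""

    def __init__(self, history):
        self.countries = Counter(login.country for login in history)
        self.hours = Counter(login.hour for login in history)
        rhythms = [login.typing_ms for login in history]
        self.typing_mean = sum(rhythms) / len(rhythms)
        variance = sum((r - self.typing_mean) ** 2 for r in rhythms) / len(rhythms)
        self.typing_dev = variance ** 0.5

    def risk_factors(self, login):
        """Name each way this login departs from the customer's baseline."""
        factors = []
        if self.countries[login.country] == 0:
            factors.append("new_country")
        # an hour the customer has never logged in at, nor an adjacent one
        if not any(self.hours[(login.hour + d) % 24] for d in (-1, 0, 1)):
            factors.append("unusual_hour")
        # typing rhythm more than two standard deviations from the mean
        # (floor of 1 ms so a very regular typist still gets some tolerance)
        if abs(login.typing_ms - self.typing_mean) > 2 * max(self.typing_dev, 1.0):
            factors.append("typing_rhythm")
        return factors


def decide(profile, login):
    """Return ("allow", factors) or ("step_up", factors). A step-up means the
    bank asks for the second factor (a push notification confirmed with a
    fingerprint, for example) instead of refusing the login outright."""
    factors = profile.risk_factors(login)
    if "new_country" in factors or len(factors) >= 2:
        return "step_up", factors
    return "allow", factors


# Constructed history: a customer who logs in from Latvia, mornings and
# evenings, with a steady typing rhythm of about 120 ms between keystrokes.
HISTORY = [
    Login("LV", 8, 118.0), Login("LV", 9, 122.0), Login("LV", 19, 119.0),
    Login("LV", 20, 121.0), Login("LV", 8, 120.0), Login("LV", 19, 120.0),
]


def demo():
    """Score four constructed logins against the baseline."""
    profile = BehaviourProfile(HISTORY)
    cases = {
        "usual": Login("LV", 9, 121.0),
        "new_country": Login("DE", 9, 121.0),
        "odd_hour_only": Login("LV", 3, 121.0),
        "odd_hour_and_rhythm": Login("LV", 3, 130.0),
    }
    return {name: decide(profile, login) for name, login in cases.items()}


if __name__ == "__main__":
    for name, (decision, factors) in demo().items():
        print(f"{name}: {decision} {factors}")
```

A single weak signal (an odd hour alone) is allowed through, while a new country or two combined signals ask for the second factor; the thresholds are illustrative and a real deployment would tune them against its own false-positive rate.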

As data algorithms advance, the possibilities are almost limitless, so long as they are simple to adopt widely and easily. In the end, convenience will be the major deciding factor in the adoption rate of digital banking and the success of implementing PSD2.

PSD2 Isn’t the Only Standard to Comply with

Graubins also pointed out that interoperability isn’t essential just because of PSD2’s open banking standards. Each country and currency — there are 11 currencies within the current EU — will have different regulations. Add to that the regulations of external countries they are working with. Most importantly, all actions of PSD2 must comply with current EU regulations (and those regulations must be adapted for PSD2 compliance.)

Some other standards and regulations to keep in mind:

  • eIDAS — cross-border acceptance of electronic signatures and allowing these signatures to happen via a mobile device.
  • General Data Protection Regulation (GDPR) — This is still under debate by the European Council and Parliament and subject to change, but deals with these five concepts:
    1. How data protection is a part of system design
    2. Banks are required to report quickly and publicly if they have a data breach
    3. Institutions must prove a “legitimate interest” in the data they are collecting
    4. It will protect both EU citizens and small businesses
    5. Third-party entities outside the EU won’t be able to access this data if there isn’t a bilateral treaty.
  • Cybercrime Directive — Large institutions in high-risk industries have to publicly disclose when their data security measures have been breached. (Not in effect at time of publishing, but widely accepted and due very soon.) This means also disseminating to the public in a timely manner, not just waiting to snail-mail people long-winded explanations.
There are other directives that look to overcome certain hurdles like how in most countries your identity must be checked face to face. The German minister of finance has even suggested that video onboarding may be a way to substitute this need to be on the spot to do major banking.

Another issue on the table is that there’s still not a list of trusted electronic signature devices. Currently, each member state is putting together a list of devices that are approved. Early next year the EU is expected to compile and roll out a list of trusted Qualified Electronic Signature (QES) devices, but, with devices changing all the time, bureaucracy will have to keep up with technology.

In the end, GDPR and other regulations fit in with one of the main goals of PSD2, as Vice-President for the Digital Single Market Andrus Ansip said in a press release last year:

“With solid common standards for data protection, people can be sure they are in control of their personal information.”

In addition, it’s important to note that there are certain measures like the General Data Protection Regulation up for debate soon by the European Parliament and Council which could require that non-EU third-party entities that want to access EU citizens’ and businesses’ data will have to adhere to the same regulations. Basically, even if your country isn’t in the EU, if you want to think internationally, you need to think PSD2 too.

And if all of what’s currently in the GDPR is adopted, that means that you may not be able to access this data at all unless the country your business is based in has signed a bilateral treaty with the EU. Basically, you have to remember that while these open banking standards seem great, they are particularly great for EU member states and may be prohibitive to businesses outside the EU.

Open Banking: The Next Steps

Each member state has been holding its own meetings and laying out its own plans as a way to support the overall goal of PSD2. Probably no member state has a bigger influence on PSD2 than the third largest one, which has a stronghold on the financial industry — the United Kingdom. In September 2015, the Open Banking Working Group convened to enable the development of an open API standard for UK banking. By looking at what this group has done in the last year, you’ll get a view of the future of open banking APIs in the UK and, by extension, the EU and the world.

The Open Banking Development Group (OBDG) was created to drive open innovation around the open banking standard. In August, the OBDG released its focus on these four questions that arose with the new open banking standards:

  1. Liability — Who is at fault to pay if fraud happens via a third party?
  2. Governance — How can a desire for security and a better user experience be balanced against fostering innovation and competition?
  3. Security — How can we make sure these third-parties we’re opening up to will protect users’ data and securely access accounts?
  4. Data Protection — What can and cannot be shared with third parties?
As a way to at least address these questions, this past February the working group published a report with the following recommendations:
  1. The Open Banking Standard must be overseen by an independent authority which should act transparently and welcome wide participation.
  2. Third parties must be vetted for security standards and insurance requirements. These third-party entities should be on a public list.
  3. Some sort of “OAuth-style” authorization should be given to third parties to access customer data and accounts. The banks retain the ability to shut down this access.
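The three recommendations above (a public list of vetted third parties, “OAuth-style” consent scoped to customer data and accounts, and the bank’s ability to shut access down at any time, as the consumer section also promises) modelled as an added example that is not the working group’s or any bank’s code. The server class, token format and all identifiers are hypothetical and constructed for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Consent:
    """One customer's grant to one third party: what it may do, on which accounts."""
    tpp_id: str
    customer_id: str
    scopes: frozenset          # e.g. {"accounts:read", "payments:initiate"}
    account_ids: frozenset     # the customer chooses which accounts are exposed
    revoked: bool = False


class OpenBankingAuthServer:
    """Bank-side authorization server (hypothetical). Holds the public list of
    vetted third parties and the consents customers have granted to them."""

    def __init__(self, vetted_tpps):
        self.vetted_tpps = set(vetted_tpps)
        self.consents = {}   # access token -> Consent

    def grant(self, tpp_id, customer_id, scopes, account_ids):
        # A third party that is not on the vetted list never gets a token.
        if tpp_id not in self.vetted_tpps:
            raise PermissionError(f"{tpp_id} is not on the vetted third-party list")
        token = secrets.token_urlsafe(32)
        self.consents[token] = Consent(tpp_id, customer_id,
                                       frozenset(scopes), frozenset(account_ids))
        return token

    def revoke(self, token):
        """Customer withdraws permission; the token is dead from this point on."""
        consent = self.consents.get(token)
        if consent is not None:
            consent.revoked = True

    def delist_tpp(self, tpp_id):
        """Bank (or the standard's independent authority) removes a third party
        from the vetted list, which shuts down every consent it held."""
        self.vetted_tpps.discard(tpp_id)
        for consent in self.consents.values():
            if consent.tpp_id == tpp_id:
                consent.revoked = True

    def authorize(self, token, scope, account_id):
        """Per-request check: unknown or revoked token, delisted third party,
        wrong scope or an account outside the consent all fail closed."""
        consent = self.consents.get(token)
        if consent is None or consent.revoked:
            return False
        if consent.tpp_id not in self.vetted_tpps:
            return False
        return scope in consent.scopes and account_id in consent.account_ids


def demo():
    """Walk through the lifecycle with constructed identifiers and return the
    outcome of each access check."""
    bank = OpenBankingAuthServer(vetted_tpps={"tpp-aggregator", "tpp-retailer"})
    agg = bank.grant("tpp-aggregator", "cust-1", {"accounts:read"},
                     {"acct-current", "acct-savings"})
    shop = bank.grant("tpp-retailer", "cust-1", {"payments:initiate"}, {"acct-current"})
    out = {
        "aggregator_reads_savings": bank.authorize(agg, "accounts:read", "acct-savings"),
        "aggregator_cannot_pay": bank.authorize(agg, "payments:initiate", "acct-current"),
        "retailer_pays_from_current": bank.authorize(shop, "payments:initiate", "acct-current"),
        "retailer_not_from_savings": bank.authorize(shop, "payments:initiate", "acct-savings"),
    }
    bank.revoke(shop)                       # customer changes their mind
    out["retailer_after_revoke"] = bank.authorize(shop, "payments:initiate", "acct-current")
    bank.delist_tpp("tpp-aggregator")       # third party loses its vetted status
    out["aggregator_after_delisting"] = bank.authorize(agg, "accounts:read", "acct-savings")
    try:
        bank.grant("tpp-unknown", "cust-1", {"accounts:read"}, {"acct-current"})
        out["unvetted_rejected"] = False
    except PermissionError:
        out["unvetted_rejected"] = True
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```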
Finally, this past August, based on these recommendations, the UK Competition and Markets Authority (CMA) required that the big nine UK banks, by the first quarter of 2018:
  1. Adopt and maintain a common API standard so they can share data with third-party services.
  2. Set up an entity to agree on, implement and maintain these shared open banking API standards.
  3. Appoint an independent trustee. (Rumor is they have but this well-paid individual hasn’t been announced at time of print.)
  4. Agree to be bound by said trustee.
  5. Agree to and comply with these standards by January 13, 2018. (Launch date of PSD2.)
The UK banking authorities realize that by creating an action plan to comply with PSD2, they are making sure that the nine banking strongholds are able to be more competitive with better quality service. But it comes with risking the 97 percent of UK customers that don’t change banks, because it mandates that retail banks are more transparent in notifying of things like rate changes and overdraft charges (instead of those long, almost unreadable letters we all get now). The UK government reported that individual customers could save £92 a year by switching, and the government is committed to sparking some competition.

And as an even greater focus, CMA is dedicated to empowering small businesses with banking service comparisons and making it easier to switch for better services and rates.

“The reforms we have announced today will shake up retail banking for years to come, and ensure that both personal customers and small businesses get a better deal from their banks,” said Alasdair Smith, chair of the retail banking investigation, along with releasing the CMA report. “We are breaking down the barriers which have made it too easy for established banks to hold on to their customers. Our reforms will increase innovation and competition in a sector whose performance is crucial for the UK economy.”

It’s exciting to see how the UK government is looking to harness open banking to allow the technological changes that have transformed so many other industries. As consumers, we will have increased visibility into our finances. And it will open up unprecedented access for small businesses in the space.

Are you ready for PSD2?

It’s natural to think that the banking industry will be slow to change because, well, it doesn’t have a history of evolution. But even the oldest banks in Europe — which are indeed the oldest in the world — are working to technologically evolve so they can offer better service.

Česká spořitelna is the Czech Republic’s oldest and largest bank — a spring chicken for Europe at merely 200 years old. It has 600 branches and five million clients, almost half the country’s population.

“What we do have is a reputation of a dinosaur,” admitted Jaroslav Machan, API evangelist at the bank, but that “because of APIs, it’s us who are a part of the whole business strategy.”

He went on to say that “The majority of the Czech banks perceive PSD2 as some evil dragon we have to fight. We view it as an opportunity for us. The challenge is you have to be the first.”

Machan said that when you are trying to build an ecosystem, you need to focus on the single part that affects everything. For Česká spořitelna, that’s the developer experience. For them that’s about making sure that anyone who is using the API has everything at her disposal.

We are in full agreement with him and his final words:

“Don’t think of PSD2 as a threat to your community.”

You need to put your trust into the belief that investing in PSD2 is investing in the future and will not only make your clients more secure, but more securely yours.

Are you developing APIs at a bank? Or perhaps you’re a fintech or payment startup looking to leverage PSD2? Tell us your experience below.
