Last Friday, 13 July, marked six months since the revised Payment Services Directive (PSD2) came into effect across the European Union (EU). With this in mind, we[1] have been taking the pulse of the market to understand how Account Servicing Payment Service Providers (ASPSPs) are progressing with both their compliance programmes and strategic responses.

With few exceptions, ASPSPs seem to us to be broadly compliant with the PSD2 conduct requirements which became enforceable in January, and to be progressing well against those which will go live next year. However, determining what a successful open banking strategy looks like, and developing compelling use cases, continues to be more elusive.

Progress and challenges in PSD2 compliance programmes

As our survey conducted last autumn showed, PSD2 programmes have to date been focusing on meeting regulatory compliance requirements and deadlines. It is therefore not surprising that most ASPSPs we talked to across the EU believe they are, overall, compliant with the PSD2 primary legislation requirements which became enforceable in January.

There are however a few exceptions, mainly due to delays in the transposition of PSD2 into national law in several EU Member States. Furthermore, some guidelines, such as the European Banking Authority (EBA)’s guidance on Fraud Reporting were still outstanding, and compliance programmes will need to be reviewed once these are issued[2].

Firms’ compliance programmes to implement the requirements of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) also seem to be progressing satisfactorily, and gaining momentum. As a reminder, ASPSPs must fully develop their technical specifications for their communication interfaces, and make available their test environments to Third Party Providers (TPPs) by next March, and be ready for all other requirements by September 2019.

However, the ongoing absence of common standards for the Application Programming Interfaces (APIs) to be used for dedicated communication interfaces is causing fragmentation in the market. There is no EU-wide, and sometimes not even national, consensus on which industry-issued standard (e.g. the Berlin Group, UK Open Banking, PRETA, etc.) to adopt; and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership with others.

We believe that the lack of common standards will lower the level of interoperability and, at least in the short to medium term, present an obstacle to the development of PSD2-enabled services and products, particularly across borders. In response, we are seeing the emergence, or the increased importance in those geographies where they already exist, of “central infrastructure” style utilities/platforms to manage all communications between banks and TPPs. These platforms are set up to provide “build once, connect to many” functionality, including interoperability between different API standards.

There is little clarity yet on whether ASPSPs developing a dedicated interface plan to apply for an exemption from the fall-back mechanism (i.e. the requirement of opening up existing user interfaces as a communication channel through “screen scraping”, should the dedicated interface be unavailable or underperforming). In order to inform ASPSPs still considering the best course of action, more information from National Competent Authorities (NCAs) is needed around what the testing and supervision of dedicated interfaces will mean in practice. ASPSPs whose NCAs have expressed a clear preference against screen scraping are likely to apply for the exemption. And, on balance, so are the biggest and most visible ASPSPs, on the basis that any form of screen scraping still exposes them to too much reputational and liability risk.

Screen scraping under the fall-back mechanism also feeds into the broader topic of how to reconcile PSD2 with the new General Data Protection Regulation (GDPR). While the EBA provided some more clarity in relation to some aspects of SCA, ASPSPs continue to be concerned, especially around what constitutes sensitive payment data and how it should be protected under both PSD2 and GDPR. We have explored these issues more fully here, but again, this is an area around which regulators and supervisors still need to provide clearer, and more practical, guidance.

In this respect, it is worth mentioning that the Application Programming Interface Evaluation Group (API EG), set up following a proposal by the EU Commission, is continuing its work to define objective evaluation criteria and guidance for APIs, including compliance with the PSD2 RTS and other relevant regulations such as GDPR.

Developing a PSD2 strategy

For now, compliance programmes remain the most immediate priority in most EU Member States, but the focus and investment in firms’ strategic responses to PSD2 have increased significantly over the past six months, reflecting a pivot to a more forward-looking stance.

Many ASPSPs are currently working on proofs of concept and pilot programmes, mostly focusing on ‘account information service’ use cases such as account aggregation services; Personal Finance Management applications; loyalty programmes; credit risk underwriting; as well as services to Small and Medium Enterprises. While we do not yet observe the emergence of any clear PSD2-based business models, we are starting to see more ASPSPs looking beyond the narrow confines of PSD2 and investing in the creation of new “ecosystems” of partnerships with TPPs. ASPSPs are doing so by leveraging “premium” APIs to provide their customers with a curated marketplace experience catering to their wider financial needs, both nationally and cross-border.

The appetite to become an authorised TPP, especially an Account Information Service Provider (AISP), is also clearly growing across the EU. In countries where NCAs opened for applications early, demand has been very strong: for example, the UK’s Financial Conduct Authority has authorised more than 25 AISPs since the beginning of 2018. However, the granting of licences has been hampered in many Member States by the delay in transposing PSD2 mentioned above. As more NCAs across the EU start accepting applications, we expect the number of authorised TPPs to increase appreciably.

Overall though, while the industry is becoming increasingly energised by the strategic opportunities arising from PSD2, consumer awareness of “open banking” products and services remains low. With cyber-attacks and data privacy breaches frequently in the news, this lack of awareness may be compounded by a latent suspicion of new products and services based on the sharing of personal and sensitive data, especially by less well-known brands. This suggests that a major effort by firms may be required to improve consumers’ awareness of, interest in, and trust in this space.

Conclusion

After a somewhat slow start, it is encouraging to see that firms’ compliance programmes seem broadly on track, notwithstanding a number of remaining regulatory and compliance challenges.

As the pressure starts to lift from the compliance challenges, firms are turning their attention to the more strategic and longer-term opportunities and threats arising from PSD2, and their responses to these are increasingly taking centre stage. As firms continue to define and refine their strategy over the coming months, their focus should be on developing compelling products and services which offer enough value, security, and added convenience to their customers to win over early adopters and help the rest overcome their nervousness around sharing their payments data. We never expected Open Banking to start with a big bang, but to gather pace and gain market share we believe firms should focus on what, innovation or not, remains a universal truth: give your customers something they really want (even if they don’t know they want it yet).

[1] Deloitte LLP

[2] The EBA final Guidelines on fraud reporting under PSD2 were issued on 18 July 2018.

Stephen Ley - Partner, Risk Advisory

Stephen leads the UK Payment Practice and co-leads the EMEA payment practice. He has more than 20 years’ experience in assurance and advisory services, specialising in providing technology risk and control services to the banking and payments industry. Stephen works with all parts of the payment eco-system including schemes, processes, acquirers, issuers, regulators, banks, payment institutions and market infrastructures.

Adam Scott - Senior Manager, Risk Advisory

Adam is a Senior Manager within Deloitte’s UK payment practice. He has more than 10 years’ experience in providing assurance and advisory services to the Financial Services industry, and focuses on Payments, IT & Operational Risk, and Change & Project Management. Adam has extensive experience of delivering and leading business and technology risk projects as well as regulatory assessments across many parts of the payment ecosystem.

Valeria Gallo - Manager, EMEA Centre for Regulatory Strategy

Valeria is a Manager in the EMEA Centre for Regulatory Strategy. Her focus is on regulatory initiatives related to payments and FinTech. Valeria joined Deloitte in early 2012 from a global strategy consulting firm where she was the Business Operations Manager for the European financial services practice.
