Last Friday, 13 July, marked six months since the revised Payment Services Directive (PSD2) came into effect across the European Union (EU). With this in mind, we have been taking the pulse of the market to understand how Account Servicing Payment Service Providers (ASPSPs) are progressing with both their compliance programmes and strategic responses.
With few exceptions, ASPSPs seem to us to be broadly compliant with the PSD2 conduct requirements which became enforceable in January, and to be progressing well against those which will go live next year. However, determining what a successful open banking strategy looks like, and developing compelling use cases, continues to be more elusive.
Progress and challenges in PSD2 compliance programmes
As our survey conducted last autumn showed, PSD2 programmes have to date been focusing on meeting regulatory compliance requirements and deadlines. It is therefore not surprising that most ASPSPs we talked to across the EU believe they are, overall, compliant with the PSD2 primary legislation requirements which became enforceable in January.
There are however a few exceptions, mainly due to delays in the transposition of PSD2 into national law in several EU Member States. Furthermore, some guidelines, such as the European Banking Authority (EBA)’s guidance on Fraud Reporting were still outstanding, and compliance programmes will need to be reviewed once these are issued.
Firms’ compliance programmes to implement the requirements of the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) also seem to be progressing satisfactorily, and gaining momentum. As a reminder, ASPSPs must fully develop their technical specifications for their communication interfaces, and make available their test environments to Third Party Providers (TPPs) by next March, and be ready for all other requirements by September 2019.
However, the ongoing absence of common standards for the Application Programming Interfaces (APIs) to be used for dedicated communication interfaces is causing fragmentation in the market. There is no EU-wide, and sometimes not even national, consensus on which industry-issued standard (e.g. the Berlin Group, UK Open Banking, PRETA, etc.) to adopt, and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership with others.
We believe that the lack of common standards will lower the level of interoperability and, at least in the short to medium term, present an obstacle to the development of PSD2-enabled services and products, particularly across borders. In response, we are seeing the emergence, or the increased importance in those geographies where they already exist, of “central infrastructure” style utilities/platforms that manage all communications between banks and TPPs. These platforms are set up to provide “build once, connect to many” functionality, including interoperability between different API standards.
There is little clarity yet on whether ASPSPs developing a dedicated interface plan to apply for an exemption from the fall-back mechanism (i.e. the requirement of opening up existing user interfaces as a communication channel through “screen scraping”, should the dedicated interface be unavailable or underperforming). In order to inform ASPSPs still considering the best course of action, more information from National Competent Authorities (NCAs) is needed around what the testing and supervision of dedicated interfaces will mean in practice. ASPSPs whose NCAs have expressed a clear preference against screen scraping are likely to apply for the exemption. And, on balance, so are the biggest and most visible ASPSPs, on the basis that any form of screen scraping still exposes them to too much reputational and liability risk.
Screen scraping under the fall-back mechanism also feeds into the broader topic of how to reconcile PSD2 with the new General Data Protection Regulation (GDPR). While the EBA provided some more clarity in relation to some aspects of SCA, ASPSPs continue to be concerned, especially around what constitutes sensitive payment data and how it should be protected under both PSD2 and GDPR. We have explored these issues more fully here, but again, this is an area around which regulators and supervisors still need to provide clearer, and more practical, guidance.
In this respect, it is worth mentioning that the Application Programming Interface Evaluation Group (API EG), set up following a proposal by the EU Commission, is continuing its work to define objective evaluation criteria and guidance for APIs, including compliance with the PSD2 RTS and other relevant regulations such as GDPR.
Developing a PSD2 strategy
For now, compliance programmes remain the most immediate priority in most EU Member States, but the focus and investment in firms’ strategic responses to PSD2 have increased significantly over the past six months, reflecting a pivot to a more forward-looking stance.
Many ASPSPs are currently working on proofs of concept and pilot programmes, mostly focusing on ‘account information service’ use cases such as account aggregation services; Personal Finance Management applications; loyalty programmes; credit risk underwriting; as well as services to Small and Medium Enterprises. While we do not yet observe the emergence of any clear PSD2-based business models, we are starting to see more ASPSPs looking beyond the narrow confines of PSD2 and investing in the creation of new “ecosystems” of partnerships with TPPs. ASPSPs are doing so by leveraging “premium” APIs to provide their customers with a curated marketplace experience catering to their wider financial needs, both nationally and cross-border.
The appetite to become an authorised TPP, especially an Account Information Service Provider (AISP), is also clearly growing across the EU. In countries where NCAs opened for applications early, demand has been very strong: for example, the UK’s Financial Conduct Authority has authorised more than 25 AISPs since the beginning of 2018. However, the granting of licences has been hampered in many Member States by the delay in transposing PSD2 mentioned above. As more NCAs across the EU start accepting applications, we expect the number of authorised TPPs to increase appreciably.
Overall though, while the industry is becoming increasingly energised by the strategic opportunities arising from PSD2, consumer awareness of “open banking” products and services continues to remain low. With cyber-attacks and data privacy breaches frequently in the news, this lack of awareness may be compounded by a latent suspicion of new products and services based on the sharing of personal and sensitive data, especially by less known brands. This suggests that a major effort by firms may be required to improve consumers’ awareness, interest, and trust in this space.
After a somewhat slow start, it is encouraging to see that firms’ compliance programmes seem broadly on track, notwithstanding a number of remaining regulatory and compliance challenges.
As the pressure starts to lift from the compliance challenges, firms are turning their attention to the more strategic and longer-term opportunities and threats arising from PSD2, and their responses to these are increasingly taking centre stage. As firms continue to define and refine their strategy over the coming months, their focus should be on developing compelling products and services which offer enough value, security, and added convenience to their customers to win over early adopters and help the rest overcome their nervousness around sharing their payments data. We never expected Open Banking to start with a big bang, but to gather pace and gain market share we believe firms should focus on what, innovation or not, remains a universal truth: give your customers something they really want (even if they don’t know they want it yet).
 Deloitte LLP