Insight into the PSD2 Revolution: Part 1
In September 2019 Europe’s financial markets will undergo a revolution. From that date, the Payment Services Directive (PSD2) will require banks to provide API software interfaces, allowing financial third-parties to tap customer data. This new secure access to customers’ bank data will produce a myriad of user-friendly services which will make fund management much easier.
Digital financial services are already growing fast:
50% of Europeans rely on mobile devices to shop and 45% of Europeans depend on digital payments (Visa, 2017).
Small businesses are also increasingly switching to digital financial tools in the areas of payments and bookkeeping.
The European Commission predicts that PSD2 will make online payments even easier, safer and cheaper. Analysts predict that at least 9% of all retail payments could be processed in a new way by 2020 (Hafstad, et al., 2017). Using fintech will allow retailers to cut out the “middle men” and collect payments directly from the customers’ bank.
For all payment players, the changes required by PSD2 will come at a cost:
Banks will need to update their old IT systems, just at a time when they will be facing new, disruptive competition.
Fintech will need to invest in new capabilities in order to connect with multiple APIs.
For individuals and small businesses using payments services, the impact is uncertain. Although PSD2 promises easy and safe access to a wide range of new services, many questions remain unanswered:
How will API access work?
Will customers have full control and knowledge over what data banks are sharing?
Will the security requirements frustrate as much as protect individuals and small businesses?
PSD2 requires double authentication for most transactions. Instead of ‘one-stop-payments’, individuals and small businesses may have less streamlined experiences. Another unresolved issue is privacy and data protection.
PSD2 regulates various aspects of payment services: security, authorisation and supervision of payment providers, and payments where one of the providers is based outside the EU. In developing PSD2, the fiercest debate revolved around access to bank account information.
Until now, fintech newcomers mainly accessed bank data to serve their customers through a process called ‘screen-scraping’: consumers allowed them to access their bank accounts, which were then ‘scraped’ and the records used to offer services. Most often, these credentials were stored and reused. Regulators fear that screen-scraping represents an invasion of privacy, as well as an inefficient and unsafe way to share data.
PSD2 gives banks two choices:
Let third parties identify themselves and continue screen scraping (through ‘the user interface’)
or
Provide access through a ‘dedicated interface’, such as an Application Programming Interface (API)
This dedicated interface is supposed to be a standardized set of requirements that allows one company’s software to connect with another company’s software. Banks will stay in control of the API, and the client’s authentication with the bank remains a mandatory requirement to use the APIs. Proponents claim that this new system is safer than screen-scraping.
Thus, to the chagrin of some fintech players, PSD2 bans most forms of scraping when banks provide APIs. This change will cause a fundamental evolution in how fintech companies access and employ customer financial data.
PSD2 defines a payment account as “an account held in the name of one or more payment service users which is used for the execution of payment transactions” (The European Parliament and the Council of the European Union, 2015). This general definition will be further specified by national authorities within each of the European Union’s 28 member states.
Depending on the country, payment accounts may include current accounts, e-money accounts, flexible savings, and credit cards.
Fixed term deposits, loans and mortgage accounts remain outside the scope of PSD2, meaning data from these accounts will continue to be available only through screen-scraping.
By Friday 13th September 2019, under the PSD2 technical standards, banks must provide a dedicated interface and functioning API infrastructure. If the banks fail to comply, a fall-back option will be needed. That is where a new breed of fintech players comes into play. In our next post we'll explore the effect of PSD2 regulation on the fintech world.