Skip to main content

Did you hear the sound of trumpets and exploding fireworks? Yes, the Payment Services Directive 2 regulation became law this weekend across the European Economic Area. It’s a big deal. So how will banks, retailers and consumers respond? Ahead of a MEF Digital Connects this Thursday to debate the issue, Tim Green asks 13 questions…

On January 13, after years of anticipation, the EU’s revised Payment Services Directive (PSD2) finally went live. The news may have struggled to detract attention from a new book about Donald Trump, but don’t be misled: PSD2 is a banking revolution.

In essence, PSD2 compels banks to release open APIs so that third party companies can access account information – as long as customers grant permission.

As a result, it will create two new types of third parties providers (TPPs). The first are payment intermediary service providers (PISPs). They have the ability to link merchants to a shopper’s bank account so the latter can ‘push’ a payment.

The second are account information service providers (AISPs)? They don’t move money. Instead, they analyse a person’s financial history across all their accounts in order to make recommendations. So, for the first time, entirely new companies have the ability to enter the market to offer vital financial services. In order to keep customers safe, the EU is also making rules about authentication.

This Thursday, MEF will host a webinar supported by CLX Communications to discuss PSD2 featuring Rob Malcolm, VP of Marketing & Online Sales at CLX, Andrew Bud, Founder & CEO at iProov and Adizah Tejani, Director of Marketing for EMEA at Token – you can sign up here.

Naturally, in a shake-up as big as PSD2, all sorts of questions arise. The webinar will address them. Until then, here is a flavour of the topics due for discussion:

  Transactional account data is one of the banks’ crown jewels. It can say so much about a customers desires and behaviour. Why would banks ever want to surrender control of it?

1) Are consumers trusting enough to try these new services?

For decades banks have told people to follow this golden rule: don’t give anyone access to your bank details. Now, have to change their script. Will the public really take this leap of faith?

2) Will the banks de-rail open APIs?

Transactional account data is one of the banks’ crown jewels. It can say so much about a customers desires and behaviour. Why would banks ever want to surrender control of it?

Well, of course, they have to. That’s the point on PSD2. Of course, banks might be best-placed to build new services based on open APIs. But do they have the nous and the vision to do it?

3) Will there be a single open banking API or a different one for every bank?

See above. The cynics say that the big banks will drag their feet and offer bespoke APIs that make it hard for developers to create interesting new services. Others are more optimistic. And companies like Token are working to develop a single standard with as many banks as possible.

4) What’s to stop someone creating a single bank API without the banks’ consent?

It might be possible (and could be legal) to backwards engineer bank APIs without the banks’ co-operation. This is what the renegade developer Teller wants to do…

5) Which companies will set up as Account Information Service Providers (AISPs)?

Lots of talk about comparison sites like Money Supermarket. But what about the banks themselves? Yes, they have to open up access to their customer data. So why not ask for access to accounts held by their competitors?

6) Could Amazon and others become AISPs?

Imagine buying something from Amazon and being asked: ‘do you want a loan?’ Amazon could then request access to your accounts and construct the best deal for you based on your historical buying behaviour. Some observers expect this to happen.

7) Which retailers will consumers trust with their bank details?

Arguably the biggest change resulting from PSD2 is the ability to make ‘push’ payments via payment intermediary service providers (PISPs).

Here, a merchant re-directs a customer to his or her bank app/site in order to enter the amount and ‘push’ it to the retailer. This is different from the usual pull process (a consumer enters his or her card number and Visa/MasterCard ‘pulls’ the money from the account).

Even though the merchant never sees the bank details with a push payment, many shoppers might not realise this. So which merchants will they trust?

8) Is screen scraping dead?

Before open APIs arrived, screen scraping was the only option if you wanted to analyse a person’s accounts. Here, a company effectively would get access to logins and passwords in order to browse the data. PSD2 appeared to be the end of it. But then the European Commission suggested it would keep a screen scraping option as a back-up should bank APIs fail.

9) Are PSD2 and GDPR philosophically opposed?

Open Banking makes data more accessible: GDPR controls access to it. Isn’t that a bit weird?

10) How will stakeholders build consent into PSD2 services?

Perhaps the key to making a success of brave new financial products is to make clear what the consumer is taking on. That makes consent crucial. The question is: how will this be communicated? Tick boxes? Email receipts? PDFs? Text notifications? All of them?

11) Does anyone know what Strong Customer Authentication (SCA) is yet?

A world of exciting new financial services can only prosper when it is secure. That’s why strong authentication is a pre-requisite of PSD2. The regulation mandates it should be two-factor. But there are still some grey areas…

12) What are the PSD2’s Regulatory Technical Standards – and why are they controversial?

A set of Regulatory Technical Standards specify what strong authentication is. But the first draft of RTS received a lot of negative feedback. Now, the European Commission has confirmed the deadline for RTS will be around September 2019.

13) What’s the deal with Brexit?

The inevitable question – especially for UK residents. The British government looks set to mimic PSD2 in its own law. But you never know.

Tim Green

Features Editor, MEF Minute


Sign up for the PSD2 webinar

PSD2 & Strong Customer authentication – Creating seamless customer journeys

18th January, 4PM GMT

Supported by CLX Communications & Featuring Rob Malcolm – VP Marketing & Online Sales at CLX Communications, Andrew Bud – Founder & CEO at iProov and Adizah Tejani – Director of Marketing EMEA at Token, moderated by Tim Green – join the discussion on the effect of the new PSD2 guidelines on the Payments market.

Register now to take part in the live broadcast discussion