EU PSD2 Regulation enters into law
The second EU Payment Services Directive (PSD2) entered into law over the weekend on 13 January.
PSD2 presages a new era of open banking and payments and of shared application programming interfaces (APIs) and associated data. This will impact instant and all other payment instruments, and the surrounding competitive environment.
The immediate impact of PSD2 for payment processors and retail banking industry professionals, however, was somewhat negated by the 18 months delay previously announced to the Regulatory Technical Standards (RTS) element covering payment security. This has caused some to refer to its official commencement as a false dawn.
If consumers will be willing to share their data with new financial and payment service providers remains a doubt as well in these early days of the regulation, especially if where the liability resides in the event of a data breach is not made clear.
Regardless, many in the industry are getting excited with Sophie Guibaud, VP of European Expansion at German neo challenger bank Fidor, commenting in a press release that: “PSD2 will change banking forever and for the better. In the future, thanks to this legislation, consumers will have much more access to innovative online and mobile banking services far beyond what we are currently have [thanks to Open Application Programming Interfaces -Ed.]. Meanwhile, it will level the playing field for competition amongst financial organisations.”
Ben Boswell, VP Europe for World Wide Technology said that the regulation “is meant to see the start of disruption for the banking industry. However, this kind of technology change can be very complex for banks. It involves dealing with very high-stakes application assurance, meaning the confidence to know that their systems are running, available and secure at all times.”
For payment professionals, the RTS delay will stymie PSD2 immediate impact and many incumbent banks with legacy IT systems aren’t ready for its introduction. “The simple fact is that some financial organisations are unprepared for PSD2,” admits Guibaud, citing PwC research findings that as few as 9% of banks last month feel they’re ready. Some large banks, such as HSBC and ING with its Yolt app, have done prep work but by no means all institutions are at that stage.
Many banks were not ready for the 13 January PSD2 deadline, despite the 18 months RTS delay, as the need to share customer data with accreditated newcomers to the marketplace was beyond their aging IT systems and siloed data stores.
In Britain, where the overlapping UK Open Banking regulation is also relevant and provides a dual challenge, some banks had to notify the UK Competition and Markets Authority (CMA) that they could not release all the data needed on their customers in the timeframe required by the similar new law there that covers open APIs.
This indicates the on-going technology challenge faced by banks that are having to open up their customer data to accredited external users and competitors under regulations, such as Open Banking or the EU-wide PSD2, which are designed to encourage competition. Only three out of nine UK banks met the CMA-mandated January deadline for Open Banking, with Barclays, RBS, Nationwide, Bank of Ireland and Santander among the big banks applying for an extension to complete the build of their open API interface at the last moment.
• It was latterly announced that Contego, a compliance specialist, has been chosen by the UK Open Banking Implementation Entity (OBIE), the body created to ensure effective open API security and other standards are met, as its technology partner. Contego will run ID checks and verify the bona fides of users that want to access personal account data for third party development work, thereby impeding fraudulent usage of people’s data if they choose to share it in search of a better deal. The new era will replicate price comparison websites in the insurance area in many ways and make banking and payments more like a utility.