What is PSD2?
PSD2 was proposed by the European Commission in 2013 to be active and implemented in 2018, and its primary goals are:
➢ to increase, improve and integrate payment efficiency across the EU
➢ to offer better consumer protection
➢ to offer a seat at the table to new and emerging payment service providers
➢ to promote innovation in the payments space, and reduce transaction costs
➢ to provide clarity on the use of emerging payment methods such as mobile and online payments
➢ to harmonize pricing and improve security of payment processing across the European Union.
At the core of the new payment regulations is the need for banks to allow a secure way for customers to authorize their preferred third-party providers to have direct access to two aspects of their bank account:
➢ their account and transactional data
➢ the ability to authorize payments directly from their account.
The idea behind PSD2 is to improve the customer experience, as well as increase marketing competition and innovation. It’s about aggregating account data from multiple institutions into a single view. The PSD2 regulation is regarded by many as the single biggest change in the banking industry, as it will force banks to open their infrastructure to third parties. Many banks are concerned about this legislation, feeling exposed and under attack from new entrants, as well as by the position of customers in the driving seat. But does PSD2 need to be seen as a threat to banks?
Fintech providers now have a chance to become an Account Information Service Provider (AISP) themselves. PSD2 isn’t simply a compliance project – it can be used to your own benefit.
PSD2 will impact how we access our finances
Labor intensive task of getting complete overview of financial status across banks.
➢ You have multiple debit and credit accounts with various banks.
➢ You have to log in separately for each of them, but have no single view.
➢ It is very hard to have a real overview of your net worth.
After PSD2 adoption
Account Information Service Providers (AISPs) can offer direct insight in all products and transactions across banks.
➢ Now it’s possible for third-party, new fintech players, and existing banks to build a tool that aggregates the data from all the banks in one single view.
➢ Your account information, all your financial products and all your transactions can now be consumed in one single dashboard.
➢ The term Account Information Service Provider (AISP) could be applied to third parties like mint.com that can aggregate all the account information, but banks can become AISPs themselves and provide this single view of the data.
PSD2 will impact the flow of payments
PSD2 calls on banks to give third-party providers (TPPs) such as fintech companies, other emerging banks, retailers and telcos secure access to customer accounts (with customer consent). The opening of the payments market to new providers will widen consumer choice, lower transaction fees and improve convenience.
The new regulation represents an opportunity for TPPs to hasten change in the banking industry, aggregating financial products and services into more digitally friendly versions. These are businesses that enable customers to access different online banking accounts, including credit cards, current and savings accounts using a single online portal, and fintech companies moving into the payments sphere.
After PSD2 adoption
New parties can act as ‘Payment Initiation Service Providers’ (PISPs) to simplify the flow of transactions and payments.
Other organizations, such as retailers, telcos or utility companies, could also offer their own payment platforms (becoming Payment Initiation Service Providers, or PISPs), reducing commission fees, strengthening customer relationships and positioning themselves as identity providers. This is actually already taking place.
Some technology brands focused on gaming are taking an interest in the financial services industry. These brands, for example Microsoft Xbox, are already taking some margin from traditional banks in the form of cash float. Many of these gaming platforms have a ‘wallet’ feature, where value transfers can be accepted from mainstream payment platforms. Would these also be new entrants in the market?
The impact of PSD2 on banks
A major concern for banks is being prepared for PSD2 from a technological point of view. Banks are being asked to allow access to customer accounts by third-party providers (with the customer’s permission). To do this, banks could create their own APIs to enable connection with third-party providers. Alternatively, banks could “take a step back from the customer and allow their infrastructures to facilitate transactions, while consumer brands (such as Apple, PayPal or new players) engage with customers directly”.
For a long time, many financial institutions fought to avoid legislative and technological evolution by arguing that such changes would cost too much money, and would increase security risks. It’s difficult for traditional banks to come to terms with the idea of opening up to third parties. Yet, for those who want to survive and continue to prosper in this digital age, the need to restructure their organizations is imperative.
Banks will need to reorganize their IT infrastructure and refocus part of their business model. They will be required to open up their IT systems to third parties who are instructed to make payments for account holders, and / or they must ensure a consolidated real-time view of account statements.
This is an opportunity for forward-thinking banks to embrace next-generation digital technology, increasing innovation efforts and maximizing value for customers. The new regulation represents an opportunity for adaptable banks to partner with fintech companies and third-party providers, to create a strategy that welcomes change and innovation.
PSD2 timeline - aiming for Q4 2018
➢ December 2015: EBA released discussion paper on authentication and secure communication.
➢ January 2016: PSD2 is published in the official journal of the European Union.
➢ June-Sept 2016 (est.): Consultation period on draft Regulatory Technical Standards (RTS).
➢ January 2017: Deadline for EBA to submit RTS on authentication.
➢ April 2017: EBA RTS adopted by commission.
➢ January 2018: Deadline for member states of the EU to transpose PSD2 as law across 28 member states.
➢ October 2018: Deadline for EBA RTS Compliance for ASPS, PSPs and authorities.
The aim of PSD2 is for all banks to comply with this new regulation during 2017. This regulation will then be turned into national law and be adopted by the 28 European member states, where all banks will need to have opened their API before Q4 2018.
So what needs to happen? Banks will need to comply before October 2018. This entails:
➢ Third-party authentication
➢ Third-party access to account information
➢ Fee transparency
➢ Fine grained entitlements: different levels of transaction on a certain area.
The main question we need to ask is: ‘To whom will this apply?’
PSD2 as a regulation will only be applicable to payment accounts and transactional data. I believe that PSD2 enabling open APIs, thus enabling third parties to have access to this data, will be the future for all banks. However, an open API strategy shouldn’t be solely confined to payment accounts.
Change to competitive landscape
Before the implementation of PSD2, banks have access to large quantities of data, payment engines, international payment networks; they are connected and they can provide services directly to their customers. In the digital world banks do this typically through their own APIs, referred to as an Enterprise Service Bus, or an API gateway. This internal data, functionality, and payment capability is used by traditional online and mobile banking applications. The only way for the customer to have access to this data is through a branch, call center or online/mobile app, from which they can access this data and these functions.
Once PSD2 has been implemented, the bank will need to provide the data and functionality to their own apps via an internal API or Internal Service Bus, but they will need to expose payment capabilities and aggregated information in a so-called public API.
API stands for Application Programming Interface, a technology that allows developers to access functions of different computer programs and make them work together. With PSD2, you will not only need to have an internal API, you will also need to have a public API.
The bank’s public API will be utilized by its own online banking applications but also in the post-PSD2 world, banks will have third-party applications that will use the bank’s public APIs that have access to account information and can initiate payments.
PSD2 will impact the competitive landscape, where currently the banks manage and control their own data, online and mobile banking apps, and have benefited from one-to-one relationships with their customers.
The shift in control
However, with PSD2, this has shifted. The banks are no longer fully in control, and open APIs means that innovation will be possible for third parties. Up to now, fintech startups have struggled to win customers, as they did not own the banking back-ends. However, with PSD2, third-party suppliers will have access to these customers to be able to build new relationships. It will also shift control back to the customer, while up to now banks have had control over data and information.
Strategy: Proactive vs Reactive
“Without a clear strategy, banks are going to be hit hard by competitors who already have the user experience nailed. Only those with a clear vision of who they will be in this new landscape, and a strategy to get them there, stand a chance of holding their ground while the industry finds its new plateau. It’s a time of shifting perceptions, monumental changes and experimentation. For some banks, this is where heads of innovation are now proving their value, slowly but steadily influencing the cultural and leadership changes needed in a post-PSD2 world while creating the new partnerships and platforms necessary for innovation to grow and thrive.”
Reactive / Disrupted Bank
➢ Meet the essential criteria
➢ Rest is business as usual
➢ Have defensive and delay strategy to third parties
Proactive / Disrupter Bank
➢ First to adopt open APIs
➢ First to welcome third-party developers/ecosystem
➢ Accept commoditization and find new differentiators
Following PSD2 (and the standards that will need to be agreed on by the European Banking Authority), banks’ obligations may lead to one of two fundamental strategic choices:
The Reactive Strategy
This option could be defined as doing the minimum required to satisfy PSD2 compliance and, through opening up APIs to a limited extent, enabling TPPs to execute payment initiations and account information services.
Banks may feel as if they have done all of the hard work over the years in collecting customer data, and now they are being forced to share it with others. This is a valid opinion, but not a customer-centric one. It won’t benefit anybody to implement PSD2 compliance slowly. This is a fantastic opportunity to adopt open APIs and welcome third-party developers and ecosystems.
The Proactive (Innovative) Strategy – moving to public APIs
Banks could go further by offering innovative (basic) payment initiation and information services, essentially competing with TPPs, by moving to public APIs. Furthermore, banks could collaborate with fintech companies to accelerate adoption and market growth of transaction services. Banks could provide the flexibility, customer loyalty and scalability, while fintech players could build customer-centric user experiences that drive conversion.
What strategic option suits the bank best?
The strategic option the bank chooses will have significant consequences for its future business and relevance. Making the right strategic decision will require banking executives to consider their ambitions, their desired position in the value chain, and their accompanying transaction portfolio.
Fintech companies move at a rapid pace. Incumbent banks need to think and act quickly to retain their market power through a resilient, digital, API-driven business strategy. Defining the business case for each strategic option and determining a strategy moving forward requires a solid understanding of regulatory, technological and business considerations.
APIs as the answer to PSD2
Providing consumers with unprecedented choice, flexibility and ultimate control changes the playing field, and provides banks with an incredible opportunity to define and distinguish themselves on the strength of their customer experience in a way that wasn’t previously possible. The ability to be able to view accounts from multiple banks in a single customer experience shouldn’t be underestimated.
If banks want to pursue this option, the time is now. The strategic choice would be to build a new, PSD2 global strategy, where banks focus on pursuing a ‘bank-as-a-platform’ strategy to enable third parties to build applications and services around the financial institution, based on open APIs; banks become a complete digital player, competing and collaborating for customer relevance in payment and information services. Exposing the data and functionality of legacy systems is the foundation of future digital growth.
Creating connected experiences
➢ Next-generation consumer experiences: PFM, card-linked offers.
➢ Work with fintech vendors: P2P lending, wallets, new Apps, IoT, etc.
➢ Outside-in banking: Cross-banking aggregation, multiple contextual financial apps.
➢ Alternative models in wealth management: Robo-advisors for affluent segments.
➢ Access control and risk management: Reduce risk through access control, metering of enterprise assets.
APIs will also bring with them the opportunity to build more connected experiences for customers, as well as the possibility to connect with new, innovative applications and third-party APIs. The opening of APIs will change the current fractured, siloed landscape and enable banks to create connected experiences on existing applications. Information already present such as deposit, investment or payment data can be used to enrich next-generation consumer experiences.
The option to use third-party APIs will help banks with various functions, such as personal finance management (PFM) and enriching existing transactions with, for example, offers linked to transactional information. Banks will be able to work with other fintech vendors by enabling P2P lending, digital wallets or insurance products connected to an Internet of Things (IoT). These are just a few examples of the opportunities that APIs will offer.
In this API economy, banks will be able to mix-and-match as well as combine different applications from various sources. APIs will give access not only to the bank’s own internal system but also provide access to new innovative products external to the bank. Banks that have a strong platform that can consume these APIs will be able to further innovate by blending these with their own applications, creating really unique experiences.
The retail banking sector will be hugely impacted by this API economy, with the emergence of account aggregators that may enable the end-customer to visualize multiple accounts and details through one touchpoint. However, the business banking sector will also change, because they will have access to third-party systems. For example next to a business’s transactions they could be able to visualize and hook up their accounting system to view invoices.
Account aggregators will provide benefits for online and mobile banking, but on the payment side they may create more pressure because there is less need for a banking app to process a payment. We may see more situations emerge where end-users are able to make a payment within the context of an application. The payment initiation providers will probably enable in-context payments, and the banks will be invisible there.
Complete customer view
There will be players that will have a complete overview of all the data you get from the banks and from third-party fintech apps, and that player could actually be anybody.
Anyone that provides a full view of a customer’s finances in a dashboard that can be accessed 24x7, and shows this data in real-time will be in a good position to win customers and promote their brand.
While customers can see information from their current accounts, savings accounts, pension funds, investment funds and so on, the provider of this complete overview can keep its branding visible to the customer, no matter which other bank or fintech player is actually holding the accounts or funds.
Integrating fintech capabilities
Banks also have the option to integrate third-party APIs to enrich their omni-channel banking experience. Banks will not have to own everything themselves – they will be able to rely on the fintech capabilities of partners.
Fintech players will not only be competing with the banks but will also be partnering with the banks. This will enable banks to enrich their product portfolio. End-users will not only be able to buy products that banks already have from their core systems but also products provided by third-party players banks have partnered with. This creates a shared business model as well as a shared revenue stream.
This is a major part of the API economy, as banks will not have to own everything themselves. They will have the possibility of partnering with third-party specialists, and reselling their capabilities within their own brand and within their own customer experience.
Introducing new business models
Revenue-sharing models (API provider pays developer)
➢ Hybrid (flat fee plus fixed or flexible)
This refers to banks opening their APIs up to third-party providers based on their business model and the applications they develop on top of the bank’s API. This will result in a sharing model: revenue, margin or selling. This can be fixed, flexible or hybrid but the principle is that the bank and third party share revenues.
Fee-based models (API provider charges developer)
➢ Transaction Volume
➢ Custom Attribute
➢ Subscription: Advances / arrears, Pro-rated / full amount
This model is very common within the payments industry, for example with PayPal or credit card payments. Exposing an API is one thing, but executing a transaction via that API will certainly come at a cost. This is typically transaction-based, and depending on the type of transaction and the volume, the cost structure will vary, and could present itself as a one-time fee or a subscription fee.
This model is a bit more experimental. The freemium model is based on offering the capabilities for free for a fixed term or, for example, a limited set of data points. Once the customer becomes dependent on the capabilities, the bank tries to move them towards a more fee-based structure. It’s like implementing the seed with a free app, creating dependency and then introducing the fee structure to upgrade to the service.
The next step
If banks want to comply with PSD2 regulations, they must consider either acquiring or building a solution. This will enable banks to integrate certain things in order to be compliant. Solutions that can be built to enable this include:
➢ Third-party authentication: for example, putting in place OAuth (Open Authorization) and 2FA (Two-Factor Authentication), which should be secure enough in those areas where the regulation will be implemented. It should be emphasised that this should be strong enough and allow for multi-factor authentication.
➢ Entitlements: this is an important element in defining who has access to what, when and how, as well as setting other limitations. This should support the end-customer and enable them to set entitlements as well as permission access. This should allow the end-customer to authorise a third party to act on their behalf within certain limits.
➢ If banks are leaning towards an API strategy to be PSD2-compliant, it’s very important and useful to adopt API versioning and management. APIs will continue to increase and banks will see more of these applied. However, over time some go out of date, underlying systems will need to be changed and APIs will need to be updated. In order to achieve this, banks will need to have a governance and management model, usually referred to as API versioning and management capabilities, which is an essential part of any API strategy.
➢ PSD2 means that banks will become more vulnerable, and consequently they must consider implementing solutions that enable them to monitor fraud and penetration. Authentication and fraud detection are two major elements that banks will need to address. The same security methods currently implemented by banks to protect their online and mobile banking platforms can also be applicable on top of these APIs.
➢ Developer tools (SDKs, sandboxes, documentation) are mainly used for banks adopting an experimental or reactive strategy. If banks open their APIs to provide access to the data, the hope is that people will build on top of these and utilize these APIs to create new business models and develop new app communities. However, we may also see some banks who will either be offensive or defensive and make it harder for people to access their APIs, and we may see some of these linger before they actually make these available. Overall, if banks are looking for volume and to experiment, then making developer tools available to build on top of their APIs is the most appropriate strategy for them to adopt.
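To make the entitlements and third-party authentication points above concrete, here is an added illustration (not part of the original paper and not any bank's API) of a deny-by-default check that a bank's public API could run before serving a third party. The scope names, the Consent and Request fields, the identifiers and the sample data are all assumptions made for this example; PSD2 itself defines none of them.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal

# Hypothetical scope names; PSD2 does not define an API or a scope vocabulary.
READ_SCOPES = {"accounts:read", "transactions:read"}  # AISP-style access
PAY_SCOPE = "payments:initiate"                       # PISP-style access

@dataclass(frozen=True)
class Consent:
    """What one customer has allowed one third party to do (hypothetical model)."""
    customer_id: str
    tpp_id: str
    scopes: frozenset
    accounts: frozenset
    expires_at: datetime
    max_payment: Decimal = Decimal("0")  # per-payment ceiling set by the customer
    revoked: bool = False

@dataclass(frozen=True)
class Request:
    tpp_id: str
    customer_id: str
    scope: str
    account: str
    amount: Decimal = Decimal("0")
    second_factor_verified: bool = False

def check(consent, req, now):
    """Return None if this consent covers the request, else the reason it does not."""
    if consent.revoked:
        return "consent revoked"
    if now >= consent.expires_at:
        return "consent expired"
    if req.scope not in consent.scopes:
        return "scope not granted"
    if req.account not in consent.accounts:
        return "account not covered"
    if req.scope == PAY_SCOPE:
        # Payments need a verified second factor and must stay within the limit.
        if not req.second_factor_verified:
            return "second factor required"
        if req.amount <= 0 or req.amount > consent.max_payment:
            return "amount outside limit"
    return None

def authorize(req, consents, now):
    """Deny by default: allow only if a consent for this customer and TPP covers the request."""
    reason = "no consent for this third party"
    for c in consents:
        if (c.tpp_id, c.customer_id) != (req.tpp_id, req.customer_id):
            continue
        reason = check(c, req, now)
        if reason is None:
            return True, "ok"
    return False, reason

# Constructed sample data: one aggregator (read-only) and one shop (payments up to 100.00).
EXPIRY = datetime(2018, 12, 31, tzinfo=timezone.utc)
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
CONSENTS = [
    Consent("cust-1", "tpp-aggregator", frozenset(READ_SCOPES), frozenset({"ACC-1"}), EXPIRY),
    Consent("cust-1", "tpp-shop", frozenset({PAY_SCOPE}), frozenset({"ACC-1"}), EXPIRY,
            Decimal("100.00")),
]

if __name__ == "__main__":
    pay = Request("tpp-shop", "cust-1", PAY_SCOPE, "ACC-1", Decimal("50.00"), True)
    print(authorize(pay, CONSENTS, NOW))
```

The same check yields the audit trail needed for the fraud monitoring point in the list: every denial carries a reason that can be logged per third party.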
As PSD2 is a regulation, it’s clear that it will not define the API for the banks. To comply with this new regulation, banks will need to take responsibility in defining a clear API strategy and standard. The best approach would be for the banks to collaborate and define a standard on how they will open up their APIs in order to set healthy foundations for this new development.
There is no need to wait for the regulations to be final.
PSD2 is going to happen and the technology selection processes and implementation can begin today.
The scope doesn’t have to be limited to just PSD2.
An open and creative approach in which APIs and services that can be enabled for third-party developers and partners will help create new business models and mutual benefits.
A ‘lean startup’ approach can be beneficial, with a willingness to experiment and be open to new ideas. If ideas don’t work, move on to the next thing. If they do, keep developing and improving.