PSD2 is the revised version of the Payment Services Directive (PSD), a regulation which was adopted in 2007 and provided the foundation for a Single Euro Payments Area. PSD2 entered into force in January 2016 and will apply from January 2018. The key drivers for PSD2 are technological: since PSD was launched in 2007, new players and new technologies have emerged in the payments industry, and they were not regulated under PSD. PSD2 aims to catch up with the fast technological advances and to further stimulate Europe’s fintech industry. The regulators wanted to level the playing field between the banks and the new entrants and “open up” the EU payments market by requiring banks to allow third party access to their customers’ account information.
What does this mean for banks? Let’s first take a look at the new payment service providers: Payment Initiation Services Providers (PISP) and Account Information Services Providers (AISP). PISPs help customers make direct credit transfers from their online payment account for online transactions (thus eliminating the need for credit cards). AISPs are account information aggregators, consolidating different current accounts for customers, but they could also provide, for instance, financial management tools for those accounts. Under PSD2, banks (or Account Servicing Payment Service Providers, AS PSPs) must provide secured access to their customers’ account information when those customers decide to use the services of a PISP or AISP. Even though the regulation does not specify the exact information to be shared, it does mention it must be only the information necessary to execute the services (Article 66, points (f), (g) and Article 67, points (d), (e), (f)).
Through PSD2, regulators are shaping the future collaboration between the big banks and the smaller agile players. With the Access-to-accounts (XS2A) provision, banks now have to build open APIs in order to provide third parties access to their customers’ account information, thus kick-starting the digital ecosystem for financial services.
An API (Application Programming Interface) is a standardized set of requirements (a contract) that governs how one piece of software can talk to another. An example of such an interface is Google’s API, which allows software developers to embed Google authentication in their web applications (e.g. every time you log in to a site, let’s say Dropbox or Spotify, using your Google account login rather than creating a new username and password, you are a consumer of a product built via APIs). Another example is social media “Share” buttons, which allow users to post to their social media profiles from almost any news site. These buttons are simply calls to the respective APIs of major social media outlets to create a post with certain content.
APIs are built on global technical standards, which make them interoperable, scalable, reusable and easy to code – as a programmer, I don’t need to learn some new and convoluted data transmission standard, since APIs already use the popular HTTP (and HTTPS for secured calls).
So what is an Open API and how open is it really? There are various degrees of openness – an open API can be fully publicly available, meaning all of the data it gives access to is open, or it could have different levels of authentication required in order to obtain data from it. In the financial sector, an open API requires at least pre-authorized access for developers and, for obtaining secured data, an authentication key.
At a bare minimum, banks need to comply with the XS2A provision and build APIs exposing their customers’ account data. The choices to make in this case revolve around the IT subjects of API management (how to manage changes, troubleshooting with third parties, outages of service or load on the system).
However, with PSD2, innovation has never been so accessible to banks and aside from simply becoming compliant, banks should build on that foundation in order to deliver more value-add services and better customer experience (CX) for their customers. Banks now have the opportunity to utilize new distribution channels and take on different roles in the value chain. They have traditionally played the role of AS PSPs while fintechs have been positioned as PISP or AISP. Keeping the status quo has implications, though. Not taking advantage of the new roles and distribution channels will simply leave banks with the huge costs of compliance. By becoming AISP or PISP, banks can strengthen their customer relationships and enrich their CX. Furthermore, by creating APIs that source data from other banks (be it simple account information aggregation or new products developed elsewhere), banks will grow their distribution network via the third-party ecosystem, will become more scalable and will create new value-add capabilities, while still remaining secure.
An example of a bank becoming an AISP includes an application that offers insights into their spending habits and peer comparison by aggregating data on their existing customers.1 A similar data mining service for private customers could provide information on what they are spending most on or how much they can safely save each month depending on their spending habits from previous analysis.
Banks need to think about their API strategy – will they be a simple transaction processor and leave the innovation to others, will they develop APIs in-house that will add value to their business and their customers, or will they enter partnerships with fintechs to improve their CX and grow their customer base?
APIs are the new bank products and they should be managed as such. Banks shouldn’t consider PSD2 simply as another regulatory requirement they need to comply with, but as a way to stay relevant in the new ecosystem of payments and banking. Improving the interface between fintechs and banks will accelerate innovation in the market, leading to more benefits for the customers. PSD2 (by way of open APIs) will also encourage banks to extend their reach in innovative services, which will grow the market further. APIs are nothing new outside the financial industry and they have driven positive change in the past decade – look at Amazon, Google, and Apple. Now banks need to ask themselves what their overall strategic positioning is and what their ability is to create value in the new ecosystem.
APIs – what do they mean for payments? (PDF 1.02 MB) – A briefing from Payments UK, April 2016.
Understanding the business relevance of Open APIs and Open Banking for banks (PDF 3.57 MB) – Information paper, EBA Working Group on Electronic Alternative Payments, May 2016.