Before the end of 2019, financial players must be compliant with the Payment Services Directive II. Commonly referred to as PSD2, the European directive concerns the development of new products and payment services, as well as their inclusion in a legal framework. Johan Luyts, Integration Expert at AE, discusses the changes this new payment directive brings about and elaborates on strategies banks can use to turn those challenges into opportunities.
A logical step following the European Parliament’s first payment directive to create a more uniform payment market within the EU, PSD2 is an update which has come about for various reasons, including changing consumer behaviour, the emergence of innovative technologies and the presence of new players in the payment market. The latter, until now, fell into a grey area in terms of legislation. Johan Luyts explains: “In short, PSD2 requires banks to make their payment applications and customer account information available to third parties via APIs.”
The guidelines, in other words, challenge financial players to reflect on evolving towards new business models, says Luyts: “Opening up these functionalities means customers will no longer interact with banks directly, and banks will have to explore different ways of competing. On the one hand, banks can set up their own third party to remain in close contact with the customer. On the other hand, they can opt to sell their products more efficiently and to maximise their sales market, thereby striving for operational excellence.”
PSD2 will have a major impact on financial players in two areas. Johan Luyts: “The applications currently used by banks have been developed to communicate with their own Fronts. In most cases, that means they are mainly geared towards current users. Although the APIs that are now being requested by PSD2 are very similar, they do require a large number of adjustments before external parties can gain access to the same functionalities. Moreover, not all banks are equally adept at using RESTful APIs.” A second challenge, Johan believes, will be consent management. “Account owners will have to give banks permission to make certain changes to their account and to make their data available to third parties. This principle actually doesn’t exist today, and thus requires a new module to be added alongside the current infrastructure.”
End customers will also experience the changes PSD2 brings about at first hand. By authenticating through a card reader or itsme®, they grant new parties access to their data. This enables them to consult an overview of their current accounts with various banks within their own banking app. In addition, customers will be able to easily transfer amounts to other parties within that very same environment, as they are no longer tied to the application(s) their bank(s) provide them with.
PSD2 requires banks to review their internal business processes. More specifically, there are four different strategies for dealing with the new open banking guidelines. In Belgium, many banks opt to limit their focus to becoming PSD2 compliant as they perceive the new regulations as a threat. While ensuring third parties can use their services, these banks don’t pay much attention to user-friendliness. The second strategy sees banks as TPPs (Third Party Providers), an approach preferred by some Belgian players, including KBC. The bank introduced its TPP application some time ago, enabling customers to use their KBC app to consult accounts they have with other banks, and clearly indicating that KBC is willing to play an active role in the front application end customers use to consult their accounts.
The third strategy is applied by banks who want to focus on offering APIs. Going further than is legally required, they even unlock additional information and offer extra functionalities that make them a more interesting party for others to interact with. Finally, the fourth strategy focuses on building a platform to which other banks can connect their APIs and through which third parties can request information from all affiliated parties. This provides financial players with a wealth of information about a diverse group of end users and how they behave on the platform, whereas banks adhering to other strategies are only able to capture information concerning their own customers.
Nevertheless, the new legislation is not without risk. Luyts: “For the time being, banks have a reasonably good view of the number of times their services are being used, because everything happens in the Fronts which they manage themselves. Once PSD2 goes live, however, financial players will lose that overview and the exact load on their systems will become anyone’s guess. If the underlying systems are not able to cope with the load, the infrastructure will collapse. This is one of the biggest risks at the application level today. From a business point of view, banks risk losing touch with their customers unless they opt to establish themselves as a TPP or platform.”
AE are currently supervising various projects for bank-insurance companies, helping them design and implement APIs. Johan is closely involved in these projects: “We ensure that the APIs connect seamlessly with the back offices from an architectural point of view, so that they can be linked to internal business services. Moreover, we help our customers deal with all security aspects inherent to opening up certain services.”