EU Payments Directive Opens Door to Open Banking

Bernadine Reese, Managing Director Risk and Compliance, Protiviti UK

The second European Payment Services Directive (PSD2) is scheduled to become law on January 13, 2018. Heralded as a way to make it faster, easier and less expensive for consumers to pay for goods and services, it also forces European banks to share customer data and payment infrastructure with third-party service providers and disruptive new competitors known as fintechs.

For better or worse, banks will soon have to comply with the law. Their only choice lies in whether to embrace this disruption and use it as the catalyst for an “open banking” business model, or succumb to the competitive threat.

The European Parliament adopted PSD2 in October 2015 to promote innovation (especially by third-party providers), enhance payment security and standardise payment systems across Europe. Its practical effects would be to:

  • Regulate fintechs that fall within the wider definition of what is regulated in payment services
  • Limit transaction fees and rebates
  • Require banks to open their payment infrastructure and customer data to third-party financial service providers; and
  • Provide new protections to consumers and users of payment services.

In practical terms, PSD2 would create an open banking environment where banks would be required to share a customer’s personal financial data, at the customer’s request, with any regulated account information service provider (AISP), while the bank still retains responsibility for the risk and compliance aspects of the customer and his or her data. This will be done through an application programming interface (API) that complies with a set of technical standards set forth by PSD2.

For sure, this expanded access and consolidation of data increases existing risks (i.e., fraud) and poses new potential risks to the current business model of certain institutions such as banks, but it brings opportunities as well — particularly for challenger banks, and for traditional banks that choose to do more than the bare minimum PSD2 compliance. Perhaps a bit surprisingly, the prevailing sentiment — even among some bankers — is one of excitement and optimism.

Time will tell what innovations and unintended consequences PSD2 will create. In the most likely scenario, the financial services industry will see a dramatic rise in mobile technology driven by APIs. In the future, banks wishing to remain competitive will use APIs to build an “ecosystem” with not just payment providers but merchants, so they would remain their customers’ “everyday bank.” The use of APIs in financial services has been hampered by privacy rules and the private ownership of data and infrastructure. PSD2 clears those hurdles.

Consider this small sampling of possibilities:

  • Account aggregation, which provides consumers with an overview of all accounts held across different institutions, without having to log into multiple proprietary customer portals.
  • Automated balance sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  • “Marketplace” banks that offer lowest-cost services for loans, overdrafts and foreign currency transfers.
  • Credit decisions based on actual data by any institution and not just the institution currently providing bank account services — increasing choice and competition.
  • Payment facilities for the Internet of Things, such as, say, a self-replenishing refrigerator authorized to “shop” on the owner’s behalf, or a car that can pay for fuel or recharge without the customer leaving the vehicle.

There will be winners and losers. Potentially the biggest winners will be consumers and entities making and receiving payments within the European Economic Area. Cost and lack of competition in the existing payment space have been a concern for European regulators, and the opening up is likely to drive costs down for banks and consumers alike as competition increases.

An issue I deliberately did not mention here is data security and the safeguards built into PSD2 to ensure that personally identifiable data is protected. This is a topic for a discussion in its own right, and we will be covering the security aspect of PSD2 here on this blog and elsewhere. In the meantime, you can bet that PSD2 will be front and center when the European financial services industry gathers June 26-28 in Copenhagen for Money 20/20. I hope to see you there!

John Harvie, Business Performance Improvement, Protiviti UK and Justin Pang, Risk and Compliance, Protiviti UK contributed to this content.
