PSD 2 and XS2A Impact on the Banking Sector

The mother of all European Union banking regulations, Payment Services Directive (PSD), was adopted in its revised version – the so-called PSD2 – by the European Parliament last October. This updated Directive imposes new duties on banks in order to make the financial ecosystem more competitive, safe and secure; ultimately, better for consumers.

What does the PSD2 mean to banks? They will have to fulfill some new requirements and be rewarded for that with much stronger competition and less loyal clients.

Open Banking APIs

With the updated Directive, banks are obliged to allow access to their clients’ data, so that any third parties (which will be certified and controlled under the PSD2 regulations) could use it – of course, with the client’s consent and to the extent required by the scope of the third party’s service offered to the user.

The open banking API means that the customers’ information stored in banks will no longer be “proprietary” and will finally belong to the account owners, not to the banks keeping those accounts. The certified third parties – referred in the PSD2 to as account information services (AIS) and payment initiation services (PIS) – will be able to retrieve customers’ information from banks within seconds. This will allow for very fast user authentication: the KYC procedure was already done by a bank, so successful logging to the banking system equals to the access to verified, valid personal data.

Thanks to open banking APIs the AIS providers will have the possibility to extract and analyzecustomer account history, which enables fast credit scoring or offering better deals on the financial market. With the access to the client’s account balance, the PIS providers on the other hand could enable new payment options, like fast direct debits, especially for those consumers who don’t have credit cards. It all can be done with no account number, just with customer’s online banking credentials.

AIS and PIS providers will get the necessary tools to dramatically change the landscape of the financial world. Banks simply won’t be the only players anymore: using their infrastructure, the third parties will be able to offer similar or completely new services to customers. Banks will face similar competition as mobile virtual network operators (MVNOs) did to classic mobile carriers. In the worst case scenario, it would be the end of banks as we know them – they might transform
into infrastructure providers: data centres for the financial ecosystem of service providers.

The Costs That The Security Will Profit From, But They Might Not Secure Profits

The idea of open banking APIs sounds great, but it is also a big challenge for security. All of these information exchange processes must be conducted securely and precisely. The client’s data mustn’t be intercepted by any other party than API and PIS providers, and the extracted information has to be as minimal as possible. For example, the payment service provider will only be able to receive information from the payer's bank on the availability of funds (just a “yes/no” answer) on the account before initiating the payment, and the account information service provider will receive just a given range of account history – and possibly filtered to summarised incomes and spending only – for credit scoring.

Implementing such limitations in APIs and security measures in data accrual (user authentication) and transmission require lots of work, not to mention the fact that every bank will have to adapt a standardised API to its own banking system. It all will take time and money, and the bottom line from PSD2 for banks might be more red than black.