PSD2 - not all doom and gloom!
Chris Hamblin, Editor, London, 14 January 2018
The revised payment services directive (PSD2) became European Union law in January last year and the deadline by which all EU countries must enshrine it in their laws and regulations has now passed.
Banks now have to offer people access to data through open APIs (application programming interfaces: publicly available interfaces that give developers programmatic access to proprietary software applications or web services). Any third party (i.e. not the bank or the customer) with a trusted licence – a light-touch form of regulatory approval – can ask for customer-related data and the bank must provide easy access to that data through plug-and-play software. These so-called third-party players or TPPs are allowed to access payment accounts in order to provide new value-added services to consumers, such as account aggregation (i.e. one app on a smartphone or tablet consolidating a consumer's financial data from his various accounts held at different banks).
The UK - still a member of the EU despite its vote to leave - has gone one better and set up the Open Banking Implementation Entity (OBIE), a company whose trading name is Open Banking Ltd. It is governed by the Competition and Markets Authority and funded by the UK’s nine largest banks and building societies: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander. Its job is to design specifications for APIs, create security and messaging standards, manage an open banking directory, produce guidelines for participants in the open banking ecosystem and set out processes for the management of disputes and complaints.
Hackers, housebreakers and Sir Howard
A new law that forces lenders to provide their coveted data about customers to so-called fintech challengers might be all very well, but many in the banking industry are trepidatious about its dangers. Foremost among them is Sir Howard Davies, the former CEO of the old Financial Services Authority, which the Government split up in 2013. Sir Howard, now the chairman of Royal Bank of Scotland Group plc, recently told Bloomberg at a conference: "We are not confident that our customers’ data will be protected from hackers and thieves. We cannot refuse to hand over data because that’s what the legislation says, but we will have to try to educate people to understand the vulnerability that they will then have."
An adventure
It is not all doom and gloom, however. Paysafe, a global payment processor, feels that the financial sector should be looking at PSD2 and the opportunities it presents positively. Simon Chandramani of Paysafe told Compliance Matters: "PSD2, which comes into effect this weekend, aims to increase competition in the payments industry, bring into scope new services and enhance customer protection and security. There are businesses which have chosen to overcome it by introducing a service fee model to their transactions ahead of the January 13 drop date, though this may not work for all industries.
"We should look at PSD2 positively and consider the opportunities it presents. For operators who haven’t got large legal teams, moving card payments from what was a profit centre to a cost centre can seem daunting. Breaking this down into achievable steps can set a good foundation to make these small percentages back. We recommend that merchants should do the following.
- Review their payment models. They should find out what interchange, scheme fees and processing fees are being paid and identify the opportunity for negotiation.
- Explore new services to help their transition. The market share of card payments is expected to go down in favour of new instant bank transfers enabled by PSD2 APIs.
- Consider whether their payment strategies are flexible enough to support growth. For instance, could payments be offered in local currencies, and settled in any currency? Consider how consumers may want to pay for large-ticket items, perhaps by monthly instalments.
- Look at back-office efficiency by examining the collection process, whether the business receives above-average failed authorisations and how many hours are used in manual reconciliations.
"Ultimately, PSD2 claims to champion frictionless payments, which can only be a good thing for the customer. This is the beginning of a new customer journey that will evolve over time as demand for new payment methods continues to grow. Stepping back and looking at the wider payments picture is part of the adventure."
Rubbing their hands
Other third-party players have been rubbing their hands at the prospect of what is to come. Steve Tigar, the CEO of Money Dashboard, which has long been helping people to integrate all their online banking accounts (from all providers) into one app, commented: "The terms and conditions of the UK's large banks have previously placed impediments in the way of our service, with customers concerned about breaching the terms of their account by using our app. On Saturday, this stops. Customers now have the legal right to permit [inexplicably, the actual phrase he used was 'to permission'] our service to use their banking data. This is a big day for our company, but more importantly it is a liberating day for our customers, who have driven the demand for services like ours."
Winston Bond, a director at an application security specialist firm called Arxan Technologies, added his voice to the chorus.
“It may have seemed a long time coming but on Saturday 13th January, the new Payment Services Directive reinvented banking and payments as we know them, ushering in a new era of ‘open banking,’ where customers have unprecedented freedom in how they access financial services. Because of this, all banks are now required to share their APIs to [sic] third-party applications. However, many have still not been advised how to do this securely.
"The principal weakness in sharing APIs is the simple authentication that is widely used by most API management solutions to confirm that the client app on a device is genuine and has been authorised to utilise server assets. If a cyber-criminal breaks through an app’s security and decompiles its code, he could root out the encryption keys. Attackers can then trick the system into recognising them as a legitimate client, giving them access to anything the API is authorised to connect with.
"To prevent attackers from exploiting an API in this way, banks will need to ensure they cannot access the cryptographic keys it uses to authenticate itself, by using code obfuscation, for example. As we’ve said before, the onus really is going to be on the banks. The PSD2 regulation makes it clear that they are responsible for the ownership, safety and confidentiality of their customers’ account data.”
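The weakness Bond describes, as an added illustration that is not from the article or from Arxan: a toy bank-API gateway in which a shared secret compiled into every copy of a client app is the only thing checked, so the gateway cannot tell a genuine app from any other holder of the same key, beside a check that instead gates each request on a short-lived consent token bound to the accounts a customer authorised (the PSD2 consent model, simplified). All names, the token store and the sample account identifiers are constructed for the example.

```python
import hmac, hashlib, json, secrets, time

# Constructed demo value: a secret shipped inside every install of a client app.
APP_SECRET = b"demo-secret-compiled-into-every-app-copy"

def sign(payload: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON request body."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def weak_gateway(payload: dict, signature: str) -> bool:
    """Weak design: the only check is 'was this signed with the app key?'.
    Every copy of the app carries the same key, so a valid signature proves
    possession of the key, not that the request comes from a genuine app
    acting for an authorised customer."""
    return hmac.compare_digest(sign(payload, APP_SECRET), signature)

class ConsentStore:
    """Hardened design (simplified PSD2 consent model, assumed for the demo):
    the bank issues a per-customer token after the customer authorises the
    third party; the token is short-lived and bound to named accounts, and
    nothing long-lived or shared needs to sit inside the client app."""
    def __init__(self) -> None:
        self._tokens: dict[str, tuple[str, frozenset, float]] = {}

    def issue(self, customer: str, accounts: set, ttl_s: int, now: float) -> str:
        token = secrets.token_urlsafe(32)          # unguessable, per consent
        self._tokens[token] = (customer, frozenset(accounts), now + ttl_s)
        return token

    def authorise(self, token: str, account: str, now: float) -> bool:
        entry = self._tokens.get(token)
        if entry is None:
            return False                            # unknown or revoked token
        _customer, accounts, expires = entry
        return now < expires and account in accounts   # in time and in scope

def demo() -> dict:
    """Run both designs against constructed requests and return the verdicts."""
    now = time.time()
    req = {"account": "DEMO-ACC-1", "action": "read_balance"}
    # The genuine app and anyone else holding APP_SECRET sign identically.
    out = {"weak_accepts_any_key_holder": weak_gateway(req, sign(req, APP_SECRET))}
    store = ConsentStore()
    tok = store.issue("customer-a", {"DEMO-ACC-1"}, ttl_s=600, now=now)
    out["consent_in_scope"] = store.authorise(tok, "DEMO-ACC-1", now)
    out["consent_out_of_scope"] = store.authorise(tok, "DEMO-ACC-2", now)
    out["consent_expired"] = store.authorise(tok, "DEMO-ACC-1", now + 601)
    out["unknown_token"] = store.authorise("not-a-token", "DEMO-ACC-1", now)
    return out
```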
Going beyond the deadline
Consumers can now instruct their banks to share data securely with third parties, making it easier to transfer funds, compare products and manage their accounts. However, according to the Competition and Markets Authority, several of the UK’s major banks have been granted more time, after indicating that they would miss the PSD2 deadline. Barclays, Royal Bank of Scotland, HSBC, Santander and Bank of Ireland informed the Competition and Markets Authority that they could not release all the data needed on their customers in the timeframe required by the new law. This indicates that banks are in real technical trouble.
Ben Boswell, a bigwig at World Wide Technology, commented: “January 13th is meant to see the start of disruption for the banking industry. However, this kind of technological change can be very complex for banks. It involves dealing with very high-stakes application assurance, meaning the confidence to know that their systems are running, available and secure at all times.
“Banks are essentially service providers, because of the high level of technological infrastructure they provide around the globe. Therefore the level of technology assurances they need are extremely high.”
PSD2 will require banks to facilitate third-party access to their customers' accounts via an open Application Programming Interface (API). This software intermediary acts as a standardised gateway to the data, making it essential that banks, financial institutions and fintechs have the technology in place.
Boswell continued: “All legacy applications need to be refactored to fit with the agile API infrastructure. Many banks currently use private APIs to improve information flow internally between legacy systems, so they already have experience of this kind of programming. But the technology and security implications of open APIs are far greater and require a high level of assurance.”
Izabella Gabowicz, the chief operating officer of an expense management company called Sensibill, recently told pymnts.com: “The initial reaction [to data sharing] was a negative, knee-jerk reaction that, ‘This is our proprietary data that we collected, and now we’re being asked to share it — that’s a negative for us.’ Initially, it was seen as a bad thing. But what’s happening is they’re starting to come around.”
This seems to be the truth, as her company announced its partnership with the Royal Bank of Scotland to integrate its services for some of the bank’s customers in October, perhaps (or, indeed, perhaps not) over Sir Howard's objections. Her firm is but one out of many 'FinTechs' that have struck such deals with traditional banks that have to share data. Over the next year or two, the story is bound to unfold.