
How to solve the compliance challenges of PSD2

Reza Rahmani Fard and Fanny Rodriguez, Fime and Bridge, Head of Product Management and Head of Open Banking Partnerships, London, 10 February 2021


Compliance with the open-banking regulations of the European Union's second Payment Services Directive is high on the agenda in financial services. Although the vision of open banking is simple – to give consumers more valuable experiences – implementation has proven to be complex.

PSD2 has a notably broad scope, but it provides little in the way of specific implementation regimes or guidance. For anyone trying to translate broad directives into concrete, real-world practice, compliance can be costly and confusing.

Compliance complexities

Compliance officers at banks, FinTechs, standards groups and regulators alike are all responsible for ensuring compliance with the PSD2 Regulatory Technical Specifications.

The first official legal compliance date of September 2019 has passed, yet few European banks had started complying with these requirements by that date. The market is fragmenting as different regions and regulators have resorted to pursuing their own initiatives and deadlines. The UK's Financial Conduct Authority, for example, has given banks an extended deadline of September 2021 to comply with the standards, while the European Banking Authority set its deadline months earlier, at December 2020.

On top of regulatory deadlines, PSD2 makes it clear that security and privacy breaches must not be the 'opportunity cost' of open-banking systems. The directive calls for the use of strong customer authentication (SCA) and secure communication, with responsibility once more falling to banks. SCA requires two-factor authentication when people access their accounts online, when an account holder initiates an electronic payment transaction, or when they take any online action that might create a risk of payment fraud.

Non-compliance could result in steep fines of up to 4% of a company's turnover. Accompanied by legal issues and reputational damage, this is definitely not a matter to take lightly.

However, achieving compliance should not be treated as a tick-box exercise to avoid undesirable consequences. If a business approaches compliance with the PSD2 regulations in the right way and with the right technology, it can help itself grow. Rather than seeing compliance as another obstacle to overcome, banks should champion the real objective of PSD2 in their strategy – the provision of better experiences for customers.

Amid this compliance-related confusion, a reliable technical toolbox and testing expertise are essential resources for firms that must juggle multiple standards and compliance requirements. Tools such as Fime's and Bridge's API testing enable banks and third-party payment providers (TPPs) to assess and manage compliance against multiple standards easily.

Testing for success

For anyone facing difficulties with regulators, consultancy and testing support can be invaluable in understanding and overcoming these compliance hurdles without huge internal investment.

To comply with PSD2, banks must complete conformance testing (also known as compliance testing: verifying that something meets a standard) of their PSD2 APIs. In particular, they must test the functionality and security of their APIs to persuade regulators to exempt them from having to provide fall-back mechanisms – a requirement of PSD2 in most cases. The challenge lies in the fact that FinTechs have been assigned the job of supporting banks in evaluating their APIs. This has resulted in a slow-moving ecosystem in which the need for testing greatly outstrips the capacity available to carry it out; FinTechs only have so much money and, quite rightly, need to concentrate on developing and differentiating their products to begin generating revenue.
