Your Thoughts: PSD2 & Open Banking
As of this month, the revised second Payment Services Directive (PSD2) is in force and set to cause significant disruption within the European payments & banking sector. The first and foremost disruption is the possibility of Open Banking, as the legislation now allows a level playing field for PSPs to operate.
From data and cyberattacks to market competition, there are lots of opportunities and challenges to confront, but what are Your Thoughts on the prospects of Open Banking? Below Finance Monthly hears from a record number of sources on the introduction of PSD2, each with a different take.
James McMorrow, Head of Payment Strategy, Global Transaction Banking, Lloyds Banking Group:
It is still very early days. Open Banking is now live and we are working with regulated third parties. What’s immediately clear already, from a client perspective, is that it has laid the groundwork for a range of new financial services solutions for consumers and businesses.
Saying this, it’s still worth noting that we’re still very much at the beginning of the journey in the UK and Europe. PSD2 is now live, but new payment and account types will be added to the API channels throughout 2018 and 2019 to meet regulatory requirements.
However, what these solutions will look like in practice, who will be providing them and the rate at which businesses and consumers will adopt them is not yet clear. An important consideration for the entire financial services industry will be finding the right balance between ensuring customer security and developing an exceptional user experience.
Winston Bond, Technical Director EMEA, Arxan Technologies:
All banks are now required to share their Application Programming Interfaces, or APIs, to third-party applications; however, many have still not been advised how to do this securely.
The principal weakness in sharing APIs is the simple authentication that is widely used by most API Management Solutions to confirm that the client app on a device is genuine and has been authorised to utilise server assets. If a cybercriminal breaks through an app’s security and decompiles its code, they could potentially root out the encryption keys. Attackers can then trick the system into recognising them as a legitimate client, giving them access to anything the API is authorised to connect with.
To prevent attackers from exploiting an API in this way, banks will need to ensure they cannot access the cryptographic keys it uses to authenticate itself, by using code obfuscation, for example.
As we’ve said before, the onus really is going to be on the banks. The PSD2 regulation makes it clear that they are responsible for the ownership, safety and confidentiality of their customers’ account data. Consequently, banks are going to have to do everything they can to maintain their well-founded reputation as leaders in security, including creating a united approach to ‘open banking’ as they work on their own solutions throughout 2018.
Gunnar Nordseth, CEO, Signicat:
By providing their users with a safe way to store identities and offering access to these through an API, banks can leverage the trust they have fought to establish and defend.
Unlike physical identity credentials, such as passports and driving licenses, a bank identity API can expose only the required attributes—a business can ask if someone is who they say they are, where their country of residence is, or prove that they are over 18 without needing access to additional irrelevant information. A focus on identity will offer banks an opportunity where previously there were only challenges.
Ryan Wilk, VP, NuData Security:
While open banking will allow a myriad of services for customers to take advantage of, it will also open them up to third-party vendors and therein lies the challenge. Securing the supply chain so that personal information is protected from attacks will take a herculean effort and one that has not been entirely successful up to this point.
The new European directive mandates the use of strong customer authentication (SCA) – two or more identification elements – to increase customer protection. One of the three pillars of SCA is biometrics technology. Physical biometrics provide a convenient authentication layer for customers, and passive biometrics help institutions detect and avoid screen scraping from third-party providers who try to access customer accounts through the bank interface. With a multi-layered approach that includes passive biometrics, financial institutions can block screen scraping and provide a higher level of safety to open banking.
Daniel Hegarty, CEO and Founder, Habito:
Open Banking will be a fantastic innovation for consumers. However, with one in five people in the UK classifying themselves as financially illiterate, it also presents a pressing need to be implemented safely and securely. The consent-based data sharing that Open Banking will bring will enable many to potentially save thousands per year, for example by simply switching from their standard variable rate mortgage to a fixed rate product. However, correct data management is imperative - low levels of financial literacy, mixed with a new ease of financial information sharing, could put some at risk. Financial services firms need to continue to invest in technology and prioritise safe Open Banking implementation, for the benefit of UK consumers.
Alex Bray, asst. VP of Consumer Banking, Genpact:
While this is a potential goldmine for fintechs which want to revolutionise the banking experience for customers, it poses significant challenges for banks which risk becoming back-office utilities. In fact, a possible outcome is that banks could end up surrendering their direct customer relationships, becoming commoditised payment back-ends as new aggregators or payment initiators swoop in. For banks to take advantage of PSD2, they will need to find a balance between openness, privacy and data protection. At the same time, they will need to improve their analytics so they and their customers can make the most of the huge amounts of new data that will become available.
Graham Lloyd, Industry Principal of Financial Services, Pegasystems:
As with all regulation, the unstated issue is what’s coming next in the pipeline, be it PSD3 or some other impactful directive. Beyond scenario planning, responding to the unexpected is all about the ability to change processes and technology rapidly and with minimal disruption. They must regularly redefine what it means to ‘promise’ and ‘deliver’, not just generating rich insights, but selecting the right recommendation and next best action within time and budget constraints. Also, operating models and IT should be quickly and painlessly changeable from a single point.
Jeremy Light, Head of Payment Services, Accenture:
Under the new regulations, banks will have to release customers’ financial data, with their consent by a few clicks online or through a mobile app. We found two thirds of consumers were reluctant to share their details with third party providers, and overwhelmingly trust their bank with financial information. Until new entrants to the financial services sector can earn consumers’ trust, banks can draw on their extensive heritage to secure an important early advantage. But, if banks move too slowly to adapt to the open banking landscape, they risk becoming back-end, transactional players, while retailers and third parties become the face of faster and frictionless payments.
Victor Trokoudes, CEO and Co-Founder, Plum:
We anticipate a host of new providers coming to the fore in the wake of Open Banking. But these will be different to traditional banks, acting more like advisors to people’s financial life (from saving, to investing, to finding the right financial products). Users will still use their current provider to transact, but will manage everything else via this new wave of “added value” providers that are focussed on offering services that make their users better off.
Jessica Leitch, Principal, Adaptive Lab:
The biggest problem is that banks will start to lose access to their customers’ data. If you’re transacting purely through, say, PayPal or any other P2P payment platform, the banks not only can’t see what you’re spending your money on, they also can’t take advantage of overdraft, FX or other kinds of fees associated with financial transactions. Losing this also takes away the data the banks use to feed their risk models. Basically, it has the potential to disrupt the banks’ current prime account model as well as their payments value chain.
Lorenzo Pellegrino, CEO, Paysafe:
In this new world, fintechs no longer have to work within the limitations of legacy bank infrastructure. Instead, they can grasp the opportunity to refine their user experience, making it even more seamless and frictionless. More to the point, open banking — as well as the faster payments rollout in the UK and EU — may well result in card volumes shifting to online bank transfers, creating an environment ripe for disruption.
We also believe that services that allow users to send funds from their bank account in real time will benefit from these developments. And this holds especially true in Austria and Germany, where over 80% of all transactions are still cash-based.
But it’s not all roses. The price of payments is also intensely competitive. For businesses that have already achieved scale, large volume at low margin makes economic sense. For the rest, there will be a need to differentiate based on the ability to keep transactions as seamless and frictionless as possible.
Christian Ball, Head of Retail Banking, GFT:
The APIs of tomorrow will give banks a means to let customers do complex things quicker, such as apply for mortgages at the swipe of a mobile touch screen.
Our latest research confirms customers are excited by the prospect of more personal services, showing that 67% of them would be more likely to take out a loan with a bank if it came with practical advice unique to them. But to achieve the level of innovation required to stay relevant in an Open Banking world, banks need to be able to get their customer data in order. Specifically, they need to get better at processing and segmenting customer data, which can be done through greater understanding of transaction metadata. This data can be described as the holy grail to unlocking the customer experience, and being able to use it properly will enable banks to understand what services customers actually want, and subsequently help to uncover new revenue opportunities.
Alastair Winsey, Regional Director EMEA, Thousand Eyes:
When a business’ network becomes unruly and far-reaching, locating the true origin of a problem, degradation issue or even a DDoS attack can take the best part of a day. This is due to the number of third-party providers that cloud computing ultimately relies upon to create an application ecosystem enabling a wide range of services ranging from payments to text and voice notifications. By providing true instant visibility of a complete network path including corporate networks, the internet and connected APIs and Cloud Provider apps, companies can shrink this time from days to mere hours, enabling them to quickly remedy any problems. The dawn of Open Banking in 2018 will make network health a vital component to business success in the finance industry.
Alexander Beattie, Enterprise Director UK & Ireland, Anomali:
From an overarching cyber security perspective, a major concern is the fast-growing number of new organisations who are now authorised to handle sensitive information. Whereas this data was previously held in the hands of a few well-known and visible organisations, under pressure to adhere to regulatory standards and security measures, now the same data will be shared with numerous other, relatively unknown, untested organisations.
This may create a greater chance for fraudulent activity, as Threat Actors explore the weak links in this new enlarged target-rich environment. Undoubtedly, this plethora of new market entrants will be held accountable and will have to adhere to regulation, to safeguard the security of the data they handle. To ensure this they will be investing heavily in the state-of-the-art cyber security systems and processes to try and stay ahead of the curve.
Nick Caley, VP financial services and regulatory, ForgeRock:
PSD2 and Open Banking will democratise the payment services industry by creating more choice for consumers, in turn opening up possibilities for innovation and changing the relationship between consumers and payment service providers for good.
While a lot of the discussion has been focused on how this change will put more pressure on the established banks from tech-savvy fintechs, it is often overlooked that retail banks do have considerable advantages over new players entering the market. For instance, the big retail banks have had decades to build trust with their customers, and they have a strong track record of protecting customer data. This foundation of trust is something that emerging fintechs will need to try and replicate if they are to succeed in the long-term.
Vanita Pandey, Vice President Product Marketing, ThreatMetrix:
Any new payments schemes governing payment initiation service providers (or PISPs) will need to be carefully crafted. Existing payment infrastructures are based on years of heavy investment, with specific operating regulations, settlement protocols, liability measures and pricing structures mutually agreed upon by innumerable parties. Many of the risks associated with a wholesale migration to a new schema can be mitigated by the use of risk-based authentication that preserves the balance between security and convenience.
With all the investment retailers have made in backend processes for one-click payments, it is critical that final directives include provisions for risk-based payments, so retailers can maintain friction-free customer experiences while securing all one-off and recurring transactions.
Camilla Sunner, Managing Director for the Global Partnership Business Unit, Valitor:
When you think about the number of options we now have to purchase goods when we are shopping, it is incredible. On top of that, the process involved in making a payment is highly complex. The fact is, we no longer expect to be faced with numerous decisions in a store or online. We want a simple equation where the consumer buys, the merchant sells, and payments shouldn’t even need to be thought about. PSD2 will help us along that path, making payments quicker and easier by opening up banks’ data.
However, the responsibility for steering this change shouldn’t just lie with the regulators. Traditional businesses need to focus on working together to build one uniform high-tech payments pipe that will ultimately make buying and selling less complicated.
Edward Berks, Director of Banking, Fintech and Ecosystem, Xero:
Open Banking means three major changes for accountants and bookkeepers – better access to digital bank feeds, slicker payments and new tools to empower accountants to predict when a business might need more working capital. The smartest banks and fintech players are already recognising the important role that accountants play in supporting businesses through this transition. Competition for mind-share among accountants will amplify in the coming months as new services and experiences become available across banking, payments and lending.
The most forward thinking accountancy firms, regardless of size, are finding ways to deliver great value and services to their growing client bases by embracing digital.
We would also love to hear Your Thoughts on this, so feel free to comment below and tell us what you think!