The implications of PSD2 and third party access to accounts (research)

I just found some interesting research about how banks in Europe are reacting to the Payment Services Directive 2 (PSD2), and what other banks worldwide think about it.

PSD2 is a work-in-progress European regulation that will impact financial institutions already operating within the scope of the first Payment Services Directive of 2009.  PSD2 extends the scheme to operators of e-commerce marketplaces, gift card and loyalty schemes, bill payment service providers, public communication networks, account access services, mobile wallets and anyone who receives payment by direct debit.  The aim is to make these markets more open and more competitive by extending and clarifying some of the provisions of the first directive, while also fostering payment innovation, particularly in mobile, and harmonising some of the national interpretations.

Key elements of the directive include opening access across the industry to payment processing services, as well as to the customer accounts held by banks. It recognises a market demand for payment service providers (PSPs) granting third parties access to their online payment services in a regulated and secure way. This is Third Party Payment (TPP) service provision in the directive’s terminology. Also, under the ‘Access to Accounts’ (XS2A) rule, it will force banks to facilitate access via API to their customer accounts and provide account information to third party apps if the account holder wishes to do so.

The key findings of the survey, which was performed by Finextra and FIS Global in the Spring of 2015*, are:

More than half of banks are rethinking retail banking customer relationships and revenue models. But in Europe when it comes to PSD2, only 37% of respondents are confident that all relevant parts of their organisation have an appropriate understanding of the directive and its implications.

Both big established non-bank players and new entrants are a concern for banks as competition increases due to regulation and other disintermediation trends. But only 20% of respondents were sure that new entrants coming into the market on the back of PSD2 would pose a competitive threat right away.

Security is the biggest concern about the XS2A rule, with 88% agreeing strongly that data protection and risk to reputation are significant issues yet to be dealt with. There was also demand for issues around liability to be further spelled out by the directive, with 60% agreeing or completely agreeing that ambiguity in this area concerned them.

Compliance programmes are only now being kicked off in earnest at many banks, and a step-by-step compliance approach is being adopted. Teams who worked on SEPA compliance are being moved onto PSD2 projects, but a majority of banks will also turn to external partners for help with developing APIs, security layers and app stores as well as new business processes and product development.

With no hard deadlines in place, and more details on the implementation of PSD2 to be agreed, only 14% of banks were confident that on ‘day one’ they would have APIs in place to support open access. But 65% of banks said they wanted to create their own app store, with PSD2’s access requirements as the launching pad.

PSD2 has been the subject of consultation and debate within the European Commission since 2013. Negotiation and compromise revisions extended until January 2015, and the regulation is now expected to be passed by European Parliament sometime in 2015 and then transposed into national regulations across the region from 2016.

* the research received 103 responses from 64 different financial organisations in 28 countries, 69% of which were in Western Europe.  The full report can be accessed here.