PSD2 in 2019: A year of yet more delays
By Nick Caley, vice president of financial services and regulatory, ForgeRock
Looking back on the last 12 months, the story of the second Payment Services Directive (PSD2) – the latest regulation from the EU designed to shake up the payments industry – is one of hopes, dreams, deadlines and – sadly – delays.
Ultimately, PSD2 promises to transform the financial services payments landscape into a more competitive, more consumer-focused data-sharing ecosystem, by forcing banks to give third-party service providers direct access to their customers’ financial data. For fintechs, this provides a world of opportunity to introduce their own payment and financial management products and services, and for ‘digital native’ challenger banks it creates more opportunities to extend their already innovative customer-first experiences.
And yet, as we reach the end of what was supposed to be a milestone year for this industry transformation, the dream is still some way from becoming a reality.
There were two major PSD2 deadlines in 2019: 14 March and 14 September. The September deadline was the most widely discussed, since it was the date by which banks were to have implemented a dedicated API for third party providers and, in some cases also a fallback, screen-scraping contingency mechanism (where customers essentially share their security credentials so third parties can access their banking information via an interface and collect the data for their own services). The earlier – and lower profile – 14 March deadline gave banks the opportunity to avoid the need to implement screen-scraping altogether by releasing compliant testing facilities for APIs six months before the 14 September cut-off.
However, just before 14 September came around, the European Banking Authority (EBA) was forced to grant further potential exemptions, effectively allowing an 18-month extension to the implementation of a crucial element of PSD2 – Strong Customer Authentication (SCA) – thereby delaying the comprehensive introduction of PSD2 altogether. SCA requires that electronic payments are performed with multi-factor authentication: without it, the financial data that banks store on their customers could be exposed to security threats when opened up to third-parties such as fintechs and account servicing payment service providers (ASPSPs), and so the widespread lack of implementation of SCA, combined with a complete lack of public awareness, presented a potential “cliff-edge” scenario.
Although there were no formal penalties for those banks that failed to comply with the PSD2 deadlines, the wider industry was paying careful attention and the commercial prospects and market reputation of those that fell behind was at risk, and with it their ability to compete in the new era of seamless, customer-centric financial services. Moreover, screen-scraping is an unsustainable long-term proposition since it is insecure, fraught with privacy concerns, and requires formal regulatory agreement. It also ties up significant developer resources which could be used to deliver production-ready APIs.
Despite the risks, many European banks have continued to drag their heels on their PSD2 implementation, causing huge frustration across the fintech community which has been holding its breath for the quality APIs they need for their cutting-edge open banking innovations to work.
Lack of SCA reflects slow pace of adoption
While it is undoubtedly a good thing that the EBA stopped the potential of massive market wide disruption by granting an extension to SCA implementation, it is a sad reflection on the industry’s response – or lack of response – to PSD2. After all, every institution involved in payments and provision of accounts has had plenty of time to prepare: September’s deadline came after a phased implementation ‘roadmap’ which meant banks have had since 2015 to deploy new methods of authenticating customers. It’s also not because of a lack of suitable technologies: there are a variety of options on the market that can deliver improved security through multi-factor authentication, such as behavioural biometrics.
From the fintech perspective, the pace of change has been painfully slow. This only increases their frustration at the regulatory hurdles they’ve had to jump through themselves, only to be faced with patchy execution by banks, who are providing inconsistent access to customer data.
Of course, banks do have the massive scale of their systems and their responsibility to provide mission critical services for millions of customers to consider. However, with fintechs setting the pace on customer experience, the slower banking executives are with their own digital transformation, the worse their customer offer will fare against the ever increasing expectations of digitally savvy consumers.
And it is the banks’ customers who are the real victims of delays, and who are getting understandably frustrated at the frictions involved in current digital offerings, as well as the lack of mobile-first experiences, which most banks are simply failing to provide.
2020: The road ahead
Despite these frustrating delays, PSD2 will no doubt become a reality for everyday banking and in time will be extended further to enable Open Finance. Technology innovation is a market force that adheres to no deadlines, and digital leaders are continuing to deliver better, faster, easier and safer banking experiences, leaving the incumbents with no choice but to keep up or lose their market position.
Banks now have until March 2021 to get their act together on SCA. But they can’t afford to view this 18-month extension as an opportunity to delay their digital transformation. Not only have British-based digital-only banks grown their combined customer base to over 13 million, having already doubled in the last 12 months (according to Accenture), but more powerful players are moving quickly into this space. Apple has just launched a credit card with Goldman Sachs, while Google has stated its intention to offer checking accounts to consumers.
With fintech and big tech poised for an aggressive move into the world of digital banking services, there is much at stake for digital laggards. In 2020, we’ll likely see a much more meaningful reaction from banks and ASPSPs. For those players who are already well on the way to making the necessary adaptations to their digital strategy, 2020 will give them a great opportunity to race ahead of the competition – but for those who haven’t started yet, it may be much more of a scramble.