A new European Union payments directive is set to go live next month — and for U.S. bankers, it’s worth keeping an eye on.
The second Payment Services Directive, or PSD2, will not only further integrate the European payments market, but also significantly increase security in electronic payments and digital account access and enhance consumer protections.
However, there’s a more radical change in store: The directive requires financial institutions and others to grant licensed third-party providers access to bank customer account information. This change will trigger a new revolution in payment services in Europe, and the U.S. should watch the developments with interest, including the many arguments over how to implement the model.
In the run-up to PSD2’s implementation, there has been an unprecedented level of industry debate. Apart from the question concerning which payment services should be exempt from the stringent new requirements for secure, two-factor, customer authentication, the liveliest discussions have focused on what form third-party access to banks’ online accounts should take.
Like most regulators, the European Commission aims to remain business model and technology neutral to ensure an even playing field and to encourage competition among market participants. However, the way many European banks intend to grant access to their customer accounts is by open application programming interfaces.
In time, the widespread adoption of open APIs is likely to have a revolutionary effect on the European financial services market, triggering a wave of innovatory services tailored to customers’ needs.
True, the European Commission published a decision in November that some might interpret as a dampener on plans for banks to use open APIs as a prime compliance route. The regulator has told banks and others offering third parties a “dedicated access” route to customer accounts (via open APIs) that it will also require them to set up and maintain a contingency measure in the form of modified “direct access.”
The rationale is to ensure continuity of service and fair competition in case the direct access route either fails or does not deliver the required quality of service. To put it another way, the European Commission is asking banks and others to not allow screen scraping, which lets third-party companies access bank accounts on a customer’s behalf using the customer’s bank account credentials.
Rather, banks are supposed to adapt their customer online banking interface in the following ways: to allow third-party providers access to the data — and only the data — they require, and to enable banks and third-party companies to identify each other and communicate with each other through secure messaging. Screen scraping, which remains popular in the U.S., is in fact to be outlawed under PSD2 at the end of a transition period.
To be sure, this may make some banks question the business case of investing in API technology — after all, PSD2 does not prescribe APIs. So why not simply implement the adapted form of customer online banking interface (modified direct access), which PSD2 requires as a fall-back option in any case, and be done with it?
There are two reasons to think this won’t be the case. The first is that banks choosing this route would miss out on all the potentially substantial business opportunities offered by using open APIs — hindering their role in the next stage of the development of payment services, and indeed of wider banking services as well.
The second reason is that the European Commission has allowed banks that can demonstrate they have fully functional dedicated interfaces to be granted an exemption by their competent national regulator from having to maintain the fall-back option. In other words, the regulator is happy with the API route — just as long as it is properly set up and well maintained.
API standards should, therefore, play a significant role in banking — increasing the likelihood of the interface being accepted by the competent authorities, thus negating the need for investment in a fall-back option, while also reducing the cost and timeframe of its implementation.
What might a PSD in the United States achieve? Would it be a good thing? If modeled on its European equivalent, it would have the effect of abolishing screen scraping and encouraging banks and others to widely adopt open APIs, which are generally recognized as a high-octane catalyst for innovation. Electronic payments and remote account access would become more secure by using strong, two-factor, customer authentication for all but a very small number of payment transactions.
Not everybody welcomes these developments. Some fintech companies are anxious they will lose out if they can no longer use screen scraping and banks fail to offer them quality and easily accessible APIs. However, a regulator could put strong pressure on banks to offer and maintain high quality APIs, as is the case in Europe.
On the whole, what seems to be happening in Europe is that, after initial partial hesitation, the banking industry is buying into the adoption of open APIs as the next great wave of innovation and progress for the industry. Of course, banks across the pond might need more convincing of the potential benefits, especially smaller and regional ones, because of the considerable investment and effort that would go into the change.
At Deutsche, we think the API route offers the best balance between protecting and securely sharing valuable data and generating a wealth of exciting new services for consumers.