Our Blog

Why banks don’t like PSD2: they don’t trust third parties in their house

PSD2 will effectively give banking customers complete control of their own accounts. Sounds like a noble aim, and you would probably assume that there wouldn’t be much opposition – but that presumption doesn’t take into consideration banks, and their desire to retain control.

PSD2

The latest revisions to the Payment Services Directive (PSD) will improve customer choice by opening up the banking industry to Third Party Providers (TPPs). One of the key developments is the fact that customers must opt-in to access any of the new services proposed in PSD2. The customer has control.

However, here’s the problem: banks don’t like PSD2.

Banks don’t like PSD2

Repeat ad infinitum: Banks don’t like PSD2.

They specifically don’t like the scope that the PSD2 revisions provide to TPPs. This is not a knee-jerk reaction from the banking industry, they have never really liked the Directive revisions.

Recently, in May 2015, the European Banking Federation (EBF) stated that the European institutions had missed an opportunity with PSD2 “to contribute to a truly innovative, competitive and secure European market for payment services.”

The EBF, by the way, represents 32 national banking associations, accounting for some 4,500 European banks.

Back in May they labelled PSD2 as an agreement that “provides yesterday’s solutions for tomorrow’s problems.” The statement went on to criticise the compromise of the three institutions involved and the “fragile balance sought between sometimes conflicting objectives such as innovation, user security, market integration, data protection and competition.”

Banks are upset about the fact that they will be granting TPPs access to their customers via their own infrastructure. They don’t like the idea of allowing strangers into their house.

“PSD2 will force banks to grant third parties access to client accounts so that these third parties can provide their services via the bank’s infrastructure. It remains unclear to what extent security for both banks and consumers will be impacted by such access.”

These worries were communicated to the EU authorities as far back as 2013 in an EBF position paper on the PSD2 revisions. Back then the EBF stated that:

“A key, overarching consideration must surely be the need to safeguard the integrity of the payment systems and, in the final instance, trust in these systems. The EBF does not feel that this consideration is reflected adequately in the proposal as it stands. This is most pertinent in relation to TPPs.”

Effectively this statement queries whether TPPs have the integrity to engender trust in the payment system. Banks don’t trust TPPs and don’t want to give them access to their own systems. However, given the construction of PSD2 banks will have no choice in the matter as it is the customer who will have control.

The impact of PSD2 when it becomes law will, inevitably, lead to increased competition for existing banks; the chance for collaboration with TPPs on the creation of app stores, leading to increased loyalty between collaborators and consumers; and, also, disintermediation trends, i.e. banks being cut out of the payment loop.

So what does PSD2 propose?

The revisions to the PSD are the result of trilogue negotiations between the European Commission, the European Parliament, and the Council of Ministers.

PSD2 – according to this European Parliament document – seeks to achieve the following:

  • Improve security of electronic payments: crucial in order to ensure that consumers, merchants, and companies enjoy choice and transparency of payment services.
  • Customer’s access to information: clear and concise information for the customer re: switching fees (between banks and TPP); time-limits for payment initiation procedures; breakdown of all charges, and – where applicable – FX rates.
  • Access to payment account details: Ensuring that customers can access online banking; can make use of an authorised TPP, and are provided with details of all potential TPPs.
  • Liability: In the case of an unauthorised payment transaction, the customer’s PSP must refund the amount to the customer within 24 hours of having noted or having been notified about the transaction. If a TPP cannot show that it is not liable for an unauthorised payment then it should – within 24 hours – compensate the amount to the customer’s PSP.
  • Data protection: Processing of personal data by payment systems and PSPs should only be permitted when this is necessary to safeguard the prevention, investigation, and detection of payment fraud.
  • Management of operational risks: PSPs should establish a framework to manage the operational risks, including security risks, relating to their payment services. As part of that framework PSPs shall establish and maintain effective incident management procedures, including the detection and classification of major incidents.
  • Standards of communication and authentication: Proposal for the European Banking Authority (EBA) to develop draft regulatory technical standards in the form of common and secure open standards of communication. These standards should specify how TPPs are to authenticate themselves towards account-servicing PSPs and how account-servicing payment providers are to notify and inform third-party PSPs.
  • List of payment services providers: EBA website should list all authorised PSPs within the EU. That list should also refer to authorised PSPs whose registration has been revoked and the reasons for this.
  • Electronic leaflet: By 2017 it is envisaged that the European Commission produces a consumer-friendly electronic leaflet listing the rights and obligations of consumers laid down in PSD2 and in related Union law on payment services. This information should be made available on the websites of the Commission, the European Supervisory Authority (European Banking Authority – ‘EBA’), and national banking regulators.

Time will tell if empowering the customers is as noble an aim as we think it is. Perhaps many customers will continue to place their trust in the traditional banking model. As we become more digitally-aware are we becoming more risk-averse? Perhaps, and that’s probably a topic for another blog post.

Contact us

For information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.

Related posts