PSD2 heralds era of OpenAPI Banking

Banking? Is there an app for that? Soon, there will be – if not then your bank has been left trailing in the wake of the OpenAPI Banking revolution.

The European Commission’s second Payment Services Directive (PSD2) is expected to be passed sometime in 2015 and to become legislation in 2016, and it is set to open up the banking market. This is not optional; banks will have to evolve as third parties enter their space.

OpenAPI Banking

In mid-May the European Banking Authority (EBA) released a statement outlining its development of requirements in relation to PSD2. The EBA is an independent EU Authority with the overall objective of maintaining financial stability in the EU and safeguarding the integrity, efficiency and orderly functioning of the banking sector.

It is developing requirements so as to fulfil its mandates under the revised PSD2. Once PSD2 is agreed, the EBA will work with the European Central Bank to improve operational and security requirements for payment services. The EBA will also approach the industry and “other interested parties” to gather input on its plans.

Supporters of PSD2 claim that the Directive will herald the era of ‘OpenAPI Banking’ with new competition for banks (the disruptors), and the opportunity for third party payment providers to gain more traction in the payment process via the use of apps.

What is OpenAPI banking?

In a March 2015 HM Treasury report – ‘Banking and the 21st Century: driving competition and choice’ – the idea of OpenAPI Banking was clearly outlined.

The report stated that HM Treasury will “work closely with banks and financial technology firms to take the design work forward and will set out a detailed framework for an OpenAPI standard by the end of 2015.”

This work, the report added, “will allow the development of third-party apps that are compatible with the systems of all UK banks, and that can securely use customer banking data (with their permission), to provide even more in-depth comparisons and other value-added services.”

OpenAPIs – in theory – enable content to be created and shared between banks, customers and third party vendors far more quickly and efficiently than would ever previously have been possible. Companies that use OpenAPIs can tap into the pool of ideas, services, products and talent available in the community, cutting the cost of development while boosting the sophistication of their own offerings.

The most relevant area for banking competition is in product comparability. One UK example was the March 2015 launch of the ‘midata’ current account comparison tool. This tool gives UK online banking customers access to a year-long record of their banking transactions.

Customers are able to download a CSV file detailing their account usage, divided into sections such as overdraft fees, in-credit interest and foreign usage. This CSV file can then be uploaded to the midata comparison website – powered by Gocompare.com, the developers of the technology – where they can view how their account compares to those of other UK banks.

Currently only Barclays, HSBC, Lloyds, RBS (including NatWest) and Santander avail of the service with others to follow suit in due course.

HM Treasury believes that in using OpenAPIs, comparisons could improve on the midata approach, by being more user-friendly, taking into account a wider range of data, and being much more customisable.

Going beyond comparisons, the potential range of applications is limited only by app developers’ imaginations, ranging from apps that can work out where you like to eat out and email you special offers, to apps that can turn saving into a game with achievements unlocked as personal milestones are reached, and beyond.

The need to mirror the digital consumer

Banks need to meet this challenge head-on. The increasingly-digital consumer wants information instantly and wants to be able to securely access their account information via apps.

Banks, though, can also take on the role of the third party. It’s a break from the traditional banking role but, then again, it’s now a case of adapt or become irrelevant.

APIs are the avenue for banks to maintain their relevance and not be cut out of the payment loop by emerging technologies. This point was expanded on by Microsoft’s EMEA Banking Industry Lead Richard Peers in a piece titled ‘Empowering the Digital Bank’:

“Banks can now combine their existing rich data with public data and partner with specialists to create new service levels. For example, they may team up with an automotive trading website such as AutoTrader. A potential car buyer who is known to have owned a car for three years may be targeted with advertisements for the bank’s personal loan products while they are using the AutoTrader website. In addition, AutoTrader may be able to facilitate the loan or organize an insurance policy from within the app, offering a seamless experience for the consumer.”

Banks still operating in the traditional deposit/savings/loan model should be worried about the implications of PSD2; others that have evolved into payments and m-commerce should be embracing the possibilities that PSD2 offers.

Too many ‘traditional’ banking executives are still worried about their core business but PSD2 offers them access to other services.

The Payment Services Directive (PSD) explained

The PSD is an EU Directive regulating payment services and payment service providers (PSPs) throughout the EU and the European Economic Area (EEA). It has been in operation since December 25, 2007, having received two interim updates in 2009 and 2012.

The original PSD’s purpose was to increase pan-European competition and participation in the payments industry, including from non-banks, and to provide for a level playing field by harmonizing consumer protection and the rights and obligations for payment providers and users.

PSD2 is a work-in-progress that will impact financial institutions already operating within the scope of the 2007 Payment Services Directive, but also extends to operators of e-commerce marketplaces, gift card and loyalty schemes, bill payment service providers, public communication networks, account access services, mobile wallets and anyone who receives payment by direct debit. The impact of PSD2 when it becomes law will lead to increased competition for existing banks; the chance for collaboration on the creation of app stores, leading to increased loyalty between collaborators and consumers; and, also, disintermediation trends, i.e. banks being cut out of the payment loop.

Security and convenience

No matter the landscape of the payments world once PSD2 becomes legislation, two core issues remain: security and convenience.

A recent Gartner report stated that by 2016, 75% of the top 50 global banks will have launched an API platform and 25% will have launched a customer-facing app store. This approach achieves the following:

  • Eliminates ageing systems
  • Fosters innovation and choice for consumers

Banks need to be agile and proactive. They need an open and collaborative approach which puts the digital-first customer at the centre of their business model. This approach will require banks to:

  • Open their infrastructure
  • Develop an ecosystem
  • Launch an app store

The above will foster convenience, but what about security?

Opening up a banking system via an API has to have security at its heart. To this end the PSD2 is leaning heavily on the SecuRe Pay forum. The SecuRe Pay forum (a European Banking Authority (EBA) and European Central Bank (ECB) joint venture) was established in 2011 and brings together PSP supervisors and overseers of payment systems, schemes, and instruments, within the EU/EEA. The forum’s aim is to understand the issues related to the security of online payments and to make recommendations.

SecuRe Pay has already published these recommendations, including the most recent on the security of internet payments in October 2014. The ECB had released its final SecuRe Pay recommendations for the security of internet payments in January 2013 with an implementation date of February 1, 2015. These recommendations are now to be implemented by August 2015.

Latest SecuRe Pay recommendations

The following were the first set of recommendations (considered as minimum internet payments security requirements) issued by the SecuRe Pay forum in January 2013, after two months of consultation:

  • Protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication
  • Limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication
  • Establish transaction monitoring mechanisms designed to prevent, detect, and block fraudulent payment transactions
  • Implement multiple layers of security defences in order to mitigate identified risks
  • Provide assistance and guidance to customers about best online security practices, set up alerts, and provide tools to help customers monitor transactions.

On foot of these recommendations the EBA agreed to develop guidelines “aimed at establishing a framework for PSPs with regards to the security of internet payments.” These EBA guidelines come into force on August 1, 2015, and are based on the provisions in the first PSD, published in December 2007.

Finextra poll on banks’ awareness, concerns, and hopes

A recent Finextra poll of over 100 banks, conducted on behalf of FIS, found that 54% of banks are “rethinking their retail banking customer relationship and revenue/business model, with an aggregate positive score for this of 78%.” However, only 37% of banks felt that “understanding of the full implications of the new rules was high across all of their IT, payments, and retail banking units and at board level.”

Security is a concern when it comes to the XS2A (Access to Accounts) rule, with 88% of banks agreeing strongly that data protection and risk to reputation are significant issues yet to be dealt with. The XS2A rule will force banks to facilitate access via an API to their customer accounts and provide account information to third party apps if the account-holder wishes them to do so. The opt-in from the account-holder, of course, is the crucial security element.

The Finextra poll also revealed that a majority of banks will turn to external partners for help with developing APIs, security layers, and app stores as well as new business processes and product development. Only 14% of banks were confident that on ‘day one’ they would have APIs in place to support open access. However, 65% of banks want to create their own app store and are using PSD2’s introduction as the launchpad.

There’s plenty of food for thought, but for banks it’s time to dine and shine.

Where Aviso comes in

So we’ve established what the PSD2 will do to the banking industry, but how will we help?

We exist to improve efficiencies and reduce time-to-market and connectivity costs. The changing payments landscape moulded by PSD2 renders these attributes all the more desirable. Acquirers and their merchants cannot afford to lag behind competitors in this environment, especially as PSD2 – when implemented – will blow the banking market wide open.

Our solutions are designed to be cost-effective and, crucially, to be seamlessly integrated into existing payment systems. That’s the key here: little or no upheaval to an existing system.

Remember, Apple Pay – for example – still utilises the existing payments messaging system and acquirers need only ensure that their merchants’ terminals are NFC-enabled.

At our core we provide flexible EFT switching technology for electronic payment systems. Our innovative approach enables our clients to ring-fence their investment in legacy systems and add a software layer that delivers valuable functionality and security to existing inflexible payment systems.

We understand the need for payment industry stakeholders to innovate in order to drive new revenue streams. We want to incubate that desire. We work with our customers to eliminate the pain associated with implementing wholesale changes in an effort to future-proof an existing system. Time to market is the key driver. The payments industry is in a state of flux. Friction is being reduced and real-time payments are in demand.

The real challenge facing payment industry stakeholders is that almost immediate change is required, yet project size, cost, and consequences can be daunting. Aviso’s solutions can improve existing systems while drastically reducing time-to-market.

Our cost-effective payment software solutions accelerate the roll-out of new payment services (potentially reducing implementation time by up to 80%) and provide opportunities to increase revenues by adding new functionality without affecting or bypassing the core payments infrastructure.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.