By Ralf Ohlhausen, Executive Advisor at PPRO and Vice-Chairman of ETPPA
FinTechs, Banks, and Third-Party Providers (TPPs) are standing at the edge of a cliff now, with the impending arrival of Strong Customer Authentication (SCA) and the final implementation of PSD2 just around the corner. And all PSD2 regulators in Europe must act urgently to avoid falling off the metaphoric cliff.
With the September 14th deadline quickly approaching, the market is not prepared for it. This presents the danger of leaving customers vulnerable to service failures and fraud when accessing their bank data, as well as when carrying out payments online. This has been recognised for card payments in particular, and it looks like another 18 months will be given to get things right on this front. However, for TPPs, who have been brought into a similar situation through no fault of their own, this is unfortunately not yet the case.
A major reason they have arrived at this stage is that all necessary Application Programming Interfaces (APIs) were supposed to have been in place by March 14th and in production mode by June 14th. In reality, even today, many are not available at all and the vast majority are not functional as required. It is to these APIs that TPPs shall migrate their services and customer base, thus ensuring they are acting within the regulations. To make matters even worse, the required eIDAS certificates to use the APIs were not available by this deadline either. All in all, this hasn’t been managed and executed effectively, which has led us to the conundrum we are now facing.
Part of the reason for the current state of the APIs is that the Regulatory and Technical Standards (RTS), which apply to PSD2, left room for too many different interpretations and created several unintended consequences. At the time, however, no one had the foresight or ability to anticipate them. The API Evaluation Group undoubtedly did a splendid job in clarifying what is needed, but the bank-driven API standardisation initiatives implemented only the recommendations that the regulator categorised as explicitly legally required and ignored the implicit requirements, leading to the obstacles that hinder TPPs in migrating their services without losing much of their purpose.
A joint statement issued earlier this year confirmed that banks and TPPs have found some common ground and ways of collaborating, but whilst this is a positive step, there is still a lot to do. Everyone agreed and still agrees that APIs are the way forward, but taking them live prematurely only stands to jeopardise the whole financial services industry. They are not ready and must be improved significantly, both from a functional and a stability perspective. Granting exemptions and thereby not requesting banks to allow TPPs to fall back to their established and well-working current practice would be grossly negligent, and it is very surprising to see that regulators, which are otherwise so careful, seem willing to err on the risk side.
For as long as APIs are not ready, TPPs must continue to use bank user interfaces directly. Many banks didn’t see this coming, and seem to be technically unable to introduce SCA for their customers while providing TPPs a way around it for their automated services, where customers are not present to provide dynamic credentials. If banks and TPPs are not given a grace period for the introduction of SCA similar to that for card payments, this will bring many TPP services to a halt.
The ETPPA (European Third-Party Providers Association) has requested such regulator action for many months, detailing the TPP business continuity requirements and the unintended consequences of the RTS, and explaining the necessary measures to be put into place ahead of the deadline. Namely, these are: enabling TPPs to identify themselves as stipulated; providing the necessary technical ability to use TPPs’ current practice for contingency; coordinating the introduction of SCA; and, finally, allowing TPPs to handle the SCA for the required 90-day renewal of customer consent.
At this point, only the UK’s Financial Conduct Authority (FCA) has announced that it will hand a lifeline to TPPs and delay its enforcement of SCA by six months after the deadline of September 14th, which takes the pressure off slightly. This is despite their APIs being 18 months older and more mature than those elsewhere. While France and Germany are also taking action, they have not yet disclosed any further details. The other NCAs seem not to care, or to be waiting for a green light from the EBA, although they have already indicated not wanting to harmonise this beyond card payments.
All of this has been a lead-up to the position we find ourselves in today, on the edge of change. Banks and TPPs are open to collaboration, common ground has been found and some progress has been made, but it is now in the hands of the regulators to provide the flexibility needed to get this right and not drop the ball on September 14th. It goes without saying that all sides support the aims of PSD2, which ultimately is the regulatory foundation for innovation, development and cooperation across the payments industry in Europe.
PSD2 was created to open up banking and hand customers the power to unlock their data for more enriched services, whilst making online payments safer and increasing consumer protection. It would be a disaster if it now led to the closure of existing services and if the outstanding technical difficulties were ignored. This would lead to damaged customer experiences, with the added possibility of less secure transactions – the very things it was developed to protect against.
Europe is leading the way with Open Banking, but it is losing ground in many other areas. It’s extremely important for European companies not to fall behind; the successful implementation of PSD2, and the consequent RTS, is a prerequisite for keeping the Open Banking lead and for progressing towards Open Finance and Open Data.