Turning the Bank into a Platform (Part I)

Payment Services Directive 2 (PSD2)

Prabath Siriwardena
Published in FACILELOGIN
13 min read, Sep 1, 2017

The definition of the word platform has evolved quite a lot in the last decade. When I started coding after graduation, in 2004, we used to call the Microsoft .NET framework a platform, where we could build applications on top of it. We used to call Java platform neutral — because the same compiled Java byte code can run on Linux, Windows, Mac — or on any operating system with the corresponding JVM (Java Virtual Machine). There we used to identify the underlying operating system as the platform. In today’s context, Facebook, Uber, Airbnb, Amazon, eBay, Google and Alibaba are all known as platform companies. Sangeet Choudary, the author of the book Platform Revolution, defines “the platform” as the digitized, open and participative business models creating commercially connected ecosystems of producers and consumers. Uber, the world’s largest taxi company, owns no vehicles. Facebook, the world’s most popular media company, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world’s largest accommodation provider, owns no real estate. They all build platforms where producers and consumers can meet to innovate.

The financial industry is the most regulated business globally. Understandably so, many countries do not encourage cross-border transactions. At the last Silicon Valley FinTech meetup, which happened a couple of days back, Sankaet Pathak, Founder & CEO of SynapseFI, had interesting thoughts along these lines. Any payment you make within the USA, within the same bank or between two different banks, happens immediately — or at least within a day. But if you want to transfer money from the USA to Africa, even though the corresponding African bank follows regulations just as strong as those in the USA, it would take more than three days. This is not an issue with the technology — regulators do not encourage cross-border payments. Fortunately, Europe has taken a step ahead of the rest of the world to turn the bank into a platform — where the rest of the world can innovate on top of it — which ultimately will be a win-win situation for customers, banks and fintechs alike.

This is part I of a three-part blog series in which I walk you through the innovation happening in the European financial industry and discuss its impact on the rest of the world. My focus is mostly on the technology and business sides of it — not the regulations.

Overview

Payment Services Directive 2 (PSD2) is a data- and technology-driven directive that aims to drive increased competition, innovation and transparency across the European payments market, while also enhancing the security of Internet payments and account access. There is a key difference between a directive and a regulation. For example, GDPR is a regulation (it was a directive before — the Data Protection Directive 95/46/EC). An EU regulation is immediately applicable and enforceable by law in all member states, while for an EU directive each national authority must create or adapt its own legislation to meet the directive’s aims by the date specified in it — but, once transposed, it too applies to all the member states.

The Payment Services Directive (PSD), or PSD1, the predecessor to PSD2, was introduced in 2007. It focused on building an EU-wide single market for payments. It aimed at establishing a modern and comprehensive set of rules applicable to all payment services in the EU and the wider European Economic Area (EEA). The EEA includes Iceland, Norway and Liechtenstein, in addition to the 28 EU countries. PSD1 also provided the necessary legal platform for the Single Euro Payments Area (SEPA). SEPA harmonized the way cashless euro payments are made across Europe. It allows European consumers, businesses and public administrations to make and receive credit transfers, direct debit payments and card payments cross-border.

PSD2 was adopted by the European Parliament on 8th October 2015 and by the EU Council of Ministers on 16th November 2015 as Directive 2015/2366/EU. By 13th January 2018, all member states will have to implement PSD2 into their national regulations. To clarify the technical and regulatory aspects of PSD2, the EBA (European Banking Authority), in cooperation with the ECB (European Central Bank), is to issue a comprehensive set of 6 Regulatory Technical Standards (RTS) and 5 Guidelines by 2018.

At the core of PSD2 is a requirement for banks to grant third-party providers access to a customer’s online account/payment services in a regulated and secure way. This “access to account” rule mandates banks and other account-holding payment service providers to facilitate secure access, most likely to be delivered via APIs. PSD2 helps customers have more control over their data and makes it easier for financial technology companies (Fintechs) or other businesses to make use of bank data on behalf of customers in a variety of helpful and innovative ways. This move by the EU helps to drive more competition in banking to improve outcomes for customers, and further supports the Fintech industry.

Motivation

One of the most common approaches to sharing consumer banking data is “screen-scraping”. In screen-scraping, one system mimics a human user and interacts with the normal web page. This leaves us with a lot of problems. Users have to hand their bank credentials to a third party, and are not aware of which data is pulled from their banking sites. Whoever the third party is, once it holds the credentials it can do anything with the account. Also — this kind of screen-scraping is highly fragile — it can fail after even a small redesign of the banking web site.

The best, and also the proven, way to share data with the rest of the world in a robust and secure manner is via APIs. The global proliferation of APIs has been one of the major drivers behind Web 3.0. Unlike any other innovation in the past, public APIs have catalyzed innovation itself. They help you build a larger ecosystem around your business with less effort from your end. Most verticals bought into the idea of APIs — and posted a huge amount of success in their balance sheets. In 2013, 90% of Expedia’s business was coming through its API. Salesforce generates almost 50% of its annual $3 billion in revenue through APIs, while at eBay, APIs contribute 60% to the annual revenue.

In Europe, and mainly in Germany and the UK, new competitors are gaining market share. In Germany, for example, Sofort has become the leader in e-commerce payments, with over 2 million transactions per month and 35,000 merchants in less than 10 years.

Another key driving force behind PSD2 is the customer push towards digital banking. According to research by the BBA, customer demand for a digital banking experience is increasing exponentially. More than 22.9m internet banking apps have been downloaded, an increase of 56% in 2015, and Britons were logging on to internet banking 9.6m times a day in 2015. On the other hand, branch and telephone banking transactions are falling 6–7% per annum.

Research by Ipsos MORI found that consumers overwhelmingly (77%) believe that third parties accessing their financial data should be regulated.

What’s New In PSD2?

The three key changes PSD2 makes to PSD1 are to extend its scope, to strengthen security and customer authentication requirements for mobile and internet payments, and to introduce two new third party providers (TPPs) to the EU payments market — as well as to license and supervise them. Let’s delve into the details.

Scope Extension

The current scope of the PSD applies only if the payment service providers (PSPs) of both the payer and the payee are located within the European Economic Area (EEA) and the transaction is in sterling, euro or another non-euro member state currency. PSD2 will be applicable, with some exceptions, to ‘one-leg out’ transactions and to all currencies. In other words, if at least one PSP is in the EEA, PSD2 applies, whatever the currency. For example, if you buy something from Amazon USA, paying from your bank account in Europe, PSD2 is applicable: your PSP is your bank in Europe, while Amazon’s PSP can be a bank in the USA.

Strong Authentication

PSD2 introduces a requirement for strong or 2-factor customer authentication (2FA) using two or more elements out of the following three:

  1. Knowledge: something only the user knows (e.g. a password or PIN)
  2. Possession: something only the user holds (e.g. a card or a token)
  3. Inherence: something only the user is (e.g. a fingerprint or voice)

Payment Service Providers (PSPs) (for example, banks) must apply strong customer authentication where the payer accesses his/her payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The RTS (Regulatory Technical Standards) on Strong Customer Authentication (SCA) defines further requirements and exemptions for strong authentication. Part III of this blog series will delve deep into this; if you are interested, you may read the RTS here. The consultation paper on strong customer authentication and common and secure communication under PSD2 is also available here.
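The rule above has one detail that is easy to get wrong in an implementation: the two elements must come from two different categories, so a password plus a PIN (both “knowledge”) is not strong customer authentication. The following is an added illustration, not code from the original post, of a policy check that counts only verified elements and only distinct categories, and that defaults to requiring SCA for any action it does not recognise. The action names, the NO_SCA_ACTIONS allowlist and the sample attempts are constructed for the example; the RTS exemptions are deliberately not modelled.

```python
"""Checking whether an authentication attempt meets PSD2's strong customer
authentication (SCA) rule: two or more elements drawn from different
categories (knowledge, possession, inherence).

Added illustration; not code from the original post. Action names, the
NO_SCA_ACTIONS allowlist and the sample attempts are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Set


class Category(Enum):
    KNOWLEDGE = "knowledge"      # something only the user knows (password, PIN)
    POSSESSION = "possession"    # something only the user holds (card, token)
    INHERENCE = "inherence"      # something only the user is (fingerprint, voice)


@dataclass(frozen=True)
class Factor:
    name: str            # label for the element, e.g. "password" or "otp-device"
    category: Category
    verified: bool       # True only if this element was actually checked and passed


# Hypothetical actions that do not touch the payment account and carry no
# fraud risk. Anything not listed here is treated as needing SCA (fail-safe):
# the post names online account access, electronic payment initiation and
# risky remote actions as the cases where SCA applies.
NO_SCA_ACTIONS = {"view_branch_locator", "read_public_rates"}


def requires_sca(action: str) -> bool:
    return action not in NO_SCA_ACTIONS


def verified_categories(factors: Iterable[Factor]) -> Set[Category]:
    """Categories covered by elements that actually passed verification."""
    return {f.category for f in factors if f.verified}


def sca_satisfied(factors: Iterable[Factor]) -> bool:
    """Two or more elements from two or more *different* categories.
    A password plus a PIN are both 'knowledge', so together they do not count."""
    return len(verified_categories(factors)) >= 2


def authorise(action: str, factors: Iterable[Factor]) -> str:
    """'allow', 'step-up' (one category verified, ask for another) or 'deny'."""
    factors = list(factors)
    if not requires_sca(action):
        return "allow"
    if sca_satisfied(factors):
        return "allow"
    if verified_categories(factors):
        return "step-up"
    return "deny"


# Constructed sample attempts.
PASSWORD_ONLY = [Factor("password", Category.KNOWLEDGE, True)]
PASSWORD_AND_PIN = [Factor("password", Category.KNOWLEDGE, True),
                    Factor("pin", Category.KNOWLEDGE, True)]
PASSWORD_AND_OTP = [Factor("password", Category.KNOWLEDGE, True),
                    Factor("otp-device", Category.POSSESSION, True)]
PASSWORD_FAILED_OTP = [Factor("password", Category.KNOWLEDGE, True),
                       Factor("otp-device", Category.POSSESSION, False)]
FINGERPRINT_AND_CARD = [Factor("fingerprint", Category.INHERENCE, True),
                        Factor("card", Category.POSSESSION, True)]

if __name__ == "__main__":
    for label, attempt in [("password only", PASSWORD_ONLY),
                           ("password + PIN", PASSWORD_AND_PIN),
                           ("password + OTP", PASSWORD_AND_OTP),
                           ("password + failed OTP", PASSWORD_FAILED_OTP),
                           ("fingerprint + card", FINGERPRINT_AND_CARD)]:
        print(f"{label:22s} -> {authorise('payment_initiation', attempt)}")
```

The "step-up" result is the interesting one for a bank: a single verified element is enough to know who is asking, but not enough to let a payment through, so the right response is to request an element from another category rather than to deny outright.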

Apart from the requirements for strong authentication, PSD2 provides two guideline documents, on security measures and on incident reporting. On 5th May 2017, the EBA (European Banking Authority) issued a consultation paper on draft guidelines on the security measures for operational and security risks of payment services under PSD2 — which you can find here. The guidelines on major incident reporting, published on 27th July 2017, are available here.

PSD2 requires the implementation of strong authentication by the end of October 2018.

New Third Party Providers

PSD2 introduces two categories of third party providers (TPPs): Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). We need to understand the behavior of these two entities in the context of other banking terminology.

A Payment Service Provider (PSP) offers online shops services for accepting electronic payments by a variety of payment methods, including credit cards, bank-based payments such as direct debit and bank transfer, and real-time bank transfer based on online banking. Typically, they use a software-as-a-service model and form a single payment gateway for their clients (merchants) to accept multiple payment methods. An Account Servicing Payment Service Provider (AS PSP) is one category of PSP: a traditional financial institution (e.g., a bank) which provides accounts to consumers and from or to which the consumer issues payments.

Account Information Service Providers (AISP)

Account Information Service Providers (AISPs) are the third parties that will have to be given access to account information by the AS PSP when granted permission by the account holder. Information given by the AS PSP can subsequently be used by the AISP for aggregating data relating to consumer accounts held across one or many AS PSPs. For example, an AISP can be a personal financial management (PFM) tool, which helps consumers budget better and understand their overall financial position, often by pulling information from multiple AS PSPs.

To become an authorized AISP, a company must hold professional indemnity insurance and be registered with its member state and with the EBA. There is no requirement for any initial capital or own funds.

Payment Initiation Service Provider (PISP)

A Payment Initiation Service Provider (PISP) is a third party that will be allowed to initiate payments, authorised by the account owner, between the AS PSP (bank) and the consumer. The retailer itself can be the PISP — or there can be a single PISP addressing requests from multiple retailers. This allows them to use the information from AS PSPs to facilitate online banking payments. Third Party Payment Service Provider (TPP SP or TPP) is the generic term used for a third party Account Information Service Provider (AISP) or a third party Payment Initiation Service Provider (PISP). A TPP neither holds a payment account nor comes into possession of the funds being transferred. Finally, the Payment Service User (PSU) is the consumer or retailer who uses the services provided by payment service providers such as banks or TPPs.

Unlike for an AISP, the minimum requirements to become an authorized PISP are significantly higher. In addition to being registered, a PISP must also be licensed by a competent authority, and it must have an initial and ongoing minimum capital of EUR 50,000.

Benefits

With PSD2 in place, the bank turns into a platform — where the rest of the world can innovate on top of it — which ultimately will be a win-win situation for customers, banks and fintechs alike. Let’s discuss some of the benefits PSD2 brings to the table.

The Competition and Markets Authority (CMA) of the UK found that UK consumers could save money if they switched to the current account best suited to their needs. But the challenge is to compare and find the best-suited account among all the available options. PSD2 could eliminate this friction and improve the consumer experience: a consumer would simply give a price comparison service (an AISP) permission to access their bank account data, and the rest would happen “behind the scenes” and in real time.

Let’s take another example. Personal financial management tools (PFMs) help consumers budget better and understand their overall financial position, by helping them categorize and manage their spending using visualization tools and predictive cash flow tools. They often pull information from other financial services products, such as credit cards and savings accounts, to provide an aggregated view to the consumer. PFMs are popular in the US, with 32% of consumers using them to manage their finances, of which approximately three-quarters use third-party solutions such as Mint or yodlee.com. PFM uptake in the UK has been low primarily because consumers cannot give PFMs access to their transaction and balance data. To date, the typical workaround has been for the PFMs to screen-scrape the data from the banks’ online web pages. This forces consumers to share their login details with the PFMs, which makes some consumers uncomfortable and in some cases invalidates banks’ own terms and conditions. Under PSD2, customers would be able to grant access to their data securely and efficiently without sharing their credentials with any party other than their bank.

Historic transactional data is an important determinant of credit quality, and real-time transactional data is a valuable indicator of the ongoing serviceability of loans. Currently this information is only available to the current account provider, which means third-party providers may not be able to offer the best terms to users when they shop around. When I moved to the USA from Sri Lanka a couple of years back, this hit me hard. Even though I had a very good credit history for many years in Sri Lanka, it was all useless in the USA, and I had to start from zero. This made me pay a high rent for my apartment and almost doubled the monthly installment on the leased car. For the same reason, in the UK it was found that 90% of SMEs procure loans from their primary banking relationships, while 50% of consumers are likely to purchase new banking products from their current bank. This gives the bank more control over the consumer and makes banks less competitive. With PSD2, individuals and businesses will be able to share transactional data securely with potential providers of credit to achieve the best possible deal.

GDPR and PSD2

The EU General Data Protection Regulation (GDPR) is Regulation 2016/679 of the European Parliament and of the Council, which replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ (and residents’) data privacy and to reshape the way organizations across the region approach data privacy. Commonly known as GDPR, it was passed as a regulation on 27th April 2016 — and will be effective from 25th May 2018. GDPR became quite prominent due to the heavy penalties it introduces for violators — which could be as much as 4% of annual global turnover or €20 million (whichever is greater).

There is a myth some believe: PSD2 is all about making user data available to third parties, while GDPR is all about keeping this data private. I do not quite agree. GDPR is not about not sharing data — it’s about how you share data with third parties securely, with the consent of the data owner. Just like PSD2, GDPR gives the data owner more control. Further, GDPR will strengthen the objectives of PSD2. For example, an AS PSP should never share account information with an AISP, or accept a payment order from a PISP, without the PSU’s (owner’s) consent.
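The consent rule in the last sentence, together with the AISP/PISP roles defined earlier and the screen-scraping problem from the Motivation section, is what the bank’s API has to enforce on every request. The following is an added illustration, not code from the original post, of an AS PSP decision point: the TPP is identified by its own registration (never by the customer’s credentials), its registered role limits the scopes it may even ask for, and a request is honoured only against a live, unrevoked consent from the PSU that covers both the scope and the specific account. The scope names, the registry and consent record formats, the one-consent-per-PSU/TPP assumption and all sample data are constructed for the example.

```python
"""Bank-side (AS PSP) decision point for TPP requests under PSD2: the
registered role of the TPP bounds the scope, and the PSU's consent bounds
the scope and the account. The TPP never holds the PSU's bank credentials,
which is the difference from screen-scraping.

Added illustration; not code from the original post. Scope names, the
registry, the Consent/TppRequest records and the sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# An AISP may only read account information; a PISP may only initiate payments.
SCOPE_ACCOUNT_READ = "accounts:read"
SCOPE_PAYMENT_INIT = "payments:initiate"
ROLE_SCOPES: Dict[str, Set[str]] = {
    "AISP": {SCOPE_ACCOUNT_READ},
    "PISP": {SCOPE_PAYMENT_INIT},
}


@dataclass
class Consent:
    psu_id: str
    tpp_id: str
    scopes: Set[str]
    accounts: Set[str]      # the accounts the PSU chose to expose to this TPP
    expires_at: datetime
    revoked: bool = False   # the PSU can withdraw consent at any time


@dataclass
class TppRequest:
    tpp_id: str             # the TPP's own identity; no PSU credentials travel here
    psu_id: str
    scope: str
    account: str


class AccountServicingPsp:
    """Evaluates TPP requests against a TPP registry and stored consents
    (one consent per PSU/TPP pair is assumed for the example)."""

    def __init__(self, registry: Dict[str, str], consents: List[Consent]):
        self._registry = registry   # tpp_id -> registered role, never taken from the request
        self._consents: Dict[Tuple[str, str], Consent] = {
            (c.psu_id, c.tpp_id): c for c in consents}

    def decide(self, req: TppRequest, now: datetime) -> str:
        role = self._registry.get(req.tpp_id)
        if role is None:
            return "deny: TPP not registered"
        # Role check first: a PISP asking to read balances is refused outright.
        if req.scope not in ROLE_SCOPES.get(role, set()):
            return "deny: scope not permitted for role"
        consent = self._consents.get((req.psu_id, req.tpp_id))
        if consent is None:
            return "deny: no consent"
        if consent.revoked:
            return "deny: consent revoked"
        if consent.expires_at <= now:
            return "deny: consent expired"
        if req.scope not in consent.scopes:
            return "deny: scope not consented"
        if req.account not in consent.accounts:
            return "deny: account not consented"
        return "allow"


# Constructed sample data: four registered TPPs and one PSU with three consents.
NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)
REGISTRY = {"tpp-budget-app": "AISP", "tpp-checkout": "PISP",
            "tpp-old-pfm": "AISP", "tpp-new-lender": "AISP"}
CONSENTS = [
    Consent("psu-alice", "tpp-budget-app", {SCOPE_ACCOUNT_READ}, {"IBAN-A"},
            NOW + timedelta(days=90)),
    Consent("psu-alice", "tpp-checkout", {SCOPE_PAYMENT_INIT}, {"IBAN-A"},
            NOW + timedelta(days=1), revoked=True),
    Consent("psu-alice", "tpp-old-pfm", {SCOPE_ACCOUNT_READ}, {"IBAN-A", "IBAN-B"},
            NOW - timedelta(days=1)),
]
BANK = AccountServicingPsp(REGISTRY, CONSENTS)

if __name__ == "__main__":
    samples = [
        TppRequest("tpp-budget-app", "psu-alice", SCOPE_ACCOUNT_READ, "IBAN-A"),
        TppRequest("tpp-budget-app", "psu-alice", SCOPE_ACCOUNT_READ, "IBAN-B"),
        TppRequest("tpp-budget-app", "psu-alice", SCOPE_PAYMENT_INIT, "IBAN-A"),
        TppRequest("tpp-checkout", "psu-alice", SCOPE_PAYMENT_INIT, "IBAN-A"),
        TppRequest("tpp-old-pfm", "psu-alice", SCOPE_ACCOUNT_READ, "IBAN-B"),
        TppRequest("tpp-new-lender", "psu-alice", SCOPE_ACCOUNT_READ, "IBAN-A"),
        TppRequest("tpp-unknown", "psu-alice", SCOPE_ACCOUNT_READ, "IBAN-A"),
    ]
    for r in samples:
        print(f"{r.tpp_id:15s} {r.scope:18s} {r.account}: {BANK.decide(r, NOW)}")
```

Two design points are worth noting. The role comes from the bank’s registry rather than from anything the caller claims, so a registered PISP cannot promote itself to account reading by asking nicely; and consent is checked per account, not per customer, so granting a budgeting app access to one account does not silently expose the others. Each denial carries a distinct reason, which is what you want in the audit log when a customer later asks who saw what.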

Open Banking and PSD2

In September 2014 the Open Data Institute and Fingleton Associates published a report titled Data Sharing and Open Data for Banks. Following this report, in the 2015 budget, the Treasury (the UK’s economic and finance ministry) announced its commitment to delivering an open standard for APIs in UK banking, to help customers have more control over their data and to make it easier for financial technology companies (Fintechs) or other businesses to make use of bank data on behalf of customers in a variety of helpful and innovative ways. This move by the UK Government helps to drive more competition in banking to improve outcomes for customers, and further supports the Fintech industry.

While PSD2 is a directive (or a set of rules) at the EU (and EEA) level, Open Banking is an initiative by the UK Treasury. PSD2 defines what needs to be done, while Open Banking defines how things are to be done. Further, it builds an open API for communication between AS PSP/AISP/PISP/PSU and all the other entities, to preserve interoperability. In part II of this blog series, we’ll talk about Open Banking in detail.

Summary

In part I of this three-part blog series on the innovation happening in the European financial industry and its impact on the rest of the world, we covered the latest European directive on financial services: PSD2. In part II I intend to talk about the UK Open Banking initiative.
