What can we expect in a post-PSD2 banking world?


28 Nov 2016


Image: peterzsuzsa/Shutterstock


As we transition into a cashless world of electronic transfers, web payments and blockchain, where does that leave us? Professional services firm PwC is dissecting what we can expect in a post-PSD2 banking world.

Some of us remember the days when paper cheques prevailed, fleets of vans toured the country to pick up cheques from bank branches and deliver them to clearing centres for processing and onward distribution to the exchange for settlement. The whole process could take up to six working days before your money was available for withdrawal. The good news is that our use of cheques is in free fall, now left mainly to the preserve of seniors and small/medium businesses.

Over the past decade, there has been a push by the clearing houses and banks to see us move away from the use of cash and cheques in favour of electronic transfers. Card scheme payments have now become the default, and where we have seen most innovation.

But our banks’ systems are closed – they have evolved from monolithic core banking systems, heavily invested in and hosted on legacy platforms. They are difficult, slow and costly to change. However, over the years, a level of integration has been achieved through batch processing, file transfers and, more recently, by using middleware to enable the development of proprietary front ends, which abstracted the underlying technology.

There is no doubt that the innovation we have seen so far has improved how we transact with our banks. There are more channels available to fulfil our everyday banking needs, and operating costs of banks have been reduced by shifting traffic from branches and call centres to self-servicing over the web and on mobile. But our banks still enjoy a privileged position, with competition confined between banks within a tightly regulated market with high barriers to entry.

The Single European Payments Area (SEPA) was made mandatory in February 2014, when all banks and payment system users were required by legislation to migrate all payments from existing national credit transfer and direct debit payment schemes (eg, in Ireland, it was the Irish Payment Services Organisation) to their SEPA equivalents, to bring about the integration of the national retail markets across the EU/EEA.

The objective of SEPA was to stimulate efficiency and innovation in retail payments. However, given that 97pc of retail payments are made within national borders, the lack of integration was not surprising. In the same way that euro payment systems evolved using national standards, the law in relation to payment business evolved differently. A similar analogy could be made in relation to how data protection laws have evolved in each member state prior to the General Data Protection Regulation.

The Payment Service Directive (PSD) was put into force in November 2009 to provide a harmonised legal environment for payments, thereby facilitating the integration of national payment markets and improving competitiveness. There have been substantive changes in the payment market since the PSD was passed.

A new type of regulated entity called a ‘payment institution’ was established, which included money remitters, non-bank card issuers, merchant acquiring firms and certain mobile network operators offering payment services, eg PayPal Europe, which was granted a Luxembourg banking license that, under European Union law, allows it to conduct banking business throughout the EU. Apple Pay expanded into Europe using eligible Visa debit or credit cards. Pan-European card schemes, such as the Euro Alliance of Payment Schemes and PayFair, were set up to challenge the Visa/MasterCard duopoly.

So why do we need PSD2?

The reality is that there are no global heavyweights in Europe to challenge the giant US card schemes of Visa and MasterCard. This is even more worrying given that MasterCard is to acquire VocaLink, which operates the UK’s BACS (ACH), FPSL (FPS), and Link (ATM). This acquisition, subject to usual regulatory approval, would accelerate MasterCard as an active participant in the UK payments ecosystem, and could even be viewed as having a negative impact on innovation and competition in the payment industry.

The pace of technological change and inconsistencies in the way the PSD was interpreted by member states have led to new regulatory challenges. The European Commission responded by introducing the PSD2, which comes into force in January 2018 and aims at further driving innovation and competition by forcing European banks to open their infrastructures (especially payment information) to third-party providers, and by ensuring adequate security. This will enable clearing and settlement without using cards, and will lead to a downward trend in costs and prices for payment service users that, up to now, only the card schemes have enjoyed.

The PSD2 proposal brings new Third-Party Service Providers (TPP), which can offer online banking services, once licensed or registered and supervised as payment institutions.

1. Payment Initiation Services Providers (PISPs) will have direct access to bank accounts and enable direct online payments from the bank account without the need for a card.

2. Account Information Service Providers (AISPs) will provide customers with a consolidated view of their bank accounts (eg current accounts, saving/deposit account, pension).

The success of Mint.com in the US and Canada highlights the appetite from consumers for account aggregation. This free web-based personal finance management service has more than 10m users who can track banks, credit cards, investments, loan balances and transactions through a single user interface. The traditional banks in the US are already feeling the competition, with a number of temporary bans on access to data, which under PSD2 would not be legal.

Most importantly, banks and financial service institutions may also take on the role of AISPs and PISPs themselves. This will all be enabled through the effective use of application programming interfaces (APIs), setting the scene for the API economy to play a disruptive role in the future of the financial services ecosystem.

Regulatory technical standards for PSD2 are under development; they proclaim open APIs but do not mandate an API standard. While banks and fintech start-ups may complain, this is by design. The whole point of PSD2 is to disrupt the incumbents and promote transparency, competition and innovation.

If every bank has its own APIs, and a TPP wants to be able to work with the APIs of the top four banks in Ireland or top 10 European banks, there are only two ways around it: either banks get into a room and agree an API standard, or an intermediary creates an integration layer that hides the API complexity.

Standardised interfaces are powerful facilitators and drivers of digital businesses. APIs allow companies to adopt a modular approach for quickly and cost-effectively creating and scaling new businesses. For this reason, the pace of API development and use is accelerating in numerous industries.

Just look at Uber, which is the largest online network transportation company, but doesn’t own any taxis. It quickly grew from a small start-up to a global company by integrating partner capabilities via APIs. It uses the Google Maps API to locate customers and track drivers. It is also interesting to see that two years after applying for authorisation, Facebook was recently awarded a licence by the Central Bank of Ireland to operate a financial payments service – but what about Microsoft, Apple, Amazon and the mobile phone operators?

What does PSD2 mean for the consumer?

Like Facebook for social media and social networking, Microsoft, Apple and Android hide the complexity of GSM, TCP-IP, hardware, operating systems; all the things that have evolved into collaborative or de facto standards, and the consumer just sees the software applications running on the device. As a consumer, I don’t want to see my mobile phone company or my bank every day – I only want to see them when something is wrong.

Platform shifts tend to drive exponential growth, and the smartphone is the largest platform shift ever. The phone is the new high street; we use it for booking hotels, flights, checking email, navigation, taxis, listening to music etc, and the people who develop the apps are the people that own your mobile real estate.

All these services store a card number today, and tomorrow will need to use your bank’s APIs. But if they can’t use your bank’s APIs, then they will use somebody else’s, and those consumers without loyalty will bank with somebody else so they can continue to enjoy the apps that make their life easier.

What does PSD2 mean for banks?

When it comes to PSD2 and open banking, there are three main challenges that need to be overcome, [be it] an established bank, a new entrant or fintech.

Businesses, especially banks, need to appreciate that there is a well understood link between organisational structure and the software they create. By embracing new structures and concepts such as R&D and innovation incubation teams, they will unbundle/decouple the monolithic IT systems into reusable service components.

The new ecosystem will be comprised of not only financial institutions but also retailers, hi-tech companies, gaming, gambling, social media, crowdsourcing platforms and potentially anything that involves financial information or transactions. In this new ecosystem, APIs are the new channel for doing business and need to be given that level of attention and importance. Banks need not only to offer services to be consumed by third parties, but also think how to use third-party services for their own offerings.

API platforms need to consider architecturally significant areas such as security, customer authentication, auditing, scalability etc, such that when payments are invoked through revenue generating APIs, poor availability, reliability and performance are not an option.

In a new world where third-party providers are stretching banks’ infrastructure with requests for payment permission and for live data feeds, the risk vector has increased significantly.

By David Stapleton

David Stapleton is an enterprise architect for PwC’s technology practice.