Best Practices of Open Banking Regulations and PSD2
In recent years, the finance industry has been exposed to major digitization. Online banking, financial technology, and other services have created unprecedented opportunities for customer experience improvements. In this article, we will explain the main open banking regulations and PSD2 and why they are picking up the pace of disrupting the financial industry.
Open banking regulations and PSD2 around the world
In recent years, the finance industry has been exposed to major digitization. Online banking, financial technology, and other services have created unprecedented opportunities for customer experience improvements.
Open banking is one of the most promising new chapters in fintech. As we previously learned, it possesses the following features:
- Open banking is a technology that empowers consumers to access and control their banking and financial accounts via third-party applications.
- It is going to disrupt the competitive environment and consumer experience of the entire banking industry.
- It brings opportunities for major improvements and high risks to consumers as their data is shared with third parties.
- What is the difference between open banking and PSD2 (Second Payment Services Directive)? They represent similar concepts but have some differences. In short, Open Banking in the UK requires the standardization of APIs, while PSD2 in the EU does not.
Shifting to open banking requires significant resources, and banks often tend to see no immediate benefits. In the worst case, it is perceived as helping non-banking competitors capture a particular market share. Open banking started slowly, as banks were creating the necessary API technology. Nowadays, there are 500+ open banking providers across the UK and Europe and over 4 million open banking users in the UK alone.
Given open banking’s steady development, regulators have started crafting new deadlines for openness. At the end of 2022, Europe is the furthest along, and there is evidence that regulators in the US and Asia plan to follow the example. Not all European banks adapted to the change well, which cost some senior executives their jobs because of poor transitions. However, others discovered a way to navigate the turbulence and took advantage of the new opportunity. The winners realize that opening their data is inevitable and may be highly beneficial if done in compliance with the regulations.
In the EU, multiple factors contributed to a successful transition to open banking. The most successful companies reorganized their teams to adjust to the new ecosystem. Banks also gained advantages by finding a new balance between IT and traditional business operations. They discovered a way to achieve the integration needed for open banking as a continuous process rather than a clear destination.
Initially, the Open Banking PSD2 directive was passed in October 2015 by the European Parliament as a revision of the existing Payment Services Directive. The new rules were established to foster the ongoing development of online payments through open banking.
How do PSD2 and open banking affect the financial industry? According to the European Commission, PSD2’s main aims are to:
- Create a more integrated and efficient payments market in the EU.
- Level the environment for payment service providers, including new players.
- Conduct payments more safely and securely.
- Encourage lowering of the transaction fees.
In June 2020, the European Banking Authority (EBA) was approved as the major PSD2 regulator. The institution made it clear there has to be parity between the online banking services that banks provide directly to their clients and the service they provide via PSD2 APIs. The EBA stated that if banks did not remove barriers to the open banking experience by April 2021, the national regulators would take further supervisory action, including imposing penalties.
In 2022, authorities started integrating PSD2 into the Single Euro Payments Area (SEPA) to ensure full coverage of instant transactions in the EU. This step is significant, as open banking providers prefer to conduct instant payments for consumers’ convenience rather than SEPA Credit Transfers, which may take about two days to arrive.
Open banking and PSD2 outside of the EU
Europe may reasonably claim to be the home of open banking as PSD2, and the UK's Open Banking Standard originated it. Today, open banking initiatives appear everywhere. It is not only a matter of duplicating the European approach in other places. Jurisdictions are establishing their approaches to open banking, setting their markets and policy objectives, and sometimes developing multi-industry approaches beyond financial services.
In the UK, the Competition and Markets Authority (CMA) brought in open banking intending to increase competition and speed up innovation in the market that had not undergone any material regulation for years. It came along with several immediate measures, such as a cap on overdraft fees set by the banks themselves – by far the most radical measure introduced.
The number of open banking payments in the UK grew more spectacularly than in any other place. It increased from 1.2 million in January 2021 to more than 7 million a month by the end of 2022. According to the providers’ data, the total volume of open banking payments surpassed $10 billion in the UK in 2021.
In other countries, open banking is currently developing as follows:
- The US has chosen a market-led approach. However, there were no material government initiatives to support the advancement of open banking products and services. Given the highly fragmented and state-based nature of the banking industry in the US, as well as a particular level of red tape, there is no clear indication of an intention to take this forward and issue a federal policy on it. The leading US banks are well aware of the strategic role of open banking and are working on API-based offerings, in partnerships with third parties, as a way to attract new customers and gain possible competitive advantages.
- Australia stands out for its ambitious and innovative approach. Similar to other open banking initiatives, the Consumer Data Right Act (CDR) allows consumers to share their data with chosen authorized third parties. The main difference, however, is that the CDR is a data policy regulatory document and not a financial services one. While it applies to banks first, it subsequently administers the energy and telecommunication sectors, and eventually, it could be applied to any industry.
- Hong Kong Monetary Authority released an Open API Framework in July 2018, laying out a 4-phased approach for banks to implement Open APIs. It starts with data sharing on their services, together with sharing transactional info and payments processing services. As opposed to the EU approach, while banks are required to develop APIs, they can restrict access to those third parties with which they choose to collaborate.
- Some countries—India, Japan, Singapore, and South Korea—do not have formal open banking regimes at the moment. However, their policymakers are working on various measures to accelerate the introduction of data-sharing frameworks in banking.
Overall, Open Banking regulations and initiatives are still in the early stages of implementation. Companies and regulators must do more to raise consumer awareness and outreach scale, even in jurisdictions like the UK, where open banking standards are already fully in place. Establishing a safe and well-functioning multi-industry data-sharing ecosystem will take some time.
What is PSD2 and open banking compliance?
As noted above, open banking may offer consumers convenient access to financial information and services and streamline costs for financial institutions. However, it poses potential risks to financial privacy and the security of personal finances and related liabilities to financial institutions.
Open banking APIs are not free of security risks, such as the possibility of a malicious third-party app cleaning out a customer's account—a serious but unlikely threat. Much broader concerns are about data breaches because of poor security and hacking or insider threats that have become quite widespread in the modern era.
Bank ownership of the data has long given them a competitive advantage in pricing and risk scoring. This may now disappear as data is actively shared with third parties. Additionally, this data could also be used to grant consumers innovative, user-friendly banking services. Crucially, by offering services that utilize confidential banking data to give consumers additional value, third parties may remove intermediaries from the process of banks’ interaction with customers.
However, a great level of compliance is required as PSD2 is wide in scope and covers third-party providers (TTPs). It is expected that banks will be required to grant them access to customer payment accounts, known as XS2A (Access to Account), to ensure that their data is shared with trusted and compliant TTPs.
As open banking enables customer data sharing between organizations, banks need to ensure that the process is secure when data is revealed to other parties, and that customer consent is obtained and kept up to date. Wider third-party access increases the chances of fraud, and banks may not have sufficient control to prevent it.
What PSD2 requires and when?
Essentially, the regulation looks closely at the parties that can access or collect electronic payment data. There are clear requirements to protect consumers by upgrading security and speeding up transaction processing.
Let’s go over the main elements of PSD2.
Strong Customer Authentication (SCA), as part of the PSD2, is required for the parties on either end of a transaction in the European Economic Area. The payment authentication process goes beyond the usual, where only the data on the credit card (name, expiry date, and CCV) is needed. SCA requires stronger authentication, and that’s when multi-factor authentication (MFA) is involved.
The main enabler of SCA is 2-factor authentication (2FA). Consumers must provide two out of the following three independent factors to confirm their identity:
- Something they own: a mobile phone or a tablet.
- Something they know: a PIN code.
- Something a consumer is: a fingerprint.
SCA is performed via APIs that are authenticated by PSD2-compliant certificates, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which comes after SSL. The data is encrypted to ensure payments are safely processed.
Additionally, PSD2 utilizes Know Your Client (KYC). It serves to verify the identity of a financial services user. KYC is a regulatory process of confirming the identity and other information of the user. Many countries and economic regions oversee anti-money laundering agencies or regulators that monitor financial transactions to prevent tax evasion, terrorism financing, and other undesirable activities. The agencies are a part of the Financial Action Task Force (FATF), which lays out a framework for financial transactions overview globally.
PSD2 implications for banks
How do PSD2 and open banking affect the financial industry, particularly banking institutions? For banks, considerable investment in technology is required as they must use open APIs. It facilitates open banking competition, resulting in more innovation and better service for clients. Open APIs enable account data service providers to reach consumer data if consent is given. It paves the way for increased business intelligence resulting in better, more tailored consumer services. Also, it eliminates intermediaries from transactions and makes them quicker.
As previously mentioned, the requirement of open APIs encourages innovation. Third parties will be motivated to utilize them and create solutions that address consumer demands. Anybody who deals with transactions that involve banks from the European Economic Area must comply with PSD2. This applies to both payments sent and received.
In particular, banks are required to do the following:
- Increase security measures with MFA to prevent transaction risks.
- Share account data and aggregate it with third parties while setting up all of the internal infrastructures to securely transfer the information.
- Introduce conflict resolution procedures that comply with the timeframes and other requirements of the regulation.
Although the regulation introduces considerable requirements for banks, it also promotes a level of innovation that can be advantageous and eventually spread outside of the EU.
How will the emergence of third-party providers (TPPs) drive payment competition?
PSD2 requires banks and other financial institutions to allow specific third-party access to personal bank account data, aggregate data, and payment data as requested by the consumer. It helps organizations retrieve information directly from the source when a transaction is made, removing the intermediary in payments. Many online retailers benefit from this process as they can get additional verification of the customer's financial identity and instant resolution of debits.
Under PSD2, institutions intending to act as Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISPs) must be authorized payment service providers (PSPs).
While supposedly a payments-focused directive, PSD2 is likely to have the greatest impact on opening bank-controlled customer account data to AISPs. If third-party AISPs gain substantial traction, banks may lose their ownership of the customer interface and the primary customer relationship. The threat may be further exacerbated if some TPPs choose to act as both AISPs and PISPs, allowing customers to make payments from their accounts through a third-party interface.
Open banking enables payments directly from a bank account by opening up banks' data. It should be both quicker and cheaper since, otherwise, the intermediaries would charge for their service. In this case, the bank approves the transaction without involving other organizations.
What’s next in open banking?
The emergence of marketplace banking and the subsequent competition for the customer interface between banks and new entrants will drive the change. Undoubtedly, the PSD2 concept will be adopted worldwide, requiring national regulators to step in to oversee the changing banking industry.
From there, natural development would be a move towards some form of global standards. At the moment, we do not know exactly what it may look like, but the prospect of worldwide open banking adoption should certainly be under consideration.
Would you like to know more about how open banking & PSD2 may impact your business? Contact our team for a consultation.