PSD2 is here and Phase 2 of Open Banking is underway. We look at the implications for account servicing payment service providers (ASPSPs) and third party processors (TPPs).
Opening the box: PSD2 and UK open banking
PSD2 now requires all ASPSPs to open up access to authorised account information service providers (AISPs) and payment initiation service providers (PISPs) (together, TPPs) in respect of all payment accounts, where customer consent has been elicited.
ASPSPs will need to make technical specifications and testing facilities available to TPPs by March 2019, giving six months for TPPs to test their software before the remaining requirements governing strong customer authentication and secure methods of communication come into force in September 2019, under the Regulatory Technical Standards on Strong Customer Authentication (SCA-RTS).
Simultaneously with PSD2, Phase 2 of UK open banking started this January. This project only applies to the nine largest banks in the UK, and initially requires them to open up access just to online current accounts (narrower than the requirements applying to all payment accounts under PSD2).
Options for opening up access to data
The requirements for allowing access to customer data differ under the two regimes: UK open banking requires banks to sign up to a standardised API, whereas PSD2 does not (although the SCA-RTS do set out requirements ASPSPs must meet if using a dedicated interface).
But even though other methods can be PSD2 compliant, a standardised API is the approach being recommended by HM Treasury and the FCA in the UK. This is being termed the "redirect" model: the customer is redirected from the TPP's application to the ASPSP's application so that they can authenticate themselves, and then back to the TPP's application. The advantages of this approach are that customers do not have to share their credentials, security is increased and the model is technically cleaner.
However, building systems that work with the standardised API has proved to be a laborious process, requiring a huge amount of resource, even by the standards of the nine largest banks. The Open Banking Implementation Entity (OBIE) has suggested that businesses looking to use the standardised API should contact them as soon as they can.
Furthermore, despite the redirect model being OBIE's preferred method, Article 32(3) SCA-RTS provides that dedicated interfaces should not create "obstacles to the provision of [AIS] and [PIS]", which includes imposing redirection. It isn't clear to us how these two positions can be reconciled.
There are alternative options being discussed across the EU (such as the 'de-coupled' and 'embedded' approaches), but there is no 'do nothing' option, given that straightforward screen scraping, where the TPP impersonates the customer, is prohibited under the SCA-RTS. An alternative form of screen scraping is permitted by Article 31 where the ASPSP offers the same interface as it does to its customers, but allows the TPPs to identify themselves to the ASPSP (identifiable screen scraping). So in order to be compliant come September 2019, even ASPSPs without a dedicated interface will need to make some changes (and it is expected that most ASPSPs won't have a dedicated interface, at least at first).
Time is tight, and this may play into which method is most suitable for a particular business. Either way, a practical approach is likely to be to co-operate with TPPs to ensure compliance in time.
What are TPPs doing?
Given that the aim of open banking is to improve customer engagement and switching between bank accounts in order to increase competition, the marketing around its launch has been surprisingly weak. It will now be down to businesses to give customers good reason to open up access to their data, and user experience will be key.
Although TPPs haven't set off an explosion in the way customers bank, there are more and more coming on to the market with disruptive potential. Around 25 are already authorised by the FCA.
Most of these were already FCA-authorised to provide other services, so it is clear that businesses like Funding Options, Moneybox and ClearScore are already taking advantage of open access to data to support and improve their existing offerings, for example to help with visibility, assessing credit information and recommending loans, insurance and/or other investments.
At present, most have been authorised to provide account information services, with only a handful authorised to provide payment initiation services. Maybe the space is waiting for a killer app to make obvious to customers the benefits of the new system, but one thing is for certain: we expect this market to develop significantly.