PSD2 – time to open and secure APIs and rethink business models

With the EU’s Payment Service Directive (PSD2) going into effect in January 2018, banks have no time to waste in preparing for the changes it will bring

The revised Payment Service Directive (PSD2) is on its way, bringing fundamental changes to the finance industry in the EU. With new and updated details released, it is time for banks to act to ensure they are ready when PSD2 becomes effective.

Among the changes are new requirements for strong customer authentication (SCA), including support for two-factor authentication (2FA) for most payments, as well as the need to provide interfaces to so-called third-party providers (TPPs). Such TPPs can be payment initiation service providers (PISPs), but also account information service providers (AISPs) or a combination of the two.

A PISP initiates payments, while an AISP provides access to bank account information. Both can thus become competitors to banks, acting as the interface for the customer to access all banks and accounts. Notably, one of the declared targets of PSD2 is fostering competition and innovation, so this change in the competitive landscape is not by accident, but by design.

For traditional banks, this change has two consequences. The first is that banks must provide interfaces, such as application programming interfaces (APIs), to the TPPs. Notably, PSD2 explicitly prohibits the use of screen scraping.

The second is that, with TPPs potentially becoming the interface to the customer, banks are urged to rethink their business models. Do they want to lose customers and business to others? Or do they want to stay in control of the value chain, acting as both a bank and a TPP?

Given that APIs must be provided, one request to the finance industry is to show significant progress in standardising APIs. There are initiatives underway both in the finance industry and the open source community, notably the Open Bank Project.

The banks themselves must enable such APIs, which requires API management and API security, but also an architecture which ensures that the interfaces between external TPPs, the APIs, the bank's own new types of applications (the agile part), and the stable core banking systems are well defined, secure and scalable. Having a “bimodal” or “multispeed” IT now becomes mandatory. From a security perspective, a well-thought-out, multi-layered security approach, including API security management, is unavoidable.

When looking at the changes in competition and thus in business, banks must rethink their business models. There is the opportunity, either within the existing entities or through separate legal entities acting more in an agile start-up mode, for a bank to act as a TPP itself. If done right, this allows the bank to provide the preferred interface to the customer while remaining in the driver’s seat.

Clearly, PSD2 puts massive pressure on banks to step back and reconsider their business models from a very fundamental perspective. Banks that ignore this change, however, are likely to fail.

PSD2 will lead to huge changes in the EU finance industry. With only nine months left until PSD2 becomes effective, it is time to act, and create cross-organisational teams to find solutions for the new, competitive bank of the future.
