PSD2: Background and progress
PSD2 and Open Banking have been heavily discussed by market participants, experts and other interested parties since the directive was first proposed in 2013. We have written on the subject before, but the longer it goes on, the more interesting it becomes to watch how the situation evolves and where the momentum is.
2018-2019 was a transitional period; from 2019 all banks and other payment service providers are required to comply with PSD2 or face fines. According to Finextra, only around 60% of banks currently comply with PSD2.
Although the share of banks that are ready is not high at the time of writing (May 2019), the major banks have already opened demo portals for developers.
Banks create developer portals with sandbox accounts and documentation because the directive requires it: free access to documentation and a so-called sandbox in which anyone can test the quality of an integration without risk. The quality of the sandboxes and documentation is mostly not high yet, but it at least lays the ground for the next steps, first and foremost smooth integration with the companies operating under AISP and PISP licences.
Developers can build applications inside the sandbox using the available API methods. The key operations can be classified as:
- Authorization (SCA – Strong Customer Authentication)
- Balance check
- Transaction history
- Initiation and validation of payments/transfers
- Additional services: open account, order a card, set recurring payments/transfers
The operations above fit the business logic not only of banks but also of Electronic Money Institutions (EMIs), Payment Institutions (PIs), Payment Service Providers (PSPs) and other licensed companies.
A comprehensive list of the institutions covered by PSD2 can be found here. According to that data, a large share of the companies under PSD2 regulation simply do not state any readiness status. In my opinion, the situation may well be worse than with the banks, since banks have more resources to implement all the specifications.
It is worth mentioning that PSD2 compliance is not cheap, not only in terms of development but also in maintaining the functionality over the whole lifespan of the company. The price tag reaches tens or even hundreds of thousands of EUR annually.
It is crucial to understand that the regulatory requirement to implement these changes gives birth to a whole new crop of financial services and products and thus opens a new chapter for the entire financial industry, starting with the banks themselves as the ultimate holders of the clients and their accounts. The directive requires the regulated account access to be provided without charge, but banks can monetize additional API services built on the same infrastructure.
Banks that have implemented PSD2 can activate the comparatively new "Banking as a Service" business model, which is gaining momentum in Europe and Asia. In the UK, 9% of the population used Open Banking products in 2018. It is worth mentioning that the UK has a national technical standard (the Open Banking Standard maintained by the Open Banking Implementation Entity) which sets universal rules for banks across the country and makes Open Banking penetration much higher than in other European countries.
In my opinion, a universal standard is a much more beneficial decision from the standpoint of developers and vendors. It eliminates the need to support tens or hundreds of different integration services and data structures. At the same time, banks and financial institutions do not need to reinvent the wheel if there is a universal standard for data exchange, which is discussed in detail below.
The concept of Open Banking is actively spreading beyond the European Union.
For instance, Australia, Canada, Hong Kong, Japan, Israel, Mexico, New Zealand and Singapore already have approved Open Banking programmes for the near future.
Open Banking WorldWide
When discussing PSD2 we cannot skip the developers, who are the final consumers of the APIs provided by the financial services companies. The more developer-friendly the API, the faster your partners and end users integrate. There are reviews by developers who examine and score the APIs available on the market.
One example is a recent rating of payment services by the well-known developer resource ProgrammableWeb. Interestingly, only one bank is mentioned in it. Our company did similar research in autumn 2018: only 2 of the 32 banks reviewed earned the status "Developer Friendly", 8 could claim the status "Work in progress", and the majority were simply at the very start of their PSD2 journey. There were even unique cases such as a developer portal in PDF format, in Turkish! We are currently preparing research on 50 banks, due to be finished by the end of the summer, so that we can see which banks will miss the final deadline in September.
New technical standards
While on the subject of developer portals, we would like to shed light on several critical technologies which are being adopted not only by regulators but also by the bodies that define how the global web works.
For instance, the W3C, which defines the standards that all modern browsers follow as well as many other protocols, recently published Web Authentication (WebAuthn), the browser API for FIDO-based strong authentication, as an official W3C Recommendation, and the major browsers already support it.
FIDO authenticators are typically hardware security keys (or authenticators built into the device) which act as an additional security factor and are driven directly by the browser, so no additional software or drivers need to be installed, which significantly simplifies usage for the end user.
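What makes the browser-driven FIDO flow resistant to phishing is that the browser, not the page, writes the origin into the signed client data, and the bank's server must check it. The following is an added example (not code from the original article, nor from the W3C or FIDO specifications) of the relying-party-side checks on WebAuthn's clientDataJSON: ceremony type, fresh challenge, and exact origin. The origins, the challenge handling and the browser stand-in are constructed for the example.

```python
"""Relying-party checks on a WebAuthn clientDataJSON (added example).
Only the clientDataJSON part of assertion verification is shown; the
authenticator data, signature and sign-counter checks are not included."""
from __future__ import annotations

import base64
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"            # assumed relying-party origin
PHISHING_ORIGIN = "https://bank-example.com"  # constructed look-alike site


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add padding that WebAuthn's base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_challenge() -> bytes:
    """Server step: a fresh, unpredictable challenge stored against the session."""
    return secrets.token_bytes(32)


def browser_client_data(origin: str, challenge: bytes,
                        ceremony: str = "webauthn.get") -> bytes:
    """Stand-in for the browser: builds clientDataJSON the way the user agent does.
    The origin is filled in by the browser, not by page script, so a page
    served from a look-alike domain cannot claim the bank's origin."""
    return json.dumps({
        "type": ceremony,
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("utf-8")


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str,
                       ceremony: str = "webauthn.get") -> tuple[bool, str]:
    """Check type, challenge and origin of clientDataJSON; returns (ok, reason)."""
    try:
        data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid UTF-8 JSON"
    if not isinstance(data, dict):
        return False, "clientDataJSON is not a JSON object"
    if data.get("type") != ceremony:
        return False, f"wrong ceremony type {data.get('type')!r}"
    try:
        challenge = b64url_decode(str(data.get("challenge", "")))
    except ValueError:
        return False, "challenge is not base64url"
    # Constant-time compare; a stale or replayed response fails here.
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    # Exact string match on the full origin (scheme, host and port).
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    return True, "clientDataJSON ok"


if __name__ == "__main__":
    ch = issue_challenge()
    print("genuine:", verify_client_data(browser_client_data(RP_ORIGIN, ch), ch, RP_ORIGIN))
    # Attacker relays the bank's real challenge to a victim on the look-alike site.
    print("phished:", verify_client_data(browser_client_data(PHISHING_ORIGIN, ch), ch, RP_ORIGIN))
    print("replay: ", verify_client_data(browser_client_data(RP_ORIGIN, ch), issue_challenge(), RP_ORIGIN))
```

In a real deployment the browser itself already refuses to use a credential whose RP ID does not match the page's domain; the origin check above is the server's independent defence, and it must be followed by verifying the RP ID hash and flags in the authenticator data and the signature over authenticatorData || SHA-256(clientDataJSON).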
Another new W3C standard is the Payment Request API, which is useful for PISPs: it lets the browser take over part of the payment flow and offers the end user a clear, uniform interface.
Those who rely on OpenID should look at the OpenID Foundation's Financial-grade API (FAPI) working group, which maintains a hardened OpenID Connect / OAuth 2.0 profile for financial services. Another important development for the payment industry is 3-D Secure, long and widely used, which is being significantly updated and expanded under the simple name 3-D Secure 2. More details can be found in the documentation of Wirecard, a leading European card processor and bank.
ISO has prepared a universal standard for exchanging financial messages, ISO 20022 (Universal financial industry message scheme). The standard aims to put the structure of financial messages in order and to ease integration between information systems.
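Because a PISP hands structured payment instructions to the bank, the bank side should verify the message is internally consistent before acting on it. The following is an added example (not code from the original article or from ISO) that parses an ISO 20022 pain.001.001.03 customer credit transfer initiation and checks that the declared transaction count and control sum match the transactions, that EndToEndIds are unique, and that every IBAN passes the ISO 13616 mod-97 check. The sample message, party names and amounts are constructed; the IBANs are the publicly documented example IBANs.

```python
"""Parse and sanity-check an ISO 20022 pain.001.001.03 message (added example)."""
from __future__ import annotations

from decimal import Decimal, InvalidOperation
import xml.etree.ElementTree as ET

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}

# Constructed sample: two EUR credit transfers from one debtor account.
SAMPLE_PAIN001 = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <GrpHdr>
      <MsgId>MSG-2019-0001</MsgId><CreDtTm>2019-05-20T10:15:00</CreDtTm>
      <NbOfTxs>2</NbOfTxs><CtrlSum>1250.00</CtrlSum>
      <InitgPty><Nm>Example Ltd</Nm></InitgPty>
    </GrpHdr>
    <PmtInf>
      <PmtInfId>PMT-0001</PmtInfId><PmtMtd>TRF</PmtMtd><ReqdExctnDt>2019-05-21</ReqdExctnDt>
      <Dbtr><Nm>Example Ltd</Nm></Dbtr>
      <DbtrAcct><Id><IBAN>DE89370400440532013000</IBAN></Id></DbtrAcct>
      <CdtTrfTxInf>
        <PmtId><EndToEndId>E2E-0001</EndToEndId></PmtId>
        <Amt><InstdAmt Ccy="EUR">1000.00</InstdAmt></Amt>
        <Cdtr><Nm>Alice Supplier</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>GB82WEST12345698765432</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
      <CdtTrfTxInf>
        <PmtId><EndToEndId>E2E-0002</EndToEndId></PmtId>
        <Amt><InstdAmt Ccy="EUR">250.00</InstdAmt></Amt>
        <Cdtr><Nm>Bob Services</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>FR1420041010050500013M02606</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>"""

# Same message with one amount altered in transit (constructed): CtrlSum no longer matches.
TAMPERED_PAIN001 = SAMPLE_PAIN001.replace('<InstdAmt Ccy="EUR">250.00<', '<InstdAmt Ccy="EUR">2500.00<')


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: structure only, says nothing about account existence."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                       # move country code + check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def parse_pain001(xml_text: str) -> dict:
    """Extract group header fields and the individual credit transfers."""
    # NOTE: stdlib ElementTree still expands internal entities; for untrusted
    # input use defusedxml.ElementTree.fromstring instead.
    root = ET.fromstring(xml_text)
    hdr = root.find("p:CstmrCdtTrfInitn/p:GrpHdr", NS)
    if hdr is None:
        raise ValueError("not a pain.001.001.03 message")
    txs = []
    for pmt in root.findall("p:CstmrCdtTrfInitn/p:PmtInf", NS):
        debtor_iban = pmt.findtext("p:DbtrAcct/p:Id/p:IBAN", default="", namespaces=NS)
        for tx in pmt.findall("p:CdtTrfTxInf", NS):
            amt = tx.find("p:Amt/p:InstdAmt", NS)
            txs.append({
                "end_to_end_id": tx.findtext("p:PmtId/p:EndToEndId", default="", namespaces=NS),
                "amount": Decimal(amt.text.strip()) if amt is not None and amt.text else None,
                "currency": amt.get("Ccy") if amt is not None else None,
                "debtor_iban": debtor_iban,
                "creditor_iban": tx.findtext("p:CdtrAcct/p:Id/p:IBAN", default="", namespaces=NS),
            })
    return {
        "msg_id": hdr.findtext("p:MsgId", default="", namespaces=NS),
        "nb_of_txs": int(hdr.findtext("p:NbOfTxs", default="-1", namespaces=NS)),
        "ctrl_sum": Decimal(hdr.findtext("p:CtrlSum", default="0", namespaces=NS)),
        "transactions": txs,
    }


def validate_pain001(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the message is consistent."""
    try:
        msg = parse_pain001(xml_text)
    except (ET.ParseError, ValueError, InvalidOperation) as exc:
        return [f"unparseable message: {exc}"]
    problems = []
    txs = msg["transactions"]
    if msg["nb_of_txs"] != len(txs):
        problems.append(f"NbOfTxs={msg['nb_of_txs']} but message carries {len(txs)} transactions")
    total = sum((t["amount"] for t in txs if t["amount"] is not None), Decimal("0"))
    if total != msg["ctrl_sum"]:
        problems.append(f"CtrlSum={msg['ctrl_sum']} but amounts add up to {total}")
    seen = set()
    for t in txs:
        e2e = t["end_to_end_id"]
        if e2e in seen:                              # a repeated id suggests a replayed instruction
            problems.append(f"duplicate EndToEndId {e2e}")
        seen.add(e2e)
        if t["amount"] is None or t["amount"] <= 0:
            problems.append(f"{e2e}: missing or non-positive amount")
        if not (t["currency"] and len(t["currency"]) == 3 and t["currency"].isalpha()):
            problems.append(f"{e2e}: bad Ccy {t['currency']!r}")
        for role in ("debtor_iban", "creditor_iban"):
            if not iban_is_valid(t[role]):
                problems.append(f"{e2e}: invalid {role} {t[role]!r}")
    return problems


if __name__ == "__main__":
    print("sample:  ", validate_pain001(SAMPLE_PAIN001) or "ok")
    print("tampered:", validate_pain001(TAMPERED_PAIN001))
```

The control-sum and count checks are what the schema itself cannot enforce; a message that fails them should be rejected rather than repaired, since you cannot tell which side of the mismatch was altered.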
The right to be forgotten
Talking about European technological standards, we should also mention the GDPR (General Data Protection Regulation) in action. European authorities take the data privacy of their citizens seriously and oblige companies to comply with the new rules.
GDPR took effect in 2018, so there is not much data yet. There have been around 200,000 complaints; around 50% were rejected, 50% are still in process and about 1% were resolved with fines.
Google has already been fined EUR 50 mn, and Facebook might be out of pocket by EUR 1.3 bn.
In opening their infrastructure to third parties under PSD2, banks and financial companies must use secure algorithms and procedures.
In other words, a PSD2 implementation should avoid handing attackers a brand new attack surface. At the moment the picture does not look very secure, and although new types of attack have not materialised yet, attackers are probably preparing intensively to go after this sweet spot of the banking industry.
"Experts at Positive Technologies evaluated the level of online banking security in 2018 and found that 54% of the reviewed sample allowed hackers to steal money, and that the threat of unsanctioned access to personal accounts and banking information existed in all of the online banks." Isn't that mind-boggling?
Special attention should be paid to new types of attack such as synthetic identities. Where a financial operator never meets the client in person, it may ask for a social media profile to analyse. Criminals have responded by setting up dedicated operations that breed large numbers of fake profiles.
Machine learning and artificial intelligence open new horizons for attackers and expand the scope of their activities. That is why a number of countries have signed a policy describing the ethics of ML and AI tool usage.
For instance, the service This Person Does Not Exist generates a new photo of a person each time the site is opened. For targeted phishing attacks, a neural network can generate any kind of picture of anyone given preliminary training, and the culture of photo sharing on social media makes that training material incredibly easy to obtain.
To summarise, Europe is currently leading in online banking development. On the one hand this opens new opportunities and market segments; on the other it brings new challenges for developers and raises costs for business owners.
However, according to experts, the positive sum result of the implementation will outweigh all the costs incurred during the transitional period. Forward-looking financial institutions are already factoring in the new requirements and in a couple of years will drive rapid progress across the whole industry.
Terms and abbreviations
Strong Customer Authentication
- Knowledge (something only the user knows, e.g. password or PIN)
- Possession (something only the user possesses, e.g. mobile phone or ID card)
- Inherence (something the user is, e.g. fingerprint or facial recognition)
AISP, PISP, ASPSP
AISP (Account Information Service Providers) – Afterbanks, Fintonic, Cuéntica, Eurobits, Albert, MYValue …
PISP (Payment Initiation Service Providers) – Trustly (Scandinavia), Sofort (Germany), iDEAL (Netherlands)
ASPSP (Account Servicing Payment Service Providers) – the banks and other institutions that hold and service the payment accounts
Players in Open Banking/Banking as a Service field.
Chase Paymentech (Bank)
List of resources