Open Banking & PSD2: A Change of Paradigm

+

WHITE PAPER

OPEN BANKING & PSD2: A Change of Paradigm

WHITE PAPER

OPEN BANKING & PSD2: A Change of Paradigm

Copyright ©2017 by Strands All rights reserved. No part of this publication text may be uploaded or posted online without the prior written permission of the publisher. For permission requests, write to the publisher, addressed “Attention: Permissions Request,” to marketing@strands.com.

EXECUTIVE SUMMARY PSD2. The Revised Payment Services Directive which is set to revolutionize the banking sector. A change of mindset, beyond which lies a wealth of opportunity that for the more open-minded financial institution, could prove far more beneficial than they had previously thought possible. The rewards? New revenue channels, reduced churn, a closer, more sustainable relationship with underserved markets, and above all, a dramatically improved customer experience. This White Paper will help you break down the jargon, and better understand how both customers and banks will be affected by this new legislation at this critical stage in the process.

Open Banking & PSD2: A Change of Paradigm

Contents I. Introduction - What Is PSD2 and What’s it All About? .................5 II. A Little PSD2 Background: What’s Changed Between PSD and PSD2? ....................................................................................................7 III. What Will Change? ................................................................................8 IV. When Will PSD2 Come Into Force? ...............................................12 V. Beyond PSD2: Open Banking & The Opportunities .................13 VI. The Bank & Their Role - What Does It Mean to Be PSD2 Compliant (and is it enough just to comply?)....................................14 VII. The “Everyday” Bank ........................................................................16 VII. How can Strands help?.....................................................................17 IX. Glossary .................................................................................................18 Resources ..................................................................................................20

4

I. Introduction - What Is PSD2 and What’s it All About? PSD2 is a new and updated version of its predecessor created in 2007. Since this legislation was passed, much has changed in banking and as such, modifications needed to be made. At its core: the customer. The age of the bank holding the key to all their customer data has come to an end, and the shift to a customer-centric banking paradigm has begun. Customers now decide which online payments and financial transactions they carry out, and what information they share, with whom and when. Banks simply have to adapt to fit.

New TPP Players

More SEPA Payments

Enhanced Security

Payment Initation Service Providers (PISPs)

Non-EU currencies with both legs in EU

Strong customer autentification

Account Information Service Providers (AISPs)

All currencies with one leg in EU

Secure & open access to customeraccounts (XSA2)

Better Consumer Protections Unconditional refund rights Fraud protection

Fig. 1 Source: Axway Digital Banking Checklist PSD2

Advances in Machine Learning, online and mobile technologies have greatly improved customer-company relations, with the user experience the vital component and common denominator across industries. Banking, a sector in which FinTech is transforming financial services globally, is no different. The consumer is welcoming the shift to client-first with open arms, as a wave of inspiration and innovation is unleashed amongst traditional banks. The European Banking Authority (EBA) can see clear benefits with the new PSD2 regulations and the potential to encourage collaboration between financial companies, with a view to creating the optimal user experience. 5

Open Banking & PSD2: A Change of Paradigm

With this legislation will come transparency the likes of which banks have never experienced. Having controlled all customer transactional data, protected from all competition and prying eyes from time immemorial, they are now forced to lower their portcullis to allow third parties cross the threshold and access protected customer information. In today’s digital climate and the age of data analytics, it was only a matter of time before information of such huge relevance to multiple parties became freely accessible.

Innovation in banking had been limited until this Europe-wide regulation was passed.

6

Open Banking & PSD2: A Change of Paradigm

II. A Little PSD2 Background: What’s Changed Between PSD and PSD2?

PSD - 2007

PSD2 - 2018

The first European single payments market.

More scope to include newer types of payment services. Level playing field for payment service providers.

Safer cross-border payments. As secure as national transfers.

Cheaper alternatives for internet payments which had previously been unregulated.

Ease of access for new market entrants and payment institutions

Regulation on fees for card-based transactions (Interchange Fee Regulation)

More competition and greater customer choice

A more integrated and efficient EU payment market.

Greater transparency and information for consumers

Encourages lower prices for payments and disruption

Quicker payments

Protection for consumers and more secure payment.

Banks to give TPPs access to raw account data (balances/ transactions) through APIs and initiate payment transactions on behalf of the customer, with customer permission.

7

Open Banking & PSD2: A Change of Paradigm

III. What Will Change? AN UPDATED PAYMENT MODEL INCLUDING A PAYMENT INITIATION SERVICE PROVIDER (PISP)

Customer

Merchant

AN UPDATED INTERACTION MODEL INCLUDING AN ACCOUNT INFORMATION SERVICE PROVIDER (AISP)

Customer

AISP

PISP API

API

API

API Acquirer Bank/ Processor

Issuer Bank

Card Network

Present flow

Customer’s Bank A

Customer’s Bank B

Customer’s Bank C

Future flow

Fig. 2 Updated Payment Models including PISPs and AISPs. Source: Accenture

PAYMENTS Let’s break down this image (see Fig. 2). In the left-hand side image, the dotted line shows what currently happens when we make a payment online: the customer pays the merchant, the merchant asks for permission from the acquirer bank (the financial institution that maintains the merchant’s bank account and enables them to process debit and credit card transactions). The acquirer bank passes the merchant’s transactions along to the applicable issuing banks to receive payment.

8

Open Banking & PSD2: A Change of Paradigm

The continuous lines demonstrate the updated payment model including a payment initiation service provider (PISP). Third parties will be able to initiate online payments to an e-merchant or other beneficiary directly from the payer’s bank account via an online portal, cutting out the middle-man altogether. Banks, FinTech companies and large merchants would likely have capacity to provide such payment initiation services. On the right, the image depicts an updated payment model including a account information service provider (AISP), showing how third parties will be able to extract a customer’s account information data including transaction history and balances, and initiate an online payment to an e-merchant directly from the customer’s bank account, using an online portal. According to a survey carried out by Accenture, one in three debit card payments and one in 10 credit card payments are expected to move to PISP by

  1. Seventy-six percent of consumers are likely to choose traditional banks as their PISP over third-party PISPs. Banks have an important advantage over the competition - the element of trust. Banks strictly adhere to regulation and offer a less-risky option for the customer. Internet newcomers have fewer constraints and more is at stake.

SECURITY With this change, banks will be faced with one main concern: security, and how opening the floodgates, to all intents and purposes, will affect the stronghold they have traditionally had over their customers’ sensitive data. This is where SCA, or Strong Customer Authentication, comes into play: two levels of security ‘filters’ which, depending on the transaction, involve one or two authentication steps. To ensure optimum safety, transactions will now require two means of authentication and all payments and access to user data initiated by third parties will be closely monitored and controlled. SCA is essentially the implementation of identification mechanisms which allow banks to refuse third parties entry to customer data where necessary, and trace all third party transactions at all times. SCA puts access to financial data via web scraping firmly in check.

9

Open Banking & PSD2: A Change of Paradigm

2FA is considered to be authentication that is based on the use of two or more elements: knowledge (something only the user knows, e.g. password, PIN, etc…) possession (something only the user possesses, e.g. card, token), and inherence (something the user is e.g., biometrics) Both elements should be independent from one another (so the breach of one does not compromise the reliability of the others) and SCA is designed in such a way as to protect the confidentiality of the authentication data. Both SCA and 2FA will require a prior verification process to filter third parties within the bank’s API marketplace, meaning banks will have to implement measures to ensure security, traceability and control to block unwanted or unlawful access to user data. It shall apply to: Electronic payments initiated by the payer, such as credit transfers or card payments, but does not apply to electronic payments initiated by the payee only, such as direct debits. Any action through a remote channel which may imply a risk of payment fraud. Banks, to be in compliance with PSD2 regulations, will also need to provide a Sandbox testing environment to allow third party providers to join the bank’s marketplace and develop their financial services. PSD2 represents a strategic move by the EBA to create a freer financial sector in which all parties involved collaborate for the customer’s benefit.

SO, WHO BENEFITS? For customers, having access to and control over their own banking data will mean increased options for choosing and using financial products, and better ways to manage their finances. The end-user also gains access to third-party services and products as a direct result of this growing competition, and as industry players reinvent themselves and their offering. For industry challengers, having access to open bankdata, and clear, secure ways to integrate it with shared customer data, will mean they can quickly develop new, or better, products and services. For banks, being able to make 10

Open Banking & PSD2: A Change of Paradigm

their interactions with customers smoother and simpler will help them to find efficiencies, improve customer service and deepen their customer base. So, the EU is happy, the customer is happy, but what about the banks? Open Banking will go a long way to providing the solution to banks’ main concerns or pain points: additional revenue streams, greater customer fidelity, reduced churn rates and above all, a better, fuller picture of their customers’ habits. “Forward-thinking banks will have better luck keeping existing customers and attracting new ones, as companies with public APIs had three times more online traffic growth from 2014 to 2015 than those without open APIs”, according to Apigee research. A glimmer of hope for the bank? Much more than that, actually. By guiding how banking data can be better opened, accessed and shared, the Open Banking Standard will help developers to build services that are more targeted to meet the needs of customers, suppliers and other innovators in finance. Banks’ experience and in-depth knowledge of customers and their habits gives them the upper hand and puts them in a hugely advantageous position from which to reinvent reinvent themselves, and what it means to be a bank.

Banks’ experience and in-depth knowledge of customers and their habits gives them the upper hand.

11

Open Banking & PSD2: A Change of Paradigm

IV. When Will PSD2 Come Into Force? By mid-2018, banks will need to be able to show what measures they propose to take in compliance with these new rules. At this stage, it is becoming increasingly likely that there will a two-phase approach to adoption. Actual implementation will be nearer the 4th quarter of 2018.

2007 24th July European Commission first PSD2 proposal.

December PSD1 comes into force.

2013 5th May Political agreement among Commision, Parliament & Council.

8th October European Parliament adopts PSD2.

16th November Council of the EU adopts PSD2. 23rd December PSD2 published in Official Journal of the EU. Q1 EBA to complete consultation process for Regulatory Technical Standarts.

2016

Q1 EBA to publish Regulatory Technical Standards.

2017 Q4 Member States to complete transposition into national legislation.

13th January Current deadline for PSD2 implementation into national laws and regulations. (initial implementation phase) Screen scraping is no longer allowed.

18th September Member states to provide Commission with details of compliance (and every 2 years thereafter).

2018 12th July banks must have have submitted additional information required, so as not to lose authorization.

November / December The RTS (Regulatory Technical Standards) on security and authentication come into force.

Fig. 3: PSD Timeline. Source: www.ximedes.com

12

V. Beyond PSD2: Open Banking & The Opportunities For banks to take advantage of the opportunities that Open Banking offers, and the enhanced data and broader perspective it brings, they must be able to work with what they have at their disposal now, rather than place the focus entirely on the future: they must first be able to understand the data they currently have within their reach. This means being able to identify patterns, trends and clusters of users, before adding more external data to the equation. Once they are clear about how to segment and understand their own data, the final piece of the puzzle will be all the more useful. In a world of open banking, traditional retail banks, with their own products and distribution channels, can specialize in one or more sub-steps of the end-to-end process, promoting the areas in which they have a clear competitive advantage and leveraging the scale and efficiency that partnerships with other players enable. One area in which banks can differentiate themselves from the competition, is regarding trust. As touched on earlier in this document, banks will find that customers are much more likely to feel secure in using services from a trusted bank, rather than a new market entrant. Far from losing out from adapting to this new system, banks will discover new revenue models and business opportunities to be explored, offering the best, most convenient service (own or third party) to their clients at any given time and establishing new third-party collaboration models.

13

VI. The Bank & Their Role - What Does It Mean to Be PSD2 Compliant (and is it enough just to comply?) For banks to be in compliance with this new legislation, all that is required is for data access to be given to third parties, and a basic-level open API should be provided. Simple. But with this new system comes a whole host of new opportunities for the bank that knows how to avail of them. Anything done by half measures will only yield half the results. PSD2 is no different. Figure 4 proves that only by going the extra mile and creating a superior API platform, setting up as an AISP or PISP or offering services above and beyond the call of duty, are banks likely to become the user’s main bank. Basic compliance is more a reactive than a proactive approach. Simply allowing external access to data and providing a base-level open API, will tick all the boxes for first-level implementation (stage 1, Fig. 4). For good measure, a little more-segmented information could be offered (stage 2, Fig. 4). This is where banks can begin to leverage their current upper hand, and create new revenue channels. Cashing in on their raw data will be short-lived, so a little foresight and perspective will be key in ensuring their future success. Stages 3 and 4 in the Fig. 4 show what the future can hold if a bank is open to reinventing itself, providing new services and greater insight to third parties. Banks will gain the offsetting benefit of participating in larger profit pools in which they should be well positioned to play a leading role, creating new service propositions combining predictive analytics, artificial intelligence, and financing to enhance consumer and business offerings, for example. Among incumbents, organizations that are proactive and nimble enough to be first to deliver innovative, appealing products that customers want and need (e.g, intuitive interfaces and value-added services such as budgeting, expense categorization such as that offered by digital entrants like Monzo or top-tier banks like Barclays or Deutsche Bank) will gain huge advantage over the rest.

14

Open Banking & PSD2: A Change of Paradigm

LOW VS HIGH DIGITAL AMBITION

Become a “utility bank”

Become an “Everyday Bank”

STRATEGIC OPTIONS 1 Comply with PSD2

Comply with PSD2 requirements Give 3rd parties access to data required by law Provide a basiclevel open API (free for anyone)

2

3

Facilitate & Monetise Access

Provide Advice & New Services

Comply with PSD2 requirements

Comply with PSD2 requirements

Develop more advanced API; allow granular data access beyond what is required by law

Extend from providing API access into providing insight and services to monetise data

Monetize access to raw data and banking services to create unconventional revenues

Establish as an AISP and/or PISP

4 Expand Ecosystem & Aggregate Value Comply with PSD2 requirements Open APIs to create an ecosystem between the bank, merchant and consumers Offer products & services to address financial & non-financial needs Become an ‘Everyday Bank’, central to a customer’s daily transactions

Fig. 4: PSD “LEVELS”. Source: Accenture

15

Open Banking & PSD2: A Change of Paradigm

VII. The “Everyday” Bank After basic compliance with legislation is covered, banks can move into new territory, safe in the knowledge that they are in poll position when it comes to knowing the needs and wants of the customer. Rather than simply providing a channel through which to access data, the more ambitious bank will go beyond the data provision required by law, capitalizing on the data and services they provide to third parties and offering products and services that provide a relevant solution to the end-user. The shift is from being merely a bank, towards being at the centre of their financial ecosystem, creating a bridge between the customer and third-party providers for all the services the client needs on a dayto-day basis and more importantly, making life easier on the one that calls the shots. The customer. The bank is facilitator, value aggregator and a provider in their own right, and can negotiate deals on their customers’ behalf. Time is of the essence, however, because to become the bank of choice, there is fierce competition, with banks and non-banks vying for that all-important role.

UMER GOODS CONS TR AN S

T

N

AV E

L VA

R

U

L&

L EIS

URE

M COM

U

IO AT NIC

& EDUCATION

ATIO N

RM

GR

AG

D-Market Place

I LI

TI O

C FA

C OTE

AT O

TR

Target Ads

Ticketing

FO

BANK

E

ACC E S S

HEALTH & PR

Couponing, Vouchering, Loyalty

Polymorphic Payments

EG A TO R

Comparator

IN

HO M E

Buying Suggestions

ION AT RT PO

PROVIDE VICE R AD

N

Fig. 5: PSD “LEVELS”. Source: Accenture

16

Open Banking & PSD2: A Change of Paradigm

VII. How can Strands help? Although a go-it-alone approach may be viable for institutions with ample resources and an agile culture, varying gradations of partnership may be a more plausible strategy. Strands is committed to enabling banks and merchants to anticipate the needs of customers and create long-term value for their users, remaining relevant and empowering people to better manage their financial life with a wide range of tools:

PFM Strands’ Personal Financial Management (PFM) tool is all customers need to take a more active role in their personal money management, whilst receiving relevant offers based on their spending habits. Our intuitive PFM tool is able to preempt customer needs, providing fitting solutions in real time and a greater understanding of finances in the long term.

BFM Strands Business Financial Management (BFM) is the comprehensive digital banking solution for managing business financials, designed especially for SME banking customers.

API HUB A full financial picture in one place. All customer accounts in one place and less time spent logging into different accounts to carry out simple transactions. The only place customers need go to manage their money.

17

Open Banking & PSD2: A Change of Paradigm

IX. Glossary Open Banking - this is the ‘umbrella’ concept that encompasses a new form of banking. The Open Banking Standard recommends that open APIs need to exist for banking, to help provide open access to open data and shared access to private data. Access to private data through open APIs can only be given with the data owner’s permission, subject to approved security and technical standards. Open APIs - An API, or Application Programming Interface is a technology that can help provide access to open data (such as a list of products that a bank provides) and secure shared access to private data (such as a list of the transactions in an individual’s bank statements). Data accessed via an open API may be closed, shared or open. Open APIs need to be supported by robust security, legal and governance frameworks, and allow companies to crosspollinate or collaborate. PSD2 - Revised Payment Service Directive (EU) - this is the revised one, hence the 2. The first PSD was passed by the EU in 2007 and needed updating to incorporate new types of payment services, amongst other things. The new regulations were approved in 2015, but will be implemented in 2018. OFX - Open Financial Exchange (US) is an open standard for client-server systems and cloud-based APIs for exchanging financial data, and performing transactions between financial institutions and applications. Dodd Frank (US). The Dodd-Frank Wall Street Reform and Consumer Protection Act is a massive piece of financial reform legislation passed by the Obama administration in 2010 as a response to the financial crisis of 2008. Under current revision by the Trump administration, so scale-backs are likely. PISP - Under PSD2, Payment Initiation Service Providers will be able to initiate online payments from the payer’s bank account. AISP - Account Information Service Providers will be able to extract and accumulate customer account data, including transaction history and account balance.

18

Open Banking & PSD2: A Change of Paradigm

ASPSP (Account Servicing Payment Service Providers) aka banks and financial institutions, are the account providers that are required to offer APIs to PISPS and AISPs. TPP - Third Party Provider. Anyone that offers money management or payment services. Lots of these coming out of the woodwork, not least Apple, Google and Facebook. XS2A - Access to Account. SCA - Strong Customer Authentication - with freer access to customer information comes a need for heightened security. One of the main issues customers have with handing over personal financial data is that by doing so, they are putting themselves at risk. SCA can be carried out in 3 ways: knowledge (password or PIN no.), possession (using a token or smart device), or inherence (something inherent to the user such as biometric characteristics). This applies to transactions where the payer a) accesses their payment account online, b) initiates an e-payment transaction and c) carries out any action using a remote channel where risk of identity fraud is high. 2FA/TFA - Two-Factor Authentication- This is authentication taken to the next level, using two independent components to access information.

19

Open Banking & PSD2: A Change of Paradigm

Resources “Open banking: setting a standard and enabling innovation” The Odi https://theodi.org/ open-banking-standard “Consumers’ initial reactions to the new services enabled by PSD2” Accenture https:// www.accenture.com/t20160831T035645w/us-en/_acnmedia/PDF-19/AccentureBanking-Opportunities-EU-PSD2-v2.pdf “Consumer’s reactions to AISP and PISP - The new PSD2-enabled services” Accenture https://www.accenture.com/gb-en/insight-consumer-reactions-aisp-pisp-new-psd2enabled-services “PSD2 - opportunities, threats and strategic options for banks” Finextra https:// www.finextra.com/blogposting/13090/psd2---opportunities-threats-and-strategic-optionsfor-banks “The Future Of Banking: Innovation & Disruption in light of the revised European Payment Services Directive (PSD2)” PWC https://www.pwc.com/it/en/industries/banking/ assets/docs/future-banking-psd2.pdf “An obscure European law will profoundly change how you’ll use banks” Forbes https:// www.forbes.com/sites/alanmcintyre/2017/06/05/an-obscure-european-law-willprofoundly-change-how-youll-use-banks/#c0dd0565b057 “Security v convenience: strong customer authentication under PSD2” Lexology http:// www.lexology.com/library/detail.aspx?g=f4914aa9-5499-49c5-b6d3-7aacc5491c2d “What is 2FA?” Securenvoy https://www.securenvoy.com/two-factor-authentication/ what-is-2fa.shtm “How to build an Everyday Bank” The Financial Brand https://thefinancialbrand.com/ 38023/digital-big-data-banking-accenture/ “PSD2 XS2A adoption – what are the implications for banks?” The Paypers http:// www.thepaypers.com/expert-opinion/psd2-xs2a-adoption-what-are-the-implications-forbanks-/763148 “Payments regulatory timeline” Osborne Clarke http://www.osborneclarke.com/media/ filer_public/90/79/907918b9-6e8f-4d22-9b13-70efd48d3cb6/payments-regulatorytimeline-feb2016.pdf

20

Open Banking & PSD2: A Change of Paradigm

OPEN BANKING & PDS2

STRANDS WORLDWIDE Strands is the FinTech partner for banks, having delivered more than 600 bank implementations for over 100 million customers in 36 countries. Clients include Barclays, BBVA, Bank of Montreal, Commercial Bank of Africa, Deutsche Bank, and Huntington, among others. Strands is a FinTech pioneer with the award-winning solution for Personal Financial Management (PFM) launched in 2008 in the United States and Europe. Strands Finance Suite today includes a portfolio of products that share a common foundation based on Big Data Processing, Artificial Intelligence, Machine Learning, Open API and best-in-class Customer Experience. The company’s mission is to enable banks and merchants to anticipate customer needs and proactively suggest next-best-actions to increase long-term customer value. Strands’ solutions empower people to better manage their financial and consumer lifestyle, and make decisions in a smarter, more transparent and independent way.

www.strands.com | blog.strands.com | twitter.com/StrandsFinance

21