For many involved in the European banking sector, PSD2 (Payment Services Directive 2) and the RTS (Regulatory Technical Standards) have loomed large for some time, and the same probably holds true for the wider financial services and eCommerce industry. PSD2, which aims to protect consumers while encouraging innovation and competition in the financial sector, came into force in January 2016 and needs to be transposed into the national legislation of EU member states within two years of that date.
In parallel, the EBA (European Banking Authority) was empowered by the European Commission to deliver the RTS that will translate PSD2 into technical requirements. This means that by early 2019, banks, fintechs and businesses using payments credentials need to be adhering to these new rules, and the industry has waited with baited breath to learn what these might look like.
Now, after months of discussions and debates, the EBA has just released a new version of the RTS that is commonly expected to be the final one. The next steps are now the adoption – or rejection – of the RTS by the European Parliament and Council within the next three months. Assuming they’re not rejected, they’ll come into force 18 months later, with a preliminary six month testing phase, meaning banks only have until March 2019 to be ready.
Foundations for a true open banking approach in Europe
The revised RTS standards are a major step towards the market transformation that PSD2 promises to deliver. The core principles of the RTS – i.e. Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA) – have been maintained, confirming the directive’s security objectives. Open APIs will become the new standard for communication between TPPs (Third Party Providers) and banks. Screen scraping is only present as a fall-back mechanism and an incentive for banks to implement robust interfaces, as it is hardly compatible with the RTS security requirements.
This final version is a good compromise between the European Banking Authority’s initial position and the first feedback from the fintech community, which had been concerned about the impact on their business models. Application developers mainly feared the great user experience they offer – which is instrumental to adoption – could be compromised by a cumbersome authentication experience or a poor API performance.
A new article explicitly prevents banks from creating hurdles for TPPs to deliver their service. Of particular interest is the fact that the redirection to a bank’s interface for SCA may no longer be sufficient, as it’s now defined as a potential obstacle to the provision of TPP services if imposed. This alone should pave the way to new innovative SCA scenarios which offer better interoperability between TPPs and banks.
What next for the industry?
Now the rules are clear, it will be very interesting to watch banks and fintechs’ reactions, and how they plan to combine the directive’s twin objectives of consumer protection and enhanced competition to create new and compelling user experiences.
Several leading banks have already followed in the steps of TPPs by launching account aggregation and P2P payment services. Many financial institutions have also come to realize they could leverage the innovation capabilities of fintechs by partnering with them.
Digitalization may have already transformed the banking and retail environments, but there are still numerous opportunities for further growth and innovation – not to mention a rich array of new services for customers. At the same time, cyber-crime poses an ever more serious threat to both the integrity of customer data and end user confidence. The RTS for PSD2 are critical in terms of addressing these issues and facilitating the transition to a truly open banking experience throughout Europe.
Now the clock is ticking – banks will have to make sure they are ready by March 2019, six months before the RTS come into force.