2018 is set to be a pivotal year for the financial services industry with both the General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) due to become law, transforming the way that businesses approach their customers’ data.
While GDPR looks to ringfence consumer privacy, PSD2 conversely looks to unleash the banking and payments sector, allowing third-party access to customer data. The combination is a potent legislative cocktail that will challenge banks and fintech companies as the European Union (EU) looks to actively enforce data protection rules while fostering a more open and competitive financial marketplace – writes Ian Clark, Vice President, API Management, CA Technologies.
Both are the subject of much debate. But in this article, I want to explore PSD2, what it means for the financial community and the steps that must be taken in the lead-up to this pivotal year.
PSD2: Becoming law
PSD2 updates the original Payment Services Directive and was proposed by the European Commission in 2013. But January 2018 is the date on everyone’s lips as 28 EU member states transpose the provisions of PSD2 into national law.
PSD2 will revolutionise the way we make digital payments by allowing consumers to have the option of using third-party providers to manage their financial assets. It will take us from a ‘monolithic model’, where consumers interact primarily with just a single bank to a ‘banking platform model’ where consumers have the option of leveraging multiple services from multiple financial service providers and banks.
The regulation looks to level the playing field, creating a single integrated payment services market with uniform approaches for both banks and the emerging payments and fintech companies. It will further free the market by removing barriers to entry for new operators. The regulation does this by strengthening uniform security for all stakeholders, unlocking the opportunity for new payment services, ensuring transparency and promoting market competition through innovation.
Educating the consumer
PSD2 has the potential to be hugely beneficial to consumers and therefore to businesses delivering those services. PSD2 allows for faster payments and makes strong customer authentication mandatory. With consumers demanding access to all their banking services across every digital channel, whenever and wherever they are, this regulation gives the financial services market the chance to properly respond and deliver on those expectations.
But with less than six months to go before it is enacted into law, 89% of consumers do not know what PSD2 actually means for them. Banks need to take the lead in educating the public on the potential implications that the new regulations will have for them, allaying their concerns around data protection. Without effective communication, banks risk losing the trust of their customer base. Those that get it right could gain a competitive advantage here.
Realising the business opportunity
From a business perspective, PSD2 enables the industry to be more open, innovative and collaborative. But financial services companies must grasp that opportunity with both hands. With this in place, banks and fintech providers can partner to develop innovative new services that were not previously possible. However, the larger banks need to ensure that they are receptive to this change and become more open to sharing data and insights with fintech companies, or they could be left behind.
As with all modern data issues, implementing new technologies is crucial here and banks are turning to the latest enterprise software to make them more agile ahead of the PSD2 deadline.
Here are two examples of how organisations may encounter the new Directive, with recommended tools to help meet and surpass its key requirements for stronger authentication and open, secure communications:
- Issue: Online banking security
Solution: Advanced authentication: Advanced authentication is a flexible and scalable solution that incorporates both risk-based authentication methods, like device identification, geolocation and user activity, as well as a wide variety of multi-factor, strong authentication credentials. This solution allows financial organisations to create a layered, strong authentication process to ensure that only legitimate users gain access to their accounts and payment services.
- Issue: Account access and API security
Solution: API management: Application programming interfaces (APIs) provide the connectivity to meet PSD2’s open communications demands and requirements (e.g. Third-Party Provider (TPP) and Access to Account (XS2A)). API management provides the capabilities financial organisations need to address new digital transformation challenges. This platform secures the open enterprise, providing a secure integration capability across apps, devices, and businesses.
2018 and the introduction of PSD2, along with GDPR, will certainly bring disruption to the financial services market. However, this must be viewed as an exciting opportunity for businesses to re-evaluate their proposition to today’s consumer, and collaborate across the industry better to deliver new exciting innovative services.
There is potential for some delay to PSD2 given the lack of clarity of the EBA Regulatory Technical Standards (RTS) for strong customer authentication and common and secure communication. To ensure innovation is not stifled, the RTS takes a ‘what’ rather than a ‘how’ approach, leading many stakeholder banks to stall in defining their PSD2 strategy and building a solution.
Regardless of the possible delays until late 2018, to allow the details to be finalised, now is the time to consider an appropriate PSD2 strategy. Companies need to build a standards-based PSD2 platform that is ready for 2018 yet sufficiently flexible to adapt to the evolving regulatory and business needs of Open Banking that the market will demand.
If banks and fintech companies respond appropriately to these impending regulatory changes, a hugely positive shift for the market can be triggered, resulting in a far more consumer-centric operating model.