PREPARING FOR PSD2: EXPLORING THE BUSINESS AND TECHNOLOGY IMPLICATIONS OF THE NEW PAYMENT SERVICES DIRECTIVE

Transcription

1 A WHITE PAPER FROM FINEXTRA AND CA TECHNOLOGIES NOVEMBER 2017 PREPARING FOR PSD2: EXPLORING PSD2 AND UK MARKET ACTIVITY THE BUSINESS AND TECHNOLOGY IMPLICATIONS OF THE NEW PAYMENT SERVICES DIRECTIVE

2

3 JANUARY 2018 MAY BE THE PSD2 DEADLINE FOR NATIONAL LAWMAKERS BUT FOR PAYMENTS PARTICIPANTS IT IS JUST THE START OF AT LEAST AN 18 MONTH JOURNEY. NO BIG BANG Much has been written about Payment Services Directive 2 (PSD2) and its potential to herald a new era of open banking where banks no longer have a monopoly on payment services. Instead they will be forced to provide full access to customer accounts to third parties looking to provide financial services of their own, on top of banks existing data and infrastructure. All of this could prove to be true, just not on January 13th 2018, the deadline for national governments to transpose PSD2 into law. This is because there is still so much to be decided and clarified. The European Banking Authority s longawaited regulatory technical standards (RTS) on strong customer authentication (SCA) were issued in March 2017 but missing some of the finer details, such as the methods to remotely access customer data and account information and the measures around the use of application programming interfaces (APIs) and screen-scraping. 03 The major banks tell us that these final details will not be issued until the end of this year, giving them no time to interpret them into anything actionable by January Furthermore, while the RTS underpins much of how PSD2 operates, it is subject to a different timeline to the Directive and will only come into force after January 13th This is not to say that there are going to be any delays to the initial implementation of PSD2, however, banks are calling for more realism from the market in terms of what to expect on that January date. A survey of more than 200 European payment services professionals from 89 banks in 14 countries, conducted in June and July by Finextra in association with CA Technologies, exposed the lack of readiness. Only 5% said they had completed their preparations for PSD2. Only just over half (58%) expected to be PSD2 compliant by the January 2018 deadline while 31% were still in the phase of assessing what they need to do for PSD2.

4 PLEASE INDICATE WHICH STATEMENTS BELOW MOST CLOSELY DESCRIBE YOUR ORGANISATION S CURRENT SITUATION IN RELATION TO PSD2 (PLEASE TICK ALL THAT APPLY) My bank will be PSD2 compliant on time 58 % My bank is implementing the changes we need to make for PSD2 55 % 04 My bank is in the design phase of our PSD2 implementation My bank is still in the phase of assessing what we need to do for PSD2 My bank has implemented one or more new services inspired by the changes PSD2 brings My bank has implemented a solution for PSD2 which is future proofed, based on an agile methodology, meaning we can easily respond to changes going forward 19 % 31 % 30 % 43 % My bank has already abandoned one or more failed projects inspired by the changes PSD2 brings 10 % My bank has completed its preparations for PSD2 5 % Source: Finextra The survey also gave possible explanations for this lack of preparedness, from a lack of resources to confusion over regulatory requirements and a realisation of just how big the longer-term implications of the changes to the payments market will be. The question is what happens in the fuzzy 18 month period between January 2018 and mid-2019, by which time greater clarification will emerge around some of the outstanding issues facing banks.

5 PLAN FOR THE FUTURE For banks, payment processors and service providers alike, the challenge will be to anticipate changes and to plan for the various scenarios. For the moment though, many banks are maintaining a watching brief and plan to meet the minimum requirements for January 2018 and then increase their active involvement throughout the year. For example, this means complying with the basic provisions of PSD2 such as the need for third-party providers to identify themselves as payment service providers and the banning of screen scraping in favour of secure interfaces. However, the consumer-focused implications of PSD2 will only become apparent after Jan 2018 the innovative new products, greater competition and the changing relationships/partnerships. Consequently the real work (strategic planning, technical build and implementation) will only happen post-jan One complication for banks is the fact that they are managing multiple, complex initiatives and regulations, many of which overlap. In the case of PSD2, there is also the European Union s General Data Protection Regulation (GDPR). The two regulations are increasingly considered together around their respective needs to capture and control customer data. However, the two acts of legislation are at different stages and have opposing objectives. 05 UK banks also have to take into account the CMA s Open Banking initiative, another area where the business implications are huge but the technical details are rapidly evolving. The obligation for banks to share clients data still needs to be more clearly understood, particularly around client credentials. The regulator is expected to continue to opine on the missing details but in the meantime, banks cannot afford to misalign the effect that these issues will have on their business models. Current customer authentication rules will most likely continue in the short-term to meet the basics of SCA and then develop post January Banks are concerned about what SCA rules will mean in terms of system changes. The majority would prefer to continue with their current customer authentication applications and build any new solutions required under PSD2 on their existing infrastructure as opposed to investing in entirely new solutions. However this objective is complicated by a lack of consensus around identity and what it means in the context of regulation and customer expectations. In an increasingly digital age where cyber security is paramount and current onboarding processes are considered costly, there is growing pressure to move away from using passwords for authentication towards greater use of biometrics and new identity schemes.

6 Both PSD2 and Open Banking raise the issues of identity assurance, consent to third party providers and how data moves between customers, their host bank and third-party payment providers but there are still different interpretations around exactly what is meant by identity. For example, identity should cover the use of biometrics, selfies and physical devices in real-time, say some banks but this is not explicitly referenced in the Directive. Consequently the market will have to wait and see how this area develops. 06 Not all banks will maintain a watching brief as regards PSD2. Some take the view that a more proactive strategy is needed that identifies the challenges and tackles them directly. However, in the current environment where the cost of compliance is greater than ever before, banks do not want to make too many assumptions about the future direction of regulations. The cost of compliance is considerable. The recently published World Payments Report 2017 shows 34 key regulatory and industry initiatives currently facing banks so they are looking for new ways to manage this burden. For example, many banks will look to build a single agile framework to deliver reporting requirements across multiple business functions and disparate infrastructures. THE CHALLENGER BANKS A key issue for all incumbent banks but for UK banks especially is the threat from challenger banks which are well positioned to embrace the opportunities of PSD2 while avoiding many of its complications. In terms of technology, their digital infrastructure means that they are more agile and unencumbered by the legacy applications that hamper their incumbent rivals. The changes required by the Directive, which are designed to encourage greater competition in the sector, can be more easily applied, as can the adoption of APIs. For example the arrival of Starling Bank with a $75m investor from a single source is based on the use of modern technology to make banking as convenient as possible. It offers products and services often provided by thirdparties through the use of its API network. It aggregates innovative thirdparty services on a single technology infrastructure it owns. There are also business benefits from PSD2 for the neo-banks. They do not have to contend with multiple groups of customers, from individual retail clients to multinational corporate customers, all of which have their own varying demographics, geography and expectations of service. And Open Banking gives them that much sought-after access to third party s customers, the ability to differentiate on service and the chance to graduate to a full account service payment provider.

7 The statistics from the recent Finextra/CA Technologies EMEA survey back this up. The UK banks disproportionately view challenger banks as the major competitive threat compared to their European peers (49% to 32%). The challenger banks are more prevalent in the UK banking sector than on the continent. As of September 2017 there are in excess of 60 challenger banks operating in the UK, from Abacus to Zopa. These same challenger banks are also more attuned to the idea of open banking in the UK. Interestingly, the Finextra/CA Technologies survey showed that among UK respondents the incumbent and challenger banks view PSD2 in fundamentally different ways. Some banks see it as a catalyst to new business models and strategies whereas the challenger banks see it as a largely compliance-driven exercise. This is because they are already at such an advanced stage in terms of developing their open banking business models and embedded in the UK payments sector, more so than in Europe. CHOOSE YOUR PARTNERS WISELY It is clear that partnerships (between banks, between fintechs and banks, between fintechs, banks and service providers) will be important in the payments sector of the future. Market participants should consider their own objectives and ambitions in the payments market against these likely scenarios, start to plan and also consider what partnerships will be most beneficial to reaching these objectives. 07 Partnerships will be crucial to making PSD2 work for the banks, something that is becoming increasingly clear to them. Payment-based partnerships are not entirely new. It was back in 2012, for example, that ABN Amro teamed up with core banking provider Temenos to develop a new payments platform but there are likely to be many more in the next 18 months. The recent Finextra/CA Technologies survey on PSD2 also supports the prospect of partnerships, given that 93% of the UK payments professionals said that they will partner with third parties to meet their customers needs. As one banker recently said: Established banks have a multitude of challenges and must realise that to compete and comply, they should form partnerships with third-parties who can supply cost-effective solutions. Banks have to understand how they can take advantage of third party technology, particularly for some of the more technical challenges posed by PSD2 such as the problem of secure identity. Banks are also struggling with their own internal challenges skills shortages, budget constraints and technology limitations.

8 For example, banks are subject to unprecedented change and know that they must adopt a more agile approach to adopting and building customer facing services a scenario epitomized by PSD2 given the technical uncertainty but the urgent need for action. By taking an agile approach, banks can at least get started and adapt their approach as the standards solidify - in effect they are striving to deliver new banking services more rapidly by becoming a repeatable Software Factory. 08 They could learn from the example of challenger banks which are generally more agile and happy to engage with third parties to meet the demands of PSD2, GDPR and Open Banking. The most interesting scenario that could materialise by mid-2019 is greater partnerships between incumbent and challenger banks. The hope is that they will stop circling each other and recognise the mutual benefits of partnership and collaboration. There is a clear symbiosis. Banks have the benefit of a trusted brand (despite the reputational issues suffered by banks since the financial crisis, customers are still reluctant to entrust their banking details to anyone else), scale, distribution, customers and infrastructure. Challengers and fintechs have the advantage of new and more technology and applications as well as more inventive services. The European Banking Association launched the Open Banking Forum in September 2016 to foster precisely this kind of collaboration between fintechs and banks, creating what it says is a platform to facilitate European solutions that respond to the requirements of the market and the expectations of the regulators. Naturally this collaboration does not come without obstacles issues over branding and customer ownership, the address procurement process and respective risk assessments, for example. However, once these are overcome and the clarity around the technical aspects of PSD2, Open Banking and GDPR emerges from the current fuzz, the benefits for banks and their customers should be obvious to all.

9 Finextra This report is published by Finextra Research. Finextra Research is the world s leading specialist financial technology (fintech) news and information source. Finextra offers over 100,000 fintech news, features and TV content items to visitors to Founded in 1999, Finextra Research covers all aspects of financial technology innovation and operation involving banks, institutions and vendor organisations within the wholesale and retail banking, payments and cards sectors worldwide. Finextra s unique global community consists of over 30,000 fintech professionals working inside banks and financial institutions, specialist fintech application and service providers, consulting organisations and mainstream technology providers. The Finextra community actively participate in posting their opinions and comments on the evolution of fintech. In addition, they contribute information and data to Finextra surveys and reports. For more information: Visit contact contact@finextra.com or call +44 (0) CA Technologies The PSD2 Solution by CA allows organizations to add layers of functionality for new, innovative use cases, such as enrolling TPPs; consumers consenting access to accounts; strong customer authentication and context-based risk evaluation, which underpins the real-time validation of users. It also provides the building blocks to dynamically link transaction execution with authorization tokens and is fully enabled for monitoring and analytics. Moreover, PSD2 solution by CA breaks down the barriers to innovation by giving organizations a head start with specific PSD2 guidance on policies and rules, plus ready to use APIs and documented use cases.

10 Finextra Research Ltd 1 Gresham Street London EC2V 7BX United Kingdom Telephone +44 (0) contact@finextra.com All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without prior permission in writing from the publisher. Finextra Research Ltd 2017 Web