Challenges brought by PSD2 directive
The EU PSD2 Directive opens banks, obliging them to provide Small Payment Institutions (small PI), suppliers who provide access to account information solely and digital service providers with information on accounts and transaction histories.
In order not to let their competition get ahead, both banks and TPP (third party providers) have to watch the schedule. Banks are obliged to provide TPP with data from their clients’ accounts by September 14, 2019. Testing environments and documentation must be made available by mid-March 2019, though.
The implementation of the Directive will involve technological improvements that will enable the creation of completely new services and products taking into account the interests of clients at the same time.
Entities trying to introduce new types of payment services and obtain the status of a trusted third party (TPP), can acutely benefit from ongoing legal changes, but they also have to face a number of challenges.
The scope of TPP’s operation, as well as the intention of the legislator and the rights and obligations of the parties, are defined by a number of regulations. They suggest or impose certain standards. However, they do not indicate the technical specification that determines the implementation. To avoid a situation in which every European bank would implement PSD2 in its own way, several standardisation initiatives were created. These standards focus on technical aspects. They define data models, business flows and communication protocols. Standardization facilitates TPP integration. For banks, it means less work, as well as an easier demonstration of compliance of their individual implementations with regulatory requirements.
Among the most significant European standards, there is the Polish API, developed by the Polish Bank Association and dynamically evolving since January 2018.
In Poland, the Polish Financial Supervision Authority handles registrations of companies applying for TPP status. Certain requirements need to be met, however registrations do not require obtaining a license. Registration may be related to one of the three types of TPP’s activity:
- Provision of account information services,
- Provision of payment services,
- Confirmation of the availability of funds on the account.
Registration and TPP status themselves are not enough to gain access to bank data, it is necessary to overcome numerous technical challenges related to multiplicity and variability of standards as well as time constraints.
Lack of one binding standard means that the bank can either choose an existing standard, select only the elements suiting it while interpreting the others in its own way or opt for a completely new solution. The ability to prove compliance of its own implementation with the directive delegated regulations and the act on payment services is the only restriction of freedom of the bank’s choice.
Discrepancies may also concern the scope of data and services provided by individual banks and even some aspects of the standards themselves, e.g. in the case of the Polish API, the area of TPP’s technical registration and onboarding has been excluded.
In addition, even if the Polish API is fully accepted on the Polish market, there is no guarantee that it will gain similar recognition abroad. TPP that considers foreign expansion needs to be prepared for simultaneous support of many standards.
Considering the number of banks in the market, even several new versions of interfaces coming into effect weekly can be expected. This means that each interface must be adapted to each of the banks with which TPP is integrated.
Changes in the PSD2 access interfaces are also generated by TPP’s detection of errors and their suggestions of corrections for further improvement of the quality and stability of interfaces.
The changes resulting from legal regulations and the introduction of new products will force banks to make new functionalities available via the PSD2 interface.
Also, replacing some standards with others or combining two or more standards will mean major changes in the banks’ interfaces. The standards themselves will also be subject to evolution.
Therefore, developing a common European standard is strongly desirable.
TPP has six months to test and integrate with bank interfaces. One should know that integration remains a pure theory until banks provide access to their test environments for TPPs.
Two main TPP strategies in the circumstances can be expected. First, waiting until the standards and recommendations for implementation are clarified, to draw on the experience of other companies and second, joining the integration as early as possible to gain own valuable experience. The first strategy will work for entities for which PSD2 is only an enrichment of existing functionality (e.g. those that want to offer a new variant of payment for their services). The second one will prove itself within companies which product is mainly based on PSD2 (such as, for example, account aggregators).
In the near future, the appearance of products and services that facilitate the TPP’s operation, such as the one announced by KIR – HUB PSD2, can be expected. Also, over time, the experience and knowledge gained by the subsequent companies implementing the directive will unify standards, which will facilitate obtaining and then proving compliance with regulations to all entities.
For more on the PSD2 directive and the challenges related to its implementation, read the article by Grzegorz Abramczyk at: https://geek.justjoin.it/wyzwania-dla-it-niesie-soba-dyrektywa-psd2/ (article in Polish).