Missed the Latest PSD2 Deadline? Here’s What You Need to Know
Whoosh! That was it. The March 14th deadline for PSD2 - the date by which banks in Europe were required to implement facilities for third-party providers (TPPs) to test their functionality against a simulated bank environment - has just flown by.
While most are aware of the upcoming September 14th deadline, which requires banks to have implemented dedicated APIs for third-party providers, the March deadline was much less well known, and many of the thousands of eligible banks in Europe will not have been compliant in time. Nick Caley, VP of Financial Services and Regulatory at ForgeRock, says that while there are no formal penalties for those that did not meet the deadline, there will certainly be consequences that could have long-lasting commercial, technical and reputational effects. Read on to find out more about what to do if you’ve missed the deadline.
Consequences of non-compliance
Banks who have failed to meet the March deadline will now need to implement fallback ‘screen-scraping’ as a contingency mechanism ahead of the 14th September deadline, at the same time as implementing their PSD2 API. With screen-scraping, customers essentially share their security credentials so third parties can access their banking information via the customer interface and collect the data for their own services. This is something that’s absolutely not in the interests of banks, or their customers, and could lead to problems in the future.
There are multiple problems with screen-scraping. Firstly, there are the significant security risks it poses. Screen-scraping involves customers sharing their banking security credentials with third parties, which is an outright bad security practice. No-one should ever feel comfortable sharing a password to a system, let alone one that provides access to a bank account. Such credentials, as well as providing access to banking data, can be used to unlock numerous other account functionalities that should only ever be available to the account owner. Any increase in the risk that banking credentials could be compromised will undermine the confidence consumers place in financial institutions.
Beyond these security considerations, there are also cost implications as banks will need to find the resources necessary to maintain more than one interface, and each interface will require strict and ongoing monitoring and reporting to the National Competent Authority. While larger tier one banks might be able to absorb this extra cost, this will further compound the already serious burden of compliance with the regulatory technical standard (RTS) for smaller banks.
Beyond these practical concerns, failing to comply with the March deadline means many banks will now be left playing catch up on the developments set to be made as PSD2 comes into effect. This could seriously hinder banks’ long-term prospects, preventing them from giving themselves a strong foundation to stay on top of PSD2 and severely limiting their ability to compete in the new era of customer-centric financial services.
What can banks do now if they’ve missed the deadline?
The best advice for a bank that hasn’t met the deadline for a testing facility is to contact the relevant regulator (National Competent Authority) regarding the steps they could take to achieve an exemption. They will need to submit a description of what has been implemented so far, and their plan to complete the delivery of items that fulfil the requirements of PSD2.
The NCA will accept exemption requests up to June 14th 2019, after which date it is deemed that any banks with failed applications will have just enough time to apply the contingency measures before the September deadline. If a bank demonstrates ‘clear and credible plans’ for the required compliance by September then the NCA may confirm the exemption once it’s received evidence of the implementation.
Of course, the easiest way for banks to demonstrate credibility and get an exemption is to implement testing facilities as soon as possible. For those banks who haven’t yet found a solution, there are ready-made developer sandboxes that they can deploy in a short space of time. These sandboxes are essentially turnkey solutions that are fully compliant with the defined API standards, making the whole process far simpler and quicker.
Whether or not banks are allowed an exemption, it is still worthwhile for them to continue with plans for a developer sandbox. This is because it will still enable third-party providers to test their functionality and make sure the bank is best prepared when September 14th comes around.
Looking further ahead
PSD2 gives banks, as the trusted holders of customer banking information, an unrivalled opportunity to add value for their customers. Through the development of new interfaces, modernisation of authentication methods and the redesign of customer journeys, banks can achieve the new Holy Grail for any business: delivering intuitive, secure digital services and experiences that are personalised to the customer and offer far greater insights and advice.
At the same time, it’s important for banks to keep an eye on the competition. The promise of PSD2 is to provide a level playing field to encourage competition and innovation. Account Info Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), retailers and internet giants all have the opportunity to introduce their own payment and financial management products and services that integrate directly with the established banks.
Meanwhile, the challenger banks built from the very beginning to be ‘digital natives’ have been leading the way with innovative customer-first experiences and third-party marketplaces that go beyond what is currently on offer from traditional players. This means banks will need to provide better digital services to stay competitive, giving people more freedom and choice in the way they interact with financial services.
The March deadline was the first real test of which banks are keeping up with PSD2, and which are falling behind. However, these compliance deadlines are not just a test of a bank’s ability to meet technical regulations – they are also strong indications as to how well each bank will be prepared to stay competitive in the race for our increasingly digital future.