PSD2: Why Banks Shouldn’t Take the 14th March Deadline Lightly
By September 14th, banks in Europe are required to have implemented dedicated APIs for third-party providers as part of the new PSD2 regulations.
Less well known, however, is another more imminent deadline. The PSD2 regulation requires banks to implement facilities for these third parties to test their functionality against a simulated bank environment six months prior to the September deadline, which means that these environments must be in place by 14th March. Below, Nick Caley, VP of Financial Services and Regulatory at ForgeRock, explains that despite the importance of this fast-approaching deadline, many of the thousands of eligible banks are significantly challenged in meeting either deadline. And, while there are no formal penalties for not complying with it, there will certainly be consequences that could have long-lasting commercial, technical and reputational effects.
Consequences of non-compliance
Banks which fail to meet the March deadline will need to implement fallback ‘screen-scraping’ as a contingency mechanism at the same time as implementing their PSD2 API by the September deadline. With screen-scraping, customers essentially share their security credentials so that third parties can access their banking information via the customer interface and collect the data for their own services. That would not be in the interests of banks or their customers, and could lead to graver problems further down the line.
There are multiple problems associated with screen-scraping. Firstly, there are the significant security risks it poses. Screen-scraping involves customers sharing their banking security credentials with third parties, which is outright bad security practice. No one should ever feel comfortable sharing a password to a system, let alone one that provides access to a bank account. Such credentials, whilst clearly able to provide access to banking data, also unlock numerous other account functionalities that should only be available to the account owner. Any increase in the risk that banking credentials could be compromised will not build the confidence of consumers.
Alongside security considerations, there are also cost implications since maintaining more than one interface increases the resources required. Each interface will require strict and ongoing monitoring and reporting to the National Competent Authority. While larger tier one banks might be able to absorb this extra cost, for smaller banks this will further compound the already serious burden of compliance with the regulatory technical standard (RTS).
Beyond these very practical concerns, failing to comply with the March deadline will mean banks are left playing catch-up on the developments set to be made as PSD2 comes into effect. Avoiding such pitfalls would mean banks can significantly boost their long-term prospects, giving themselves a strong foundation to stay on top of PSD2, meeting regulatory deadlines whilst crucially increasing their ability to compete in the new era of customer-centric financial services.
Despite the clear importance of the March deadline, many banks are still largely focused on developing their production APIs ahead of the September deadline, rather than their testing facilities. For those banks who haven’t yet found a solution, having development teams put a testing facility live in such a short space of time might seem like an impossible task. The good news is that there are ready-made developer sandboxes that banks can deploy in a short space of time to stay on top of the requirement for a testing facility. These sandboxes are essentially turnkey solutions that are fully compliant with the defined API standards, making the March 14th deadline much easier to digest. Banks should look to these ready-made sandboxes if they haven’t already found a solution.
Looking further ahead
As the trusted holders of customer banking information, banks have an unrivalled opportunity under PSD2 to add value for their customers. Through development of new interfaces, modernization of authentication methods and the redesign of customer journeys, banks can achieve the new holy grail for any business: delivering intuitive, secure digital services and experiences that are personalised to the customer and offer far greater insights and advice.
With the focus on complying with deadlines, it’s also important for banks to keep an eye on the competition. The promise of PSD2 is to provide a level playing field to encourage competition and innovation. There are certainly plenty of new competitors: Account Info Service Providers (AISPs), Payment Initiation Service Providers (PISPs), retailers and internet giants all have the opportunity to introduce their own payment and financial management products and services that integrate directly with the established banks.
At the same time, the challenger banks built from the very beginning to be ‘digital natives’ have been leading the way with innovative customer-first experiences and third-party marketplaces that go beyond what is currently on offer from traditional players. This means banks will need to provide better digital services to stay competitive, giving people more freedom and choice in the way they interact with financial services.
The March deadline is the first litmus test for which banks are keeping up with PSD2, and which are falling behind. However, as we have seen, the far-reaching changes that PSD2 heralds mean this upcoming deadline won’t just be a test of a bank’s ability to meet technical regulations – it will be a strong indication as to how well each bank will be prepared to stay competitive in our increasingly digital future.