The Revised Payment Service Directive (PSD2) has been a hot topic among Fintech startups and banks. In particular there has been a lot of discussion around banks needing to open their APIs. But what does that mean? Will anybody be able to use a bank's infrastructure,
and will banks become a platform for other companies, losing their client-facing business? Or will banks find new revenue models thanks to PSD2? Manuel Cantalapiedra, Head of Innovation at Santander Spain, comments:
“Banks that are now only considering PSD2 as a matter of technology/cybersecurity compliance will be eventually unbundled by the different PISP and AISP new entrants and lose their relationship with their customers. However, there is a clear opportunity
for banks to find new revenue sources under this new scenario, either by competing with these TPPs or by truly becoming a Banking Platform, allowing TPPs to partner through Open APIs.”
Access account data in one place
PSD2 is a great opportunity for new businesses that focus on presenting users' account data in one place (Account Information Services). Instead of screen scraping, which results in missing data, this type of business will be able to get the most
accurate account information in real time. For users that means not only seeing all their bank account data in one place, but also being able to compare fees between banks and to analyse their historical data against the industry average.
Pascual de Juan Núñez, Global Head of Innovation in Technology at BBVA, comments: “For Banks it will mean far more computing power, which is mainly obsolete and expensive worldwide. If there’s not a business case behind account data providing, keeping
plain old Mainframes will mean adding transitive charges to avoid bankruptcy. Offering cached data, which is far from “real-time” but “yesternight-batch” instead. Banks who move to fresh core banking will win this battle.”
Strong 2-factor authentication
Starting from 2018, all banks in the EU will need to offer strong two-factor authentication (what PSD2 calls strong customer authentication, SCA).
Currently several banks in the EU protect customer accounts with a password alone. Besides the password (something you know), the user will need a second factor, either something you have or something you are. Although the technical standards will only be
specified by the end of 2017, we already see that in many EU countries TAN lists (code cards) will no longer be allowed. The reasoning is that TAN lists (and most likely also SMS) are considered 2-step verification rather than two-factor: the user
reads the code off the card and types it in, so it is effectively another thing the user knows, not proof that a particular device is present.
Pascual de Juan Núñez adds: “More than one second factor would mean more than “security level” to fit different security scenarios, according to the severity of the action to be done.”
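To make the difference between a code card and a possession factor concrete, here is an added example (not code from the original post or from any bank): a server-side verifier for a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1), next to a static code-card check. The shared secret is the RFC 6238 reference-vector key, so the codes can be checked against the published test vectors; the code-card values are constructed for illustration only.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example secret: the RFC 6238 reference-vector key, ASCII "12345678901234567890".
# In a real enrolment the secret is generated per device and stored on it, never shown to the user.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown to the user

# Constructed static code card (TAN list): index -> code. Hypothetical values, for contrast only.
CODE_CARD = {1: "482913", 2: "105774", 3: "936201"}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int = -1, window: int = 1) -> Optional[int]:
    """Server-side check of a possession-bound second factor.

    Returns the time-step counter the code matched, or None on failure. Accepts
    +-`window` steps of clock drift, compares in constant time, and refuses any
    counter <= `last_counter` so a code that was already accepted cannot be replayed.
    """
    if len(candidate) != DIGITS or not candidate.isdigit():
        return None
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


def verify_tan(card: dict, index: int, candidate: str) -> bool:
    """Static code-card check, for contrast: the code is printed on paper, the user reads it
    and types it in, and it stays valid regardless of time until it is used. Nothing here
    proves that a device is present; whoever has read (or photographed) the card knows the code."""
    expected = card.get(index)
    return expected is not None and hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test-vector timestamp; use int(time.time()) in practice
    code = totp(SECRET, now)
    print("device shows", code, "-> accepted at counter", verify_totp(SECRET, code, now))
    print("same code 5 minutes later ->", verify_totp(SECRET, code, now + 300))
    print("card code 2 accepted at any time ->", verify_tan(CODE_CARD, 2, "105774"))
```

The TOTP code is computed from a secret the user never sees and is only valid for the current time step (plus a small drift window, with the last accepted counter recorded so the same code cannot be replayed), which is what makes it a proxy for possession of the device. The caveat a practitioner should keep in mind is that the server can only tell that something holding the secret produced the code; if the secret can be copied off the device, the factor degrades to "something you know" again, which is why the authenticator must keep the secret in protected storage.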
Banks will become identity holders
Related to two-factor authentication, another hot topic has been how Fintech companies (in particular those that will use banks' APIs) will protect user data. In the PSD2 Q&A organised by the European Central Bank, banks have insisted on
keeping security on their side, arguing that they have more resources and experience in this field. For third-party Payment Service Providers (PSPs) this means that the user experience for transferring funds between accounts at different banks will be limited by the
security solution each bank chooses. For banks, on the other hand, this presents a great opportunity. If banks play it wisely they could not only set a barrier for new Fintech companies but potentially gain even more: banks could become the
digital identity holders of people and be involved in their customers' daily interactions even more.
Just imagine that instead of spreading your identity across the web it is kept in one safe place, the bank, and third-party services only verify with the bank that there is such a person and that the person wanted to perform a certain action. Think Facebook pass but legally
Pascual de Juan Núñez comments: “Legally binding means some liabilities, and has some risk probability to be covered, which could be weighted and charged accordingly to handle claims like “you ensured me this identity was right, and it is not”. This approach
should evolve from “wouldn’t it be nice?” to “how much would I pay for it?”.”
Pascual is right, and this will definitely be the case if the certificates are issued by the bank itself. However, if the certificates are issued by a trust service provider, the liability would be on that provider. That is why auditing would be needed, and the
Big Four firms are currently looking at how to audit mobile phones as carriers of such credentials. This is a separate topic, though, and relates more to eIDAS, which came into effect this July.