Strong Customer Authentication
Across the European Union (EU) the original revised Payment Services Directive (PSD2) Strong Customer Authentication (SCA) final implementation date of
14th September 2019 has now been delayed by the European Banking Authority (EBA). It was previously noted that those in breach of the SCA law would have to provide a fallback mechanism (i.e. direct access) which was a costly investment on top
of the dedicated interface, so Third Party Providers (TPPs) would have another way of accessing accounts and performing payment initiation services (Tink, 2019). Tink (2019) noted that:
“These penalties are severe because the banks who don’t comply are essentially inhibiting TPPs from offering aggregation and payment initiation services – and bank customers from taking advantage of these services. And because once it was decided
this was the direction we were all going with PSD2 – toward better consumer protection, more innovation and more competition – we all became dependent on each other to get there.”
In the United Kingdom (UK) the financial services regulatory body, the Financial Conduct Authority (FCA), has now confirmed that they will delay full implementation until
14th March 2021 in order to allow time for businesses to create mitigation plans. In addition, the FCA, in conjunction with UK Finance, has developed a rollout plan with staged compliance points ranging from
14th September 2019 to 14th March 2021. The extended grace period of 18 months is only applicable to any payments that are taken from within the UK, which means that if UK businesses collect cross-border payments from other countries within the
European Economic Area (EEA), the SCA rules applicable to those particular EEA countries will apply.
Although for many businesses, this extended grace period will provide some much-needed breathing space, the envisaged harmonised and streamlined implementation of the PSD2 framework across the EU is now no longer in the works. Indeed, even as far back as
March 2019, statistics from a survey of 442 European banks carried out by Swedish open banking platform ‘Tink’ highlighted that close to half of the banks surveyed (41%) had failed to meet the PSD2 deadline for the provision of a testing environment (i.e. sandbox)
for TPPs (Finextra, 2019a).
The survey had covered 10 markets across the EU, and whilst countries such as Belgium, Finland, Germany, and Sweden all had high compliance rates above 80%, other countries such as Denmark, France, Norway, and Spain all featured lower compliance rates below
50% (Finextra, 2019a). Other countries such as the Netherlands (67%) and the UK (64%) featured compliance rates in between these two extremes.
Market Research and PSD2 New Strategic Opportunities
The widespread failures to meet such implementation deadlines highlighted not only the sizeable burden being placed on banks to meet such tight technological implementation deadlines, but also the potential subsequent disruption to various open banking
platforms and services caused by the missed deadlines (Finextra, 2019a). In practice this has precipitated a strategic free-for-all for banks and new TPPs as the new pan-European PSD2 payments market is now up for grabs. Those banks and
new TPPs that have been able to meet technological deadlines, and are eager to implement advanced PSD2 strategic initiatives in order to capitalise on first mover advantages, are leading the PSD2 pack.
In fact, Swedish Personal Finance Management (PFM) platform Tink completed a €56 million investment round in February 2019 as it prepared to roll its business out to five new European markets (Austria, Belgium, Germany, Spain, the UK) in order
to take advantage of new Open Banking rules (Finextra, 2019b). In practice, Tink is aggressively expanding its growth, and is not only set to double its European staff to 300 full-time employees by opening four new offices, but it is also set to expand its
European connectivity across 20 European markets by the end of 2019 (Finextra, 2019b).
Market research has also identified the huge need for PSD2 firms to implement highly comprehensive and well-researched strategic plans, in order to capitalise on PSD2 framework developments across the EU in a timely manner. For example, a new study by ING
was carried out among 1,500 Dutch citizens as part of its half-yearly Digital Monitor (Touchtech Payments, 2019). At the time the study showed that the EU’s PSD2 framework was still unknown to 82% of the Dutch population (Touchtech Payments, 2019). Before
the respondents were informed of PSD2, 67% held a “negative” or “very negative” perception. This demonstrated that PSD2 firms need to think far, far beyond technological developments, and in addition need to concentrate on longer term adaptation and educational
strategies for new customers in potential new markets.
Indeed, much more than that, such operational strategies need to be specifically researched and segmented, not only for individual EU countries, but also for demographic segments across those individual EU countries. For example, it was noted that:
“…after respondents were explained what PSD2 is, almost half (46%) said they would be glad to avail of the new payment services that will be made possible by the directive. The number of respondents under the age of 34 who plan to use the services
unlocked by PSD2 was nearly 40% higher than for the population overall” (Touchtech Payments, 2019).
This type of finding would suggest that PSD2 firm strategies in the Netherlands should focus on a segmentation approach whereby a specific target population (i.e. 18 < AGE < 34) would form the primary target which needs, not only to be continually educated
and prepared on PSD2 developments, but also potentially ‘acclimatised’ to future PSD2 initiatives, offerings, and services to be offered by specific PSD2 firms.
In addition, it was found that once PSD2 had been explained to the respondents, many of the respondents responded positively to the envisaged changes, with many respondents showing enthusiasm for a number of new proposed services, such as: (1) consolidated
payment accounts (29%); (2) viewing all balances in one place (28%); (3) using savings applications (Apps) (26%); (4) using household Apps for payments and credit cards (25%); and (5) making online purchases without credit cards (21%) (Touchtech Payments,
2019). This kind of research highlights the significant benefits to be gained from PSD2 strategic initiatives that are grounded in jurisdictional and demographic research, as specific offerings by PSD2 firms can be specifically tailored to efficiently align
with the anticipated demand that has been deduced from PSD2 field research.
Nevertheless, at the same time such positive responses can also be contrasted with the responses elicited from 400 senior decision-makers in retail banks based in Australia, France, Poland, and the UK which were surveyed by US retail banking technology provider
Fiserv (Touchtech Payments, 2019). The results from this survey showed that most (54%) bankers felt that they had insufficient information in order to become compliant with PSD2 and other open banking requirements by the forthcoming deadlines (Touchtech Payments,
In addition, most of those who had already implemented some form of open banking disagreed that they had enough information to remain compliant, and only 8% believed that they had enough people and the right skill sets to comply (Touchtech Payments, 2019).
Furthermore, regarding monetisation opportunities around open banking, 44% of retail bankers believed it offered monetisation opportunities while 19% believed that open banking did not (Touchtech Payments, 2019). The results of these types of surveys highlight
the real and pressing need for these types of firms and individuals to obtain much more extensive and comprehensive training, not only in the forthcoming PSD2 and Open Banking regulatory frameworks, but in fully understanding the monetisation opportunities
and commercial strategies open to banks, Financial Technology (FinTech) firms, Regulatory Technology (RegTech) firms, and new TPPs.
Another market survey undertaken in Sweden by the analytics software firm ‘FICO’ which was executed by ‘SIFO’, showed that few Swedes were prepared to share their banking information with a third party, and that nearly half of the respondents (46%) did not
want to share information with any third party (FICO, 2018). In addition, the survey showed that there were mixed views on whether PSD2 would lead to an increase or decrease in fraud (FICO, 2018). Again, these types of findings show how crucial it is for
PSD2 firms to truly understand the markets which they wish to develop and operate in, and the problems, obstacles, and challenges they must overcome in order to successfully develop PSD2 offerings. The survey showed that only 36% of respondents knew about
PSD2, with the lowest awareness among younger people aged 16-24, where only 29% knew about it (FICO, 2018). Dylan Jones of FICO in the Nordics commented that:
“Our survey shows though that few consumers know about the directive, which suggests that it will take some time before customers are ready to give third parties the necessary access in order to be able to take advantage of the new services that
will launch” (FICO, 2018).
Another survey undertaken by FICO on 500 UK consumers produced similar findings (FICO, 2019). It was found that only half (53%) of UK customers would give their bank their mobile number to comply with new fraud rules, and that this number dropped to 47% for
consumers aged 18-24 (FICO, 2019). Moreover, one in four respondents noted that they would complain if asked, either to the bank, on social media, or to a consumer association or newspaper (FICO, 2019). These findings also coincided with a report by UK consumer
advice firm ‘Which?’, which reported that 92% of the public was unaware of the PSD2 initiative which officially launched on 13th January 2018 (Dhami, 2018). It can be surmised that strategic educational marketing initiatives must form a crucial part of marketing
and business development strategies in order to achieve effective PSD2 market penetration in the long term.
PSD2 Strategic Challenges
The PSD2 and Open Banking frameworks have brought forth a host of strategic challenges which FinTech firms, RegTech firms, and TPPs must address and successfully overcome, if they are to strategically leverage the new opportunities available under the PSD2
framework. For example, it has been identified that the absence of common standards for APIs to be used for dedicated communications interfaces is causing fragmentation in the market (Deloitte, 2018). Deloitte (2018) observes that:
“There is no EU-wide and sometimes not even national, consensus on which industry-issued standard (e.g. the Berlin Group, the UK Open Banking, PRETA, etc) to adopt; and some ASPSPs have chosen to develop bespoke APIs, either on their own or in partnership
We believe that the lack of common standards will lower the level of interoperability and, at least in the short to medium term, present an obstacle to the development of PSD2-enabled services and products, particularly across borders.”
This lack of a common standards framework across UK and EU markets is said to have the effect of stalling innovation, as banks can define their own interface, resulting in diverging standards and a sub-optimal level of API capabilities generally (Dunlop,
Another major stumbling block for firms is that consumer awareness of Open Banking products and services remains low (Deloitte, 2018). Consequently, it is envisaged that this fact, combined with the high frequency of cyber-attacks and data privacy breaches
in the news, will act together to constrain take-up, interest, and trust in new PSD2 services because of a latent suspicion of new products and services based on the sharing of personal and sensitive data, especially by less known brands (Deloitte, 2018).
Deloitte (2018) comments that “This suggests that a major effort by firms may be required to improve consumers’ awareness, interest, and trust in this space.”
In fact, a survey of 4,000 customers across France, Germany, Spain, and the UK undertaken by GoCardless found strong evidence to substantiate such views. The survey asked customers questions on feelings about certain specific elements of the new PSD2 SCA
requirements, and also how increased security at checkout would influence their buying behaviour (GoCardless, 2019). The research had a range of interesting and relevant findings. The respondents were first asked about their previous shopping habits and many
reported that they had abandoned a complex payment process in the past (France, n=33%; Germany, n=48%; Spain, n=40%; UK, n=40%) (GoCardless, 2019).
In addition, it was found that some customers would consider shopping less at their favourite brand if they were faced with a more complex checkout process (France, n=23%; Germany, n=26%; Spain, n=24%; UK, n=23%; would shop less at their favourite brand
if security measures at checkout increased) (GoCardless, 2019). It was also found that likelihood of purchase abandonment was even higher when shopping with brands that are new to the shopper, especially in markets such as Germany where 36% of respondents
would cancel a purchase if a new brand had a lengthy (but still secure) payment process (GoCardless, 2019).
The survey showed that there were clear differences in responses elicited by the groups across the different markets. In the UK for example, it was identified that if the favourite brand of the respondents increased security and length of checkout process,
then 43% would be frustrated but would still shop with them, whereas 23% said that they would actually shop with the brand less (GoCardless, 2019). Clearly, such a finding is significant in terms of PSD2 preparations, especially in terms of what needs to be
completed from a technological perspective (i.e. frictionless checkout experience) combined with a pre-implementation customer PSD2 educational strategy.
Higher levels of comfort were identified in relation to the provision of security information during an online purchase: for example, 76% were comfortable supplying agreed security information (e.g. passwords); 78% were comfortable supplying device information
(e.g. mobile phone); and 69% were comfortable supplying biometric information (e.g. fingerprint) (GoCardless, 2019). However, it was also found that 44% of respondents had abandoned an online purchase because of complex security procedures at checkout and 40% of
respondents said that they would feel suspicious if faced with a more complex checkout process (GoCardless, 2019). Interestingly, 63% of respondents said they would be likely to pay for online subscriptions using Direct Debit if it meant that they could avoid
lengthy checkout processes (GoCardless, 2019).
There are three other key concerns related to PSD2 and Open Banking that have been identified. The first relates to consumer ethics, namely, the increased concern by experts that increased third-party access to accounts and data may create opportunities
for TPPs to ‘intrusively profile customers’ (Dhami, 2018). This in turn may potentially lead to an increase in predatory lending, where TPPs target ‘vulnerable’ borrowers with highly segmented advertising in order to sell products and services (Dhami, 2018).
The question, therefore, is whether there is sufficient oversight on this potential new imbalance between the new and highly significant power in the hands of lenders, and new segments of PSD2 borrowers?
Another area of concern is that of a potentially significant increase in cybercrime. As the PSD2 framework heavily relies on the opening up of pre-existing banking channels and customer accounts, applying new security controls and processes to legacy IT
systems may in practice be highly complex and costly (Dhami, 2018). This problem is augmented in relation to smaller new PSD2 firms that may in actuality not be equipped to deal effectively with the new and highly complex and onerous PSD2 requirements
relating to managing fraud, human error, identity theft, and also the loss of customer data (Dhami, 2018). Finally, it has been noted that the new Open Banking frameworks:
“…may trigger an increase in social engineering attacks against customers who may be inexperienced using new technology platforms. Risks include phishing, malware, fraudulent apps, and physical theft or loss of endpoint devices that could provide
access to third parties” (Dhami, 2018).
PSD2 Strategy and Innovation
The previously identified surveyed perceptions and views are now absolutely crucial for FinTech firms, RegTech firms, and TPPs to take on board and incorporate in their developmental strategies. However, in practice it has been seen that many FinTech firms,
RegTech firms, and TPPs are solely concentrating on developing, refining, and implementing their technological solutions, to the exclusion of marketing strategies and developmental strategies. For example, a review by Deloitte (2018) identified that most
Account Servicing Payment Service Providers (ASPSPs) that they had talked to across the EU believed that they were overall compliant with the PSD2 primary legislation requirements. It was noted that their focus had been on implementing regulatory requirements
such as the European Banking Authority (EBA)’s guidance on Fraud Reporting, on finalising Application Programming Interfaces (APIs), and on implementing the requirements of the Regulatory Technical Standards (RTS) on Strong Customer Authentication
(SCA) and Common Secure Communication (CSC) (Deloitte, 2018).
In practice, it is submitted that this is a fatalistic approach in this new era of PSD2 regulation and technologies. Indeed, this is not simply market commentary, but in actuality market fact. For example, Storm-7 Consulting previously had enquiries from
the payments firm ‘Iron Group’ in the UK, which wanted to have advice and training on PSD2 changes related to the subscription base model. Notwithstanding discussions on this area, Iron Group did not proceed with the training. Later that year Iron Group,
the digital agency expert in the subscription industry, ceased its activities in October 2017, highlighting the challenges in successfully navigating the new PSD2 strategic landscape. According to Dhami (2018):
“Open banking will generate increased competition between established providers and innovative new entrants aiming to make existing products more flexible, bespoke and convenient. These entities include the likes of Amazon, Apple, Google and Facebook,
who have agility in their investment capabilities as well as an advanced technological architecture to utilize their customer data insights at scale.”
Koić (2019) is in accordance with such a viewpoint, and acknowledges that APIs allow firms to dip into customer data held by banks in order to create their own complementary or alternative financial applications, meaning that tech leaders such as Google,
Amazon, Facebook and Apple will be able to compete on the banks’ home territory. Koić (2019) notes that:
“Customers have come to expect that their banks will offer the same ease of use they get from the big four digital FANG companies – Facebook, Amazon, Netflix and Google. Customer-centricity is in vogue and the race is on for banks to deliver digital
Although this may in theory be true to a certain extent, it has been seen that this does not convey the full picture. Indeed, as has been noted previously, pre-existing customer sentiment and attitudes are a crucial part of the PSD2 strategic formula that
PSD2 firms must develop, including the big digital FANG companies in which many customers already have low feelings of trust. Notwithstanding such large existing user bases, technology companies will only become fierce competition if they manage to find a
formula to leverage their pre-existing customer base in a way that will ensure customer buy-in and trust across the board. And that is not an easy proposition in this new era of hidden PSD2 consumer sentiment and trust.
Some providers have already committed themselves to developing their commercial strategies early on, notwithstanding implementation problems and delays relating to SCA throughout the EU. For example, Vipps in Norway, Mobilepay in Denmark, Keks in Croatia,
and Blik in Poland, have all started implementing strategic solutions, and even banks in the United States (US) are strategically evaluating opportunities and threats that may arise owing to PSD2 APIs (Koić, 2019). Some commentators believe that the
majority of banks have treated PSD2 as an exercise in minimum compliance instead of looking for customer-led outcomes (Dunlop, n.d.). This means that many banks have forgone the opportunity to create slick applications to relaunch the authentication experience
(e.g. by leveraging technology such as fingerprint ID), and have instead opted to conservatively redirect customers to a multipage web browser to authenticate (Dunlop, n.d.).
From a strategic perspective, it has been argued that:
“Whilst development remains ongoing, it is increasingly difficult to make a business case for committing resources to development of an API product on a grand scale when the size of the market is undeterminable…
In the current Open Banking environment, the lack of scalability and certainty of direction of travel means that there is no advantage in being an early adopter of PSD2.
For established fintechs there is always a desire to not be caught behind the innovation curve, but at the same time a business case needs to be evident before a commitment can be made to developing or modifying any product or payment service.”
Given the huge amount of time needed to develop, test, refine, and perfect new PSD2 technologies and offerings; the huge amount of market research that still needs to be undertaken in order to more accurately identify consumer sentiment across multiple EU
markets and consumer segments; the huge amount of time and effort that is needed in order to pre-educate potential markets and consumers; and given the highly differentiated, nuanced, and carefully orchestrated marketing and promotional activities required
by PSD2 firms in the build-up to widespread acceptance of new PSD2 technologies – to which many customers are already resistant (owing to strong security and convenience preferences) – it is argued here that the belief that there is no advantage in being
an early adopter of PSD2 is a highly flawed argument based on very little strategic knowledge behind PSD2 strategy and innovation.
Deloitte (2018) has identified that there has, to date, been little evidence regarding the emergence of any clear PSD2-based business models, although more ASPSPs are now looking beyond the narrow confines of PSD2 and seeking to invest and develop new “ecosystems”
of partnerships with TPPs. This is undertaken by leveraging premium APIs in order to provide customers with a carefully organised marketplace experience that caters to their wider financial needs, across national and international markets (Deloitte, 2018).
In addition, ASPSPs have been working on proofs of concept and pilot programmes that focus on Account Information Services (AIS) use cases (e.g. account aggregation services; PFM applications; loyalty programmes; credit risk underwriting; Small and
Medium Sized Enterprises (SMEs) services) (Deloitte, 2018).
What has become clear is that PSD2 and Open Banking frameworks are highly complex areas that do not follow the developmental timelines previously established by historical EU legislative initiatives within the banking and financial services sectors. The
frameworks that they usher in are both groundbreaking and disruptive, notwithstanding the fact that their originally envisaged implementation timeline has been elongated. Contrary to certain market commentator beliefs, early adoption of PSD2 compliance programmes
as well as strategic initiatives is imperative if PSD2 firms are to ensure that their propositions remain viable in the forthcoming paradigm shift of payment services within the EU. Indeed, for many firms, a lack of focus on strategic initiatives, market research
initiatives, and educational market initiatives, means that many may find themselves struggling to develop market share, and at a loss to explain why they face such troubles. As summed up by Virdi (2016):
“PSD2 has the ability to force banks into a metamorphosis or be left behind as other visionary providers innovate, create closer customer relationships and develop new revenue streams. Simply being tactical is not enough; banks need to think strategically
and differently if they are to remain relevant to their current customers and attract new ones.”
Deloitte (2018). Baby steps, but no giant leap: PSD2 at six months old. Deloitte LLP.
Dhami, I. (2018). Open Banking and PSD2: Disruption or Confusion? (31st January), Security Intelligence, [Online], Available at: https://securityintelligence.com/open-banking-and-psd2-disruption-confusion/.
Dunlop, A. (n.d.). Open Banking and PSD2: A confused roadmap to innovation. PaysafeGroup.
FICO (2018). Risk & Compliance. (5th June), [Online], Available at: https://www.fico.com/en/newsroom/swedes-confused-about-psd2-changes-to-payments.
FICO (2019). FICO Survey: UK Consumers Could Thwart Strong Customer Authentication. (31st January), [Online], Available at: https://www.fico.com/en/newsroom/fico-survey-uk-consumers-could-thwart-strong-customer-authentication.
Finextra (2019a). 41% of banks missed PSD2 deadline says survey. (21st March), [Online], Available at: https://www.finextra.com/newsarticle/33569/41-of-banks-missed-psd2-deadline-says-survey.
Finextra (2019b). Sweden's Tink aims for pan-European coverage with €56 million in funding. (7th February), [Online], Available at: https://www.finextra.com/newsarticle/33334/swedens-tink-aims-for-pan-european-coverage-with-56-million-in-funding/retail.
GoCardless (2019). Security vs. convenience in the payment experience. What matters most to online shoppers.
Koić, M. (2019). Breaking the bank: how financial institutions can embrace disruption. (5th March), The New Economy, [Online], Available at: https://www.theneweconomy.com/strategy/breaking-the-bank-how-financial-institutions-can-embrace-disruption.
Tink (2019). What a missed PSD2 deadline says about the challenge of implementation. (21st March), [Online], Available at: https://tink.com/blog/2019/3/20/psd2-sandbox-status.
Touchtech Payments (2019). European citizens and banks still unclear over PSD2 provisions. (8th February), [Online], Available at: https://medium.com/@touchtech/european-citizens-and-banks-still-unclear-over-psd2-provisions-f62daeb4220a.
Virdi, T. (2016). PSD2: One of the biggest disruptions in banking for decades. (26th January), Global Banking & Finance Review, [Online], Available at: https://www.globalbankingandfinance.com/psd2-one-of-the-biggest-disruptions-in-banking-for-decades/.