Will trust woes undermine Open Banking under PSD2?

Will trust woes undermine Open Banking under PSD2?

In a roundtable discussion held Wednesday in London hosted by digital payments firm PPRO, industry leaders met to explore the impact PSD2 has imposed on key players in Open Banking and the changes needed to achieve the regulation’s objective in 2020 and beyond.

Ralf Ohlhausen, executive advisor and European TPP Association vice-chairman, commences the discussion on the topic of the current market position; “It’s fair to say the UK is far ahead in terms of API development for Open Banking being used in the market, which is a real head start.”

Despite this, regulatory fragmentation, implementation delays and a lack of consumer understanding is resulting in a lack of demand - a vital force for spurring incumbents to streamline processes and ensure regulatory deadlines are met.

On the issue of Strong Customer Authentication (SCA) and the complex task of balancing customer expectation with security, Ohlhausen comments that “in the absence of better technologies we are putting the burden back on to the consumer. We can’t just increase security by making customers do more.

“We need to find a way to avoid two factor authentication (2FA) which still complies with regulation as SCA is just too cumbersome. There are methods to achieve this and if we want to be able to provide the ‘Uber’ experience we need to look to solutions such as behavioural biometrics.”

Demonstrating how cumbersome the SCA process can be for consumers, Ohlhausen points to the ongoing disadvantage between the payment initiation and the card world whereby making payments -particularly to countries outside of the UK- can require multiple, separate, 2FA steps to be made by the consumer.

Further, Third Party Providers (TPPs) who provide their platform in to countries which do not yet function through APIs must operate through an original interface which requires yet another SCA.

The rise of Technical Service Providers (TSPs) sitting as a middle layer between regulatory bodies and the deliverers of Open Banking products and services is illustrative of the need to manage this incongruence.

When questioned as to whether the growth of TSPs should be attributed to the lack of clarity surrounding PSD2 regulation, Jack Wilson, head of policy and regulatory affairs, Truelayer, says “these firms are seen as being enablers of Open Banking in the UK. While there may be an effort towards standardisation in the UK in light of Open Banking standards, OB standards have been implemented differently within and outside of the UK.

“If you’re a fintech who specialises in just providing a specific service, you don’t want to be maintaining connections into millions of API endpoints or screen-scraping.”

Turning to Payment Initiation Service Providers (PISPS), James Booth, VP of EMEA, PPRO comments: “there is a huge hole in the market for PISP services and that’s because launching such a service is a huge undertaking.

“You need demand on both the side of the merchant and the side of the consumer. In a market that’s becoming more and more fragmented it’s becoming harder and harder to launch a PISP service.”

On the PISP front, Ohlhausen states that developing this capability “is the closest to rocket science I’ve ever come across, as it has to be both frictionless and it has to be secure. To achieve these two elements without a contract with a bank is very difficult.”

Despite faster payment services in the UK, these payments are still not universally instant, and to find a way to mitigate the risk that initiated payments will not be executed is the ‘rocket science’ Ohlhausen alludes to.

For PISPs to minimise this risk regarding payment mitigation, ample data must be pulled from the consumer payment history so that a provider can make a judgment about whether the payment will or will not succeed.

“The problem with PSD2 in this circumstance is that it isn’t prescribing the banks to provide all of this data through their APIs. There is no recognition of the fact that a PISP needs as much data as the Account Information Service Provider and that’s where we’re lacking a lot of functionality” argues Ohlhausen.

Tom Catchpole, Open Banking lead, Account Technologies, explains that the current way Account Technologies mitigates its risk is through a ‘synthetic overdraft’ product which sits to the side of a customer account.

If the company judges that a customer will go over their unauthorised overdraft funds are injected into their account and the account holder is charged an interest fee for the service. This is an expensive way to mitigate risk, Catchpole contends, with Account Technologies spending between £3 million and £4 million annually across their customer base.

Catchpole continues, “if however, we could remove this fee and push the saving to the customer, we could charge them around half the fee we currently charge. PISPs are a solution that we could see ourselves using to remove this risk-minimising process, but at this stage we’re not willing explore it until we have a contract with the banks.”

Consumer trust also remains a central component for every player in working towards Open Banking. From the financial institution through to third party provider relationship and potential suppliers in-between -be they PISPs or AISPs-, there is a necessity to build and maintain consumer trust which will act as a catalyst for building competition.

Olhlausen argues that while authority bodies and governments may have good intentions, their execution around generating and developing consumer trust constitutes a form of scaremongering: “they are asking the wrong questions.

“Rather than asking: are you happy to share your data? They need to be asking whether consumers wish to have access to products or services. And if they do, whether these providers can have access to their data to make the desired purchase possible in real-time.”

Wilson counters that while certain governments have made an effort toward educating the public to build understanding and trust, it is for the TPPs who have the customer relationship to nurture this trust in the hope of working toward a market which is more open to data sharing.

On the topic of data credential sharing, Ohlhausen continues: “If banks were not forced by regulation to deliver APIs then we would not have them available. Even so, it’s naïve to think that APIs will be the dominating tool for data pulling in the future.

“What we need is to incentivise players to allow direct access to accounts through credential sharing which in the absence of APIs will be the key enabler for data sharing. Banks need to stop the witchhunt and demonising of data sharing because they’re shooting themselves in the foot - it will be the only way to access Big Tech data and achieve reciprocity in this environment.”

By Paige McNamee, Junior Reporter, Finextra

Comments: (4)

A Finextra member
A Finextra member 06 November, 2019, 18:52Be the first to give this comment the thumbs up 0 likes

We've had open banking for over 20 years now...it's called the worldwide web. The problem was that it was targetted to humans. The goal of PSD2 should have been just to ask the banks to provide similar functionality, but computer-friendly APIs with digitally signed transactions signed in the user's favorite signing app which uses the secure enclave of the mobile phone. That is truly open banking. There was never a need for PISP/AISPs. This just adds a useless man in the middle that can be attacked, just like Mt Gox was a man-in-the-middle allowing mass theft and increases the costs and risks.  I think it will take 10 years before people realize that they should just open up banking DIRECTLY to any digitally signed requests that the user has authorized the pubic key for, e.g., the public key of a corporate HSM. That's when the magic will happen. 

David Parker
David Parker - polymath consulting - Woking 07 November, 2019, 09:59Be the first to give this comment the thumbs up 0 likes

Interesting a key part in establish consumer trust is their is no fraud.  Yet a key part of the process is the TPP Identity and Verfication.  This was not mentioned once, yet the EBA database even has a disclaimer on it saying it is not accurate.  Here at Konsentus we provide that yet many companies still think using a databsase that says it is not accurate is good enough.  When Fraud starts hitting the system how quickly will consumer trust be lost.

Arjeh Van Oijen
Arjeh Van Oijen - Icon Solutions - Amsterdam 07 November, 2019, 10:35Be the first to give this comment the thumbs up 0 likes

I fully agree with Steve's statement on the 'secure enclave of the mobile phone'. This technology is already used by payment schemes like Apple Pay and Android Pay. The key issue is that this capability is not made available/accessible to any party/App, but only to the ones that are permissioned by the owner of the phone eco-system. The question is whether legislation should be created that force the owners/controlers of the phone eco-system to open up the 'secure enclave' to any party that wants to make use of it, in the same way banks (ASPSP) have been forced to open up the payment account. The application area and value of this 'secure enclave' goes way beyond payments, but can be applied for every type of (2F) authentication and digital signing.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 07 November, 2019, 17:44Be the first to give this comment the thumbs up 0 likes

Yes, trust woes will indeed undermine Open Banking, which is why I said Open Banking Needs A Blockchain Boost.