Over the last few weeks, there has been an increasing number of conferences where the impact of PSD2 has been discussed. At the same time, there are more and more blog posts and articles talking about the impact of PSD2 Access to Account (also known as XS2A), especially in relation to strategic implications.
For the strategic vision to bear fruit, there are some operational and standardisation issues to resolve. As the market tries to organise itself to face the challenges (and opportunities!) that PSD2 brings, this post summarises some of the thoughts that are going around on the topic, concluding that more cooperation is needed to avoid fragmentation and frustration.
The revised Payment Services Directive (PSD2) has been approved by the European Parliament and must now be “transposed” into national law by each member state by 13th January 2018. By this date, “Payment Service Providers” (broadly, banks and payment institutions) must be compliant with most of its requirements, although there is still discussion around some elements.
One part of PSD2 is known as “Access to Account”, which allows licensed payment service providers (known as TPPs) to access an account, at the request of the account holder, either to trigger a payment (Payment Initiation Services) or to obtain information related to an account (Account Information Services). Phew!
The Access to Account feature is heavily discussed, but much uncertainty still exists, due to the fact that a number of regulatory details are still to be decided. These details will be defined and created by the European Banking Authority (EBA) in the form of “Guidelines” and “Regulatory Technical Standards” (RTS). As we all know that “the devil is in the detail”, these RTS are highly anticipated.
Unfortunately, there are misunderstandings and assumptions that are not helping the debate. Two topics stand out:
- The contents of the register of TPPs that will be provided by the EBA
- The nature of the RTS
On the 9th of March, I had the privilege of being on the opening panel of the European Payments Summit, with Helmut Wacket (ECB), Geoffroy Goffinet (European Banking Authority), Piet Malleckoote (iDEAL) and Georg Schardt (Sofort). Particularly interesting were updates coming from the EBA on the register of third-party payment service providers (TPPs), and the RTS linked to Access to Account. Below are some thoughts arising from these and other similar conferences, panels and discussions.
A Register of TPPs
PSD2 makes it clear that a public register will be published containing details of TPPs. For example:
- Article 14: Member States shall establish a public register in which are entered: authorised payment institutions and their agents.
- Article 15: EBA shall develop, operate and maintain an electronic, central register that contains the information as notified by the competent authorities.
Most experts believe that in order to work, such a register will need to provide a real-time lookup capability, so that Account Servicing Payment Service Providers (AS-PSPs) can find out whether a particular TPP is really licensed as a TPP or not.
They also believe there needs to be a way of checking that the party claiming to be that legitimate TPP is who they say they are, and not an imposter. An often-cited way of checking is that digital certificates would be used to verify identity and that the public keys of those certificates would be stored in the directory.
It seems, from what is said, that the EBA is not going to provide such an operational directory, as it falls outside its mandate.
The EBA is very clear that the ‘register’ of relevant payment institutions that must be delivered by the EBA will not be an online operational directory updated in real time and usable by software checking against a potential TPP list. In particular, it will not contain certificates. It will be rather a “legal register”. I imagine this as similar to the list of BICs in the EPC scheme registers, where the BICs are legal identifiers but cannot be used for operational routing of payments. For this, the routing tables of the clearing systems are needed.
Even more subtle is the point that the register – in whatever form it takes – may only contain those entities that explicitly apply for (and are granted) a license for payment initiation and account information services. The four to six thousand credit institutions who may legitimately want to provide payment initiation services may not be in the register.
All this implies a real headache for the AS-PSPs who want to – and are obliged to – protect their customers’ data while giving access to legitimate parties.
What are EBA Regulatory Technical Standards?
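To make the difference between a legal register and an operational directory concrete, here is an added sketch (not part of any EBA, MyBank or PSD2 specification) of the check an AS-PSP would want to run on each incoming request. It assumes the caller's certificate was obtained from a mutually authenticated TLS handshake, and it stores a SHA-256 certificate fingerprint in the directory as a simplification of storing the public key; all identifiers and sample entries are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    NOT_LISTED = "not listed"              # absent from the directory
    LICENCE_INACTIVE = "licence inactive"
    ROLE_NOT_GRANTED = "role not granted"  # e.g. AIS-only TPP asking for PIS
    UNVERIFIABLE = "no certificate on file"
    CERT_MISMATCH = "certificate mismatch"

@dataclass(frozen=True)
class Entry:
    roles: frozenset            # subset of {"PIS", "AIS"}
    active: bool
    cert_sha256: Optional[str]  # None models a legal register without certificates

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def check_tpp(directory, tpp_id, presented_cert_der, service):
    """Decide whether the caller may use `service` ("PIS" or "AIS")."""
    entry = directory.get(tpp_id)
    if entry is None:
        return Decision.NOT_LISTED
    if not entry.active:
        return Decision.LICENCE_INACTIVE
    if service not in entry.roles:
        return Decision.ROLE_NOT_GRANTED
    if entry.cert_sha256 is None:
        return Decision.UNVERIFIABLE   # licensed on paper, identity cannot be checked
    if not hmac.compare_digest(entry.cert_sha256, fingerprint(presented_cert_der)):
        return Decision.CERT_MISMATCH  # right name, wrong key: treat as an imposter
    return Decision.ALLOW

# Constructed sample data: byte strings stand in for DER-encoded certificates.
CERT_A, CERT_FAKE = b"constructed-cert-tpp-a", b"constructed-cert-imposter"
DIRECTORY = {
    "TPP-A": Entry(frozenset({"PIS", "AIS"}), True, fingerprint(CERT_A)),
    "TPP-B": Entry(frozenset({"AIS"}), True, None),       # legal-register style entry
    "TPP-C": Entry(frozenset({"PIS"}), False, fingerprint(CERT_A)),
}

if __name__ == "__main__":
    for tpp, cert, svc in [("TPP-A", CERT_A, "PIS"), ("TPP-A", CERT_FAKE, "PIS"),
                           ("TPP-B", CERT_A, "AIS"), ("TPP-B", CERT_A, "PIS"),
                           ("TPP-C", CERT_A, "PIS"), ("BANK-X", CERT_A, "PIS")]:
        print(tpp, svc, check_tpp(DIRECTORY, tpp, cert, svc).value)
```

The `TPP-B` and `BANK-X` rows are the two gaps described above: an entry without a certificate cannot be authenticated, and a credit institution that never applied for a TPP license is indistinguishable from an unknown caller.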
There is a fear that if 4,000 AS-PSPs all publish their own ‘Open API’ or access solution, TPPs, merchants and consumers will be faced with up to 4,000 interfaces to connect to, with different security models, user experiences and data components. There are strong fears of fragmentation and the risk that the industry spends time and money on a project that does not meet its objectives.
The obvious answer is that the EBA RTS will clarify this, but this is unlikely. The RTS are “Regulatory”, but they are not (as we are told) “Technical” and they are not “Standards” – at least in comparison to standards found in the SWIFT world, or the world of internet API development.
Based on what has been publicly said by the Authorities, there is a consensus that unless something changes (and there are still nine months to go) we know that:
- Regulatory Technical Standards are not “Standards” but more of a framework.
- Neither the EBA nor anybody else will give account servicing banks a certification or a stamp of approval to say that what they have put in place correctly complies with the RTS that is to be published. In fact, this is the job of the supervisory authorities in each country, which will follow up complaints of non-compliance with the law after the event.
- The EBA has received over 120 responses to the consultation, which are now being read and which have now been published (http://linkis.com/www.eba.europa.eu/ne/jpYbf), and the first draft of the RTS will be published in early summer.
- The RTS will not deliver all the answers to the industry and the industry has some work to do to figure out how to open their accounts in an interoperable way.
There are some who hope that the magic of “Open APIs” will save us, but I don’t believe this is the full answer, although the approach and technology clearly provide many specific answers.
And so to a scheme…
When EBA CLEARING created MyBank (which pre-dates PSD2 but also establishes a mechanism for a licensed PSP to access the account of another licensed AS-PSP for specific services) the value was not in the technical standards, but in the rules and agreements that participants make. These concern topics like the onboarding and certification process, the central registration directory (which is operationally secure, 24/7 access, contains certificates of confirmed participants), the dispute management process, the change management process and the business rules that go with technicalities (refunds, reconciliation, customer experience) and the agreements that bind the parties to a common way of working to avoid fragmentation.
As a result, MyBank has linked over 250 payment service providers to each other, which are now initiating payments with each other. We also believe that through these mechanisms the AS-PSPs can find new ways of providing services to their customers.
In the last six weeks, I have heard for the first time the word ‘scheme’ being used to describe the administrative functions of putting some order in between the AS-PSPs, to ensure that thousands of compliant but non-interoperable interfaces are not created, and to facilitate the common administration of PI-SPs. Equally, the UK’s Open Banking report states very clearly the need for a ‘governance body’ to oversee security, usability, reliability and scalability of APIs and to “create frameworks for handling complaints and redress”.
Other national communities are also starting to imagine a set of agreements that players might make to ensure a level of harmony between them and so to ensure that consumers get a uniform experience that actually works when they try to pay.
Without any draft RTS to set a minimum baseline, it is hard to start working on the topic, but the complexity of the problem and the number of players involved means that the industry needs to start moving forward.
It is not clear exactly what the end solution will look like, or how arrangements such as those used in MyBank will play a role, but it is clear that the industry stakeholders must work together. Payments is a network business. As the saying goes, united we stand, divided we fall.