PSD2 and open banking: what is the impact for your organisation over the next 18 months?

With the recent announcement from the Competition and Markets Authority (CMA) ordering a number of British high street banks to ‘open up’ and adopt the new principles for open banking and the impending implementation of PSD2, banks, including challenger banks, will soon face a new data revolution – cementing the customer at the heart of everything they do.

What is PSD2 and what does it mean?
Payment Services Directive version 2, or PSD2 as it is commonly known, has been brought in to update the first version which came into force in the UK in 2009. It’s also been extended to cover a number of things including strong customer authentication, secure communications and increase innovation from third party providers (TPP). This subsequently opens up a level playing field for authorised companies, such as Fintech start-ups, to access the payment methods and data from customers’ payment and bank accounts.

The UK has until January 2018 to transpose it into national law.

While the consultation period is still taking place, if you are a Payment Service Provider you need to start considering how PSD2 will affect your business over the next 18 months, as it presents both threats and opportunities. Key to this is understanding what the possible technical requirements will be and how your organisation will take steps to meet them. Whilst the next 18 months are inevitably going to be focussed on preparing for the enforcement of PSD2, the change spans beyond that and banks should start to consider long term strategies that are underpinned by strong authentication and robust practices.

How will the announcement of Open Banking impact PSD2?
In conjunction with PSD2, the CMA set out its proposed Open Banking principles in August this year to open up and increase competition specifically within the retail consumer and small business market.

As we’ve seen over a number of years, consumers’ reliance and notable trust in aggregator or “price-comparison” sites has fuelled and changed the insurance market beyond recognition. The Open Banking principles are set to shake-up retail banking in a similar way and empower the consumer to make better, more informed financial decisions – each based on data harvested from the customer’s payment accounts. In the medium term, it will also be possible to make payments through this new route.

The first delivery is scheduled for early next year and is focussed on account data.

The Open Banking goal is to enable and empower consumers (and small businesses) to take control of their finances, managing their accounts with several providers through a single application. Both pieces of regulation overlap both in scope and in when they will be introduced.

What are the key things to think about over the next 18 months?
Despite the referendum results the UK will almost certainly need to implement PSD2 and payments going into, or coming out of, the EU. In addition, since it establishes common regulations for payments, it is highly likely that businesses will have to manage PSD2 changes in the short term regardless

Over the next 18 months, all payment service providers will need to think about two key things:

  1. Strong authentication – how they’re going to make sure our customers are who they say they are? Which technologies could you use to do that – biometrics, shared knowledge, security tokens or identified devices and passphrases?
  2. Open up access to accounts – how they’re going to ensure they allow customer access from devices, such as mobile phones, to their payments accounts?

Who plays a part in the implementation of PSD2?
PSD2 will be mandatory for any payment service provider who wishes to continue trading and supplying payments within the EU. Implementation is very much up to the each organisation and as such should be looking at their current technology capabilities, their customers, and how they as a payment service provider (PSP), can serve them better.

At this stage of the consultation process, PSPs will most likely have their work cut out in order to comply with what is being suggested through the consultation period. Revised processes, new technologies and procedures will all need an overhaul and review to support the new directive.

In addition, businesses which take card payments or set up direct debit collections online will also be forced to make changes as these come within the requirements for strong authentication.

Once the new directive is in place, the impact for the consumer will come in some form of stronger authentication methods which could include educating consumers on new ways of accessing their information through proposed biometrics, device and knowledge-based authentication. There are already positive suggestions that the UK is becoming more aware and ready for biometrics to play a part in their online banking activity and that most adults are ready to embrace biometrics as a method of asserting their identity.

So, whilst the next 18 months mean inevitable change, beyond that the strategy and change is revolutionary and banks must ensure robust, compliant practices that have a strong edge of competitiveness in a growing emerging market. Have you thought about it?