Paperjam, February 2019
PSD2 and RTS, less than 50 days to go!
If you are a bank and offer online access to your clients, then a third-party payment provider (TPP) or a provider in the process of obtaining such authorization, will be entitled to access your infrastructure as from 14 March 2019. The remaining question many banks now have is as follows: have I considered the options to comply with the PSD2 regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication?
To open those access routes, banks can choose between two alternatives: the first is to allow the use of an adapted interface used for identification and communication with their payment services users (PSUs); and the second is to build a dedicated application programming interface (API), fulfilling the quality criteria defined by the RTS SCA. A key consideration becomes also the decision to use external Fintech technologies or develop all in house.
The build of a dedicated API is the preferred choice for most players. Market practice is to follow standards of communication which are issued by international or European standardization organizations (such as the Berlin group or STET). Moreover, the dedicated API technical specification documentation should be made available at no charge, upon request by the authorized TPPs. The technical specification shall include a set of routines, protocols, and tools needed for allowing TPPs’ software and applications to interoperate with the systems of the banks. A summary of the technical documentation shall be publicly available on the banks’ website as of March 14th, 2019. The interface needs to be limited to payment accounts, must include all payment functionalities as provided via other on-line banking means and request eIDAS certificates from the TPPs.
Banks can opt for different market approaches to building the adapted PSU interface or the dedicated API. They can build them themselves and cater for the respective costs and risks, or seek for collaboration with FinTech companies to host, aggregate, market, operate and expose their clients’ payment accounts.
According to the RTS SCA, all APIs, whether dedicated or not, will be subject to a 3-month “prototype” test, starting 14 March 2019 (until 14 June), and a subsequent 3-month “live” test, until 14 September 2019, in market conditions. The test periods will allow the authorized TPPs to assess the quality of the APIs put in place by the banks. On the other hand, based on the test results of the “prototype” phase, banks will be able to request the national supervisory authority – the CSSF in Luxembourg – in consultation with the EBA, to grant them with an exemption on the contingency safeguards and avoid opening a second channel or their current online banking module (containing payment, saving, investment and other accounts information) in case of failure of the adapted PSU interface or the dedicated API. Any regulated TPP authorized or passported in the country of domicile of the bank will be allowed to offer the services to its clients that allow them to consult its Bank payment account(s) or initiate payments from its bank payment account. Therefore, banks should anticipate that connections could come from every country in the EEA and that volumes will certainly not be neglectable.
In this context, if developments are not yet finalized or well progressed, it is time to act, banks should make their choice between an adapted PSU interface or a dedicated API and move fast. In parallel, new revenue models may be analyzed and the opportunity for banks to be acting like TPPs could be considered.