The Final Countdown to PSD2: how Open Are Banks?
The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. September 14th marks the deadline for European banks to be compliant and for SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions. In a nutshell: everything we know about banks and payments processing and how we can access financial services is changing. But the question is: are all involved actors going to be on time for the September deadline? In view of the complexity of the directive requirements, on June 21, 2019 the European Banking Authority (EBA) released an opinion and granted national Authorities the possibility to postpone the 14th September deadline. They stated: “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, National Competent Authorities (NCAs) may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time”. What does this mean? From September, the SCA regulation under PSD2 is supposed to mean that European shoppers will have to authenticate online payments over EUR30 with two of the following: something they know (like a password), something they are (fingerprint/face ID), or something they have (phone). But this is not all about SCA. As many peers have highlighted in their recent blog posts or in an open letter sent to European NCAs, one of the main issues affecting the advent of Open Banking in Europe is that only a low minority of European banks are ready to be “open”. At Epiphany, we know this very well too. We have found less than 10% of APIs we tested were ready and with good quality to allow usage, and our Open Banking preliminary survey results that we will present at the BIAN event we are hosting in October (Register here) confirm banks are still struggling to be compliant for various reasons, including budget constraints, lack of strategic planning or of technical or legal resources, and in many cases because of providers of PSD2 solutions being late or not providing what promised.
How are NCAs reacting to the EBA’s June 2019 opinion? A number of European authorities have already taken action and leveraged EBA’s opinion to support all involved actors in this banking transition and with offering windows of delay for the SCA deadline. Denmark: the Danish FSA (DFSA) issued a statement saying that involved subjects may benefit from a specific agreement with the DFSA to continue to apply such authentication solution after 14 September 2019, but this is subject to presenting DFSA a specific migration plan – which needs to be approved by DFSA- ensuring implementation of authentication solutions in accordance with the EBA’s opinion. France: Bank of France, the French regulator, unveiled a 3-year strong authentication “transition” period already in 2018. Ireland: the Central Bank of Ireland has announced a delay to the roll out of Strong Customer Authentication (SCA) rules, without specifying the length of this delay. Italy: the Bank of Italy has decided to grant (upon request of the PSPs) an EXTENSION for a limited period, based on the maximum term that EBA will define and subsequently disclose to the market to complete the adjustments required by law concerning the security of card-based online payments. United Kingdom: the UK’s FCA, on behalf of Bank of England, stated that for online banking, the changes will be phased in from 14 September 2019 and completed by 14 March 2020 and with regards to SCA it will give the industry an extra 18-month implementation plan for card issuers, payments firms and online retailers. Also EPIF, the European Payment Institutions Federation, asked for an extra 18 months and has invited European NCAs align on industry readiness with an agreed Europe-wide roadmap. They also asked for clearly defined use-cases, with key milestones and clear and consistent metrics. Their request was also signed by Mastercard, VISA and EuroCommerce, amongst others. What about banks and the PSD2 compliance? PSD2 compliance is often seen as yet another regulation to implement. Relying on an incomplete solution means offering a very low opportunity to those willing to help banks offer better services to their customers, and may translate for banks in losing credibility and ultimately clients. The path to Open Banking has started to better serve end-users and to leverage innovative technologies. Nobody said it was going to be an easy journey for banks, but it is a challenge that may offer greater opportunity for them to enrich their offering, retain their customers, monetize on innovative service and avoid churn because of faster new entrants that may steal in the long term not only data, but also that trust they built in years, and their clients – as it’s already happening. The more banks will be able to offer clean and really open APIs and the more they will be open also with their mentality, focusing on offering effective Human Experiences, also through partnering with fintechs for offering innovative services, the faster and better Open Banking will ensure a greater way of helping their clients manage their personal finance and build a solid foundation for their future in these time of economic uncertainty. And this will ultimately translate for them in keeping their customers and attract new ones. At Epiphany we believe technology is here to serve human beings, and we help banks comply and pivot right into Open Banking easily, and effectively. Whether you are still not PSD2 compliant or working with NCAs to better define a definitive roadmap for your open banking, we can deliver a complete PSD2 compliance package in just 2 weeks, and support any open banking strategy with a Full-Stack digital banking platform and ready-to-use solutions to monetize on Open Banking. Contact us at firstname.lastname@example.org today to learn more.