THE HEART OF THE MATTER: A2A UNPICKED
In repealing what is now being called PSD1, PSD2 introduces change on a number of levels, but the feature that has attracted by far the most attention is the so-called “access to accounts” (A2A) element. This is the provision which requires account holding institutions (typically existing banks) to allow access to their customers’ account information to facilitate payment initiation and account information services provided by newly regulated third-party providers (TPPs).
A2A is the reason PSD2 has been hailed as the development which will lead to the disintermediation of incumbent banks at the hands of upstart new entrants, all set to dominate customer engagement and leave the traditional players scrabbling for scraps of low-grade commoditised back-end account servicing business.
Tom Blomfield, CEO and Founder of UK digital challenger bank Monzo, paints a bleak picture. “Forcing the banks to open up will upend the retail banking system in the UK to the benefit of consumers,” he says. “For the big banks it’s potentially a major problem because their business is based on customer inertia and lock-in. Banks give out footballs to persuade young people to open accounts with them, and then throughout the customer’s life they cross-sell additional products. Since they have already acquired the customer, and because the customer can’t be bothered to switch, the banks can cross-sell products that aren’t necessarily competitively priced. The banks are not always giving the best deals to existing customers; they are giving them to new customers.
“PSD2 has the potential to up-end the retail banking market, forcing each product to stand on its own two feet. This will lead to increased competition and price compression. For the banks this is problematic. They will be caught between a rock and a hard place, trying to handle open banking while also spending GBP2-3 billion each on cost reduction and regulatory change programmes.”
A2A is certainly one factor driving change, believes Lyon at Fire Financial Services. “The way things are isn’t the way they are going to be in the future,” he says. “It is difficult to predict exactly how it will play out, but the way we’ve been looking at it is to talk about the attributes of the products that are likely to be successful. Are things going to be more social, secure, connected? Yes. Are more participants going to be involved in the transaction process? Yes. It’s hard for financial institutions to change, and that’s the reality. Technology change, change in the marketplace, intense competition: all the indications are that this is going to become a scramble. The idea of taking multiple products from the same institution will go. The idea of account switching will probably go. But the idea of downloading another app to access all your financial information – that can really work.”
The implications of opening up access to account information have caused banks concern at a competitive level. As Robert Langley, Enterprise Architect, Payments at National Australia Bank, observes: “The challenge is that banks face the threat of being disenfranchised by third parties and hence be trivialised as commodity service providers of accounts and value transfer services.”
A2A has also caused other concerns.
“The challenge of A2A is around access to data, from a privacy perspective,” says Leigh Mahoney, Head of Payments Portfolio, Group Payments, ANZ. “A consumer giving a third party permission to look at a balance but not transactions for example – that will present challenges to banks. To segregate out information to a granular level – this party can see that balance but not this one – is challenging. If you don’t put governance and control effectively on your front door it’s like giving a five year old a tub of ice-cream and a spoon and saying you can only have one spoonful. You know they will eat it all. Accessibility has to be balanced with governance and control.”
This level of granular information sharing may not be a problem only for banks, warns John Box, Head of Strategic Partnerships, Payment Services Division, Raphaels Bank. “Whether the customers are going to be comfortable with that level of flexibility in how they manage their finances remains to be seen,” he says. “It can be a full-time job managing the security settings around your Facebook page. Managing your bank account could be like that as well. To be successful, open API access will need hand-holding and education, something difficult to maintain and monitor over the long-term.”
An improving picture for the banks?
The potential dangers of PSD2 from a data protection perspective have long been highlighted by account holding banks. However, the consultation on the draft RTSs published by the EBA in August does seem to have alleviated some of those concerns. Ruth Wandhöfer, Global Head of Regulatory & Market Strategy, Citi, highlights how challenging it would be for account holding banks to receive queries from third parties using their customers’ credentials. However, this issue is clarified in the RTSs, she says, which state: “To limit the risks relating to phishing and other fraudulent activities, it is appropriate to ensure that the account servicing payment service provider is aware that he is being contacted by a payment initiation service provider or an account information service provider and not by the client itself.”
Furthermore, the EBA document makes clear, in line with PSD2 Article 97(5), that although payment initiation service providers (PISPs) can rely on the authentication procedures provided by the bank to its customer, these secure customer authentication procedures remain fully in the sphere of the bank.
Another challenge that has resulted from third-party activity in the past, Wandhöfer says, is the risk of constant querying by new payment players of the mainframes of established banks for account information. “These types of behaviours can put a real strain on banks’ core systems – sometimes being likened to a denial of service attack,” she says. “In the RTS it states that if a third-party is not responding specifically to a client demand for information, the third-party can only query the bank for data twice per day maximum. This should help to limit the types of behaviours that create costs for really no benefit.”
Though some refinements are needed, the RTSs are a “positive outcome”, agrees Fabrice Denèle, Head of Cards & Payments, BPCE. “The EBA has listened to the market and has achieved the right balance between the expectations of different players and the needs of different users, and that is quite a challenge,” he says. “At the end of the day, what the EBA has produced is flexible enough to secure any innovation that any player – whoever they are – would like to implement and promote. The guidance is also in my view at the right level of detail – not too technical, not too far in the clouds. As a bank, we consider it is a text that grants innovation and also grants us the ability to be compliant with our liabilities.”
Not all bank observers are fully reassured by the RTSs. Says Gunnar Berger, Head of Cash Management Solutions at Nordea: “The biggest concern we still have is around authentication and authorisation. The guidelines we have still leave some questions unanswered, and for payments industry professionals, the document uses some odd terminology and displays some illogical thinking. This concerns me, because creating a really good authorisation process – where we have end-to-end authorisation through third parties – is a challenge, and if that is unclear for a while it will give the industry little time to actually put this in place in a proper way.”
The document states: “Each account servicing payment service provider should offer at least one communication interface enabling secure communication with account information services providers, payment initiation services providers, and payment services providers issuing card-based payment instruments, which should be documented and freely available on the account servicing payment service provider’s website. This communication interface should allow account information services providers and payment initiation services providers to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user.”
It also states: “The EBA discarded reference to generic internet communications standards (such as HTTP, HTTPS, TLS, and SSL) … as the EBA judged them as already of general use and too unspecific for communication standards under the mandate conferred on EBA by PSD2.”
These texts have been interpreted as implying the use of APIs as opposed to screen scraping which, suggest observers such as Erik Engellau-Nilsson, Head of Communication at Klarna, basically means putting the established banks in control and the new entrants at the mercy of the banks’ IT. “This has supposedly been done on the grounds of security, although there have been no security issues with our solutions at all,” says Engellau-Nilsson, “and basically means replacing the use of a proven solution with the use of a solution which is totally unproven and is almost certain not to fully and reliably work from the outset.”
The disenchanted new entrants are making their objections plain through their responses to the consultation (including a public hearing scheduled for September) and hope to succeed in having HTTPS mechanisms named as viable options alongside API-type solutions. It is worth remembering, therefore, that the situation as outlined in the draft RTSs could change.
That said, even though not all aspects are clear, the banks have little option but to push ahead if they are not to lose valuable time. Says Miguel Simões, Head of IT at Portugal’s BNI Europa: “We believe that reduced time to market is a key business differentiator today. In this sense, though the regulatory technical standards are unclear, the most important thing is to react quickly to change requirements as soon as the standards are disclosed in early 2017. Being surrounded by an engaged IT service provider community is definitely a key aspect required to succeed.”
Nilsson at Swedbank echoes the view that the banks are considering the opportunities as well as the challenges of A2A. “We have actually looked at the TPPs question from two angles,” she says. “What do we need to do to become compliant, and also how can we take advantage of this as an opportunity? On the first, we are looking at what we need to have – standard APIs and the capability to share information on accounts. When it comes to the opportunity, here we see ourselves as established providers for our customers, and we are also considering the services we can provide to new entrants. They will need information from us.”
The banks’ thinking has certainly evolved, she continues. “TPPs are a threat and we will have to deal with them. However, while initially when you read PSD2 you might think, let’s block them out, keep them from entering the value chain, when you think about it, you realise that what’s expected of us by the Commission is to increase consumer protection.”
This gives established providers certain strengths, she says. “The EBA RTSs give the account holding service provider the role of deciding the level of security and what credentials will be used. The banks will have to allow TPPs to use them, but having that right means the banks can make the decision about where they put consumer protection. TPPs are very active already, and PSD2 will clarify their roles and responsibilities where today they have none. We believe that not all of those providing services today have the capacity to become TPPs, and that there will be several providers that will be approaching the banks to get access to the systems they need, and there could be opportunities for us to offer access to our infrastructure. So overall, we see a range of opportunities.”
We should “forget about banks staying only as account servicing payment service providers (ASPSPs)” says Denèle at BPCE. “Banks will be innovative and creative enough, with enough expertise, to become also AISPs and PISPs,” he says. “Banks will play in the TPP space. We have had a lot of discussions with banks within the French banking community and this is the case for my banking group as well. We are having strategic discussions and we will play new roles in the value chain in the digital space which will evolve from this legislative framework.”
James McMorrow, Senior Manager, Payment Strategy and Business Development for Lloyds Bank Global Transactional Banking, also sees opportunities. “The ‘open’ philosophy behind PSD2 may appear to introduce a significant competitive threat to some traditional banks,” he says. “The proposed barriers to entry are low for third parties, and the openings for challenger banks and technology vendors could be wide-ranging. But PSD2 actually offers a new world of opportunities for them through embracing technology and working with clients to understand how to meet their future needs and improve operational efficiency.”
Banks must decide what their business response is to PSD2, he suggests. “Do they intend to simply achieve basic compliance with the regulation, or do they want to look for commercial opportunities in regulatory change? The answer will depend largely on which customers the bank serves and what their customer needs are. They can choose to seek ‘compliance only’, which will involve just meeting regulatory compliance requirements and sharing of data with the regulated parties that customers request. Whilst this is likely to be a cheaper implementation, this could come with considerable risks and threats to the bank; as customers may seek value-added services and operational benefits from providers that can offer additional value added services, capitalising on the new technology.”
This could open up opportunities for banks to redress the balance in the digital stakes, McMorrow suggests. “Where banking has largely been behind the curve compared to other industries is the digital space, banks now have a chance to start designing more intuitive solutions that put the user experience first. Competition will encourage banks to turn traditional product design processes on their heads, starting first with the user experience and channel and working backwards to the underlying solution,” he says.
Simões at BNI Europa says the bank “is conscious that PSD2 will cause severe market disruption and promote new banking paradigms”. “January 2018 is right around the corner,” he continues, “and as such, BNI Europa is not only working to ensure compliance with the regulation by that time, but also – and most importantly – to benefit from the significant business opportunities that will arise from the legislation.”
Currently, BNI Europa is focused on actively engaging its IT service provider community around key aspects of PSD2 “such as strong customer authentication, secure communication and open APIs for payment initiation service providers and account information service providers”, Simões says. “In the near future, we will increasingly move our focus towards the development of new business models and unconventional revenue streams that will leverage an open API infrastructure.”
Berger at Nordea too sees the opportunity to go beyond compliance. “Our PSD2 strategy is to make Nordea fully compliant – that’s a given of course – but we are trying to do this in a proactive manner, seeing it as an opportunity to generate benefits not only for our customers but also for Nordea,” he says. “We believe we can create a platform on which we can build for the future. Our strategy is also to consolidate activities in Nordea so we gather our strength into building one platform which serves all the product units in Nordea.”
There may be some changes – “we may have to realise and accept that for certain customer segments there will probably be someone else providing the interface or the device through which the customer will initiate the payment: that’s the way of the future” – but the trick for banks will be to “find smart ways of dealing with this, and probably collaborating with these third party providers in a way that provides the best experience for the customer”. “I think the third party providers will actually benefit a lot from having a good collaboration with the banks. Instead of them replacing us, I think we will be serving the customer together,” Berger suggests.
Simões at BNI Europa takes a similar view. “PSD2 will definitely contribute to improving the competitive landscape in the payments industry. It is extremely likely that new market entrants will emerge from the fintech and from the internet and social media industries. We foresee that banks will promote the establishment of partnerships with those players,” he says.
The emerging thinking around the inter-relationship between banks and fintechs is that banks should embrace some of the new propositions coming from the fintech space that will complement their existing offerings. These bring new functionality to customers (in a timely and efficient way) without completely disintermediating the banks; on the contrary, they enable banks to bring the best of what fintech has to offer under the umbrella of a trusted bank relationship.
And Box points out that the fintechs are also looking to partner around PSD2 and A2A. “We are having many conversations with challengers who are looking to benefit from PSD2 and open access and they are not looking to take down the banks,” Box says. “They want to offer financial services in addition to a bank account. It is rare you see something that will completely replace a bank’s offering – the fintech will either do something different or in a different way.”
How challenging the A2A component of PSD2 proves to be for banks will somewhat depend on their existing businesses, says Simões at BNI Europa. “A2A will definitely be a challenge for most traditional banks, mainly those whose businesses highly depend on the fees from card-based transactions. Being a bank which currently does not have card-based acquiring merchant business, the disintermediation of the payments value chain will definitely present an opportunity to develop a non-card-based acquiring merchant business model, without having the risk of market cannibalisation,” he says.
Versmessen at Swift agrees that “in the corporate banking world we already see quite sophisticated solutions”. “Most of the banks have offered corporate online portals and corporates have been able to send instructions for payments at another bank.”
Rainer Wolff, Innovation Lab, Product Management Cash Services, Commerzbank Transaction Services and Financial Institutions, adds: “In our corporate business it is already possible to receive account information from other banks for example via Swift, and it’s also possible to send payment instructions. The implementation of payment initiation and account information services for corporates is totally normal.”
But that doesn’t mean there isn’t an opportunity here for the banks, WillemsRosman continues. “Corporates are looking for their banks to continue to innovate and provide market leading services. PSD2 provides a platform for these innovations to take place and to generate a level playing field. This will not only benefit clients, but will also allow banks to offer more creative payment and account services solutions. Ultimately, corporates are not necessarily looking for the market to fragment further – which is a risk with PSD2 encouraging new payments entrants. Our experiences with our corporate clients suggest they ultimately are looking for a wider relationship play, from providers which can help them in multiple spaces, to provide an overall connected experience and help them be successful.”
McMorrow at Lloyds agrees. “If, for example, a multi-banked corporate customer chooses to use the bank as a provider/aggregator of choice, there is an opportunity for the bank not only to deliver multi-banking payment and cash management but in addition to then deliver rich data and analytics to the corporate,” he says. “This information can be plugged back into the business to help the corporate better understand their working capital, for instance. Leveraging standardised data in this way could significantly reduce the operational burden on clients, whilst also allowing banks to better understand their customers.”
Swedbank is also examining the “impact PSD2 will have on our corporate cash management offering”, confirms Nilsson. “There I can see the possibility of a single point of information and access to support you if you are a multi-account corporate bank – the possibility to have one digital bank, not based on receiving account statements from all account holding banks and sending payment initiation through multiple internet banks.”
Other drivers of market change – such as the rise of instant payments – in conjunction with PSD2 could be important in creating new services for corporates, observers suggest. Christophe Chazot, Group Head of Innovation, HSBC, certainly sees that “PSD2, connected sources of information and instant payments will really make corporate treasurers’ lives easier”. Mahoney at ANZ also identifies the real-time payments trend as significant. “We see corporate customers in light of the move to real-time banking looking at the integration that has traditionally happened through Swift and file-based means and accepting that with the move to real-time there is a more dynamic need for that to happen,” he says.
Corporates will need new liquidity management capabilities in this context, Mahoney continues, adding: “The other side of this for corporates is real-time receivables management, the online fulfilment of goods and services. Being able to make real-time payments from the bank account implies the real-time enabling of the thing you have bought. That’s where the additional desire will come from in the corporate world.”