How Fintech-friendly is PSD2?
The revised Payment Service Directive (PSD2) poses several challenges to the emerging FinTech sector in mainland Europe. I pinpoint the most important ones below and look for possible solutions.
The defining characteristic of FinTechs is their ability to detect customer needs and quickly design new services in an otherwise traditional financial market. I see three main reasons why FinTechs are able to respond to customer needs so swiftly:
- They move fast due to their lean & agile mindset.
- They deliver simple though efficient digital processes.
- They are completely focused on solving a narrow set of client problems.
However, is this enough to answer the challenges brought by PSD2?
Invest in trust
Before PSD2, the only way to collaborate with a bank was through long-term partnerships or by using “alternative” methods such as screen scraping*. PSD2 levels the playing field by granting regulated access to a customer’s payment account. This means that FinTechs now have a proper legal framework for accessing some of the information they need to develop innovative services.
Some banks still show resistance to collaborating with FinTechs acting as Third Party Payment Service Providers (TPPs)**. This is due to differing risk appetites. In this increasingly security-sensitive environment, FinTechs will therefore need to demonstrate the appropriate organizational and technical measures they have implemented to protect their customers’ data in order to build that trust.
Additionally, some banks are afraid of losing their competitive advantage when opening up parts of their back-end systems. And you cannot blame them: open banking implies a huge change for banks, not only in systems, processes and regulation, but also in mindset. A big challenge will be to grasp the opportunities at the right moment by leveraging regulations like PSD2.
FinTechs will also need to invest a substantial amount of time in gaining the trust of the banks’ customers. The customer needs to understand which financial data will be accessed and for what purpose. Giving a new market player consent to access bank accounts might be scary for some, so building a trustworthy relationship with that customer will take time. However, it is crucial for the FinTech to gain that trust, and it is definitely worth it.
Becoming and staying compliant
A FinTech that acts as a TPP and wants to obtain direct access to the customer’s data will need to comply with several EU laws and regulations.
The three main pieces of legislation in the context of payment services are PSD2, the Anti-Money Laundering directives (AML, a set of rules to combat money laundering and terrorist financing in the EU) and the General Data Protection Regulation (GDPR, the EU regulation harmonizing data privacy laws, applicable since May 2018).
Each of them gives rise to its own particular challenges, and implementation has proven to be highly complex, especially because there are several discrepancies between the various regulations.
Generally, I recommend FinTechs to consider the following points:
- Capture and manage the consent and authorization of the customer in a transparent way.
- Manage the transferred payment and personal data in a secure way. Do not reinvent the wheel; pick industry-proven methods off the shelf.
- Define accountability, because PSD2 does not require a contractual relationship between banks and TPPs. A FinTech acting as a TPP should guarantee an appropriate level of data security regardless.
- Assess and set up the relevant AML processes and controls in the right spot of the PSD2 chain.
- Document the roles and responsibilities of all parties in the chain properly.
- Do not forget that the local regulator can audit you at any time…
No API standards for banks
FinTechs will do what every start-up does: choose the path of least resistance. If they find a bank integration option of equal quality that is faster than implementing everything themselves, most will favor that option. That is the added value API*** aggregators such as Ibanity can bring. Some TPPs will invest the time and money to integrate with every bank separately. But keep in mind that there is currently no widely adopted Belgian or European standard for bank APIs. This means each integration is a new and potentially unique one. FinTechs should not waste their time on this: the core business of most FinTechs should not be bank integration. They should focus on delivering customer-friendly financial services and solving specific client problems.
From a compliance perspective, collaborating with aggregators or large TPPs could be an option for FinTechs that want to outsource compliance-related processes. However, this does not mean that FinTechs can ignore their minimum requirements, because they remain accountable. It is therefore important to find the right balance when outsourcing processes.
Isabel Group’s PSD2 experts at Ibanity have created a free white paper on consents and authorizations in API aggregators.
* Screen scraping is the process of collecting screen display data from one application and translating it so that another application can display it. This is normally done to capture data from a legacy application in order to display it using a more modern user interface. (as put by Techopedia)
** Third Party Payment Service Providers (TPPs) are the less traditional payment service providers, like iDEAL, PayPal and Amazon Payments. Under PSD2 the term covers account information service providers (AISPs) and payment initiation service providers (PISPs) that access a customer’s payment account held at a bank.
*** API stands for Application Programming Interface: the part of a server that receives requests and sends responses. It is basically a way for applications and servers to communicate with each other (Petr Gazarov has a clear way of explaining it).