When the Second Payment Services Directive (PSD2) was implemented at the beginning of 2018, most banks were not ready for PSD2’s key change, open banking. However, 2019 may well be the year PSD2 begins to make an impact, in particular as Strong Customer Authentication (SCA), one of PSD2’s Regulatory Technical Standards (RTS), will come into effect across the EU. In this article, we explain what can be expected from the new PSD2 regulations during the coming months and already this week.
Open banking is often used as a synonym for the requirements and new business opportunities brought by PSD2. PSD2 creates open banking by obligating banks to create a system of open Application Programming Interfaces (APIs) that gives third-party service providers access to the accounts of the customers of the banks.
This means that customers will be able to use the services of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), for example for the purposes of analyzing their accounts in various banks or initiating direct bank transfers. Both services require the consent of the customer, but no separate agreements with banks. In this way, AISPs and PISPs are authorized to use the customer’s bank data in order to facilitate new services, and traditional banking payment models will eventually change.
Current Status in Finland
Although PSD2 was implemented on 13 January 2018 and the majority of its provisions apply already, the change to open banking is not yet visible in the payments market in Finland. This is due to the fact that PSD2’s provisions on strong customer authentication and common and secure communication will come into operation only on 14 September 2019 when the SCA-RTS will be enforced.
During the transitional period between 13 January 2018 and 14 September 2019, banks are required to comply with PSD2, but are not yet obliged to implement the new security requirements regarding e.g. the ability of APIs to access customers’ accounts. This means that banks have only started to introduce their open APIs, and it will take time until everything is settled. There also remains some ambiguity e.g. on what the APIs should look like, and whether any standards are going to be developed more widely across Europe.
Furthermore, PSD2 provides that customers’ data can only be given to trusted AISPs and PISPs. To offer new services under PSD2, PISPs will therefore need to apply for authorization and AISPs will have to register with the Finnish Financial Supervisory Authority (FIN-FSA). This may cause further delays before new services are available on the market.
Critical Dates and Next Steps
The final deadline on the PSD2 timeline is now quickly approaching. Additionally, the SCA-RTS specifies an earlier deadline, which is six months before the aforementioned date.
By 14 March 2019, all banks with online payment accounts must have their “dedicated interface” (i.e. open API) ready for testing by PISPs and AISPs as well as have the technical specifications of their access interface available. Banks that are not ready for testing must provide a “contingency mechanism” which can mean e.g. the maintenance of a web-based online or mobile interface for so-called screen scraping during the transition period. The mechanism must in any event be reliable and secure, and only provide access to the account information requested by the customer.
Finally, all requirements specified in the SCA-RTS, in particular strong customer authentication (SCA), will come into effect on 14 September 2019.
Along with open banking, SCA’s greatest impact will be on consumer experience in online transactions. SCA requires additional security checks for online transactions by requiring customers to prove their identities by using two out of the following three options:
- Something you know (e.g. password, answer to a security question or PIN);
- Something you have (e.g. a device or security token); and
- Something you are (e.g. biometrics such as face recognition or fingerprint).
Although there are some exemptions to the SCA, there will definitely be changes in online payments, in particular for payment cards, due to the SCA. This means traditional methods to authenticate card payments (i.e. card number, CVV code and expiry date) may no longer be acceptable, and customers are likely to have to additionally authenticate via another method, which has already often been the case in Finland.
To summarize, the SCA-RTS will come into effect across the EU in six months, and the future of the European payments market will finally be more visible. The change to open banking is not going to happen overnight, but for any payment services provider who wishes to be among the first movers, the year 2019 is the final time to act.
We hope this article helped you to catch up with PSD2. We at Dittmar & Indrenius are happy to discuss any questions you may have regarding PSD2 and its national implementation in Finland.
As PSD2 is still a work in progress, open questions are also addressed in the PSD2 Monitoring Group (in Finnish), which aims to discuss interpretation issues and give guidance to supervised entities by the FIN-FSA.