PSD2 is coming.
Lest that sound like a teaser for the newest Game of Thrones season, there is indeed a sea change coming to financial services — one that ostensibly will open the door to greater competition in Europe. Short for the Revised Payment Service Directive, PSD2 lifts banks’ total claim on customer account data and payment activities.
To be sure, the directive, which allows banking customers across the consumer and corporate spectrum to choose third parties to assist with and manage financial activity, does not take effect until January 2018. And in one recent directive, the European Banking Authority — in a complementary effort alongside PSD2 — announced the intention to outlaw “screen scraping,” the automated use of a bank’s customer-facing web interface. That comes as part of a Regulatory Technical Standard, or RTS. To get technical for a moment: in screen scraping, a third party automates the bank’s direct customer user interface, with the customer’s permission. But controversy surrounds the fact that banks shall be able to deny this by offering instead a proprietary API to their platforms for data sharing.
In an interview with PYMNTS’ Karen Webster, Ralf Ohlhausen, business development director at PPRO Financial, said, “From the outset, none of the banks would have been very excited about the prospect of letting third parties access their customer data, which is quite understandable of course.” But as he noted, “on the other side, it’s also understandable that competition authorities would like to open up the markets more and to bring in third-party service providers, which are less regulated than banks, but still enough to ensure secure and compliant services.”
“There are also many holes in this,” he stated, as he likened the PSD2 text to the Bible or the Koran, where “there can be many interpretations on how to do things, which is why everyone was very anxious to get more clarity from the European banking authority” about regulatory and technical standards.
The text did indeed offer some clarity, said the executive, and yet questions still remain, as evidenced by the huge number of responses that the banking authorities got on the initial draft, which led to subsequent revisions.
Among the key debates, he said, are strong customer identification and secure communication between the banks and third parties. “The final draft is now on the table, but unfortunately leads into the wrong direction.”
With screen scraping, there are concerns over security and access, with another dimension of controversy stemming from how that information is used by third parties. Webster noted that within the United States, one of the controversies was that, in a hypothetical scenario, screen scrapers are “taking information from Bank A, presenting it through their app and advertising against Bank A with a variety of offers from other banks.”
Addressing the security issue first, Ohlhausen said that “currently there is no formal identification of the third party coming in using the customer user interface on their behalf. In reality, the banks, of course, know from the IP address or browsing speed if a third party is accessing the account — but the real issue is that they must get enabled to deny such access from non-licensed third parties, which is what PSD2 will provide.”
The pending regulation mandates that third parties must identify themselves using authority-issued certificates, no matter if access is gleaned through front-end user interfaces or back-end APIs.
Webster and Ohlhausen discussed the possibility that security — with all its permutations governing ways of identifying who is accessing data and when — may be a “red herring” when in fact the “bigger concern is what you can do with the data as a competitor. But whether they like it or not, my data in the bank is not the bank’s data, it is my data,” he said, with a nod to the debate elsewhere about data ownership. Under the new rules in Europe, he said, the party holding the data has the responsibility of securing it, but must allow the consumer to access it, retrieve it and share it — or not — with whomever they want to.
Later in the conversation, he stated that for PSD2, “the key point about licensed third-party providers accessing banks is that the accessing party can decide whether to use a bank-provided API, if it’s good enough — or, if not, go via the user interface to provide the service a customer requested.”
Innovation in finance and in payments comes in lockstep with this relationship, said Ohlhausen, and is not limited to bank data — it could stretch across tax documents, social media and many other data sources. Such data strata would lead to a whole new range of possible services, he added.
To balance innovation and security, said Ohlhausen, those third parties must get licensed, a hurdle that may not be easily cleared — especially with PSD2, where regulators will look at the handling of credentials and what sort of data is retrieved. In essence, the software and how that data is leveraged by the third party “will be inspected.”
But as the RTS stands now, banks would be allowed to provide an API at their back door and deny the direct access through their user interface front door. Thus, they would be able to be the gatekeeper and to control third-party innovation by limiting the data that is reaching the appropriate actors — “a recipe for disaster,” as he said, for competition and innovation, “if we let the fox guard the henhouse.”