With the Strong Customer Authentication (SCA) deadline looming in September, the mandate by the European Banking Authority requiring “strong customer authentication” for all electronic payments over €10 is causing banks to play catch-up.
Despite the compliance deadline being set back in 2015, many banks that offer application programming interfaces (APIs) to third-party providers and FinTech firms are still unprepared for SCA.
Merchant partners are also getting up to speed. The SCA mandate could cost them more than $75 billion in sales, especially as fraud protection becomes more critical than ever and PSD2 creates more transparency in the banking world. Yet only 40 percent of merchants in the European Union (EU) state they will be ready by September 2019, while another 44 percent report that they will be prepared only when it becomes active, according to the latest PSD2 Tracker.
SCA is intended to make online transactions safer for consumers. But some worry it could add friction and possibly result in fewer online sales.
Regulations can build trust and goodwill, though. Roughly one-third (36 percent) of U.K. consumers trust companies more under GDPR, according to the PSD2 Tracker.
The European Banking Authority recently announced it might provide extensions on an “exceptional basis” only.
Banks Competing with FinTechs
Under PSD2, banks are required to develop API portals to share customer data with third parties. This has forced banks to compete with FinTech firms as open banking expands. It also means FinTechs can create and offer the same products and services as those provided by legacy financial institutions (FIs).
Markos Zachariadis, associate professor of management and information systems at Warwick Business School, told PYMNTS in an interview, “The third parties will [then] have a lot of the information that we hold [and give] to the end customers. This could be a fundamentally huge shift in how a bank makes money, as they will have to compete with newer firms.”
Sharing customer data doesn’t just raise levels of competition; it also erodes banks’ exclusive customer relationships. Loyalty may go out the window if consumers no longer need to access products through banks’ branded offerings.
Open banking doesn’t just provide opportunities for third parties; it also potentially appeals to cybercriminals. “The financial responsibility for a breach falls on banks even if it was a FinTech or third-party that was hacked. That’s one of the biggest discussions right now in open banking — the security and liability issue,” Zachariadis said.
Consumer Data Protections Beyond Europe
GDPR and PSD2 have inspired open banking and data protection regulations beyond Europe’s borders. PSD2’s impact in Europe has not gone unnoticed by regulators in other areas of the world.
In Asia, regulatory bodies in Hong Kong and Singapore are using the PSD2 regulation as a template for their own data transparency innovations. These countries are innovating their online banking systems, developing new ways to treat data and online money movement with a new regulatory framework.
The Hong Kong Monetary Authority (HKMA) unveiled the Open API framework in early 2018, officially launched it in January and is rolling it out in phases that focus on things like credit charge limits, payments, transfers and new applications.
The Monetary Authority of Singapore (MAS) is taking a more measured approach. As banks and FinTechs revamp data sharing and digital payments, Singaporean banks will adapt measures to suit their needs without an official regulatory push. The idea that the country’s banks will begin to embrace data sharing when they see the benefits of open banking in other markets is more organic than regimented.
In the U.S., tech companies like Microsoft have been calling for a GDPR-like data privacy measure that would place the burden of data management on tech companies rather than consumers while allowing users to have more choice and better privacy regarding their data.
“Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States,” said Microsoft's corporate VP and deputy general counsel, Julie Brill, on the company’s blog.
Some are concerned about self-regulation in the tech industry and whether or not new antitrust laws may be needed in an era where platforms dominate globally and where data privacy is increasingly scrutinized.
There have been no federal mandates in the U.S., so California passed the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.
According to the PSD2 Tracker, a little over half (55 percent) of companies plan to comply with the California Consumer Privacy Act by its January 2020 deadline. It remains to be seen how the other 45 percent plan to handle it.