By: Ralf Ohlhausen, Executive Advisor at PPRO
The closer to the September 14 implementation deadline for the Regulatory Technical Standard (RTS) on SCA & CSC detailing much of the PSD2 legislation, the less room there is for lack of clarity about its stipulations.
The RTS mandates a number of API processes and functionalities explicitly, but it cannot define everything in all detail and therefore has a “catch-all obstacles article” ensuring that nothing can fall through the cracks. It actually lists some examples of obstacles, including the thorny issue of “redirection”, but these became rather unclear since the European Banking Authority (EBA) stated that “redirection is not an obstacle per se.”
Millions of consumers, merchants and corporations are using Third Party Provider (TPP) services and have done so for more than a decade across several countries. These are often very sophisticated services, mostly running automatically in the background to deliver value-added services in the form of personal finance management apps, e-commerce payments or bookkeeping software, just to name a few.
Migrating these services onto APIs to access underlying account data is a huge effort for most TPPs. From March 14th, TPPs should have been able to do this and test their software, but unfortunately, we didn’t see many such sandbox environments and those created, were not really usable and had most functionality missing.
Testing of APIs is not smooth
Instead, TPPs were used to beta test the new bank APIs and so far, the feedback has not been very positive.
On June 14th, all the APIs should have been in production, allowing TPPs to do their first live transactions and start migrating their customer base. In reality, many APIs were not yet in production mode, the required eIDAS certificates to use them were not available and even the few really live APIs, were missing all sorts of functionality and thereby creating obstacles for migrating the TPP services, without losing much of their purpose.
Due to these obstacles, the APIs are not yet compliant with the RTS and TPPs must continue to use the banks’ user interfaces instead. However, these will then require strong customer authentication and therefore customer presence in most cases, so that automated TPP services cannot work anymore.
So, we are facing a cliff edge on September 14th, unless we take action now and put the necessary elements into place to avoid it. First, this requires regulators to allow flexibility and not enforcing the use of APIs, which are not ready, and second, a common willingness to ensure the continuity of existing TPP services with current practices to avoid any customer detriment.
PSD2 plans ahead
There is no time left and the regulators and the banks must understand that the elements defined and requested by the European Third-Party Providers Association (ETPPA) are essential to ensure this service continuity and that the necessary contingency measures are observed, namely:
- Not blocking the TPPs’ current practices for contingency if required
- Enabling TPPs to identify themselves as stipulated
- Coordinating the introduction of SCA, which requires similar flexibility recently granted to the card schemes
- Allowing TPPs to handle the SCA for the required 90-day renewal of customer consent.
The framework is in place for a seamless PSD2 transition, it is now a matter of execution. It’s crucial for the financial community to provide safer ways to make payments with fraud and cybercrime becoming an ever-bigger problem in the credit and debit card space. If banks provide APIs to TPPs offering value-added service, it can create much safer and easier payment processes for consumers where they do not have to disclose sensitive personal data.
Open Banking, if implemented well and without creating obstacles to solution providers, can be the basis of much safer, but still user-friendly payment methods. All we need is a little bit more time to get there!
Guest Author: Ralf Ohlhausen is an Open Banking, PSD2, payments, fintech, e-commerce and mobile telecoms expert with international experience in developed and emerging markets. Combining commercial, operational and technical skills, he is Executive Advisor for business development opportunities in the fintech arena, Open Banking public policies and affairs vis-à-vis EU authorities and Central Banking matters at PPRO.