Whether the industry likes it or not, PSD2 regulations go into effect this year for payment and data access throughout the European Union. The bottom line is this: PSD2 mandates that third-party organizations be allowed to gain access to consumer banking data (with consumer consent, of course), and also facilitates payments from consumers’ personal accounts to beneficiaries’ accounts outside the construct of existing card-based payment schemes (PSD2 requires third-party facilitators to send funds directly to the merchant in the course of the transaction).
For basic information on PSD2, check out this earlier post, which offers an introduction to the topic. Today, we will focus our attention on various strategic options faced by bankers as they contemplate how best to position themselves in light of this new regulatory construct. Of course, the primary issue is the extent to which the bank chooses to view PSD2 as a regulation with which they are forced to comply, or an opportunity to fundamentally reconstruct how they partner and bring new products and services to their customers.
Said differently, do we play offense or defense?
The PSD2 Timeline
The European Commission has published the final regulatory technical standard (RTS) on strong customer authentication and common and secure open standards of communication. This regulation must now be approved or rejected by the European Council and the European Parliament. We expect the proposal will be passed in February 2018. Shortly thereafter, the RTS will be published in the official EU Journal and then banks will have 18 months to comply with the regulation.
The RTS requires banks to provide at least one dedicated interface that a third party can use when accessing consumers’ payment accounts. Most banks are expected to implement APIs as the dedicated interface, and there are currently several initiatives across Europe to deliver standards for these APIs. The RTS also stipulates that if the APIs are not performing satisfactorily, the third-party provider may use the consumer interface (also called screen scraping) as a fallback solution. Banks can be exempted from supporting the fallback solution when they can demonstrate that they have well-performing APIs. This serves as an incentive for banks to implement APIs long before the implementation deadline of September 2019. Banks may face penalties from regulators should they fail to implement a dedicated interface.
We have identified a number of strategic options banks will need to consider as they position themselves for a PSD2-enabled future:
- Minimal compliance. Some banks are treating PSD2 as a regulatory compliance issue, and will develop a basic set of APIs to authenticate consumers accessing their data through a third-party application, using a standardized Strong Customer Authentication (SCA) scheme based on multi-factor authentication. While creating the appropriate APIs in order to comply can be a reasonable short-term tactic, the longer-term implication is that third parties will now be able to utilize bank data to create and deliver new products and services to consumers, potentially undermining the primary “bank” relationship and relegating the bank to the role of utility with shrinking margins and limited upsell and cross-selling opportunities.
- Data monetization. PSD2 requires that banks make available through third parties the same information that would be made available to a consumer accessing the bank data directly, although the bank may omit certain personally identifiable information due to privacy requirements (of course, the intersection of PSD2 requirements with the implementation of the General Data Protection Regulation – GDPR – is a broader topic for consideration). One approach would be to limit the information made available to consumers directly (e.g. balance and last five transactions, with additional information provided under a separate tab) thus limiting the data required to be made available to and through third parties under PSD2. Of course, limiting consumers’ access to data could have a negative impact on client satisfaction, so such an approach is not without risk. However, banks should look closely at what information they determine is required to provide to be minimally compliant, and identify other data elements that could be made available through third parties as a “premium data service” as a way to begin to monetize certain data made available to third parties. For example, information regarding savings accounts, loan accounts, credit scoring information and other data that could be of value to third-party providers is not covered under the PSD2 regulations and could represent an opportunity for banks to offer new data-driven revenue opportunities, provided that the consumer provides consent for the sharing of their personal information.
- Offering enhanced services through a partnership with third parties. While third parties may now be able to access and aggregate data from multiple accounts through PSD2, banks still have significant assets and capabilities – not the least of which is a trusted relationship with a large volume of consumers. PSD2 may streamline the ability of third parties to create these new services, which can then be made available back to consumers under the bank’s brand. The third party benefits from access to an important distribution channel for their products, and the bank benefits through the ability to deliver new and innovative products to their consumers under their own brand.
- Enhancing distribution through third parties. Banks may also leverage PSD2 to create new distribution channels through third parties for a bank’s existing services. For example, third parties could benefit from the ability to offer card-based products or lines of credit from the bank as an embedded element of their newly conceived product offer. Banks continue to make risk-based credit decisions, and may choose to deliver enhanced data sets to partners, in exchange for opening new distribution channels for their traditional products through third parties interacting with the bank through PSD2 calls.
This is obviously not an exhaustive list of strategic options, and a blog post does not provide for a deep dive into all the implications of pursuing these strategies (for a deeper dive into the pros and cons, take a look at this PSD2 webinar presented at a recent Mobey Forum). The intent is to simply begin the dialogue and broaden the perspective towards the use of PSD2 to take a more offensive posture rather than simply viewing it as a regulatory compliance issue.
The promise of PSD2 is lofty: open the market to greater competition by implementing a standardized method for banks to share data with consumers through approved third-party providers. However, the methods for accessing this data have yet to be defined as a true technical standard: what data is required to be provided to be compliant is open to interpretation, and the methods for determining which third party is certified to access the data are not commonly defined. 2018 is likely to be a year of exploration and initial implementation where new entrants and market leaders seek to position themselves to best take advantage of the promises laid out by PSD2, with large-scale adoption through standardized interfaces more likely to emerge by 2020.
In our next post, we will discuss the opportunities that PSD2 makes available to merchants, especially as a basis for creating new and interesting services partnerships between retailers and banks.