The revised Payment Services Directive (PSD2), which has been in force since January 2018, aims to modernize Europe's payment services and to benefit both consumers and businesses. The General Data Protection Regulation (GDPR) also came into effect, and major changes in processes, data management, regulation and customer relations were expected for banks and the financial industry. Whereas PSD2 is focused on driving competition between payment providers by opening up their APIs to Third Party Providers (TPPs), GDPR aims to strengthen and consolidate data protection for all individuals by giving them more control of their personal data. Banks and fintechs have been struggling to adopt both, coping with the data sharing promoted by PSD2 while having to manage the data privacy enforced by GDPR.
More than 7 months after the PSD2 kickoff, Europe clearly still seems to be in the early phase of open banking, and a lot of technical integration work is still being done. Moreover, there is still a lack of API standardization in the EU, with initiatives for a standard coming from many sources. The best known, the Berlin Group, already has around 40 banks, associations and PSPs from across the EU and has defined a common API standard called NextGenPSD2. However, it has not yet become the common standard, as other initiatives are being launched in parallel, such as the Open Banking UK API standard, the PolishAPI or the French STET.
A further challenge seems to be the constant changes in regulation combined with a similar lack of standards. In March, the final Regulatory Technical Standards (RTS) on strong customer authentication were published, specifying only the technical framework conditions but no interface standard. In May, new EU rules were in place, setting out strict new boundaries for the information companies can gather about their clients and how they use it.
Uncertainty and the complex technical and legal requirements of GDPR and PSD2 are major concerns for banks and fintechs in 2018, and perhaps the reasons for the slowness of adoption. Banks, as payment service providers, fear that complying with PSD2 might make them non-compliant with GDPR, which could lead to a fine of 4 percent of global revenue.
Nevertheless, momentum seems to be impressive as the statistics start to appear. For example, the Open Banking Implementation Authority (OBIE) claims that there were 1.2 million uses of open banking APIs in June (up from 720,000 in May), and in the same month another milestone was reached with the first Payment Initiation Service Provider conducting an end-to-end payment through a public API.
It seems that most banks “are not there yet”. PSD2 and GDPR will continue their drive in 2018 and require banks and other traditional financial entities to undergo continuous crash courses in user-centered thinking, cybersecurity, and API management. Fintechs as partners have a crucial role to play here as they can help with focused knowledge, a lower risk transition, and flexibility towards future changes. There is still a lot of work to be done to fully adopt PSD2 and GDPR, but it is still the overall belief that these two directives are proving to be more of an opportunity than a threat.