The Regulatory Technical Standards on Strong Customer Authentication and common and secure communication (RTS SCA & CSC) under PSD2 (the Second Payment Services Directive) came into force last Saturday, September 14th, 2019. This is a significant milestone towards open banking, bringing increased transparency and a wider free choice of financial services for consumers across EU Member States. It also brings enhanced security to payments through measures such as Strong Customer Authentication, a.k.a. SCA. In this new landscape, banks and third-party providers (TPPs) must look outwards and define their approach as they link together.
Even though PSD2 has been well known for some time, most experts, financial entities and third-party providers considered that more time was needed to smoothly adapt and prepare their operations to meet the regulatory technical standards (RTS).
The EBA (European Banking Authority) took their request into account and allowed national regulators to grant an extension period to their national stakeholders. There are, however, growing concerns about this adjustment period for SCA and its implications for competition between card payments and payment initiation methods, because the extension only applies to SCA in card-not-present transactions.
Since, by most TPPs' account, few bank APIs should qualify for an exemption, third-party providers are now required to identify themselves with an eIDAS digital certificate before continuing with their current practices. This poses a new challenge for them, as they are encountering newly introduced SCA flows that have not been documented or tested with TPPs. Third-party providers are facing this new SCA at almost every bank at the same time, so they are adapting blindly. Fortunately, this is proving less eventful than anticipated. However, in a world where PSD2 aimed to introduce new payment methods, it makes little sense to withhold the same leeway from other kinds of payments.
That being said, PSD2 is much more than stronger customer authentication. PSD2 presents a new legal framework for payments throughout the European Union: it regulates new types of services, making third-party providers supervised entities, and, more importantly, requires banks to grant those third parties access to customer accounts.
This is the key element of the challenge that banks and other financial institutions face, which we have often mentioned: they will have to reshape their approach and their services if they are to become tomorrow's hubs for customers by bringing services and applications together, instead of just offering a static product.
In PSD2’s ideal landscape, banks, financial institutions and third parties can differentiate themselves and become more competitive by designing and offering innovative services and doing so in a seamless, secure way, thanks to integrated data and a dynamic way of developing the technology.
APIs are the heart and soul of this achievement. They are the connection points and the backbone of the new Open Banking ecosystem. Unsurprisingly, they are also the main source of problems and errors, owing to their understandable lack of maturity.
Unfortunately, after an in-depth analysis, we believe that several factors have affected the way design and testing were undertaken under the EBA's guidelines. The API-driven structure is still limited because a six-month testing period is insufficient, as the United Kingdom has shown: there, the APIs had 18 months of live testing on top of the period provided by PSD2. That is precisely why the FCA has established an additional six-month period for testing the APIs and the application of SCA.
Furthermore, the lack of availability of eIDAS certificates within the required period has further shortened that already small testing window. These certificates are needed to securely connect third-party providers to the banks' API environments. Lack of experience, clarification and documentation has also played a key role in the belated, insufficient resolution of the issues that arose when connecting to the APIs.
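The two passages above say that TPPs must identify themselves to a bank's API with an eIDAS certificate. What a bank-side gateway actually checks in that certificate is the PSD2 qcStatement defined by ETSI TS 119 495 (statementId 0.4.0.19495.2), whose statementInfo lists the PSP roles the national competent authority granted to the TPP (PSP_AS, PSP_PI, PSP_AI, PSP_IC). The following is an added example, not code from the original article: a minimal DER walk over a qcStatements extension value that extracts those roles and decides whether the presented certificate authorises the role an endpoint needs. The sample extension bytes are constructed inline for the demonstration (the NCA name "Example NCA" and id "XX-NCA" are made up); in a real gateway the bytes would come from the client certificate presented during TLS, after the chain has been validated against the qualified trust list.

```python
"""Added example: extract PSD2 roles from an eIDAS certificate's qcStatements.

Not taken from the article or any bank's code. Parses only the DER value of
the qcStatements extension (RFC 3739) and the PSD2QcType statement from
ETSI TS 119 495. Sample bytes are constructed below, not from a real cert.
"""

PSD2_QC_STATEMENT_OID = "0.4.0.19495.2"   # id-etsi-psd2-qcStatement
QC_COMPLIANCE_OID = "0.4.0.1862.1.1"       # id-etsi-qcs-QcCompliance
ROLE_OIDS = {                               # id-etsi-psd2-roles arcs
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # card-based payment instrument issuing
}

# --- minimal DER encode/decode helpers (enough for this extension) --------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(payload)) + payload

def der_oid(dotted):
    """Encode a dotted OID (first arc 0 or 1 only, which covers ETSI arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_utf8(s):
    return der(0x0C, s.encode("utf-8"))

def der_seq(*items):
    return der(0x30, b"".join(items))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def read_children(value):
    """Split a SEQUENCE body into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_oid(raw):
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

# --- PSD2 statement extraction and gateway decision -----------------------

def psd2_roles(qc_statements_der):
    """Return (roles, nca_name, nca_id) from a qcStatements extension value,
    or None when the certificate carries no PSD2 statement."""
    tag, body, _ = read_tlv(qc_statements_der)
    if tag != 0x30:
        return None
    for _, stmt in read_children(body):
        fields = read_children(stmt)  # QCStatement: statementId [, statementInfo]
        if decode_oid(fields[0][1]) != PSD2_QC_STATEMENT_OID or len(fields) < 2:
            continue
        info = read_children(fields[1][1])  # PSD2QcType: rolesOfPSP, nCAName, nCAId
        roles = []
        for _, role in read_children(info[0][1]):  # RoleOfPSP: oid, name
            role_oid, _name = read_children(role)
            oid = decode_oid(role_oid[1])
            roles.append(ROLE_OIDS.get(oid, oid))
        return roles, info[1][1].decode("utf-8"), info[2][1].decode("utf-8")
    return None

def authorize(qc_statements_der, required_role):
    """Gateway decision: allow only if the NCA granted the role this endpoint needs."""
    parsed = psd2_roles(qc_statements_der)
    return parsed is not None and required_role in parsed[0]

def sample_qc_statements(roles):
    """Constructed test data: QcCompliance plus a PSD2 statement with the given roles."""
    oid_for = {name: oid for oid, name in ROLE_OIDS.items()}
    role_seq = der_seq(*[der_seq(der_oid(oid_for[r]), der_utf8(r)) for r in roles])
    psd2 = der_seq(der_oid(PSD2_QC_STATEMENT_OID),
                   der_seq(role_seq, der_utf8("Example NCA"), der_utf8("XX-NCA")))
    return der_seq(der_seq(der_oid(QC_COMPLIANCE_OID)), psd2)

if __name__ == "__main__":
    ext = sample_qc_statements(["PSP_AI"])
    print(psd2_roles(ext))
    print("payment initiation allowed:", authorize(ext, "PSP_PI"))
```

The point of the role check is that a valid, chain-verified QWAC is not by itself an authorisation: an AISP-only certificate must be refused on a payment initiation endpoint even though the TLS handshake succeeded. The same parsing applies to a QSealC used to sign requests, since both certificate types carry the same PSD2 statement.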
APIs need to be transparent, reliable and tightly secured compared with alternative technologies if value is to be created for customers. PSD2 aims to facilitate this free flow of data, the ability to aggregate that data and the ultimate integration between banks and third-party providers. From there on, they can all base their business model on differentiation through complementary services, responsiveness, innovation, payment methods and more.
Now is the time to continue working together to achieve PSD2 readiness for the benefit of consumers. There is an opportunity for all stakeholders involved to establish their place and their stake in Open Banking. This will ultimately hinge on their ability to swiftly set up a sound technological infrastructure and, more importantly, to overcome the barriers and obstacles to accessing data. Customers nowadays demand modern, user-friendly platforms with flexible integrations that solve their problems, and do so securely.