PSD2: The lowdown on bringing open APIs into banking

**Probably** the only thing you’ll read on the subject that features Darth Vader

Last week we discussed the General Data Protection Regulation (GDPR) in terms of what it is, what it means for businesses and the reasons why it has been implemented. Just as an advance warning, the later analysis in this article will assume you’ve read the prior article, which you can find here, or that you’re at least familiar with GDPR.

For most businesses, GDPR is where the story ends in terms of major data regulations. For financial services, however, PSD2 is also going to have a major impact on how personal data is treated from 2018 onwards.

What is PSD2?

The Payment Services Directive applies to those in banking (as opposed to the more inclusive GDPR). The objective is to increase competition by ending the monopoly that banks have on their customer account information and payment services. As you may have guessed, the ‘2’ in the name is because there was an original Payment Services Directive in 2009 that this will supersede.

In the words of Payments UK:

“PSD2 is an important step towards a Digital Single Market in Europe, which aims to make the EU’s single market fit for the digital age.”

From 13th January 2018, PSD2 will allow bank customers (both consumers and businesses) to use third party providers to manage their finances — using the data directly from their bank account. (wowsers)

The banks are legally obligated to provide these third parties with access to their customers’ data through open APIs. This means that banks will no longer just compete with each other in servicing customers — but effectively with anyone who can design and build a product based on having access to that data.

As an example, a financial advice hub or platform could be (even more!) attractive with the ability to pull together multiple accounts from different banks. After PSD2, it can be completely neutral as to where the data is coming from (assuming the user gives it access, of course) and provide a service across all of them. Mint already provides a service along these lines in the US.

In the case of merchants (like Amazon for example) this directive enables them (again, with permission) to retrieve your account data and make a payment for you, without using an intermediary such as PayPal or Visa.

The Challenges for Banks

With everyone freely able to choose a service provider regardless of which bank their money is physically with — how do banks differentiate themselves from one another? Do banks risk becoming simply trusted places to store money that innovators draw from? Will specialist providers / platforms dominate specific services?

The playing field is truly levelled in theory. Banks can no longer rely on the fact that changing bank is a cumbersome and frustrating experience — because people won’t need to. They’ll be able to do anything and everything with their money, without ever directly interacting with their bank.

PSD2 will provide more freedom over how you can interact with your money.

Greater Competition?

In theory this will allow for greater innovation in financial services, with startups not limited by their access to the data that makes their products truly impactful. Providing they are licensed by the financial authority of their home country, PSD2 allows for third parties to operate across all European member states — meaning the stakes are raised in terms of competition among startups too. This will provide an interesting testing ground in a traditionally conservative industry as to how comfortable consumers are using ‘out of market’ products.

Is this completely new?

Well, some banks have actually already made APIs available, including Capital One.

Wait — so GDPR is about data privacy, and PSD2 is about giving it away willy nilly?

On the surface there looks like a conflict there. It may appear as though PSD2 is about making the data of individuals available to third parties, and GDPR is about keeping this same data private.

But when you dig a bit deeper, the common thread between the two is about empowering the individual to be the master of their personal data.

GDPR brings far more accountability to businesses in terms of their responsibility for the data they hold. Combined with open APIs, these regulations underline that data will ultimately belong to the individual to whom it refers (and for them to be free to give, use and reclaim as they wish) and not to the business that stores it.

Historically, there’s been something of a Wild West feeling to how data is captured, processed, stored and in some cases even sold. Regulation and legislation move notably slower than the pace of change in tech, and these regulations can be seen as attempts by the regulators to catch up to reality.

What Next?

The obvious first step for either GDPR or PSD2 will be to ensure compliance. But it’s also about looking for the opportunities that will inevitably emerge.

For example, there’s a whole lot more incentive now to build a fintech product knowing that access to data is not an issue and that on-boarding users has fewer barriers. It also opens up a whole new range of potential product options. New entrants can fully focus on delivering a single service better than anyone else, because users don’t have to switch bank to benefit.

In a recent report (see above) the World Economic Forum listed this (switching service) as one of the major barriers to adoption facing new Fintechs. PSD2 will essentially mean this isn’t necessary. People can receive the benefit of a third-party platform without ever needing to move their money.

From the other perspective, incumbent banks still have the opportunity to build these kinds of aggregated products themselves and remove the ‘need’ for their customers to go elsewhere for these services. In many cases, they will also still benefit from the trust they have earned with customers, and so forward-thinking banks will still retain an inherent advantage if they act quickly.

Further Reading:

The Second Payment Services Directive (PSD2)
