“May you live in interesting times”
A Chinese Curse
Banks are currently facing a new set of challenges. The crisis of confidence has opened the way to entirely new groups of entities that are beginning to fulfil the role of banks without being banks themselves. And although the last bastion, i.e. money creation and control of its supply, shall remain the domain of the banking system, virtually all other functions, especially those related directly to the end customer and the underlying retail banking, are offered by other institutions as well.
A part of the pressure currently on the banks is regulatory pressure. We are witnessing a situation without precedent – an updated Payment Services Directive, known as PSD2, is introducing preemptive legislation enforcing a certain model of providing banking services before it has actually been implemented by the major market participants.
The standard has not appeared yet but discussion is already underway
The PSD2 Directive has at least two important aspects: an organisational aspect, i.e. opening access to the financial market to new types of entities and defining the requirements for them, and a technical aspect, forcing banks to open up access to information about the accounts and transactions performed by them by way of open interfaces (application programming interfaces, APIs).
The technical aspect of the regulation has proved demanding for the European regulatory body, banks and the other parties concerned, including electronic commerce. The European Banking Authority (EBA) has not been able to address the details of the solution, offering only a description of the requirements at the level of principles.
The call for a discussion about the technical standards (Regulatory Technical Standard, RTS) for customer authentication and secure communication was answered by too few institutions for the proposed draft standard to represent a balanced compromise. As a result, the proposed standard prioritised safety over utility, which may be difficult to accept for the organisations playing a key role in the regulatory standard’s success, including the largest e-commerce players such as Amazon. The next stage of consultations therefore attracted more interest and produced many firm, substantial responses, among others from a large number of the organisations involved (e.g. the Polish Banks Association).
Interestingly, the sector seems not to believe in the effectiveness of actions within the consultation process, and many organisations have decided to start direct communication with EBA political principals. Despite the expiry of the deadline for replying to the RTS, the discussion is still ongoing. Most recently, thirty-nine of the largest cross-industry institutions have written an open letter to the EU Commissioner for financial services, in which they put forward their concerns regarding the new regulation, and at the turn of October and November the negotiating team for PSD2 in the European Parliament reported their observations.
Changing the existing model of relations
The implementation of an open API shall not lead to a banking revolution in Poland, as the main beneficiary – e-commerce – already generally enjoys the benefit of safe online transactions, above all through pay-by-link type solutions. This is a distinguishing feature of the Polish market as compared to the European market, where the vast majority of e-commerce payments are card payments. The Polish market and other CEE markets already use APIs for payment initiation – currently, however, mainly on the basis of agreements between the bank and payment intermediary institutions; therefore, it is too early to speak of an open API.
The use of open interfaces by the existing payment intermediaries is inevitable, and so is the resulting change in relations between the intermediaries and the bank. PSD2 shall enable institutions registered as providers of payment initiation services to perform operations on behalf of the customer without a separate agreement with the bank. It should therefore be expected that, due to the cost reduction, they shall willingly avail themselves of this opportunity.
On the one hand, it is in the best interests of the banks to maintain the convenience of such payment confirmation, as any impediment to payment processing shall immediately become a competitiveness problem in relation to other banks. On the other hand, PSD2 imposes a huge responsibility upon banks to ensure payment security in the final settlement.
A separate issue is access to account information, a considerable part of which constitutes sensitive data – from the customer’s own data, through information on the customer’s financial condition, to the transaction history. Access to this data represents a great opportunity to create products targeted directly at a particular customer and to facilitate verification of the customer’s credibility, but it also entails responsibility for the security and proper use of the data.
Open interfaces are increasingly demanding
Implementation of open bank interfaces, even at the basic level of compliance with the Directive, will be a challenge. The Banking Core System is the last point from which the API interfaces should be made available. The operation of an entirely new channel, which would presumably be characterised by a considerable number of operations prioritising the collection of information over transactions, poses a challenge to the stability of a banking platform designed mostly for other uses and unsuitable for horizontal scaling. API service costs must be kept at a very low level, which usually cannot be achieved by extending the existing internet and mobile banking interfaces. These are unprepared both for that type of usage and for management and monitoring in the way necessary for servicing channels outside the bank’s control. Finally, managing the delegation of authorisations and relations with payment services providers shall require the creation of a separate class of IT solutions.
In developing and adapting banking systems to the PSD2 Directive, it is worth establishing cooperation with an experienced technology provider and, based on developed strategies, taking steps towards developing a solution for verification of the cooperating entities, implementing security mechanisms dedicated to the API, and ensuring the stability and availability of banking platforms and existing channels.