Cedric Neve, CEO of Digiteal, explains how the EU’s second payment services directive aims to make banking more open, but warns that banks themselves are not enthusiastic about opening themselves up to their customers.
The EU’s second Payment Services Directive (PSD2) is a great initiative for European citizens as it aims to open up the payment space in the EU by giving certified third parties the ability to access the account information of citizens and initiate payments. The promise is that instead of having your money and your account data locked behind the interfaces of your bank, you will be able to connect your accounts to the services of many new Fintech players. The Fintech players accredited by the authorities to use the new PSD2 services are called third-party payment (TPP) service providers. Digiteal is one of those wannabe TPPs and we want to share our experience and the multiple opportunities offered by the second payment services directive with you.
TPPs offer the opportunity to have all of your accounts shown to you in a bank aggregation service. This means that you will be able to view every account that you have open, regardless of which bank it is open with, all in one app. This will provide you with innovative options for payment, lending, insurance, or any other service that you wish.
When it looks too good to be true, there is usually a problem. There isn’t just one problem, but a whole bunch of them. These problems are not visible at first glance, since the EU wrote the directive very well. However, there are cracks and holes into which the incumbent players in the payment sector have jumped to protect their turf. These include the following:
Not suitable for all types of account
Only payment bank accounts are in the scope of the second payment services directive. This means that trading and savings accounts, from which you cannot perform external payments, are not available. Banks do not need to allow you to see the balance or bank statements, or to initiate a payment from those accounts. However, most of your money is probably in a savings account, so an aggregated view of only your current accounts will give a very incomplete view of your financial situation. If you cannot make a payment to top up your current account from your savings account, the payment service itself is hindered.
Every bank has its own application programming interface (API)
PSD2 did not go all the way in defining a standard API that the banks must provide for each service. Banks argue that this is normal and that it generates competition, as it provides banks with the ability to compete in providing the best APIs to their customers. Of course, this is just an excuse. Since the services that must be opened are the same for every bank, the need for a single API is a no-brainer. A single API provides easier integration, removes the need for aggregators and is aligned with the digital single market which the EU promotes.
Banks obstructing access
Banks have mixed feelings towards PSD2. They are forced to open up and to give access to the crown jewels that they were told to keep as secure as they possibly could. What can they gain from this? Banks can provide an aggregated view of the accounts of their customers in other banks. Therefore, if they do a better job than the other bank, they will increase the popularity and use of their app. The more usage they have, the more chance they get to sell other services.
It is very important for banks to stay visible to their customers and to be able to provide additional services. However, by being an open book, they not only have to compete between themselves (which they have been doing for decades), but they also have to compete with all those “pesky” Fintech companies that are much more agile, and will take advantage of PSD2 a lot quicker than the banks themselves have managed to.
They need to open up. However, they will take advantage of the cracks in the directive and will occasionally use dishonest tactics in order to prevent access to the accounts of their customers through third parties. As a Fintech company, as customers and as Europeans, we do not approve. The regulators will be attentive and the law will be respected, but this is already happening and everybody understands the reasons why some of the incumbents are acting this way.
Security and regulation requirements
The second payment services directive is not a piece of cake for the incumbents, but it isn’t easy for the Fintechs either. In order to gain access to the account information and to initiate payments, TPPs must be certified by the regulator. The National Bank of Belgium (NBB) is a very reasonable, positive and constructive regulator. However, this is a new piece of regulation that they need to absorb, make sense of, create procedures for, approve and supervise.
As an example, Digiteal was the first Fintech in Belgium to request its grandfathering to move from a PSD1 licence to a PSD2 licence and to extend its services to accounting information systems and payment initiation services. This was done on November 20th, 2017 and it is new for us and new for the NBB.
There are a lot of questions to be answered and this takes time. The security requirements of PSD2 are also very important; tighter security is a must-have, but it adds to the delay. We must have a secure infrastructure, which the NBB then needs to review and approve. Digiteal received its PSD2 licence on the 5th July 2018.
How can PSD2 keep its promise? There is room for improvement, so how can we make it better?
The TPPs can do little to solve this, apart from complying with regulation and security requirements. The rest is simply out of their reach. Most of the incumbents will not do much more than comply with the second payment services directive and, as we mentioned above, with all the cracks in the mandatory requirements, this will not provide a true open-banking experience. Therefore, the questions we must ask are: who can make open banking happen? And, maybe more importantly, who wants to make it happen?
The aggregators can integrate the numerous bank APIs to provide a unified API for their customers. They will provide this service at a cost, meaning their business case is clear. They can also help by going around the traps set up by the banks that will seek to limit access to the accounts they manage. Finally, they can help by taking part of the regulatory and security load off the TPPs.
The same people that brought us the second payment services directive in the first place are the ones that will most likely fix it, based on experience gathered during its implementation. The EU has both the incentive and the legislative power to fix the cracks in the second payment services directive.
The customers, Fintechs and API-friendly banks
The last party that can do something to make open banking happen is the customers themselves. Bank account portability and customer choice about which account they would like to use as their main current account can make all the difference. Indeed, if some banks do not play the game as it was intended and head towards exploiting the cracks, other banks such as Fidor and Bunq are playing ball. Those new players provide beautiful APIs that facilitate PSD2 and more. They go the extra mile because they believe that by offering more they can attract Fintech companies to use those APIs. If the customers choose to open an account with innovative players and then use those accounts as their primary bank accounts, then Fintechs do not have to worry about some accounts not being available, many different APIs and some hindered capabilities. They will only have to integrate the services of the new, successful open banks.
The bank account portability itself is restrained by special contracts that lock customers into keeping accounts in banks to access specific services like credits or insurance. Customers are reluctant to change bank. They have their habits and they need a big incentive to make them move. Fintechs have an uphill battle to win and to make this happen. The future looks very interesting.