PSDII: A level playing field in the payment services industry?
The EU adopted the Second Payment Services Directive (PSDII) to level the playing field in the payment services industry by introducing the principle of “open banking”. The underlying idea of open banking is to improve banking services by allowing third party providers (TPPs) to enter the payments market and by creating a secure environment for these TPPs to access customers’ bank data. Open banking will trigger a wave of new apps that offer services based on our personal financial information (imagine apps that combine all our accounts from different banks on one screen, apps that optimize our expenses or apps that enable voice assisted payments).
Regulatory framework
“PSDII” and “open banking” have been buzzwords in the banking and fintech industry for the last four years. PSDII, also known as the Second Payment Services Directive, is a European directive aimed at stimulating competition on the European payments market by creating a level playing field and opening up the financial market to third parties that are not credit institutions (hence “open banking”).
The “revolution” in the banking industry is not exactly new, but started with the entry into force of the First Payment Services Directive (PSDI) more than ten years ago. With PSDI, the EU aspired to create a uniform payments market by establishing a single legal framework for payments within the EU. The aim was to make cross-border payments as efficient and secure as domestic payments. The PSDI also introduced a new category of payment service providers, allowing non-banking institutions to obtain a special authorisation as a payment provider in order to provide certain payment services within the EU.
PSDII builds on the first directive, further strengthens the rules applying to payment services within the European Union and introduces a number of new elements. As noted, one of PSDII’s most important innovations is that it not only extends the scope of the already existing payment services, but also includes new payment services and new non-banking players (e.g. payment service providers may now issue payment instruments, without managing the bank account of the payment service user). These new payment service providers are often referred to as Third Party Providers (TPPs).
Meanwhile, PSDII has been transposed into Belgian law, but the open banking principles will not apply until the entry into force of the “regulatory technical standards on strong customer authentication and secure communication” (RTS) on 14 September 2019.
Third Party Providers
PSDII paves the way for TPPs by allowing them access to a customer’s bank details following the customer’s sole consent. In other words, the TPPs do not need to have any contractual relation in place with the customer’s credit institution, nor do they need to obtain the credit institution’s approval.
There are two types of TPPs, i.e. “account information service providers” and “payment initiation service providers”. An account information service provider can, for example, offer one single account combining information from all the accounts a customer has with different banks.
However, not just anyone can become a TPP. TPPs still have to apply for a licence at the National Bank of Belgium. Each TPP, which is in possession of such a licence, will then be included in a central register that will be public and freely consultable.
Access to the customer’s data
The main question that arises for TPPs is how they will be able to access the customer’s data. This is where the RTS comes into play. The RTS regulates how the access to the customer’s account is shared between the credit institution and the TPPs. Credit institutions must ensure that communication channels are in place in order to make it possible to share the customer’s data with the TPPs in a secure way.
The RTS stipulates that the credit institutions may develop a “dedicated interface” enabling secure communication with the TPPs, which in practice will be an Application Programming Interface (API). An API is an interface that will allow credit institutions to share data with the TPPs without sharing the customers’ actual bank credentials.
On the other hand, the RTS also obliges credit institutions to have a “fall back system” in place in case the API does not work properly. This fall back system must ensure that TPPs can continue to provide their services at all times. Such a fall back system will allow access to the customers’ bank details by using the credit institution’s interface and the customer’s bank credentials. However, as opposed to the classic technique of “screen scraping” (i.e. in which it looks like the customer is logging in on the website of the credit institution in his/her own name), the RTS fall back system provides that credit institutions will know at all times who is accessing the data (i.e. the customer or the TPP).
Even though the classic “screen scraping” technique is banned by the RTS, many banks are opposed to granting access to their customers’ data by means of the fall back system as this entails safety risks since the customer must share its bank’s credentials. Under certain conditions, the credit institution may be exempted from such a fall back system. One of these conditions is that the API must be made available to the TPPs at least 6 months prior to the entry into force of the RTS. In other words, credit institutions that wished to make use of the exemption from the fall back system had to make their API available by 14 March 2019 at the latest. This testing phase will enable TPPs to assess the quality of the dedicated interfaces put in place by the credit institutions. As expected, all main banks that are active in Belgium[1] made use of this exemption and have an API in place for testing.
Where are we now?
As there have been significant developments in the field of technology and digitalization since the PSDI entered into force, the adoption of the PSDII can only be welcomed. However, there has also been some criticism from the various actors involved. For example, the RTS only sets forth the technical framework conditions but does not stipulate what the standards for the dedicated interface should be. Therefore, multiple organisations have taken it upon themselves to create such API standards (e.g. STET, Berlin Group). As a result, there will not be a unique API across the EU. Furthermore, fintech companies fear that the banks will use this lack of standards to make access to customers’ data more difficult. In addition, there are concerns that the different national authorities will have different interpretations as to whether the requirements of the PSDII and the RTS are met.
Despite the criticism, the PSDII also offers many opportunities. Not only will many TPPs enter the payments market, but also traditional credit institutions are expected to seize this opportunity to play a deeper role in their customers’ digital experience. Most banks will use this opportunity to go beyond their traditional banking products and evolve more towards a service provider focused on the customers’ every day needs by, for example, also acting as a TPP or collaborating with other TPPs.
[1] BNP Paribas Fortis, Belfius, ING, KBC, Rabobank, AXA.
Written by
Recommended articles
More flexibility for insurance contract termination
The rules on the duration and termination of insurance contracts governed by Belgian law have often been found overly formalistic and complex, especially by consumers.
Read onHacking NIS2: 5 innovations about the sequel to the EU’s cybersecurity framework
NIS2 (the second “Network and Information Systems Directive”) is an updated regulatory framework introduced by the European Union to strengthen cybersecurity across member states. It is a successor to the original NIS Directive, which was adopted in 2016.
Read onThe Act of 19 March 2024 gives new powers to the Belgian Competition Authority to support the European Commission’s competences under the Digital Markets Act
The Act primarily grants more powers to the BCA to improve its efficiency and allow it to adequately support the EC when the latter applies and enforces the DMA.
Read on