Open Banking can deliver on the promise of PSD2 XS2A

By Vincent Jansen, Mounaim Cortet and Luc van Oorschot – Innovation experts in Payments, Digital Identity and E-business – Innopay

Although it is clear by now that “XS2A” – access to payment accounts by third party providers (TPPs) – is going to happen in some shape or form under PSD2, there still is a lot of uncertainty. The transposition of PSD2 into national law is being delayed in numerous member states (e.g. NL, BE and SE) and the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (the RTS) are not yet finalised by the European Commission. These are expected late November 2017.

As a result, many market actors remain uncertain regarding compliance requirements and shifting implementation timelines.

Situation: XS2A market expectations might be overestimated

Banks are challenged to offer a communication interface that is compliant with PSD2 and the RTS. While banks could reuse their existing online banking interface and allow for a more “secure” form of “screen scraping”, we see that most banks opt for implementing Application Programming Interfaces (APIs) to establish XS2A compliance.

The design of these PSD2/RTS compliant APIs, like any compliance effort, has triggered various (legal, functional and technical) debates on the interpretations of what are the minimal requirements. With the dust now sort of settling, we see a situation emerging where market expectations regarding the innovation possibilities of XS2A could be overestimated. Three topics that contribute to this possible “gap” between expectations and reality are: 1) functional scope of access, 2) interaction model between bank, customer and TPPs and 3) innovative information services by TPPs.

Topic 1: Functional scope of access

To enable the mandatory PSD2 services (PIS, AIS and CAF), banks designing APIs are likely to implement the bare minimum payment functionality and information that can be accessed from online accessible payment accounts. Other accounts, functionality or information will most likely not be made available via APIs as part of the bank’s compliance efforts. This richer functional scope of access is likely to be part of an open banking strategy, for those banks that seek to open up further than what is required by PSD2.

Topic 2: Interaction model between bank, customer and third party

Banks across Europe also have varying interpretations regarding the interaction model(s) they are required to support to enable XS2A. These interaction models (e.g. redirecting the customer or not) directly affect integration possibilities and user experience. Without clear guidance and rules from lawmakers, and with no option to require any additional contracts, it only makes sense that banks would exclusively trust their own issued credentials and only in their own digital channels. Anything else introduces risks that cannot effectively be mitigated.

Topic 3: Innovative information services based on XS2A

There are different degrees of added value that a TPP can offer its customers based on access to their data, ranging from aggregating “raw account data” in the service to its customers, to offering services based on aggregated and enriched customer data, e.g. credit scoring, credit worthiness assessments and personalised service offerings.

However, two issues arise as TPPs process financial data. First, the more we deviate from “raw account data”, the more questions arise whether these activities are part of the scope of PSD2, and if these activities will be in scope for TPP licenses. Another limitation in use may arise from a different piece of (higher) legislation: all processing of personal data is subject to the General Data Protection Regulation (GDPR).

Conclusion: The synergy between PSD2 XS2A and Open Banking 
PSD2, and the concept of XS2A in particular, can be viewed as an important catalyst to accelerate change in payments, innovative banking applications and respective business models by leveraging payment functionality and account information, but might in itself not deliver on all expectations given the limitations mentioned above.

The step to open banking, however, could overcome most of these limitations. Banks can, on their own terms, offer more functionality and information rich services in different interaction models and design shared responsibility models for meeting GDPR requirements, resulting in more value add and a better customer experience. To enable such services, (bilateral) contracts between banks and partners can be put in place with agreement on risk and liability partition and revenue models. In this way, open banking is expected to deliver on the heightened expectations for digital transaction services and offer new value to customers. Where PSD2 XS2A compliance will only be a first step, open banking can deliver on the promise.

Discover more: PSD2 and Open Banking Event, Amsterdam
At the PSD2 & Open Banking Event (Dutch spoken), banks, supervisors and FinTech will join forces. Get insights into all PSD2 requirements, the impact of delay and the strategic innovative capabilities of open banking. We look forward to meeting you on the 14th and 15th November! See the full program or get your ticket.