PSD2 & Open Banking

development Apr 3, 2020

ITOMYCH STUDIO is an experienced partner for companies operating in the fintech market. We have a number of successful applications launched at the international level. Our team never stops looking for new ways of delivering better products and catering to world markets. In this article, we would like to focus on the promising direction that, we believe, will allow scaling up fintech application development and unlock its potential to the fullest.

All-embracing digitalization has not bypassed the financial services industry. Although legacy banking systems have long been viewed as a significant obstacle to its modernization, the regulations negotiated at the government level left banks no choice but to adopt technological innovations for the sake of prosperity. The introduction of the PSD2 and Open Banking in September 2019 forced banks to open up their data to external providers through public APIs. Both initiatives were meant to boost market innovation and competition, enhance payment security, and allow customers to manage their funds better. The regulations have had a global impact, resulting in the US, Australia, and Asia developing similar standards to keep up with their European counterparts.

What Is PSD2?

PSD (Payment Services Directive) was launched in 2007 to regulate payment service providers by creating a legal framework for their operation throughout the EU and EEA. The Revised Payment Services Directive (PSD2) came into play to provide for easier, faster, and more secure payments. Financial institutions should share account information with third parties upon their clients’ approval to automate standard banking operations and exclude the middleman. It requires the creation of dedicated APIs to enable account data access, as well as a register, and defines two categories of third-party payment service providers (TPPs). To become a TPP, a company should apply for one of two licenses, which differ in what information can be extracted and how it can be processed further:

  • Account Information Service Provider (AISP) is granted “read-only” access to customers’ data. AISP applications can provide an overview of a person’s various payment accounts in one place or share this information with a lender to speed up the process of obtaining a loan.
  • Payment Initiation Service Provider (PISP) can initiate payments from customers’ accounts with their consent. Apart from enabling payments, PISP apps can help save money by regularly transferring the agreed amount to a savings account or avoid overdraft fees by moving funds between the client’s several accounts.

Thus, the directive levels the playing field, facilitating newcomers’ entry into the financial services sector. Fintech startups can now compete with major banks by offering a variety of new solutions, benefiting the end-user. Nevertheless, implementing the regulation requires payment providers to comply with the Regulatory Technical Standards (RTS), including Strong Customer Authentication (SCA).

Enhanced Customer Protection Through the Use of RTS

RTS is a set of rules payment service providers must comply with under the PSD2. They cover strong customer authentication and secure communication, the key points being as follows:

  • Financial institutions provide TPPs access to their core infrastructure via standardized APIs.
  • The API standard for each country should be developed in accordance with a registered industry benchmark, like the PolishAPI in Poland, or STET in France.
  • No personal information about the client can be derived from a disclosed authentication code. Moreover, a new code cannot be generated based on a previous one.
  • Bank-related technical documentation, methodology, and tools should be publicly available on the corporate website.

The goal of SCA is to increase security by requiring two-step authentication when accessing account details and making e-payments. An action within the account is confirmed if two of the following elements are provided:

  • Knowledge (something the user knows, like a PIN-code or password).
  • Possession (something the user has, like a banking card, mobile phone, or token).
  • Inherence (something the user is, i.e., biometrics, like fingerprints or facial features).

There may be some exceptions to the requirement, including payments to trusted partners, those executed by companies, and low-value transactions. The official compliance deadline for the SCA section of the PSD2 directive is extended until 14 March 2021. If the requirements are not met, businesses can be held liable and even lose their license.

Open Banking Explained

Open banking is the UK response to the EU PSD2 regulation. It refers to the use of the Open Banking API, a set of protocols enabling external providers to communicate with online banking systems and build software solutions around them. The steps needed to comply with the initiative are similar to the ones outlined by the PSD2:

  1. Integrating open banking components with the existing technology architecture.
  2. Developing an API in line with the technical specifications and making it available to registered TPPs.
  3. Monitoring that the system runs smoothly and reporting regularly to the Financial Conduct Authority (FCA).

As long as the mentioned requirements are followed, banks can reap benefits from collaborating with fintechs, as the latter help them extend the range of customer services. However, sometimes financial institutions fail to follow API standards, which leads to penalties. Here’s a list of actions punishable under the PSD2 and Open Banking regulations:

  • Some APIs and websites include sensitive data, such as transaction details or customers’ IMEI codes, violating the General Data Protection Regulation.
  • There are banks using outdated data aggregation and sharing techniques, like the direct access method.
  • Banking mobile apps can be linked to an external party, like an advertising or data analytics company.

The listed issues constitute just a part of what banks and financial institutions should deal with before complying with the PSD2 and Open Banking regulations.

New Opportunities for Fintech App Development Companies

The introduction of the discussed directives has created a myriad of ways fintechs can benefit the financial apps market. The Competition and Markets Authority (CMA) has initiated the Open Up Challenge 2020 with a £1.5m prize for developing the best solution within the open banking environment. The aim is to increase competition in the financial sector, bring innovation, and, consequently, educate customers about the advantages of fintech apps. Open banking-enabled products can empower users with their data, making it work for them. In the end, fintech expansion is a win-win process, as financial startups multiply their revenue, whereas customers learn about better money management and make the most out of their income.

Open APIs have made it possible to develop multi-service applications, providing a full-fledged experience to end-users. Fintech companies can now complement their apps with dozens of additional features implemented by other market players. Third-party integrations have given rise to such “hybrids” as P2P insurance apps, budgeting apps that include wealth management and investment options, and e-wallets. This is far from an exhaustive list, as developers constantly come up with newer combinations to enrich customer experience. Thus, the technological possibilities are abundant, so it’s up to fintechs how complex the solutions they build will be.

Conclusions

The European PSD2 and UK Open Banking regulations have revolutionized the financial sector. They have brought technological changes to outdated banking systems and opened up infinite possibilities for further development for fintech companies, which has influenced not only Europe but also many other countries around the world. The compliance process may be cumbersome; nevertheless, once the requirements are met, both banks and fintechs can enjoy the rewards it entails. Our company is highly enthusiastic about this direction, as we trust that strong security measures, a more comprehensive customer experience than ever before, and a whole new level of innovation are worth the effort. If you share our outlook, love developing apps as we do, and have an immense desire to broaden your professional horizons, welcome on board! The ITOMYCH STUDIO team always welcomes individuals with inquisitive minds and an insatiable hunger for knowledge, so don’t hesitate to apply provided you’re ready for challenges, and we mean it.