The PSD2 experience: what other countries should consider about Open Banking

If you are a merchant from the European Union, chances are you have heard about PSD2. The revised Payment Services Directive and what it entails have also recently sparked the interest of countries outside the EU.

Some of them have even started working on their own versions of Open Banking legislation, which shows their commitment to the change it will bring to the finance industry.

Before uncovering why other countries are interested in Open Banking, let’s first look at the early effects it had in the EU.

Pioneering Open Banking in the EU 

The Open Banking concept as we know it is a system that allows third-party providers (TPPs), such as Fintechs and similar companies, to use application programming interfaces (APIs) to access financial data from banks. All of this happens only with the customer’s approval, and only if the person uses the TPP’s services, for example for additional banking tools. For instance, a person can allow a budget planner app to access their bank account information to make the necessary estimates.

Within the EU, it was first established in 2015 as a part of the revised Payment Services Directive (PSD2), which is why some consider Open Banking and PSD2 to be the same thing. In reality, the former is just a part of the PSD2 legislation.

Another part of it is strong customer authentication (SCA), which requires merchants to use the 3D Secure 2.0 protocol to verify customers’ identities during transactions. The compliance deadline for SCA was 31 December 2020. British customers should be ready to comply before September 15, 2021. [1]

The issues of PSD2

The encouragement of Open Banking by the EU is understandable. It addresses the need for digitalization of financial services, which, as last year’s lockdowns have shown, is in high demand. Another reason is to push competition between traditional banks and Fintechs by offering the latter more flexibility. This leads to a better customer experience, as the race for clients’ attention refreshes stale banking services.

Such changes to the industry raised some concerns, mainly about security: data transferred from banks to TPPs could leak, or scammers could create fake companies to steal customers’ information.

You see, along with PSD2, the General Data Protection Regulation (GDPR) also came into effect within the European Union in 2018. GDPR addresses the security concerns and includes guidelines for any entity that collects and processes the personal data of EU customers.

Unfortunately, the introduction of the two created some contradictions, as you can imagine: PSD2 encouraged data sharing through third parties, while GDPR restricted it. As a result, at first, EU merchants didn’t quite know how to comply with both and prioritized one over the other.

The European Data Protection Board (EDPB) addressed this issue in July of 2020 by publishing Guidelines on the interplay of PSD2 and the GDPR for public discussion. [2] The public consultation on the issue lasted till 16 September, and while some companies and industry representatives agreed with the motions suggested in the draft document, others insisted it needed additional clarification.

For instance, the European Banking Federation noted that the guidelines should also be coherent with such legislation as the Regulatory Technical Standards on SCA and common and secure communication (CSC) [3].

Following the consultations, the EDPB published the second version of the Guidelines on 15 December, in which the Board addressed the public consultation by adding a section on fraud prevention. [4]

Only time will tell if the Guidelines were of use for European banks and merchants, but the precedent itself shows that establishing legislation for Open Banking is a complex, multi-factor process.

Addressing the fraud concerns

Fraud is always a vital problem for merchants and is very acute during uncertain times. It is forecast that in just six years the world will collectively lose over $40.6 billion to payment fraud. [5]

The aforementioned strong customer authentication addresses payment fraud: it requires authenticating a customer with two out of three of these factors: something the person knows, something the person has, or something the person is. The use of 3D Secure 2.0 for this purpose decreases the number of fraudulent transactions, as the customer must provide either an OTP from their phone or biometric data to confirm the purchase.

Even though SCA offers merchants more secure conditions for accepting payments, some companies find it difficult to comply with it. For instance, in October 2020 it was revealed that 66% of companies from the travel industry weren’t ready to comply with SCA by 31 December 2020. Most of them explained that the delay was due to the pandemic (65%) or the lack of internal resources (55%). [6]

What to know before diving into the Open Banking implementation?

All in all, Open Banking is still a very new concept, and the PSD2 implementation, which started in 2018, shows us which issues other countries should consider when deploying their legislation.

The Global Open Banking 2.0 report, published in September of 2020, explored the Open Banking initiatives in 23 countries. The government or industry bodies of 70% of these have introduced the standards necessary. Now they are waiting for the response of banks and Fintechs. 39% of the nations offered technical standards and 44% – functional standards for the Open Banking implementation. [7]

So, what are the main things these and other nations should understand when thinking about introducing Open Banking?

Don’t rush the legislation. As the situation with PSD2 showed, when working on regulations relevant to Open Banking, or on legislation that can potentially contradict it, nations should think rationally and address all the possible issues before they occur. As in the case of PSD2 and GDPR, the contradictions between the two made merchants uncertain which regulation to comply with, hurting both causes.

The fraudsters will always be a threat. Even with additional implementation of anti-fraud regulations and tools like 3DS2, scammers always find weaknesses they can exploit to steal customers’ financial data and assets. It is also possible that merchants from other countries won’t be required to use 3DS2. Whatever the case may be, we recommend that you use the services of a reputable bank or payment gateway. For instance, Maxpay offers the Covery anti-fraud platform’s services for risk management and other features to prevent chargebacks and disputes.

Open Banking is the next step in improving banking services. No matter the issues the Open Banking concept is experiencing in the EU now, we believe this initiative is a natural answer to rapid digital transformation. And the events of 2020 only pushed the need for convenience and security further. Open Banking is something that can benefit all the parties involved.

Fintechs get more opportunities to grow and develop, while traditional banks are pushed to higher standards and start taking digitalization and competition more seriously. Customers get more convenient ways of paying and using online banking, and more diverse features to manage their finances. And merchants can experience new anti-fraud technologies and an increase in customers who switch to online shopping.

About the author:

Artem Tymoshenko, CEO Maxpay

Artem is a fintech expert in international acquiring, payment systems, processing systems, e-money, risk management, network & system security, digital self-service, and e-billing. With over twelve years of experience in the industry, he is currently the CEO of Maxpay.

He has developed successful products for online business owners. It all started with Maxpay — an international payment service provider. Then Covery – the anti-fraud platform that helps mitigate risks.