PSD2 opens up bank accounts to third parties. What could possibly go wrong?

Phil Wainewright, April 10, 2018
PSD2 is rolling out open banking across the EU and beyond, giving third parties access to bank account data. Here are six reasons things won't go smoothly.

Customer getting account access at open banking cashier © auremar
Many industries fear 'Uberization' — the arrival of a disruptive digital upstart that overturns the established order in the same way that Uber is challenging the taxi business or that e-commerce players led by Amazon have transformed the retail industry. In the banking industry, the agent of disruptive change goes by the unlikely name of the Revised Personal Services Directive (PSD2), drawn up by regulators at the European Union (EU) to force banks to open up their account data to third parties. Now coming into effect across Europe, PSD2 is seen as a welcome opportunity to remove longstanding barriers to competition and usher in a new era of Open Banking. What could possibly go wrong?

The answer to that question has repercussions far beyond the borders of the EU. For one thing, there's the practical consideration that payment processors based in any country must be certified for PSD2 to process any transaction involving a counterparty in the EU. More importantly, PSD2 is being seen as a global catalyst for digital innovation in the banking industry, and many banking regulators outside the EU want to follow its lead.

The difficulty is that the directive doesn't precisely specify how PSD2 should be implemented. As is normal in the EU, that's been left up to the national banking regulator in each individual country. That leaves plenty of opportunity for differences of interpretation and timing, which means there's a lot that can go wrong with PSD2 as it rolls out before it starts to come right. Here are six ugly problems that seem likely to surface. They're not insuperable, but they'll generate huge frustration.

1. No interoperable technology standards

Although PSD2 specifies that banks must open up account data to third parties, it doesn't specify any aspect of the technology. While there's an expectation it means banks will create APIs that third parties can connect to, there are no API specifications associated with PSD2.

In the UK, regulators have forced the pace by setting up an organization called Open Banking which is co-ordinating the development of common implementation standards. But that's just in the UK — each country's regulator will take its own approach. In many cases, they will leave it up to banks to work out for themselves how to conform to the directive, with the potential for each bank to do something different.

2. No authorized third parties in some countries

Third parties have to be authorized for PSD2 by their national banking authorities, but many countries have not yet begun publishing their official registers of these authorized third parties. So even if a bank in such a country had complied with the directive and opened up its accounts to third parties, it would find no local providers authorized to access it.

3. Authorized third parties not regulated in other countries

Once a third party has been authorized in any EU state, it has the right to 'passport' its services into any other member state — even if the regulators there have applied different standards when authorizing their own local providers. On top of that, there's no formal mechanism for national regulators to communicate changes in status. So if a third party regulated in one country has its authorization revoked, there's no process that guarantees when or whether banks and consumers in other countries will be told.

4. Security confusion scares off consumers

Although PSD2 is already in effect, the technical standards relating to security don't become mandatory until later in 2019. Once those are in place, customers will be able to grant third-party access to their bank data without having to share their login credentials with the third party. Until then, banks have been asked to turn a blind eye to third-party providers who continue to use less secure workarounds.
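To make the security point concrete, here is an added illustration of the difference between the credential-sharing workaround and credential-free delegated access, written for this page rather than taken from the article, from any bank, or from the UK Open Banking programme. It models a bank-side gate that refuses requests carrying a customer's password, accepts only a scoped and expiring consent token the customer granted, and also checks the calling provider against a national register so that a revoked provider (the point 3 problem) stops being served. The register contents, the token format, the scope names and the signing key are all constructed assumptions; PSD2 itself does not specify any of these mechanisms.

```python
"""
Added example, not code from the article or from any bank, regulator or the
UK Open Banking body. It shows a bank-side access gate for third-party
providers (TPPs) that:

  * refuses any request that carries the customer's own credentials
    (the "less secure workaround" the article describes);
  * requires a customer-granted consent token that is signed by the bank,
    bound to one TPP, scoped to named permissions and time-limited;
  * checks the TPP against a national register whose status can change,
    so revocation takes effect at the bank that consults the register.

Every value here (register entries, scope names, key) is constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed bank-held signing key; in a real deployment this lives in an HSM.
BANK_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed national register of authorised TPPs. The status field is
# mutable so a test can simulate the regulator revoking an authorisation.
REGISTER = {"tpp-001": "authorised", "tpp-002": "revoked"}


def update_register(tpp_id, status):
    """Regulator-side change of status (e.g. 'authorised' -> 'revoked')."""
    REGISTER[tpp_id] = status


def issue_consent(customer_id, tpp_id, scopes, ttl_seconds, now=None):
    """Customer grants access: the bank mints a signed, scoped, expiring token
    that the TPP presents instead of the customer's login credentials."""
    now = time.time() if now is None else now
    payload = {
        "sub": customer_id,
        "tpp": tpp_id,
        "scope": sorted(scopes),
        "exp": now + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify_consent(token):
    """Return the token's claims if the bank's signature is valid, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(BANK_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authorise_access(request, now=None):
    """Decide one API call from a TPP. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    # 1. Credential sharing is refused outright: the TPP must never hold the
    #    customer's password, so a request carrying one is rejected.
    if "password" in request:
        return False, "credential sharing refused"
    # 2. The caller must currently be authorised on the register.
    tpp = request.get("tpp")
    if REGISTER.get(tpp) != "authorised":
        return False, f"tpp {tpp} not authorised on register"
    # 3. The consent token must be genuine, issued to this TPP, unexpired,
    #    and must cover the permission being exercised.
    claims = _verify_consent(request.get("consent", ""))
    if claims is None:
        return False, "consent token invalid"
    if claims["tpp"] != tpp:
        return False, "consent issued to a different tpp"
    if claims["exp"] <= now:
        return False, "consent expired"
    if request.get("scope") not in claims["scope"]:
        return False, f"scope {request.get('scope')} not granted"
    return True, "ok"


if __name__ == "__main__":
    token = issue_consent("cust-1", "tpp-001", ["accounts:read"], 3600)
    print(authorise_access({"tpp": "tpp-001", "consent": token, "scope": "accounts:read"}))
    print(authorise_access({"tpp": "tpp-001", "password": "hunter2", "scope": "accounts:read"}))
    update_register("tpp-001", "revoked")
    print(authorise_access({"tpp": "tpp-001", "consent": token, "scope": "accounts:read"}))
```

The design choice worth noting is that the bank never sees, stores or proxies the customer's password on the third party's behalf: consent is a separate artefact the customer can scope narrowly and that expires on its own, and the register check runs on every call rather than once at onboarding, which is the only way a status change in another member state can take effect promptly.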

Some in the industry think that's a bad idea, including Anne Boden, CEO of mobile-only challenger Starling Bank:

Unless we're very careful, we may scare people off by talking about APIs and data sharing in the wrong way.

We all have a very difficult time between now and December 2019 when the banks are not allowed to give very good advice on this.

Open APIs, open banking, it's safer than other ways of sharing data. It's safer than many of the things in place at the moment. It is the right thing to do. But we're in this in-between phase.

5. A growing hairball of different requirements

With so many different regulators and few common guidelines in place, the proliferation of banking APIs as banks prepare for PSD2 across Europe is likely to snowball. Third parties may end up having to support a separate interface for each of hundreds of different banks, with no single source of support to help them manage the task. In the UK, the industry can get some level of standardization and support from the Open Banking organization, but there's no equivalent body at a European level.

6. Having to do the whole thing all over again

As the industry grapples with the practical challenges of implementing PSD2, people are discovering there are many elements that are either not clear or not provided for in the directive. The outcome will inevitably be shaped by needing to compromise between those in the banking industry that want to keep its impact to the bare minimum and those who would like to see it go further.

But once PSD2 has demonstrated what's possible — and especially as participants build new business models and services on top of the foundation it provides — the momentum for change may well grow.

My take

In the early days of computing, there was a maxim that an operating system or application typically didn't stabilize until it reached version three. Perhaps PSD2 will share the same fate.

The potential problems highlighted above remind me of the EU's long-running issues with data protection. There, a first directive resulted in many different interpretations across the continent, and it ended with the recognition that the only way to have a single digital market would be for everyone to abide by a single standard for data protection, which will shortly come into force as GDPR. Banking is a sector where member states are especially reluctant to give up autonomy, so PSD2 is probably the best that could have been achieved as a first step, but it may come to be seen as something of a stopgap on the way towards a more comprehensive set of standards.

These issues will cause a lot of frustration, but eventually it will be made to work. The question then is, what comes next? I'll leave the last word to Open Banking's Head of Technology Chris Michael:

The opportunity that PSD2 brings is massive but it doesn't define a lot of stuff well enough I don't think, and so there are opportunities to create emerging models on top of PSD2.

January is the start of something — and we were ahead in the UK — but over the course of the next few years it will be really interesting how this plays out across Europe.
