Until now, banks have enjoyed control of the entire financial services value chain. A new EU regulation coming into effect this January aims to spin that model on its head for banks operating in EU countries. The European Union’s Revised Payment Services Directive (PSD2) requires banks to open up access to client data via APIs, so that customers can use trusted third-party providers (TPPs) to manage their finances.
New competition for payment services could reduce the incumbents’ income by as much as 40% according to one researcher. With the main compliance deadline set for January 13, PSD2 will widen the financial services ecosystem, by bringing in Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) – who could be considered direct competitors of traditional institutions.
PISPs offer an alternative to conventional card payments by integrating their service directly into merchants' online checkouts, enabling them to initiate payments straight from the consumer’s bank account. AISPs, on the other hand, aim to make banking easier and more convenient by enabling a consolidated view across a consumer’s various payment accounts.
What PSD2 means for banking IT
Technology implications of the upcoming regulations are far-reaching for sector players, according to Chris O’Driscoll, a financial services expert at PA Consulting Group. He says:
[The introduction of PSD2] may force incumbent banks to rethink their delivery models and more importantly their use of new and emerging technologies.
This will translate into the development of new capabilities such as the ability to integrate slowly changing, legacy transactional back ends with more dynamic, customer-facing front-end systems. Having an effective data analytics set-up will also become the norm. O’Driscoll says:
Being able to capture, store, process and analyze large structured and unstructured datasets will be crucial to sector organizations.
Process maturity will also be required of incumbents to enable greater automation through simpler robotic process automation (RPA) or more advanced cognitive approaches. According to O’Driscoll, simplifying new functionality will make it easier to integrate to legacy portfolios:
Simpler RPA and artificial intelligence tools are fairly forgiving towards the underlying architecture. However, for high values it will be necessary to orchestrate combinations of automation tools, machine learning, neuro-linguistic programming and data sources.
As well as the improved use of emerging technologies, there are other implications of PSD2 to banks and newcomers alike. These are related to the unprecedented volumes of data being exchanged between banks and TTPs, according to David Bannister, principal analyst at Ovum.
[Parties] will have to go through a process of verifying transactions and that really increases the amount of traffic. It’s difficult for banks as well, because these volumes are going to be very high and unpredictable – they will be getting requests from all over the place.
About the future burden this increase in data traffic might bring to sector institutions, Bannister adds:
I don’t think you can look at PSD2 and open banking in isolation, you really need to have robust infrastructures underneath that. Once you have PSD2 and you’re using APIs, you’re also going to need to have real-time payment capability.
The high volumes of data generated as a result of increased payment information also brings security risks. While large banks have been mostly able to mitigate these concerns, the many new entrants could mean the sector is in for a bumpy ride. Bannister says:
There might be data breaches. There’s probably going to be a few court cases along the way about who’s to blame for what.
Keeping up with competition
Despite increased demands, banks have been proactive in complying with PSD2. According to Bannister, they are required to have nine APIs to provide account functionality including bank balances, transfers and deposits, but large European institutions have gone well beyond that, with one of them publishing nearly 50 APIs.
The new rules introduce a business scenario where banks have little choice other than collaborate or fend off competition from smaller market entrants. Many banks have been working with third parties already to exploit opportunities in the retail banking space, but also in their corporate business.
The impact brought about by the new regulations stretches beyond Europe, to markets such as the US and Australia, where currently there are no requirements along the lines of PSD2. Nevertheless, banks globally see open banking not only as a competitive advantage but also key to keeping up with changing market demands.
The basic point to consider [for banks] is to decide whether they want to comply or compete. My real feeling is that this is all part of digital transformations anyway.
It’s a case of keeping up with competitive pressures in the sector, he adds:
If they don’t embrace these changes, whether it’s PSD2 in Europe or open banking in the UK or Australia or Canada, they won’t be around to find out whether it caught on. So if they don’t do it, they are not in the game.
About 40% of the European retail banking industry’s income is at risk as a result of the new directive, according to a report from Roland Berger. So sector firms will need to be extra careful when it comes to technology spend related to compliance, says Steve Beecroft, a financial services consultant at Consulting Smart.
Incumbents will need to consider their IT investments carefully to ensure optimal impact.
Advice to finance industry CIOs
Despite all the work large institutions are putting into their own innovation and into partnerships with startups to keep up with PSD2, they are not as nimble as fintech startups - so the threat is significant to banks, according to Beecroft. On how incumbents will be dealing with this issue beyond collaborating and partnering, the consultant says:
Another countermeasure from banks would be acquisition, without making the mistake of over-complicating the process with excessive rules and policies, but allowing the newly-acquired division continued autonomy and retention of its agility and nimbleness.
The changes brought by the PSD2 will put pressure on sector organizations, but there is still time before some changes take effect. Although APIs have to be in place by January, it will be another 18 months before full compliance is required on related security measures such as strong customer authentication and standards for secure communication. Beecroft says this effectively gives banks extra time to react:
[The compliance timescales] would serve the big players well to be strategically and tactically astute in their planning to cover both certainty and flexibility in their approach.
Based on his own experience in working with decision makers in the sector, Beecroft observes that not many large players see the opportunities and seem to be focusing more on the threats:
Understanding that the landscape is changing and how that is happening may sound obvious – but not many CxOs truly understand the full impact that PSD2 will have on their business.
Beecroft argues that IT decision makers in the banking sector should be less insular and more collaborative if they are to deal with the new rules in a more positive manner:
My advice to IT decision makers is to energize colleagues at the Innovation Center and challenge them to create new ways of exploiting the opportunities of PSD2.
PA Consulting’s O'Driscoll agrees that change will happen, but not overnight. More specifically on forward technology planning around PSD2, he suggests that incumbents should master automation to complement human resource, expand analytics teams and improve relationships within the vendor community. He adds:
The only way to learn how the new possibilities best fit your goals, your culture and your strategy, is to start experimenting with different options and tools and building an organization that can handle the resulting conclusions.
As non-banks get ready to enter the financial sector aided by the second version of the European Union’s Payment Services Directive, commentators have been predicting the end of banking as we know it. They echo the sentiments of Microsoft founder Bill Gates back in the 1990’s that “banking is necessary, but banks are not.” This is not quite correct – not yet, anyway.
PSD2 is not necessarily about the disintermediation of banks as some have stated – people will still keep their money in the bank until a better alternative comes along – but it is all about a drastic competition increase in the sector. And this will not necessarily happen between banks and startups in the first instance.
Competition will be primarily between banks – this is illustrated by the fact that many have created comprehensive platforms for third parties to plug into and gone well beyond the minimum requirements set by the new rules. They can act as account information or payment information service providers themselves, because they have the financial and innovation means to do so.
What we will see more of in the short to medium term is partnerships between banks and their cherry-picked fintechs. There are many examples already. UK bank Starling has partnered with real-time savings tool provider Moneybox, HSBC joined forces with AISP fintech Bud, Santander teamed up with personal finance management startup Meniga – the list goes on. Consumers will soon become used to seeing and dealing with non-banks as the floodgates open, so debating whether they will have a significant role to play is not the main point.
In a new reality where banks will have to offer ‘needs-based’ packages to consumers, one possible consequence is that some would turn into back-office, data warehousing facilities – so a bank unwilling (or unable) to meet new consumer demands could possibly lose its identity as the integrated service provider it is today and become more of a utility. But if the recent history of partnerships between new ventures and banks is indicative of future trends, most incumbents will continue to fight for customers and try to offer new front-end services.
Beyond innovation, crucial technology aspects to PSD2 include, for example, data protection and where the rules will overlap with the upcoming General Data Protection Regulation (GDPR). The evolution of cloud computing to accommodate the dramatic increase in data traffic for sector organizations is another related development worth following.
But what will be really interesting to watch is how the new rules will enable consumer data juggernauts such as Apple, Google, Facebook and Amazon to come into the market – this could change entirely the way payments flow through the system and replace cards and cash altogether. That is where observers following the sector for a while would put their money on.