The P in PSD2 is for Pain
I used to write love letters and was even called an idealist when it comes to Open Banking regulation. So what has happened? Why has the second Payment Services Directive (PSD2) become so painful for me lately?
Well, you need to be strong to manage a hearing on the latest Draft Guidelines by the European Banking Authority (EBA). These guidelines deal with the supervision of the dedicated interfaces that banks are obliged to provide under PSD2 – let’s call them PSD2 APIs. My irritation starts with the very same thirty-minute lecture on the EBA and its responsibilities with which every single PSD2 hearing has kicked off for almost two years now. Thirty precious hearing minutes that are wasted. And when focusing on the guidelines’ content, it gets worse.
Pain points regarding the plans for the supervision of banks’ PSD2 APIs
The guidelines – planned to apply from January 1, 2019 – aim at regulating how member state authorities, such as the BaFin in Germany, are going to assess whether a bank offers a PSD2 API that complies with Article 33 (6) of the Regulatory Technical Standards on SCA and Communication (RTS). A positive assessment means that the bank is exempted from the obligation to offer an alternative access, i.e. a fallback for Third Party Providers. Even though these guidelines are addressed to national authorities, they have quite an impact on the future of EU open banking. The main pain points figo identified within the EBA’s draft guidelines are
- the planned process for banks’ reporting on availability and performance KPIs and test results of PSD2 APIs, as well as
- the EBA’s failure to clarify under which conditions redirects to bank interfaces are considered obstacles for Third Party Providers.
Regarding the first point, figo asked a specific question in order to take the answers into account in our written consultation input. However, the EBA’s reaction was disappointing when asked what kinds of hurdles the authority faces when considering the idea of API testing operated by national authorities and the EBA itself. The EBA’s representative replied: “Well, the obvious.” Seriously? I think that day I doubled my usual eye-rolls-per-day ratio. While the EBA expects banks and FinTech companies to be innovative and to implement regulatory technology, and while the EU Commission is eager to foster innovation as one of the main PSD2 goals – it seems to be just “obvious” for the EBA that the authority itself cannot keep pace with market innovation?
If the regulator does not evolve simultaneously, how is a well-supervised EU open banking market supposed to work out? How can regulators act innovatively on the basis of each bank coming up with its own individual front-end for KPI reporting or PDF reports on API test results? How is innovation fostered when it is based on highly fragmented and inconsistent data for up to 6000 PSD2 APIs? Of course, some profit-oriented RegTech company or consultant has probably long since developed the solution to close this gap, and market players will have to pay the price. However, in the mid- and long-term, the consumer will pay it too.
So dear EBA, if you want to foster market players to use dedicated interfaces within given timelines, how about learning something about APIs by actively using them? At least show some intention to be interested in long-term automated supervisory solutions. Eat your own dog food! Challenge yourself and national authorities by living the consequences of regulatory requirements in technical environments. Every party involved — especially the EBA and national authorities — could profit from this.
And banks? Oh banks!
I have invested a lot of understanding and offered a lot of trade-off ideas. But after two years of discussions, I still receive bank feedback on PSD2 panels like “You cannot seriously ask me to provide some strangers access to my shower and even get them a towel to make them comfortable.” One almost wants to scream back: “YES, THAT’S EXACTLY WHAT I’M ASKING YOU TO DO! I’d even check the best color and fluffiness of the towel, in order to charge them for whatever suits them best. Because these strangers are your new profitable source of revenue, compared to retail customers getting more and more used to free services in exchange for their data.”
So what did I actually expect from banks regarding input on the supervision of PSD2 APIs? Banks are rightly (!) worried about publishing KPIs on their websites for security and competition reasons. However, instead of proposing a constructive trade-off, they refer to the idea of minimising the level of KPI details.
figo’s consultation input on regulatory reporting regarding PSD2 APIs
Nevertheless, figo has tried to keep a constructive attitude and contributed to the market consultation on the EBA’s Draft Guidelines, which ended August 13th, 2018. If you are interested in all eleven pages, check out the details here. To sum things up, figo tried to propose the following baby steps for innovation in the supervision of PSD2 APIs:
On the process of availability and performance KPI as well as test result reporting on PSD2 APIs, we kindly asked the EBA to consider setting up a joint KPI and test result web platform on the EU level, to which only authorities, Third Party Providers and PSD2 API-offering banks would be granted access. Moreover, we proposed offering incentives to banks to actively contribute to such a platform, for example a clear EBA commitment to assess how automation can limit banks’ operational efforts to support national authorities’ processes of stress testing and monitoring of PSD2 APIs. An aligned database would offer various synergies that all involved parties could benefit from. Response times in percentiles and real-time published data clustered by Third Party Provider can support root cause determination, limit the effort of determining the culprit of delays and therefore prevent unjustified authority sanctions against banks.
figo’s consultation input on the EBA’s unfortunate redirect statements
And with regard to the never-ending redirect discussions? Well, the EBA should actually be concerned that no FinTech initiative is currently running a big counter campaign against the EBA’s pro-redirect approach. Officially, this is because solutions are being discussed as part of an API Evaluation group. Unofficially, however, it is because those Third Party Providers might have eventually lost trust in the EBA and have already come up with their own practical, legally sound but likely non-innovative fallback solution. In a worst case scenario this would result in Third Party Providers scraping the redirect front-ends of interfaces. This sentence itself is a farce.
So figo outlined that the EBA has two options now. It either clarifies at a high level what kind of features are expected for a non-obstacle redirection (such as a frictionless OAuth flow and token management for the purpose of permanent use cases), or it clearly withdraws the EBA statement that a redirect can be the sole method of access for PSD2 interfaces. When debating a final redirect wording, we asked the EBA to take a look at the UK – not as a role model for a great redirect solution, but to acknowledge the UK redirect as one potential reason why, after six months of PSD2 interfaces being live, those interfaces do not seem to be in any commercial use. Fun fact in that context: I have never seen so many UK people actively contributing to an EBA hearing before July 25th, 2018.
figo’s open letter regarding PSD2 and GDPR conflicts
Last but not least, we stressed that so far obstacle debates and solutions have been solely focussed on methods of access to PSD2 APIs. figo is concerned, though, that there is potential for other obstacles, especially with regard to a misuse of requirements under the General Data Protection Regulation (GDPR). But the EBA cannot regulate data privacy matters. After recently noticing some unfortunate communication by the European Data Protection Board (EDPB) on PSD2 and GDPR conflicts, we provided an open letter to this new data privacy authority on August 14th, 2018. To sum it up, figo’s proposal for a clarification on the processing of so-called silent party data is: an official statement by the EDPB that banks can implicitly expect GDPR compliance with regard to silent party data, as long as a regulated PISP and/or AISP is requesting access to payment accounts. Such a statement is needed to limit the unfortunate room for interpretation. Moreover, there is no comprehensible reason why supervised AISPs and PISPs should not be granted the same extent of rights for processing silent party data as other regulated players within the financial services industry.
Crossing our fingers for the payment service users
So besides crossing our fingers for the EBA and EDPB to take the right actions now for an EU-level playing field, what are market participants to do? After all the regulatory discussion eventually comes to an end, figo simply wishes the market time to focus on the consumer benefits when actually living PSD2. It would be a real shame if the EU market did not use its tiny PSD2 head start to scale its own services before other markets catch up and take the bigger part of the open banking honey pot.