Open Banking Expo Magazine Issue 2 Konsentus Feature


OPEN BANKING EXPO IDEAS, CONNECTIONS AND DEALS IN OPEN BANKING MAGAZINE LAUNCH PARTNER

Issue 2_Mar/Apr 2019 OPENBANKINGEXPO.COM

PSD2: GETTING INTO GEAR (PAGE 26)

PSD2 FEATURE SPONSOR

FOILING FRAUD: How Open Banking can keep customer data secure

SME FOCUS: Partnership approach ‘paying off in SME banking’

REGULATION: The CMA’s Bill Roberts on the next 12 months

THE BIG INTERVIEW: Citi’s Ireti Samuel-Ogbu talks fast-paced innovation


PSD2 Open Banking Third Party Provider Identity & Regulatory Checking Delivering solutions directly to ASPSPs and through our global partner network:

Contact us for details: enquiries@konsentus.com www.konsentus.com


Editorial

PUBLISHER’S WELCOME

Adam Cox Publisher & Co-founder adam.cox@openbankingexpo.com

Welcome to issue two of Open Banking Expo Magazine. A lot has happened since the last issue and the market is showing no signs of letting up. Open Banking Implementation Entity Trustee Imran Gulamhuseinwala OBE talked about the industry ‘revving up’ in terms of product innovation and service provision. We’re seeing concrete evidence of this, with partnerships being struck between fintechs and some of the largest retail banks across Europe. You can find out more in the news pages (pp6-13).

The 14th of March came and went. This date, as many of you will be well aware, signalled the deadline for financial institutions to have a dedicated interface (open API) ready for testing by PISPs and AISPs. To a certain extent little was made of this, with the PSD2 deadline 14th of September claiming the most column inches. However, feedback and running commentary in the market suggest institutions have been and will continue to work hard with or without forming a partnership with a third party. One firm innovating through acquisition is Raisin, the pan-European fintech marketplace, which earlier this month announced the purchase of MHB Bank in Germany.

This issue focuses on the ever-looming PSD2 deadline in September. The lead feature this month, kindly sponsored by Konsentus, considers what financial institutions are doing to ensure they hit that deadline, whilst retaining perspective on market (and consumer) expectations. From an in-depth interview with Citi’s Ireti Samuel-Ogbu to a marketplace update from the Competition and Markets Authority, and opinion from all corners of the industry, we’re privileged to bring you diversity of thought in the sector.

Lastly, we have just announced our event line-up for 2019. We’ll be live in London, Amsterdam and Toronto this year, so turn to page 33 for details. As always, if you would like to be involved in any of our events then please do get in touch – we’d love to hear from you.

Enjoy the issue!



LEAD FEATURE / PSD2


Getting into gear

The onset of PSD2 made 2018 a pivotal year for European banks, but it won’t be until later this year that the regulations grow some teeth. Will it achieve its intended result?

Jennifer Turton reports

It’s crunch time for European banks as far as Open Banking is concerned. In the months following the introduction of the second European Payment Services Directive (PSD2) in January 2018, there was a sense, in some quarters, that banks felt little incentive to implement more than the bare minimum requirements of the legislation. But with the deadline to comply with the Regulatory Technical Standards (RTS) on 14 September fast approaching, this is set to change.

RTS is significant because it requires banks to provide APIs to third-party providers (TPPs) that will allow them to build new products and services, such as payment methods and account aggregation applications. The hope is that this will lead to increased co-operation between large banks and smaller firms and create more choice for consumers and businesses.

Reaching that promised land, however, will be a significant undertaking. Major banks must invest significant sums into overhauling legacy technology to make it possible to permit API integration, while the new legislation has sparked a broader debate around authentication and screen scraping. PSD2 seeks to solve these problems through a system that is faster, more accurate and more secure, but, in its current state, the market appears disjointed and there are concerns that this could stifle innovation.

A quiet revolution

The onset of PSD2 was supposed to be a seismic shift in the European banking sector, but for the general public, it came and went with little more than a whimper. Rather than an immediate change in the banking landscape, it now appears progress will be gradual. Part of this is the result of an impasse among banks, TPPs and regulators over how Open Banking should be implemented.

The intention for PSD2 was to foster innovation, but it has also created a lack of cohesion in the market. This is because, unlike in the UK, it did not prescribe a common standard for institutions to implement. Not only are there multiple API initiatives in Europe, each proposing their own set of standards, but banks can define their own interface, making it more difficult for TPPs to build products that make use of Open Banking technology.

Frans Labuschagne, country manager for UK and Ireland at security software fintech Entersekt, says this is both a turning point and an opportunity for European banks. “Their willingness to embrace, and capacity to effectively assimilate, these changes is expected to make or break banks; move with the times or get left behind,” he says.


Sprint to the line

When PSD2 first landed, it seemed many banks were a long way from embracing change. That apathy has to a certain extent been replaced with urgency as the deadline to implement RTS fast approaches. While European banks and payment service providers must have their APIs ready for the September 2019 deadline, the European Banking Authority required them to be ready for testing by 14 March.

Sean Devaney, vice president of strategy for banking and financial markets at CGI UK, which provides IT and BPO services, says European banks were still able to provide contingency arrangements if they didn’t have dedicated APIs ahead of the March deadline. “Unfortunately, those contingency arrangements often amounted to allowing third parties to screen scrape data from bank sites,” he says. “This has some significant security implications for banks that allow this, such as providing opportunities for malicious third parties to persuade bank customers to grant far greater access to their accounts than a dedicated API would allow.”

Now, the imminent deadline has motivated many banks to act. On the fintech side, the question is whether they have the scale and resources to become registered and regulated as a TPP, or if they should piggyback a larger player. Tristan Blampied, senior product manager at payments and compliance solutions provider Pelican, says smaller fintechs may be better off operating as resellers that piggyback other institutions, allowing them to “develop an app or functionality which the larger registered players then build into their own stack”.
Roberts Bernans, co-founder of Nordigen, puts it bluntly: “Banks have two choices - to either deploy protectionist tactics, which are becoming increasingly frowned upon in the current market, or to open their APIs and create new business use-cases by partnering with leaner organisations.”

The good, the bad and the API

In the early days of the Open Banking era, much of the focus was on the security issues related to sharing data with fintech firms, even though a key objective of PSD2 is to make payments and account access more ironclad. One measure being sought is to replace the practice of screen scraping with effective APIs and the use of strong authentication methods.

Blampied says fraud will be a risk that is front of mind. “As we know, fraudsters are always looking for their next target and opportunity,” he says. “There are provisions of course to ensure controls and registers over the regulated TPPs who have the right to access the data upon their customers’ requests to do so; however, these need to be tightly enforced, and changes and updates applied in near real-time.”

But the quest for greater security and fraud prevention may come at a cost. Tougher security standards may increase friction in payments, and this could put customers off.

Another problem is the risk of fragmentation of API standards across Europe. While in the UK the Competition and Markets Authority required the country’s nine largest banks to collaborate and develop a common API from the start, it’s a different case for the rest of Europe and this is causing more issues.

“The European Commission considered that imposing a single common API standard would be anticompetitive and therefore left the technical details of PSD2’s APIs completely open, encouraging market forces to define them,” Hughes says. “Unfortunately, the European Commission’s position disregards the benefits of common standards and interoperability and risks creating fragmentation.”

He adds: “Ironically, the EU’s decision not to impose a common API standard risks creating unnecessary complexity to the opening up of bank data, because different banks and countries across the EU may adopt different API standards.”

Enter the challengers?

Precisely who will benefit most from PSD2 and Open Banking is still up for grabs, but early indications suggest challenger banks and fintech companies are in a stronger position. Blampied at Pelican says the younger challenger banks were among the first to treat Open Banking as a strategic opportunity rather than a cumbersome regulatory obligation, and this may pay dividends down the road. Doing this, however, requires significant investment and development of customer-facing apps.

Elsewhere, there is widespread belief that global tech giants are well-positioned to gain from Open Banking. “Third-party payment providers, such as Apple, Amazon and PayPal are already benefiting from the more ‘open’ banking ecosystem,” Labuschagne says. “With access to customers’ financial data, an appreciation for user engagement and experience, and transactional infrastructures that suit the needs of the modern consumer, they are growing increasingly popular. Through increased interaction with these providers, consumers are also trusting them more and more.”

As David Parker, founder and CEO of Polymath Consulting says: “It is like opening a new motorway but putting a 30 mile an hour speed limit on it; don’t be surprised if take up is low until you can start using it properly. Like with a new road, people need to discover where it goes and why it is better. PSD2 Open Banking will take time for users to adopt. It will all be about the propositions created around access to the data, whether that is easier loans and mortgages for consumers or better trade finance for business.”


PSD2 Open Banking Third Party Provider Identity & Regulatory Checking
Helping ASPSPs deliver PSD2 open banking by September 14th 2019
RESTful API based solution – Plug and Play
Full European TPP identity checking through 70+ eIDAS providers
Complete European TPP regulatory checking from the 31 National Competent Authority databases
Simple commercials, with no set up fee



Q&A

Brendan Jones Konsentus

Better prepared

Former MBNA/Bank of America product development director Brendan Jones is now a part of the leadership team at RegTech firm Konsentus. He looks at the challenges that organisations are facing from PSD2 Open Banking.

OBE: How has your career to date informed your opinions on the changing payments landscape?

BJ: I have worked in the payments arena for more than 30 years, for a wide range of companies - from technology providers to banks and consulting. This has given me a rounded view of the world when it comes to payments and banking and the challenges many banks face in meeting new regulatory hurdles.

OBE: What is the biggest change coming from the implementation of PSD2 Open Banking?

BJ: The most transformative thing over the next three years is going to be the adoption of push payments or pay-by-bank services. The traditional methods of payments based on card transactions will face tough competition from pay-by-bank payments, which will threaten the existing card payment networks. If we look at the operations of Google, Amazon, Facebook and Apple – aka GAFA – this pay-by-bank initiative will be ideal for them as very large merchants. They will be able to circumvent the existing networks, using direct bank-to-bank rails to get paid. That is going to threaten the incumbents and it will align with the European Commission’s aim of breaking the effective duopoly of the existing payment network operators.

When it comes to PSD2 Open Banking people make the mistake of talking about Europe in broad terms, but it is dangerous to do that. There are 31 countries within the European Economic Area (EEA) and the demographics are very different in each country, as is each population’s attitude to payments. In the UK, card-based payments are overtaking cash, but if you go to other European countries like the Netherlands or Germany, cards are not nearly as prevalent for online payments.

OBE: How is Konsentus helping clients embrace the opportunities from Open Banking?

BJ: Konsentus offers third party provider (TPP) Identity & Regulatory checking services, ensuring that financial institutions are PSD2 Open Banking compliant. The service is delivered through a SaaS-based solution using RESTful APIs with no set-up fee. Konsentus covers all the EEA 31 national competent authorities (NCAs), working with the European Banking Authority’s TPP Register and 70+ qualified trust service providers, to ensure financial institutions never provide data to unregulated TPPs.

OBE: Why is monitoring of third party providers vital?

BJ: Financial institutions need to ensure that data is only ever provided to a correctly-regulated TPP. TPPs are not required to have contractual relationships with the financial institutions to access payment accounts. So when a TPP knocks on the door (API) of a financial institution, the institution has no way of verifying the TPP’s identity, other than through the documentation the TPP presents.

PSD2 Regulatory Technical Standards state that TPPs should use eIDAS (electronic identification, authentication and trust services) certificates to identify themselves. However, these are much like an MOT certificate in the UK (car road test certificate), which only says a car is roadworthy the moment it passes the test. As soon as it is driven off, it is a dated document. Likewise, an eIDAS certificate is only as good as the time it was issued. After that it only proves who an organisation was when it was granted regulatory status.

In addition to proving who a TPP is, financial institutions also need to check they have the appropriate regulatory status to receive the information they are requesting – AISP/PISP. If a financial institution provides the wrong data, or data to an unapproved TPP, they are potentially in breach of PSD2 and GDPR.

OBE: Are there not free databases in the market that financial institutions can use?

BJ: Yes, the European Banking Authority’s database is free. However, it is only updated twice a day and once daily by the NCAs. It only lists payment institutions, electronic money institutions and TPPs regulated or approved by NCAs; it does not cover credit institutions. The database is online and machine-readable but is not real time and once a financial institution downloads it, they then need to build the interrogation and management platform around it.

While the NCA databases are also free, today none are machine readable and online. Crucially these databases are the source data for a TPP’s regulatory status. Thus, a financial institution would need to work with all 31 NCAs in order to have an up-to-date database. Neither the EBA nor NCA databases provide online support for TPP identity checking, and thus this capability also needs to be built to interrogate and manage this data.

OBE: There has been much discussion over whether PSD2 Open Banking will increase security risks. What are these and how can organisations protect themselves and their customers?

BJ: The simplest risk is that data is given to an unregulated/unapproved TPP or provided without the explicit consent of the Payment Service User (PSU).

In terms of authentication processes through the API, there are three main authentication models:
• Redirection: customer is redirected to the financial institution’s domain (online portal or app) for entering bank-issued security credentials and then directed back to third party provider.
• Decoupled: customer uses a separate device (for authentication) to the device on which the third party app or website is being used.
• Embedded: customer’s ASPSP-issued credentials are given directly to the TPP.

Strong customer authentication is achieved by using two out of three specified elements:
• Knowledge: e.g. password.
• Possession: e.g. card details (CVV, PAN), one-time SMS code.
• Inherence: e.g. fingerprint or other biometric elements.

Strong customer authentication must be applied (unless exemption is available) where the payer makes an electronic payment or the customer accesses account data, directly or via a third party provider.

The greatest risk to PSUs will be an increase in phishing attacks where fraudsters try and get users to voluntarily push payments to an account that has been taken over. However, in the UK new voluntary requirements around payee recognition from UK Finance, commonly referred to as Confirmation of Payee, along with other elements of security, are being put in place to help combat this risk.
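The two checks described in the interview (who the TPP is, and whether it currently holds the AISP or PISP status the request needs) can be sketched as an access decision on the financial institution's side. This Python example is added here and is not Konsentus's product or code from the magazine; the class and function names, the sample identifier and the 12-hour freshness limit are assumptions, and the certificate is assumed to have been validated already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Role each request type needs, using the interview's AISP/PISP terms.
REQUIRED_ROLE = {"account_data": "AISP", "payment_initiation": "PISP"}

@dataclass(frozen=True)
class PresentedCert:
    """Fields taken from a certificate whose chain was already validated."""
    tpp_id: str
    roles: frozenset
    not_after: datetime

@dataclass(frozen=True)
class RegisterEntry:
    """What the regulator's register says about the TPP right now."""
    roles: frozenset
    fetched_at: datetime

def decide(cert, request_type, register, now, max_age=timedelta(hours=12)):
    """Return (allowed, reason); every uncertain case is refused."""
    role = REQUIRED_ROLE.get(request_type)
    if role is None:
        return False, "unknown request type"
    if now > cert.not_after:
        return False, "certificate expired"
    if role not in cert.roles:
        return False, "role not in certificate"
    entry = register.get(cert.tpp_id)
    if entry is None:
        return False, "TPP not on register"
    if now - entry.fetched_at > max_age:
        return False, "register data stale"  # assumed policy: fail closed
    if role not in entry.roles:
        return False, "role not currently authorised"
    return True, "ok"

# Constructed sample data (not real identifiers).
NOW = datetime(2019, 9, 14, 12, 0, tzinfo=timezone.utc)
CERT = PresentedCert("TPP-EXAMPLE-001", frozenset({"AISP", "PISP"}),
                     NOW + timedelta(days=300))
# The certificate still lists PISP, but the register no longer does.
REGISTER = {"TPP-EXAMPLE-001": RegisterEntry(frozenset({"AISP"}),
                                             NOW - timedelta(hours=1))}

if __name__ == "__main__":
    for req in ("account_data", "payment_initiation"):
        print(req, decide(CERT, req, REGISTER, NOW))
```

The sample certificate is still within its validity period and lists both roles, so only the register lookup catches that the PISP permission has since been withdrawn.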
