5 August 2014
Controlled Access to Payment Services
This blog post is based on a whitepaper written by Michael Salmony, Executive Advisor Equens SE.
There has been some intense debate on European legislation that would require banks to grant third parties access to their customer accounts. This debate was fuelled by the Payment Services Directive 2 (PSD2), which was published about a year ago by the European Commission. The access to accounts proposal, which will require banks to open their customer accounts to third party providers (TPPs), was one of its key elements, igniting an intense debate around whether and how banks should open up. The ‘how’ in particular is still unclear for many market participants; one thing that is clear is that some further boundary conditions need to be set.
While open systems may be new in the banking sector, their benefits have already been proven in other sectors. When IT provider IBM opened up their systems through the advent of open Internet, the IT revolution gained momentum. Not only has the economy benefited tremendously from open, interconnected IT, but so has IBM. This is because IBM embraced change and shaped it actively, and because all participants developed a mutually beneficial ecosystem. It is now the banks’ turn to open up. The PSD2 proposal is clearly demanding access to bank accounts (or more correctly: to payment services) for third parties. Banks can potentially be those benefitting most, if they take the right decisions now and if the regulator and market ensure a fair ecosystem where contracts regulate liabilities and fair prices are paid for services rendered.
Looking into the current e- and m-commerce space, there are already strong alternative payment solutions including PayPal, Amazon Payments and various Overlay Services, even without access to accounts legislation. PayPal offers proprietary virtual accounts and so far the majority of their transactions in Europe are funded from the user’s current account via a direct debit mandate. In view of the success of PayPal, some might think that banks are losing the online battle. However, it is worth noting that despite 15 years of active market development, good growth rates and huge media attention, PayPal’s processed volume still only represents under 0.05% of global electronic transactions and is really putting no dent at all into banks’ business. So far, no one is losing the battle for online payments, but all players face significant opportunities that should now be addressed.
Most of the current ‘winners’ in online payment are overlay services riding on bank infrastructure. Building on banks’ card or ACH networks, these overlay services provide significant additional convenience to consumers and merchants. On the one hand, most of these service providers have not signed contracts with banks for infrastructure usage, are thus not tied into any liability partitioning, hinder harmonized communication, dispute management and redress procedures, and no compensation is paid for providing the underlying infrastructure, compliance, issue resolution and contact points in case of problems and much more. On the other hand, alternative providers face difficulties establishing innovative payment solutions, e.g. due to the diversity of payment products across markets, or due to the lack of a standardized interface to online banking. The absence of a standardized online banking interface in most European markets is one of the barriers for TPPs to enter the market more widely and in a pan-European (SEPA) harmonized way.
In this world of overlay services, banks run the risk of being increasingly disintermediated (as recently discussed in the article on the un-banking of Europe and the US), degraded to commodity providers and losing many transactions to TPPs (e.g. through wallet-to-wallet, in-game or mobile-to-mobile transactions without any connection to the bank account).
Controlled Access to Payment Services
If bank accounts (or online payment services) are to be opened up to third parties, this must happen in a controlled, secure, trusted, safe and fair way. Especially in payments, one particularly critical issue is security: no consumer or bank would endorse a situation where unregulated third parties would be granted uncontrolled access to users’ accounts. This is why there is a need for Controlled Access to Payment Services (CAPS).
The new payment services defined in the PSD (information on funds, payment initiation) must only be permitted under specific conditions to ensure the risks will be contained. This is essential since, if the infrastructure were to be compromised, all electronic funds would be endangered, posing not only a risk to users and banks, but even a severe systemic risk to society and the economy. This is the reason why third parties need to be certified and regulated by PSD2. There need to be contracts with banks and merchants in place that clarify the liability partitions. The negotiation of the degree of access and the quality of any guarantees could be based on a mutually fair ‘dual consent’ system. The system needs to be secure, handling access to accounts in a controlled way with authentication being given only for specific accesses. Transactions need to be entirely controlled by consumers to avoid a situation where consumer account data is exploited without permission. And last but not least, there needs to be a fee that is attractive enough for all parties, including merchants, banks and TPPs, to provide the infrastructure, develop innovative services and provide customer support.
A wealth of opportunities – with potential to benefit all parties
The emergence of overlay services building on bank infrastructure has led to a very layered online payments landscape. Several overlay service layers have driven a wedge between the consumer and the bank, sometimes easing the way consumers pay, but often confusing them with multiple virtual accounts, wallets and passwords. Banks are clearly being disintermediated in online payments and need to act. The underlying conviction is that a world where both transaction volumes and customer value are maximized is one with a key role for banks. Providing a standardized controlled access to the bank account can help reduce and simplify the multiple layers observed today and provide new value to both banks and alternative providers.
The way forward
The next steps that can be considered by the stakeholders could be:
- The regulator must clarify some of the open issues in the new PSD2 whilst leaving enough room for the market to maneuver.
- Banks, beyond implementing what they are forced to by PSD2, could embrace this development and actively assist TPPs, for example by hosting developer conferences to ensure that the new services are used and to promote common understanding of business rules and technical interfaces.
- Coalitions of the willing between banks, TPPs, infrastructure/service providers and other relevant stakeholders could be formed to define common business rules and fair and open ways of working together, to ensure that TPPs can unfold their full potential, that banks benefit from providing the basic underlying service and data, and that users have a secure and convenient interface for new services.
- The infrastructure/processors/service providers could come together to agree on a common service layer, so that developers can produce new apps, according to the app-store model.
- Standardization bodies such as ISO could develop standards inspired by the above ad hoc industry agreements.
If all stakeholders work together in this constructive way we will see an explosion of safe, secure, innovative new services for users based upon bank and payment infrastructures. The European Digital Market, the developers, the infrastructure providers, the users and banks all win.