18 September 2015
Why not shape the PSD2 disruption yourself?
The new Payment Service Directive (PSD2) will give third parties access to bank accounts. This means that non-bank TPPs (third party payment providers) like Quicken, AFAS, FinTechs and Google will be able to access all payment accounts in Europe to send customers’ money and look at their transactions. All the thousands of banks in Europe will have to implement this regulation, which is a time-consuming and difficult task and raises many questions, above all about the control the user must have over third parties accessing his account.
To protect the users, the PSD2 mandates “strong customer authentication”. This should ensure that the service is authorised by the end-user, that he knows who the beneficiary of the authorised payment is, and that he knows what the payment amount is. There will, however, be a number of challenges, not least how to reach a balance between practical usability for end-users (especially on mobile) and an appropriate level of security.
End users are not the only ones who need control: the banks also need to be sure that only properly licensed and authorised third parties are accessing the accounts of their customers.
Each bank could now try to figure out its own way of doing this, or one could set up a collaborative effort that shares costs, mitigates risks and makes sure the PSD2 regulation works practically and at scale. Three leading European payment processors for banks have now published a proposal on how to approach these issues together. It is an optional, open framework for “Controlled Access to Payments-related Services” (CAPS).
CAPS vs XS2A (“Access to account”)
Since users may not want third parties to access their accounts, send their money out, look at their salaries and mortgage payments, change their security settings and analyse their transactions, CAPS allows the user full control over who is allowed to see and do what with his account. We feel that controlled access to specific payment services (CAPS) is a much better concept than unbridled access to everything on your account (XS2A), which PSD2 is sometimes felt to imply. This controlled, specific concept is now being widely accepted and no-one (not even the European Commission) speaks any more of access to account in the context of PSD2.
Three levels of optional, open CAPS services have been conceived to support banks in providing end-user access via third parties to payment. Embracing CAPS will give numerous advantages – depending on level – to all the market players:
Thus one can see that there are many benefits of embracing CAPS to all stakeholders especially users, third parties, merchants, governments, banks and regulators.
There are also many other benefits not listed here e.g.
- that the banks will be in a position to develop a commercial model (through APIs beyond those specified in the regulation: if one has to open up, then it is worthwhile doing it in a way that does not only impose costs and compliance). This will incentivise banks.
- that users will be comfortable entrusting their accounts only to safe/licensed/authorised third parties (no manual checking in European registries to see if a TPP is trusted; instead, a digital certificate from CAPS between the TPP and the bank automatically makes sure nothing can go wrong). This will incentivise users.
Provide solutions to practical PSD2 issues
The CAPS services thus facilitate legislative compliance and optional enhancements towards safe, secure and non-discriminatory access by TPPs to payments services. CAPS creates a level playing field for existing and new market players and fosters competition and innovation. CAPS would furthermore provide a solution to some of the practical issues that PSD2 is expected to entail, particularly regarding reach, security, authentication and liability. It would also actively support new entrants and established players with new viable business models to enter the open payments market and develop compelling services for consumers.
The ultimate goal of CAPS is a pan-European interoperability model, which will connect TPPs and AS PSPs in a common trust framework, allowing participants pan-European access. Instead of each TPP trying to access accounts individually for each of the banks in Europe, a standardised interface is proposed that makes connectivity simple for TPPs (rather than having to connect to each of the thousands of banks individually, each with its own specific interface), whilst allowing TPPs the choice of which aggregator they wish to use:
Challenges need to be addressed
There are some challenges that need to be addressed and clarified before the benefits of PSD2 will be realised. For it to be a success it must be embraced and adopted by the market in an active and harmonised way to foster and promote innovation and competition. In reality this must be underpinned by simple, modern and flexible open infrastructure and authentication methods and have clear structured ways of assigning liabilities.
Importantly, to avoid each of the thousands of banks in Europe creating divergent implementations of the PSD2, there has to be a level of harmonisation in the basic standards and principles of Payment Initiation and Account Information services. The EBA will significantly contribute to this through the RTS (Regulatory Technical Standards) that it has been mandated to develop. However, these will not be detailed “technical” protocols, interfaces and standards (as the name might suggest) but will instead be more high-level requirements. Thus the industry should act and make its own concrete proposals. To this end, a number of open, multi-stakeholder “coalitions of the willing” have emerged that wish to make PSD2 work in practice, bring the topic forward, and embrace the concept of CAPS.
If adopted correctly, the very welcome regulatory intent behind PSD2 (opening up banks for information and payment services to third parties) will be a critical step in driving future innovation. CAPS is meant to make PSD2 work in a practical, safe and secure way that respects users’ privacy and gives incentives to Third Party Payment Providers (TPPs), merchants and banks to embrace the coming regulation.
After all: if disruption is inevitable, you might as well be the disrupter.