Banks and third parties can both profit from XS2A
The European Banking Authority (EBA) recently published the final draft of the Regulatory Technical Standards on Strong Customer Authentication, which is a crucial part of the PSD2 legislation. This final draft is the starting point for companies to bring their new products to the market. And although banks generally seem to believe that the regulation represents a threat, it actually provides new opportunities for them: a bank can also act like a Third Party Provider (TPP).
But before banks go to battle, they must be well prepared. It is crucial that they are compliant when PSD2 becomes effective in January 2018. In this case, compliance concerns Access to Account (XS2A). The regulation stipulates that third parties should have access to customers' bank accounts when the customer gives permission for this. Banks must create an environment in which third parties have easy access to accounts.
Payment initiation versus account information
There are two important types of requests within the XS2A spectrum. First, there is the Payment Initiation Service. For example: you want to buy a concert ticket online and you are at the online checkout on the merchant's website. With PSD2, the payment can be initiated directly on your bank account via a third party. You can use your current and trusted way to log in to your bank account.
The second type of request is the Account Information Service request. If you have digitalized your household expenses, it would be easy to integrate your banking information into this application. You can give the company behind the app permission to access your account(s), so it can send a request to your bank(s) to collect the needed account information. Authentication is very important in this process. One of the PSD2 requirements is that every transaction is secure, so two-factor authentication with a scanner, a reader or a text message is mandatory.
This can cause a problem for some European banks. The question is whether banks can reuse their current internet environment for the access and authentication needed for PSD2 and XS2A. If this is not possible, being compliant in 2018 will be an enormous challenge. Access to accounts has to be ready by 13 January 2018, and the standardized way described in the RTS has to be integrated later that year or even in 2019. Although there is more time to become compliant, this can be challenging because not every bank can make the necessary investments to provide access as described in the RTS and to set up Strong Customer Authentication.
When you sum this up, you can see why banks think of PSD2 and XS2A as a threat. But the legislation also brings new opportunities. Turn it around and look at the interesting services banks can provide thanks to PSD2. For example, when banks provide mortgages, they can ask the customer for permission to access his accounts. Based on the transaction information, the bank can calculate a customized interest rate for the customer. And with data becoming more important, banks will gain a huge role in this data market. With permission of the clients, banks can sell their information to third parties. They may not charge for basic account information, but they can charge for non-basic information. And this is just one example.
The new possibilities are not just for new players, because a traditional bank can act as a TPP as well. Banks just have to realize what these possibilities are. Yes, some of the usual income will vanish on the one hand. But this can be offset by new revenues on the other. For example: a bank can send a request for account information and create new business with the new stream of information. Just like a TPP.
This blog was written by Tom Wijnen, Product Marketing Manager at equensWorldline, responsible for the company’s PSD2 and XS2A offerings.