The Open Banking era begins
Open Banking is intended to shake up the payments market by requiring banks to provide third-party providers (TPPs) with customers’ transactional data and with access to customer accounts, so that TPPs can make payments on those customers’ behalf. But the Open Banking revolution will get off to a slow start while several regulatory questions remain to be answered.
The revised Payment Services Directive (PSD II) comes into effect in January 2018, but firms’ compliance and strategic plans have been hampered by the lack of regulatory clarity, including the absence of finalised Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common Secure Communication (CSC) between banks and Third Party Providers (TPPs). This will make the development and adoption of new services and products across the EU slower than expected in 2018, although in the UK, where the Open Banking APIs will go live at the same time as PSD II, things should move more quickly.
Most banks plan to use PSD II as an opportunity to transform their digital offerings to provide new and better services to their customers.
Their brand and financial strength, coupled with wide customer bases, mean they are well positioned, together with established “FinTechs” and “BigTechs”, to succeed. However, while many firms have carried out some form of strategic impact assessment, most resources to date have been spent on compliance programmes, rather than on a strategic response. Indeed, in a recent Deloitte PSD II survey, 59% of respondents stated they considered the regime to be an opportunity for their organisation, but only 32% felt they were ready to respond strategically. In this sense, while the delay in the finalisation of the RTS on SCA and CSC is challenging, it could buy banks some extra time to finalise their Open Banking strategies, as competition is likely to be slower to emerge than previously expected.
But compliance challenges will continue into next year.
Banks will be required to support existing solutions, such as screen scraping, from January 2018 until the RTS on SCA and CSC become applicable in September 2019. This places them between a rock and a hard place, as screen scraping will be difficult to reconcile with the GDPR. The European Commission has signalled clearly to banks that it will take a tough line on competition issues, but banks also risk hefty fines under GDPR. Firms will need to engage closely with the relevant supervisors to explain their concerns and try to obtain clearer guidance on how to balance competition with safety, not only with respect to GDPR, but also with respect to other liabilities under the PSD II Third Party model. Indeed, 58% of respondents to our survey cited issues around customer and third party authentication and the lack of an industry standard of communication as the biggest challenge for developing a third party access solution.
However, we expect banks and TPPs to overcome the lack of a specified common communication standard by coming together to define an industry standard for their market. This will increase interoperability, reduce implementation costs and time, and also ease some of the issues around customers’ consent verification and TPP identification. The UK Open Banking APIs will provide a useful model on which to proceed.
Finally, the FSB and the EBA have already stated they will monitor whether Open Banking introduces any unintended consequences, such as lower deposit “stickiness” and, in turn, a negative impact on liquidity and lending capabilities. The extent to which this risk manifests itself will depend on the rate of adoption of new products and services by consumers, but banks should make sure that they put in place systems to detect changes in depositor behaviours and their extent.