January 13, 2018 was the springboard for open banking in Europe. This was the day that the EU’s Payment Service Directive II (PSD2) came into force. With PSD2, banks must provide access for third parties to initiate payments (Payment Initiation Service, PIS) and retrieve account information (Account Information Service, AIS) on behalf of the banks’ customers.
This may sound inconsequential, but the fact is, PSD2 is the regulatory step that will change the banking game forever, and lead banks into a completely new era. Instead of today’s linear business model, so-called ‘open banking’ paves the way for a platform business model. Banks become actors in a global network of providers of financial services.
Many bank executives still have their heads stuck in the sand, maintaining that open banking will be bad for business. Some even argue that bank executives are looking to make their open banking implementations deliberately cumbersome, to discourage usage and the disruption that comes with it. They are wrong to do so. Making open banking difficult to use won’t hold back the tide; on the contrary, it will embolden disruptors who look to fill the gap.
There will be both winners and losers. Banks that are successful with the platform business model will quickly create and deliver new products and services, both on their own and in collaboration with external third parties. By being customer-centric and delivering the products and services their clients want, these banks stand to win.
Implications for consumers
What about the ‘open’ part? Should consumers be worried about their bank accounts being ‘open’? Consumer trust in the banking industry has been severely tarnished since the financial crisis of 2007-2008, and banks are still struggling to recover it. This doesn’t mean consumers don’t trust banks to hold their funds (granted, there aren’t many alternatives unless you invest or keep cash in the mattress), but on pretty much every other level, consumers are suspicious of banks and their intentions.
For the banks, this is a big problem. Millennials (for want of a better description) represent more than a quarter of the population in Europe and the Americas and are set to build significant wealth through individual earnings and inheritance.
Many are digital natives and trust technology brands far more than they trust a bank. While that may change in the era of Facebook and Cambridge Analytica, doing nothing to repair a poor reputation is not a sustainable model. Banks (like any organisation) must - and can - earn their customers’ trust. Challenger banks were not affected by the financial crisis a decade ago and are taking advantage of this opportunity, combining their ‘clean’ reputation with the use of modern technologies to attract millennials as customers.
New regulations - an opportunity
PSD2, and also the EU’s new General Data Protection Regulation (GDPR), are opportunities for banks to regain consumer trust. While PSD2 allows third parties to access a customer’s bank account, they can only do so under strict rules. First, the consumer must give consent (and be able to revoke it) before a third party can access their bank accounts. Second, there are strict rules about how to authenticate against the bank, including strong customer authentication (SCA) for transactions over EUR 30. And third, once authenticated, the consumer must authorise the transaction.
Banks that adopt the new regulation while providing a frictionless customer experience (for example, when sharing data with a third-party personal financial management (PFM) application), and that clearly communicate how privacy-related information is handled, have a better chance of regaining consumer trust and will be better positioned to compete for new business. Customers prefer service providers that are open, transparent and that communicate in an easy-to-understand way. Transparency wins customers in the long run.
Personal data is protected
Consider the following example:
Julie is a customer of Iron Bank. She is also a customer of Finvertex, an online service that helps people analyse their spending behaviours. On Finvertex’s website, Julie requests to connect her Iron Bank account so that Finvertex has access to the transaction history of the account. First Julie approves Finvertex to access her Iron Bank account. Then Finvertex connects to Iron Bank and Julie authenticates with Iron Bank.
Once authenticated, she authorises the operation and Iron Bank releases the transaction history to Finvertex. During the next 90 days Finvertex can request updates from Iron Bank without additional action by Julie. At any time, Julie can revoke access for Finvertex.
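The consent lifecycle from Julie’s example, modelled as an added illustration (this is not code from the original article, nor from any bank or vendor): the bank only records a consent after the customer has both authenticated and authorised, access is limited to the granted scope and the 90-day window, and revocation takes effect immediately. The names, the `day()` timeline and the ledger structure are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Access window from the Julie/Finvertex example: 90 days without re-authentication.
CONSENT_VALIDITY = timedelta(days=90)

def day(n):
    """Day n of a constructed timeline (day 0 = 13 Jan 2018, PSD2's start date)."""
    return datetime(2018, 1, 13) + timedelta(days=n)

class ConsentError(Exception):
    pass

class Consent:
    """One customer's grant to one third party for one data scope."""
    def __init__(self, customer, third_party, scope, granted_at):
        self.customer = customer
        self.third_party = third_party
        self.scope = scope
        self.granted_at = granted_at
        self.expires_at = granted_at + CONSENT_VALIDITY
        self.revoked = False

class Bank:
    """Minimal ledger of AIS consents kept by the account-servicing bank (assumed design)."""
    def __init__(self):
        self.consents = {}

    def grant(self, customer, third_party, scope, authenticated, authorised, now):
        # The customer must both authenticate and authorise; a third party cannot self-grant.
        if not authenticated:
            raise ConsentError("customer not authenticated with the bank")
        if not authorised:
            raise ConsentError("customer did not authorise the data release")
        consent = Consent(customer, third_party, scope, now)
        self.consents[(customer, third_party)] = consent
        return consent

    def revoke(self, customer, third_party):
        consent = self.consents.get((customer, third_party))
        if consent is None:
            raise ConsentError("no consent on record")
        consent.revoked = True

    def can_access(self, customer, third_party, scope, now):
        # Deny by default: unknown pair, wrong scope, revoked, or outside the 90-day window.
        consent = self.consents.get((customer, third_party))
        if consent is None or consent.scope != scope or consent.revoked:
            return False
        return consent.granted_at <= now < consent.expires_at
```

Every update request from the third party goes through `can_access`, so an expired or revoked consent fails closed rather than silently continuing to release data.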
So what happens to the data retrieved by Finvertex? How is the shared data regulated? This is where the GDPR comes in. The GDPR states that data controllers and data processors must have a lawful basis to process any personal data. This means that in order to process her data, Iron Bank must inform Julie what data is processed and which parties are involved, ensuring full transparency.
Equally, the GDPR places additional responsibilities on Iron Bank and Finvertex to keep Julie’s data secure at every stage of the process, with appropriate technical and organisational measures in place before processing can begin. Failure to comply with the GDPR can lead to significant fines for data controllers and processors.
Differentiation by utilising PSD2
AIS and PIS will give people access to a range of new services that will help them to manage their money better and give them more flexibility in the payment providers they use.
However, the fraud prevention measures that are at the core of PSD2 will have a knock-on effect for consumers. Sometimes, security checks such as multi-factor authentication will make initiating a payment more difficult and irritating than it is today. It’s well known that introducing friction into customer payments has a negative impact on conversion during ecommerce checkout. Many merchants even consider cart abandonment losses more damaging than fraud losses.
Fortunately, PSD2 provides banks with a few options to exempt transactions from strong customer authentication, which can keep the customer experience frictionless. For example, exemptions can be made for transactions to trusted beneficiaries and when the risk is deemed to be low. Banks that take full advantage of these exemptions will ultimately deliver better customer experiences and will, as a result, have a competitive edge. Customers will gravitate to the banks with the best customer experience.
Clear customer communication wins
PSD2 introduces new actors in the financial services market. This, and the new security checks, will clearly have a significant impact on consumers. Banks and providers of AIS and PIS must find ways to clearly communicate to their customers about their rights and obligations. This includes communicating information about the new services as well as notifying customers in a clear and concise manner when transactions fail or when fraud checks are imposed. This will no doubt be a challenge.
PSD2 done right
Open banking platforms have to be based on modern security frameworks that allow banks to address the PSD2 requirements without compromising on either security or customer experience.
Read more about open banking in our latest Digital Intelligence publication, available in MyBCS.