API readiness for PSD2: can we start testing now?
The second Payment Services Directive (PSD2) came into effect on January 13, 2018. It opens the financial services market to TPPs (Third Party Providers) with access to bank accounts via API (Application Programming Interface) communication channels. These include AISPs (Account Information Service Providers) offering smart apps to manage your money such as Bankin’ or Linxo, and PISPs (Payment Initiation Service Providers), which are third-party providers that initiate payments on behalf of customers.
PSD2 also provides additional specifications such as the RTS (Regulatory Technical Standards), created to enhance consumer protection, promote innovation and improve the security of payment services across the European Union.
The RTS are designed as a framework for new players on the market and they will come into effect as of September 2019. As the RTS do not provide interoperability standards, different standardization initiatives have emerged to facilitate implementation and to allow for simplified collaboration between different market players. Following OBIE (the Open Banking Implementation Entity) in the United Kingdom, other standardization initiatives like the Berlin Group (which originated the NextGenPSD2 standard) and STET have also gained traction across Europe.
On March 14, 2019, six months prior to the important RTS milestone, all European banks had to provide a test environment (the interface between a set of APIs and their various stakeholders, often referred to as “developer portal” or “sandbox”) as well as documentation to enable TPPs to test the banks’ APIs with anonymized data.
This article looks at the readiness of key banking players in France, Belgium and Luxembourg and provides a state of the market with regards to their developer portals, the standards being used, and interoperability with other banks and TPPs.
1. Major banks operating in France, Belgium and Luxembourg have for the most part responded in time by providing an API sandbox and test environment
Below is a (non-exhaustive) overview of the developer portals launched by banks per country:
Tier 1 banks:
- Banque Générale du Luxembourg (BGL)
- ING Luxembourg
- Banque et Caisse d’Épargne de l’État (BCEE)
- Banque Internationale à Luxembourg (BIL)
- KBL European Private Bankers
- Puilaetco Dewaay
- EFG Bank
- Société Générale Luxembourg (SGL)
- Lombard Odier
Compliance or opportunity?
While some of these banks offer intuitive, detailed developer portals with extensive documentation, others have decided to set up portals that are relatively basic, not very intuitive and sometimes difficult to access (e.g. some portals require the creation of an account to consult the documentation). The quality of the developer portals is an issue Accenture has already addressed in our study Competing in the new era. Banks that deploy a fluid, detailed and easily accessible portal will be able to take full advantage of all the interactions made possible by developers and TPPs, while the others risk benefiting only partially. This situation may be temporary for some time-pressed institutions, but it could also be perceived as indicative of banks’ strategic response to PSD2. Indeed, some banks interpret PSD2 as a directive to be complied with, while others approach it as an opportunity to seize.
2. There are key differences between countries with respect to the standards they have adopted
Different trends can be observed:
- The majority of banks in France have decided to adopt STET standards
- In Belgium, on the one hand, major banks implemented PSD2 based on their own understanding of the PSD2 law and the RTS provided by the EC/EBA, without following a pre-defined standard such as STET or the Berlin Group, while on the other hand BNPPF has adopted STET (in line with its French counterpart) and AXA Bank and Argenta have adopted the Berlin Group standards.
- In Luxembourg, most banks decided to adopt NextGenPSD2 standards. To help banks meet PSD2 requirements, an API platform called LUXHUB was created by four major Luxembourgish banks (BCEE, BGL BNP Paribas, Banque Raiffeisen and POST Luxembourg).
- Interestingly, HSBC simultaneously uses the STET and OBIE standards, while working on the integration of the Berlin Group’s standard.
Convergence or multi-standard support?
We expect this to be a temporary situation. The future trend is likely to evolve towards convergence and/or interoperability of standards, or towards the generalization of multi-standard support (at least for banks with an international presence). Open Banking experiences in the UK have already highlighted that even when sharing a common standard, differences in interpretation between actors can be significant. Multiple standards impose a significant integration effort on TPPs, especially in the case of NextGenPSD2, which is in fact a toolbox with many options. NextGenPSD2 may provide common elements, but because it also offers numerous options, interoperability is not a given. This mainly applies to actors with an international positioning, but it can also impact local actors if they want complete coverage of the banking players present in a country.
For consumers, this situation may result in short-term limitations on the banks supported by some TPPs, in non-homogeneous experiences, and in varying service levels. This opens an opportunity for tech companies to close the gaps, aggregate APIs and provide a “real” standard to the outside world. There are plenty of them on the market. Solutions such as Ibanity are already moving in this direction.
3. Customer authentication in the spotlight
Aside from the standards being used, the way customers are authenticated is another key challenge of PSD2. Three major models stand out in strong customer authentication:
Based on information currently available, all the banks listed above seem to support the redirection model rather than the embedded or the decoupled model. This choice strongly impacts the TPPs already in place (e.g. Linxo, Bankin’...) and their users. Redirection is easy for TPPs to implement, but it introduces friction in the customer journey, and under the redirection model TPPs lose some control over the customer journey of their own users. Furthermore, PSD2 requires that strong authentication is renewed at least every 90 days for AISPs, which imposes an additional burden. This is proving to be a point of contention for TPPs. Frustrated by the lack of progress, some TPPs are exploring other methods such as screen scraping and reverse engineering to retain control over the customer journey. Banks should not ignore this. They need to take into account the standards being used by TPPs themselves as well as the TPP responses they receive. This will also impact the regulator’s acceptance of a bank’s APIs (in particular when making exemption requests to the fallback solution).
What comes next?
While most banks in Benelux have formally met the regulatory milestone in March, there is still some way to go to fulfil the promise of a truly open ecosystem. At present, some TPPs are not satisfied with the position taken by banks, particularly in the case of authentication models, but more broadly they complain that API sandboxes do not meet expectations. What banks do next will be key, and there are three important steps to take in the short term.
- Preparing exemption files for the implementation of a fallback solution.
  - For French banks, the filing deadline was set by the ACPR on July 14, 2019. One of the conditions in France is to prove that by this date the banks’ interface has been used extensively in accordance with EBA guidelines during the previous three months.
  - For Belgian and Luxembourg banks, the filing deadline was set by the respective authorities as June 1, 2019 and May 1, 2019.
- Adjustments to interfaces based on TPP feedback. Some banks will need to step up their service level and/or APIs in order to secure their position in the ecosystem.
- Communicating to clients. As they develop additional services and interactions with TPPs, banks need to begin or increase their dialogue with users about what they are doing, what will change, what the impact/benefits are for the users, etc.
Want to know more about this topic or any other PSD2 or Open Banking related topic? Don’t hesitate to contact us for a chat!