This post originally appeared in The Open Banking Report 2019 – Insights into the Global Open Banking Landscape.
In January 2018, the Payment Services Directive 2 (PSD2) was implemented into national law in 22 European Union countries. PSD2 introduces Open Banking, which uses open APIs to enable third-party providers (TPPs) to build applications on top of bank infrastructure and data. PSD2 comes into full effect on 14 September 2019, and will affect all transactions in the region, including ‘one-leg-out’ transactions (i.e. transactions where only one of the payment service providers – either payer or payee – is based within the EU). In this context, payment service providers need to implement stronger security protocols, as they will be held liable for any unauthorised transactions or any deficiency in the execution of the transaction.
As part of PSD2, TPPs have regulated access to customer accounts and data via two new generic services, Account Information Services (AIS) and Payment Initiation Services (PIS). While AIS deals with account aggregation and the benefits therein, PIS allows fintechs to create new payment solutions. While there are benefits to this, it has also given rise to unique challenges that players need to overcome.
The benefits of Payment Initiation Services
PIS providers (PISPs) can initiate an online credit transfer to debit the customer’s account and credit the merchant’s account. As these transfers are cheaper than online card payments, PISPs can generate revenues while reducing online card processing fees for corporates. This also simplifies the payment process for consumers, resulting in increased speed and ease of use. Merchants could use TPPs, or even become PISPs themselves, and leverage more cost-effective methods for payment acceptance.
However, these great benefits come with great responsibilities. First, PISPs need to ensure they have the consumer’s consent to access their data and act on their behalf, which requires strong customer authentication steps to be in place. Next, to connect with the business to initiate payments, they need to ensure they do their due diligence, establish strong KYC and AML guidelines, and have the required account information. They also need to connect with the consumer’s bank afterwards, which requires additional customer authentication protocols, as well as access to and implementation of the bank’s APIs. Lastly, if the PISP will be acting on the business’s behalf – for instance, in case of supplier payments – explicit consent is needed, and appropriate security measures must be provided.
The major concerns around PISPs
This brings us to the major concerns around PISPs. As privacy and security become more important, PISPs are under pressure to ensure they implement strong security measures. Many PISPs are new players and will have tenuous relationships with banks; they’ll need to prove themselves reliable in order to survive in this competitive landscape.
Another concern centres on the dependence of the bank on the PISP. From the consumer’s point of view, the PISP and the bank both represent a single institution, tying the reputations of the two together. A PISP’s failure – in terms of security, user experience etc. – would have an adverse effect on the partner bank. This loss of faith can result in serious reputational damage for the PISP.
After all, no discussion about the concerns surrounding Open Banking is complete without addressing the potential loss of customers. Open Banking allows customers to switch service providers with minimum effort, as well as allowing competitors to access customer data. Competitors could potentially leverage this information to woo customers away with better services. Since PISPs act as the crucial interface between the customer and the bank, there is significant pressure on both parties.
The impact of PISPs on banks
Going forward, the fate of PISPs and their partner banks will be closely tied, with banks (arguably) having more to lose; never before have they had to place their trust in an unverified partner. So how can they mitigate these risks?
The first step involves understanding and defining their needs clearly. Banks need to thoroughly evaluate their processes and how customers interact at each touchpoint. This will help identify gaps that they can then address to compete effectively in an Open Banking world. This information can also help with prioritising business goals so that both the needs of their stakeholders and their customers can be managed.
Next comes the careful selection and vetting of PISPs. A stable and secure PISP will impact the user experience dramatically. Banks need to do their due diligence and ensure that their PISP understands both the business’ requirements and the regulatory environment. In August 2019, the fintech company Ipagoo was issued a cease-and-desist order from the UK Financial Conduct Authority, reportedly for not segregating client money and for using client funds for working capital. This order came just seven months after it had announced an Open Banking-based payment solution for airlines called IATA Pay. Ipagoo subsequently went bankrupt. Therefore, the potential reputational risk for partners can be material.
Finally, banks need to ensure that they mitigate the inherent risk of having their customers interact and engage with a PISP on their behalf. They need to ensure that they protect themselves against any PISP security lapses; having or providing alternate payment options in case the PISP is unable to perform are two possible ways of dealing with that situation.