Voice of the Industry

Banks put Open Banking business value at risk by overachieving on XS2A compliance

Monday 18 September 2017 09:49 CET | Editor: Melisande Mual | Voice of the industry

Mounaim Cortet and Vincent Jansen, Innopay: Banking executives need to carefully determine their strategic position and act accordingly and consistently with regard to their XS2A compliance approach

The PSD2 discussion between the European banking and fintech community is reaching a tipping point. Although it is clear by now that access to payment accounts by third party providers (TPPs) is going to happen in some shape or form under PSD2, there is still a lot of uncertainty. The key discussion point still on the table revolves around “non-discriminatory access to payment accounts (XS2A) for third-party providers to enable new transaction services”. (In PSD2 terms these transaction services are: Payment Initiation Service (PIS), Account Information Service (AIS) and Confirmation Availability of Funds (CAF).)

Central to this discussion are three complex and interrelated elements: communication interface, functional scope of access and interaction model between bank, customer and third party. Banking executives should make informed decisions regarding these three elements; otherwise they overachieve on XS2A compliance and thereby risk eroding the business value of their Open Banking proposition.

Setting the ‘interface scene’

Banks are challenged to offer a communication interface that is compliant with PSD2 and the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) (Final Draft RTS on SCA and CSC). Specifically, it is about a compliant interface with performance and availability similar to that of the existing online (or mobile) bank channel used by bank customers today. Only such an interface will satisfy the payment account access requirements of third parties, EBA and national competent authorities.

Banks have two options available to meet PSD2 and RTS requirements for the communication interface (Innopay blog - April 2017):

  • Option 1 - Online banking interface: allow access for TPPs via the (existing) interface that Account Servicing PSPs (typically banks) provide to their customers for authentication and communication

  • Option 2 - Dedicated interface: most commonly referred to as an “Application Programming Interface (API)”, specifically designed to give TPPs access to payment accounts of the banks’ customers

The EU fintech community (Future of European Fintech Alliance) is a strong proponent of option 1, reusing the ‘online banking interface’, to ensure non-discrimination, a level playing field and continuity of its services and business model in the PSD2 era. The banking community (European Banking Federation (EBF), European Savings and Retail Banking Group (ESBG) and the European Association of Co-operative Banks (EACB)), in contrast, leans more towards option 2, designing APIs for the mandatory XS2A services (PIS, AIS, CAF) under PSD2.

Banks that consider reusing their online banking interface typically do not have that many choices to make. As most banks opt for APIs to ensure XS2A compliance, in this article we describe the challenges that those banks encounter. We discuss the informed decisions these banks need to make on where XS2A compliance ends and their Open Banking proposition begins.

Problem definition: It is easy to overachieve on XS2A compliance

It is exactly with this decision to use APIs to meet XS2A compliance obligations that banks risk putting the business value of their Open Banking proposition at stake. We observe that banks are overwhelmed by API designs and specifications. Numerous European standardisation initiatives (Innopay blog, June 2017), technology vendors and individual banks are developing all kinds of solutions and specifications that often exceed minimal compliance requirements. The debate on PSD2-compliant APIs is characterised by (legal) uncertainty and is thus triggering various interpretations by said actors.

Banks need to be mindful of the considerations and trade-off decisions regarding APIs to ensure XS2A compliance. The most relevant areas of decision making are functional scope of access and interaction models.

For more insights about the implementation choices banks are facing and the implications these could have for their future strategic options, read the full article in our Open Banking and APIs – a new era of innovation in banking.



Keywords: INNOPAY, Mounaim Cortet, Vincent Jansen, Open Banking, PSD2, report, fintech, compliance, banks