Open APIs have been around for a while. The likes of Salesforce.com and other SaaS providers have been offering open APIs (publicly available application programming interfaces) to developers to help dictate how one application can interact with another. These APIs allow third parties to access the internal functions of a software program and to access backend data that can be used to enhance their own applications.
In a disruptive move, banks are now being mandated to open their own APIs in the EU, per the Payments Service Directive (PSD2) in order to help drive innovation and better customer service in the payments ecosystem. It’s a move that is sure to leave ripples in the payments space and alter the way customers interact with banks—and payments applications— in the near- and long-term.
The Revised Payment Service Directive, also known as PSD2, essentially breaks banks’ monopoly on their customers’ data. It allows merchants to access customer account data directly from the bank, enabling a payment directly from the customer to the merchant without redirection to another service like PayPal or a card brand.
This revised directive stands to position the customer as the ultimate beneficiary, as payments begin to shift from a commoditized entity to a more strategic element that can add real value to end customers. The key question is whether or not banks will be active participants and drivers in this power shift or whether they will sideline themselves as passive utilities in the payments ecosystem. In short:
The PSD2 mandates that banks provide third-party providers (TPPs) access to their customers’ accounts through open APIs. In turn, TPPs can build and sell financial services on top of the data and infrastructure provided by banks. It presents a real challenge and several threats to banks as they exist today. First, it makes the financial services space highly competitive. Banks will now have to compete against other banks as well as fintechs, TPPs, and merchants. It disrupts the payments value chain, which makes sense when you consider that the ultimate goal is to encourage innovation, improve the customer experience, and increase the security of online payments and account data.
The directive introduces two new entities to the financial service ecosystem in the form of Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). The former (PISPs) are entities that initiate a payment on behalf of the user, which may include P2P transfers and bill payments. The latter (AISPs) are able to access the account information of banks’ customers, which can then be used to analyze transaction history and spending behavior or to aggregate user account information across several banks and channels into one dashboard view.
These new players paired with a more level playing field means that banks must think strategically to withstand and effectively grow through this disruption. While threats to bank business are very real, there are also significant opportunities for banks to monetize this open API movement and to create new revenue streams. The first step is to become compliant. From there, banks can strategically position themselves (and the wealth of information to which they have access) to avoid disintermediation.
One way banks can innovate amidst the chaos is to find ways to monetize access. While banks are mandated to open up account data via APIs, they have the ability to open up beyond the directive’s minimum standards. One possibility is to offer seamless, fee-based APIs to third parties for payment services or offerings where they manage customers’ digital identities across merchants. Banks can also facilitate the completion of product applications through APIs for a fee. Not only does this open up new revenue streams, but it gives banks a seat at the table of collaboration with fintechs and third parties looking to create new products and services.
Another opportunity for monetization lies in the ability to offer customer insight-driven services. As customer-centric entities, banks can provide digital portals in partnership with third-party providers that offer value-added services benefiting the entire ecosystem. Strategic partnerships with third-party providers are going to be a key consideration and factor in banks’ success moving forward. Consolidation of services and data can cut costs and provide incremental value to customers—and subsequently increase revenue for both the providers and banks.
With the new directive, merchants are able to act as PISPs and become a payment processor themselves, connecting directly to their customers’ bank accounts through APIs. This facilitates a seamless payments experience as customers get instant payment confirmation after a simplified checkout experience. This has the potential to be a game-changer for merchants who can save big when it comes to card processing costs and fees associated with other intermediaries. Merchants now have direct access to a customer’s bank account to take online or mobile payments.
That said, merchants must understand what it means to be a PISP. First, it requires compliance with the Regulatory Technical Standards (RTS) as well as top-notch security and strong customer authentication. This can be a heavy burden for smaller merchants who find they don’t have the time or resources to meet compliance requirements while also focusing on the core business.
Only time and experience will tell how many merchants will consider the PISP option. It will require strategic analysis of the business and its payments systems to understand the true costs of compliance and the total financial value of managing direct payments. In some cases, the cost of compliance as a PISP will be too high or the benefit not great enough for this to be a viable option.
PSD2 is a boon for technology companies, who now have greater rein to implement and market new banking and payments technology innovations. Digital payments and cloud-based applications have already been disrupting the industry as well as boosting customer expectations when it comes to convenience and security.
PSD2 enables technology companies to truly compete with banks for customer touchpoints as they gain access to secure customer data. The PSD2 standards require banks to provide a protected “sandbox” to PISPs for testing and ongoing development of services that use the bank’s interface. This unfettered access could have multiple outcomes in terms of traditional banking’s role vs. technology companies.
On one hand, technology companies that leverage this new access could gain significant market share, take control of financial management, and initiate all transactions. The end-game could be closed-loop solutions that reduce banks to simple balance sheet providers. On the other hand, technology companies may opt to partner with banks in providing integrated payments and financial management, leveraging data to improve cross-selling. This option would solidify banks as trusted advisers, rather than cut them out of the equation altogether.
Also fascinating is the way in which technology companies can partner with organizations across the industrial board—digital media, telecom and more—in an attempt to gain a foothold in orchestrating how customers shop, pay, and bank. These partnerships, along with access to data, enable companies to cater to sophisticated and complex consumer behaviors and outplay traditional banking systems by providing a more customized, secure experience.
The new access to customer transaction accounts afforded by PSD2 (which covers both retail and corporate customers) provides greater flexibility and differentiation in the customer experience. Technology companies have the ability to rival banks as PISPs, and potentially provide lower costs and higher security for consumers. In many ways, technology companies stand to strengthen their own positions within the fintech space, but also to help strengthen the competitive standing of merchants with which they partner.
PSD2 is geared toward driving innovation that improves customer experience. By opening up banking data and services to third parties, these external vendors can easily develop value-added tools that improve convenience for customers. This benefits the entire payments ecosystem as both fintechs/TPPs and banks recognize additional channels for growth and improved customer stickiness while customers enjoy more seamless financial services. The disruption to the payments supply chain ultimately changes the way financial services technology is built and delivered, making new financial models and partnerships possible and viable. The collaboration between banks and fintechs also increases the speed of innovation, ultimately benefiting customers.
While a lot of the literature on the topic of open APIs has discussed the benefits to TPPs and fintechs that can now leverage banks’ account data, the opposite holds true as well. There is an opportunity for banks to leverage the technology of TPPs to attract customers back into their systems. Whether it’s through aggregation of data that pushes customers towards the most beneficial transactions for their unique customer profile or through another mechanism, banks can utilize other platforms and not just be utilized themselves. Banks must find a way to add value to the data they already have, which is where partnerships with TPPs and fintechs can be lucrative. Banks must think outside of the financial box and think of cross-industry initiatives through which they can add value for customers via their own platforms and systems.
Given the massive amounts of data banks house, they have the power to aggregate insights that are critical to positive customer experiences. Banks need to switch their perspective from that of offering standalone financial products to that of a connected platform. Banks can layer external information from cross-industry partners on top of their own treasure chest of financial data to offer consumers powerful recommendations on financial and non-financial purchases as well as price comparisons for a plethora of products. As holders of aggregated consumer spending, they possess the cornerstone to users’ digital profiles, which they can use to enhance digital customer experiences of all kinds and to improve contextual commerce.
There are several aspects of security tied to the PSD2. The directive is geared towards “protecting the confidentiality and integrity of personalized security credentials.” Banks will have the ability to block third-party access to accounts where fraudulent or unauthorized activity is detected. Providers will also be held liable for any breaches resulting from a failure to authenticate a transaction appropriately.
The RTS specifies that strong customer authentication is based on multi-factor authentication, including two or more of three independent elements. Additionally, payment service providers (PSPs) must have adequate security measures in place that protect the confidentiality of their users’ personalized security credentials. In short, PSPs must ensure the integrity of payment credentials at all times that the payer:
PSD2 requires strong customer authentication in the case of electronic remote payment transaction initiation, including elements that can dynamically link the specific transaction to a specific payee and a specific amount.
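Dynamic linking, as an added illustration that is not from the original article: the authentication code is computed over the payee and amount the payer actually approved, so a transaction whose amount or payee was altered after approval fails verification. The HMAC key, the IBANs and the amounts below are constructed for the example; a real implementation derives the key from the payer's authentication elements.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed demo key (assumption for this example only); in practice the
# issuer derives a per-payer or per-session key from the SCA elements.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical_message(payee: str, amount: str, currency: str) -> bytes:
    """Serialise exactly the fields the code must be linked to: payee and amount.

    The amount is normalised through Decimal so that "49.9" and "49.90" yield the
    same message, and fields are joined with a separator that cannot occur in them.
    """
    normalised_amount = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    return f"{payee}|{normalised_amount}|{currency}".encode()


def generate_auth_code(payee: str, amount: str, currency: str,
                       key: bytes = DEMO_KEY) -> str:
    """Return a hex authentication code bound to this payee, amount and currency."""
    return hmac.new(key, canonical_message(payee, amount, currency),
                    hashlib.sha256).hexdigest()


def verify_auth_code(code: str, payee: str, amount: str, currency: str,
                     key: bytes = DEMO_KEY) -> bool:
    """Recompute the code for the transaction as presented for execution.

    Any change to payee or amount between approval and execution produces a
    different code; compare_digest avoids leaking the mismatch position via timing.
    """
    expected = generate_auth_code(payee, amount, currency, key)
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    # Constructed transaction: what the payer saw and approved.
    approved = ("DE89370400440532013000", "49.90", "EUR")
    code = generate_auth_code(*approved)
    print("approved transaction verifies:", verify_auth_code(code, *approved))
    # Tampered amount or payee: the same code no longer verifies.
    print("amount changed:", verify_auth_code(code, approved[0], "4990.00", "EUR"))
    print("payee changed:", verify_auth_code(code, "GB82WEST12345698765432", "49.90", "EUR"))
```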
The term “Open APIs” alone sounds harrowing when it comes to fraud prevention, which is why banks must adhere to a solid architectural approach to properly mitigate cybersecurity threats. Open APIs represent a more expansive attack surface to bad actors and remove the possibility of shielding critical applications behind perimeter firewalls alone. The key here will be for banks to tightly couple security requirements with business cases to ensure maximum responsiveness to threats without negatively impacting business outcomes. API security and management must be at the forefront of development. The traditional approach to API security (where APIs are viewed as a trusted B2B interaction) must be shifted to a more stringent “do not trust” approach that enacts security controls aligned with digital banking. This means enhancing the security layer with confidentiality, access control, threat detection, and integrity features.
Security is top-of-mind and central to the principles of the RTS and PSD2. Banks are required to implement multi-factor authentication for both proximity and remote payments across all channels, including two of three independent factors: knowledge, possession, and inherence. The PSD2 mandates that banks utilize security measures aligned with the level of risk involved in each payment service in order to balance user convenience with security. There are lesser requirements for low-value payments, repetitive transactions, and other exemptions as outlined in the RTS.
The good news is that entities who implement 3D Secure 2.0 (3DS2) will be covered under PSD2. Technically, it is not required by the directive (3DS 1.0.2 covers the requirements); however, 3DS2 eliminates friction while effortlessly preventing fraud for merchants, consumers, and banks. 3DS2 is a compelling tool for all parties in the payments ecosystem, as it affords numerous benefits across the board:
At the end of the day, consumers are looking for safety, security, and seamlessness when it comes to payments. As open banking takes hold overseas and the trend continues to push boundaries closer to home, third parties will continue to develop apps and services through APIs. While not yet mandated everywhere, open APIs offer limitless potential for both traditional banks and fintechs to contribute to the fintech ecosystem and make banking and commerce easier, more personalized and more enjoyable for customers.
Banks and fintechs are best served to work together and leverage each other’s complementary strengths, which will ultimately enhance the consumer experience. In the end, each party should be looking to add value on top of secure, seamless payments. Open APIs provide the mechanism for this ideal, though time will tell how receptive both sides of the equation are to the path ahead.