By Nick Taylor, Director Customer Engineering, ForgeRock
It’s natural to view the introduction of the European Union’s Revised Directive on Payment Services (PSD2) and the Open Banking mandate in the United Kingdom as significant challenges. There’s no question that compliance will require tremendous effort as financial institutions work to enable the greater customer control, transparency, data portability and multiparty interoperability called for by the new rules. But the implications of the PSD2 and Open Banking go far beyond technical burdens or legal constraints. Over the coming years, the open-industry ecosystem mandated by these initiatives will spark new customer-centric banking models that will transform financial services for the new digital economy—and create powerful opportunities for established organizations and newcomers alike.
New customer expectations drive industry transformation.
Across Europe and around the world, consumers are demanding more control over their own data, more effective security from the companies with whom they do business, and more innovative services designed around the changing needs of the digital economy. Just as the European Union’s (EU’s) General Data Protection Regulation (GDPR) has embodied these expectations in new requirements around data security, portability, access and control, the PSD2 and Open Banking will empower financial-services customers to control how their data is used, and by whom. As this consumer-rights trend continues, we can expect these regulations to become the standard in more and more countries around the world—especially as multinational banks and other financial-services providers begin to realize the competitive benefits of innovation. Similar initiatives are already underway in the United States and Asia-Pacific regions.
Designed to increase consumer choice while promoting new online and mobile-payment models, the main provisions of the PSD2 call for the opening of banking services to third parties, user consent for data sharing and the enforcement of strong user authentication. In technical terms, the PSD2 requires that banks in Europe introduce secure APIs (application program interfaces) in order to enable third parties to have access to previously proprietary customer data, with explicit customer consent required. Evolving in parallel with the PSD2, Open Banking requires UK banks to allow consent-based access to customer data for third-party service providers.
While these new rules will require additional investment and effort to achieve compliance, they will also spur the kind of industry transformation that creates new value for customers, new forms of competitive advantage for banks and new business models for financial-services startups. As incumbent banks achieve compliance with the new regulations, providers throughout the industry—including established banks as well as challenger banks and fintechs—will build innovative products and services around the newly available data. These will offer compelling benefits for customers and powerful competitive opportunities for the providers best able to respond.
The promise: a more customer-centric banking industry.
For customers, the new regulations will usher in simpler, more convenient and more consumer-centric products and services. Empowered with unified visibility across all of their accounts—banking, credit, mortgage and so on—people will gain new insight into their spending patterns to enable better decision-making and a more holistic approach to personal financial management. Instead of struggling to decipher complex pricing models, customers will be able to use digital comparison tools and personal financial-management tools to find optimal offers based on their own financial positions and behaviors, and even automate account-switching according to rules they set themselves.
Who will deliver these new types of third-party services envisaged in the PSD2 and Open Banking? Account information service providers (AISPs), one such next-generation fintech, will offer advice based on aggregated information across all of a customer’s financial accounts. For example, an AISP will be able to analyze a customer’s transaction history and make recommendations for a less costly mobile-phone plan, a lower-fee checking account or a better retirement strategy. As consumers identify opportunities for better interest rates, lower fees and more suitable products, increased data portability will make it much simpler to switch providers in an automated, seamless and secure way. Payment initiation service providers (PISPs), another type of fintech, will offer new flexibility for customers to make payments directly from their bank accounts, a potentially cheaper and faster alternative to using existing payment services such as Visa, American Express and PayPal.
Opening the door to disruption.
For startup banks and fintech providers, the PSD2 and Open Banking will create openings for disruptive new business models and competitive opportunities. Retailers, Internet giants, AISPs and PISPs will introduce their own payment and financial-management products and services. Digital native challenger banks built with more open and dynamic technological infrastructures will take advantage of this head start to build innovative offerings around the new data-sharing ecosystem. Established banks that are unable to keep pace with this rapid transformation will risk losing customers to a new generation of digital disruptors, just as traditional payment-card and online-payment companies such as Visa and PayPal face the prospect of disintermediation.
There’s no questioning the daunting scope of the PSD2 and Open Banking compliance challenge for established banks and service providers, beginning with a new set of technical requirements to maintain the security of customer data and ensure that it is accessed only with consent. The new regulations are also likely to have a significant impact on the dynamics and composition of the industry itself. The open APIs called for by the PSD2 and Open Banking will make it possible for third parties to enter the banking-and-payment ecosystem without the need to invest in and maintain their own technical infrastructure, dramatically lowering barriers to entry and unleashing unprecedented innovation and competition.
Still, while the PSD2 and Open Banking pose challenges for banks, the opportunities they offer are even more significant. As the industry ecosystem becomes more open, the bank can become a platform on which fintechs can build their applications and services. Banks have the distinct advantage of being the owners of existing customer relationships and experts in technical infrastructure and regulatory compliance. Rather than being disintermediated, banks can leverage these existing relationships and data to support new services in partnership with PISPs, AISPs and other specialized providers. With the requisite technical capabilities and the right strategic vision, the new era of banking can be a winning proposition for incumbent banks, newcomers and customers alike.
Overcoming technical hurdles to digital transformation.
To capitalize on the opportunities offered by a more open banking-industry ecosystem, established banks will need to update infrastructure designed for an earlier era, as well as introduce new capabilities to enable more open, customer-centric business models. To succeed, these efforts must achieve their technical objectives while also allowing the optimal customer experience now essential for competitive success.
To begin with, the PSD2 and Open Banking call for strong, multi-factor customer authentication to be enforced every time a user accesses or initiates a payment from an online account. Over the years, most banks have accumulated a complex matrix of authentication and fraud-reduction mechanisms implemented differently on different channels, with separate silos for mortgage accounts, credit cards and checking accounts; in-person vs. mobile vs. online; and so on. Built primarily as proprietary technology, these systems make it much more difficult to achieve PSD2 and Open Banking compliance, while fragmentation makes it impossible to deliver the seamless, unified experiences customers now expect. Banks will now need to implement measures such as push authentication, which allows users to authorize a login by responding to a notification message sent to the email address they provide; Touch ID and other biometric readers; adaptive risk authentication; and integration with third-party fraud-detection engines.
As banks open their customer data to third parties, they must also ensure that the APIs that make this connection are fully secure to protect both customers and the bank itself. This calls for a multi-layered, defense-in-depth approach encompassing access control, threat detection and prevention, confidentiality, integrity and availability. With varying standards in place in different geographies across Europe and the globe, banks also need the flexibility to meet diverse requirements through an efficient, unified approach. The adoption of a common REST API will enable banks to securely extend and integrate their services with third parties and comply with Open Banking and PSD2 requirements without the need for the added cost and complexity of a standalone API solution.
One of the most important challenges to solve is that of customer consent, a core tenet of respecting consumer-data privacy. Banks must gain explicit customer consent for the execution of payments and for third-party access to data according to the customer’s specifications (e.g., read-only access, or access to only a specific type of transaction), as well as ensuring that data will not be used, accessed or stored for any purpose other than that requested by the customer. Today, many banks lack mechanisms for collecting granular consent, and both regulators and customers will expect much more than pre-populated opt-in checkboxes. The OAuth 2 and OIDC (OpenID Connect) standards, chosen by the UK to address Open Banking authentication and authorization challenges, have also become the preferred mechanisms for enforcing user consent for the initiation of payments or sharing of banking data. The User-Managed Access (UMA) standard, viewed by industry experts as the future of consent management for both Open Banking and the PSD2, can empower users to share data with each other, not just with organizations, allowing the introduction of peer-to-peer payment services that comply with the new generation of banking regulations.
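The granular consent described above (read-only access, access limited to one transaction type, payment initiation only within agreed bounds, and nothing beyond what the customer requested) has to be enforced on every API call, not just collected once. The following is an added example, not code from the article or from ForgeRock: a deny-by-default consent check a bank might run at its API layer after OAuth 2 has identified the third-party provider. The scope names, consent fields and the sample AISP consent are constructed assumptions, not values from any Open Banking specification.

```python
# Added example (not the article's or ForgeRock's code): deny-by-default enforcement
# of a customer's granular consent at the bank's API. Scope names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Consent:
    """What one customer allowed one third-party provider (TPP) to do."""
    tpp_id: str                              # the AISP or PISP authorised
    scopes: FrozenSet[str]                   # e.g. {"accounts:read"}
    expires_at: datetime                     # consent is time-boxed
    txn_types: Optional[FrozenSet[str]] = None  # None = any transaction type
    payee: Optional[str] = None              # PISP: payments only to this payee
    max_amount: Optional[float] = None       # PISP: per-payment ceiling

# Which consented scope each API operation needs; anything else is refused.
REQUIRED_SCOPE = {
    "GET /accounts": "accounts:read",
    "GET /transactions": "transactions:read",
    "POST /payments": "payments:initiate",
}

def authorize(consent: Consent, tpp_id: str, operation: str, now: datetime,
              txn_type: Optional[str] = None, payee: Optional[str] = None,
              amount: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); every refusal names the failed check."""
    if tpp_id != consent.tpp_id:
        return False, "consent was granted to a different TPP"
    if now >= consent.expires_at:
        return False, "consent expired"
    scope = REQUIRED_SCOPE.get(operation)
    if scope is None:
        return False, "operation not covered by any consentable scope"
    if scope not in consent.scopes:
        return False, f"customer did not grant {scope}"
    if scope == "transactions:read" and consent.txn_types is not None \
            and txn_type not in consent.txn_types:
        return False, "transaction type outside the consented set"
    if scope == "payments:initiate":
        if consent.payee is not None and payee != consent.payee:
            return False, "payee differs from the consented payee"
        if consent.max_amount is not None and (amount is None or amount > consent.max_amount):
            return False, "amount exceeds the consented ceiling"
    return True, "ok"

# Constructed sample: read-only AISP consent covering only card transactions.
GRANTED_AT = datetime(2018, 1, 15, tzinfo=timezone.utc)
AISP_CONSENT = Consent(tpp_id="aisp-example", scopes=frozenset({"accounts:read", "transactions:read"}),
                       expires_at=GRANTED_AT + timedelta(days=90), txn_types=frozenset({"card"}))
```

Because the same AISP consent cannot be reused to initiate a payment, read a loan transaction or serve a different provider, each refusal reason also makes a useful audit-log field for detecting third parties that probe beyond what they were granted.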
Finally, for both regulatory and competitive reasons, digital-identity management is becoming even more important in the digital economy. Banks have to be able to provide a seamless and consistent experience across every channel and service that a customer uses, building a rich profile based on his or her activities, preferences and characteristics across all touchpoints. This is important for more than just PSD2 and Open Banking compliance; as competition intensifies, the banks and service providers that can provide the most personalized services will be best able to build strong, enduring customer relationships.
Embracing the new face of banking.
Yes, the technical to-do list for banks has grown much longer with the introduction of the PSD2 and Open Banking. But viewing these mandates as nothing more than regulatory burdens—even exceptional ones—would be short-sighted in the extreme. While these new mandates do pose technical challenges, they also represent a vigorous industry response to the demand by consumers for more control over their own data and the way it is used by businesses. Beyond satisfying a legal requirement, compliance will make it possible to introduce new products and services designed to meet the needs and expectations of today’s empowered consumers. Banks that are slow to adapt to the competitive dynamics of a customer-focused financial-services industry will be quickly overtaken by more agile competitors and industry newcomers. Success today begins with the understanding that the new era of banking has much to offer to banks and customers alike.