Recent years have seen rapid growth in the popularity of e-payments and mobile banking services. In answer to the increased demand for fintech solutions, the EU introduced the revised Payment Services Directive. Its goal is to open the banking sector to a broader financial market and introduce healthy competition among providers. Let’s see what benefits, improvements, and challenges this arguably revolutionary initiative brings.
What is the PSD2 directive?
The Payment Services Directive PSD2 was proposed by the European Parliament and the Council of the European Union in 2015 and came into force on 13 January 2018. It deals with the provision of payments in the EEA internal financial markets. It has a significant impact on the activities of all bank and non-bank payment service providers and their customers.
EU Member States must implement it by September 2019. The requirement of common access to financial information opens markets to new opportunities and possibilities.
PSD2 – new opportunities and possibilities
The directive brings:
- the introduction of Payment Institutions (PIs), providers of smaller-scale financial services operating on looser terms and conditions than banks,
- the possibility of introducing new products and financial services to the market,
- improved quality of customer service through increased competition among providers,
- open bank APIs accessible to Payment Institutions that meet certain requirements.
It will also enable:
- cross-border access to the services of banks and PIs throughout the European Union,
- support for money transfer services and customer account information,
- strong authentication: a requirement to confirm transactions using at least 2 authentication methods (e.g. password and fingerprint),
- a lower liability threshold for unauthorized transactions: the existing threshold of 150 EUR is reduced to 50 EUR.
In case of theft or misappropriation of funds, the customer will receive a full refund from the service provider.
Functions available in the API
According to the directive, the following new services will be introduced:
- AIS (Account Information Service) – access to account information, e.g. balance check, transactions history,
- PIS (Payment Initiation Service) – the ability to make payments via the service provider directly from the account,
- CAF (Confirmation of the Availability of Funds) – the ability to confirm the availability of a specific amount necessary to execute a transaction.
Thanks to the widely available API, users with accounts in various banks will be able, for example, to use third-party services to manage all their accounts from a single mobile app.
The Polish API
With the implementation of the PSD2 Directive, a need arose to develop a common API standard for the Polish financial sector. A solution is being created that offers a comprehensive approach to cybersecurity and brings together banks and PIs.
What does the API provide?
The Polish API is the answer of the country’s financial sector to the provisions of PSD2. It is meant to serve as a standard for payment institutions and providers in Poland. The Association of Polish Banks, together with commercial and cooperative banks, the Polish Organization of Non-bank Institutions of Payments and others, is involved in the work on the project.
The list of banks enabling access to the test environment (sandboxes) includes both commercial (18) and cooperative (over 400) banks. Among the most prominent Polish institutions are:
- Bank Pekao S.A.,
- Santander Bank Polska S.A.,
- mBank S.A.,
- ING Bank Śląski S.A.,
- BGŻ BNP Paribas S.A.,
- Bank Millennium S.A.,
- Alior Bank S.A.
The full, continuously updated list can be found here. In addition, each item on the list has a link to the developer portal or to information on access to the test environment of the ASPSP (account provider).
Access to the API
Only certified entities (TPPs) can use the API, but some banks also provide their APIs to entities that are in the process of acquiring the certificate (confirmed applications).
The importance of Payment Services Directive 2
The Payment Services Directive 2 imposes an obligation on banks to allow open access to AIS and PIS regardless of any prior agreements between providers. The banks take an individual approach to registration for access and require a variety of information from applicants. The test API has been available since March 13, 2019, and interfaces for data collection and triggering operations must be launched by September 2019.
How to become a TPP?
Each entity exchanging information with payment institutions (with the assurance of integrity and authenticity) is obliged to be eIDAS certified.
Certificates with a validity period of 1 to 2 years can be obtained by any entity that has received permission from the Polish Financial Supervision Authority to provide services under the PSD2 regulation.
Both the website authentication certificate and the set of authorized electronic seals can be obtained from KIR (the Polish National Clearing House). Orders can be placed via the Szafir online store website. The certificates provide:
- data for validating the electronic seal, which links it to a legal entity and confirms its name,
- authentication of websites, which assigns a website to a person or a business entity.
Obtaining a certificate
Certificates can be obtained electronically by following the ordering procedure and sending a qualified, electronically signed request. To order a certificate you need: a valid contract for the provision of trusted services, details of the person(s) authorized to receive the certificate, identity confirmation by a competent authority, and an order signed (on paper or electronically) by authorized representatives of the financial institution.
A quick loan from your mobile application and access to all your bank accounts from one system are but two examples of the new benefits in store for consumers of financial services.
PSD2 – Users’ benefits and needs
Checking the account balance, transaction history, money transfers, currency exchange, international transactions, etc. all currently require accessing your bank’s services directly.
All these functions can now be made available not only in bank applications, but also in third party solutions from other providers.
New players on the market
As mentioned before, the new regulations allow the creation of Payment Institutions (PIs): third-party providers operating only on the basis of an entry in the KNF register, without a bank license or strict financial supervision. The PIs will be able to provide payment accounts of up to 2000 EUR, issue and accept cards and e-payments, process transactions of up to EUR 1.5 million / month, and issue loans.
The current amount limits, the lack of access to AIS and PIS services and the inability to provide services outside of Poland make the PIs a little restricted to begin with, but surely this will change with time.
Banks have been accumulating their customers’ data for many years, ensuring high-level consumer protection. This covers not only authentication and authorization details, but also personal data, creditworthiness and spending trends. PSD2 will now make part of this sensitive information available to competing providers.
Users’ fear of using e-banking services or banks’ mobile apps is becoming a thing of the past. Now that other institutions are able to join the game, users may yet again become skeptical of sharing information about their financial activities with other providers. To ease the consumer’s mind: these institutions will only receive the data with the client’s explicit permission.
Additional concerns and threats are related not to cyber security itself, but to the business model of small financial institutions. Established fintechs and large banks, owing to their extensive resources and continuous development of their services, will remain first in line to gain customers’ trust and loyalty in the initial phases of PSD2 adoption.
The full adoption of PSD2 is intended to improve security and allow access to information about our finances by limiting the banks’ monopoly. The open banking system will see an expansion of services and the creation of new solutions utilising the potential of the available data. If you’re already in the payments industry and have so far been limited by the banks’ unchallenged rule, PSD2 is well worth thorough consideration.