PSD2 and Open Banking: What you Need to Know
- Yasmin Duggal, Cybersecurity Content Specialist, Netacea
5 minute read
PSD2 and Open Banking have been around for a few years now. Each aims to disrupt and future-proof the financial services market following the vast technological advances of the last two decades, which have left the industry with legacy processes and a lack of legislation to cope with emerging challenges.
The introduction of FinTechs and mobile banking, for instance, was not accommodated in the original 2007 PSD, a directive implemented to make payments across borders as easy, secure and inexpensive as domestic payments.
A solution was needed, but the road hasn’t always been straightforward. In our blog we discuss the PSD2 and Open Banking journey so far, what payment service providers (PSPs) need to know, and the effect of open APIs in banking nearly two years on.
What is PSD2?
In 2015, the European Union introduced PSD2 to reduce the existing monopoly on customer account information and payment services, while improving and setting a standard for customer security procedures. Payment processors must implement two major changes to comply with PSD2:
- Banks must give third-party providers (TPPs), such as aggregators and brokers, access to customer accounts via open APIs.
- Payment service providers must integrate strong customer authentication (SCA) to reduce the number of cyber-attacks, including credential stuffing, card cracking and account takeover.
What is Open Banking?
In January 2018, the UK introduced the Open Banking legislation, set up by the Competition and Markets Authority on behalf of the UK Government. Every PSP that uses Open Banking to offer products and services must be regulated by the FCA or the EU equivalent.
There is currently very little to differentiate Open Banking from PSD2. However, where PSD2 requires banks to make their data available to third-party providers (TPPs), Open Banking additionally states that the data must be made available in a standardized format.
The PSD2 and Open Banking SCA compliance timeline
Although the UK is no longer part of the EU – as of 31st January 2020 – the legislation is still effective in the UK, as it relates to the European Economic Area (EEA), not just the EU. That means that since PSD2 came into force in 2018, all PSPs throughout the EU and UK alike have been required to comply with the Directive by its initial compliance deadline of 14th September 2019.
The key word here is initial. The compliance deadline has been extended twice to accommodate the Financial Conduct Authority's concerns about readiness for SCA in eCommerce. The most recent extension pushes back SCA enforcement in the UK from March 2021 to 14th September 2021 – two years on from the first deadline.
Why has the deadline been extended?
Covid-19 has had a significant impact on all industries, not least retail and financial services. The extension has been provided by the FCA to ensure SCA could be implemented with minimal disruption to consumers and merchants.
What do PSPs need to do to comply before the SCA enforcement deadline?
To accept payments in compliance with PSD2, a service provider must meet SCA requirements by building additional authentication into the checkout flow. SCA authentication must include two of the following elements:
- Something the customer knows: a PIN or password
- Something the customer has: a phone
- Something the customer is: a fingerprint or facial recognition
If payments fail to meet these criteria following the compliance deadline, banks will need to decline the payment.
How is the finance industry benefiting from open APIs?
But that’s not to say the changes introduced by PSD2 and Open Banking haven’t been successful. The introduction of open APIs has enabled a range of new FinTech products that make it easier for consumers and businesses to manage their finances.
A recent report from the UK’s Open Banking standard revealed that:
- 300 FinTechs and innovative partners have joined the Open Banking ecosystem
- 2.5 million UK consumers and businesses are actively using Open Banking-enabled products to manage their finances, access credit and make payments
- Hundreds of thousands of UK consumers and businesses become new Open Banking users every month
- API call volume has increased from 66.8 million in 2018 to nearly six billion in 2020
Open APIs have effectively given businesses the key to the financial market without the burden of stringent compliance and infrastructure. New entrants can instead focus on providing one service while connecting to other service providers via APIs. This creates a new marketplace of specialists and greater competition that ultimately leads to better services for customers.
How secure are APIs?
APIs are an increasingly attractive target for cyber-attacks, and yet not deemed as vulnerable as websites and mobile apps by most businesses. In fact, in Netacea’s Bot Management Review 2020, we discovered that just 4% of financial services enterprise organizations believed their API was likely to suffer a bot attack.
Establishing a resilient API environment is vital to maintaining a truly secure and high-functioning open banking ecosystem in which both interconnected parties are protected. If left unchecked, bots can be used to take over accounts, scrape data and prevent the API from servicing users.
At Netacea we take a revolutionary approach to bot management, applying a single solution with innovative coverage across all API points of vulnerability – web browser, mobile app and API server – without the need for multiple products or complex mobile SDKs.
To find out more about open API security, read our two-part open API blog series in which we provide greater context to the challenge.