CarderPlanet
Darina Sidorenko, coordinator of the IT and cybersecurity group of Sayenko Kharenko, and Alexandra Maksimenko, junior lawyer of Sayenko Kharenko, wrote a column for AIN.UA on the topic of the PSD2 directive: what it is and what it will change.
In the summer of 2019, the NBU set a course for the implementation of the EU Directive PSD2, which will soon open access for fintech companies and startups to the most valuable resource - the data of bank users.
What is PSD2? Below we explain how exactly its implementation will change the development of fintech companies, and what nuances development companies need to take into account.
What is PSD2?
PSD2 is the Directive that governs payment services in the EU and replaces the 2007 PSD Directive. The document was adopted back in 2015 due to the high pace of digitalization in the banking sector, as well as the need to provide users with better and more modern services, including through mobile applications.
The main goal of PSD2 is to create open banking, where third parties ("Third Party Providers", or abbreviated "TPP") can access financial information about a bank customer with his direct permission and through a system of enhanced authentication. According to PSD2, such consent can be given both for individual transactions and for TPP's full access to customer information that is stored in the bank. In this case, it is necessary that the client is properly aware of the extent of his consent, and it must be explicitly expressed.
In Europe, PSD2 began operating in January 2018, but the main implementation date was September 14, 2019, when the technical standards for user protection came into effect.
Participants in the payment services market have been preparing for this date for a long time, as technical standards introduced rules for enhanced customer authentication and requirements for platforms for open access to banking information. The norms stipulate that, with the exception of a number of minor operations, strong user authentication must be performed. This happens when two or more of the following elements are used:
Also, by September 14, 2019, banks had to ensure interaction with TPPs in such a way as to protect information about their customers. Although PSD2 does not explicitly provide mechanisms for such interaction, the technical standards recommend that banks create special interfaces: open APIs that collect information received from customer accounts and transmit it to a TPP with the customer's consent.
PSD2 has also introduced two new players: providers of financial information services (AISP) and of payment initiation services (PISP).
The function of a PISP is that this new market entrant gains access to the user's account and initiates an online payment, instead of the customer using a card or online banking. An AISP accesses, on behalf of a client, information that is stored at a financial institution through an open API. Some AISP analogs already existed before PSD2 entered into force. These are applications such as Personal Capital that collected information from user accounts. They were engaged in "screen scraping", which did not make it possible to obtain all the necessary data and did not sufficiently protect users, since the applications received passwords and other confidential information. Another problem was the need to conclude separate agreements with each bank, which was time consuming and costly.
How will the market change with the implementation of PSD2?
On July 10, 2019, the NBU announced the start of work on conceptual changes in legislation in the field of payment systems and money transfer with the involvement of external consultants and with the support of foreign donors.
In its press release, the regulator announced that it plans to introduce a number of new payment services (financial and non-financial); change the subjects of the payment services market; launch open banking; create new rules for licensing and registration of non-banking institutions that will provide payment services; strengthen the protection of payment services; increase the protection of users' rights; and improve the system of regulation in the sphere.
As a result of these changes, banks will no longer have a monopoly on the ownership of financial information about their clients. Banks will now compete with new players - TPP, which will be able to provide users with new convenient solutions for managing their finances. With the implementation of PSD2 in Ukraine, TPPs will act as non-financial institutions in the banking market.
According to the Concept of reforming the payment legislation, the launch of open banking and, along with it, increased security of payments can be expected in 2022, and changes to the legislation will begin to be introduced as early as 2020.
As in Europe, the problem is that financial openness raises concerns on the part of financial institutions and users, and enhanced authentication and the development of a secure open API require a lot of effort from banks and investment in infrastructure.
Nevertheless, following the example of the development of the payment services market in Europe after the adoption of PSD2, it can be argued that several players at once will be able to benefit from such innovations:
As a result, the implementation of PSD2 will become a new era for fintech, which can improve user friendliness and launch new innovative products. Companies will now be able to build their applications using payment initiation capabilities and customer account information that were previously only available to banks.
There are already a number of applications in the world that take advantage of such opportunities. We analyzed some of them and compiled a list of the most successful products for developers that can be launched after the implementation of PSD2:
- One interface for all accounts. New applications will be able to collect information from all user accounts in one place and provide a consolidated report. Mint and Yolt are examples of applications that already provide this opportunity to users abroad.
- Financial analysis. With access to more information, developers will be able to better analyze the creditworthiness of customers, which is beneficial for banks, and provide advice on loans to users themselves. Such solutions will speed up the process of analyzing information and can provide a more complete picture. Services such as Credit Kudos are already operating in this area.
- Financial management. New services will help make the process of transferring funds easier. Applications have already appeared that transfer a certain amount of money to a savings account according to an individual mechanism that is set by the user himself. An example of such an application is Moneybox. The Plum app goes further and can use the money from the account to save money for further investment.
- Help in making financial decisions. Apps will be able to collect information on purchases made, including subscriptions and utility bills, and provide new offers to save money or change plans, as Bean is currently doing.
Protecting users' personal data, or how PSD2 will work while complying with the requirements of the GDPR
What needs to be done to protect the company from potential risks?
Despite their different purposes, both PSD2 and the GDPR depend on consent to data processing, which will need to be obtained from users in compliance with a number of requirements. Like the GDPR, PSD2 states that “explicit consent” is required to provide services to consumers, but the concept is undefined and there is no suggestion that it has the same meaning as in the GDPR. Lack of clarity about consent is a problem for the parties and can cause a number of problems that may ultimately lead to a fine.
It is also worth noting that the GDPR gives users a new right, namely the right to data portability, which allows them to transfer the data they have provided to their bank to an AISP or PISP in a structured, widely used and machine-readable format. In other words, the application's algorithms should make it easy to obtain all of a user's personal data in a format that would allow another fintech company to import it into its own system without losing data. It sounds a little complicated, but this is the reality.
APIs can standardize communication between incumbent banks and AISP or PISP, but their success across Europe will depend on agreement on the use of these standards.
Conclusions:
According to audit research, the volume of investments in fintech companies worldwide in 2018 reached $57.9 billion, and this was also facilitated by the European PSD2. Therefore, while the NBU is developing amendments to legislation in connection with the implementation of PSD2, it is high time for startups to start thinking about new developments for users of banking services. The changes in the legislation described in the article will open up the opportunity for new ideas, greater competition and attraction of investments in fintech in Ukraine.
Authors: Darina Sidorenko and Alexandra Maksimenko, Sayenko Kharenko.