Irrespective of Brexit the UK will be getting an interoperable and innovative implementation of PSD2
With the memory of summer fading fast it is worth taking stock of what has happened within UK open banking during that time. In the depths of the holidays we had the release of the CMA’s investigation into the retail banking market and the EBA’s RTS on secure authentication and communication, both of which were preceded by the Brexit vote. So with all these comings and goings what is the state of open banking within the UK today?
A misguided RTS?
When most of Europe was at the beach the EBA quietly released their much anticipated consultation on the RTS for strong customer authentication (SCA) and secure communication (SCC). This forms the backbone of PSD2 and sets out how the various parties will interact with each other. The EBA says it has tried to strike a balance between security and customer ease of use, yet on reading the RTS it is clear it has gone for more of the former at the expense of the latter, perhaps something to do with the make-up of the initial discussion group.
Taking a look at a few sample clauses, one can quickly see where the balance lies. Customers must be securely authenticated (two factors) for virtually all transactions (save for a few low-value exemptions), on a channel or device different from the one that initiated the payment, and authentication will be performed by the banks, except where a PISP has a prior agreement with that bank (outside of the scope of PSD2).
From a customer experience perspective this is suboptimal and arguably makes the remote payment process worse than it is today (Amazon 1-Click does not pass this test, for instance). From a merchant perspective, would the cost savings from offering PSD2 payments offset the potential disruption to customer conversion rates? For aspiring AISPs there is further frustration in the limits on calling customer sensitive data (2 calls per day), which for instance would mean that any account aggregation service could not be displayed in real time without a cumbersome SCA process being repeated for each login.
The EBA has also shied away from a governing entity specifying the messaging and interface standards that would promote interoperability across the industry, instead leaving it up to the banks themselves to define. This is in stark contrast to the CMA who have insisted on exactly the opposite, as we set out below.
One wonders what the EBA’s taskmasters, the ECB, think of the proposed RTS given that it arguably fails on promoting innovation, interoperability and security. Certainly their comments on the draft (deadline 12 October for those interested) will be interesting to read.
CMA to the rescue?
The Competition and Markets Authority’s (CMA) investigation into the retail banking market in the UK (also released in August) gives more certainty on the move to open banking than the EBA. It has come up with a list of remedies that will be passed onto the statute books early next year. These remedies are more prescriptive than PSD2.
For instance, it states that banks must adopt a common digital standard by 13th January 2018, in line with PSD2 timelines. Furthermore, this is to include the adoption of security and communication standards, some 9 months earlier at least than the equivalent PSD2 RTS. Unlike the EBA they haven’t shied away from stating which digital standard that will be (APIs) nor from appointing a governing body (an ‘Implementation Entity’) to define them. In their words, this governing body will “undertake the work necessary for the adoption of common and open data, API and security standards.” They have engaged with Payments UK to establish the governing entity, which is to include the participation of UK fintechs and challenger banks.
For the moment the CMA’s scope does not extend to card accounts – just bank accounts and lending accounts (SMEs only). For those accounts that do come under their remit they have stated that their remedies will not conflict with PSD2 and indeed will reinforce it.
With a little help from the OBWG
The CMA also point out that their remedies have been built upon the work done by the UK’s Open Banking Working Group (OBWG) in developing an Open Banking Standard for the UK and are keen to keep that connection going. In effect the output from the OBWG will heavily influence that of the CMA’s Implementation Entity. It should be noted, however, that the OBWG’s own timelines for developing an open banking standard initially had 2019 as the date for developing full read/write API specifications. It would appear that the CMA’s stated deadline of January 2018 will supersede that. Compliance and IT departments take note!
In summary, the future for Open Banking in the UK looks healthy. We will be getting a version of PSD2 that will be more interoperable and promote more innovation than other implementations across the EU. Those key deadlines ultimately remain January 2018, 16 months away, the mere blink of an eye for core banking systems development lifecycles.
We’ve compiled these various open banking timelines into one useful infographic which you can find here. Comments welcome.