The recently published Regulatory Technical Standards (RTS) related to the introduction of the Second Payment Services Directive (PSD2) announced the date by which banks must make their interface technical specifications available to Third Party Providers (TPPs) and provide free and public access via their websites to this documentation and the corresponding functional and connection testing environment. This deadline must be at least six months before the directive’s final implementation date, in other words on 13 March 2019.
According to the RTS (Regulation (EU) 2018/389 Recital 20), banks must provide an access interface enabling secure communication with TPPs, emphasising that they “should be free to decide whether to offer a dedicated interface [...] or allow, for that communication,” the use of the interface through which they identify and communicate with their own payment service users. Consequently, banks have two options to comply with PSD2 and the RTS:
1. To allow TPPs to access accounts through the current online banking interface, just as customers do now, which means continuing to use the less secure “screen scraping” access system.
2. Through a dedicated interface, designed specifically to allow TPPs to access users’ payment accounts.
According to a survey conducted among the European Banking Federation, the European Savings Banks Group and the European Association of Co-operative Banks, financial institutions would prefer the dedicated option because it is the more secure.
The dedicated interface must at a minimum support the following services: Payment Account Information, Payment Initiation and Balance Confirmation. In addition:
- It must guarantee availability and performance similar to the bank’s online banking interface. This requirement must be met by defining “transparent key performance indicators and service level targets for the availability and performance of dedicated interfaces that are at least as stringent as those for the interface used for their payment service users” (RTS Recital 23). These KPIs must be published quarterly.
- It must not block or obstruct the provision of payment initiation or account information services.
- All interface-related problems must be resolved within an appropriate time frame.
- To avoid any disruption to the provision of services by the TPPs, a fallback mechanism must be provided except “where their competent authorities establish that the dedicated interfaces comply with specific conditions that ensure unhampered competition” (RTS Recital 24). To avoid creating this alternative mechanism, the dedicated interface must have been tested for at least three months and used extensively by TPPs for a further three months with satisfactory results for the market.
While the European PSD2 directive and its technical standards (RTS) make no reference to the type of interface, the market prefers the API form “due to its combination of external stability and internal flexibility”.
Although there are some hot topics still under discussion, such as authentication methods, the scope of the data and user consent, there is no doubt that in the second half of 2018 or, at the latest, the first quarter of 2019, banks will begin to publish their PSD2 interfaces or, if they have already published them, adapt them to the RTS, to allow developers to test them. Several European standardisation initiatives (which will be discussed in a later post) can help in implementing the new directive when the focus is on ensuring compliance. Xeridia is also working to help financial institutions address the exciting challenges that these regulatory changes present.
Lucia Caballo is a Functional Analyst at Xeridia