Open banking and PSD2 explained
What is Open Banking?
Open Banking enables fintechs to use APIs to connect their services to financial data. Launched in 2018, it marked a shift from a closed data model to an open one - in which data can be shared between different members of the banking ecosystem, with authorisation from the customer.
In a sense, Open Banking has forced banks to give customers increased ownership of their own financial data by allowing them to connect their data to other regulated providers - for example, a third party money management app which can display their transaction information and balances in one place. It has also opened up many opportunities for fintech innovation.
While these opportunities are exciting for banks, consumers and for fintech innovators alike, Open Banking has posed a number of security risks which PSD2 aims to reduce.
What is PSD2?
PSD2 (Payment Services Directive Two) is EU legislation designed to make open banking possible and secure, by:
- Enforcing higher standards of security around online transactions through multi-factor authentication (MFA).
- Requiring banks and other financial institutions to enable account holders to grant third-party applications permission to access their account and payment data.
When did PSD2 come into force?
PSD2 came into force in January 2016, with a deadline to apply it to national law by January 2018. An extension has been granted to e-commerce businesses with regard to the strong customer authentication (SCA) aspect of the legislation, until 14 September 2021. In the UK, PSD2 is regulated by the FCA.
Who does PSD2 affect?
Banks
PSD2 is mandatory for all payment service providers (PSP) in Europe. It requires banks and all payment providers to open up their data to third party providers, if consent is given by an account holder. It also requires banks to use strong customer authentication (SCA) to further enhance the security of payments and limit fraud.
Third-party providers
Two types of third-party provider are identified by PSD2:
- AISPs (Account Information Service Providers), which refers to any business that uses a customer's account information to aggregate their financial information in one place, to help them track their spending or plan their finances. Examples of AISPs include Yolt and Money Dashboard.
- PISPs (Payment Initiation Service Providers), which refers to any company that initiates online payments on behalf of the user, offering an alternative to the use of a card or online banking. Examples of PISPs include BankiFi, Sprive and Bud Financial.
Consumers
The safety standards required by PSD2 make the connection of financial data with third-party providers safer for consumers. They also make it possible for consumers to gain access to tools that can help them control their finances (for example, money tracking apps).
Is Open Banking working?
The success of Open Banking has always depended on the big financial services providers, who ultimately hold the data. It depended on them making it possible for third-party providers to access their Application Programming Interfaces (APIs), as well as helping to promote the new options and benefits to consumers. Has this happened?
Despite sluggish beginnings, marked by a lack of consumer awareness and legacy banks that were relatively slow to get things up and running, it would seem so. With the decline of bricks and mortar legacy banks and the rise of challenger banks such as Monzo and Revolut (the first to leverage Open Banking, and natural integrators with fintechs), Open Banking has been a catalyst for the growth of fintech in Europe.
What about security concerns?
Some of the biggest concerns about Open Banking - for all parties involved - have been security related. Would it make banking data vulnerable to attack? Could consumers trust new fintech providers?
So far, we haven’t seen any PSD2-related cyber incidents to date, although the Financial Conduct Authority is investigating opaque marketing and use of data by some digital providers, particularly in light of GDPR which came into force this year.
Open Banking has decreased the risk to customer data by reducing the prevalence of screen scraping, the original route taken by many fintech providers to access users' account information, which required customers to hand over their online banking credentials to the provider. In addition, under PSD2, AISPs and PISPs must be registered, licensed, insured and regulated.
The onus is on third-party providers (TPPs) to safeguard their own infrastructure against cyber-attacks, whereas for banks the concern is mitigating fraud risk, as they are the first party liable for unauthorised financial transactions from a user’s bank account. As a result, banks should be investing in an extensive armoury of analytical tools to validate legitimate users and detect attacks.
Security has also been bolstered from an insurance perspective, as the PSD2 legislation requires that PISPs and AISPs have a specific type and level of technology-based professional indemnity and cyber insurance. One of the reasons this is so important for fintechs is that if a third party provider is compromised, it has an obligation to rectify the situation and refund any money to the customer, via their bank, within 72 hours. PSD2 insurance can be arranged to cover this.
As a fintech specialist, Superscript has worked with one of the leading providers in the market to build a specialist PSD2 policy for businesses in the fintech space. To discuss your specific needs, calculate the level of cover you require, and get your business protected, book a call with our team.