Shaping the future of finance – Part I: Open Banking and PSD2

an explanation for non-technical mortals

David Kovacs

CTO

Financial Services Technology
06 August, 2019

This is the moment to take time and understand

It’s paramount for decision-makers to understand how the technologies that shape the financial services industry really work. Technology and business have become completely intertwined, and that is how things will stay. Of course, technology has been widely used in financial services for decades, but its importance was nothing like what it has become over the last ten years.

Not long ago, you sent messages to the engine room and hoped that the IT guys would figure out what to do. More specifically, you sent “business specs” or “demand requirement documents” and hoped that you’d get software that resembled something you’d imagined. Once you finished contributing to the spec you could return to your real job, the one not revolving around computers but around finances and banking. But as consumers started to pass the barrier between physical and digital space, the importance of IT solutions skyrocketed.


You probably started to spend more and more time at meetings making decisions about technologies, infrastructure and other seemingly exotic topics.

There is no engine room anymore: now your whole company is the engine room!

Just as technology permeated your private life (think of the last time you took a walk without your smartphone) the same has happened to your workplace. This marriage of tech and business won’t dissolve; the union will just grow stronger and stronger.

To accommodate this new reality, business decision-makers have to develop a deeper understanding of the IT world. Only this can lead to fruitful conversations with engineers about the future of your company, and to decisions that are rooted in an understanding of each other’s domains.

The future-shaping power of new technologies

In this series of articles, we focus on four key technologies that are changing the face of the financial industry today. In the upcoming weeks, we are going to devote a separate blog post to each of the following topics that we consider the most influential technologies today in financial services.

1. The tech behind Open Banking and PSD2
2. Microservices and Containerization
3. Big Data
4. Artificial Intelligence and Machine Learning

There is no denying that the future in financial services will belong to those who understand the tech behind it. This guide will help you to make sure you have a crystal clear picture. To start with, let’s jump into the tech behind Open Banking and PSD2.

1. The tech behind Open Banking and PSD2

Meet your customer Joe Smith. Joe has a savings account here. And a Forex account at another bank. And a money market account way over there. And for that far off rainy day, he has a brokerage account far off in the other direction. (He’s never mentioned that one to his wife.) Just imagine Joe’s grief when he has to figure out how much money he has. Or which account to access to buy that scooter he’s been eyeing, especially when he really wants to buy it just before rent is due. Luckily for Joe, the EU’s PSD2 Directive is going to make his life a whole lot easier.

PSD2 and Open Banking open the doors to a wide variety of new services to be built on top of existing, robust banking infrastructure. The EU created the PSD2 directive to boost competition between financial service providers.

The EU also aims to open up possibilities for newcomers to build banking services without the hassle of acquiring a banking license. While there is plenty of discussion of the ensuing opportunities, let’s focus on the technology that’s behind this revolutionary movement.

PSD2 Service Providers

Put simply, PSD2 basically does two things:

First, it forces banking institutions to create a secure way for 3rd parties to access account and transaction details. Second, it makes it possible for the 3rd parties to initiate payment transactions.

PSD2 hence makes possible two kinds of access, resulting in two new kinds of providers, namely:

1. Account Information Service Providers (AISP): These are authorised to retrieve account data provided by banks and financial institutions. This could benefit Account Aggregators or Personal Finance Managers. An Account Aggregator could access your balances from several accounts at several banks to tell you how much money you have in total and what you are spending it on (and here you were, thinking that you don’t overspend on street food!).

2. Payment Initiation Service Providers (PISP): These are authorised to initiate payments into or from a user’s account. A good potential service here would be a savings app, which could chip off a little from your main account every day and invest the money without you having to do a thing. And presto! You get notified that you now have the money for that scooter you put on your bucket list a year ago.

Figure 1: The Logic Behind PSD2 (AISP and PISP)

It is important to note that 3rd parties must go through a rigorous FCA (Financial Conduct Authority) authorisation process before getting permission to provide these types of services. They are required to have certain insurance and initial capital, and must comply with data security and privacy regulations. This will give Joe the assurance that his money will be as safe with the new provider as with his bank.

Ok, let’s say we want to create an app that aggregates account balances for customers who have multiple accounts in multiple banks. First of all, we need to get access to the data the customer has at the various banks he or she is using.

Banking APIs

For a start, we need to somehow connect to the bank and all the information stored there. To provide account information and payment initiation, banks have to create communication interfaces that allow third-party access to data and payments. For this reason, according to the PSD2 directive, banks have to provide open APIs (Application Programming Interfaces) that can be used to retrieve data.

What is an API? An API is a set of functions for a given service that is made public for outside access. For example, a user of the API can ask for the transaction history of a given user’s account, and the API returns a list of transactions for that account. Or the user can say that Joe wants to send 100 euro to Bill, and the API executes the payment.

Unfortunately the PSD2 regulation does not standardize APIs, meaning every bank can decide how it wants to implement its API independently.

This could mean that the ~5000 banks in the EU will use 5000 different APIs. For us to provide services for every customer and for every bank we would need to integrate all 5000 of them!

Figure 2: The flow of customer’s data with open APIs

Fortunately there is hope. There are some initiatives aiming to standardize APIs for banks:

This means that if a 3rd party can speak the language of NextGenPSD2 it could reach data and payments from all 40 banks that provide NextGenPSD2 standard APIs.

It is unlikely there will be one standard that will rise above the rest and be adopted by everyone. But there is a good chance that 4–5 standards will become popular and be adopted by most banks. So to tell your customer how much money she has over several bank accounts in several countries, you won’t need to learn 5000 languages. Four or five will do.
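To make the integration cost concrete, here is an added example (not from the original article) of the balance aggregator described above. The two bank response formats, their field names and the balances are invented for illustration and follow no real standard; the point is that every distinct format needs its own adapter, while one adapter serves every bank that shares a format.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample responses for one customer from two hypothetical banks.
# Bank A reports decimal strings; Bank B reports integers in minor units (cents).
BANK_A_RESPONSE = {"accounts": [
    {"id": "A-1", "balance": "1200.50", "currency": "EUR"},
    {"id": "A-2", "balance": "300.00", "currency": "EUR"},
]}
BANK_B_RESPONSE = {"data": [
    {"acct": "B-9", "amt_minor": 45075, "ccy": "EUR"},
    {"acct": "B-10", "amt_minor": 30000, "ccy": "GBP"},
]}


def parse_bank_a(resp):
    """Adapter for Bank A's format -> list of (account, amount, currency)."""
    return [(a["id"], Decimal(a["balance"]), a["currency"]) for a in resp["accounts"]]


def parse_bank_b(resp):
    """Adapter for Bank B's format; converts minor units to a decimal amount."""
    return [(a["acct"], Decimal(a["amt_minor"]) / 100, a["ccy"]) for a in resp["data"]]


# One entry per API format the aggregator has integrated.
ADAPTERS = {"bank_a": parse_bank_a, "bank_b": parse_bank_b}


def aggregate(responses):
    """Sum balances per currency across banks; never mix currencies or use floats."""
    totals = defaultdict(Decimal)
    for bank, resp in responses.items():
        adapter = ADAPTERS.get(bank)
        if adapter is None:
            # A bank whose API format was never integrated cannot be aggregated.
            raise KeyError(f"no adapter for {bank}")
        for _account, amount, currency in adapter(resp):
            totals[currency] += amount
    return dict(totals)


if __name__ == "__main__":
    print(aggregate({"bank_a": BANK_A_RESPONSE, "bank_b": BANK_B_RESPONSE}))
```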

Strong Customer Authentication

So your customer loves the comfort you promise: all their banking brought into one easy-to-use system. But what about the customer’s sense of security? Surely Joseph Smith does not want to accidentally pay for Giuseppe Fabbro’s weekend in Sardinia.

PSD2 regulates authentication procedures related to payments. This is called Strong Customer Authentication, or SCA. This means that in order to initiate a payment transaction the user needs to authenticate with at least 2 of 3 authentication factors:

  • Something the customer knows (e.g., password, PIN);
  • Something the customer has (e.g., mobile, hardware token);
  • Something the customer is (e.g., fingerprint or facial recognition).

This is meant to reduce fraud and make online payments even more secure than is currently the case. Joe Smith, rest assured, the only Sardinian holiday you’ll be paying for is your own.
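The two-of-three rule can be checked in a few lines. The following is an added example, not code from the original article or from any bank; the factor names come from the list above, while the function names and the sample payment are assumptions. It shows the case that is easy to miss: two factors from the same category, such as a password and a PIN, count only once.

```python
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Assumed factor names, taken from the examples in the list above.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "mobile": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "facial_recognition": Category.INHERENCE,
}


def covered_categories(verified_factors):
    """Map each successfully verified factor to its category; reject unknown ones."""
    unknown = [f for f in verified_factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in verified_factors}


def satisfies_sca(verified_factors):
    """True only when the factors span at least 2 of the 3 categories."""
    return len(covered_categories(verified_factors)) >= 2


def authorise_payment(payment, verified_factors):
    """Return (allowed, reason) for a payment initiation request."""
    cats = covered_categories(verified_factors)
    if len(cats) < 2:
        names = sorted(c.name for c in cats) or ["none"]
        return False, f"SCA not met: only {', '.join(names)} verified"
    return True, f"SCA met for {payment['amount']} {payment['currency']} to {payment['to']}"


# Constructed sample: Joe sends 100 euro to Bill.
PAYMENT = {"from": "Joe", "to": "Bill", "amount": "100", "currency": "EUR"}

if __name__ == "__main__":
    for factors in (["password", "pin"], ["password", "hardware_token"], ["fingerprint"]):
        print(factors, authorise_payment(PAYMENT, factors))
```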

Conclusion

With the rise of open APIs everyone will want to get their piece of the financial market pie. It will be easier than ever to create new and innovative fintech solutions; therefore we expect to see some new global contenders. To stay on top and keep their customers satisfied bankers will need to understand the ins and outs of APIs and the opportunities they create. The first step to compete with disruptors is to understand the tech behind the scenes.