As the deadline for PSD2 looms and financial services frantically try to get systems ready, application programming interface (API) standardisation would ease challenges, according to a panel at the Global RegTech Summit 2019.
On September 14, PSD2 will come into full effect and banks will be required to open their APIs and systems to third-party players (TPPs). From this, if a customer gives consent a TPP will be able to access the customer’s data and transaction information to provide new services such as personal finance advice or account aggregation.
Back in March 2019, financial institutions were required to make their systems live for external testing to ease integrations with APIs. Market readiness for PSD2 has been relatively positive, however, there are still concerns. A recent analysis from open banking service developer Tink even claimed that none of the tested APIs in the market meet the quality requirements of PSD2. If this is correct, then September 14 might not be a smooth transition and could leave a lot of companies missing the compliance deadline.
Sitting at the Global RegTech Summit 2019, the panel discussed the final push for PSD2 and meeting compliance before deadline day. The panel consisted of Nilixa Devlukia, the head of regulatory at Open Banking Implementation Entity (OBIE), DueDil co-founder and CEO Justin Fitzpatrick, Tobias Thygesen director of FinTech, payment services and governance division at Finanstilsynet, and HSBC UK and Europe Open Banking and PSD2 Programme Manager Andy Millar.
When concerns come to fruition around meeting the deadline, it begs the question of whether the players in the market took the regulation seriously or just put it on the backburners. Getting in the mindset of, ‘we’ll figure it out closer to the day.’ Tobias Thygesen, a director at the Danish financial regulator Finanstilsynet, stated that back in 2012 when work began on the regulation, banks were hesitant and asking why they should share their data. However, he now believes that they are all signed on to the cause.
So where are the problems? The general consensus of the panel was the issues lie with APIs, not the market eagerness. The regulators are fully aware of the market’s struggle and across Europe, they are offering as much support as they can. Finanstilsynet has offered support and dialogue explaining the regulation and necessary changes. In the UK, the Financial Conduct Authority has actively been engaging with the players in the market and helping the ecosystem get off the ground.
HSBC UK and Europe Open Banking and PSD2 programme manager Andy Millar said, “Time is the biggest one [challenge]. Anyone that doesn’t say that I think is deluding themselves. Just the complexity of delivering API’s across different business lines, different countries, different jurisdictions using different standards, which are the really key things for us. So, I don’t know how much people are aware, but in the UK you have something called the OBIE standard for APIs, in France you have Stet, and there’s a pan-European standard called Berlin Group. Sometimes you have the same country where multiple banks are using different standards, which doesn’t help the TPP and doesn’t help banks when they implement their process. It probably does not help the regulator either, but that is the situation we’re in.”
Having multiple different APIs is just hindering the costs, time and resources of both banks and third parties. The ones impacted the most would be the smaller companies which cannot afford to get their systems useable by multiple different API standards. In the UK at least, things are a little easier. While there is not a standardised API, the UK Competition and Market Authority ordered the nine largest banks in the country to adopt common API standards for sharing data and interacting with third parties. This might not be a standard all banks, but it’s a start in the right direction.
DueDil co-founder and CEO Justin Fitzpatrick said, “I think, as we go forward, if we want the ecosystem to mature to its potential, we really need to be looking at how we bring those standards in line with one another and apply the regulation in a consistent way so that all the participants in the ecosystem kind of know what to expect.”
There have been some discussions at EU level regarding a single SEPA API standard, but nothing concrete yet. Driving a single standard across one country would be tough but doing it for the whole of Europe would be a significant feat. How would the industry decide what one the standardised API should be adopted?
Tobias Thygesen said, “I think a common standard would really make sense, but I think a lot of people look to us as the regulators to sort of point the way. And that’s not a role that sits very well with us. I mean we normally leave it to the market to sort out, which solutions do you want to go with. And then the FCA has perhaps over here in the UK has perhaps a slightly more activist role, but we sort of stick to the rules and then we let the market sort it out. So, it’s actually quite a bit difficult for us to be in the middle of this discussion about which standard to adopt.”
Regulators across the region are already offering a lot of support to the market in terms of preparing for the change. The role of regulators is that precisely. It’s to ensure new regulations come in, firms understand it and then monitor that it is adhered to. Its role is not necessarily to promote certain solutions, unless it is something that comes under the regulation. However, in terms of a standardised API, DueDil’s Fitzpatrick believed the regulators do need to stay on top of things and get involved.
The reasoning for this is because if regulators do not and just let the market handle it, there can be bad consequences. Speaking of a different example, he explained how there is a move towards unique identifiers for businesses and the standard people are moving towards are legal entity identifiers (LEI’s). This has happened due to decades of a single provider monopolising a standard around identifiers for businesses.
He added, “If you just sort of let the market sort it out, well the market will eventually sort it out, but you’re probably going to create a monopoly in the process for something that ultimately should be a utility. And so, for something like a standard around APIs, we know the benefits of standardization of other parts of our lives. I don’t see why this is an area that we can’t create a standard around as well.”
In response, Thygesen pointed out that the EBA only published the guidelines for PSD2 around Christmas last year, and they needed to be implemented by June. This hardly gave banks enough time or of players in the market to work together and iron out some standardisation for APIs. It was rather a case of just cracking on and developing.
Millar said, “I think this is where the EBA maybe didn’t quite think far enough ahead many years ago, and maybe they didn’t realize how different the innovations would be across countries because I think where we’re going to end up on the 14th September is TPP’s will struggle to operate across countries in Europe, because of the different interpretations. Even on the same standard, the different interpretations are quite stark, and I think it will take, it will get sorted out. It will take years and the software will be the customer.”
Copyright © 2018 RegTech Analyst