Central Banking

Tensions rise as EU payments deadline nears

Europe’s revised payment services directive is meant to boost innovation, competition and security, but many are concerned it has serious flaws
Europe's revised payment services directive is set to become law in January 2018

With less than six months to go until Europe’s revised Payment Services Directive (PSD2) is due to become law, tensions are rising over potential flaws and many details are yet to be finalised.

The directive is meant to open up payments in Europe to more competition and innovation by forcing banks to hand over customer data to third parties where authorised to do so. It also aims to tighten standards for cyber security, which will be critical with so much sensitive data changing hands.

Under PSD2, third-party payment providers (TPPs) will be able to use an application programming interface (API), a defined software interface through which a program can request data directly from the bank's own systems, to collect customer details, if the customer gives permission. This opens up two services in particular, payment initiation and aggregated account information, both of which can draw on accounts held at multiple banks or other financial firms.

The idea is simple enough in principle, but has raised widespread concerns. Banks are understandably less than eager to hand over their data, but TPPs are also worried they will have to use an API provided by a bank, which may not be fit for purpose. At the same time, the proliferation of different approaches, often handled by very small, start-up companies, could leave consumers highly vulnerable to cyber attack.

To make matters worse, the deadline for implementation is January 2018 but aspects of the Europe-wide regulatory approach, in development at the European Banking Authority (EBA), will not be binding until at least 2019. The EBA released an opinion in late June, criticising some amendments proposed by the European Commission (EC), highlighting the many details that are still proving controversial.

As a recent report by BNP Paribas and Capgemini finds, banks are reluctant to fully implement the rules with so many questions unanswered.

Security vs innovation

A key tension is between the desire of small players to take payments in new directions and the need for financial firms to maintain high standards of security. Regulating a plethora of small firms will be a challenge, though PSD2 does include guidelines for the standards firms must meet before they can be authorised.

Andrew Whaley, vice-president for engineering at Arxan Technologies, a cyber security firm, warns there is a mismatch between the degree of cyber preparation by banks and TPPs. Whaley used to be part of the cyber security team at Barclays and notes that while banks devote significant resources to their defences, TPPs tend to have smaller teams and tighter budgets.

It will also take time for them to fully adapt, he says: “We are probably going to see a lot of compromises before fintech firms get to an equivalent level to banks… Inevitably it is going to take time for some of the smaller players to catch up.”

Managing access to data is also likely to be a challenge, he says. Bank apps will log their user out and remove all data from the local device after a certain period, but it is conceivable that others – for instance a Facebook payments app – might hold on to data for longer, creating vulnerabilities. It is not clear how easy it will be for consumers to revoke permissions to access data once it is given.
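The access-control problem Whaley describes, a grant that must expire and that the customer must be able to revoke, is easiest to see in code. The following is an added example written for this article, not code from Arxan, any bank or any TPP. It assumes a bank-side consent registry consulted on every API call, with scope names modelled on the two PSD2 services named above; consent identifiers, TPP names and lifetimes are constructed sample values. It governs access to the bank's API only: data a TPP has already copied to a device is outside its reach, which is exactly the gap Whaley points to.

```python
from __future__ import annotations

import time
from dataclasses import dataclass

# Scopes modelled on the two PSD2 services discussed in the article.
SCOPE_AIS = "account-information"   # aggregated account information
SCOPE_PIS = "payment-initiation"    # payment initiation


@dataclass
class Consent:
    consent_id: str
    customer: str
    tpp: str
    scopes: frozenset       # which services the customer agreed to
    expires_at: float       # Unix time; the grant is dead after this
    revoked: bool = False


class ConsentRegistry:
    """Bank-side record of which TPP may do what on whose behalf.

    Every API request is checked here, so a customer's revocation takes
    effect on the TPP's next call rather than whenever the TPP decides
    to discard the data it holds.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._consents = {}          # consent_id -> Consent

    def grant(self, consent_id, customer, tpp, scopes, ttl_seconds):
        """Record a time-limited consent. Returns the Consent created."""
        if ttl_seconds <= 0:
            raise ValueError("consent must have a positive lifetime")
        consent = Consent(consent_id, customer, tpp, frozenset(scopes),
                          self._clock() + ttl_seconds)
        self._consents[consent_id] = consent
        return consent

    def revoke(self, consent_id):
        """Customer withdraws permission; the record is kept for audit."""
        consent = self._consents.get(consent_id)
        if consent is None:
            return False
        consent.revoked = True
        return True

    def authorise(self, consent_id, tpp, scope):
        """Decide one API request. Returns (allowed, reason).

        Checks are ordered so the cheapest, most common failures come
        first and so a TPP cannot use another TPP's consent identifier.
        """
        consent = self._consents.get(consent_id)
        if consent is None:
            return False, "unknown consent"
        if consent.tpp != tpp:
            return False, "consent belongs to a different TPP"
        if consent.revoked:
            return False, "revoked by customer"
        if self._clock() >= consent.expires_at:
            return False, "expired"
        if scope not in consent.scopes:
            return False, "scope not granted"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: an AIS-only consent, then revocation.
    registry = ConsentRegistry()
    registry.grant("c-001", "customer-42", "tpp-aggregator",
                   {SCOPE_AIS}, ttl_seconds=90 * 24 * 3600)
    print(registry.authorise("c-001", "tpp-aggregator", SCOPE_AIS))
    print(registry.authorise("c-001", "tpp-aggregator", SCOPE_PIS))
    registry.revoke("c-001")
    print(registry.authorise("c-001", "tpp-aggregator", SCOPE_AIS))
```

The injectable clock is there so that expiry can be exercised without waiting; in production the bank would also log every denial, since a burst of "revoked" or "expired" failures from one TPP is itself a signal worth watching.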

Another headache for banks is the possibility that they will retain fraud liability related to their data, even when it is being handled by third parties – currently a grey area in the directive’s wording. “I think it is going to be a testing time for banks,” Whaley says.

Backup options

Many TPPs were up in arms after the EBA proposed dropping the use of existing data collection methods, notably screen scraping, as a backup option. Firms have invested heavily in these methods, which extract account data by parsing the HTML of the bank's own online banking pages rather than calling a dedicated interface, and are anxious that bank-provided APIs may be a poor substitute.

Ralf Ohlhausen, business development director at PPRO Group, says TPPs are seeing their business models “undermined” by the EBA’s opposition to screen scraping. He believes that, without the possibility of a backup option, there is little incentive for banks to provide a high-quality API and TPPs will be totally dependent on the APIs working reliably.

“There is no way a TPP can survive without access to the data for I don’t know, hours, minutes…” he says. Customers making an instant payment via a TPP app expect the payment to go through in seconds. Any signs of trouble and they are likely to revert to their standard bank app.

Ohlhausen argues TPPs operate a business model that is robust to cyber attacks. They only use customers’ details “for milliseconds” in authenticating payments, after which they are no longer stored in the memory, he says. So even if cyber criminals break into the system, they will not be able to steal anything of use, such as passwords or other login information.
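Holding a credential only for the instant it is needed, as Ohlhausen describes, corresponds in code to keeping the secret in a mutable buffer and overwriting it the moment the authentication step returns. The following is an added example written for this article, not PPRO's code. The HMAC challenge-response is an assumed stand-in for whatever exchange a real TPP performs, and the credential and challenge are constructed sample values. The caveat a practitioner should keep in mind is in the docstring: the interpreter may make copies the wipe cannot reach.

```python
import hashlib
import hmac


def wipe(buf: bytearray) -> None:
    """Overwrite a secret in place.

    Only a mutable buffer can be wiped; a str or bytes credential is
    immutable and the old value stays wherever the interpreter put it
    until it is garbage collected and the memory reused.
    """
    buf[:] = bytes(len(buf))


def authenticate_and_wipe(credential: bytearray, challenge: bytes) -> str:
    """Use the credential once to answer a challenge, then destroy it.

    The wipe sits in ``finally`` so the secret is cleared even if the
    authentication call raises. Caveat: CPython's hmac implementation
    copies the key into its own internal state, so an in-place wipe
    bounds the exposure; it does not guarantee no copy exists.
    """
    try:
        return hmac.new(credential, challenge, hashlib.sha256).hexdigest()
    finally:
        wipe(credential)


def is_wiped(buf: bytearray) -> bool:
    """True if a non-empty buffer has been reduced to all zero bytes."""
    return len(buf) > 0 and all(b == 0 for b in buf)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cred = bytearray(b"customer-banking-password")
    challenge = b"pay:EUR:12.50:to:acct-123:nonce:1"
    tag = authenticate_and_wipe(cred, challenge)
    print("response tag:", tag)
    print("credential wiped:", is_wiped(cred))
```

The point of the `finally` is that an exception in the authentication path is exactly the case a cyber criminal with a foothold in the process would try to provoke; the secret must not survive it.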

Final preparations

The final decision on regulations falls to the European Commission, but the EBA highlights various concerns with screen scraping as a backup option in its opinion, including cost, the risk of fragmented interfaces, competitive disadvantages for firms wishing to enter the market and a lack of clarity for consumers as to how their information is accessed.

“With this opinion, the EBA’s work on this particular RTS [regulatory technical standard] is completed, and it is now for the EU Commission, Parliament and Council to adopt the RTS as EU law,” a spokesperson tells Central Banking.

On the question of cyber security, the spokesperson points to a handful of EBA guideline documents that will support regulators in assessing risks. Guidelines on the minimum standards for authorisation have been finalised, while guidelines on operational and security risks and major incident reporting are under consultation and due to apply from the January go-live date.

“The national competent authorities in EU member states will implement these guidelines and supervise in their respective jurisdictions the compliance by individual firms,” the spokesperson says.

Aspects related to APIs will be finalised when the EC approves final legislation, potentially later this year. After that point, firms and regulators will have 18 months to comply with the provisions.

There is clearly a lot of work to do, but the BNP Paribas-Capgemini report is optimistic, suggesting once PSD2 is implemented it could become a model that others emulate. “This could have a ripple effect across the globe,” it says.
