The PSD2 has been in effect since mid-January 2018. How did the German banks react to it in the run-up? Were there any concerns?
There really were concerns at first. During the lawmaking procedure around five years ago, all the stops were pulled out to point out the crucial points. These particularly involved the security and data protection considerations if third party providers were to be given the possibility to access the banks’ infrastructure. However, these concerns were posed from an obstructionist mentality, as if the banks sought to prevent competition. Very late in the legislation process, the consumer protection agencies also latched onto this issue and supported our arguments. It was indeed a rare thing to see the consumer protectors and banks actually close ranks together.
At that time, the German Banking Industry Committee demanded that third party providers should not have access to the payer’s personalized security features (e.g. online PIN/TAN) for security reasons and in regard to compliance with banking secrecy requirements.
That, of course, was an issue that really concerned us. We can meanwhile say that the PSD2 establishes clear rules here. The customer can make his access data, such as PIN and TAN, available to third party providers if they are necessary for conducting payment initiating and account information services. Third party providers are legally recognized with the PSD2 and must fulfill certain conditions (license, registration). This means that they are subject to supervision by the banking authorities. Access to the data range is also regulated. These are all measures for strengthening security as well as banking secrecy.
Let’s talk again about the moment in which the attitude turned positive. How exactly did that happen?
When it became clear that the PSD2 was definitely going to happen, a change of thinking occurred one and a half to two years ago. The focus was no longer only on the risks, but also on the opportunities it represented; and not only in Germany, but throughout Europe. The first considerations that arose included: Am I really just an operator of infrastructure? Am I really just an account-keeping service provider that makes payment accounts available for others free of charge, or can I slip into the role of a third party provider myself? Can I not offer these services myself? By placing themselves in the role of the market counterpart, they saw that their customers can also profit from these services if the bank offers them.
Major segments of the Swiss financial center are of the opinion that regulatory compulsion is an unnecessary intervention in a functioning market. Furthermore, the Swiss banks have already invested in fintech solutions and are working closely with start-ups. What do you think of this skepticism?
That is entirely understandable. Such skepticism also existed in Germany at the beginning. The advantage of the PSD2 is that legal certainty has been created with these European guidelines.
By the way, cooperation between fintechs and banks is also increasing in Germany, just like in the Swiss market. The Association of German Banks also offers something quite special: Fintechs have been able to become associate members for some time now. This is a completely new situation and probably also unique in Europe. The exchange in joint task groups and project committees has proven to be very fruitful. It really is the case that they have a completely different perception of certain things.
In Switzerland, it is being said that the introduction of PSD2 will result in high costs for the banks. By implication, this view suggests that the costs for the migration to PSD2 were not high in Germany. What is your estimation?
Since the PSD2 is European legislation intended to bolster competition throughout Europe, the focus was not all that powerfully placed on the market in Germany. Nevertheless, the costs and work involved are not to be played down. They really are enormous. Especially in regard to 13 January 2018, when the PSD2 was to come into force. The banks’ business terms and conditions and the complete terms and conditions for payments had to be modified. This caused high costs, in view of the fact that customers also have to be informed about it. And for users, this often takes place via the postal service today. The second major cost driver is the PSD2 interface, through which the banks must make their infrastructure available to third party providers free of charge.
In your opinion, how great is the danger that the banking sector will lose market share or that the PSD2 will lead to competition distortion to the detriment of the banks? Or conversely, that the banks will cut the legs out from under potential third party providers from the outset by themselves offering new account information services?
A great deal of trust is placed in the banking sector. That is one of the crucial competitive advantages they have over other market players. Moreover, we see a trend towards increasing numbers of cooperations between banks and start-ups in this area, which promises a win-win situation. On the other hand, it also makes sense that banks, which now must provide access to their infrastructure free of charge, seek opportunities that come with the new business models emerging with the PSD2. Just what the competition with payment initiator and account information services will be like is anyone’s guess at this point.
Each person now has, on average, 1.8 bank accounts, some even three or four. The PSD2 should be especially advantageous for multi-banking customers, enabling them to manage their entire financial situation at a glance. According to a survey, 15% of Germans are apparently prepared to disclose their banking data to companies. Were there other surveys or clarifications regarding potential consumer needs conducted in the run-up to the implementation of the PSD2?
I am not aware of any such surveys. Having said that, when it comes to surveys, it really depends on which target group is addressed. Does it involve a younger generation, or an older one that may generally be skeptical about electronic services? From today's perspective, it is not possible to get a clear vision of which innovative products will someday exist. The general development, however, can be recognized: that data will truly be worked with, services offered by scanning account transactions and seeing, for example, that the electric bill is way too expensive and there are cheaper providers. It is entirely conceivable that a customer will say that there is a service they want to use, and so permit access to their data.
Speaking of consumer information. An EU directive stipulates that since 13 January 2018, a user-friendly electronic leaflet should be published on the websites of the EU Commission, those of the EBA and the authorities in charge "listing in a clear and easily comprehensible manner, the rights of consumers under this Directive and related Union law." Research on the Internet, however, shows that no German language datasheet exists. What is that about?
I’m afraid I also cannot answer that. We too are waiting for this datasheet and are looking forward to reading the specific contents.
While payment initiating services require authorization from the respective national supervisory authorities for their activities, account information service providers need only register, and are not required to obtain such permission. The EBA is considering requiring applicants to provide an extract from the criminal record registry. Neither the German Payment Services Oversight Act nor the consultation report from the government of Liechtenstein includes any mention of the changes to the payment services directive. How do you explain this discrepancy?
The fact is that these provisions from the European Banking Authority are formulated as guidelines upon which the national regulators are to orient themselves. Whether it is implemented one-to-one depends, among other things, on whether the special characteristics of the local market play a role; whether certain practices and eligibility criteria exist, for example, for payment institutions with which the highest requirements are met so that a one-to-one implementation in the text of the national legislation is not necessary. In addition to these guidelines, or recommendations, upon which financial institutions can orient themselves, there are also legal texts, the delegated regulations, which need not initially be implemented, but which will soon become applicable, such as the Regulatory Technical Standards (RTS) within the scope of the PSD2, with their rules for strong customer authentication and secure communication.
These RTS issued by the European Commission, however, will only come into force in the second half of 2019. This means that there is a gap between the PSD2 and the RTS. Under these circumstances, would it not have been better to delay the introduction of the PSD2 until then?
This discussion of whether the two must be implemented at the same time actually did take place. Some countries really made the case for doing so. But the deadlines for the PSD2 were already established; it was clear that it would come into force in January 2018. The RTS was originally planned to follow six months later. While no one really spoke about this gap, now we have one of around a year and a half. Meanwhile, the RTS were published as a delegated regulation on 13 March 2018 and must be implemented within 18 months, which means by 14 September 2019. The deviating deadlines were taken into account by national legislators in the respective implementation law. All third party providers that offered their services before the PSD2 was approved may continue doing so and their existing business is protected. What is new is that they need a license or registration to continue doing so, and are subject to national banking supervision. Only when the RTS is implemented in September 2019 must third party providers use the banks’ interfaces.
The Berlin Group has developed an ISO 20022-based, joint, Pan-European API standard to facilitate access to bank accounts by third party providers. If you take a look at the list of members, it is apparent that nearly a third of them come from Germany. Does this mean that the interest among other European financial institutions in a common interface standard is so minor? That they will invent their own APIs? Or that they will be interested in the finished product offered by the Berlin Group?
That there are a large number of members from Germany is simply attributable to the fact that we campaigned for a uniform standard very early on. You can almost say that the German banks, or the German Banking Industry Committee, are among the founding members of this initiative. Nevertheless, organizations from twenty EU nations are meanwhile represented, which is tremendous considering that it is a voluntary initiative. Looking at Europe, you will find that there are only five initiatives that have developed a standard: besides the Berlin Group, there are initiatives from Great Britain, France, Poland and Slovakia. Of these five initiatives, four are nationally oriented and only the one from the Berlin Group is actually Pan-European. That was the main impetus for our support for the Berlin Group.
How do you estimate the chances that agreement will be reached for a single international European solution? To what extent do these national standards differ from one another?
There are certainly efforts to merge the standards. The first harmonization efforts between the French standard and the Berlin Group, as well as in the direction of Poland, have already taken place. It was recognized that the uniform interface is better than proprietary solutions, regardless of whether from a bank or nationally. The European Commission also supports the idea of a uniform interface. However, there are indeed also national characteristics to be considered, such as with the British market, where the competition authorities are requesting that the nine largest banks open themselves up to competition. The requirements there go beyond the PSD2.
Are all requirements and the necessary investment security for the successful implementation of PSD2 otherwise in place?
Not quite. The RTS leaves it up to each bank to decide whether to offer a dedicated interface or whether to open the customer interface and, for example, online banking. At the same time, the RTS requires banks that offer a dedicated interface to also offer an emergency solution, or fallback access. The problem with this is that it involves a second interface, which would cause twice the investment costs among the banks. Under these requirements, no bank will offer standardized, dedicated interfaces, but their own solutions in the form of an adapted customer interface, which is precisely the opposite of what is intended to be achieved with an API standard interface. There is meanwhile an option in the RTS for a bank to free itself from this fallback solution by requesting an exemption from the national bank supervisory authority. This, however, is linked with the meeting of specific requirements for the interface, and the criteria have not yet been established in detail. We are slowly running out of time.
API stands for Application Programming Interface. APIs enable third party providers to use bank customers’ account data and bank functions in connection with these accounts.
Berlin Group is a European initiative that is dedicated to standards, harmonization and thereby interoperability in European payment traffic. This includes mobile P2P payments as well as APIs for PSD2.
PSD2 is the second Payment Services Directive (EU) 2015/2366, which had to be implemented in national legislation by January 2018. Among other things, it stipulates market opening for third party providers (TPPs) in payment traffic.
RTS stands for Regulatory Technical Standards, which the European Banking Authority has defined on behalf of the EU Commission. These were published on 13 March 2018 as a delegated regulation (EU) 2018/389 by the EU Commission. They define rules for strong customer authentication as well as secure technical communication between banks and third-party service providers. They are to be implemented by 14 September 2019.
TPP stands for Third Party Provider. TPPs generally refer to non-banks for which access to bank customers' accounts is permitted subject to conditions (such as through APIs).