The worrying fragility of PSD2

This is the write-up/script of a Pecha Kucha-ish talk I gave at the ustwo Fintech Talkies II event on Thursday the 19th of May 2016. What I actually said was recorded on video and will be embedded here when available. There are a few mentions of Monument Valley in here as the game was made by ustwo; this seems to have confused a few people who are seemingly unaware of this fact. Sorry. I have also added a load of links to the end of the preso if people want to read a lot of stuff about PSD2.

****************

Slide 1: Hello. I am Aden and I want to talk about my favourite bit of European Parliamentary legislation and my worry over its wellbeing. PSD2 is the second iteration of the Payment Services Directive, a series of proposals to change European law around the movement of money and transaction data. It will change the way we bank and I really want it to be successful in doing so.

Slide 2: Here is the legislative beauty. 90-odd pages of almost impenetrable legalese. Its stated purpose is to make a more integrated and efficient European payments market. And to level the playing field. What it means really is to kick banks’ asses to open up data and cut out dominant middlemen from payments. It will introduce two key things: PIS and AIS.

Slide 3: Let me try and explain. Ada wants to buy the complete works of M.C. Escher. She takes out her Mondo card (she strikes me as a Mondo user) and she inputs her card details into Amazon. The payment request goes off to the acquirer, Worldpay. This is routed through the card scheme in use, MasterCard here, and then to Ada’s bank that issued her card. Money is sent back to Amazon for payment. Amazon keeps the card details on file. Repeat ad infinitum for other merchants. (Thanks to Starling for the inspiration for these diagrams – link to the originals below)

Slide 4: In the new world of PIS, no card details are exchanged. Instead a token-based connection is made. The merchant makes a request to Ada’s bank / card provider for a token-based relationship to be formed. This then creates a direct link to Ada’s account, unique to the merchant. Ada is in full control. A failing at the merchant means she does not have to cancel cards. The merchant must be licensed in some way to be able to move money in this way. They will be known as PISPs. This change also cuts out all those other pesky, mainly American card schemes and allows new players to emerge. It also starts to make current accounts more platform-like.

Slide 5: Let’s now take a look at AIS. Here is Crow, who is very organised with his finances as he is saving for a curse lifting procedure. Crow has his main account with Barclays and he downloads the transactions manually every so often in CSV format. Crow has a credit card with HSBC and he downloads his transactions in the bloody useless format of PDF because reasons. He swears. He also has a joint account at Lloyds with his crow lover. This is a semi-automatic download and he has given his password details over to Money Dashboard to scrape his transactions. He is a reckless maverick. He then munges all this data together and manages his money the best he can. He caws with disdain regularly and walks around seemingly aimlessly in frustration. (No way I managed to say all this in 20 seconds)

Slide 6: No more pain in the brave new world my Crow friend! Similar to the payment relationships, in the future banks will have to provide an automated and much safer, less painful means of transfer. Like the way you would connect your Twitter account to a third party app. The consumers of this data must be licensed in some as yet undefined way. These new information aggregators will be known as AISPs.
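
The token relationships described for PIS (Slide 4) and AIS (Slide 6), sketched as an added example that is not part of the original talk: each consent is one token bound to one third party and one scope, so it can be withdrawn without touching the others. The `Bank` class, the party names, the scope strings and the licence register are all hypothetical; the real PSD2 technical standards define none of them here.

```python
import hashlib
import secrets


class Bank:
    """Toy account provider issuing one revocable token per consent."""

    def __init__(self, licensed):
        self.licensed = set(licensed)  # assumed register of licensed PISPs/AISPs
        self.consents = {}             # sha256(token) -> (customer, party, scope)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def grant(self, customer, party, scope):
        if party not in self.licensed:
            raise PermissionError(f"{party} is not a licensed third party")
        token = secrets.token_urlsafe(32)
        # Store only a digest, so the bank's consent table holds no usable tokens.
        self.consents[self._digest(token)] = (customer, party, scope)
        return token

    def revoke(self, customer, party):
        # Withdraw one relationship; every other consent stays valid.
        self.consents = {d: c for d, c in self.consents.items()
                         if c[:2] != (customer, party)}

    def authorize(self, token, presenter, action):
        # presenter stands in for an authenticated caller identity (assumption).
        consent = self.consents.get(self._digest(token))
        return consent is not None and consent[1:] == (presenter, action)


def demo():
    # Constructed parties: two merchants (PISPs) and one aggregator (AISP).
    bank = Bank(licensed={"merchant-a", "merchant-b", "aggregator-x"})
    tok_a = bank.grant("ada", "merchant-a", "payments")
    tok_b = bank.grant("ada", "merchant-b", "payments")
    tok_x = bank.grant("crow", "aggregator-x", "accounts:read")
    out = {
        "a_pays": bank.authorize(tok_a, "merchant-a", "payments"),
        "a_token_from_b": bank.authorize(tok_a, "merchant-b", "payments"),
        "aggregator_pays": bank.authorize(tok_x, "aggregator-x", "payments"),
        "aggregator_reads": bank.authorize(tok_x, "aggregator-x", "accounts:read"),
    }
    bank.revoke("ada", "merchant-a")  # a failing at merchant-a: cut off only that link
    out["a_after_revoke"] = bank.authorize(tok_a, "merchant-a", "payments")
    out["b_after_revoke"] = bank.authorize(tok_b, "merchant-b", "payments")
    return out
```

Contrast this with card details kept on file or a password handed to a scraper, where one shared secret works everywhere and can only be withdrawn by changing it for everyone.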

Slide 7: Now I don’t know about you but these changes are exciting. AISPs and PISPs could effectively replace a lot of functionality of existing banks and allow for some hopefully much richer, simpler, more interesting interfaces, experiences and services. The rules were signed into European Law at the beginning of the year and the EU members must all be compliant with the proposals by the start of 2018… but all is not quite pelvis-thrustingly awesome… although to continue the theme slightly

Slide 8: Now as we saw last week, Europe is a beautifully diverse set of countries who interpret things in many ways. When it comes to PSD2 and the need for some solid standards for APIs, communication and security, variation and creativity might not be the best thing. The directives need to be transcribed by all 28 EU members into local laws; in the UK this will be part of the Payment Services Regulations.

Slide 9: There is another hitch. There will be some Regulatory Technical Standards (RTS) for nine areas relating to these changes. The key ones are around communication methods, i.e. APIs, and strong customer authentication to allow these functions to work. These things are not published yet. They are due ‘this summer’. The final ratification of the standards though could take 18 months. The EBA are confident there will be enough published in time for solutions to be created to meet the deadlines. This feels like shaky foundations to me….

Slide 10: Because we do not want the kinds of people that brought you these bloody things to be cobbling together technical standards that will drive the future of banking. We must not let those that forced the situation of today be in charge of the situation of tomorrow or we will end up with some very uncomfortable solution…

Slide 10a: *Uproarious laughter or tumbleweed and very bemused looks*

Slide 11: The lack of easy access to payments and more importantly data has forced awful workarounds that put brave users at risk and stagnate change for the mainstream. Scraping is a necessary evil and I hate that it has to exist. Thankfully PSD2 sounds the death knell for scraping banking data or at the very least ensures better methods will exist.

Slide 12: Thankfully our own fine land is on it. We have the Open Data Institute pulling together some open standards and bringing lots of people to the party. We also have the Competition and Markets Authority this week demanding that APIs be ready by Q1 of next year in the UK for certain types of data. I do hope they have the power and the skill to make this happen… although I do have minor concerns about fragmentation of standards… and it is adding yet more committees and requirements and words to the debate…

Slide 13: Which is bringing to mind the classic battle of the Open Systems Interconnection reference model and Transmission Control Protocol and Internet Protocol. OSI was debated and designed to the nth degree, technically perfect and backed by regulators, industry and engineers alike… but it lost to something simpler yet flawed. This quote from one of the godfathers of the internet sums it up perfectly. I worry PSD2 technical guidelines will drag on because someone wants to make it a beautiful dream.

Slide 14: Meanwhile companies with real vision are living the dream. Brilliant UK-based companies like Currency Cloud have shown what real platforms and smart APIs can build, GoCardless made direct debit easy, Mondo and Starling are both building for API-driven worlds with current accounts as a platform. Thankfully some bigger banks are there too, BBVA with their open platform and Citi with their mobile API challenges.

Slide 15: Companies like Stripe have proven the power of treating APIs like products, making the developers real customers and making it easier than ever to make things involving the movement of money. They have raised the standards of the industry tenfold, pushing PayPal to buy Braintree, and Mastercard and Visa to relaunch and redouble their API efforts regularly. These are the kinds of people I want to ensure are involved in the design of solutions for banking’s future.

Slide 16: Another nice little example that I like is Xignite. They provide market data with lovely APIs, they are building out an ecosystem of parties who all provide data in this same way. More ingredients to build more things. Fintech companies coming together to build something greater than just they themselves ever could. My utopian hippy self wants far more openness and collaboration between financial services firms for the benefit of people who want to make better things.

Slide 17: Because we need to challenge the stereotypical attitude of the banker. They are by no means all like this, but still the attitude to PSD2 is: this is our data, we won’t make it easy for those bastards to just come in and steal our customers because we are shit at making decent interfaces. They need to see that decent APIs will benefit their own developers over anyone else. People being able to make things faster than ever before. The smart ones know this; they know they no longer ‘own the customer’ but that they need to integrate well into the customer’s whole financial relationship.

Slide 18: Ultimately I want to see the innovative players drive the market. Yes, the regulation is welcome and needed. But what will really make the incumbents move is a mixture of regulation and the fear of missing out. Missing out on how banking will work tomorrow, how easily new players launch products and services, how easily business models are mixed and remixed and how their customers bank with the companies that fit into their lives the best.

Slide 19: PSD2 does feel like an illusory adventure of impossible architecture… but it is certainly a challenge worth facing. Unlike Ada, though, there will be no forgiveness if this does not pan out the way it should. The people who have suffered rubbish banking have suffered long enough. Please let’s not fuck this up.

Slide 20: Thanks very much for listening. Slides and what I was meant to say are published here, I have also included a load of links to more reading material used to make this presentation. If anyone wants to hire me based on my awful presentation puns and passion for European regulation then please do let me know. Cheers.

Video link – Coming soon hopefully

Lots of other links to related material.

PSD2 Framework – http://ec.europa.eu/finance/payments/framework/index_en.htm

PSD2 FAQ – http://europa.eu/rapid/press-release_MEMO-15-5793_en.htm?locale=en

Discussion on RTS on strong customer authentication and secure communication under PSD2 – https://www.eba.europa.eu/news-press/calendar?p_p_id=8&_8_struts_action=%2Fcalendar%2Fview_event&_8_eventId=1303933

EBA Discussion paper on innovative uses of consumer data by financial institutions https://www.finextra.com/finextra-downloads/newsdocs/eba-dp-2016-01.pdf

UK Gov – Call for evidence on data sharing and open data in banking – https://www.gov.uk/government/consultations/data-sharing-and-open-data-in-banking-call-for-evidence/call-for-evidence-on-data-sharing-and-open-data-in-banking

Competition & Markets review of banking for SMEs https://www.gov.uk/cma-cases/review-of-banking-for-small-and-medium-sized-businesses-smes-in-the-uk

CMA – Retail banking market investigation Provisional decision on remedies (THIS IS GOLD) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/523755/retail_banking_market_pdr.pdf

UK Open Banking Standard Intro – http://hollandfintech.com/wp-content/uploads/2016/02/298568600-Introducing-the-Open-Banking-Standard.pdf

OBWG Short Proposal Apr 2016 – https://docs.google.com/document/d/1s6ITjXD1HNUQMmsxdqmmUS8c1UwgLhTXSIr1ZjgxIS0/edit#

Explaining PSD2 – Starling Bank http://starlingbank.co.uk/explaining-psd2/

W3C Web Payments group – PSD2 https://www.w3.org/Payments/IG/wiki/PSD2

W3C first public working draft payment request API https://www.w3.org/blog/wpwg/2016/04/21/first-public-working-drafts-of-payment-request-api/

OSI – The Internet that wasn’t http://spectrum.ieee.org/computing/networks/osi-the-internet-that-wasnt

Programmable Web – Banking API directories http://www.programmableweb.com/category/banking