PSD2 – the second coming is nigh

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world,
The blood-dimmed tide is loosed, and everywhere
The ceremony of innocence is drowned;
The best lack all conviction, while the worst
Are full of passionate intensity.

Not only is PSD2 (Payment Services Directive) the second iteration of PSD, it is also seen as the second coming by many in financial services, particularly that random bunch of new players broadly placed under the brand of Fintech. If you are not familiar with the 170-odd-page delight of a read, then here is a link to it, though I highly recommend Starling Bank’s far shorter explanation, which also exudes their excitement for it. For a longer, more detailed insight try this from Out-Law.

The excitement is brought about by PSD2 promising to deliver an open payment network through APIs (PSD2 will do much more but this is the bit people are focusing on most). These will let companies with the appropriate license make payment instructions upon bank accounts. Those with access are known as payment initiation services providers (PISPs), i.e. they make payments and move money. The second group can aggregate transaction data from multiple institutions and are known as account information services providers (AISPs). The final text of the Europe-wide regulation got rubber stamped in the European Parliament at the beginning of October. This means that by the beginning of December the countdown will begin. Member states and their banks / financial service providers have two years to implement the changes and place them into law. By the 1st January 2018 (if not a smidgen before) the second coming will be upon us.

In parallel to this in the UK we have the Open Banking Working Group (OBWG), a group brought together in response to the request from the Treasury for information on APIs and open data in banking. The OBWG is co-chaired by The Open Data Institute and is represented by a host of experts across six subcommittees from many aspects of finance. The aims around data access are similar to that of PSD2 (and there will be alignment) but the individual customer seems to be slightly more of a focus for the OBWG.

Let me state that I personally think both of these initiatives are brilliant. Access of this nature has been long needed to not only stimulate the market but more importantly give banking customers (pretty much all of us) access to our own transaction data in a more useful form than a downloadable spreadsheet. I have said this plenty of times in the past. The ability for payment instructions to be made on top of the existing accounts effectively means that the entire banking experience could be replaced by a third-party service and allow you to operate your banking across all institutions, with which you have a relationship, in a single interface.

Those above are just the obvious use cases; these changes should unleash upon the world a wave of innovation like nothing the financial services world has seen…or maybe not. Plenty of people are imagining more, such as Mondo, David, Matt etc. All good.

But I have a few concerns….

Banking is a slow moving ass and sometimes needs the stick of regulation to get it moving. What if the mandatory nature of this regulatory stick does not lead to an ideal solution to the problem it is trying to fix? The Technical Standards for PSD2 are 12 months behind the regulatory standards. This means there will be 12 months of analysing/designing/guessing how the compliant solutions should operate. The authentication methods to be used for access to data and the creation of payment instructions are key implementations upon which the hopes of many rest. Get this wrong and implement some clunky, awful and unworkable solution and the blossom of innovation they hope to nurture will never appear.

Are the right level of people involved in the creation of these technical standards? I hope the very companies that desire this the most get to have an at least equal say in the design of these access methods. I also hope that people with experience of doing this kind of change before are also involved. For example the W3C (Web Governing Standards Body) are currently building out the Web Payments charter. The timescales align very well but I believe the twain have never met. The PSD2 proposed changes feel like they should fit perfectly or at least very well with the changing nature of payments as part of the fabric of the web. Leaving this design to bankers and policy makers alone feels risky to me.

In the UK the Open Banking Working Group have explicitly stated OAuth as a mechanism of choice to be used for delegated access to data, which is good news. While it may not be perfect it is a widely used standard and I believe these changes should be looking to use the best of breed of today rather than trying to create new standards.

Another aspect I am not clear on (and may be completely wrong about) is the nature of access available to the individual customer. PSD2 refers to PISPs and AISPs but what about the humble user? Can I choose where I plug that data? Will I only be able to choose from an approved (by whom?) list of licensed and regulated AISPs? Can I not use the data myself in my own apps if I have the talent to build such things? Can I link that data to AISPs in other countries? What about companies outside the jurisdiction of PSD2? Are there rules around this data that make it far more sacred than it needs to be? People have been able to download and upload spreadsheets wherever they see fit for decades.

This automated feed does indeed bring greater risk but, that being said, hampering it with rules for rules’ sake may present more of a risk to growth than the threat risk perceived.

I am also concerned that banks will see this as yet another regulatory demand placed upon them outside of their business strategy. This means compliance as a bare minimum and nothing else. This is what the Fintech horde are hoping for. Complacency compliance instead of the incumbent providers taking the massive opportunity before them and making a real digital step forward. Clearly some banks will play this differently to others and history will no doubt show who played their hand most wisely. This is another reason that the people driving PSD2 cannot just be the banks or the regulators.

And finally…what happens when Apple/Amazon/Facebook/Google apply for their AISP/PISP licenses? Second coming gets a California style hype boost then and bank boardrooms across Europe hit the panic button. Maybe.

PSD represents a fundamental change to the way banking operates across Europe and possibly the most seismic shift in ‘centuries of stony sleep’. The implementation of it will be key to ensure this delivers truly open payments and data access and not just the change that satisfies the regulation minimums. Let’s see what happens between now and January 2018 and then beyond.

Surely some revelation is at hand;
Surely the Second Coming is at hand.
The Second Coming! Hardly are those words out
When a vast image out of Spiritus Mundi
Troubles my sight: somewhere in sands of the desert
A shape with lion body and the head of a man,
A gaze blank and pitiless as the sun,
Is moving its slow thighs, while all about it
Reel shadows of the indignant desert birds.
The darkness drops again; but now I know
That twenty centuries of stony sleep
Were vexed to nightmare by a rocking cradle,
And what rough beast, its hour come round at last,
Slouches towards Bethlehem to be born?

The Second Coming by W. B. Yeats
