A new era has been unfolding in the European banking world since 14 March 2019. Since then, new data interfaces owned by financial institutions that were developed in accordance with PSD2 have been put to the test. In the test phase and subsequent market testing phase, the question remains: What progress are banks making when it comes to API banking?
By way of reminder, API banking pursuant to PSD2 focuses on the end customer and should promote competition and innovation by opening up the banking world. If account holders want third-party providers to read account data or initiate payments, banks are obligated to make the technical facilities available for this in the form of APIs.
In this blog post, we report first hand about our experiences during the PSD2 test phase and the current market testing phase. We take a look at current developments and provide a forecast of what challenges bank customers should expect to meet even after the announced market launch of bank interfaces on 14 September 2019.
PSD2 Test Phase Paved with Stumbling Blocks
During the six-month test phase, which, as we mentioned at the beginning, began on 14 March 2019, the banks' new data interfaces were tested for their practicality. In closed test environments (so-called sandboxes), Account Information Service and Payment Initiation Service providers like us were given the opportunity to validate banks’ APIs based on test data.
However, the problems begin to mount with the sandbox process itself. As the term suggests, sandbox tests do not take place under real conditions. Even if a test is successful, it does not serve as a 100-percent reliable indicator of the actual practicability of an application, an aspect that is quite delicate in the highly sensitive systems of the banking sector. The situation was exacerbated by the fact that many sandboxes were difficult or even impossible for third-party providers to access during the test phase.
A second aspect must also be considered in addition to the procedural issue. In order to check the quality of a PSD2 interface, transaction data from online accounts is required on a large scale. For example, meaningful expenditure accounts as the basis for an immediate loan commitment can only be created with complete datasets. API banking and XS2A are complex processes in which copious amounts of data are processed. By contrast, test data, which is much smaller in scope, is nowhere near sufficient to handle this complexity.
Market Testing Phase for PSD2: Now or Never?
Following the suboptimal test phase, the go-ahead was given for the commencement of the PSD2 market testing phase on 14 June 2019. In this three-month period, banks have the opportunity to thoroughly examine their PSD2 compliance by subjecting the interfaces to a stress test. During this phase, the new banking APIs are validated with real data and extensively used in anticipation of the official PSD2 launch date on 14 September 2019.
Financial institutions that are up to the task can make an application to the Federal Financial Supervisory Authority (BaFin) for an exemption until then and do without such emergency mechanisms. To do this, banks must prove that their interfaces are fully functional, which is exactly where the cat chases its own tail. Many FinTech start-ups and third-party providers have not yet had the opportunity to extensively test the practicality of the banks' data interfaces, as most of these interfaces have not yet been fully developed. And as the Handelsblatt recently reported in an extensive article (German), this does not just apply to individual banks.
Among others, the German Banking Industry Committee stated that the interfaces for third-party providers do comply with the regulatory requirements. However, new providers whose business model depends on API account access take a different view. For example, according to many banks, an account holder who submits an online loan application to a third-party provider should be redirected to a website of their account-holding bank so that they can enter their login details. Thanks to API banking, a seamless process whereby an account holder carries out the entire process without interruption on the provider’s site has long been possible.
Account Login: The Customer Experience Should Be Paramount
Our own tests have demonstrated that in many cases the account holder is not redirected to the actual session after being redirected to the bank, which means that the entire process ends up being aborted. From the customer’s perspective, this is an annoying situation and a matter of paternalism on the part of the bank. This is because the account login on third-party websites is legitimized according to PSD2 if the customer grants their consent. The corresponding providers are regulated by BaFin and are supervised in terms of data security according to the same standards as banks themselves.
Financial institutions should leave decisions like these to their customers, who are responsible citizens. By the way, this is one of the cornerstones of PSD2: customers should regain sovereignty over their data and be free to decide how to use it. Our own experience from the test phase and the market testing phase shows that hardly any bank is as far along technically and mentally as it should be at this point in time.
So What if the PSD2 Interfaces Are not Ready by 14 September?
Simply put, we will give ourselves more time in the market, and in particular the banks will have more time to complete the interfaces in order to enable customers to find innovative solutions. As a first step, however, the interfaces should not become mandatory from 14 September 2019.
The fallback solution to the dedicated interfaces can be found in the second alternative in Article 31 of the Regulatory Technical Standards (RTS) issued by the European Banking Authority (EBA): direct and authenticated access via the existing account holder interfaces. This way, banks’ interfaces can be adapted to customers’ needs until they finally reach the required level of maturity and fully support Payment Initiation and Account Information Services.
As a further step, third-party providers (TPPs) could test the interfaces on a broad scale, as stipulated in the RTS. The result would be PSD2 interfaces enabling customers to use their accounts for value-added services.