Out-Law / Your Daily Need-To-Know

PSD2 takes effect without 'open banking' APIs ready at most banks

Out-Law News | 16 Jan 2018 | 11:08 am | 2 min. read

Changes to payment services laws came into effect in the UK on Saturday despite many banks still not having new technical solutions in place to act on the reforms.

The revised Payment Services Directive (PSD2) was implemented in UK law by the new Payment Services Regulations.

Under the new regime banks, building societies and other account holding institutions are obliged to enable third party 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, at those customers' request, to allow the businesses to provide the customers with their services.

The legal reforms are expected to trigger greater competition and innovation in the payments market, with fintechs, technology companies and retailers among those expected to develop AIS or PIS offerings.

In time, banks and other payment service providers (PSPs) will be required to facilitate the third party access rights of AISPs and PISPs in accordance with new regulatory technical standards on strong customer authentication. Those standards, which have yet to be finalised, will take effect 18 months after their publication in the Official Journal of the EU.

However, the third party access rights that PSD2 introduces will apply during the transitional period before the standards begin to apply, meaning PSPs must not unjustly block AISPs or PISPs from accessing customers' payment account data where those third parties have the customers' consent to do so.

In the UK, nine major banks have been working on the development of new technical solutions to facilitate access to bank account information under the 'Open Banking' initiative. The Open Banking reforms were prompted by an order made by the UK's Competition and Markets Authority (CMA) after it identified competition concerns in the retail business and consumer current account markets. The Open Banking initiative in the UK was subsequently broadened in scope to apply to the same types of payment accounts that PSD2 covers.

The open banking initiative envisages the use of open 'application programming interfaces' (APIs) to link the systems of third parties into those operated by banks. An Open Banking Implementation Entity (OBIE) has been leading work on the development of standards to ensure APIs are developed in a way which makes them both interoperable and secure.

However, by 13 January 2018, the date on which the PSD2 reforms and the CMA's legal order on open banking took effect, just three banks had developed solutions in line with the Open Banking standards to facilitate the reforms, according to media reports.

It means that most other banks and other PSPs will have to facilitate third party access through alternative means, such as APIs that are not in line with the open banking standards or by allowing third parties to continue engaging in the practice of 'screen scraping' – a technique that many banks have previously raised security concerns about.

A soft launch of the open banking solutions is being overseen by the OBIE. The first lot of open  banking APIs are expected to come into widespread use from March, it said.

"Over the course of the next six weeks the OBIE will bring the UK’s largest account providers and regulated third parties online and fully test the system using selected testing accounts only," the OBIE said. "This will enable all parties to be absolutely certain that the system is stable, fully secure and ready for UK consumers and small businesses."

Adam Land, senior director at the CMA, said: "Open banking will allow you to take control of your own data and use it to find the best deals, help you switch and manage your money securely and more effectively. The possibilities are endless.”