article banner

PSD2 – are your APIs available?

Paul Olukoya Paul Olukoya

All payment account providers and banks with online services must provide regulated screen scraping (as a fallback mechanism) and/or make their Application Programming Interface (APIs) available to authorised third party providers (TPPs), in line with PSR 2017 and PSD2 rules.

For banks who would like to provide only a dedicated API interface, APIs should now be available in a developer sandbox with full documentation. Banks choosing to request an exception from the fallback interface should submit a request to the FCA by 14 June - by this point all banks should have API interfaces available for live industry testing. This is a key delivery date for PSD2 and firms missing this date must deliver both a screen scraping option and a live API – with potential regulatory enforcement for further failings.

Screen scraping as a fallback option brings complications in relation to GDPR. PSD2 requires access to financial data of customers and personal data should not be shared to TPPs – this means that personal information must be filtered out under the fallback option. For this reason API’s are simpler, more cost effective and carry reduced risk on a long term basis.

Meeting the demands of PSD2

When PSD2 was introduced in January 2018, it created a set of security and operational standards for payments firms to operate under. The regulation aimed to encourage new entrants into the UK and European payments market – and in the UK alone, almost 3,000 firms have since been registered and authorised as Payment Service Providers (PSPs).

Identified as a key growth area by the FCA and EBA, the cash-less digital payment sector is on track to grow $1 trillion in new revenue by 2027. Regulators have worked hard to keep pace with the speed of growth and have introducing a range of new regulations over the last couple of years -  bringing challenges around implementation and demonstrating regulatory compliance.

PSD2 and open banking also include mandatory requirements for Strong Customer Authentication, Charges, Incident Reporting and Business Continuity Arrangements.

Making your APIs available

All banks offering online services, must now deliver an API that other regulated third parties can use to access users’ detailed account/transaction information held by the bank, as well as initiate payment from the bank. In the UK, the Open Banking API standard from the CMA Open Banking Implementation Entity (OBIE) has been adopted by most banks. The NextGen PSD2 API standard by the Berlin Group is more common across Europe. MasterCard is also a notable proponent of Next Gen PSD2 API standard which allows third parties to directly connect to the financial institution’s infrastructure (normally referred to as XS2A ‘Access to Account’). You should consider conformance with the Next Gen PSD2 if your strategy is EU wide.

Keeping a close eye on security

As of 1 January 2019 all PSPs are now required to record fraud statistics under the EBA fraud reporting guidelines, and report data on fraud related complaints to the FCA from 1 July 2019. You must establish adequate mechanisms to track the necessary statistics, collecting the MI in an appropriate format to meet the FCA’s reporting requirements.

Under PSR 2017, the FCA has also mandated that all payment service providers submit an annual assessment (REP018) of their operational/security risks and control mechanisms related to payment services. The submission must include an audit of the IT security measures by independent auditors. At the end of March 2019, firms will start to be tested for full compliance. You must have an effective risk assessment methodology in place to identify potential issues on an ongoing basis, and implement appropriate controls to mitigate them. These should remain up to date as part of your internal audit plans, with an effective mechanism for reporting.

Our payments, cyber security and technology team can support with additional information on IT security reviews and internal audit.

What does this mean for you?

In the short term, you should review the full set of requirements and ensure adherence to the milestones set out in the FCA Approach to final Regulatory Technical Standards and EBA guidelines under the revised PSD2. This includes ensuring immediate compliance with the PSR 2017 and PSD2 requirements, and making API testing facility and technical specifications available to third parties.

As with any regulatory change, the cost of compliance can be high. The mandatory independent assurance requirements are an additional operational cost, and extra resources or specific technologies may be required to monitor controls on an ongoing basis. This in turn brings an extra element of operational and IT risk to the equation.

All changes bring new business opportunities and you need to maximise the potential for growth. Notably, there are increased opportunities to increase your market share by leveraging Payment Initiation and Account Information aggregation. But you should also look at:

  • Cost savings via lower transaction and interchange costs when cards are dis-intermediated
  • Increased opportunity to attract and grow business using compliance as a competitive advantage
  • Opportunity to decrease fraudulent payments and chargebacks via new payments monitoring controls, SCA and increased transaction security
  • Increased effort/cost of regulatory compliance and embedding mandatory assurance
  • Increase in cost of implementing operations, technology and controls changes required for compliance
  • Improved cash flow due to instant clearing and settlement
  • Improved availability of financing through instant commercial and consumer lending decision
  • Increased risk of fines, fraud, loss of market share, business and customers due to non-compliance

For further information on how we can help, please contact Paul Olukoya.

Cryptoassets - a new regulatory landscape

Cryptocurrency’s not dead – it’s just evolving