One of the most challenging elements of PSD2 is the development of a secure interface to allow banks to share appropriate information with third party providers (TPPs).
These must be up and running by the 14 September deadline and there's a lot to do before then. But will you be ready in time?
Security is the top priority
Most banks are developing Application Programming Interfaces (APIs) - typically working to the Open Banking API standard from the Open Banking Implementation Entity (OBIE) or the EU Next Gen PSD2 standard. However, if these API implementations are not available or performing as required, banks and Account Servicing Payment Service Providers (ASPSP) may be required to provide a regulated / secure screen scraping of account websites as a fallback to ensure TPPs can still access users’ accounts and transactions. If ASPSPs can demonstrate their API is robust enough and satisfies the detailed exemption requirements, the regulator will grant an exemption from providing the fallback option. The deadline to apply for an exemption was in June, but many firms have not completed the exemption request while many others are still waiting for the outcome of this decision. If the FCA decide not to grant an exemption, banks may struggle to implement the fallback option by the 14 September deadline.
Meeting EBA guidelines
The FCA may seek additional information and clarifications before making a final decision regarding a firm's exemption status - most likely in response to supporting documentation as outlined in EBA's guidelines on exemption conditions (EBA/GL/2018/07). Key areas where banks may struggle include:
Guideline 6: Design and testing to the satisfaction of PSPs
ASPSPs must provide significant documentation to help third parties utilise the API they are offering. It should demonstrate technical and legal compliance with the PSD2, and if the firm has worked with PISP, AISPs and CBPIIs to develop the API. Where a firm has adopted an existing API, they should make it clear which one is being applied, any variations from it, evidence of compliance with that API's standards and how it fulfills the obligations of PSD2.
The FCA will also be looking at the extent of, and feedback from, the testing stage. This includes checking for a secure connection, error messages, payment initiation orders, account data, confirmations, the use of certificates and security authentication requirements. The outcome of these tests will be a key element in assessing the robustness of the API.
Guideline 7: Wide usage of the interface
The FCA is interested in the extent of testing and making sure that third parties and developers are aware that the API is available to them. This includes publicising the availability of the API to third parties - and producing adequate evidence of that in the FCA documentation.
Guideline 8: Resolution of problems
Banks should have adequate processes in place to monitor, track and resolve any reported issues quickly - especially if reported by a third-party provider.
What to do now?
Banks that are still awaiting decisions on the fallback option should consider the key areas above and how they can strengthen their exemption requests if the FCA requests further information. This may include establishing further engagement with a wider range of TPPs, documentation for TPPs, including greater publicity that the API is available to developers. Banks should also establish effective processes to improve these services once they are up and running, and factor it into their operational resilience programmes to make sure essential services can be restored quickly to minimise financial harm to consumers.
Please contact Paul Olukoya for more information on the points above and how we can help.