On 24 July 2013, the European Commission (the Commission) published its proposal for a revised version of the Payment Services Directive (PSD) [1] (see ‘related links’ below). One key element in the proposed PSD2 is access to accounts, which will require banks to open their customer accounts to third party providers (TPPs). An intense debate around whether and how banks should open up was ignited even before this date. The ‘how’ in particular is still unclear for many market participants, and this article makes some suggestions on how the opening can be conducted in a safe, secure, regulated and fair way. For this it is also necessary for some further boundary conditions to be set.
First it is worthwhile to step back and have a look into other industries. When IBM pioneered information technology in the last decades, their initial approach was to build a closed system. Interoperability and connectivity were limited to IBM hosts, IBM peripherals and IBM networks. But only when IBM and others opened up (through the advent of the open internet) did the IT revolution really gain momentum. Today, not only the economy has benefited tremendously from IT, but – surprisingly – so did IBM as well. This is also due to the fact that all participants developed a mutually beneficial ecosystem: contracts regulated liabilities, fair market-based fees were paid for services rendered etc. Another example, from the smart phone arena, shows the rapid surge of market share of the (open) Google Android operating system to around 80 percent globally, again demonstrating the inexorable rise of open systems (for details, see ‘References’ below). While these situations may differ from financial services, where several banks compete in every single European market, many argue it may be an indication also for this industry how opening up can benefit all parties in the end.
Time to open up in payments
While open systems can thus often be beneficial even for the incumbents, they sometimes have to be forced into their luck. (Apple was forced to open its initially closed app store through jailbreakers; telecoms were forced to allow third party access through regulation.) It is now the banks’ turn to open up. The PSD2 proposal is clearly demanding access to bank accounts (or more correctly: to payment services) for third parties. Banks can potentially benefit, if they take the right decisions now and if the regulator and market ensure a fair ecosystem where – as in the successful examples in other industries above – contracts regulate liabilities and fair prices are paid for services rendered.
Looking into the current e- and m-commerce space, there are already strong alternative payment solutions including PayPal or Amazon Payments, even without access to accounts legislation. PayPal offers proprietary virtual accounts and so far the majority of their transactions in Europe are funded from the user’s current account via a direct debit mandate (i.e. without paying anything to banks for use of their infrastructure). The competition in online payments is thus not lost by anybody, but all players (including banks, the ex-incumbents) face significant opportunities that should now be addressed.
Most of the current ‘winners’ in online payments are overlay services riding on bank infrastructure. Building on banks’ card or automated clearing house (ACH) networks, these overlay services provide significant additional convenience to consumers and merchants. On the one hand, most of these service providers have not signed contracts with banks for infrastructure usage. They are therefore not tied into any liability partitioning, they hinder harmonised communication, dispute management and redress procedures, and no compensation is paid for providing the underlying infrastructure, issue resolution, contact points in case of problems and much more. On the other hand, alternative providers face difficulties establishing innovative payment solutions, e.g. due to the diversity of payment products across markets, or due to the lack of a standardised interface to online banking. The absence of a standardised online banking interface in most European markets is one of the obstacles for TPPs to enter the market more widely and in a pan-European harmonised way in line with the Single Euro Payments Area (SEPA) vision.
In this world of overlay services, banks run the risk of being increasingly disintermediated, degraded to commodity providers and losing many transactions to TPPs (e.g. through wallet-to-wallet or mobile-to-mobile transactions without immediate connection to the current account). AT Kearney predict that one third of banks’ revenues will migrate to these non-bank players. Thus banks also have an interest in consumers (or their applications) using the customer’s bank account directly (via a standard payment service interface rather than the current multiple layers of third party intermediaries).
Controlled access to payment services (CAPS)
If bank accounts (or online payment services) are to be opened up to third parties (as the proposed PSD2 stipulates, and as may be of benefit to the market and the banks as shown in the first section), this must happen in a controlled, secure, trusted, safe and fair way. An analogy may be seen in the app store model provided by, for example, Apple or Google. They provide a platform with a common standard and interface and allow third parties to develop applications under a well-defined set of rules. These rules specify, inter alia, what the liabilities of the parties are, how the revenue is shared, and how conflicts are handled in a harmonised way – to the benefit of all. This is highly attractive for both developers and Apple or Google, as a clear commercial framework ensures benefits sharing and a worldwide standardised platform ensures harmonised use, rules, communication and distribution. It has also led to an explosion of creativity and innovation benefitting Apple, Google, their users, the developers and the whole market. The important thing is that this platform access is not open to everybody but only to those who comply with the rules. Since everybody can calculate their risks and have a benefit, everybody aims to enhance the system and everybody wins.
The alternative is that the banks are forced, against their will, to provide the new services in a risky way (without contracts to contain liabilities etc) and / or for free. This would not only be unsafe and unfair, but would also constitute a major tactical mistake: it will only lead to years of open and covert battles, resistance and wrangles – and everybody loses. Instead, as proposed here, let a fair and safe infrastructure develop and everybody wins.
Especially in payments one particularly critical issue is security: no consumer or bank would endorse a situation where unregulated third parties would be granted uncontrolled access to users’ accounts. This is why this article develops the need for controlled access to payment services (CAPS). This is in contrast to current practices where the users’ full online banking credentials are passed on to third parties allowing them potentially full access to everything on the account: past history, salary incomes, security settings etc. It cannot be in the interests of the user and of a secure financial ecosystem to allow access to an account (often referenced as ‘XS2A’). Instead, we should insist only on certain secure, individually controlled payment services (i.e. CAPS).
The new services defined in the PSD2 proposed by the Commission (information on funds, payment initiation) must only be permitted under specific conditions to ensure the risks will be contained. This is essential since, if the infrastructure were to be compromised, all electronic funds would be endangered, posing not only a risk to users and banks but even a severe systemic risk to society and the economy. For this not to happen, some prerequisites for the success of CAPS need to be fulfilled. Third parties need to be certified and regulated, e.g. by PSD2. There need to be contracts with banks and merchants in place that clarify the liability partitions etc. The system needs to be secure, handling access to accounts in a controlled way with authentication being given only for specific accesses. Transactions need to be entirely controlled by consumers to avoid a situation where consumer account data is exploited without permission. And last but not least, there needs to be a fee attractive enough for all parties, including merchants, banks and TPPs, to provide the infrastructure, develop innovative services and offer customer support. But what would be a fair price? This is a discussion of its own, and no definite answer can be provided here. However, it seems only fair that cost-based fees in recompense for the infrastructure be set for basic services (e.g. yes / no answer to a query on availability of a fund) and value-based fees for premium services (e.g. to allow TPPs to do extensive data analytics or send guaranteed payments across Europe). No-one can expect the premium fees extant in the Apple, Amazon or Vodafone ecosystems (where 40-60-80 percent margins are ‘de rigueur’). Yet modest and fair recompense to the banks (like the ‘last mile’ charge for third parties to use the incumbents’ telecommunications network) seem only fair and reasonable. Let the market forces decide.
According to the proposed PSD2, the initial CAPS services will likely focus on two types: sufficient funds requests and payment initiation (though more can be envisaged). The former requires parameters of the International Bank Account Number (IBAN), amount, reserve time and TPP certificate (reliably identifying third parties to ensure that only trusted / regulated players may ask for the account information in the name of the user). The payment initiation service needs two IBANs (from / to) and optionally a quality of service (best effort, guarantee, real time etc) ruling the funds transfer. Through these services an application can directly access the bank account without the need for multiple layers in between. Several options exist to physically implement such a standard interface, ranging from a pan-European standard application programming interface (API) across all banks to local solutions such as these services being provided by, for example, iDeal in the Netherlands.
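A sketch of the sufficient funds service described above, added here as an illustration and not taken from the PSD2 proposal or any bank's interface: the bank-side gate identifies the TPP, validates the IBAN, checks the user's consent for this one service, and answers only yes or no. The names (`FundsRequest`, `CapsGate`, the fingerprint register, the consent table), the reading of ‘reserve time’ as a temporary hold, and the sample data are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Answer(Enum):
    YES = "yes"
    NO = "no"
    REJECTED = "rejected"   # one uniform refusal: no hint about which check failed


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first 4 chars to the end, A-Z -> 10..35."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34
            and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class FundsRequest:
    iban: str
    amount: Decimal
    reserve_seconds: int        # "reserve time", read here as how long to hold the amount
    tpp_cert_fingerprint: str   # stands in for the TPP certificate


class CapsGate:
    MAX_RESERVE_SECONDS = 900   # assumed bank policy, not from the article

    def __init__(self, regulated_tpps, consents, balances):
        self.regulated_tpps = regulated_tpps  # cert fingerprint -> TPP name
        self.consents = consents              # (iban, TPP name) -> services the user allowed
        self.balances = balances              # iban -> Decimal
        self.holds = []                       # (iban, amount, expires_at)

    def sufficient_funds(self, req: FundsRequest, now: float) -> Answer:
        # 1. Only a registered (regulated) TPP may ask at all.
        tpp = self.regulated_tpps.get(req.tpp_cert_fingerprint)
        if tpp is None or not iban_is_valid(req.iban):
            return Answer.REJECTED
        if req.amount <= 0 or not 0 <= req.reserve_seconds <= self.MAX_RESERVE_SECONDS:
            return Answer.REJECTED
        # 2. The user must have granted this TPP this specific service on this account.
        if "funds_check" not in self.consents.get((req.iban, tpp), set()):
            return Answer.REJECTED
        # 3. Unexpired holds reduce what is available; the balance itself is never returned.
        held = sum((a for i, a, exp in self.holds if i == req.iban and exp > now),
                   Decimal("0"))
        if self.balances.get(req.iban, Decimal("0")) - held < req.amount:
            return Answer.NO
        if req.reserve_seconds:
            self.holds.append((req.iban, req.amount, now + req.reserve_seconds))
        return Answer.YES


# Constructed sample data: published example IBANs, made-up TPP and balances.
IBAN_DE = "DE89370400440532013000"
IBAN_NL = "NL91ABNA0417164300"


def build_gate() -> CapsGate:
    return CapsGate(
        regulated_tpps={"fp-ticketshop": "TicketShop"},
        consents={(IBAN_DE, "TicketShop"): {"funds_check"}},
        balances={IBAN_DE: Decimal("30.00"), IBAN_NL: Decimal("500.00")},
    )


if __name__ == "__main__":
    gate = build_gate()
    req = FundsRequest(IBAN_DE, Decimal("24.00"), 300, "fp-ticketshop")
    print(gate.sufficient_funds(req, now=0))    # first query places a 300 s hold
    print(gate.sufficient_funds(req, now=10))   # same query while the hold is active
```

The TPP in this sketch never holds the user's online banking credentials and learns nothing beyond the yes / no answer for the account and service the user approved.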
Insecure techniques (e.g. ‘screen scraping’) where a third party impersonates a user vis-à-vis the bank must clearly not be allowed. In the interest of TPP developers and in line with a harmonised pan-European SEPA vision, the variability of standards across Europe should clearly be minimised. A developer should be able to write an application that works across all European banks in a harmonised way (avoiding individual interfaces for each of the approximately 7,000 banks). The TPP should contract (for reasons given before) with contract aggregators, speaking for and bundling banking groups across Europe, to avoid having to negotiate with each bank individually. The above rules and control are imperative for account access to work and CAPS can provide some cornerstones of a framework within which the full potential can be unlocked. This controlled access to specific payment services – as opposed to a free access to all data and settings and information on an account suggested with the term ‘access to account’ (often abbreviated ‘XS2A’) – is infinitely safer. CAPS is therefore overall better for users compared to the current situation where online banking credentials are passed on to often unregulated third parties who can then potentially do everything on the user’s account. Thus the maybe misleading and potentially dangerous term ‘XS2A’ should indeed be dropped in favour of the safe ‘CAPS’.
The future is already happening
Although even this controlled access to payment accounts by third parties may sound very disruptive and futuristic, there are already some examples from the payments industry that today demonstrate this potential of open innovation. PayPal opened up its services to the developer community in 2009, allowing developers to leverage PayPal assets for innovative services. Indeed PayPal actively invites third parties to develop new and creative ideas on how to use their payment services – they even host developer conferences and sponsor competitions to energise the payment market. The provision of the PayPal payment APIs, supporting tools and a community network has already led to some interesting services, including Venmo, Playspan or Expensify. Not only new innovative TPPs are attracted to this: the API has also enabled more traditional payment players (Discover, Moneygram) to deposit / withdraw funds easily to / from PayPal. Coinstar counting machines, found in many US supermarkets, allow the coins deposited / withdrawn to be added to / taken out of PayPal accounts. Greendot (prepaid voucher cards) and many more specialist developers are jumping on this opportunity to grow with PayPal. PayPal already has several hundred partners enrolled and is known to be in talks with Google, Facebook and large internet and mobile players to allow their services to be charged to / from PayPal (rather than clumsily inventing their own wallets (Google) or own currencies (Facebook)).
But it is not only PayPal that has understood the potential of opening up. Selected banks are also active in the field: they have signed contracts with independent developers and make their apps available to bank customers. These developers create new applications in less than three months.
CAPS will allow for secure and convenient use cases. Instead of laboriously entering credit card details, card verification value (CCV) numbers, 3D secure codes, home address, and the title of the registered name etc, the consumer could simply see a screen that:
- Asks: “Approve €24 for 2 tickets to Hamlet at Court Theatre on 24 January 2014 at 8 pm?”
- Allows the consumer to click “Pay” [2].
- And that’s it.
Figure 1: Sample use case - “now” and “future with CAPS” (source: author).
When paying within an app, the consumer will need to provide their bank credentials once and can grant permission for this app to access the balance on any future occasion. There are many more – to be highly controlled – services one can think of:
- Balance query across multiple banks by the consumer to get instant ‘net worth’ status and allow better cash balancing / management across accounts.
- Option to issue an electronic mandate, or indeed a more general signing service.
- Information request that builds on online banking credentials to authenticate the consumer in wider non-banking scenarios, i.e. reliance on electronic identification (eID) rather than the current dozens of user identifications and passwords normally managed by an individual.
- Provide a bank-verified postal address to the merchant, or the consumer’s bank-verified age (as opposed to the current ridiculous “I am over 18” button click), the mobile number or other pieces of data in a secure and controlled way – always under full user control.
These, and possibly other, services provided by TPPs would solve many problems in the current e- and m-commerce landscape and, consequently, offer significant added value to merchants. Consumers would benefit from increased security and convenience. Ultimately, CAPS would boost the online economy as a whole.
The Commission’s PSD2 proposal answers some questions but creates others
The Commission’s PSD2 proposal lays the foundation for CAPS in many ways. Articles 58 and 59 clarify that access to payment account information will need to be granted, including checking and card accounts. The forthcoming PSD2 will define new actors in the payment space, i.e. TPPs offering payment initiation services to consumers and merchants, and will include these TPPs in its scope. These TPPs will therefore need to become licensed and registered and be subject to security and consumer protection requirements similar to banks insofar as the PSD is concerned. This is an important step towards a safe and level playing field in payments. The TPPs will be obliged to refund the amount in case of unauthorised transactions, take full responsibility for the parts of the transaction under their control, ensure the user has full control of information accessed and refrain from storing these or passing them on. In general, the proposed PSD2 is now extended to cover all transactions made through IT devices (mobile, internet etc) which were previously exempted. Also, the proposal explicitly mentions charges related to account access, implying it allows account access to carry an appropriate price [3].
In general the requirements for third parties to enter the payment space without endangering customers or the financial system are:
- They are regulated (under PSD2 / certified).
- They are contracted (with bank, merchant including liabilities).
- They are secure (cf. recommendations developed by the European Forum on the Security of Retail Payments (SecuRe Pay) [4]), preserve privacy, and are reliably identified (no impersonation).
- They are fully under user control (allow who to see what).
- They pay fees (to compensate other parties providing the infrastructure used, new service development, customer service, conflict resolution and / or first point of contact).
With regard to the bullets above, there are still some areas where further clarification is needed. First and foremost, no cornerstones for contractual agreements between banks and TPPs have been specified. A legal framework will however definitely be required to specify, among others, liabilities, contact points, fees, redress procedures, harmonised communication, and dispute management in the interests of all market participants.
A wealth of opportunities – with potential to benefit all parties
The emergence of overlay services building on bank infrastructure has led to a very layered online payments landscape. Several overlay service layers have driven a wedge between the consumer and the bank, sometimes easing the way consumers pay, but often confusing them with multiple virtual accounts, wallets, passwords and so forth. Banks are clearly being disintermediated in online payments and need to act. The underlying conviction is that a world where both transaction volumes and customer value are maximised is one with a key role for banks. Providing a controlled access to the bank account can help reduce and simplify the multiple layers observed today and provide new value to both banks and alternative providers. The value creation potential is seen across the board. Merchants have been looking forward to this and demanding it unequivocally [5]. According to the Payments Innovation Jury Report 2013 [6], the experts who contributed to the report identified the availability of open APIs as a key technology trend driving innovation in payments (see figure 2). Given that we already witness over 300 e-payment mechanisms in Europe today, innovation and competition will likely explode thanks to CAPS in the years to come.
Figure 2: Innovation expected by experts: open APIs large driver (source: The Payments Innovation Jury Report 2013).
The disruptive potential and business opportunity from opening up accounts to third parties is not to be underestimated. New revenue streams will evolve and given the past history of open systems we expect that banks themselves will benefit (indeed may be the main beneficiaries) from this dynamic environment – if they position themselves in a timely and proactive manner. It is fruitless to wait and see, or to try and resist until being forced by the regulator to open up in a way that might not be in the best interest of consumers, merchants or banks. If open access is an inevitable step, then banks should act now to secure a vital role in the future of payments. It is not about fighting for a larger slice of a given pie, but about jointly growing the cake with the potential to make all parties better off. Banks could benefit from this by cooperating with the market and the regulatory authorities in order to get the rules right (and that includes the currently critically missing contracts and fair revenue sharing), positioning themselves on the value chain, designing their own service offerings, and seeking partnerships with TPPs. 'Coalitions of the willing' between banks, TPPs, merchants and other market players are now being formed to encourage and shape this new environment. All this can lead to an open yet controlled and secure environment where banks and other payment service providers, merchants and customers (payers) are the joint winners and, as has been shown also in other industries, much better off than today.
Dr Michael G. Salmony is Executive Adviser at Equens SE. He also represents individual countries, banking consortia and international industry sectors, respectively, within such bodies as the European Commission, the European Payments Council and the European Association of Cooperative Banks. Previously, he was responsible for the application of innovation to business value at IBM. Today, he focuses on the internet and financial services space.
References
“The Future is Open”, Jonathan Rosenberg, Think Quarterly - The Open Issue, Google, October 2012. “In 2009, Jonathan Rosenberg, then Google’s SVP of Product Management and now an advisor to Google management, wrote a memo outlining why open companies would win the future. Today, however, he finds a world that has outstripped even his wildest expectations.”
Joint “Position Paper on the Issue of Access to the Payment Account” by Consumers (Consumentenbond), Merchants (Thuiswinkel), leading payment scheme (Currence), National Bank (De Nederlandsche Bank) and Nederlandse Vereniging van Banken, April 2013
“A Dual Consent Approach for x-Payments”, Ron Berndsen and Daaf van Oudheusden, De Nederlandsche Bank, Amsterdam, April 2012
"Why is the Use of Cash Persisting? Critical Success Factors for Overcoming Vested Interests", Michael Salmony, JPSS Journal of Payments Strategy & Systems. Vol 5 No 3, April 2011
Related articles in this issue:
PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits). EPC identifies considerable scope for amendments to European Commission PSD2 proposal
PSD2: European Parliament Economic and Monetary Affairs Committee (ECON) Draft Report Introduces Improvements and Reveals the Need for Further Clarifications, Says Payments Regulatory Expert Group. Recommendation is to allocate sufficient time for the EU decision-making process on the PSD2 proposal to ensure best possible outcome
Related articles in previous issues:
Analysis of Selected Aspects of PSD2 Reveals: There is Considerable Scope for Clarification. A closer look at PSD2 with regard to the payer’s refund right and the introduction of third party payment service providers (EPC Newsletter, Issue 20, October 2013)
The Long Awaited Arrival of PSD2: a Summary of Some of the Key Provisions and Issues. The proposed changes could have a significant impact on the European payments market (EPC Newsletter, Issue 20, October 2013)
On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services. Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two (EPC Newsletter, Issue 19, July 2013)
European Commission Published 'Payments Legislative Package' on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions (EPC Newsletter, Issue 19, July 2013)
Committee on Payment and Settlement Systems’ Working Group Publishes Report ‘Innovations in Retail Payments’. Central bank research identifies market trends and elements geared to assessing what an innovation-friendly environment should look like (EPC Newsletter, Issue 15, July 2012)
EPC Newsletter: Articles Published in the Section ‘Opinion and Editorial’
[1] The proposal amends Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repeals Directive 2007/64/EC.
[2] Or whatever security regime is agreed with the bank. This will in future be governed both by the SecuRe Pay recommendations of the ECB and whatever arrangements the bank makes with its customer. This can range indeed to the simple “pay” button if the user/his mobile is known and the risk/amount is low - up to a fully-fledged n-factor authentication for first-time usage with high risk/amounts/new clients. In this context it is critical to strike a balance between risk/security and usability (especially on the mobile – which on the one hand discourages long interactions, questions use of further external physical security devices – but on the other hand offers some unique identification and verification factors within the mobile such as location, sensors, personal identifications, behaviour patterns, preferences etc).
[3] Compare PSD2 Articles 39, 72.2 and 82.2. Also merchants agree to a fair apportionment of value, even for basic services e.g. "banks could charge a reasonable fee for the yes/no service" according to EuroCommerce 'Basic Payment' Paper of August 2012.
[4] The SecuRe Pay Forum was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.
[5] “new non-banking providers must have secure access to account data” says the EuroCommerce position paper 2012, “web merchants encourage banks to ‘open up their accounts’ for third party merchant services, fostering innovation and competition” says E-commerce Europe 2012, and two of the top 10 requirements of the E-Payments Merchant initiative are “international and interoperable OBeP solution based on SEPA” and “clarity on the status of overlay banking services (security vs competition) and required standards”.
[6] Payments Innovation Jury Report 2013: http://www.ixaris.com/content/payments-innovation-jury-report-2013.