European Banks Face Risks In Race To Implement PSD2
Banks and their customers have so far noticed little impact from the EU's second Payment Services Directive (PSD2), which came into force in the European Economic Area (EEA) on Jan. 1 last year. The full potential effect of PSD2--designed to boost competition and the variety of products in the payments space--will only materialize on Sept. 14, when banks' technical implementation needs to be in place. We see imminent and significant threats to European banks from PSD2, but also some opportunities. To navigate the changes successfully, European banks will first need to act swiftly to ensure technical compliance with PSD2 over the next few months. But, in a second step, we believe they will also need to develop a sound digital strategy that incorporates PSD2, so as to remain competitive and at the forefront of product innovation in financial services.
PSD2 establishes the regulatory framework for the creation of a single, open, innovative, and competitive market for payments in Europe. The directive's goal is also to strengthen security in the payments ecosystem. In essence, PSD2 allows third-party providers (TPPs) such as fintech or big tech companies (Google, Amazon, Apple, or PayPal) to initiate payments on behalf of bank customers from their bank accounts. It also permits TPPs to access customers' financial account information to analyse their spending patterns and financial capacity. The introduction of PSD2 will therefore potentially enable TPPs to compete with banks by offering customized or innovative digital financial services to bank customers, provided that customers explicitly give their consent.
Tech Competitors Are Piling In
PSD2 has already brought new participants to the payment services market. These competitors will undoubtedly encourage the development of innovative payment services and help to improve efficiency, transparency, and security in the payment markets. According to the latest European Banking Authority (EBA) data as of April 2019, 891 payment institutions and 53 account information service providers were registered under PSD2. The largest proportion of these are in the U.K., followed by France, Germany, and Poland (see chart 1).
National authorities remain responsible for authorizing a provider for the provision of payment or account services. Once granted, however, this permission can also be transferred to other host states where the provider intends to offer payment services. We nevertheless believe that many customers may be reluctant to share financial information with new and less established service providers, as they may initially raise security and data confidentiality concerns.
Tight Timeline For Technical Implementation Opens Up Risks
PSD2 officially went live more than a year ago in January 2018 after all EU members transposed the directive into national law. At the same time, the directive also empowered the EBA to develop regulatory technical standards (RTS) on customer identification and communication. These aim to establish rules that create a level playing field among all types of providers, thus ensuring technology and business-model neutrality. The final version of the RTS was published in the official EU journal on March 13, 2018. This date also saw the launch of the 18-month technical implementation phase--meaning that PSD2 will finally become operational on Sept. 14, 2019.
While European banks still have a few months to reach technical compliance with PSD2, the timeline remains tight, in our view. Banks are having to develop dedicated application programming interfaces (APIs) to fulfil the regulatory requirement to allow third-party providers access to customer accounts. Data provided via those dedicated APIs can be used by third parties only in relation to a specific service, such as the initiation of a payment. A number of European banks rely on an access-to-account (XS2A) framework developed by the so-called Berlin Group that goes back to a European initiative, while other banks have developed their own frameworks.
All European banks nevertheless face the risk that their APIs do not meet the service level targets set by the RTS. Should that be the case, the directive would require banks to provide TPPs access to their customer-facing interface instead. This ultimately means that, if a customer uses a third-party service, the TPP could access bank accounts on behalf of customers, effectively by pretending to be the user (a practice known as screen scraping), to initiate a payment from the user's account.
Screen scraping is not a new concept that came along with PSD2. For many years now, TPPs have offered account aggregation and personal financial management services to bank customers by utilizing screen scraping. There is generally no direct contractual relationship between a bank and a TPP, and access to customer data does not require the consent of banks. Data extraction via screen scraping is largely unregulated. This raises privacy and security issues because bank customers effectively share login credentials, including passwords, with TPPs. There are no effective controls to prevent screen-scraping tools from theoretically copying all available customer data.
A Threat To Banks' Revenues And Customer Relationships
Customer relationships could be usurped by third-party providers that could build customized account management and transaction services via platforms. We see two main threats to banks in Europe. First, by allowing external parties to initiate payments on behalf of customers, PSD2 has the potential to change the traditional acquirer-issuer card-based payment model. The introduction of PSD2 has already facilitated the entrance of a number of fintech and big tech companies into the European payment space, mainly by offering convenient payments and digital wallet services with innovative functions through digital platforms and mobile apps. A strong trend toward account-to-account transfers could effectively remove banks from the value chain in many payment transactions, with a material impact on revenues from payments. We believe that card issuers have the most to lose because they currently generate a sizable portion of earnings from transaction revenues, specifically interchange fees.
We nevertheless recognize that growth in card payments in Europe has been strong in recent years and will likely remain resilient for some time to come. We believe users find credit card payment convenient enough to prevent them from moving quickly to alternative mobile payment services. Banks often even remain part of the value chain in mobile payment services through smartphones, as credit cards issued by banks are used as the funding source. However, in Germany, PayPal, Google, and Mastercard have implemented a mobile payment service that effectively removes banks from the value chain. Customers can add their existing PayPal account to Google Pay as a payment method, where a digitized debit Mastercard is generated automatically. This leaves the banks with relatively narrow fees when funds are moved between PayPal and bank accounts.
The second main threat to banks from PSD2 is that it has the potential to disintermediate traditional banking relationships. Aggregation in financial services is becoming increasingly important in open banking, and banks could lose customer proximity when customers increasingly manage their finances through third-party applications. This could reduce regular direct customer interaction and negatively affect the banks' ability to cross- or upsell their most income-generating products. It could ultimately leave the bank in the position of providing highly commoditized and competitive products, such as loans and deposits. If banks lose control of their customer relationships, they effectively become wholesalers for at least some of their customers.
An Opportunity To Innovate And Partner With Fintechs
While many European banks consider PSD2 a potential threat to their franchise, it may also offer them opportunities, not only by establishing a centralized platform for payment services or by becoming data aggregators themselves. Another positive is that PSD2 now allows banks a more detailed analysis of their own customer data, which will help them gain a better understanding of their clients and improve their products.
We also consider PSD2 an opportunity for competitive differentiation. A powerful API that allows banks to easily partner with fintechs and onboard innovative financial services will help banks improve the customer experience. We consider larger banks in a slightly better position here, as they have the scale and IT budgets to establish a flexible API architecture that supports onboarding of external services. On the other hand, larger banks often face more challenges with heterogeneous, complex, and expensive legacy IT infrastructure compared to smaller and simpler banks.
In our view, banks could utilize PSD2 to become faster and more agile in product innovation. They could use connected fintechs as outsourced IT developers, especially for products in financial services where the banks lack the in-house talent and entrepreneurial spirit to develop their own innovative products. One of the challenges with PSD2 is to maintain a positive user experience when applying the strong customer authentication that the directive introduces. Banks have already informed many customers that they no longer consider payments by inputting login details secure enough, and will require two-factor authentication at the latest once PSD2 becomes fully operational.
We believe banks successful in implementing PSD2 will have the opportunity to gain market share in certain market segments. In order to monetize their valuable customer data and significant investment in API architecture, banks could also offer additional services beyond the minimum regulatory requirements set by the directive.