Starting from 14 September 2019, banks and other financial institutions are required to share customer banking, transaction and other financial data for free with so-called third-party providers (TPPs), provided the customer grants explicit consent. This is achieved through the use of technical interfaces, i.e. application programming interfaces (APIs). These APIs are intended to enable TPPs (including financial service providers and FinTechs) to create efficient and client-tailored banking solutions.
PSD2 outlines two new types of regulated TPP that will be granted direct access to customer accounts: Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP). Banks and similar institutions are referred to as Account Servicing Payment Service Providers (ASPSP) to emphasise the difference between institutions that hold customer accounts and new players that merely access them. PISPs would be allowed to issue payment instructions and initiate online and mobile banking directly from customer accounts, so long as they have the customer's consent. This can lead to the reduction of fees related to online card-based transactions, the ability to collect cash more quickly (through SEPA Credit Transfer Instant or Classic) and better liquidity. AISPs, on the other hand, would be able to access customer data with the customer's consent to provide an overview of a customer's payment account with a different bank in one place.
Further applications of Open Banking could facilitate the process of switching from one bank account to another or finding the best financial products. It could also assist visually impaired customers, help small businesses save time through online accounting and assist with fraud detection. Many FinTechs are currently developing or already offering new types of services based on their access to bank transaction data.
While Open Banking may result in better customer service, lower costs and better technology, it could also pose threats to traditional banking models, because banks may find themselves pushed into a position where they increasingly serve merely as a banking infrastructure provider rather than a full banking service provider. However, banks could see it as a strategic opportunity to differentiate themselves by providing more choice and innovation to customers by collaborating with TPPs.
Despite the promising prospects, Open Banking is not without challenges. Because many detailed technical specifications of the APIs are not yet sufficiently harmonised, reports show that access to client data by TPPs via the APIs is currently impaired or often does not work seamlessly. Also, the obligations regarding strong customer authentication (SCA) and their differing implementation at various credit institutions can make it difficult for AISPs in particular to gain access to the data of a single client's bank accounts held at different credit institutions (see our detailed blog article on SCA).
Similarly, some issues still need ironing out on the regulatory side. Because the PSD2 APIs were supposed to allow secure access to data from 14 September 2019, TPPs should not have been permitted to access customer interfaces using the rather insecure former access method of "screen scraping". However, in the course of an evaluation conducted by the Austrian Financial Market Authority (FMA), it turned out that the APIs put in place (and the implemented contingency mechanisms) still have certain deficiencies, which in certain circumstances prevent proper data access by TPPs. Also, the functioning of contingency mechanisms could not be safeguarded in all circumstances.
As a result, and in the interest of the seamless functioning of data access and payment transactions, the FMA has decided to grant a further transitional period and to continue to accept the use of the former access methods (e.g. "screen scraping") by TPPs until all technical difficulties have been resolved.
Authors: Matthias Pressler, Viktoria Stark