14 August 2015
The PSD2 and Open API – a matter of mutual trust?
The Council of Ministers recently published the final edition of the PSD2. In parallel, UK Treasury Open API consultations continue. These initiatives require the sharing of personal data, with consumer consent, on an unprecedented scale. Success is about much more than technology – it’s about building a culture of trust. Banks, aggregators and payment services providers can benefit from VocaLink’s experience of building a payments ecosystem that is founded on collaboration, competition and reciprocal trust.
Promoting competition and transparency
The Second Payments Services Directive (PSD2) seeks to improve customer choice through increased competition and innovation. One of the fundamental changes is the extension of account information and payment initiation services to third party aggregators. In parallel, the UK Treasury Open Data & API consultation requires UK banks to provide account information through API technology to account aggregators and similar service providers.
On the face of it, these complementary initiatives may seem at odds with one of the traditional obligations of banking – the safeguarding of customers’ information. Naturally, a great deal of the recent debate has revolved around maintaining security, assigning responsibilities and protecting access to customer information. Clearly there are many technical issues to resolve but ultimately the success of these initiatives requires mutual trust.
The exact detail of how these legislative initiatives will be enacted in the UK is still emerging but it is likely that UK banks will need to be PSD2 compliant by the end of 2017. This is an ambitious timetable as the challenges involve multiple banks, jurisdictions and currencies.
Impact on banks
Banks already manage vast amounts of personal data but their primary role is to protect it against misuse. Customers trust banks to respect their privacy, and confidentiality is tacit in any bank relationship. The dissemination of customer data to third parties is not something banks will undertake lightly or without careful consideration of the possible consequences, although they must comply with PSD2 itself.
Banks are acutely aware of the potential damage that can be caused by consensual data sharing that is poorly administered, say when a rogue aggregator captures a large volume of personal data and uses it fraudulently. They must trust third parties to protect and control personal data with sound data governance procedures. But banks are also aware that, if account data aggregators are successful, this may alter bank relationships with their customers.
Successful account aggregators will be able to access large amounts of consumer transaction information and leverage that information – for example, to back-price comparisons of banking products. With so much at stake, an absence of trust makes progress impossible. Given the mandatory nature of PSD2, now is a good time to start discussing roles and responsibilities.
VocaLink – building a circle of trust
VocaLink occupies a unique position at the heart of the payments industry. Many of the world’s top banks and financial institutions trust us to manage their payments in accordance with scheme rules and stringent regulations. Our systems routinely process large amounts of personal data in line with UK and EU data protection requirements and the Bank of England’s requirement for a national payments infrastructure. In practice, we cover all the essential elements that create a trusted payments environment.
Feedback from our PSD2 and Open API industry forums has enabled us to define eight ‘trust elements’ that are essential to build a successful market:
Mutually assured trust
All of the elements outlined above combine in equal measure to build a payments ecosystem founded on trust. To a certain extent they are all likely to apply to PSD2 and Open API. As the PSD2 is an EU Directive, it will be necessary for multiple organisations to perform roles like VocaLink to build a trusted infrastructure. To create a healthy market, they will need to compete and provide different service levels of different geographic coverage, creating a new ecosystem of providers.
The PSD2 and Open API initiatives are gaining momentum and we are discussing practical considerations with banks and third party providers. We would like to invite more participants to join in the discussion at our industry forums and will publish more information on the debate in due course.