CONNECT: Payments news from VocaLink



The PSD2 and Open API – a matter of mutual trust?

14 August 2015

Deborah Souter,
Head of Content,

The Council of Ministers recently published the final edition of the PSD2. In parallel, UK Treasury Open API consultations continue. These initiatives require the sharing of personal data, with consumer consent, on an unprecedented scale. Success is about much more than technology – it’s about building a culture of trust. Banks, aggregators and payment services providers can benefit from VocaLink’s experience of building a payments ecosystem that is founded on collaboration, competition and reciprocal trust.

Promoting competition and transparency

The Second Payments Services Directive (PSD2) seeks to improve customer choice through increased competition and innovation. One of the fundamental changes is the extension of account information and payment initiation services to third party aggregators. In parallel, the UK Treasury Open Data & API consultation requires UK banks to provide account information through API technology to account aggregators and similar service providers.

On the face of it, these complementary initiatives may seem at odds with one of the traditional obligations of banking – the safeguarding of customers’ information. Naturally, a great deal of the recent debate has revolved around maintaining security, assigning responsibilities and protecting access to customer information. Clearly there are many technical issues to resolve but ultimately the success of these initiatives requires mutual trust.

The exact detail of how these legislative initiatives will be enacted in the UK is still emerging but it is likely that UK banks will need to be PSD2 compliant by the end of 2017. This is an ambitious timetable as the challenges involve multiple banks, jurisdictions and currencies.

Impact on banks

Banks already manage vast amounts of personal data but their primary role is to protect it against misuse. Customers trust banks to respect their privacy, and confidentiality is tacit in any bank relationship. The dissemination of customer data to third parties is not something banks will undertake lightly or without careful consideration of the possible consequences, although they must comply with PSD2 itself.

Banks are acutely aware of the potential damage that can be caused by consensual data sharing that is poorly administered, say when a rogue aggregator captures a large volume of personal data and uses it fraudulently. They must trust third parties to protect and control personal data with sound data governance procedures. But banks are also aware that, if account data aggregators are successful, this may alter bank relationships with their customers.

Successful account aggregators will be able to access large amounts of consumer transaction information and leverage that information – for example, to back-price comparisons of banking products. With so much at stake, an absence of trust makes progress impossible. Given the mandatory nature of PSD2, now is a good time to start discussing roles and responsibilities.

VocaLink – building a circle of trust

VocaLink occupies a unique position at the heart of the payments industry. Many of the world’s top banks and financial institutions trust us to manage their payments in accordance with scheme rules and stringent regulations. Our systems routinely process large amounts of personal data in line with UK and EU data protection requirements and the Bank of England’s requirement for a national payments infrastructure. In practice, we cover all the essential elements that create a trusted payments environment.

Feedback from our PSD2 and Open API industry forums has enabled us to define eight ‘trust elements’ that are essential to build a successful market:

Mutually assured trust


All of the elements outlined above combine in equal measure to build a payments ecosystem founded on trust. To a certain extent they are all likely to apply to PSD2 and Open API. As the PSD2 is an EU Directive, it will be necessary for multiple organisations to perform roles like VocaLink to build a trusted infrastructure. To create a healthy market, they will need to compete and provide different service levels of different geographic coverage, creating a new ecosystem of providers.

The PSD2 and Open API initiatives are gaining momentum and we are discussing practical considerations with banks and third party providers. We would like to invite more participants to join in the discussion at our industry forums and will publish more information on the debate in due course.

To find out more, please contact
