In our last PSD2 update we discussed how the current implementation guidelines could potentially make things very difficult for third party providers: the AISPs and the PISPs*, even when one of the key aims of the new regulation is to increase competition in financial services, by creating a more level-playing field.
To recap, the issue was that, as things stood, new TPPs would have to individually integrate the APIs of every single bank within their market, if they hoped to provide a comprehensive service to their customers. This would of course be a time-consuming and costly process. Furthermore, in a last-minute surprise, the European Banking Authority decided to ban screen-scraping (the technology currently used by AISPs) under their final draft of the new regulations.
There have been a number of interesting developments over the past few months, but in the end (or at least to date) the situation remains essentially unchanged.
The screen-scraping AISPs were naturally very unimpressed with the fact that their business model was to be potentially wiped out with the stroke of a pen. They argued that there has been no reported case of fraud involving a screen-scraping AISP (despite the fact that users have to provide bank login credentials to them). They found support from the powerful European Commission who asked the EBA to review their decision and to maintain screen-scraping as a back-up in case the API access proved to be too restrictive. The European Banking Federation hit back, arguing that the ban should be retained.
The EBA’s final decision came down on the side of the banks as they argued: “The EBA is of the view that imposing such a fallback requirement would go beyond the legal mandate given to the EBA under Article 97 PSD2. The EBA is also sceptical about the extent to which the proposed amendment would achieve the desired objectives and efficiently address market concerns. Indeed, the EBA has identified a number of risks that would arise were PISPs to implement the Commission’s proposal.”
Ultimately, the final word will rest with the European Commission because while the EBA was mandated with creating the Regulatory Technical Standards, it is the EC who has to sign off on them, and they have the power to make changes before doing so.
We’ll have to wait and see.
On the APIs themselves, one interesting development was a proposal by the Berlin Group that a single standard for API access to bank accounts be created. This group does include some heavy-hitters from the European payments space including large processors, card schemes and clearing houses, but it is noteworthy that the membership includes almost no banks, despite it being open to them.
Their NextGenPSD2 Initiative will provide “an ‘Access to Account Framework’ with Operational Rules and Implementation Guideline documents in the Autumn of 2017”.
*AISP: Account Information Service Provider. PISP: Payments Initiation Service Provider