In a recent dialogue, the EBA said of the PSD2 open banking regulations: “Ignorance of them can of course not be used to justify non-compliance”, further adding: “Non-compliance amounts to a breach of law, with the resultant consequences for the legal entity.”
With that in mind, and with the March 14 2019 deadline less than 6 months away, by which all Financial Institutions offering an API solution that allows Third Party Providers (TPPs) access to end user transactional account data must have it available for external testing, we can’t help but wonder whether Prepaid and Debit Programme Managers (PMs) fully understand what they need to do in order to be ready.
BIN sponsors will, in almost all cases, push the regulatory responsibility down from themselves to the Programme Managers. The reality is therefore that the timelines are likely to be even shorter: we can assume that PMs will need to provide proof of compliance to their BIN Sponsors, and the BIN Sponsors will almost definitely require documentary evidence of compliance with PSD2 open banking before we reach the March 14 2019 deadline. In addition, to avoid implementing a fallback mechanism, an exemption certificate will need to be obtained from the National Competent Authority. As the BIN sponsor is the regulated entity, it will need to work with the PM to obtain this prior to March 14.
So, here are the key things that a PM will need to implement to ensure they are PSD2 open banking compliant.
Firstly, there are two options available to the PM: they can offer an API solution, or alternatively offer a dedicated interface for TPP approval. Each option has slightly different requirements:
Option 1 – API solution
1. API interface - live for six months prior to externally going live
2. Exemption certificate from NCA or fallback option
3. SCA solution
4. TPP regulatory checking
5. eIDAS Seal Certificate checking if operating in Europe
6. Access token issuance
7. Management of Consents by PSU
Option 2 – Dedicated interface: Not API
A key area of complexity for the PM is TPP identity and regulatory checking, as they must only provide data to registered/approved TPPs, no matter how they access the data – via the API or dedicated interface.
But how can they tell if a TPP is approved? This is an additional challenge, as there are over 100 databases (31 National Competent Authorities and over 70 eIDAS Qualified Trust Service Providers) that need referencing, and unfortunately for the PM none of them is currently online or real time.
These are just some of the challenges Programme Managers face as they work towards meeting their PSD2 requirements.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.