Berlin Group and the path to PSD3

In the European Union, PSD2 has created an important initial framework for open banking. API standardization is essential for building a fully-functioning open banking ecosystem – and the Berlin Group’s NextGenPSD2 has emerged as the leader among several PSD2 API standardization initiatives that have been launched.

Over the past few months, versions 1.1, 1.2, and 1.3 of NextGenPSD2 have been released, incorporating clarifications from the European Banking Authority (EBA) and regulators. Also, NextGenPSD2 is no longer focused solely on PSD2: the initiative has been opened up to enable FinTechs, consulting firms and software companies to contribute enhancements.

In November 2018 the Berlin Group held its second conference in Berlin, with attendees including the European Commission (EC), the European Central Bank (ECB) and the EBA. The conference discussed open questions and opportunities around PSD2 and—above all—a vision beyond PSD2.

The leading PSD2 API standard in the EU – and beyond

According to an ECB survey, there are currently six or seven different API standards as well as several national standards—but 78 percent of EU countries use the Berlin Group’s NextGenPSD2. However, the fact that NextGenPSD2 allows for different interpretations means it can at best minimize fragmentation, not remove it entirely.

PSD2 and the UK’s Open Banking regulation are regarded as blueprints for regulation worldwide. The question of API standardization also arises in other countries with open banking regulations—and the Berlin Group conference included representatives from the Middle East, Japan and the US among others.

Version 1.3 and still open questions

The most pressing questions were discussed with the EC and ECB participants. While the Berlin Group is not itself authorized to interpret the RTS, there is a thought leadership ecosystem that includes the Berlin Group, the API Evaluation Working Group, the EC and ECB. Nevertheless, ultimately only the requirements of the national competent authorities (NCAs) of the EU member states are binding. While the API Evaluation Working Group has published recommendations for interpreting the RTS, several questions remain unanswered. Here are some of the most relevant:

• Final requirements for banks regarding "authenticated screen scraping": The fallback solution requires banks to provide screen scraping on their online banking sites to third-party providers (TPP) as a stopgap solution if they are unable to provide reliable and high-performance APIs. The requirements for exemption from this fallback are defined by the NCAs, supported by the API Evaluation Working Group to specify metrics for the exemption. Currently, greater clarity is required on timelines as well as additional and specific KPIs on performance and downtimes. The EBA just recently published a final “guideline” for the exemption on December 4th, 2018.

• PSD2 RTS-compliant security procedures: There are still various interpretations among the NCAs of the RTS requirements for strong customer authentication (SCA). Some see SMS-TAN as compliant and others do not. There is no doubt that TAN and iTAN lists (paper list of one-time codes) will no longer be compliant. What about Touch ID and Face ID? 

• Various directory and registry services: The central EBA registry of licensed and approved TPPs is considered inadequate by market participants, and lacks machine-readable APIs and real-time query capabilities. Currently, there is intense competition between various TPP directory services looking to meet these needs and even provide additional information.

• eIDAS Certificates from Qualified Trust Service Providers (QTSP): After a TPP has received a PSD2 license with one NCA, this information is passed on to all other NCAs under the passporting process, making the license valid across the EU. Subsequently, TPPs with this license can buy an eIDAS certificate from any EU-based QTSP. In Germany, the federal printing office (“Bundesdruckerei”) will be offering the first test certificates early next year. Time is short and the market is currently less experienced in this space.

• TPP Registration: The PSD2 and the RTS say TPPs must be able to access APIs in a non-discriminatory way and without a contract. Is a TPP registration allowed in a developer portal or maybe even the standard? Onboarding is technically possible without direct registration via an established session between TPP and bank and the eIDAS certificate in the background, but is more complex technically. Subsequently, fragmentation is likely.

• Test Phases before September 14, 2019: There will be two test phases before September 14, 2019 – the first with selected TPPs and a test environment beginning on March 14, 2019, for three months. From June 14, 2019, for another three months, the banks must provide TPPs with access to their production systems. A harmonized approach throughout Europe is required, but different interpretations apply, with some banks favoring running the second phase on near-production test systems. On testing, the Berlin Group has launched the "NextGenPSD2 Implementation Support Program" (NISP) to help save banks from potential fallback. This program aims to generate synergies in implementation and testing for all participants.

…And the Path to PSD3

“After PSD2” and “before PSD3” – a frightening idea for many banks. There remain open questions and increasing fragmentation, which opens the path for the regulator to make improvements or introduce further measures. The conference could inspire the regulator to discuss the directions in which open banking in the EU could go, including:

• Instant payments is decoupled from the PSD2, though a closer link between open banking and instant payments could increase competition in payments services.

• Access to other types of accounts – not just online current accounts, but all accounts including credit cards, loans and more.

• The regulator could specify API standards, directory services and infrastructure more precisely to eliminate fragmentation.

• Not just open banking should be considered, but the open data economy as a whole. Other industries such as retailers, tech firms and utilities could open up as well. However, this goes beyond payments and PSD.

• Regulation goes agile – rigid regulations may no longer be suited to a rapidly-changing world.

What do we learn from this?

The next iteration of the regulation will allow much more than PSD2. To prepare, banks must understand the market dynamics, communicate their interests to the regulator and actively participate in industry initiatives and forums. A "compliance only" approach will not be enough. PSD2 is just the beginning of a complete shift in how banking will work in the future.