Community

I reckon I can answer most of these, just contact me under ro@paypractice.com.

Rather than reinventing Open Banking, the UK should have looked at other EU countries practicing it for over 10 years already and having very successful bank-agreed payment execution services (PES) and bank-independent payment initiation services (PIS).

Listening to their advice and not taking the worst of both worlds, would have helped to understand the difference between the two and what needs PSD2 licensing and what not.

Rather than prescribing a “user experience” it is of paramount importance to leave this area to innovation and competition. After all, that’s the whole point of Open Banking!

The UK version of Open Banking forces customers to do all the authentication and authorisation themselves using the bank's user interface.

Replacing screen scraping with APIs is great, but depriving TPPs from acting on behalf of the customer and automating the payment flow defies the whole point of PSD2 and throws the baby out with the bathwater.

The user experience is the key element here and any single unnecessary screen or click can kill the take up. Don't expect mass adoption as long as consumers are redirected back and forth and have to go through more than one screen.

Open Banking, at least in the form of PSD2, wasn’t designed to eliminate credential sharing. It was designed to secure this common practice by bringing it under a licensing regime to ensure that credentials stay safe within supervised and security audited financial institutions. This is to allow licensed TPPs to own the front end and compete in providing the best user experience and most compelling services. Open Banking in the form of bank-redirect services like iDEAL, MyBank, giropay, etc. do not fall under PSD2, because they do not need that level of supervision, exactly because they don’t use credential sharing. Open Banking, as designed in the UK, should fall into that latter category, because it allows the banks to control most of the user experience, at least from a PISP perspective. I would argue that users are actually initiating the payments themselves in that case, meaning that the use of OB UK should not need a PSD2 license either. Why burden UK OB PISPs with all that regulatory overhead, if they don’t have to secure anything and can’t do anything different to PayByBankApp aka Zapp for which no license is required? Many more TPPs would enter the UK market if UK OB was either license free or would allow them services, which do not require a redirect to the bank’s website or app.

Because the EU authorities (rightly!) decided to bring such activities under regulation so that they can get i) security audited before getting the license, ii) supervised on an ongoing basis to ensure that credentials are not abused, iii) forced to obtain a liability insurance, iv) mandated to identify themselves, so that banks can deny non-licensed access, and v) everyone must now use SCA, so that the sharing of static credentials (first factor), which are not secure anyway, is now secured with a second factor.

A 5-click, 5-screens payments flow, redirecting users around web sites, is not a compelling proposition and if TPPs are not allowed to do better, then they can't compete against existing bank-owned APMs of that type.

Originally, it was the whole idea behind PSD2 to secure a MINT type business, not to kill it.

When comes the day when people will finally understand the difference between credential sharing and screen scraping? And please note that PSD2 allows credential sharing and redirects, as well as screen scraping and APIs.

Google “push vs. pull payments” pand you will find all the good arguments why push will win over time. Yes, it will take a while, but push is just more efficient and secure. ‘Pay by Bank’ app looks better than Open Banking (at least for now) and you don’t need a PSD2 PISP license to offer it.

You got it! And I can only hope that many other banks will realize the same and push the PSD2 API initiatives currently under way towards providing much broader functionalities than needed for an MVP!

Currently, and for the last 15 years, TPPs have had flourishing businesses in most EU countries, because they offer services, which their customers‘ banks don’t. Now we are forcing them to get licensed and use new APIs provided by their (competing) banks. Gift horse? The least we must do is to ensure that these APIs provide better not worse data to them so that customer offers can be improved not worsened! This „Future of European Fintech“ alliance is trying to achieve just that and that their „horses“ are not beaten to death.

I bet they use screen scraping like 99% of similar apps. It is incomprehensible that EU regulation seriously considers banning such technology. PSD2 was not build to ban it, but to improve its security by requiring licensing/supervision, audits, identification towards the banks and strong customer authentication. APIs may take over over time, if they work well, but the world has not yet seen one offered for free to competition. This is a completely new concept and it is questionable - to say the least - that banks will make it easy. Elevators were build in addition to staircases not to replace them - same here. If regulators want to start banning successful technologies, which have risk elements, they should better put their eye on nuclear power or AI.