PSD2 RTS – What is worth waiting for…


Markus Orth, Director Business Development, APIIDA AG

Following England, Italy and other EU countries, the German BaFin has now also indirectly adjusted the deadlines for the implementation of the delegated regulation supplementing the PSD2 Directive, and industry, trade and banking associations are falling over each other with comments on this intervention. The stated aim of the Directive is essentially to simplify payments, to promote competition and to improve consumer protection. But will it live up to that?

The revised Payment Services Directive has been transposed into national law throughout Europe since 13 January 2018 – at least in most European countries. Only 3 of the 28 countries have not fully transposed the Directive to date. [1]

While the Directive itself, with its 117 articles, already had to be interpreted with respect to its impact on and implementation by banks and payment service providers, this is even more true of the supplementary Regulation on Regulatory Technical Standards (RTS), which was published more than a year later, in March 2018. Numerous additions, comments and extensions have followed to date, attempting to fill in the technical details of the RTS and to ensure reasonably consistent usage for regulated third parties. Even without a further qualitative review of the test environments provided on March 13, 2019, it was observed that the majority of banks did not meet the timeframe set, in some cases with strong national differences. [2] Initiatives such as the Berlin Group standard on the NextGenPSD2 XS2A application protocol and the related NextGenPSD2 Implementation Support Program (NISP) have been seen as a promising approach to overcoming regulatory deficiencies.

A few weeks before the technical standards for two-factor authentication and the dedicated account access interface take effect on September 14, 2019, what many experts feared is becoming obvious: banks are unable to introduce the requirements with all their exception rules and options. In some cases, these are also implemented in very different flavors, so that even the conformity review and admission process by national supervisory authorities becomes a major feat. Fintech service providers face the challenge of having to address interfaces that are sometimes implemented inadequately and non-compliantly. As the last link in the chain, retailers complain about too little time to implement the new payment methods and the authentication process. Fears are voiced that European payments are in dire straits: customers of online retailers may cancel their purchases on a massive scale.


Why is that?

With regard to the timely and compliant provision of the technical interfaces, the technical and process complexity was massively underestimated by the affected parties. Largely open standards, different implementation options, a lack of standardization and ongoing regulatory clarification have all contributed to the situation. In addition, the planning, design and implementation of interface technologies (APIs) that give unknown third-party service providers direct access to the core of a bank via a public network has been new territory for many banking IT organizations. It means that formerly closed systems, which were explicitly designed to protect sensitive customer and payment information, now have to be opened up and secured online. Furthermore, the combination of the required technologies in a strongly regulated market with the legacy of banking IT did not previously exist on this scale. Even the individual elements of secure API-based access, certificate-based identification of API consumers and two-factor authentication are mastered by only a fraction of providers in terms of actual operability and in conjunction with banking and regulatory expertise.

Many institutions have either followed a “minimum compliance approach” in order to manage the risk and minimize costs, or they played the big strategic card to renew themselves and do away with outdated practices. The one is too little, the other too much. Proprietary interfaces, out-of-control project plans and stressed IT budgets are the result. Only those institutions whose IT and business departments cooperated closely, and who built up an industrial API management solution and the necessary API security mechanisms as part of their service fabric, were able to keep pace with the development of the regulatory standards.


Looking ahead

Originally, the national supervisory authorities in Europe proposed that as of September 14, 2019, European banks should offer only either a new dedicated interface or their existing customer interfaces adjusted to the RTS requirements. Now the financial supervisors, such as the BaFin in Germany, grant the banks more time for the provision, and existing interfaces may be operated unchanged for a certain term. This benefits fintech service providers, who can continue to use the existing interfaces. Conversely, it could complicate or even block cross-border payments, as countries move on increasingly different timelines.

In summary, it can be stated that the PSD2 RTS is not sufficiently binding at the technical level as far as the concrete implementation of the requirements is concerned. PSD2 has far-reaching technological and security implications for banking IT, both in implementation and in operation. After initial experience with the few test environments and market testing of proprietary implementations, more and more regulators, credit institutions, fintech service providers and IT companies are realizing that the impact of the PSD2 Directive has been underestimated. Because of the drastic changes taking place, few institutions or associations had a comprehensive view beyond the “sandbox” and were able to react promptly to necessary adjustments.




In view of the extension now granted and the still imminent implementation deadline, a standardized solution built from scalable components that have already proven their resilience and flexibility is the chance for market participants to switch to compliant, battle-hardened technology in the short term, and so avoid attracting the attention of consumers, consumer associations and regulators.