The PSD2 compliance clock is ticking, but help is at hand
For those banks struggling with the complexities of PSD2, help is at hand, says Aleksandar Milosevic at financial technology solutions provider Asseco.
Many banks, particularly small and medium sized ones, are running late with their preparations for PSD2. It has been common to underestimate the work involved in compliance but the clock is ticking, with the deadline for testing being March 2019.
While large banks have typically assigned the necessary budgets and resources to PSD2, often taking a strategic view and seeing it as an opportunity for open banking, many of their smaller counterparts view it from a pure compliance perspective.
As such, there has been a tendency to delay appointing partners, perhaps to try to do it themselves, and certainly to keep the investment and effort to a minimum. However, in so doing, they have underestimated the task in hand.
There is the challenge of understanding what’s needed. The regulators have sought to be technology-agnostic so there are a lot of guiding principles rather than precise requirements which, from the outset, has caused issues with interpretation.
Second, as PSD2 touches on different areas, including security, fraud prevention, payments and digital channels, there are numerous stakeholders who need to work together. This has meant some things have fallen between the cracks, with requirements overlooked.
In part due to marketing by providers of API management systems, there has also been a common assumption that such offerings would solve most of the requirements. In fact, an API management system is no more than a foundation, with a lot of effort needed to build on top of this.
In South-East Europe, subsidiaries of Western European banks have sometimes had centrally sourced API management systems pushed on to them and this has exacerbated the problems.
Reflecting the complexities, a large European bank which operates across the globe, recently put its PSD2 compliance costs at around €35 million, with an additional €15 million for non-compliance needs, including refreshing systems and gaining third party provider (TPP) status.
Strategically, some banks also view this as the moment to refresh their mobile and online banking offerings as they can see the battle for customers will be around convenience. Others are working on adding new services beyond the regulatory scope, such as API-based payments options that would allow businesses, such as large retailers, to reduce their dependency on credit and debit cards.
The first thing we did was to take in all of the details. This included the 300 pages or so of dry regulations, plus opinion papers and guidelines. We joined the Berlin Group European Standards Initiative and have been active participants, including becoming part of the group’s implementation-focused Next Generation Implementation Support programme.
Distilling all of the expertise that we have built up, it became clear that API management is only part of the picture. That has directed our strategy towards a comprehensive, integrated solution. It spans API management, with developer portal and testing tools, plus specific PSD2 support that is missing from generic offerings, such as management of PSD2 certificates and support for a directory of payment service providers. Also integrated is security, including two-factor identification, and fraud monitoring.
We are complying with the complete specifications of the Berlin Group and will seek certification as soon as this is available.
We also appreciate that time is running out so from January 2019 we will offer the solution on a Software-as-a-Service (SaaS) and cloud model. This will allow banks to subscribe to the service if they want to keep their infrastructure and implementation workloads to a minimum.
This model would allow banks to meet the March testing deadline, with further work then able to continue, such as integration with core banking systems, which is not needed for the initial test phase.
While we have plenty of SaaS and cloud clients from our existing four service centres, we are partnering with Microsoft for the new cloud offering, using its Amsterdam and Dublin facilities, to comply with EU data sovereignty rules.
PSD2 is a challenge but, even for those that are late in their preparations, there is still time to meet the deadlines if they act now. It is complex, it does require compliance, but it is also an opportunity – which other banks will take, meaning it is important not to be left behind.