2019 is set to be a game-changing year for retail banking. As PSD2 (Revised Payment Service Directive) is implemented, banks’ monopoly on their customers’ account information and payment services is about to disappear. The new EU directive opens the door to any company interested in eating a bank’s lunch. For a detailed timeline of what should have been implemented and when, see the diagram attached below.
In short, PSD2 enables bank customers, both consumers and businesses, to use third-party providers (TPP hereinafter) to manage their finances. In the near future, you may be using Facebook, Google or another application to pay your bills, make P2P transfers and analyze your spending, while still having your money safely placed in your current bank account. It is not only the access point to this account that is changing dramatically, in line with the changed attitude of the young generation of customers who prefer online web tools for their shopping and spending. Another dimension is that newly developed tools will also help to smooth the payment agenda at the corporate level. And finally, the PSD2 initiative will sooner or later materialize in the onboarding of new customers and in the design of new approval processes for online consumer loans, which have already tapped into the banking industry.
Banks, however, are obligated to provide these TPPs with access to their customers’ accounts through open APIs (application programming interfaces). This will enable third parties to build financial services on top of banks’ data and infrastructure. Naturally, this increases the requirements for:
a) Security and prevention tools against fraud, data leaks, account phishing, etc.;
b) Allocating certain competence levels to all users who come into contact with accounts and related data;
c) Creating general and simplified rules for customer identification;
d) Improving the business and IT architecture and creating common platforms (API) that all customers would be free to use, etc.
Banks will no longer be competing only against banks, but against everyone offering financial services. PSD2 will fundamentally change the payments value chain, which business models are profitable, and customer expectations. Through the directive, the European Commission aims to improve innovation, reinforce consumer protection and improve the security of internet payments and account access within the EU and EEA. It introduces two new types of players to the financial landscape: PISP and AISP. AISPs (Account Information Service Providers) are the service providers with access to the account information of bank customers. Such services could analyze a user’s spending behavior or aggregate a user’s account information from several banks into one overview. PISPs (Payment Initiation Service Providers) are the service providers initiating a payment on behalf of the user. P2P transfers and bill payments are PISP services we are likely to see when PSD2 is implemented.
For banks, PSD2 poses substantial economic challenges. IT costs are expected to increase due to new security requirements and the opening of APIs. In addition, 9 percent of retail payments revenues are predicted to be lost to PISP services by 2020. And, as non-banks take over the customer interaction, banks may find it increasingly difficult to differentiate themselves in the market for offering loans.
This, in addition to changed customer expectations and increased digitalization, may be why we are today witnessing more and more banks experimenting with their APIs, collaborating with fintechs (financial technology companies), focusing on customer centricity and setting up innovation labs. They see this changing environment as an opportunity to distinguish themselves from other market players and to become the market leader (by offering customers more “user-friendly” applications for electronic banking services, etc.).
Introduction to framework
The entry of PSD2 requires banks to make a number of strategic choices. This is not an easy task, as the choices partly depend on how the payment/lending landscape will evolve after PSD2. It is possible to forecast some future scenarios based on three variables:
1) how domestic or European the financial market will be,
2) whether consumers will stick to traditional banks or trust non-banks for making payments, and lastly,
3) whether or not the proposed PSD2 initiatives will conflict with generally adopted business policies and rules (GDPR, for instance); if they do, banks will opt for lower (reputational) damage and risk, especially the more conservative (and traditional) institutions.
Will PSD2 unify the European market for financial services?
The globalization illusion
How global is the world today, really? Surprisingly little, many might say. As figure 1 shows, we rarely interact with people abroad. And regarding financial services, as few as 3 % of European consumers have bought banking products from another EU country. Of course, many consumers have a relationship with a bank originating from another country, like Danske Bank in Norway and Santander in Portugal. But then it is usually Danske Bank’s Norwegian subsidiary and Santander’s Portuguese subsidiary, and it is therefore not considered a cross-border relationship.
Figure 1: Infographic showing average level of activities across borders. Source: Ghemawat.com
You might think that this is because the services and prices are homogeneous, so that it does not ‘pay off’ to look beyond the borders of your current country. But the statistics in figure 2 show otherwise: average prices of four consumer finance products vary greatly from country to country. Despite this, consumers do not seem to have cross-border bank relationships.
Figure 2: How financial product prices differed across Europe in 2018. Source: European Commission
So why is it like this?
A survey conducted by the European Commission revealed that 80 % said they would not consider buying a financial product in another EU Member State in the future because “they can purchase all the financial products they need in their own country, or they prefer to do so”. This shows how far from a unified market the EU really is. We view this as a consequence of the European market lacking effective mechanisms supporting cross-border banking, such as communication of its benefits, smooth on-boarding processes and harmonized regulations. Regarding the latter, the European think tank CEPS identifies differing domestic legal frameworks as the main barrier for both providers and consumers to enter a foreign market. Banks might see the costs related to regulatory understanding and compliance as too large compared to the market’s potential revenues, making investment in a new country unattractive.
Aiming to open up
The European Commission’s commitment to unifying the European market for financial services is strong, and it is working on several initiatives aimed at harmonizing the domestic regulations. For example, PSD2 lets third-party providers of financial services operate in the entire EU as long as they are licensed by their home state’s financial authority. So even though banks still need bank licenses in each country they operate in, the third-party providers (TPP) only need one. PSD2 was a response to unsatisfactory consequences following the first PSD, and we would not be surprised to see a PSD3 initiative if PSD2 fails too. The question is: if it succeeds in cutting the actors’ compliance costs related to multinational retail banking, will that be enough? We do believe that it will be reinforced by four other factors, accelerating the transformation from autonomous domestic markets into one unified European market:
1. Bigger return: As the European market grows from several autonomous markets into a unified big market, the ‘pie’ gets a lot bigger. This will attract new entrants and new services as the reward goes up.
2. Scale: It is cheaper for banks to operate in several countries when their legal frameworks are harmonized and the compliance costs are reduced.
3. Well-informed consumers: As the competition in the unified market increases, the transparency in the financial services and prices offered by European banks will increase, which in turn will equip the European consumers with improved market information. This will likely motivate the consumers to consider offers from abroad.
4. International e-commerce: Consumers are increasingly open towards online purchasing from international companies. This shopping behavior could also influence the consumers’ banking behavior.
Will PSD2 be the end of banks’ monopoly?
The traditional way to think about banking and financial services is to think about banks as the main providers. This might be explained partly by the required bank licenses that make it difficult and troublesome for new entrants to enter the market, and partly by low consumer trust towards third parties. However, with PSD2 this might change, as it will be easier for non-banks to enter the market with financial service solutions. The belief that non-bank FinTech companies will play a significant role in the future financial landscape is well established in the investment markets. Cumulative investments globally in financial technology more than doubled in 2018 and exceeded $55bln, according to Accenture research. 5 In the near future, they are estimated to reach at least an additional $150bln in the next 3-5 years.
A changing financial market
There are several reasons why the entrance of non-banks to the financial market is predicted to become easier and faster, among them: PSD2, innovation fueled by technology and changed consumer preferences.
One way that PSD2 opens up the market for non-banks is through open APIs. By using banks’ APIs, non-banks can enter the financial market without the heavy compliance and infrastructure which banks are required to maintain. This opens up the financial market to new entrants with fresh ideas about how to shape the banking experience. Some banks have already started making their APIs available. Examples are the Danish Saxo Bank, which opened up its APIs in September 2015, and Capital One, a UK based bank, which already enables affiliates to benefit through its APIs. Recently, the Open Banking API standard has been implemented for British commercial banks; it has so far been adopted by the nine largest credit institutions in the country, such as Barclays, RBS, HSBC and Santander, and the British FCA and Treasury are trying to encourage all market participants, including TPPs, to accept the standard as well. 1
Innovation fueled by technology
Innovation within technology has been moving fast. This maturity of technological development forces banks to keep up with the speed of change. Up until now, many banks have been hesitant to fully use new technology, as old business models gave them full control. This is a risky approach, as 37% of European consumers say they would change their bank if it did not offer them up-to-date technology. 2
One prediction in this perspective is that, due to the increased use of APIs, new entrants will no longer offer the full banking experience package to enter the financial market. New entrants can now focus on offering just a single service and connect to other service providers through cloud solutions or APIs. New and improved payment services are also emerging, making banking both faster and easier. Contactless payments and mobile solutions are services that technology has recently made possible.
Consumer preferences and trust
With consumers becoming more digital and mobile in their approach to companies, banks as well as non-banks will need to follow this trend. These tech-savvy consumers are asking for financial service offerings that are faster, less formal, more personalized, easily accessible and cheap. So far, non-banks have proven to meet these requirements in a more innovative and human-centric way than many traditional banks.
Consumers are slowly getting used to using non-banks for financial tasks, and it seems that this trend will only continue. PayPal has already existed for close to 15 years and has gained great consumer trust. The Swedish Tink and the Danish Billy are companies that have also gained a great market share without a banking license. And every fifth European consumer says they would buy financial products from challengers such as Google, Facebook and Amazon.
It is arguable that competition within the financial sector will increase dramatically due to the introduction of PSD2, technological innovations and changing customer demands. We see several reasons for this. One is that new entrants in the form of non-banks will get easier access to the market after PSD2. The regulation removes some entry barriers to the financial market, and hence more competitors are likely to emerge. Furthermore, customers can easily choose new financial service providers with the introduction of PSD2. This means that customers will be able to create their own collection of smaller service providers instead of choosing one specific bank for all financial needs.
In conclusion, with this increased competition and with consumers increasingly turning to non-banks for financial services, we might see exponential growth in consumer trust in non-banks in the future.
How will the change happen?
The framework we use to analyze the impact of PSD2 is based on two axes: multiple domestic markets versus one unified European market on the horizontal axis, and the presence of banks only versus banks and non-banks on the vertical axis. We can already see a distinct trend of fintechs and other non-banks emerging and taking market share within financial services. As PSD2 will increase the opportunities for companies without a banking license to enter the financial market, it is likely that consumer trust in non-banks will continue to grow.
Following our analysis, we picture that initially we will see the financial services landscape moving towards scenario 2, an open domestic market, and finally to scenario 3, a free market.
As we already today see the trend of growing trust in non-banks and that PSD2 most likely will accelerate this further, an open domestic market is a likely prediction for the near future. A unified European financial market is also a change we believe will follow PSD2. However, this may take longer as there are more factors at play here than consumer habits and what the changes in the EU directive can offer, as described previously.
A unified European market has been one of the desired outcomes for both the first and the revised Payments Services Directive for the European Commission. When the Commission wanted to broaden the scope of the first directive, it tried again with the PSD2, and it is likely that the Commission will keep improving this through a PSD3 in the future.
But what does it mean for the customer?
All these changes are intended not only to raise security measures in the banking industry to a higher level, but also to make consumers’ lives more comfortable by adopting all modern platforms. These steps are expected to lead to the creation of a “digital profile” for each customer, so that their identification will be much simpler going forward.
This creates a great deal of opportunity for external vendors and consultants who are able to develop multi-channel solutions that work on all platforms (iOS, Android, Windows) and decrease the workload of current user verifications such as SMS, digital tokens, ID calls, etc., while still respecting two-factor authentication (“2FA”) methods in line with the RTS (regulatory technical standards) and based on tested user experience. These new methods are supposed to be built on a mobile token, fingerprint or voice biometrics, which in combination with each other are totally unique and irreplaceable.
From the regulatory perspective of PSD2, not only API platforms are concerned, but also the validation of users and the authentication of TPPs against external registers. The diagram attached above shows the usual reference architecture designed by external suppliers such as Deloitte and its peers, which fully respects the requirements for (i) API management, (ii) a centric security solution and (iii) fraud transaction monitoring. 3
In the corporate world, many current procedures will also change with the implementation of PSD2: the current authentication measures for the different hierarchy levels of eligible users within a company will be transformed into more up-to-date processing, tailored for optimal security monitoring, reporting and archiving of each transaction based on digital identity.
However, as mentioned previously, the PSD2 initiative does not affect only payment solutions; to a larger extent it also affects the onboarding of new clients and transactional pre-scoring for providing consumer loans, where data on payment discipline, frauds, late payments, etc. is collected from the market. Nevertheless, this must be done properly so that GDPR rules are also respected; otherwise, sharing sensitive personal data with other market participants may constitute a violation and cause more reputational damage than benefit. It can therefore be expected that each bank will weigh its business platforms, IT and security readiness against the potential costs and penalties (up to 4% of consolidated sales revenues) 4, which may in the end slow down the process of PSD2 implementation.
On the other hand, and this concerns the GDPR rules themselves, there is considerable controversy about the definition of “sensitive” and “personal” data in relation to payments. This means that data on payments itself would theoretically not need to breach the GDPR rules; however, customer identification data is very close to personal ID data, which is considered confidential and requires the customer’s consent for storing, sharing, etc. This discrepancy may lead to some updating of the currently valid rules, or the requirements of the RTS (identification standards), which become effective 18 months after their publication in the Official Journal of the European Union, may in the end be slightly amended so as not to be in potential conflict with GDPR.
References:
1/ Lindsay White, “Why is the UK leading world in open API?”, dated January 2018
2/ Ernst and Young Regulatory agenda Updates – “Revised Payment Service Directive”, dated November 2018
3/ “PSD2 – Service offering by Deloitte Legal”, dated December 2017
4/ “EU Publications – Handbook on European data protection law, Sanctions, page 247”
5/ Accenture Newsroom – “Global Fintech Investments Surged in 2018 with Investments in China Taking the Lead, Accenture”, dated February 2019