But as well as the benefits of ‘open data’ generally, and Open Banking specifically, there are also significant costs for firms preparing for openness. While much of the discussion has focused on the banks, the openness obligation extends to all payment and e-money institutions that offer online payment accounts. These firms, referred to as account servicing payment service providers (ASPSPs), have to meet the binding Regulatory Technical Standards on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) (the RTS) by 14 September 2019.
Among other things, the RTS sets the standards that firms offering online payment accounts must comply with when granting access to payment initiation service providers (PISPs) and account information service providers (AISPs), collectively known as third party providers (TPPs).
Remember that time is a critical factor here. Whatever option you choose in terms of your interface, you must make it available for testing by 14 March 2019. That is only seven months away. So, if you haven’t yet started your preparation, you really need to get moving.
So, there is a key decision you have to make.
Do you want a smartphone or an old Nokia?
What we mean by this is that you must pick which type of interface to use: your current interface with payment service users (PSUs), or a dedicated interface specifically for TPPs. The legislation shies away from calling these interfaces what they really are: open APIs (dedicated interface) and screen scraping+ (PSU interface).
The smartphone (open APIs) is new, modern and has a lot of potential.
The old Nokia phone (screen scraping+) has proven reliable, and is robust and cheap; however, its potential is waning.
Both do exactly what you need them to - allow communication - but there are differences you need to consider.
The type of interface you are going to use to communicate with TPPs is a major business decision you must make, and soon.
Why would you choose to use a dedicated interface, apart from the fact that the FCA has voiced a preference that you do?
The first and most obvious reason is it introduces your business into the open banking ecosystem. This system, at the moment, benefits TPPs most. However, it is a system in which both ASPSPs and TPPs can prosper. While only some payment service providers, including banks and new players, will add AIS or PIS into their business model, acting as both an ASPSP and a TPP, there are other benefits to being part of this ecosystem.
PSD2 grants a lot of power to TPPs and, as such, these institutions can either benefit or hinder your business. TPPs can and will recommend certain products to customers, and if their APIs can communicate with your API easily and in a standardised manner, they will, effectively, advertise your business.
Secondly, it gives you, as the ASPSP, the power to limit the data that the TPP can access to the minimum necessary for them to carry out their functions. If you only offer the TPP access to the PSU interface, they will see everything the customer sees, including any non-payments data that you show. So, for example, the TPP could see information about FX forwards or loan deals etc. (unless you move that data to a different area, but at the risk of detracting from the customer experience).
If you choose the dedicated interface route, then the Open Banking Implementation Entity (OBIE) has developed a set of API specifications which can be modified and implemented for your business. This means that not only is some of the heavy lifting already done, and therefore the cost of implementation/testing is lowered, but these standards are likely to become industry-wide, so TPPs can access the information more easily, making for a frictionless customer experience.
Perfect, sounds great, why would I not use such an amazing interface?
- Those who opt for a dedicated interface have to have a ‘fall-back mechanism’ in the form of the PSU interface, so the adaptation has to be done anyway (unless the FCA awards the exemption).
- Better the devil you know; open APIs are still in the pilot phase and there is no guarantee that they will work as effectively as customers and the industry need them to.
Remember, if you choose to simply use the PSU interface, that interface still needs to meet the general requirements of the RTS.
The issue is, though, you are limiting your firm’s ability to maximise this new opportunity. Instead, you are just giving others the tools to capitalise on it with no benefit to you.
While there is a lot of buzz around revenue potential and anticipated innovation possibilities, 92% of consumers don’t know what Open Banking is. Your decision is whether to take the leap of faith with the value-added dedicated interface option (the smartphone) or take the basic-compliance screen scraping+ route (the old Nokia).
This blog has only covered a small portion of the RTS, which require significant changes to how firms operate. If you require any advice on the standards your firm faces for both SCA and CSC, please do not hesitate to contact me, or a member of the IT/Infosec team at fscom.