Readiness for PSD2: APIs Fall Short, but More Time for SCA

Latham & Watkins
Aug 23, 2019

By Christian F. McDermott, Jagveen Tyndall, and Amy Smyth

In an effort to evaluate the readiness of banks to comply with the revised EU Payment Services Directive (PSD2), Tink, a banking platform and data provider, has reported that it tested 84 application programme interfaces (APIs) spanning 2,500 banks and 12 European markets. According to Tink the results showed that none of these APIs were sufficiently robust to meet the new regulatory standards. Separately, the UK’s Financial Conduct Authority (FCA) has delayed the implementation of the strong customer authentication (SCA) requirements introduced by PSD2 to enhance the security of all electronic payment services.

Background

As the authors of this post explained in a May 2019 post, PSD2’s regulatory technical standards on SCA are set to come into force on 14 September 2019. PSD2 allows third-party providers (TPPs) to build payment services infrastructure upon the existing platforms of financial institutions; such institutions must provide TPPs with access to client account information via open APIs if the client has given their consent. Financial institutions can provide TPPs with such access by either constructing dedicated interfaces built on these APIs or adjusting existing customer interfaces.

APIs on a Cliff Edge?

Tink used several criteria to measure the technical readiness of the proposed APIs to support payment services; its findings are available here. Tink’s report concludes that these APIs fall short on several grounds, ranging from insufficient accessibility to incomplete explanatory documentation and unsatisfactory functionality for TPPs to readily identify themselves.

Banks, TPPs, and other financial institutions should ensure compliance with API standards. Failure to comply could impact all sides, potentially compromise financial services for millions of consumers, and create a “cliff-edge scenario”, as outlined in Tink’s report.

Furthermore, PSD2 allows institutions that are building dedicated interfaces to seek an exemption from also providing a “contingency mechanism” with “fall-back” access. The FCA received exemption requests between 14 January 2019 and 14 June 2019. How many exemptions will be granted is unclear; however, if existing APIs are inadequate, TPPs and ultimately end users may be adversely impacted.

All is not lost. Tink’s report suggests that, in many instances, solving present shortcomings would not require monumental changes to APIs; often the question is one of improvement rather than a complete reinvention. For example, it said that meaningful improvements could be achieved by simply taking the following steps:

  • Restructuring existing instruction manuals that advise TPPs on integrating with the new APIs, to make them more comprehensible
  • Including relevant specifications and transparent descriptions

In parallel, traditional financial services providers may look to diversify their use of APIs. According to an Accenture report, challenger banks are moving beyond the APIs required simply to ensure compliance with PSD2 and into “value-add APIs”. On such platforms the offering is much broader: the institution focuses on a core product (such as a current account) while simultaneously giving customers access to a full suite of services from other providers, which improves the consumer experience.

An Extension for SCA Compliance

Notwithstanding that the diversification in the use of APIs is clearly a positive development, the general unpreparedness of the financial services industry to ensure PSD2 compliance has been noted, particularly in relation to SCA readiness (see this blog’s 18 June 2019 post). The European Banking Authority released an opinion on 21 June 2019, acknowledging that “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, [competent authorities may] … provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA” (italics added).

On 13 August 2019, the FCA accordingly confirmed an 18-month phased implementation plan for SCA in relation to e-commerce transactions, to give card issuers, payments firms, and online retailers more time to ensure compliance. The FCA confirmed this phased plan in a Dear CEO letter published on 20 August 2019. Significantly, the FCA has confirmed that it will not take enforcement action against firms within the scope of the plan that do not meet the relevant requirements by 14 September 2019, if there is evidence that they have taken necessary steps to comply with the plan. However, the FCA expects all firms to have made the necessary changes and required testing to apply SCA for online sales by March 2021.

Financial institutions and the payments industry would likely welcome a similar transition period for APIs. Whether the EBA, and national regulators, will grant such a period remains to be seen — and there is not a lot of time left on the clock. Meanwhile, impacted organisations should continue to work toward implementing compliant APIs by the current 14 September deadline.

Originally published at https://www.fintechandpayments.com on August 23, 2019.
