Wijnand Machielse and Ortwin Scheja, part of the team that edits and moderates Berlin Group activities, have agreed to share with The Paypers readers their take on the latest updates of a post-PSD2 European open banking scene.
What is the pulse of the market right now, post-PSD2 deadline? How do you feel the European banking and the TPP ecosystems have handled the deadline?
Although the majority of TPPs were rather late in starting to test the bank systems when approaching the official regulatory deadline of 14 September 2019, it is also fair to say that the deadline has moved a bit because the market still required some regulatory clarifications (e.g. on handling of standing orders in account information services reporting or in presenting the account owner name) and the IT migration challenges for TPPs were high.
Several National Competent Authorities (NCAs, assigned as the sole responsible entities for providing compliance approval) have shifted the timelines, so as to allow the market (TPPs and banks) a little bit more time to achieve full compliancy. Finalisation of market migration is expected in 2020.
The current NextGenPSD2 Framework already offers sufficient options to facilitate regulatory requirements and sometimes differences in national legislation, as well as bank infrastructural differences related to the different online banking environments in Europe. Implementations can be recognised by the set of Implementer Options that banks are offering. In order to offer TPPs a flexible and dynamic onboarding at banks, NextGenPSD2 will develop in 2020 a Discovery API which, together with directory services, will allow TPPs to configure their implementation dynamically when approaching banks’ production systems.
The NextGenPSD2 common API standard developed by the Berlin Group incorporates pan-European requirements on customer consent handling, SCA architectures, payment products for retail and corporate business and is now being used by banks and TPPs for implementing PSD2 access to account (XS2A) services. What do you see as the biggest hurdles that TPPs are facing when striving to achieve compliance?
When achieving compliance, TPPs are facing a lot of questions from NCAs that they need to respond to. Before they even get there, they will go through the design, development and testing phases. Development as such is not too difficult but TPPs will have to read and understand lots of documentation.
During testing TPPs have acknowledged that sandbox functionality is only part of the production functionality (e.g. SCA can only be emulated) and like production environments, sandboxes differ per bank (remember: it is a legal requirement that PSD2 XS2A has to mirror the online banking environment which differs per bank).
In accessing the production environments TPPs are facing a multitude of onboarding processes (e.g. OAuth presteps are not standardised and/or not automated). Over time this will definitely improve but it takes time to develop e.g. full discovery APIs and bank registers.
Last year, The Berlin Group announced that a major release update to the standard will incorporate additional functionalities and the first set of extended value-added services that go beyond the core PSD2 requirements. What is the status on the updated standard and what will be the most relevant changes that come along with it?
With the shifting regulatory timelines we had to spend more time as well in incorporating the final regulatory clarifications into the core compliancy part of the standards. Obviously, this also impacts our timelines for working on the extended (non-core) value-add services. And at the same time as a pan-European standard our developments are a bit dependent on further progress in scope of pan-European SEPA API Access Schemes, as envisaged by e.g. the ERPB (Euro Retail Payments Board).
These efforts have also been put on hold for the time being. Nevertheless we expect to be able to issue a first release of the major update before the summer next year. This update will most likely cover data model extensions to be future-proof for covering value-added services like e.g. installment payments and pushing incoming instant payments through the NextGenPSD2 APIs.
One of the legal possibilities for banks that did not implement dedicated APIs such as NextGenPSD2 is the so-called “identified screen scraping”. How did this phenomenon evolve on the banks’ side and do you see it decreasing in time as banks prepare better for collaborating with TPPs?
While the majority of European banks have already implemented and offer dedicated APIs (more than 3,000 banks in Europe have implemented NextGenPSD2, i.e. the largest part of the market), we certainly expect that the remaining banks will also ultimately offer dedicated APIs. The benefits in better controlled access and the future possibility of adding value-added premium services are simply very attractive for both banks and TPPs.
One of the other themes debated within the Berlin Group European Standards Initiative is ISO20022 and SEPA Card Clearing. There have been talks in the industry that the standard and the Open Banking API are incompatible and that the ISO standard might be too thick and cumbersome for a modern banking API. How would you comment on this and what would be a possible workaround to harmonising the two?
SEPA Card Clearing is a separate standards theme related to backend payment processing and not related to Open Banking APIs. An important effort for next year will be the focus on continued alignment and convergence with other standardisation initiatives in a process facilitated by SWIFT. This is not an easy process because investments have already been made but further convergence could ultimately benefit all stakeholders. This topic will in future also be discussed further within ISO20022, where a dedicated workstream started to focus on API developments.
In August 2019, the Financial Conduct Authority announced that it agrees on a phased implementation of Strong Customer Authentication. How do you see this panning out in the coming months and what do you forecast the TPP compliance rate will be at the end of the exemption period?
Migration to SCA for card transactions in ecommerce was proposed in an EBA Opinion Paper in October 2019 to be postponed until end of 2020 which was acknowledged by many of the European NCAs. Still, the requirements on SCA within the context of the PSD2 APIs are not addressed by this Opinion and still apply.
About Wijnand Machielse
Prior to joining SRC, he worked for almost 20 years in Dutch payment schemes and interbank processors, most recently as Advisor to the Board of Equens SE (now: equensWorldline), and represented the Dutch payments industry in the EMVCo Advisory Board from 2000 – 2009. He represents the German banking industry in several international and European payment standardisation initiatives and is part of the team that edits and moderates the Berlin Group NextGenPSD2 Framework.
About Ortwin Scheja
Ortwin Scheja is Managing Consultant at SRC Security Research & Consulting and is an editor and moderator of Berlin Group NextGenPSD2 and NISP. He has more than 20 years of experience and expertise in conception and implementation of complex transaction systems, in interbank card processing, clearing systems and scheme services, and in retail-banking IT standardisation at a European and international level. He holds a PhD and a master’s degree in mathematics and computer science from Saarland University, Saarbrücken.