In part 1 of our interview series, 'Ask The Experts: The Future of Banking & FinTech in Light of PSD2' we interview Damian Richardson, Head of Innovation and Strategic Initiatives, Payments, at The Royal Bank of Scotland plc (RBS).
Damian has specialised in payments for the past 25 years. He has worked for RBS for the last 18 years and his current role as Head of Innovation and Strategic Initiatives spans all types of payments, whether they touch on consumers, corporate or banks.
Open APIs Started with Open Banking
Question: PSD2 is expected have a significant impact on banking and banking functionality. The open API will bring major change. What was the bank’s reaction when learning about the new directive?
Answer: All this did not happen overnight. We have been involved in the regulation conversation for some time. The regulator’s desire for greater competition and innovation across the banking industry is well known and matched by banks. While the Directive is strictly speaking technology neutral, it is already common practice to adopt APIs in banking and other industries. It is widely seen as the preferred approach towards compliance with PSD2 third party access requirements from January 2018. As well the later expected mandatory Technical Standards (RTS) now being developed by the European Banking Authority (EBA).
In the UK, we are implementing Open Banking and the mandatory use of APIs that it requires. The first phase of this program is live and the second phase, known as APIs for payments and data, will begin as of January next year.
Q: You are not referring only to RBS. You are saying that Open Banking applies across the UK? How does it compare to PSD2?
A: Open Banking is a Competition & Markets Authority and HM Government required initiative in the UK, where the major nine banks (the CMA9), including RBS, are cooperating on the opening up of their infrastructure. It is similar to PSD2, which also requires controlled Third Party Provider (TPP) access to permitted customer online accessible payment accounts/related data; though PSD2 has a wider legal scope. However, there are differences in terms of definitions relating to the customers that are in scope. Open Banking specifies the use of open APIs while PDS2 does not.
Other differences result from PSD2 covering only “payment accounts” with TPP access to “online accessible payment accounts“. While Open Banking will eventually cover a much wider range of services, the focus is on consumers and SMEs with turnover up to £6.5m. PSD2 also covers corporates and in some countries treats some as microenterprises with consumer protection status. And of course Open Banking is a purely UK initiative for only nine banks, while PSD2 geography covers the whole European Economic Area.
Some Initial Challenges
Q: What are the big challenges RBS will face following the implementation of PSD2?
A: All banks are facing other significant regulatory changes. You also have several mandatory regulatory programs running at the same time so coordination is key issue. The GDPR initiative is one other example. There is also a challenge because while PSD2 goes into effect in January 2018, some of the related security technical standards have not been set yet by EBA.
They may not be agreed until the end of this year and then won’t take effect until 18 months of their official publication. So you have a period of some uncertainty. PSD2 will become law but due to the lack of technical standards in that interim period some uncertainty is bound to arise, on how the banks will manage their risk and legal obligations.
Q: Which entities will be involved in setting the technical standards? The banks? The Governments?
A: The EBA sets the Regulatory Technical Standards and subsequently each country ensures that they are adopted. In the UK, the CMA9 are collaborating and agreeing on standards for APIs as required of them under the CMA / HM Government Open Banking initiative.
Q: How will the new Directive affect user experience and business processes internally and externally? What do you expect during that interim period, known in this context as the “fuzzy period”?
A: In the UK, we will comply with the Open Banking API standards as they take effect from January 2018 at the same time as PSD2 requirements. Further changes will occur so that we have full compliance via APIs by the time the EBA RTS mandatory requirements take effect.
We see the interim period as one where existing practices such as so-called screen scraping will still be in use by some TPPs. But as more and more banks and Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) reach PSD2 and EBA RTS compliance, there should be a gradual shift to APIs as the preferred option.
The Opportunities PSD2 Brings
Q: What are the biggest opportunities opening up for RBS following the implementation of PSD2?
A: A bank will be able to operate as a TPP in the same way that other third-parties offer those services. As such, as an AISP and or a PISP, it can offer aggregated account solutions for customers. So if the customer banks with many banks, they can view their online accessible payment accounts on a single dashboard and make transactions from any of the banks they hold accounts with.
Banks also have the option to enhance their products by using other APIs that are available on the market such as mapping APIs or unstructured data APIs in order to attract new customers or ease some of the existing pain points. This all creates the ability to provide new services, help businesses run more efficiently and improve the customer’s life.
Q: The new Directive will enable PISPs to initiate payments on behalf of users. Do you envision that this step will cut out the current intermediaries? How will it impact the traditional role of banks and how will it affect a bank’s profitability?
A: It is too early to say. Clearly there will be an impact but the transition will be gradual, it won’t occur overnight. It is up to the customer to decide if an AISP or a PISP, be they a Bank or non Bank, can provide a better service. You can expect the banks and TPPs to act in a similar space. Any provider that listens to their customers and has their trust, as banks traditionally have, will find opportunities to provide new services in new directions, leading to a change in business models and roles over time.
While we’re excited by new products and services we need to bear in mind that some customers feel more comfortable using existing payment methods. It is only when you are able to offer a better and more secure service that is quicker and removes a customer pain point that you will see mainstream transition to new services. That kind of near frictionless experience and change in customer behaviours, trust and confidence in embracing those new opportunities does not happen overnight either.
Open APIs and Security
Q: With the opening of APIs and adding different providers there is a huge element of risk in terms of fraud and stolen credentials. Is the bank apprehensive about this?
A: The safety and security of payments, as well protecting our banked customers, are always front of mind. Cyber security is always a top priority for any bank, particularly when you offer services like online and mobile banking. Opening up APIs is another channel that customers can use, but in common with other services, we have to ensure that our technologies keep customer data safe and payments secure. As the world gets more and more connected, this becomes increasingly important and we are constantly improving the ways we achieve that. It isn’t only technology. Education and communication also play a key role.
Q: Mobile banking and mobile payments are on the rise. How will you address the related security issues?
A: The increased use of mobile banking has indeed been quite dramatic in the last couple of years. The mobile payment app is a secure app and we constantly update its security. We will continue to invest in this and for the protection of customer users that it yields.
Banking & FinTech following PSD2
Q: EMV started in the UK and then spread all over the world. We talked about how Open Banking already exists in the UK and overlaps with the PSD2. Do you think the Open Banking concept will expand to the Americas and other countries in the world?
A: The UK is often at the forefront when it comes to the payments market. I think it will be replicated and you’ll see different approaches in different countries. In some cases governments will make it mandatory. I think that in the United States it will be a more discretionary consideration to open up APIs. We have seen a lot of large banks open up their APIs because they regard it as an opportunity and an advantage. In some cases it will be enforced it but in other jurisdictions it may be viewed as a competitive opportunity.
Q: In the UK, are banks cooperating with FinTech? Will they expand cooperation with FinTech in the future?
A: UK banks are already cooperating with FinTech and have done for some time. At RBS, we have some very public collaborations with several companies in Israel, San Francisco, London, Edinburgh and Dublin. There are many cases where we see mutual benefit, where we are able to offer an additional service that provides a better solution or experience for the customer. We have cooperated with a growing number of FinTech companies over the last year as we develop more services, and we will continue to do so.
Q: To conclude, do you think PSD2 is a good thing for the banking industry?
A: At RBS we believe that it will ultimately be good for consumers, businesses and all Payment Service Providers (PSPs). In the UK there is a good fit between PSD2 and Open Banking, but there are still a few issues that need to be resolved.
In part 2 of this series, we interviewed Savino Damico of Intesa Sanpaolo. Check it out here