Banks put open banking at risk by overachieving on XS2A compliance

05 October 2017

Banking executives need to carefully determine their strategic position and then act accordingly and consistently with regard to their XS2A compliance approach, write Mounaim Cortet and Vincent Jansen, both consultants at Innopay.

The PSD2 discussion between the European banking and FinTech communities is reaching a tipping point. Although it is clear by now that access to payment accounts by third party providers (TPPs) is going to happen in some shape or form under PSD2, there is still a lot of uncertainty. The key discussion point still on the table is “non-discriminatory access to payment accounts (XS2A) for third-party providers to enable new transaction services” [in PSD2 terms these transaction services are: Payment Initiation Service (PIS), Account Information Service (AIS) and Confirmation of Availability of Funds (CAF)].

Central to this discussion are three complex and interrelated elements: the communication interface, the functional scope of access, and the interaction model between bank, customer and third party. Banking executives should make informed decisions on each of these three elements; otherwise they risk overachieving on XS2A compliance and thereby eroding the business value of their Open Banking proposition.

Setting the ‘interface scene’

Banks are challenged to offer a communication interface that is compliant with PSD2 and the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) (Final Draft RTS on SCA and CSC). Specifically, the interface must be compliant and must offer performance and availability comparable to the online (or mobile) banking channel that bank customers use today. Only such an interface will satisfy the payment account access requirements of third parties, the EBA and national competent authorities.

Banks have two options available to meet the PSD2 and RTS requirements for the communication interface:

  • Option 1 - Online banking interface: allow TPPs access via the (existing) interface that Account Servicing PSPs (typically banks) provide to their customers for authentication and communication
  • Option 2 - Dedicated interface: most commonly referred to as an “Application Programming Interface (API)”, specifically designed to give TPPs access to the payment accounts of the banks’ customers

The EU FinTech community (Future of European Fintech Alliance) is a strong proponent of option 1, reusing the ‘online banking interface’, to ensure non-discrimination, a level playing field and continuity of its services and business models in the PSD2 era. The banking community (European Banking Federation (EBF), European Savings and Retail Banking Group (ESBG) and the European Association of Co-operative Banks (EACB)), in contrast, leans towards option 2: designing APIs for the mandatory XS2A services (PIS, AIS, CAF) under PSD2.

Banks that consider reusing their online banking interface typically do not have many choices to make. As most banks opt for APIs to ensure XS2A compliance, in this article we describe the challenges that those banks encounter, and the informed decisions they need to make on where XS2A compliance ends and their Open Banking proposition begins.

It is easy to overachieve on XS2A compliance

It is exactly this decision to use APIs to meet XS2A compliance obligations that puts the business value of banks’ Open Banking propositions at stake. We observe that banks are overwhelmed by API designs and specifications. Numerous European standardisation initiatives, technology vendors and individual banks are developing all kinds of solutions and specifications that often exceed the minimal compliance requirements. The debate on PSD2-compliant APIs is characterised by (legal) uncertainty and is thus triggering various interpretations among these actors.

Banks need to be mindful of the considerations and trade-off decisions regarding APIs used to ensure XS2A compliance. The most relevant areas of decision making are the functional scope of access and the interaction models.
