What is PSD2 & what does it mean for retail banks?

Responding with mere compliance is not enough

By: Chandar Lal, Daniel Lemcke

As a customer, how close is your relationship with your bank? Just think about all the personal information they have about you. Intimate, to say the least! But things are about to open up in the banking industry…

For many consumers today, the ideas of ‘my money’ and ‘my bank’ are almost inseparable. It’s the one place that stores your financial record. Let’s consider the basic duties of a retail bank:

  • As a deposit taker, the bank is the trusted custodian of its customers’ money.
  • As a lender, it helps its customers buy homes, start businesses, and obtain credit when it is needed.
  • As a payment provider, it enables customers to transact and move their money through payment systems.
  • As an account provider, it is the one authority that tells the customer how much money they have, and how they spend it.

From January 2018, the latter two roles will be opened to unprecedented levels of competition, as the revised Payment Services Directive (PSD2) comes into force. As a result, banks’ relationships with their customers will change dramatically.

So what exactly is PSD2?

PSD2 is an EU directive aimed at encouraging competition in the retail banking sector.

It’s a wide-ranging piece of regulation, setting out a range of requirements including:

  1. Major structural changes to customer data and payment infrastructure, over which banks currently hold control
  2. Broader geographical reach, as PSD2’s scope extends beyond its predecessor to include ‘one leg out’ transactions, where one transacting party (rather than both) is located within EU borders
  3. Strong Customer Authentication – payments must be authenticated using two or more aspects categorised as knowledge (something only the user knows, such as a password), possession (something only the user possesses, such as a mobile phone) and inherence (something the user is or has uniquely, such as a fingerprint)
  4. Right of refund as an unconditional legal requirement for direct debit schemes
  5. Consumer protection for unauthorised payments, where the maximum amount a payer could be obliged to pay has decreased from €150 to €50
  6. Prohibition of surcharges on most card payments

We’ll focus on the first of those points, and its game-changing implications.

PSD2 states that retail banks must make customer data freely (yet securely) accessible to third parties, using a common standard of open APIs. The result? Any organisation – not just the bank itself – can act as a payment initiation services provider, or an account information service provider. This means that customers can manage their money using any third-party service provider they choose, rather than relying on their bank as the sole servicing channel.

For retail banks, this might well seem like bad news. Third-party organisations can now get access to rich and valuable banking data – previously accessible to banks only – without having to undergo the process of becoming a bank.

With this barrier removed, new market entrants will be granted an opportunity to compete with retail banks as service providers – for instance, by launching innovative cross-bank products and services. Incumbent banks stand to lose visibility in their customers’ eyes, which makes it ever more difficult to maintain loyalty and trust.

Indeed, there is huge potential for banks to be rendered mere utilities, displaced and disintermediated by nimbler, more customer-centric firms. We expect to see a rapid growth of aggregator platforms which create financial services marketplaces – see Yolt for a flavour of what to expect.

Ultimately though, a customer’s money will remain in the custody of their bank. The aggregator stands to have very little control over service quality, unless it formally agrees service levels with the bank. While PSD2’s technical standards will set out minimum standards of service quality and response, there is nothing to prevent aggregators or intermediators from negotiating bespoke bilateral service level agreements (SLAs) to differentiate their service offering.

The customer experience, then, will become a hotly contested battleground – and he who delivers the experience owns the relationship.

How can banks respond?

There’s a major decision point for retail banks amidst this change. Should they accept PSD2 as a threat, and respond merely with compliance? Or can they look to maximise value, transforming their businesses to engage with customers in a new way?

Here are three ideas to get the ball rolling…

1. Launch cross-bank utilities

For the first time, retail banks will be empowered to see and present a customer’s financial position holistically. Suppose that a customer, Jane, holds current accounts with Bank A and Bank B. Today, she has an app for each, each limited to showing its own balances and offering its own transactional functions.

(Jane, by the way, is far from an isolated case. The Social Market Foundation finds that 25% of UK retail banking customers currently hold current accounts with more than one bank.)

From 2018, Bank A will be able to launch a single utility, bringing in data from Bank B via the latter’s open API. This app would be able to show Jane a consolidated view of her financial position, and allow her to operate accounts across the two banks via a single portal.

Taking this further, a bank could offer a single-platform wealth aggregator (consolidating all current accounts, savings, investments, loans and mortgages, regardless of provider). This could be combined with a financial management and planning tool, to assist with budgeting, goal-setting and data visualisation.

Certain inter-bank customer journeys – notably account switching – could also be run within a single utility. As well as creating potential for operational efficiencies, there may be a revenue upside facilitated by easier switching and customer acquisition.

What emerges is a service that brings Bank A closer than ever to its customer, and offers the cross-selling potential that comes with fuller exposure to the customer’s finances. The quality of this service will be paramount. It’s unlikely that the APIs will be real-time in the first instance, and experiences will resemble what we’ve seen through the likes of Yodlee.

We’re expecting to see banks race to become the platform provider of choice. The bank with the best platform will win, not necessarily the one with the best current account. Competition will be based on customer experience, the ability to aggregate, and provide value-added services on top of the core banking experience.

2. Develop partnerships to enhance value

Using an open API, a bank can grant its corporate partners direct access to its infrastructure. This makes it easier than ever to offer co-branded credit cards, loyalty programmes, and e-commerce marketplaces – with payment infrastructure built into the product offer itself.

The bank can now reach the customer before the customer even reaches the checkout.

There’s a new opportunity for the bank to serve as a platform bringing together financial and non-financial services, while leveraging insight from each. As an example, consider the following customer journey:

Even before the initial transaction is processed, the bank can make its presence felt within the airline’s website. It can offer auxiliary financial services, such as pre-approving credit to protect the customer from a projected cash shortfall. The bank can then not only process the payment, but also serve as the bridge between one provider and the next – for instance, by using a loyalty platform to deliver relevant rewards based on the customer’s known interests.

In this case, the bank would receive fees from both partners, the customer would receive relevant and discounted services, and the partners would benefit from easier customer acquisition and servicing.

There is, however, a threat in this. If a third-party service provider can initiate transactions, it may be that the provider can choose which bank they route the transactions through. In fact, the very same thing is happening in the wallet space. Android and Apple Pay can easily allow their merchants to influence which bank card ultimately makes the payment. If the provider taps into an analytics engine to assess which bank product offers the best value for money, or offers the best loyalty reward for a specific transaction, it is the ‘default’ bank which stands to lose out.

3. Generate revenue through data itself

PSD2 requires banks to make customer data available to third parties free of charge. However, some third parties may be willing to pay for enhanced APIs which exceed PSD2’s basic requirements. Expect to see bilateral SLAs negotiated, granting certain third parties exclusive access to these enhancements.

These enhanced APIs might, for example, provide location-based information, integrate with accounting/ERP systems, or give more detailed transaction data. In the draft Regulatory Technical Standards – due for finalisation in 2017 – there has been no explicit restriction on such enhancements. By offering extra insight via a ‘freemium’ pricing structure, banks could gain direct revenue from APIs themselves.

This naturally raises questions over customer treatment. To what extent will customer data be a saleable asset in a post-PSD2 world? What kind of third parties will have access? What consent will be required? How will consumer data be protected against fraud and identity theft, in this new era of openness? In the absence of clear legal precedents on the commercialisation of banking data, banks will need to be alert to regulatory developments.

There’s another challenge to consider. If you sell your data, the quality thereof is going to be crucial. Many banks struggle to maintain high-quality customer data. If this data is to be offered commercially, there is a huge implication for the back-end data storage and management of customer data. Ingestion practices also need to be professionalised to a higher degree.

Today, credit bureaux define voting rules and data confidence levels to decide which data records they publish, as they hold disparate sources. They classify sources and assign levels of confidence depending on the source, age and frequency of data obtained. Banks will need to start doing this in preparation for PSD2.

In conclusion…

While the full technical standards of PSD2 haven’t yet been announced, there’s a lot that banks must do to be leaders in a new competitive marketplace. Will they let data escape, losing control of their customers as competitors step in to service them? Or will they seize the opportunity, by offering services compelling enough to ‘own’ customer relationships across the industry?

We’ve helped our clients:

  • define new cross-bank customer journeys, to simplify customer experience and ensure seamless integration between providers
  • develop data strategies to prepare for PSD2 and GDPR
  • transform their operating models and IT architecture, adapting to the growing volume of data flowing between financial institutions
  • seize fast-mover advantage, by fostering relationships with the startup community to co-develop innovative products

To discuss what your future could look like in more detail, do get in touch.
