The revised Payments Services Directive (PSD2) goes into effect in Europe in January 2018, but few banks are ready. By law they will need to make customer data available in a secure manner, and eventually to give third-parties access to their customer’s accounts. But equally important to these compliance efforts are the strategic implications for banks. How they will organise themselves and operate in a world of “open banking” is what we’re examining in this post.
The context in which PSD2 enters into force: payments market and trends
Global non-cash transactions broke a decade-long record for growth in 2014-2015 with volumes exceeding 11% growth to reach +433 billion. According to World Payment Report 2017, global non-cash transaction volumes will record a Compound Annual Growth Rate of 10.9% during 2015–2020.
The increasing digitisation was favoured mainly by three areas:
- a greater propensity of users, from all population groups, in using tech devices;
- a change in consumer habits, who find these paying methods more efficient;
- an evolution of the market offered by players that adopt marketing strategies aimed at increasing the use of electronic tools and collecting information on customers’ behaviour.
Furthermore, the emergence of new players is increasing the level of competition, the over-the-top players, e.g. Google, Amazon, and Apple and new TTP -third party providers, e.g. Sofort and Trustly, are changing the traditional context of the banking services, creating new business models for banks to deal with.
In Europe, new competitors are gaining market share. Case in point: In Germany, Sofort has become leader in e-commerce payments with over 2 million transactions per month and 35,000 merchants in less than 10 years.
In this context, the new Directive PSD2 takes care of encouraging the use of innovative digital tools and, at the same time, of regulating services and payment practices already in force, such as apps which aggregate the balances of several bank accounts or send money via social networks.
A lack of readiness
The world is going to change radically for banks after January 2018. That’s the date when the revised Payments Services Directive (PSD2) goes into effect in the European Union. The date when banks’ monopoly over customer account information and payment services will cease.As from September 2019, banks should have the legal, operational and technological systems in place for strong customer authentication (SCA) so they can make customer data available in a secure manner.This will give third-parties access to customers’ bank accounts (XS2A), providing a definite end to banks’ gatekeeper role of customer payment data.
So the clock is ticking, with far reaching consequences. Not surprisingly, 94% of banks are currently working in some manner on PSD2, according to PwC survey Waiting Until the Eleventh Hour conducted in 18 European countries in the first half of 2017. However, 38% of banks are still in the early stages of assessing the impact of this Directive.
PSD2 interdependency with other regulations
Another striking element of PSD2 lies in the interdependencies with other regulations. The General Data Protection Regulation (GDPR) promises a complex implementation with multiple stakeholders. For many banks, compliance by 2018 will be a challenge. But mere compliance – though challenging in itself – cannot be banks’ only concern. As of today, few banks have experience granting third parties access to customer data or payment functionality via application programming interfaces, so-called APIs. According to PwC survey, such data and functionality sharing, commonly referred to as “open banking”, is currently pursued by only 47% of banks.
That’s understandable given the competitive risks associated with opening data to third parties. Banks need a proper strategic response to avoid becoming disintermediated by more customer-oriented third-party offerings. Further, real revenues are at stake. We can mention the lucrative card business, since third-party providers could offer low-cost “payment initiation services” to compete for that business.
The bottom line is that it’s time for banks to move beyond talk and analysis to take decisive steps.
New business models
Encouragingly, two out of three banks in PwC study say they want to use PSD2 to change their strategic positioning. Doing so, banks will need to analyse the emerging payments landscape bearing in mind their main strengths as well as FinTech players’. They can then begin to identify new revenue opportunities for services. This can include AISPs (Account Information Service Providers) or PISPs (Payment Initiation Service Providers, and consider new business models.
As the graph shows, half of banks aspire to be a platform aggregator. This would mean developing an open platform that allows partners to integrate their products and services into the bank’s offering while providing an open platform for generating new products and services based on the bank’s API and data. Any bank that could achieve this would be a powerful operator. However, the reality is that only a handful of large banks could reasonably expect to build a truly powerful partner ecosystem.
In fact, few third parties will be willing to connect to multiple banks as long as there is no common API standard across Europe. Third parties will instead turn to data consolidators to accomplish this cumbersome job for them. Only those banks that are important enough due to their size, that offer attractive, value-adding APIs or that are a compelling strategic partner will be attractive to third parties.
Without acknowledging it, most banks are actually in a wait-and-see mode. They might be focusing on compliance and a few short-term tactical moves. This might include collaborating with a couple of FinTech without an overarching strategy. So why is there a lack of strategic direction at this late hour? One reason may be that PSD2 is still a “niche topic” at many banks.
What we think
PSD2 promises a complex implementation with multiple stakeholders. So for many banks, compliance will be a challenge by 2018. But mere compliance—though challenging in itself—will not be their only concern. Banks need a proper strategic response to avoid becoming disintermediated by more customer-oriented third-party offerings. They will need to analyse the emerging payments landscape and identify new revenue opportunities for services. And this is something most have yet to do.
The main challenge for banks is that PSD2 requires action on two fronts. On the one hand, banks need to ensure compliance by January 2018. On the other hand, they need to adapt their strategies to stay competitive, which at most banks is likely to lead to long-term, profound changes to the business model. To manage these two aspects of PSD2, we recommend separating compliance efforts from strategic initiatives. Banks can and probably should pursue both in parallel but keep them separate and led by different inter-disciplinary teams.