How FinTech-friendly is PSD2?

The new Payment Service Directive 2 (PSD2) challenges the emerging FinTech sector. What are the real struggles for FinTechs and how should they deal with them? 

FinTechs will need to collaborate

FinTechs are new players who seize opportunities due to the gap between the current offering of financial institutions and the actual customer needs. This is reflected in the proposed value-added services and the creation of new digital financial products.

There are several reasons why FinTechs specifically are able to answer these needs:

  • They continuously innovate in order to survive and to grow,
  • They move fast due to their lean & agile mindset and
  • They deliver efficient and digital processes.

Nevertheless, in the world of tomorrow, FinTechs will need banks in order to bring real and concrete value to their clients, because banks have something that FinTechs do not have: large volumes of customers. On the other hand, FinTechs bring a fresh view on the customer journey when doing banking activities. Therefore, both parties actually reinforce each other.

Before PSD2, the only way to truly collaborate with a bank was through long-term partnerships or “alternative” methods such as screen scraping. PSD2 levels the playing field by offering easier access to a customer’s payment account data, which means that FinTechs will now meet less resistance when accessing the information they need to develop innovative services for their customers. That is at least supposed to be the spirit of PSD2.

Gain trust

The main problem for FinTechs will be gaining the trust of the banks’ customers. As we observed with the Facebook and Cambridge Analytica issue, making sure that the customer clearly understands what data will be used and for which purpose is crucial in delivering new financial services based on PSD2. Building that trust will not be easy.

Another challenge from a business perspective is the fact that banks show some resistance towards FinTechs acting as third-party providers (TPPs) due to the different levels of risk appetite. Some banks (still) seem to be resistant to opening their customer data to TPPs as it might imply a higher risk of cyber attacks. Therefore, it is crucial for FinTechs to illustrate the implementation of appropriate organizational and technical measures in order to gain sufficient trust from banks in an increasingly security-sensitive environment.

Additionally, some banks are afraid of losing their competitive advantage when opening their back-end systems. And you cannot blame them: open banking implies a huge, even a revolutionary, change for banks; not only system-wise, process-wise, regulatory-wise, but especially with regard to their mindset. A big challenge will be to grasp the opportunities at the right moment by leveraging regulations like PSD2.

Be compliant

A FinTech that acts as a TPP and that wants to obtain direct access to the payment service user’s data will need to comply with several laws and regulations. The three main regulations in the context of payment services are PSD2, AML and GDPR. Each regulation gives rise to its own particular challenges. The implementation of each one of them has proven to be a highly complex task, especially when there are discrepancies between the regulations.

The five main compliance-related challenges that should be looked at are:

  • Defining who the data gatekeepers are as we are moving more and more towards a data-sharing economy,
  • Capturing and managing the consent and authorization of the payment service user,
  • Managing the transferred payment and personal data in a safe and secure way,
  • Defining accountability, especially because PSD2 does not require a contractual relationship between banks and TPPs. This implies that FinTechs acting as TPPs should guarantee an appropriate level of data security,
  • Assessing and setting up the relevant AML processes and controls at the right moment of the PSD2 chain.

Another non-trivial element that we should bear in mind is the fact that new regulations seem to be lagging behind the market. This results in legal requirements for FinTechs (and banks) that are not adapted to market trends, which does not really foster an innovation-friendly environment.

Find the right balance 

FinTechs will try to do what every start-up does: choose the path of least resistance. If they find a bank integration option that is cheaper and faster than implementing it themselves, most will favor that option. That is the value proposition of most API aggregators. Some TPPs will invest the time and money to integrate with all the banks they would like to reach. However, the core business of most FinTechs is not bank integration; it is to deliver added value on top of said integrations. Today, banks don’t make the life of TPPs easy and it will probably take a few years to get to that point, even with globally adopted standards.

From a compliance perspective, collaboration with aggregators or big TPPs could be an option for FinTechs in order to outsource compliance-related processes. However, this does not mean that FinTechs can ignore their minimum requirements because they remain accountable. Therefore, it is important to find the right balance when outsourcing processes. The roles and responsibilities of all parties in the chain should be documented properly.