Last year was abuzz with discussions and speculations on PSD2 – the new European regulation that will change the banking industry – and its Regulatory Technical Standards (RTS), which define how it is to be implemented. At the end of last year, we wrote about what the directive will mean for the sector and why banks should prepare themselves. Now that 2018 is upon us, the buzz will get louder, because PSD2 is getting very close. The details are being defined and banks must be ready soon.
But how soon is soon? Well, on November 27 last year, the RTS were finally released by the European Banking Authority (EBA). So there is finally a much clearer timeline to work towards.
Much of last year’s buzz was debate on the RTS requirements. Merchants were not happy with the balance between security and user convenience. Fintechs were not happy either, complaining about how they would access customer information held by banks. And both groups are perhaps still not completely satisfied. But today it seems that discussions are over, and the text should remain as it is – although the European Parliament and the European Council do have a three-month delay in which they could amend some points or tweak the calendar.
Let’s take a look at that calendar. Here are the key dates that we know already:
- January 2016: PSD2 came into force
- November 27, 2017: The RTS were released
- January 2018: Each country had to transpose the Directive into national legislation
- End of February, 2018: The RTS are expected to be formally approved by the European Parliament and the European Council, opening the 18-month delay for their actual implementation
- September 2019: Payment Service Providers (PSPs) must be ready to go, having implemented the RTS security and functional requirements.
The new version of the RTS introduces some interesting new elements to the calendar. The first new element is that banks will have to offer their open APIs to Third-Party Providers (TPPs) for testing and integration, 6 months before the final implementation date. This means that their APIs must be ready not by September 2019, but six months earlier: March 2019.
The second new element is somewhat hidden among complicated text. Basically, banks must have a back-up plan – known as “contingency measures” – in case their open APIs don’t work. They must give TPPs an alternative way of accessing their customers’ data, allowing them to use end-users’ login credentials while indicating that they are not really the end user.
But there is one condition under which banks can do away with these contingency measures: their open APIs must have been widely used for at least three months before the September 2019 deadline.
Confusing? Perhaps the image below can clarify the key dates – and the three-month period of using open APIs can occur at any moment during the timeline below:
So what is the key take-away for banks? Essentially, the buzz on PSD2 is getting louder because time is now very short. The calendar is tight, and European banks need to act now.
We’ll be returning to the topic of PSD2 a lot over the next weeks – discussing everything from security and authentication standards, to the role of Payment Service Providers and the requirements for corporate banking. So keep your eyes on the blog, but in the meantime if you have questions about PSD2 feel free to post them in the comments, or contact us via Twitter.