According to the Open Banking Impact Report, one in nine people in the United Kingdom currently use open banking, and during the first half of 2023, payment volumes doubled. Although the Payment Services Directive (PSD2) aims to improve authentication and regulate third parties, provider adoption has not kept up with expectations.
In contrast to what was anticipated, the market has changed, leading to fragmentation and endangering PSD2’s sustainability to the point where the European Commission felt obliged to intervene and release a report on the use and effects of PSD2.
The report’s examination of the role that application programming interfaces (APIs) play in authentication and granting access to the back-end data needed for open banking services is particularly noteworthy.
Screen scraping, which made it challenging to identify who was logging into the account and considerably more difficult to offer richer data sources, has been replaced by APIs. Concerns are now raised by the way the industry has decided to use APIs.
A damning verdict
According to the report, there is a lack of cohesion and cooperation in the market as “APIs vary greatly from bank to bank, even though they sometimes claim to use the same standard.”
It continues by saying that a lot of these APIs occasionally “do not work properly.”
For instance, third-party providers frequently do not receive accurate status feedback for scheduled payments made by PISPs (Payment Initiation Service Providers), and some claim that because regulators have not taken action regarding API flaws, these providers are unable to provide services that they are legally required to provide under PSD2 regulations.
Finally, it concludes that “the reliability of the eIDAS certification is inconsistent throughout the EU, the availability of APIs remains patchy, and the scope of the data being accessed remains unclear.”
PSD2 establishes performance standards for APIs, but the industry sets the standards, which hinders access rather than helps it, leading to problems with interoperability. Multiple variations of a standard API are produced by banks’ freedom to adopt and modify various API standards.
It then becomes necessary for a third party doing business with these banks to establish special connections, which is a labour-intensive procedure. The report acknowledges that “the absence of a PSD2 API standard and the large number of APIs” are to blame for the emergence of aggregators, which create a single API on top of multiple APIs and then sell it to third parties.
Two-tier system
The complexity of the situation has increased with the introduction of Premium APIs. These make it possible to provide PIS (the capacity for third parties to initiate payment) or AIS (access to transaction data). Nevertheless, they may lead to unlicensed parties being able to access data that licensed APIs compliant with PSD2 do not, thereby weakening the standard.
Furthermore, unlicensed third parties are even able to offer AIS and PIS through an aggregator’s license-as-a-service offering. This creates an “uneven playing field” where two parties may provide the same service under different circumstances, potentially giving the unlicensed party a competitive advantage, because Premium APIs can offer services beyond those defined in PSD2.
In a survey done for the report, 58% of respondents said they were in favour of a global API standard to make payments easier and only 9% were against it. However, the qualitative interviews that were also conducted did not match the quantitative data.
According to that research, there were several reasons why the adoption of a single API standard was seen as controversial. It was thought that this might hinder banks’ ability to innovate and create their interfaces. Although there are several competing API standards, these have limited rather than impeded progress, and it was thought to be too late to introduce them.
Others proposed that in order for Premium APIs to overtake and compete to establish de facto APIs, the market needs to be opened up for business. This makes sense because some people have continued to scrape less secure data because they believe that the PSD2 requirements are too restrictive regarding the access they allow. The issue of unapproved third parties having access to banks would still need to be resolved, though.
Need to add carrot and stick
The issue with the current business model for API development is that banks are not incentivised to invest in high-performing APIs, which means that security won’t advance further. Account Servicing Payment Service Providers (ASPSPs) i.e., banks are the ones that must invest in APIs to provide access, whereas the third parties effectively get access to that data for free.
It makes sense that banks are choosing to “limit or at least complicate access to their data” and that third parties are reporting implementations have “mostly been poor (by banks)…with a significant number of obstacles built-in” given the lack of financial incentives, the slack enforcement, and the ambiguity of the regulations themselves.
Although opinions on the need for a single standard may differ, it is certain that the current approach is ineffective and that the industry is experiencing API sprawl as a result of the standard’s fragmentation. Due to the lack of incentive for banks to enhance API connectivity, third parties are becoming more dependent on aggregators.
Additionally, the system as a whole has allowed competitors’ offerings to grow, leading to the emergence of unlicensed providers and non-standard alternative APIs with greater functionality. As a result, we can anticipate that this year will see action from the European regulators. They will actively look into ways to get PSD2 back on track, so all of the participating providers should get ready for the regulations to tighten up and be strictly enforced.
Meanwhile, the “Payments Services Package” is a new regulatory framework that the European Union (EU) is introducing to update its payment services regulations. The European Commission released a set of legislative proposals in June 2023 to improve and modernise the EU’s digital financial environment.
The Payment Services Package consists of the Payment Services Regulation (PSR), the Payment Services Directive III (PSD3), and the Regulation on a Framework for Financial Data Access (FIDAR), which must be enacted in tandem. The goal of PSD3, an update to the current Payment Services Directive (PSD2), is to broaden and improve the payment services regulatory framework.
Additionally, it will replace and repeal the Electronic Money Directive (EMD2), creating a single regulatory framework that will control e-money services in addition to payment services. Since e-money institutions will be licensed as payment institutions under PSD3, there will be a single set of requirements for licensing, business conduct, and prudential supervision.