PSD2 will unleash an open banking revolution, says PwC’s Sinead Ovenden. But, for that to happen, banks need to protect your data and open it to emerging fintechs.
Sinead Ovenden is a partner at PwC Ireland.
Ovenden has specialised in regulation for more than fifteen years, working in banking in Ireland and Australia, and regulatory consulting in Ireland and the UK.
‘I think it is a very exciting opportunity that opens banking in a way that consumers can benefit from all sorts of products and services’
– SINEAD OVENDEN
Last Saturday (13 January), the second Payment Services Directive (PSD2) became law across Europe, potentially unleashing a new world of open banking.
Under PSD2, banks in Europe will need to make customer data available in a secure manner, and eventually give third parties access to their customers’ accounts.
According to research from PwC, nine out of 10 European banks intend to use PSD2 to change their strategy, and the majority of European banking executives say PSD2 will impact all of their core banking operations.
What could PSD2 potentially do to the banking system as we know it?
At the moment, payments are made purely out of your bank account. But what PSD2 is doing is creating an open, level playing field so that the payments can be made through other intermediaries other than, say, a credit card. At the moment, if I do any online shopping, the chances are that I would log on to a website, use my credit card, and that payment will go through a payment services intermediary and eventually be taken from my current account.
So, there are a lot of intermediaries involved, and what the PSD2 is doing is facilitating other players to come into the market, to remove some of those intermediaries and to allow direct access to your current account.
It will facilitate third parties to access my current account directly, to be able to go in and take the cash out without having to use other payment service providers or credit cards.
Obviously, this needs to be very secure because they are accessing data in your current account and taking funds out, and they can’t do any of that – access the data or your funds – without your permission.
A huge amount of security needs to be put in place.
But the big impact on the banks is that they currently have a monopoly on all of your data and they know what you are spending every day, and that will no longer be the position for them.
Instead, you or I will have the ability to share that with third-party providers.
With new fintech players on the scene, what will banking look like in the next couple of years?
At the moment, the banks have more data than anybody else about all of our spending, and what PSD2 is doing is opening that floodgate.
It is going to provide open access for payments, but the bigger impact here is the sharing of data, so that volume of data can be shared with third-party providers. As a result, we will have a large number of fintech and innovative organisations coming up with all kinds of new services and products we haven’t seen before.
They can start to analyse it and see trends. For example, if they have access to this live, and with some clever data analytics, they would be able to identify opportunities to sell additional products. For example, if they can see you are spending money in a certain jurisdiction, they can use that information to tell you that there are alternative ways to purchase the same products or services at a lower cost.
The value there is the access to the data.
Are banks set up for this?
They have known about this European directive for a number of years and, for it to be transposed into legislation, all banks have had large projects getting themselves ready for this, to be compliant.
But being compliant and taking advantage of this legislation are two different things. If they were to take advantage of this legislation, they would start to use that data in a way for fintech companies to use.
Are they at that stage? Possibly not. Will banks ever be at that stage where they will start to design completely different products and services based on the wealth of data they have? Possibly not.
There will be some large institutions who will make the decision to do that but it is a very different way of thinking, providing financial services, borrowing money, lending money and taking deposits. It is actually using the data that they have on our financial transactions to come up with different products and services.
I think what a lot of them will do – because it is a different way of thinking – is that they will go into partnerships with fintech suppliers, and develop new products and services.
Is this something banks will grasp as an opportunity or will they circle the wagons?
I think it is both. It is a threat because you could find very clever fintech companies coming up with ways to give financial advice that consumers are not getting from a branch manager, because they will be monitoring online in real time. And, if financial services started to be provided by third parties and not your local bank, then the banks could start to become just utilities, purely somewhere to put finances and be a source of information for other third-party providers.
But it is also an opportunity for the banks to work with fintechs and it could be an additional revenue stream for them.
Would you urge banks to embrace this wholeheartedly or cautiously?
I think it is a very exciting opportunity that opens banking in a way that consumers can benefit from all sorts of products and services.
How should banks be organising their IT systems to embrace this?
I think banks will still be your borrowing and deposit providers, and that core banking isn’t going to change. This is about moving above and beyond and outside the current banking trends to provide new products and services.
So, can our banks change? Absolutely. They need to look at PSD2 as a strategic opportunity to diversify into a different type of service than ever before.
The banks’ primary concern up until the deadline was to make sure they were compliant. They had a lot of work to do – because they have a lot of legacy systems that have been around a long time – in order to be able to provide that real-time access to third-party providers.
So, there’s a lot of work in that.
I suspect that really their core priority was compliance up until now, and a number of banks are looking at it from a strategic perspective. But I don’t think we will see those products and services appear right away; we will see them evolve over the next 12 months more and more.
What are the security implications, and does it open up consumers to considerable risk?
It does. However, having said that, all the banks are working hard to comply with GDPR in May. So, as a result of that, they all have significant programmes in place to enhance the existing security that they have. I would also say, in Ireland, the Central Bank has really focused on cybersecurity in the last number of years – so, as a result, the banks already are very focused on protecting your data.
In relation to PSD2, it does require strong customer authentication, so there are some additional requirements above and beyond GDPR that are in legislation as a result of this.
Yes, it is opening up the access, but not without your permission and not without additional strong customer authentication.
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.