27.12.2019

Finance Business Next

PSD2: Assessment at the turn of the year 2019/2020

27.12.2019  | Dr. Dr. Lars Rüsberg

On September 14, 2019, the EU Payment Services Directive PSD2 came into force. An event that caused heated debate months in advance and was dubbed "the biggest change in banking for many years", and not without good reason. On the one hand, the reform was intended to make competition between financial service providers fairer by abolishing the banking monopoly on access to account data. [1] On the other hand, it was intended to make online banking more convenient, transparent and secure.

2019 is now drawing to a close and the reform has been in force for a good three months. A good time to take stock. How well have the goals been achieved? Where do we stand three months after the introduction of the PSD2 reform? It can be assumed that the answers to these questions are largely determined by the eye of the beholder. For this reason, we will focus on this in the following and offer an assessment of the current situation from four different perspectives: customer, bank, BaFin and FinTech.

 

1 PSD2 - a brief introduction

PSD2 is an EU directive on the regulation of payment services and payment service providers, the aims of which are to increase security in payment transactions, strengthen consumer protection, promote innovation and increase competition in the market. It was implemented in two stages. The first stage came into force on January 13, 2018. It included, among other things, the reduction of the no-fault liability limit for abusive card transactions and the extension of the scope of application to non-EU/EEA currencies. The second stage came into force after a test phase on September 14, 2019 - and with it also the obligation for "strong" authentication ("two-factor authentication") and the opening of payment accounts for third-party providers. [2]

First, this means that customer authentication must use at least two elements from the categories knowledge (something that only the customer knows, e.g. a PIN), possession (something that only the customer has, e.g. a smartphone) or inherence (something that can only be attributed to the customer as a biometric characteristic, e.g. a fingerprint). In particular, transaction numbers (TANs) printed on a sheet of paper may no longer be used. Second, financial institutions must provide a standardized, open interface to enable certified third-party providers such as financial start-ups (FinTechs) to access account data. Third-party services are now subject to supervision by the German Federal Financial Supervisory Authority (BaFin).


Figure 1: PSD2 changes at a glance, source: Bundesbank.

 

2 Interim assessment from four perspectives

In the following, we use specific examples to discuss how the main players, generally speaking, judge the situation three months after September 14, 2019.

(1) Customer Perspective

Shortly after the introduction of PSD2 on September 14, 2019, BaFin received numerous complaints about banks. Most of them concerned difficulties with two-factor authentication for account log-in. In addition, customers were regularly annoyed by the poor availability of customer services (hotlines were often unavailable) and poor access to accounts. According to an online survey conducted on behalf of "Der Bank Blog", many German consumers are completely unaware of the new EU Payment Services Directive PSD2 and its implications. 59% of the participants surveyed in August 2019 stated that they had never heard of PSD2. The remaining 41% were familiar with the term, but only 7% of respondents knew what it meant. Of those surveyed, 15 percent named their bank as the most important source on the subject of PSD2, followed by traditional media with 11 percent and social media with 10 percent[3].

In a survey on "Black Friday & Christmas shopping 2019", 1,000 internet users were asked whether they feared problems with online purchases as a result of the introduction of PSD2. A quarter of respondents answered this question in the affirmative, and a quarter of respondents were not even aware of the regulation.


Figure 2: Survey on "Black Friday & Christmas shopping 2019", source: OmniQuest GmbH for G Data CyberDefense AG, 2019.

The biggest concern, cited by almost one in two (45%), is the misuse of personal data - and the aim of strong authentication is to minimize this.


Figure 3: Survey on the topic of "Black Friday & Christmas shopping 2019", source: OmniQuest GmbH for G Data CyberDefense AG, 2019 [4].

Against this backdrop, it is worth knowing what customers in Germany generally think about authentication methods. The results of a study published by VISA in December 2019 on the most popular biometric authentication methods are revealing in this regard. Among other things, 1,000 credit card holders over the age of 18 in Germany were surveyed. The results showed that German account holders believe that biometric authentication methods during the payment process are more secure and easier than traditional methods such as passwords or PINs. The most popular authentication method among German consumers is the fingerprint (90%), followed by the iris scan (85%) and facial recognition (79%) - even if they are still hardly widespread. When it comes to traditional methods, one-time passcodes (e.g. TANs, which are determined and delivered via application-specific apps) enjoy the greatest approval (81%), followed by authentication via PIN (77%) and passwords (73%)[5].

Figure 4: Visa study on the most popular biometric authentication methods, source: Fabrizio Ward, LLC, 2019.

(2) Bank Perspective 

And what does the PSD2 changeover look like from the banks' perspective? The results of two recent, representative surveys give an impression of this: according to the FINANCE survey on "Open banking among banks", most institutions were fully occupied with implementing the regulatory requirements of PSD2 this year. Of the German financial institutions, only Deutsche Bank and Commerzbank opened up more to third-party providers than was required by PSD2.[6] According to the Roland Berger study "Adapt or die? Why PSD2 has so far failed to unlock the potential of Open Banking", the vast majority of European financial institutions (81%) still see the PSD2 reform as an opportunity. However, the majority of banks are still hesitant to seize the new opportunities - leaving the field to (agile) FinTechs with new business models. According to the results of the study, only 35% of banks are currently prepared to take on the role of a third-party provider themselves[7].

This also divides the camps: while FinTechs take the position that the same data quality and data scope ("data parity") as for customer interfaces are fundamental for the business model and for achieving the goals of PSD2, banks usually rely on a very narrow interpretation of PSD2 and the RTS, the Regulatory Technical Standards for strong customer authentication and secure communication finally published in the Official Journal of the European Parliament on March 14, 2018.

In addition, the banks have opted for different PSD2 implementation methods. Some banks send a TAN via SMS, while others implement the "control procedure" using an app or well-known TAN generators. Some banks require two-factor authentication for every login (e.g. ING), while other institutions only want an (additional) TAN confirmation every 90 days, such as Comdirect or the savings banks.
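The two-element rule from the introduction and the two login styles just described (a second factor at every login versus a TAN confirmation every 90 days) can be written as one policy check. This is an added example, not code from any bank or from the article's author; the element names, the policy names and the reading that the two elements must come from different categories are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed element names mapped to the three categories named in the introduction.
# A printed TAN sheet is deliberately absent: it no longer counts as an element.
CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "sms_tan": "possession", "app_tan": "possession", "tan_generator": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}
REAUTH_WINDOW = timedelta(days=90)

def categories(elements):
    """Distinct categories covered by the verified elements; unknown ones are ignored."""
    return {CATEGORY[e] for e in elements if e in CATEGORY}

def sca_satisfied(elements):
    """Strong authentication needs elements from at least two different categories."""
    return len(categories(elements)) >= 2

def second_factor_required(policy, last_sca, now):
    """policy is 'every_login' or 'every_90_days' (hypothetical names for the two styles)."""
    if policy not in ("every_login", "every_90_days"):
        raise ValueError(f"unknown policy: {policy!r}")
    if policy == "every_login" or last_sca is None:
        return True  # first access always needs the full check
    return now - last_sca > REAUTH_WINDOW

def login_allowed(policy, elements, last_sca, now):
    """Decide one login attempt from the elements the customer has already proven."""
    if second_factor_required(policy, last_sca, now):
        return sca_satisfied(elements)
    return len(categories(elements)) >= 1  # inside the window one element is enough

if __name__ == "__main__":
    now = datetime(2019, 12, 27)  # constructed sample date
    for policy, elems, days in [
        ("every_login", ["pin", "app_tan"], 1),
        ("every_login", ["pin", "password"], 1),       # two elements, one category
        ("every_90_days", ["pin"], 30),
        ("every_90_days", ["pin"], 91),
        ("every_90_days", ["pin", "paper_tan_list"], 91),
    ]:
        ok = login_allowed(policy, elems, now - timedelta(days=days), now)
        print(f"{policy:14} {elems!s:28} last SCA {days:3}d ago -> {'allow' if ok else 'deny'}")
```

The PIN-plus-password case is the one to watch in review: it supplies two elements but only one category, so it is denied.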

These aspects show how the industry thinks about this internally. An old mistake is often made: the customer is forgotten. What do the customer problems listed above look like from a banking perspective?

At Postbank, for example, there were difficulties with customer login and reaching customer service. This was confirmed by a spokesperson for the bank, but he explained that there were no technical problems behind it. The reason was rather a strike in a service unit. A similar situation is said to have occurred at Commerzbank and its subsidiary Comdirect. Other financial institutions such as Deutsche Bank, however, spoke of a smooth transition. "In retrospect, the implementation of PSD2 went very well. Our customers and the bank were well prepared. For example, we started migrating our customers to alternative security procedures (photoTAN / mobileTAN) back in 2018 and gave our customers the opportunity to familiarize themselves with the introduction of two-factor authentication when accessing their accounts as early as July. Customers only occasionally ask for help," explains Michael Koch, Chief Digital Officer of Deutsche Bank's Private Customers division.

ING-Diba bank manager Martin Schmidberger sees the large platforms (GAFA or BigTechs in general, which certainly include Chinese players that are only partially known here - apart from Alibaba and WeChat) as the real winners of the now mandatory interface for account information and adds: "Data sharing mainly uses Google, Facebook and Apple [...] Thanks to the interfaces, the tech giants can act like a bank without being one".

(3) BaFin Perspective

As already mentioned, BaFin has received over 1,000 complaints about banks since September 14, 2019. According to a BaFin spokesperson, it is not yet possible to conclusively assess whether the problems described are primarily due to errors on the part of the institutions or whether they are due to operating errors or uncertainties on the part of customers[9].

Payment expert Maik Klotz takes a different view. Although it is understandable that technical innovations also cause difficulties when they are introduced, this is not the main problem. "The way some banks implement the requirements is anything but customer-oriented. Even before the implementation, customers were not sufficiently informed by the banks," he criticizes.

The President of BaFin, Felix Hufeld, commented as follows: "Some consumers found the two-factor customer identification so complicated that they carried out fewer banking transactions online as a result. [...] Well meant is by no means well done," Hufeld stated. More information does not necessarily lead to greater transparency. From his point of view, this is a pseudo-transparency. He therefore also asked: "Who is reading this?" [11]

Even more important were the intensive discussions with the banks that the third-party providers had initiated with BaFin in summer 2019 based on their test results of the developing interfaces. [12] As a result, the financial supervisory authority issued specifications for the interfaces to the banks and also made transitional solutions possible. After several workshops and a mutual exchange between the banking associations and third-party providers, BaFin, banks and FinTechs finally came to a fundamental agreement (or rather, a rapprochement) in mid-October 2019 and a joint nine-point paper.

(4) Financial Technology Perspective

Service providers in the financial services sector that do not have a banking license are meant to be the beneficiaries of the reform through its goal of fairer competition. FinTech companies deserve particular mention here.

This is how Cornelia Schwertner, Chief Risk Officer at the Berlin-based FinTech "Finleap Connect", sees the PSD2 changeover: "During the introduction of the SCA, it was easy to see how the regulation of technical processes can have a significant impact on practice. Unfortunately, the consumer is once again left with 'It's the EU's fault' instead of 'My data is more secure now'. With regard to account information and payment initiation services via the new PSD2 interfaces, everyone involved still has a while to go before a conclusion can be drawn."

In her opinion, the biggest problem today is that there is always more than one way to achieve technical PSD2 compliance. "The trick is to find ways that are not only compliant, but also user-centric - and to have the necessary time and IT resources to do so." [14]

The nine-point "joint declaration on migration to PSD2-compliant interfaces" agreed between BaFin, banks and FinTechs comes too late for some or does not go far enough for others. However, one thing seems to be agreed: a better understanding on all sides can only be achieved through broad(er) public relations work. "Compliance" is a necessary but not sufficient condition for adequately taking into account the needs of all those involved. And these need to be formulated more clearly and addressed during implementation. [14]

3 Conclusion

Even though the PSD2 reform has now been in effect for three months, there is still work to be done - especially in the interests of customers. It is therefore not yet possible to draw an overall conclusion.

Nevertheless, there have been no major disasters. Beyond that, an (interim) conclusion has to differentiate between the objectives of the PSD2 reform. The goal of liberalizing the banking market can be considered to have been achieved in principle. An important step has also been taken with regard to the security of online transactions. A considerable proportion of customers deny that online banking has become more convenient; standards will develop here, or further requirements will (or may) come into play. Ultimately, however, achieving so-called data parity remains crucial: will the same data quality and the same scope of data be provided as with the previous customer interfaces, so that there are no restrictions on the previous functionality or information and new business models, whether driven by banks or FinTechs, can (continue to) develop?

Sources

[1] Focus (2018): "PSD2 Directive: What is changing in banking" (13.01.2018) https://www.focus.de/finanzen/praxistipps/psd2-richtlinie-was-sich-beim-banking-aendert_id_8262977.htm

[2] Deutsche Bundesbank (2019) www.bundesbank.de/de/aufgaben/unbarer-zahlungsverkehr/psd2/psd2-775434

[3] The Bank Blog (2019): Christian Bock, "PSD2 brings benefits, but customers are still clueless" (26.11.2019) www.der-bank-blog.de/psd2-vorteile-kunden/regulierung-aufsicht/37658935/

[4] GData (2019): "Black Friday & Christmas shopping 2019: A quarter of Germans are afraid of payment problems due to PSD2" (26.11.2019) www.gdata.de/news/2019/11/35635-black-friday-weihnachtsshopping-2019-ein-viertel-der-deutschen-hat-angst-vor-zahlungsproblemen-durch-psd2

[5] Visa study (2019): "These are the most popular biometric authentication methods among German cardholders" (9.12.2019), www.visa.de/uber-visa/newsroom/press-releases.2951882.html

[6] Finance (2019), Dominik Ploner: "Open Banking 2020: Much ado about nothing?" (28.11.2019), www.finance-magazin.de/finanzabteilung/treasury/open-banking-2020-viel-laerm-um-nichts-2048811/

[7] IT Finanzmagazin (2019) www.it-finanzmagazin.de/open-banking-banken-schoepfen-potenzial-der-psd2-immer-noch-nicht-aus-98606/ (09.12.2019), Roland Berger study: www.rolandberger.com/publications/publication_pdf/roland_berger_psd2.pdf

[8] finanz-szene (2019), Christian Kirchner: "PSD2 conversion: Here comes the first big résumé" (16.10.2019), finanz-szene.de/digital-banking/psd2-umstellung-hier-kommt-das-erste-grosse-resuemee/

[9] Heise (2019): "Bank manager on PSD2: Data sharing mainly benefits Google, Facebook and Apple" (November 2019), www.heise.de/newsticker/meldung/Bank-Manager-zu-PSD2-Datenteilen-nutzt-vor-allem-Google-Facebook-und-Apple-4597032.html

[10] Gründerszene, "Fintech" section (2019), Christoph Damm: "'Anything but customer-friendly' - new payment directive causes trouble" (18.10.2019), www.gruenderszene.de/fintech/psd2-neue-zahlungsrichtlinie-aerger

[11] FAZ (2019), Antonia Mannweiler: "Bafin boss Hufeld: 'Who's reading this?'" (12.11.2019) www.faz.net/aktuell/finanzen/finanzmarkt/verbraucherschutzforum-bafin-chef-hufeld-wer-liest-das-denn-16482100.html

[12] Handelsblatt (2019), Katharina Schneider: "Discontent over new account interfaces" (03.07.2019), www.handelsblatt.com/finanzen/geldpolitik/kontozugriff-unmut-ueber-neue-konto-schnittstellen/24515602.html

[13] Handelsblatt (2019), Katharina Schneider, Elisabeth Atzler: "Bafin gives banks strict rules for account interfaces" (16.08.2019), www.handelsblatt.com/finanzen/banken-versicherungen/bankenaufsicht-bafin-gibt-banken-strenge-regeln-fuer-konto-schnittstellen-vor/24910032.html

[14] Handelsblatt (2019), Katharina Schneider: "Dispute over new account interfaces: Banks and fintechs come to an agreement" (17.10.2019), www.handelsblatt.com/finanzen/banken-versicherungen/psd2-schnittstellen-streit-ueber-neue-kontoschnittstellen-banken-und-fintechs-einigen-sich/25123558.html
