In 2015, the European Parliament adopted a revised Payment Services Directive (Directive (EU) 2015/2366), better known as PSD2, which can be considered the starting point of "open banking"; member states had to apply it from January 2018. The new rules aimed to promote the development and use of innovative online and mobile payments by opening consumer banking data up to third party providers (TPPs) in a secure way. In other words, banks and building societies must allow third-party financial service providers such as retail businesses, telecommunications providers, payment services, financial account aggregators, and others to access, and with the customer's consent act on, the customer's personal and financial data.
By providing access to the banking data of consumers, this allows TPPs to develop and offer a range of new financial products and services for the benefit of consumers. The ultimate result of the changes is that the world of financial services will be opened up to more than just banks, allowing fintech and other innovative upstarts to create new solutions based on the data that was previously the exclusive domain of banks.
While the new regulations and the open banking paradigm gives clear benefit to TPPs, what opportunities does it offer to clients and the banks? Firstly, open banking allows clients to centralize their financial management into a single point for all their accounts. Through open banking clients can also get access to a far broader set of capabilities than banks can provide on their own. It could be a personalized quote for a loan based on a detailed history of income and spending, a debt management tool with overdraft alerts, recommendations for better products with lower interest rates, or a tool that gives recommendations to save money based on analysis of their fixed payments and variable spend.
Clearly, customers may be concerned about sharing their account details and spending history with TPPs, which is why the open banking legislation has a strong focus on customer data protection. Implementation of the open banking changes is strictly regulated: customers must give explicit consent to any company wishing to access their data, the consent is scoped to particular accounts and purposes and can be withdrawn, data in transit between the parties is encrypted, and access to it is logged.
Banks mainly benefit from collaboration with third-party services in improving customer engagement by providing a better and smoother experience, as well as building and selling more innovative financial products. The changes that open banking brings provide a very promising opportunity for the financial services industry. According to the survey report conducted by Tink, before 2020 many financial executives in Europe approached open banking from a purely compliance perspective — in particular to meet the set requirements of PSD2. But as we begin a new decade, open banking investments have become central to the digital transformation of the industry itself.
However, implementation of the PSD2 regulation compliance and open banking concepts do require major investments by the banking industry with a median estimated investment between 50-100 million euros. To better understand where the required complexity comes from, let’s take a closer look at the PSD2 and open banking requirements.
In the open banking approach financial data is shared by banks through standard-compliant APIs. The data can be shared with TPPs of two classes: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). PISPs initiate payments on behalf of a user and therefore deal with the actual transfer of money, for example peer-to-peer (P2P) transfers or bill payments, while AISPs get read-only access to account information (balances and transaction history) in order to, for instance, analyze a user's spending habits; an AISP cannot move money.
PSD2 requires that third parties be denied access to personal and financial data until the client's explicit consent has been obtained in a secure manner. Before open banking, TPPs typically used screen scraping to gain access to customer financial data. That approach carried an obvious fraud risk because the customer had to hand their online banking credentials to a third-party application, which could then do anything the customer could. The open banking approach instead bases communication between Account Servicing Payment Service Providers (ASPSPs), users, and TPPs on consent and trust: the TPP identifies itself to the bank, the customer authorizes a scoped consent, and the TPP never sees the customer's credentials. The related requirement in PSD2 is Strong Customer Authentication (SCA): accessing account information or executing a payment requires the customer to authenticate with at least two independent factors (something they know, something they have, something they are), and for remote payments the authentication code must be dynamically linked to the amount and the payee.
The European Banking Authority (EBA) published the final draft of the Regulatory Technical Standards (RTS) on SCA and common and secure communication under PSD2; the Commission adopted them as Delegated Regulation (EU) 2018/389, which applied from 14 September 2019. It is important to note that the RTS does not prescribe specific technologies, protocols, or API formats. Instead, various standardization bodies in coordination with the EBA have created a set of frameworks and options based around market standards, which effectively act as implementation guidelines. For banks, this can be seen as both a positive and a negative. It is advantageous in that it allows a greater variety of technological innovation pathways to be explored. However, it also means that banks and financial institutions have to work out the specific design and form of workflows and artifacts themselves. For many banks and TPPs, especially smaller institutions, this is considered quite an onerous undertaking. At the time of writing, further details and use cases were still being finalized.
Another challenge is that the EBA does not provide a concrete definition of the PSD2 interfaces; it has explicitly left this to the market and emerging industry bodies. In addition, the open banking API standards in the EU (as well as world-wide) can differ between countries and even between groups of banks, and every organization that participates in open banking is regulated by a country-specific authority. Even the guidelines for PSD2 APIs come from a variety of standardization bodies. For example, financial institutions in Germany use the Berlin Group's NextGenPSD2 XS2A framework as the main standard, STET is applied in France, and in the UK the Open Banking Standard is used, overseen by the Competition and Markets Authority (CMA) and the Financial Conduct Authority (FCA).
As a result, implementation of open banking touches a variety of concerns such as handling SCA and its exemptions, customer consent management, monitoring of TPP transactions, customer authorization options, and validating the eIDAS certificates that identify TPPs and their roles. On top of that comes uncertainty surrounding the ongoing evolution of PSD2 and the RTS, which requires that open banking solutions are ready for future changes.
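To make the consent-and-role model described above concrete, here is an added example (our illustration, not code from any PSD2 standard, bank, or vendor named on this page) of the authorization decision an ASPSP's API layer has to make for every TPP request: the TPP's role (AISP or PISP, assumed here to have already been read from its validated eIDAS certificate) limits what it may call, the customer's consent must be scoped, unexpired, unrevoked and SCA-authorised, and a payment without a fresh SCA is allowed only under the low-value exemption. The scope names, the `fresh_sca` flag, the fixed clock and the data shapes are assumptions for the example; the low-value thresholds are our reading of RTS Article 16 and should be checked against the current text.

```python
"""Added example: ASPSP-side authorisation check for TPP API requests.

Illustrative only: scope names, data shapes and the fixed clock are
assumptions, not any standard's wire format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set, Tuple


class Role(Enum):
    AISP = "AISP"  # account information: read-only access
    PISP = "PISP"  # payment initiation: may move money


@dataclass
class TPP:
    name: str
    roles: Set[Role]  # assumed to come from the TPP's validated eIDAS certificate


@dataclass
class Consent:
    consent_id: str
    tpp_name: str
    scopes: Set[str]  # e.g. {"accounts:read"} or {"payments:initiate"} (assumed names)
    expires_at: datetime
    sca_done_at: Optional[datetime] = None  # None until the customer completes SCA
    revoked: bool = False
    # counters for the low-value exemption, reset whenever SCA is applied
    low_value_count: int = 0
    low_value_sum: float = 0.0


# Low-value remote payment exemption (our reading of RTS Article 16):
# single amount <= EUR 30, and since the last SCA at most EUR 100
# cumulative or 5 transactions.
LOW_VALUE_MAX = 30.0
LOW_VALUE_CUMULATIVE_MAX = 100.0
LOW_VALUE_MAX_COUNT = 5

# Fixed clock so the example is reproducible (assumption).
NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=365)


def sample_consent(tpp_name: str, scopes: Set[str], sca_done: bool = True,
                   valid_days: int = 90) -> Consent:
    """Build a constructed consent record as the bank would store it."""
    return Consent(
        consent_id="consent-" + tpp_name,
        tpp_name=tpp_name,
        scopes=set(scopes),
        expires_at=NOW + timedelta(days=valid_days),
        sca_done_at=NOW if sca_done else None,
    )


def _consent_usable(tpp: TPP, consent: Consent, now: datetime) -> Optional[str]:
    """Return a denial reason, or None if this TPP may use this consent now."""
    if consent.revoked:
        return "consent revoked by customer"
    if consent.tpp_name != tpp.name:
        return "consent was granted to a different TPP"
    if now >= consent.expires_at:
        return "consent expired"
    if consent.sca_done_at is None:
        return "consent not yet authorised with SCA"
    return None


def authorize_account_read(tpp: TPP, consent: Consent, now: datetime) -> Tuple[bool, str]:
    """AISP-style request: read balances or transactions under a consent."""
    reason = _consent_usable(tpp, consent, now)
    if reason:
        return False, reason
    if Role.AISP not in tpp.roles:
        return False, "TPP is not registered as an AISP"
    if "accounts:read" not in consent.scopes:
        return False, "consent does not cover account information"
    return True, "account information access granted"


def authorize_payment(tpp: TPP, consent: Consent, amount: float,
                      fresh_sca: bool, now: datetime) -> Tuple[bool, str]:
    """PISP-style request. `fresh_sca` stands in for proof that the customer
    just authenticated for this exact amount and payee (dynamic linking)."""
    reason = _consent_usable(tpp, consent, now)
    if reason:
        return False, reason
    if Role.PISP not in tpp.roles:
        return False, "TPP is not registered as a PISP"
    if "payments:initiate" not in consent.scopes:
        return False, "consent does not cover payment initiation"
    if amount <= 0:
        return False, "invalid amount"
    if fresh_sca:
        consent.low_value_count = 0  # SCA resets the exemption counters
        consent.low_value_sum = 0.0
        return True, "payment authorised with SCA"
    # No SCA for this payment: allow only if the low-value exemption applies.
    if (amount <= LOW_VALUE_MAX
            and consent.low_value_sum + amount <= LOW_VALUE_CUMULATIVE_MAX
            and consent.low_value_count < LOW_VALUE_MAX_COUNT):
        consent.low_value_count += 1
        consent.low_value_sum += amount
        return True, "payment authorised under low-value exemption"
    return False, "SCA required for this payment"
```

The point of separating `_consent_usable` from the per-operation checks is that every denial reason is explicit and loggable, which is what the transaction monitoring and consent tracking obligations above require; a real implementation would additionally bind the consent to the specific account IDs and verify the TPP's certificate and request signature before any of this runs.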
Taking into account the challenges outlined above, how exactly will banks and financial institutions in Europe approach the digital transformation of their services towards PSD2 compliance and open banking? The main industry players have all taken different paths, but one of the fundamental decisions that each institution must make is how to integrate existing systems into the new concepts.
There are various strategies for integrating with existing systems. One is simply to upgrade the existing system. This works well if the bank's information system already supports many of the required capabilities, so that the open banking standards can be adopted with only minimal changes. However, it is unlikely to work for legacy information systems; it is a better fit for institutions running custom-built solutions or a hybrid (custom and proprietary) solution over which they have a high level of implementation control.
Another widely adopted approach is to introduce a middle layer that implements open banking capabilities and integrates with the existing core systems at the backend. This is usually the safest and quickest way towards PSD2 and open banking compliance because it provides a controlled and isolated impact on the legacy system.
This strategy allows the new capabilities to be onboarded in one go or incrementally, depending on the "build vs buy" implementation strategy. The market offers a large variety of options for either approach. The "build" strategy is supported, for instance, by Red Hat's "agile integration" approach, by cloud provider offerings such as "Open Banking API on AWS", and by API management solutions such as "WSO2 Open Banking". The choice of "buy" options is large as well and is represented by specialized open banking platforms that typically not only satisfy the regulatory requirements but also enable greater monetization via additional services in the future. Popular open banking platforms include Tink, NDGIT, and BANQUP.
Some organizations may take the ongoing global adoption of the open banking paradigm as a trigger for comprehensive modernization of their information systems and services by building a brand new solution (custom or hybrid) in parallel to the legacy one.
This strategy gives great flexibility in the choice of the architecture such as custom microservices architecture, innovations, modern technologies, and approaches. This kind of digital transformation allows building a modern and cost-efficient solution by combining open-source technologies, managed services, and Commercial-off-the-Shelf (COTS) products. There is also a good opportunity to collaborate with TPPs for making joint improvements in business processes.
Grid Dynamics, being a recognized leader in digital transformation for the past decade, notes many similarities between the transformation of information systems in banks towards the open banking paradigm and the rise of services platforms in other industries. This can be applied to both the technology shift as well as to the unlocking of new business opportunities. Providing customers with a modern user experience through responsive web UI and native mobile apps; building cost-efficient distributed scalable backends in the cloud; driving insights from data with machine learning and artificial intelligence; building a high-performance engineering culture, DevOps, and automation to change and innovate faster and cheaper. Does this all sound familiar? These measures all work exceptionally well at elevating businesses as well as delivering enhanced opportunities to the banking industry.
So given our extensive history working on digital transformations, what is our viewpoint on the introduction of the new open banking regulations? It is important to stress the word “agility” as a fundamental driver of the decision making on the implementation strategy. PSD2 regulations with defined tight deadlines have already placed a large amount of stress on banks across the EU. Becoming compliant with these regulations has already cost banks millions of euros. However, that is not the end of the story. The growing utilization of financial services through TPPs will dramatically increase the load on banks’ backend systems and the cashflow will grow as well as the amount of data flowing through the bank systems.
Being “agile” means making the systems and business processes adjustable and flexible enough to cost- and time-efficiently adapt to changes whether it is a new regulation requirement, a new opportunity, or a growing number of customers and transactions. From that point of view, building a custom modern banking system provides the highest degree of agility. However, it is unlikely to be the optimal case for many organizations taking into account its overall scale and complexity and its time-to-market, which may negate all its benefits.
The opposite approach of building the business on a COTS banking product solves many "early days" problems. When properly considered, it can provide a great boost to the business, though in the long term it may become a constraining frame for business development and eventually lead to stagnation and falling behind the industry mainstream. We have dealt with such situations many times in the online retail space. However, not all businesses properly recognize or mitigate the risks involved by taking the necessary digital transformation steps in the right time frame.
The best of the two opposing options, as is often the case, lies somewhere in the middle. Incrementally modernizing the banking information system in a hybrid way, combining custom-developed components, some legacy systems, and highly customizable commercial products, is usually the optimal approach. Of course, building the right enterprise and solution architecture must be prioritized, as it supports the agile paradigm, defines the proper building blocks, and enables the introduction and development of new business capabilities. Nowadays it is typical to move along this route with strategic partners, who accelerate the modernization process by bringing either pieces of a ready solution or specific technical or domain expertise. Being such a partner for many Fortune 500 companies, we see the strong benefit of establishing a strategic, so-called "agile co-innovation" partnership, as it goes beyond accelerating digital transformation to growing new business capabilities.
PSD2 and the open banking paradigm represent a tremendous shift in one of the most conservative customer-facing industries. PSD2 is intended to make it easier for companies to offer different and innovative services and as it stands in 2020, this has already been a success. In addition, banks have recognized opportunities in this trend that go beyond compliance and have started investing more in the acceleration of digital transformation and modernization of their IT infrastructure and services. Taking into account the estimated impact of COVID-19 on traditional banking services, these efforts and the building of new capabilities may prove to be crucial for business development and long term success.
However, implementation of the new capabilities comes with many challenges that traditional banking IT systems may not have faced previously. These include scaling systems to handle the increased external traffic, managing public APIs, tracking access to customer data, collecting and analyzing large amounts of streaming data, and integrating with third-party fintech services. That is where establishing strategic partnerships with companies capable of contributing to technology or business development may dramatically boost innovation and transformation.
The scale and flexibility of the banks’ information systems will dictate how they will approach these challenges. Regardless of whether it is an adoption of a new commercial product, modernization of an existing solution, or building a brand new platform, it is important to validate the approach from the perspective of future changes. It will help to reduce time-to-market and payback periods further and in doing so help to deliver important competitive advantages.