There is an awful lot of hot air circulating over PSD2, and rightly so. The impending regulation marks a change within the payments and banking sector to a degree not seen for a long time. Anna Milne speaks to CGI’s Jerry Norton to assess some of the impacts.
Consulting is the most obvious and immediate area ripe for business in the run-up to the second Payment Services Directive.
How to implement a new business strategy, deciding what strategy to implement in the first place, or gauging what the impact will be on a business as a result are all cash cow questions, from a consulting point of view. From security to regulation, there are myriad angles for a pitch.
CREATE A PORTAL
The first piece of advice from Jerry Norton, head of financial services strategy at CGI, is to “create a portal.
“Whether that’s a portal for your internal customers or your external customers, you need a portal to advertise these APIs [application programming interfaces],” Norton explains.
“In the main, it is down to technology to facilitate these changes and implementations. The impact on a business could be about security, regulation or developing APIs – although, apparently, they are not too taxing.
“Then you need some tools to police it. By that, I mean security, volumes, how many people are calling me, monitoring the APIs that are coming in, all of that.
“You also might need some things like the registration and authentication of third parties, and there’s a big debate about how that all works,” Norton adds.
“Software could cover those four aspects. You’ve either got to buy that software, or you’ve potentially got to build it. Some people might build it.
“You’ve certainly then got to operate that, and there are people talking about the concept of an API factory, so you employ us to build it. You can have an API factory using one of those tools.”
INITIATOR OR AGGREGATOR
A bank could be any of the following: the owner of the payment account, the account service provider or the third party which either initiates payments or becomes the aggregator.
A common misconception is that an aggregation service simply lists all the activities of different accounts under the same name, with account-holder permission.
Norton describes this as a “very thin use case” and mentions Yodlee and Mindtree in the US, which already provide such services.
As an example, Norton suggests a B2C energy company, supplying energy to consumers, acting in PSD2 terms as a trusted third party and initiating the payment for the energy itself.
However, while the advantage here for the energy company is obvious, there seems little incentive for customers to break away from direct debits.
More consumer-beneficial is the mortgage application scenario, which will enable banks to make a lending decision from viewing statements via an API, saving said consumer having to provide statements.
This can speed up the application process tenfold – or, as Norton puts it, to “seconds, rather than days and weeks” – and could be a genuine draw for a customer.
“I think that is what is behind PSD2. [The European Commission] is trying to achieve a market where there is innovation, where there is a combination of these things which will help the consumer, and which will help the small business.”
GDPR requires explicit consent for an external party to be able to use a person’s data.
And a person can change their mind, so the business or bank needs to be set up to accommodate a data set to be removed entirely at the request of the consumer – and have a record of it.
It also means that the consumer can control exactly what data is shared. They might, for example, decide that a third party may only access one account, such as a current account, and not a savings account. So the institution or bank needs to be flexible enough to share subsets of data as well.
“That is described as a data-management problem,” Norton notes. “It’s not insurmountable. You’ve got to have care and attention to detail, and to some banks, that is a problem.”
And there is the authentication of the third party. It is a pretty safe bet that certain challenges will arise in the overlap between PSD2 and GDPR.