The European Union (EU) will see the General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive go into effect in May 2018. My colleagues have already discussed these regulations in a number of blog entries, so I won’t dwell much further here, but I would like to dive into the revised Payment Services Directive (PSD2), another regulation for the EU banking industry that will become effective on 13 January 2018.
Officially known as Directive (EU) 2015/2366, PSD2 will open payment markets to more competition, offering greater choice and better prices for consumers. In short, it will enable bank customers to use third-party providers (TPPs) to manage their finances. These TPPs will be able to build financial services on top of data from multiple banks. In the United Kingdom, the Open Banking order is aligned with the PSD2 in this regard.
TPPs will fall into two general categories: account information service providers (AISPs), which aggregate a customer's account data from one or more banks, and payment initiation service providers (PISPs), which initiate payments from a customer's account on their behalf.
As TPPs will hold or process financial data, they will also face regulations to ensure appropriate measures are in place for security and confidentiality. As a case in point, the European Banking Authority (EBA) has a consultation paper open for comment through 7 August, 2017, that specifies guidelines to address security risks for payment service providers.
From the perspective of traditional EU banks, the PSD2 requires open access to their customers’ account data and payment infrastructure for authorized TPPs. This will be accomplished through the exposure of application programming interfaces (APIs) to TPPs. As TPPs proliferate or gain in popularity, banks can also expect more business-to-business (B2B) traffic in terms of the total number of connections and/or data volume. Their IT capacity planning process for the network perimeter will need to account for these demands.
By merely complying with the provisions of the PSD2, EU banks will face increased costs to securely enable TPP access to customer account information, increased competition for financial services and the potential loss of a channel for customer engagement. None of these can be viewed as positives by traditional banks. To combat this fate, EU banks may choose to become AISPs and/or PISPs as well. They can develop into aggregators of account information from other banks, initiate payments from those accounts and even offer additional tailored financial services based on a now-complete view of a customer’s finances. This puts them in a better position to compete with new TPPs using personalized services, remain relevant with their existing customer base, and even acquire new clients in the age of open banking in the EU.
With PSD2 just months away, cybersecurity professionals should approach this from one of a few angles based on where they reside.