How Deutsche Bank is forging a path to PSD2 compliance

By Alex Hammond | 4 December 2017

Are you PSD2-Ready?, a new whitepaper published by Deutsche Bank, outlines a number of challenges for banks tasked with becoming PSD2-compliant. 

bobsguide sat down with Christian Schaefer, Global Head of Payments, Cash Management, Deutsche Bank, to discuss the report's key findings.

What are the key takeaways from the report?

Our report stresses that market participants should not delay implementing PSD2-related changes. This is despite the fact that transposition into national law in some member states may be delayed beyond the implementation date of 13 January 2018. Our report also highlights that an implementation gap exists between this date and the point at which the highly important Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA) and Common Standards of Communication (CSC) becomes effective. Given its 18-month implementation period, the RTS on SCA and CSC will now come into force in the first half of 2019 at the earliest.

While this implementation gap had been subject to market debate previously, it is hoped that the current – and final – version of the RTS can create a workable compromise among market participants. The final RTS on SCA and CSC, which were submitted by the European Commission to the European Parliament on 27th November, should incentivise the evolution of a pan-European API standard that works in the interests of all market participants. And the Berlin Group, as the only pan-European payments interoperability standards and harmonisation initiative, is best positioned to achieve this.

The report also outlines some areas of clarity with respect to the regulation: namely, what will be required to establish a compliant account interface and how to deal with value dating of incoming transactions in a non-euro EU/EEA currency. However, it also identifies areas where further confirmation is needed, such as around the all-important third party interface, and whether Account Servicing Payment Service Providers (ASPSPs) will need to provide third-party providers with a “fall-back“ option.

What will the reaction be of banks to the report’s findings?

Our hope is that our report will incentivise ASPSPs to conclude their IT projects and deploy PSD2-related changes as planned, prior to the January start-date. With respect to compliance with their third party interface obligations, we would also hope that ASPSPs realise that there is no value in waiting until late in 2018 or early 2019 to get going. Indeed, there are some significant provisions in PSD2 that are either dependent on or closely bound up with compliance to these obligations.

Overall, the message is positive. We rest on the cusp of a payments revolution. PSD2 presents a significant opportunity for ASPSPs to get API and Open Banking-ready – to future-proof themselves in an age of rapid technological change.

What is the appetite of the banks to be ready for PSD2 by the implementation deadline?

Banks understand that compliance is necessary, and that there are major competitive advantages that can be gained from the opening up of the payments market. The only thing holding back some banks is the lack of clarity around transposition into national law in some member states, as well as the implementation gap we’ve outlined.

Are there areas of PSD2 that are proving more difficult to find a compliance solution for than others?

With respect to the all-important third party interface, we continue to seek confirmation on whether ASPSPs will need to provide TPPs with a “fall-back“ option in the event that their dedicated interface becomes unavailable. This would endorse the hotly-contested practice of “screen scraping” – and would place an additional compliance burden on ASPSPs. 

Is finding resources for PSD2 compliance an issue?

Numerous initiatives have been developed to support market participants through the PSD2 implementation process. These can be categorised into three groups: initiatives drafting specifications and building consensus for compliance, such as the Berlin Group and PRETA; Banking Association initiatives, such as the PSD2 Practitioners’ Panel, hosted by the Euro Banking Association; and national initiatives.

There has also been a steady increase in sources of help and support stemming from consulting firms and providers of key elements of infrastructure, software and services. Moving forward, we hope that our new whitepaper will act as another valuable source of support for those affected by PSD2.

While sources of support are available, being ahead of the game remains important. Relevant resources are likely to become increasingly stretched as the implementation date approaches and every payment service provider across Europe dedicates increasing amounts of time, attention, and expertise to implementing PSD2.

In terms of the roadmap for PSD2 compliance, will it be uniform or will we see banks take differing approaches?

I think we can expect different roadmaps depending on ASPSPs’ business, operations and jurisdiction.

However, there are two major milestones for all. The first is to ensure compliance with the bulk of PSD2 by 13th January 2018. This first milestone will involve changes to business terms and conditions and possibly some client procedures.

In this first implementation phase, organisations will be concentrating on understanding and implementing the legal and regulatory changes that will be required. Legal and Compliance departments will need to take the lead in this early phase. However, Product Management and IT departments should also be involved in this first stage – not least to avoid fragmentation between project phases. From an IT perspective, preparations at this early stage will likely focus on core payment processing.

ASPSPs will be required to comply with further guidelines when necessary, such as the guidelines on fraud reporting under PSD2, which are applicable from 13th January. While reporting to the competent authority is only likely to take place from Q3 2018, this will need to account for fraud statistics from 13th January, meaning that data collection and preparation will need to commence at that point.

Once this first milestone has been attained, the second, far more technical phase of implementation can begin: implementing the third party interface and meeting secure customer authentication requirements.

What role will fintech providers play in the PSD2 compliance journey?

When it comes to the third-party interface, we see fin-techs playing a significant role. ASPSPs will need to consider whether to start their own API development programme (possibly in collaboration with others) or engage a fintech provider to supply their needs. This choice will depend entirely on the individual ASPSP’s service offering, market sector, long-term strategy and resources.

Ultimately, what position is the industry in leading into PSD2 implementation? Are banks actually PSD2 ready?

Financial institutions are in different stages on their compliance journeys. All should regard PSD2’s implementation deadline of 13th January 2018 as a wake-up call: not only to get PSD2-ready; but also to take the leap towards getting API- and Open Banking-ready as well.

PSD2 is a project requiring significant investment from organisations, but in the long term may prove the first step towards new ways of doing business and provide the seedbed for new revenue, business, and partnership models.

As matters currently stand will PSD2 be able to be enforced in 2018 in any case?

PSD2’s implementation may get off to an uneven start across member states. To date only Denmark, France, Germany and the United Kingdom have transposed PSD2 into national law, with a number of other member states having draft legislation in place.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development