Towards the API Economy (1) - The new role of APIs in the Payment System
A payment initiation service is defined as a service to initiate a payment order at the request of a PSU with respect to a payment account held at another PSP. Payment initiation services enable the PISP to provide comfort to a payee that the payment has been initiated, as an incentive to the payee to release goods or deliver a service without undue delay.
APIs can help customers share their transactional data with other players or initiate transactions via third party applications.
****************************
PSD2 introduces two new types of licence for TPPs: a licence for Payment Initiation Service Providers (PISPs) and a licence for Account Information Service Providers (AISPs). In terms of the types of services that can be offered, both licences are more restrictive than those held by regular payment institutions. AISP and PISP services are relevant to a PSP and its corporate and retail customers – not to services between PSPs, such as in correspondent banking.
An account information service is an online service to provide consolidated information on one or more payment accounts held by a PSU with another PSP or multiple PSPs.
**************************
With the Revised Payment Service Directive (PSD2) entering into force on 12 January 2016 it is now official: providing payment account access (XS2A) to third party providers (TPPs) will be a requirement for European banks as of 13 January 2018.
The exact security requirements for XS2A will heavily depend on the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication channels that the European Banking Authority (EBA) will need to deliver.
Anyway, many aspects regarding XS2A implementation are still unclear.
So, here’s what we know
Banks (account servicing PSPs under PSD2) will need to ‘open up’ two types of services:
- payment initiation services (PIS); and
- account information services (AIS).
Both services require account holder consent and apply to all consumer and business payment accounts that are accessible online.
This opening up will enable two types of licensed TPPs to enter the market: payment initiation service providers (PISPs) and account information service providers (AISPs). To obtain a licence, these service providers will need to meet less stringent requirements than, e.g., the current payment institution licensees.
For PIS and AIS no contract between a TPP and a bank should be required.
In case of disputes over unauthorised transactions where a PISP is involved, the bank remains the first point of contact for the account holder.
Implications for banks
Regardless of the exact content of the RTS, we can already see the following implications for banks.
From January 2018, banks will find TPPs offering new services to banks’ account holding customers.
Since these services build on the AIS and PIS offered by the bank, these services are very likely to overlap with today’s bank services.
"This may have implications for the way in which a customer sees and interacts with its bank".
This is most visible for AIS on the account holder – bank relationship, where a TPP could replace existing internet and mobile banking apps.
Obvious examples of services in this domain are aggregation services (where account information of multiple bank accounts, held in different banks, is aggregated into one comprehensive view) and account balance services.
For PIS a bank may experience more direct impact on its business model "as TPPs can directly compete on product and price with existing payment services offered by banks".
TPPs do not require a contract, which seems to imply they are not subject to direct charges from the bank.
The implications for PIS are most visible in the ‘acquiring’ or ‘creditor bank’ domain of a bank, where payment services are offered to merchants and banks will, thus, face more competition.
This competitive pressure adds to disruption in the ‘issuing’ or ‘debtor bank’ domain, where interchange-based revenue from both cards and alternative payments might be at risk.
Advice to banks
For a bank to operate effectively amongst FinTech and bigtech challengers in the PSD2 era, it should know exactly what it wants to be to its customers.
Banks need to determine a strategic value chain position that fits the bank’s capabilities and ambitions.
Admission requirements for these new payment service providers
In order to be authorised, an AISP is required to hold "professional indemnity insurance" and be registered by their member state and by the EBA.
There is no requirement for any initial capital or own funds. The EBA will publish guidelines on conditions to be included in the indemnity insurance (e.g. the minimum sum to be insured), although it is as yet unknown what further conditions insurers will impose.
The minimum requirements for authorisation as a PISP are significantly higher. In addition to being registered, a PISP must also be licensed by the competent authority, and it must have an initial and on-going minimum capital of EUR 50,000.
The EBA Register
The EBA must operate and maintain a central electronic register of the information notified to it by the national registers and make this publicly available on its website without charge, granting easy access and providing easy research functionalities. Any Account Servicing Payment Service Provider (ASPSP) – the PSP of a PSU – should be able to ascertain electronically, immediately and reliably, whether a service provider is authorised to initiate payments or collect account information (Art. 15).
The EBA Register is not expected to incorporate such data on a real-time basis – meaning that ASPSPs must assess the risk of this register suffering from time gaps, such as:
a) a time gap between a new TPP being listed and its first transaction,
b) a time gap between a national supervisory authority realising that a provider has acted fraudulently and that provider losing its licence.
Payment Institutions’ access to payment systems
PSD2 gives authorised and registered payment institutions access to payment systems, and also to credit institutions’ payment accounts services (Art. 35, Art. 36).
The Directive stipulates that such access shall be extensive enough to allow them to provide payment services in an unhindered and efficient manner. Access must be allowed on an objective, non-discriminatory and proportionate basis. Furthermore, credit institutions shall not inhibit account access unless necessary to safeguard against specific risks. Where a credit institution rejects a request for access, it must provide the competent authority with a detailed statement of its reasons for rejecting the request.