PSD2 is driven top-down by the European Commission and the European Banking Authority (EBA). But it is built bottom-up by the banks and other service providers themselves. And the Commission/EBA don’t regulate PSD2 providers. It’s the “national competent authorities.” In other words, it’s the regulator in each country. Unlike the UK, where the CMA9 regulations are defining what the banks must do, PSD2 leaves things entirely in the hands of the banks and related businesses.
This creates an immediate problem. There might only be one set of regulatory technical standards for PSD2, but there are more than 30 national competent authorities interpreting the standards. Providers will have to ensure that they comply with the interpretation of the standards in each of the countries they wish to operate in.
And one thing that can be guaranteed – if there is a single standard with multiple authorities attempting to interpret it, there will be at least as many interpretations as there are authorities. Worse still, if we are to believe the EU on this issue, the enforcement and compliance mechanism will be based on arbitration and complaint handling by the national bodies.
This sounds like a recipe for chaos.
What needs to be done?
As ever, the best solution is to approach the problem from both ends. Given that the Commission and the EBA want to create an effective single market in payment services, hopefully the EBA will steer the national competent authorities towards exactly how the regulations should be interpreted.
Pan-European industry bodies, such as the Berlin Group, can influence both the EBA and national regulators to adopt consistent best practice across the continent.
Furthermore, the EBA, national competent authorities, trade organizations, banks, service providers and other stakeholders should be searching constantly to discover what works well in open banking for all parties. For instance, in areas like service performance and quality monitoring, we can work to disseminate this knowledge through the industry to minimize the problems caused by different countries adopting widely different approaches.
The banks we work with are already seeing this challenge. They want to understand not just how well their services work, but how they can measure the other services they are going to be integrating with. They recognize that it’s not enough to understand what their server logs say; they need a full and transparent view of what their services are actually doing and what the services they have to integrate with look like.
This goes beyond self-certification – without clear and completely transparent standards, used and agreed upon between partners, on what constitutes good performance, and without the buy-in of the national bodies, PSD2 will be a very painful process.
Obviously, at APImetrics we see ourselves as a part of the process, but more importantly, if we didn’t exist, somebody would need to invent us.