Tom Hay is the Head of Payments at Icon Solutions, an IT consultancy that works with some of the biggest financial services companies. Based in London, Icon Solutions provides services into banks as well as wider financial institutions, with a definitive focus on payments.
Bobsguide spoke exclusively to Tom Hay to discover his views on PSD2, how banks and financial services should prepare for the regulation, and how the industry will transform following the implementation in 2018.
You recently published a blog on the key tips for preparing for PSD2, what were the main takeaways?
The article highlights the top aspects that businesses should be aware of for the PSD2 Final RTS, from the final draft published by European Banking Authority. The main takeaways include the lack of an agreed standard for interfaces, the importance of real time fraud detection and prevention, and how banks are responsible for strong customer authentication on behalf of third parties.
We’ve been tracking the progress of PSD2 for a couple of years, and have commented previously on the different drafts of the regulatory technical standards. Our general view is that the latest regulatory technical standards are a big step forward since the previous draft that went out for consultation last year. However, there are still a number of key areas that are left ambiguous and undefined. The European Retail Payments Board has engaged experts in the payments industry to highlight the gaps, and to fill in those gaps with their own initiatives. Icon is participating in that process, working with organizations in the UK and mainland Europe. Part of our challenge is harmonising the UK specific requirements with the wider European requirements.
How will PSD2 re-shape the banking industry?
That’s a huge question! It’s certain that a degree of PSD2-realism has dawned over the past several months. When we first started talking to financial institutions about PSD2, there was a lot of buzz in the market for how the regulation was going to further enable fintechs and start-ups. The main thinking was how it was going to drive a lot of innovation, and there is certainly still some of that present.
However, the realisation has dawned that the regulation also opens the doors to some very major tech companies who have their eyes on the payments industry. The most obvious one is Apple, who made their move a couple of years ago with Apple Pay, but we’ve also got Google, Facebook and even Airbnb, all for different reasons who want to get involved in the payments market.
PSD2 gives businesses in Europe the opportunity to innovate on different platforms which opens the payments industry to different sectors. Previously, companies had to either use card rails, or they had to become direct or indirect members of the different payment clearings across Europe. PSD2 gives them a way of accessing all the different European national and cross-border clearings directly through the APIs that banks are exposing.
Certainly, the dynamic for how these giants are going to use the opportunity and how it will affect the usage of cards across Europe will be very interesting to watch.
We are now six months away from the implementation of PSD2. What advice would you give to banks and fintechs preparing for change?
There is undoubtedly a lot of uncertainty for banks and fintechs, who are unsure of how the industry will shape up with the regulation in force.
I think that any company or bank that hasn’t got their plans in place and is already working on the implementation will miss the compliance deadline of January 2018. The banks that we’ve been working with have been designing and building their platforms, testing them, and putting the operational process in place for many months now. However, there is an interesting period between January 2018 when PSD2 comes into law, and the date when the RTS will be enforced. The date for the RTS is yet to be determined, but the current best guess is that it will be fully enforced in Q1 2019.
So, during this transitional period, banks are supposed to be compliant with PSD2 articles 65,66,67, which mandate the exposure of their services, but are not yet obliged to implement the new security measures specified by the RTS. Some banks may see this is as a ‘get out of jail free card’, allowing them to defer implementation of the Payment Initiation and Account Information services until 2019. PSD2 explicitly states that existing TPPs can continue “business as usual” until the end of the transitional period, but does not say how new TPPs should be treated. This is the area that causes the most confusion.
If we take a step back to when we first started looking at PSD2, there’s a regulatory drive for introducing APIs and open banking, but there’s also a commercial drive to do this because banks are moving into the API economy that’s been in place in other business sectors for several years. The travel industry, for example, has been completely transformed by the use of APIs.
Banks need this capability in place. Compliance with the regulation should be seen as part of the bigger strategic move towards API banking and open banking rather than being seen as an end in itself.
Any bank that settles for just compliance will lose out in the longer term to the more progressive banks who know that APIs are the way forward. We’re seeing that outside of Europe, for example in the US, banks are adopting APIs purely for commercial reasons and not because of regulatory drivers. The question all financial institutions ask is how they’re going to drive revenue from PSD2. The answer is, it’s not PSD2 APIs that will drive revenue - it’s the wider API services that are offered that will enable banks to drive revenue and give a better customer experience to differentiate the business.
Will PSD2 introduce new collaborations, or will we just see banks acquiring fintechs?
It’s clear that most banks have realised that fintechs bring unique capabilities to the party, that the banks themselves do not have. These may be generation of innovative ideas or launching products very rapidly, which banks can be challenged to achieve. But, on the other hand, banks also bring things to the party which fintechs do not have, such as scale and regulated status.
In an ideal case, a fintech has a great idea which a bank implements, giving immediate access to their huge customer base. That allows the fintech to scale much more quickly than would be possible if they tried to grow organically.
A negative dynamic that we have seen is when fintechs get absorbed by banks and lose their edge because the bank is unable to adapt to the agile way that the fintech needs to move. Forcing fintechs to conform to the bank’s traditional ways of working is a guaranteed way to kill the goose that lays the golden egg.
Where does Icon Solutions step in to assist in preparing for PSD2?
Icon’s sweet spot is to operate is at the intersection between business and technology. That’s really what fintech is all about; it’s a two-way relationship between business and technology.
Historically, the way that things have worked is that the business decides that they want to launch a product and the technology team builds IT systems to support the business requirements. But now there are many technical capabilities becoming available which enable the business to do things they might not have imagined to be possible. It is no longer simply a case of automating existing business processes.
The people on the business side need to be much more aware of the art of the possible in terms of technology and therefor there needs to be a much closer relationship between business and technology. APIs are just one example, and innovations such as artificial intelligence, distributed ledgers and the like are enabling completely new ways of doing new business, so the whole dynamic within financial institutions is changing.
Icon’s philosophy is to simplify complexity, so we provide the translation between technology and business. We also draw on our deep experience of converting ideas into reality to ensure that solutions are pragmatic, robust and operable in the real world.