Fintech vendors believe there are still obstacles in place as banks “drag their feet” – and potentially put hurdles in place - to comply with Strong Customer Authentication (SCA), due to come into force on September 14.
“Some [financial] institutions dislike people like ourselves who can access the other account types so they’ll build their walled garden earlier than they need to,” says Matt Cockayne, vice president of EMEA at financial data sharers, Envestnet Yodlee.
Europe’s second payments directive (PSD2) - under which SCA falls - and the Open Banking initiative have laid out guidelines to better protect customers.
Cockayne believes the way SCA is being deployed is at odds with the objectives of Open Banking and will “limit consumer choice and the ability to manage their finances” should banks choose to apply SCA to both payment accounts and non-payment accounts.
“It’s a benefit for the banks in the way they’ve interpreted the [regulations] so they can deploy SCA on all account types. SCA is at risk of breaking the progress that Open Banking is doing. By this I mean, the law of unintended consequences on SCA is that it’s actually going to make it very hard and frictionful for consumers to see other types of accounts that sit with a bank,” he says, recounting how there can be conflict over how broadly and when SCA is deployed between departments at the same bank.
Ultimately, Cockayne believes this form of deployment could stifle market competition and uptake of Open Banking products among consumers while also adding that it raises security concerns.
“Either people will stop using these types of apps and services or they’ll end up changing their passwords to the same which would increase fraud significantly,” says Cockayne. “We’ve raised it with the FCA and with the Treasury - everyone acknowledges there’s a problem but no solution at the moment.”
But PSD2 has been “very clear” that banks cannot increase friction or obstacles for third party services against their own, according to Mark O’Keefe, Payment Systems Regulator panel member and founding director of Optima Consulting. He does suggest there are grey areas, however.
“An organisation can interpret the rules and decide to add an extra step for fraud reasons. If it were uncovered that additional steps were only applied to third parties, then that is not compliant with legislation.”
But the delay to the implementation of proposition three – app to app authentication – could “put a hurdle in place” says O’Keefe, particularly following news that five CMA9 banks – Santander, Lloyds, HSBC, Danske and Bank of Ireland - missed key initiative functionality deadlines.
“When a customer wants to authenticate in their own banking app they can just use touch ID and off they go. When they use a third party they’ve got this horrible process until proposition three is in play,” he says. “Is that deliberate? Are the banks saying, the harder we make it for someone to use a third-party service to initiate payments and so on, then we’ll maintain our position? I haven’t seen evidence of that at the coalface,” he says.
Francesco Simoneschi, CEO of Truelayer - the data and payment API firm – believes banks will be up to speed with their SCA requirements by the rules’ deadline.
“Some of the banks are dragging their feet,” he says. “The big milestone for them is September 2019, when they may or may not be completely ready. My expectation is that by the deadline, there should be enough capabilities and functionalities in app to app authentication in production, so I don’t see all the issues,” he says.
Lloyds, one of the CMA9 most recently issued with a new direction, said by email they were “sorry for this delay” adding they are working hard to roll it out in April and May.
A Nationwide spokesperson said by email: “Enabling [Open Banking] with a consistent, high quality, secure and resilient experience is a hugely complex undertaking for the entire industry. Nationwide has certainly not ‘dragged its feet’ but worked extremely hard to give its Members this choice for circa three years and has met the regulatory deadlines set including the most recent requirements for March 19.”
The spokesperson said only 1.5% of its members made use of the Open Banking ecosystem underpinned by third party providers.
Research from YouGov in August 2018, revealed that 72% of UK consumers were not aware of Open Banking while only 18% understood how they could use an Open Banking product.
“I’ll be very honest, the whole thing of banks being scared about losing customers to Open Banking is overplayed,” says Truelayer’s Simoneschi, “no banks are happy to give away data but it doesn’t keep them awake at night. I think they’re trying to be compliant with regulation by doing the minimum of what is required.”
Barclays, RBS and Santander did not respond to comment, and Danske Bank declined.