PSD2: Banking on the Edge

Europe continues to influence data privacy around the world. First, there was the General Data Protection Regulation (GDPR), and now we have PSD2, the new phase of Europe’s Payment Services Directive. As with any new compliance measure, there is a lot of confusion about what it does, what you have to do, and what it all means. You can basically sum it up like this:

PSD2 forces banks to make data available.

To be honest, that sentence is a bit tricky because of two words: banks and data. There are a lot of definitions of “banks,” but let’s assume we mean companies that hold onto your money and provide access to it through services like checking accounts, credit and debit cards, and online banking.

Defining data is even trickier, as there are basically three kinds of data PSD2 is forcing banks to expose: public information, customer transactions, and the necessary data to make money transfers.

Making public information available over an API

Surprisingly, banks are now forced to expose information like bank locations and services over an API. This data may have been available on websites, but now it’s required to be available over an API, allowing for easy integration into third-party apps.

This means a third party will be able to create apps for finding specific kinds of branches (an obvious example is branches with good services for people with disabilities, or branches whose staff speak other languages). More interestingly, once a standard is established, it will suddenly be very easy to compare bank services, find contact information, and use that information to help consumers navigate the big banks.

Making customer transactions available over an API

Banks know a LOT about you — your spending habits tell them where you are and what projects you’re working on. For example, they know a customer spends a lot of time traveling but buys a lot of home improvement hardware. That data has always been considered an asset of the bank, so the bank can develop new products and services and sell them to a ready customer base.

However, under PSD2, that information can be released to third parties. Say you grant a tax management application access to not only your main checking account, but also to your credit cards from other banks and your savings accounts. Finding your deductions suddenly got a lot easier.

Allowing third parties to trigger payments

And here’s the big one: now third parties can send requests to your bank directly to move money from point A to point B. Moving money around has been tricky for years; credit card machines in retail shops connect to a card processor, not the bank. That card processor then contacts the bank, and only then does the money start to move. PSD2 makes it so anyone can write software to contact the bank and – with the right credentials – move money from one account to another.

Sounds great! How do I start?

PSD2 is a body of European law that European banks have to comply with. We’re not sure how it’s going to affect U.S. banking, or what the APIs are going to look like, or what brilliant applications are going to come out of it.

The problem with compliance law is that the people who write it aren’t the people who have to implement it or make it work. When a body of law is brand new, there haven’t been any wins or losses, so no one has a model for what to do and what not to do.

The UK’s OpenBanking site is probably the most sophisticated example at this point, but third parties still have some pretty big gaps they are going to have to deal with, including:

  • User Identity: Each bank has its own identity management system. If you’re going to build a third-party app against, say, the nine major banks in the UK, you’re going to have to coordinate all nine identities and maintain them securely in a way that doesn’t force users to log in nine times every time they want to look at a report.
  • Services Identity: Your app and your microservices are now playing with people’s banking and livelihood. Every little app, whether it’s your front-end web app or an individual microservice on the backend, needs specific permissions so nothing can go rogue and start eating everyone’s money. (And even if it isn’t going to eat money, you need your customers to be confident that it won’t. See our blog on Why We Secure Our Systems to learn more.)
  • Thing Identity: Obviously, a big part of the opportunity with PSD2 is changing the tools we use to transact business. Kiosks, mobile devices, and embedded systems are going to become more and more important. Trusting such a device means tagging and identifying it as rigorously as you would a human user.

At the end of the day, this is all part of the GDPR world. You need end-to-end tracking so that if something does go wrong, you know exactly who touched what, why, and how to fix it.
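To make the three gaps above concrete, here is an added example of how a third-party app might model them: one app user holding separate, expiring consents at several banks (User Identity), each internal service pinned to the scopes it is ever allowed to use (Services Identity), and every authorization decision written to an audit trail (the end-to-end tracking just described). This is a hypothetical model written for this post; it is not code from any bank or from the UK Open Banking programme, and the scope names, bank names, user and dates are all constructed.

```python
"""Consent-scoped authorization for a PSD2-style third-party app.

Hypothetical model, not code from any bank or from the UK Open Banking
programme: one app user holds a separate consent at each bank, each consent
carries only the scopes the user granted, each internal service of the app is
pinned to the scopes it needs, and every decision lands in an audit trail.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Scope names are constructed for this example, not a real API's.
READ_ACCOUNTS = "accounts:read"
READ_TRANSACTIONS = "transactions:read"
INITIATE_PAYMENT = "payments:initiate"


@dataclass(frozen=True)
class Consent:
    """What one user granted at one bank, and until when."""
    bank: str
    scopes: frozenset
    expires: datetime


@dataclass(frozen=True)
class ServiceIdentity:
    """An internal component of the app and the scopes it may ever use."""
    name: str
    allowed_scopes: frozenset


@dataclass
class ConsentRegistry:
    consents: dict = field(default_factory=dict)  # app_user -> bank -> Consent
    audit: list = field(default_factory=list)     # one entry per decision

    def grant(self, app_user: str, consent: Consent) -> None:
        self.consents.setdefault(app_user, {})[consent.bank] = consent

    def authorize(self, app_user: str, service: ServiceIdentity,
                  bank: str, scope: str, now: datetime) -> str:
        """Return "allow" or "deny: <reason>", recording the decision.

        The user's consent is checked first (did they grant this scope at
        this bank, and is it still valid?), then the service's own ceiling
        (is this component ever allowed to use that scope?).
        """
        consent = self.consents.get(app_user, {}).get(bank)
        if consent is None:
            decision = "deny: no consent at this bank"
        elif now >= consent.expires:
            decision = "deny: consent expired"
        elif scope not in consent.scopes:
            decision = "deny: user never granted this scope"
        elif scope not in service.allowed_scopes:
            decision = "deny: service is not permitted this scope"
        else:
            decision = "allow"
        self.audit.append({
            "at": now.isoformat(), "user": app_user, "service": service.name,
            "bank": bank, "scope": scope, "decision": decision,
        })
        return decision


# Constructed sample data: a fixed clock and two narrowly scoped services.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
REPORTING = ServiceIdentity("reporting", frozenset({READ_ACCOUNTS, READ_TRANSACTIONS}))
PAYMENTS = ServiceIdentity("payments", frozenset({INITIATE_PAYMENT}))


def build_registry() -> ConsentRegistry:
    """One app user, three banks, three different consent states."""
    reg = ConsentRegistry()
    # Current consent, read-only.
    reg.grant("alice", Consent("bank-a", frozenset({READ_ACCOUNTS, READ_TRANSACTIONS}),
                               datetime(2024, 6, 1, tzinfo=timezone.utc)))
    # Consent that included payments but has lapsed.
    reg.grant("alice", Consent("bank-b", frozenset({READ_ACCOUNTS, INITIATE_PAYMENT}),
                               datetime(2023, 12, 1, tzinfo=timezone.utc)))
    # Current consent for payments only.
    reg.grant("alice", Consent("bank-c", frozenset({INITIATE_PAYMENT}),
                               datetime(2024, 3, 1, tzinfo=timezone.utc)))
    return reg


def run_demo():
    """Exercise each deny path and both allow paths; return decisions and audit."""
    reg = build_registry()
    decisions = [
        reg.authorize("alice", REPORTING, "bank-a", READ_TRANSACTIONS, NOW),
        reg.authorize("alice", PAYMENTS, "bank-a", INITIATE_PAYMENT, NOW),
        reg.authorize("alice", PAYMENTS, "bank-b", INITIATE_PAYMENT, NOW),
        reg.authorize("alice", REPORTING, "bank-c", INITIATE_PAYMENT, NOW),
        reg.authorize("alice", PAYMENTS, "bank-c", INITIATE_PAYMENT, NOW),
        reg.authorize("alice", REPORTING, "bank-d", READ_ACCOUNTS, NOW),
    ]
    return decisions, reg.audit


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The point of the two-stage check is that a user's consent and a service's permission are independent ceilings: the reporting service is refused a payment even at a bank where the user did grant payments, and the payments service is refused at a bank where the user granted only reads or where the consent has lapsed. Because every outcome, including denials, is appended to the audit list with the user, service, bank and scope, the "who touched what, and why" question has a single place to look.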