Everything you should know about the new PSD2 Directive
What is PSD2? Should clients be concerned about the security of their data? The new Payment Service Directive is full of complicated names and formulations. We will explain to you what they mean.
- in Slovakia, the Directive enters into force on January 13, 2018
- Tatra banka offers OpenBankingTB – a secure and advanced API solution
- A licensed company will gain access to a customer's account only after the customer has granted consent
What is PSD2 and how does it differ from the PSD1 regulation?
The original Payment Service Directive (PSD1) established the basic legal framework which defined identical rules for the processing of payment orders within Europe. However, further developments in payments resulted in new services that were not regulated by this directive. The purpose of PSD2 is to facilitate the entry of new payment service providers into the European market while introducing rules under which these entities will be able to provide payment services to end users.
What will the PSD2 Directive mean in practice?
PSD2 brings several minor, but also some major, changes in the provision of payment services. The most important is the obligation to make selected services available to third parties through an Application Programming Interface (API). Through these interfaces it will be possible to enter a payment order or obtain selected payment account information – always with the customer's consent.
What is an API?
An API is a communication interface – a set of programs and functions allowing third parties to communicate securely with a bank in an online environment. Through an API, one application places a request that is processed by another application. Through such a third-party application, customers will be able to enter payments.
An example of the use of a third party app from the perspective of a Tatra banka customer:
- the customer installs a third party app on its device, e.g. “TPP Application”
- the customer creates a profile and chooses the option of adding the bank account
- the customer will be redirected to the bank's authorization portal, where the customer logs in in the same way as to Internet BankingTB and enters a code from the ČítačkaTB app (or the Card and ReaderTB).
- the customer will choose the account to which the customer wants access granted to the “TPP Application”
- the customer reconfirms its decision by a code from the ČítačkaTB app (or the Card and ReaderTB)
- the customer is redirected back to the “TPP Application”, which will read the balance in the customer's account and the transaction history
- after entering a payment in the “TPP Application”, the customer authorizes the payment via the bank's authorization portal and by a code from the ČítačkaTB app (or the Card and ReaderTB)
- in Internet BankingTB the customer will find the “TPP Application” in the Settings – Third party apps menu and can withdraw or modify the access granted to the app
Which banking products fall under this legislation?
PSD2 defines comprehensive rules for third-party access to a bank account. The Directive specifies the execution of transactions over the customer's account and the display of balances and transaction history. To put it simply, the Directive also defines the rules for cash and cashless transactions made from one account to another or by a payment card.
Who are the “third parties”?
These are the new Third Party Payment Service Providers (TPP). Banks will only allow third-party access to payment accounts with the customer's consent. In practice we will encounter two types of payment service providers:
- AISP – Account Information Service Provider. With a customer's consent it processes basic information on a bank account and account transactions. For example, if a customer maintains accounts with several banks, through a third-party application the customer can see balances in all these accounts at once.
- PISP – Payment Initiation Service Provider. At the customer's request it can create a payment order from a bank account. For example, when shopping online a customer does not choose a card payment, but a new method of paying for goods: the customer enters the payment order via a third-party app, and the payment is then made from the customer's bank account.
Who will supervise these entities?
PSD2 stipulates that these entities fall under the supervision of the competent national authorities. In Slovakia, the National Bank of Slovakia (NBS) is such an authority. To maintain security, before granting any TPP organization access to its API interfaces, Tatra banka will verify the organization's license and certificate against the NBS list and only then allow access.
What should be the main benefit for a customer?
The purpose of PSD2 is to increase the level of security and to enhance customer trust in entities providing payment services, which are not banks. These institutions must guarantee the same level of security and protection of customer data as that provided by banks to their customers.
Is Tatra banka preparing an aggregated (multi-banking) solution?
Ordinary customers do not use APIs or aggregated services directly. They are more interested in their own goals and options and in how the bank can help them achieve these. They want to keep track of their balances, enter payments conveniently and manage their finances efficiently. Therefore, for a long time, Tatra banka has offered digital instruments facilitating fast access to balances, and functionalities like Spending ReportTB, an overview of Assets and liabilities, or Goals. The high standard of these services has been confirmed by awards from a number of prestigious Slovak and foreign institutions. Tatra banka is also working on a solution that will consolidate information and services from several banks and display them for a customer on one screen.
What will be the fees for these services?
Tatra banka will charge customers no new fees in relation to this change. Payments entered via third-party apps will be charged like payments entered via electronic banking. However, please note that any charges concerning third-party apps are outside the administration of Tatra banka.
Do third parties represent a threat or an opportunity for the bank?
The services of third parties, payment institutions or fintechs are already available to EU customers today. These service providers lack uniform legislative regulations and technical standards. By combining the ideas and experience of third parties with the trust and stability of Tatra banka, we aim to achieve higher customer satisfaction. As part of the Raiffeisen Bank International (RBI) since the summer of 2017 we have cooperated in the Elevator Lab acceleration program, which involves more than 300 fintechs (https://www.elevator-lab.com). Tatra banka will soon intensify its cooperation with third parties involved in a similar concept.
Will the use of an API solution be secure?
Tatra banka has developed an advanced and secure OpenBankingTB interface and has modified its systems to fulfil the legislative requirements for making customers’ accounts available to third parties. If customers want, they can conveniently use third-party apps. Customers’ login data are protected, because they are entered only in the banking environment. A payment entered via a third party is likewise authorized by the customer at the bank's portal. When providing account information, the customer can preselect the accounts to which a third party will have access. This means that third parties will only have access to bank accounts with the customer's consent.
The PSD2 Directive defines how a third party may handle the information obtained about a customer's account. However, how the third party uses the information provided is beyond the bank's reach. Customers can at any time withdraw their consent via Internet BankingTB, DIALOG Live or at a branch.
What is two-factor authentication?
It is used to confirm a user's identity. Customers know it for example from ATM withdrawals when they use a card “something I have” and a PIN code “something I know”.
When a customer uses online services of third parties that concern Tatra banka, the third party verifies the customer's identity according to its own rules and system capabilities. From the third-party app, customers are automatically redirected to the bank's authorization portal. There they enter the login data they currently use to log in to Internet BankingTB. Then the customer authorizes access to a selected account or confirms a payment by a code from the ČítačkaTB mobile app or via the Card and ReaderTB.
Where will it be possible to complain about the services?
Third parties will be ready to handle complaints regarding their services. If a customer's money has been transferred without consent because a third party initiated an unauthorized transaction, it will be possible to contact the customer's bank directly.
Can a customer provide its login data to Internet BankingTB to a third party?
Tatra banka has developed its solutions so that customers can conveniently use the services of these institutions while ensuring the highest security standards. For safety reasons, customers should enter their login data solely in the secured environment of Tatra banka, where a payment entered via a third party is also authorized. When account information services are provided, customers will have the option to assign in advance the accounts to which a third party will have access.
What is the preparation phase in Tatra banka?
For us, the priority is to meet customers’ expectations and to have a secure solution. We have worked intensively on a high interface standard compliant with both legislative and internal standards. Tatra banka is prepared to fulfil the legislative requirements as of January 13, 2018. We will provide more information about our OpenBankingTB solution soon.
Zuzana Žiaranová, Spokesperson
0903 641 846