The European Banking Authority has released the final draft of its Regulatory Technical Standards on authentication and secure communication for PSD2. In follow up to my original blog, I’m back with my analysis of the affect their final guidance may have on the consumer experience.
As expected, PSD2 will allow consumers to view and conduct transactions using their bank accounts via Third-Party Provider (TPP) web sites and applications. However, the flow for these types of interactions will be relatively complex.
- Upon a first visit to the TPP site, the consumer must request authentication from their bank.
- The consumer will authenticate with their bank using the bank’s normal mechanism.
- How this must happen has not been mandated in the standard, but it implies something like a redirect that uses the OAuth 2.0 protocol (think Facebook Connect).
- The TPP can then query the account for the consumer’s history and balances and can conduct the consumer’s business.
- Every 90 days the consumer will have to repeat the process of authenticating with their bank to keep the third-party access available.
This alone makes using TPP services less than seamless for consumers. But there are other potential challenges that may be a greater barrier to adoption.
In spite of open APIs, banks still call the shots
PSD2 mandates that an open API’s messaging protocols must be based on an ISO standard. However, protocols for the other elements of an open API have not been set. APIs specify how software components should interact, so this internal “openness” means that each bank’s software may communicate using a different “dialect”. As a result, a TPP may have to go through the costly and time-consuming process of integrating separately with each bank.
And with each new integration may come a different authentication process. If the bank’s process is too cumbersome, with lots of steps and/or time delays, consumers may only be willing to ask for authorization once, if at all.
To make things even more difficult for consumers, banks can also decide to take a prejudicial stance toward transactions that come via TPPs. For example, certain bank services may be unavailable to a customer who does a “pass-through” transaction, or a payment that comes via a TPP may be flagged as higher risk.
So the real question is, will PSD2 final guidance be enough to disrupt the European banking market? I say the jury is still out. Banks will implement the PSD2 standard (because they have to but there is a lot of room for them to make the cost of doing business too high for a new entrant and too inconvenient for consumers.