On September 14, the PSD2 comes into force. What fintechs need to know about the new payment services policy in order to benefit sustainably.
Was it the supremacy of the banks?
In September 2019, a new era in the banking business begins: The second Payment Service Directive, PSD2 for short , comes into force and thus sets in motion a revolution in electronic payments. The new Payment Services Directive, adopted by the European Union in 2015, will require banks in EU countries to provide third-party access to their customer accounts via an API interface as of 14 September this year. At the same time, strong authentications should additionally secure payment transactions.
The profiteers? The customers and fintechs. While the former can look forward to new services in online banking, start-ups with technological solutions for banking benefit above all from greater transparency, greater competition and low entry barriers. What Fintechs must pay attention to despite the new possibilities.
The new rules in payments – and how fintechs have to react
While banks have so far responded only modestly to the PSD2, fintechs benefit from the new regulation. Christian Seegebarth, expert for the new guideline at Bundesdruckerei, says: “The larger players have already accessed account information – through screen scraping, the reading out of customer information on the bank’s website. If you change the website of the financial institution just programmed after. The interface makes screen scraping obsolete – it gives companies the chance to offer their services without much effort. In order for third-party vendors to take advantage of this opportunity, they must be made aware of the PSD2 itself as well as the technical requirements of the directive. ”
Because: New providers of online payment services that want to use the bank interface, need access. The necessary license is awarded by the German Federal Financial Supervisory Authority (BaFin) – but attention: The application can take three to four months to complete. Fintechs should therefore seek to obtain the license sooner rather than later. This requires both payment initiation service providers (ZAD) – providers who access bank accounts to make transfers – and account information service providers (KIDs) – providers that only require information about account information – to meet certain requirements:
- the binding legal form “legal entity” or “partnership”
- a professional liability or similar guarantee
- a security strategy to protect users
- Descriptions on how to fix and prevent security incidents and customer complaints about security and how to continue the business in the event of a crisis
Once the BaFin license has been granted, payment services require qualified certificates, known as QWACs, to identify themselves to the bank as license holders and to access the API. Fintechs receive these certificates from qualified trust service providers such as D-TRUST GmbH, a subsidiary of Bundesdruckerei and the only German provider with QWAC issuing authority . In addition, some banks also require the additional use of a QSiegel, which protects signed data from changes and therefore allows payments to be traced back years later.
Why fintechs already need action
Even though the BaFin license has not yet been granted, fintechs should already take action now. The PSD2 will require a test phase for banks from mid-March, allowing third-party vendors to check the open interfaces. This allows companies to control the compatibility of their own system and the interface and to optimize it if necessary. An opportunity that fintechs should definitely take advantage of, because: The interfaces vary from bank to bank, which makes a test absolutely necessary. For this check, third parties can apply for free test certificates even without a BaFin license.
Starting in mid-June, a three-month market test for the banks will begin on the production system, meaning that third-party vendors will be able to use real customer information for the first time as a test. The necessary genuine certificates will be made available by Bundesdruckerei in May 2019 before Open Banking actually starts in September 2019.
Here, good preparation opens up many possibilities. While the big financial institutions have already set up the necessary interfaces, fintechs should definitely use the statutory test phase and seek the appropriate licenses and certificates. This is the only way to work smoothly with the banks.