PSD2: Experts Call For Nuance In Authentication Debate

European payments experts have suggested that banks building application programming interfaces (APIs) should consider creating a better authentication process than that provided by their customer-facing offerings, to ensure market uptake and regulatory approval.

Under regulatory technical standards that take effect in September 2019 and accompany the revised Payment Services Directive (PSD2), banks can avoid offering a “fallback” account access mechanism to third-party providers — but only if their primary access interface is given the green light by their national regulator.

One of the most contentious aspects around whether an API should be approved is the authentication process for a user of a third-party provider (TPP). The dominant model, where the payer is redirected to their bank’s site, is widely viewed by fintechs as an obstacle to their operations.

Speaking at Tuesday’s PaymentsCompliance PSD2 Summit in London, banking and payments expert Gijs Boudewijn said that issue has long been divisive within a cross-industry working group established earlier this year by the European Commission.

“One of the things in these discussions in the API Evaluation Group, in the redirect context, was what is the benchmark against which you can say something is an obstacle,” said Boudewijn, who is deputy general manager of the Dutch Payments Association and a committee chairperson at the European Banking Federation.

“For the banks, the benchmark was a good customer journey, so the one thing they were expected to deliver was as good a journey as they provide today to their customers.

“The TPPs, on the other hand, said that’s not what they meant. They said they can deliver a way better customer journey, so what banks already provide is not the benchmark.”

If any feature or attribute of an API is deemed to be an obstacle, the regulatory technical standards demand that the API cannot be approved and the fallback mechanism must be made available.

Examples given in the text state that redirection “may” be an obstacle, and June’s draft guidelines from the European Banking Authority (EBA) said an authentication journey that “directly or indirectly” dissuades customers from using TPPs would mean no exemption is granted.

Scott McInnes, a partner at Bird & Bird, explained that from a legal standpoint that effectively means the national regulator’s decision depends on how redirection is implemented by the individual financial institution.

“Essentially it’s a case-by-case assessment as to whether or not a particular form of redirect to the banking environment, for the purposes of strong customer authentication, is an obstacle or not,” he said.

Much of the discussion has centred on how the TPP user experience compares to that of a customer interacting directly with their bank, for instance through their online banking web or mobile interface.


Nilixa Devlukia, head of regulatory at the UK’s Open Banking project, said: “If you go through three steps on your online banking in order to make a payment, why would you really need to go through more than three steps on the payment initiation journey?

“It’s that kind of discussion and detail that is helpful for the ecosystem in overcoming some of the very big questions.”

But Devlukia, a former policy expert at the EBA and the UK’s Financial Conduct Authority (FCA), said that in her view a simple comparison between the two offerings may not be the most fruitful approach.

“This is where the conversation has to change, because the legislation says to make it as good as the customer journey,” she said, speaking at the same event.

“But what we all know now, from experience, is that going in via a dedicated interface is totally different. That’s the challenge.

“‘As good as’ is the right starting point as a comparator, but personally I think the conversation has to move towards ‘just making it good’.”

Another emerging issue is that different redirect models actually function in considerably different ways.

Boudewijn said at least one major European retailer had expected the bulk of the checkout process to take place via the TPP, with redirection only encompassing authentication of the payer.

From a fintech’s perspective, that would ideally involve the user being presented with a pre-populated form containing the payee’s account details.

“These are two totally different concepts for what redirect is: a ‘thin’ redirect which is only for the authentication part, and a very ‘thick’ redirect which includes the full payment initiation until it is approved and then sent back to the TPP,” he said.

“These are typical things that are considered totally unacceptable by TPPs, because if that is the case they claim they will never be able to innovate and provide for a better customer journey and customer experience than banks are providing today.”

Open Banking’s Devlukia added that there are further questions as to how a pre-populated form could be produced for a one-time payment journey, where the user has no existing relationship with a payment initiation service provider (PISP).

“There does have to be that granularity,” she said. “If you have a PISP that has an ongoing arrangement with a customer, then the customer journey may well be different because of the contractual arrangements between the customer and the TPP.”