What Does Open Banking / PSD2 Mean to Banks?

What Does Open Banking / PSD2 Mean to Banks?

Many banks have been toying with Open Banking for a number of years now as a way to improve the customer experience, however, they are generally trying to do this only for their own customers. As a concept, this is almost diametrically opposed to what Open Banking is supposed to offer, however, now that the EU has provided the stick that is PSD2 (Payment Services Directive 2), the banks must open up their data to authorized individuals. In this blog we will discuss the issues for the banks and how they might eventually deal with them.

Security and Culpability

This is potentially one of the things that keeps most bankers awake at night. The potential is there for someone to compromise their security and thus steal many millions of euro from customer accounts or simply even customer data with GDPR (General Data Protection Regulation) on the horizon. In the past, only the bank and its own internal applications and some select external partners could access the data. This enabled them to ensure a belt and braces attitude to security and avoid any potential breaches. Most have now moved to include behavioural monitoring to determine if unexpected behaviour is seen on an account. As they open up access to their data, monitoring this will become even harder as determining what is ‘unexpected behaviour’ on an account will be even more difficult as Third Party Providers (TPPs) will find new and unusual ways to use the data to which they have been given access. This is a major challenge for the banks at the moment.

ost open bank app 02

Legacy Systems

All of the legacy banks (as against the new entrants to the market today) will have 40 years or more of legacy systems managing their accounts and payments systems. While these systems have run successfully to date, the concept of opening those systems up to potentially unlimited users raises a number of problems:

  • Some of the legacy technologies do not adapt well to the open banking paradigm which by their nature use technologies and standards that have only appeared in the last number of years.
  • How does one plan from a capacity perspective given that up until now, the bank knew more or less how many users of their systems would appear at one time?

While these are not insurmountable issues for the banks, the second issue above is totally new territory and thus perhaps causes most concern.

On Boarding TPPs and Access to Test Environments

Once a Third Party Provider (TPP) is approved by the local regulatory authority where they wish to operate, banks have to make their systems and services available. This can cause issues with on boarding of such TPPs because even though they have been approved by the regulator, it does not certify technical competence and that they will use the APIs correctly.

A second issue is the sharing of a testing environment. This means that any TPP that causes issues with the test system will potentially have an impact on all TPPs using that system. As the numbers of TPPs accessing the system grows, the potential for problems grows exponentially.

Finally shared systems also mean that data is shared which may represent issues around GDPR. If a TPP is testing with some sensitive data, this could potentially be seen by other TPPs using the system.

These issues can be addressed by the banks using standalone on boarding and testing environments for each TPP with a final conformance test being run against the real test system. As the ‘real’ test system is expensive in terms of hardware, licensing and management, it is not practical to stand up a real test system for each TPP. This is the reason many banks are turning to using simulated testing environments which are fully conformant with the API standards but can be made available in minutes in the cloud. This means that TPPs can develop and test in their own sandbox environments thus ensuring that when they cause a problem, they only impact themselves and ensuring that any data they use in the sandbox is only available to their developers.


The culture of each bank will determine how the banks deals with this new world. Many banks do not have a culture of sharing their data in this way as the data they have on their customers is intrinsically valuable to them and see the sharing of this data as a threat. Others see this as an opportunity to set up a new eco system that developers and TPPs will want to work with which, in turn, will lead to new revenue streams and potentially new customers. While some banks will see opportunity in partnering with those in the world of Fintech, others will see Fintech companies has potential competition.

Where banks are seeing PSD2 and Open Banking as a threat, their spending is likely to be restricted as they see this purely as conformance issue. Where banks are seeing this as an opportunity, there is a constant battle for budget as it’s difficult if not impossible to quantify what may be gained and thus show how a Return On Investment (ROI) will be made. Banks like all businesses need to show a ROI so this battle is likely to rage for the foreseeable future.

How will things progress from here?

The bottom line is that banks must comply with the PSD2 regulation and so this is going to happen. It seems that many banks are struggling to comply with the standards being published (where there are standards such as in the UK) while others are struggling to implement their own. It is also likely that as happened with the Single Euro Payments Area (SEPA) initiative, dates for compliance may be pushed back as we go forward. There is no doubt that some banks have embraced this and are leading the charge which, in turn, will force banks who see this as a threat to try to catch up. Once the first phase of services are made available based on PSD2 and the various issues outlined in this blog have been addressed, it’s likely that Open Banking will then come into its own and we will see consumers benefit from that.

In the next of these blogs, we will discuss Developer Ecosystems and Portals being made available by the banks.