Does the U.S. Need Its Own Version of PSD2?

In January 2018, the Revised Payment Services Directive (PSD2) takes effect in the European Union, requiring banks there to open their payment infrastructure and data to third parties. The consumer-focused initiative is intended to give individuals control over their financial data while simplifying the payments ecosystem. Belgium, Germany and Italy have had a common protocol for providing third-party access to account information since the 1990s, and Australia is considering measures similar to the EU’s PSD2 initiative, according to a report from McKinsey & Co. With so much momentum behind the concept of open banking, should the United States explore a similar uniform data sharing policy?

Currently, the U.S. sees data sharing between banks and third parties take place through a patchwork of one-off deals. Often, agreements are struck between a financial institution and an intermediary that aggregates data from several institutions and provides that information to third parties, such as personal financial management apps, lending platforms or other consumer-facing service providers. These types of agreements do little to further a holistic national agenda of financial innovation and inclusion.

Many stakeholders—banks and technology companies alike—believe that these one-off data sharing agreements are not enough. For banks, current methods used by technology companies to gather data from their systems can result in security breaches, and carry the potential for brand or reputational risks. These issues illustrate the need for a uniform protocol that addresses both the technical aspects of connecting with third parties and the liability issues that can arise in cases of consumer financial loss.

What’s more, while the demands of secure API implementation are huge expenditures for a financial institution, the shift to open banking can also lead to new opportunities. (An application program interface, or API, controls interactions between software and systems.) As an example, PSD2 requires that banks provide access to data, but it does not prohibit an institution from monetizing its data in ways that go beyond the statute. Banks can capitalize on this mandate by providing more detailed data than is required by PSD2, or by providing insights to accompany the raw data for a fee. In addition, the development of API expertise will move institutions closer to offering many different financial services through a digital platform. Leveraging APIs can allow institutions to efficiently provide advice and services that customers demand today. (For more on this, read “The API Effect” in the May 2017 issue of Bank Director digital magazine.)

For technology companies that require access to bank data to operate, open APIs offer more reliable, accessible data. Without a direct line to bank data, technology companies must often resort to “screen scraping” to gather needed information. This technique requires a bank customer to provide log-in credentials to the third party. Those credentials are then used to collect account information. This method is much less secure for banks than controlling an API interface would be, and it’s a lot less smooth for bank customers that want to provide the technology company with access to their data.

Also, the process of entering into data-sharing agreements with multiple financial institutions is a daunting task for even the most sophisticated technology companies. Connectivity requirements vary from bank to bank, as do security protocols. Add to that a significant price tag for each deal, and the task of building a customer’s financial profile across multiple institutions is a significant barrier to entry that prevents the delivery of innovative financial services to consumers.

While the U.S. has been slow to act on open banking initiatives, there have been some signs of life. In October of 2017, the Consumer Financial Protection Bureau released its principles on data sharing and aggregation and confirmed its view that individuals, not the companies they work with, own their financial data. While this is only guidance coming from an embattled regulator, it hints at American interest in the open banking movement.

“Innovation, enhanced security and the drive for greater competition are the golden triptychs at the heart of PSD2,” wrote Alisdair Faulkner of the digital identity company ThreatMetrix, based in San Jose, California, in August 2017. Those would seem to be values that every government should strive to uphold, and with benefits for both incumbents and new technologies, perhaps exploration of a PSD2-like initiative can take hold in the U.S.