New FCA rules to spark ‘intense payments change’

by Scott Thompson, freelance journalist and contributor to PaymentEye

UK banks will now be forced to publish complaints and security breach data as part of a move to shake up the sector. This forms part of the Financial Conduct Authority’s (FCA) final rules, requiring providers of personal and business current accounts to release information to help customers compare the service they could receive from different providers.

Regulators have for some time now been looking to address the low numbers of customers who switch banks in the UK’s £16 billion personal and small business account market. A 2-year inquiry by the Competition and Markets Authority (CMA), concluded in 2016, found that just 3% of Brits switched current accounts in the preceding 12 months and that 57% had been with the same bank for more than a decade.

The FCA move has sparked a range of talking points. The payments industry is now entering a period of intense structural change, according to Sarah Armstrong-Smith, Head Continuity & Resilience at Fujitsu UK & Ireland.

“With the number of threats continuing to increase exponentially, customer trust has never been so valuable or hard to come by and as such, it has never been more important for banks to be open and honest about their security. It is paramount that the industry does not overlook, or get complacent about security or place it in the ‘too big to fix’ category, and instead takes a proactive approach,” she says.

The focus on security threats and breaches arising from the mandatory adoption of Open Banking APIs could also have very significant strategic implications for the four-party card scheme model in payments, argues Paul Rohan, Advisory Board Member, Priviti and author of Open Banking Strategy Formation.

“There are millions of merchants in Europe that accept customer credentials for payments in the form of cards. It is completely impractical for regulators to monitor the effectiveness of these millions of merchants in securing these card-based credentials,” he says.

“When we look at the numbers of banks that hold customer credentials for bank-to-bank payments, we see 122 eurozone banks under a Single Supervisory Mechanism because they hold 80% of the eurozone loan assets (which means they probably have about 80% of the payment accounts). Regulators that are tasked with ensuring that hundreds of millions of European citizens can carry out their digital business securely probably want to supervise a manageable number of banks rather than millions of merchants.

“This regulatory logic could become global rather than just European. If so, the implications for FinTech and the wider banking market are far more significant than a FinTech complaining about a bank having unreliable APIs from time-to-time (i.e. the four-party cards scheme model could be facing an existential risk).”

Meanwhile, Winston Bond, Technical Director EMEA at Arxan Technologies, flags that banks will have to publish data for the number of ‘major operational or security incidents’. The numbers will be broken out separately for telephone, internet and mobile banking, but there is no distinction between a security problem and an operational problem, he observes. A hack on a mobile app counts the same as someone unplugging the mainframe.

“One of the concerns raised (and ignored) in the FCA’s consultation was that publishing this data would direct hackers to the banks with the weakest security. Perhaps it will, but the FCA’s open approach is commendable. Arxan sees a huge range of attitudes towards mobile app security and we hope that openness will push every bank to be as security-conscious as the best-in-class already are,” says Bond.

“Mobile banking security is particularly important to new entrants trying to gain the public’s trust. Many of them already take app security very seriously, but putting security into the standardised comparison data will inevitably move it even higher up the to-do list for the management team. It’s no longer a back-of-mind concern that a headline might hurt their developing brand one day. The data will be out there.”

The impact of PSD2

All roads here lead to the forthcoming PSD2 directive and Open Banking initiative. It has been a long, long road to PSD2 (it was approved in November 2015 by the Council of the European Union), but it will finally come into force in January 2018 and is set to drive significant change. It could, for instance, enable consumer platforms such as Facebook to become their own payments processor and connect to the bank accounts of billions of users directly through APIs. PSD2 is also likely to help Europe’s booming FinTech sector and deliver more user-friendly payment services through digital integration.

“The greatest minds in FinTech and banking are working together to build great products. But with PSD2, this mission is being proliferated, faster than ever before, because the responsibility of financial innovation is being pushed all the way down the chain, from the conventional banker in a suit, to independent tech people in flip-flops,” says Lav Odorovic, CEO and co-founder of German challenger bank Penta, which has just officially launched a new digital bank account for startups and SMEs in its home market.

“The beauty of FinTech is that money is part of everyone’s life. Everyone can relate to spending money and problems with banking. With PSD2, banking data via APIs will be (and are slowly) open to everyone to take advantage of and innovate with. Just a few years ago, if you wanted to build an innovative financial product you’d have to be a banker. Today, anyone can change banking. And that’s the biggest advantage, because non-bankers look at the world differently. They fundamentally think differently than bankers – because they are different.”

So, how will customers benefit? “When the Apple Store came out in 2008, Apple had no idea where it was going. But it gave developers the ability to be creative. The result? SnapChat, Twitter and Uber, and the beginning of mobile banking. What will the future of PSD2 hold? We have no idea. And that’s the beauty of PSD2 because it allows teams and developers to be the pioneers in financial innovation just as the App Store enabled people to build multi-billion dollar businesses that make our lives so much easier today. However, we do know banking products will be commoditised; providing more options, less friction, at lower costs,” says Odorovic.

Just as mobile phone operating systems and use-cases (apps) shifted from a few big telco players to millions of developers worldwide, financial service innovation will shift from legacy banks to new entrants, Odorovic believes.

“The developer community will be able to leverage existing infrastructure and data via PSD2 in order to help spread ideas and the message that there’s a better way to bank to more Europeans at an increased rate, including those that are unbanked and unbankable.”

API banking is coming, slowly but surely. “Banks will have to offer great, cost-efficient solutions that will compete for customers across Europe since their lock-in effect will fade away. The winners will be those that recognise the benefits of enabling the developer and innovation community to get creative. Those that recognise this and put a massive focus on this, will win. Others will slowly suffer the fate of BlackBerry,” he concludes.

Related reading