European banks struggling with complexity of API implementation

European banks’ inability to get up to speed with technical standards under the second Payment Services Directive (PSD2) underlines the complexities of rewriting a bank’s existing technology infrastructure, according to API providers.

“Creating a completely new technology environment for third parties is new territory for banks,” said Tomas Prochazka, vice president at Tink. “It’s like being asked to build a bridge without ever having seen one. The banks know what the connections are supposed to do, but they’ve never seen a dedicated interface in real life, nor let anyone else into their environments before.”

“It has been a challenging process. Some banks have explicitly said they will not be ready, and that third-party providers (TPPs) will be able to use a fallback mechanism to continue accessing their data.”

Tink conducted a survey of 117 APIs representing 2,500 banks across 12 European markets. It found none of the APIs were totally PSD2 compliant, whilst only 15 percent met the requirements for an access interface. 23 percent supported basic functions, while 26 percent of bank APIs were unavailable or undeveloped.

Under PSD2, account providers which rely on a dedicated API interface are generally required to put in place a contingency mechanism to provide fall-back access in the event that the dedicated interface fails.

European Commission directive 2018/389 set out an exemption from these rules could be applied for by account service providers if they operate with an external dedicated interface and a testing facility for authorised TPPs to sandbox their systems.

“APIs are extremely fragmented in the market,” says Todd Clyde, CEO of Token. “There are three different standards, there are multiple proprietary formats. That’s why companies like ours exist, to simplify things. But often it’s like opening a Russian doll. You can hit a problem at one door, make it through and then find yourself at another problem.

“There is huge variation across the industry, in both documentation and sandboxes. There are also very significant differences in support. Some banks won’t even respond and others will be tremendous.”

According to Prochazka, banks and TPPs across the market are working together to ensure that the technology environment mandated by PSD2 is one that can be implemented as quickly as possible.

“We are seeing a number of banks being open to feedback and we are in direct contact with them every day. Although banks were supposed to give TPPs enough time to test sandboxes and switch to production APIs by June 14 – we are now working together every day to make it work. We are now trusting regulators to do their part.”

The Tink vice president believes that it will be take a minimum of six months “even for the best-in-class bank APIs” to get to a point where a TPP could build a business-critical function. For the average bank, Tink predicts it may take 12-18 months.

Token’s Clyde believes that 50 percent of banks won’t be live in time for the production deadline. “But why would we expect anything different? This is following on from what happened in the UK. The CMA9 banks had their deadline January last year. Half of them missed it and didn’t go live for three months. The APIs were unstable for 12 months. Why wouldn’t we expect Europe to follow the same pattern?

“What happened in the UK will happen in Europe. Banks will at first see it as a bare minimum to comply and not consider customer experience. Yet in the UK every bank for the last six months has been looking into how to get on the front foot and go beyond compliance to improve customer experience.”

He adds that Token was receiving requests from banks from March 2019 through to the end of August asking for aid in the creation of compliant API infrastructure. “It’s far too to build out your own APIs, banks need to find a third-party off-the-shelf solution to get them live as quickly as possible.”

Related reading