Open banking not only for banks. PSD2 on the home stretch
The PSD2 directive, which opens up the financial market to non-banking entities (TPP), is entering its implementation phase. From March 2019, banks are obliged to make their interfaces available for testing and will open them in accordance with the applicable Regulatory Technical Standards (RTS) by September this year at the latest. Communication between the bank and third parties requires a suitable interface and appropriate protection. There are two special, qualified certificates for PSD2. On the Polish market, both types of certificates are offered only by KIR (National Clearing House), which also provides a solution facilitating the implementation of PSD2: HUB PSD2.
The new regulations open up the financial market to so-called Third Party Providers (TPP). Fintechs and companies whose main activity is not based on financial services, such as Facebook or Google, will be admitted to areas previously reserved exclusively for banks. Thanks to PSD2, third parties will be able, with the customer’s consent, to obtain the customer’s bank account details, e.g. to have an insight into the transaction history. They will also be given the opportunity to initiate payments from the customer’s account with his/her prior consent. Importantly, in order for a TPP to be able to order a payment transaction at the customer's bank, the TPP does not have to have a signed contract with the bank in question.
The European Directive entered into force in January 2018 and has been implemented into Polish law. The turning point in the implementation of the new regulations will be September 2019. Experts working on the Polish model of open banking (Polish API) unanimously emphasize that maintaining a high level of security is crucial in the implementation of the new regulations. The Directive limits the liability of customers for unauthorized transactions, mainly by transferring it to the service provider.
- In order to enable effective communication, banks are obliged to provide an appropriately secured interface, says Elżbieta Włodarczyk, Director of Electronic Signature Business Line at KIR. According to the Polish API, ensuring the confidentiality of communication and authentication of communicating parties requires the use of appropriate qualified certificates, adds Elżbieta Włodarczyk.
Qualified certificates are issued in accordance with the rules set out in the eIDAS Regulation. The Regulation introduces three types of certificates. In the context of PSD2, two of them are used: a qualified certificate for website authentication and a qualified certificate for electronic seal. The entity authorized to issue them in Poland is KIR, which has the status of a qualified trust service provider.
- A qualified certificate for website security is used to establish a secure TLS channel which will guarantee data confidentiality, says Elżbieta Włodarczyk. - In addition, each inquiry sent to the bank and its response within this secured channel is provided with a qualified electronic seal, verified with a qualified certificate. Importantly, a qualified certificate for PSD2 contains special data identifying a specific entity in the context of PSD2.
The certificates may be applied for by any entity which has received from the Polish Financial Supervision Authority an authorization to provide services under PSD2. The roles that the company will play in the context of the EU directive will be included in the certificate. The certificates are valid for 1 to 2 years. The validity of a certificate can be checked against the CRLs published on the KIR website or by using the free OCSP service also made available by KIR.
Security is the keyword that appears in the discussion about PSD2 and open banking. Another important aspect is innovation and modernity in payment services, which the directive aims to strengthen. In this field, the situation of Polish banks is unique, as the payment sector in Poland is one of the most modern and technologically advanced in Europe.
On the one hand, the banks themselves often play the role of Fintechs and provide their customers with innovative payment services; on the other hand, they guarantee a high level of security, which is particularly important for Polish consumers. As many as 43% of them declare that they would not feel comfortable if they had to share their account details with external entities. According to the same survey, nearly 30% of banks believe that new EU law may be an opportunity for them, and 43% of them have a neutral attitude towards it. It may turn out that high-tech banks will be among the key beneficiaries of the changes brought about by the PSD2 directive.