Ensuring seamless consent management is a cornerstone of PSD2 implementation. Here, Oliver Dlugosch, CEO of ndgit, explains how dedicated APIs can help banks reduce complexity and make processes smoother.
PSD2 is driving a myriad of new service opportunities between banks and third-party service providers (TPPs). But before banks can commercially exploit an open financial service ecosystem, they must have robust customer consent mechanisms in place to ensure that access to bank account information, and payments made on their customers’ behalf, are fully compliant.
The customer’s permission must be explicit
Whether it’s a consumer who wants to shop online without a payment card, receive a consolidated view of their bank accounts or use a tool to analyse spending patterns; a financial services firm seeking rapid customer checks; or a small business trying to arrange credit with an alternative provider, the customer must always provide explicit consent.
Consents must meet a range of rules on security, providing scope to cancel initiated transactions, and enabling traceability and the mitigation of fraud risks. The current parameters of a consent include:
The TPP’s identity, i.e. who the customer wishes to share data with
What data they wish to share e.g. payment details
How frequently e.g. monthly
When consent will expire e.g. after 12 months.
What it doesn’t include is disclosure of information relating to the identity of the customer, such as their address, date of birth and social security number. This is because that information is not necessary or requested to initiate a payment or access account details.
Once consent has been granted, consumers can use the account information or payment initiation service of the TPP. The TPP then forwards the request to the respective bank, and the bank verifies that consent has been granted and that it belongs to this customer before releasing data or executing the payment.
The bigger data picture
But PSD2 requirements are only part of the consumer consent story. There are important overlaps with the new General Data Protection Regulation (GDPR), which creates a regulatory framework to protect customers’ personal data and requires that consent to process it is “freely given, specific, informed and unambiguous”.
GDPR also means consumers must have the ability to view, edit, download and delete all personal data (including their consent settings) that is being held on their behalf. This effectively puts banks in the position of data controllers of their customers’ information and makes them responsible for the purposes and the manner in which personal data is processed and shared.
Owning the consent process
While TPPs will likely initiate the process of securing customers’ consent, including consent for their own activities and use of the data once obtained, banks will ultimately remain responsible for confirming, or otherwise separately obtaining, the consent directly with their customers.
That means they must be able to deliver, via online banking, the tools that enable customers to opt-in and give consent for others to access financial data or make authorised payments on their behalf.
In addition, under PSD2, banks must either enable third party access to the data through the same interfaces they use for interacting with customers or alternatively develop a new ‘dedicated interface’ for that purpose.
Removing complexity
It’s clear that managing PSD2- and GDPR-compliant, multi-channel consents and their lifecycles, with a myriad of TPPs, across a vast customer base, is a tremendously challenging process. This is not helped by the fact that banks are complex organisations with many internal services and IT silos.
To succeed, they will require innovative ways to request, record and immutably prove customer consent and to manage the use of customers’ personal data. This includes APIs that can be seamlessly embedded into their own existing, pre-authenticated customer touchpoints, as well as allowing TPPs to easily capture the customer consent via websites and user apps to facilitate their own services.
Getting the best out of APIs
To be sure of success, banks should look for well-documented APIs that:
can capture consent in real-time
generate auditable and immutable consent receipts
connect quickly, seamlessly and securely into existing systems
offer reliable, scalable, flexible and end-user centric platforms
deliver customisable preference centres so customers can easily choose, amend and revoke consent.
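The consent parameters listed earlier (TPP identity, data scope, access frequency, expiry), the bank-side verification step, and the “auditable and immutable consent receipts” above come together in the following added example. It is illustrative code written for this page, not ndgit’s product or any bank’s implementation: the bank issues an HMAC-signed receipt when the customer grants consent, stores the grant, and later checks every TPP request against the receipt’s signature, revocation state, TPP identity, customer ownership, scope, expiry and daily access limit. The signing key, identifiers and dates are constructed sample values; in production the key would live in an HSM or KMS and the store would be durable.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Constructed demo key for the receipt MAC (assumption: one bank-side secret).
RECEIPT_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Consent:
    consent_id: str
    customer_id: str            # the customer (PSU) who granted consent
    tpp_id: str                 # who the customer shares data with
    scopes: list                # what data, e.g. ["accounts", "balances"]
    max_accesses_per_day: int   # how frequently the TPP may call
    expires_at: str             # when consent expires, ISO-8601 with UTC offset


def canonical(obj) -> bytes:
    # Stable JSON encoding so issuer and verifier MAC exactly the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(consent: Consent) -> dict:
    # The receipt is the consent body plus a MAC over its canonical form;
    # any later edit to the body (e.g. adding a scope) invalidates the MAC.
    body = asdict(consent)
    mac = hmac.new(RECEIPT_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"consent": body, "mac": mac}


def verify_receipt(receipt: dict) -> bool:
    expected = hmac.new(RECEIPT_KEY, canonical(receipt["consent"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])


class ConsentService:
    """Bank-side consent store: records grants and decides on TPP requests."""

    def __init__(self):
        self._receipts = {}      # consent_id -> receipt as issued
        self._revoked = set()    # consent ids the customer has withdrawn
        self._access_log = {}    # (consent_id, date) -> accesses that day

    def grant(self, consent: Consent) -> dict:
        receipt = issue_receipt(consent)
        self._receipts[consent.consent_id] = receipt
        return receipt

    def revoke(self, consent_id: str) -> None:
        # Revocation lives in the bank's store, not in the receipt the TPP holds.
        self._revoked.add(consent_id)

    def authorise(self, receipt: dict, tpp_id: str, customer_id: str,
                  scope: str, now: datetime):
        """Return (allowed, reason) for one TPP access request."""
        if not verify_receipt(receipt):
            return False, "receipt tampered or not issued by this bank"
        c = receipt["consent"]
        if c["consent_id"] in self._revoked:
            return False, "consent revoked"
        if c["tpp_id"] != tpp_id:
            return False, "consent was given to a different TPP"
        if c["customer_id"] != customer_id:
            return False, "consent does not belong to this customer"
        if scope not in c["scopes"]:
            return False, "requested scope not covered by consent"
        if now >= datetime.fromisoformat(c["expires_at"]):
            return False, "consent expired"
        key = (c["consent_id"], now.date().isoformat())
        if self._access_log.get(key, 0) >= c["max_accesses_per_day"]:
            return False, "access frequency exceeded"
        self._access_log[key] = self._access_log.get(key, 0) + 1
        return True, "ok"


def demo() -> dict:
    # Walk one consent through the checks with constructed sample values.
    svc = ConsentService()
    consent = Consent("c-1", "psu-42", "tpp-acme", ["accounts", "balances"], 4,
                      "2026-01-01T00:00:00+00:00")
    receipt = svc.grant(consent)
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    out = {
        "ok": svc.authorise(receipt, "tpp-acme", "psu-42", "balances", now),
        "wrong_tpp": svc.authorise(receipt, "tpp-other", "psu-42", "balances", now),
        "wrong_scope": svc.authorise(receipt, "tpp-acme", "psu-42", "transactions", now),
        "expired": svc.authorise(receipt, "tpp-acme", "psu-42", "balances",
                                 now + timedelta(days=400)),
    }
    forged = json.loads(json.dumps(receipt))       # TPP edits its copy
    forged["consent"]["scopes"].append("transactions")
    out["forged"] = svc.authorise(forged, "tpp-acme", "psu-42", "transactions", now)
    for _ in range(3):                              # use up the daily allowance
        svc.authorise(receipt, "tpp-acme", "psu-42", "accounts", now)
    out["rate_limited"] = svc.authorise(receipt, "tpp-acme", "psu-42", "accounts", now)
    svc.revoke("c-1")
    out["revoked"] = svc.authorise(receipt, "tpp-acme", "psu-42", "balances", now)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

Two design points are worth noting. The receipt is only tamper-evident, not a complete authority: revocation and the access counter are decided from the bank’s own records, because a receipt in a TPP’s hands cannot reflect what the customer did after it was issued. And the customer-identity check is deliberately separate from the TPP check, so that a valid receipt presented for the wrong account is refused with a distinct, auditable reason.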
To make the consent process as frictionless as possible, some TPPs will opt to use their own direct consent APIs, which allow users to initiate payments or instructions without visiting a banking channel.
In practice, however, most will prefer a two-part process, whereby the TPP initiates the consumer’s consent using an API granted by the bank, and the bank remains responsible for confirming it directly with the customer. This affords all parties the most protection from fraud. This is where ndgit comes in. ndgit’s API management platform includes well-tested consent management to help banks make the permission process as secure and frictionless as possible.