In an article titled “PSD2 deadline extension signals ‘lack of preparedness’ among banks,” the Verdict has found banks guilty of dragging their feet:
“The 14th of September was supposed to be the day that the last part of the Payment Services Directive, or PSD2, was rolled out across the EU.
However, the deadline came and went and the directive has yet to come into force, as the UK pushed back the deadline for compliance by 18 months in order to give banks more time to prepare.
In the works since 2015, the directive is set to have a significant impact on the world of banking and fintech, with open banking paving the way for more innovative financial services. However, the benefits it offers to consumers may not be realised if financial institutions are slow to act.”
While large U.S. banks are certainly not known for their agility, they have moved relatively quickly to deploy APIs to their large corporate customers. They are able to do this because they don’t need to adhere to standards that are incomplete, nor do they need to rely on others to properly vet those who will access the released APIs.
In the U.S., the bank does it all. In the E.U., the European Banking Authority (EBA) sets the standards, and there is an entire organization being built from the bottom up to determine what companies will have access to the open APIs that banks release. Personally I don’t believe for a second that the E.U. will take the blame should an authorized entity commit a crime—they’ll find a way to blame the bank.
Then there is Strong Customer Authentication. Certainly banks should have already implemented this to protect bank accounts, but when that implementation also needs to be extended out to cardholders making purchases online, the complexities mount. The EBA only recently stated that EMV 3D Secure, the networks' approach to securing eCommerce, does not meet the SCA threshold. Expecting that to be resolved quickly is unreasonable.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group