3 of the most common mistakes banks make when it comes to PSD2

August 23, 2019 | Louise Basse

With just a few weeks to the final PSD2 deadline in September, the clock is ticking away faster than ever.

As banks and third parties are looking to build user-driven services that people love, banks are in a race against time to improve the quality of their dedicated interfaces.

Because our developer teams have spent hundreds of hours testing the banks’ production APIs, it has become clear that banks make some severe errors when implementing EBA’s regulatory technical standards (RTS).

To give the Open Banking project a better chance of succeeding, we’ve created a full list of the most common mistakes and sent it out in personalised letters to major banks across the Nordics.

Curious? In this edition of the series “PSD2 and beyond”, you can check out 3 of the biggest misconceptions and mistakes that make banks fail to comply.


1. Banks are not allowed to ask for consent in their SCA flow

Short for Strong Customer Authentication, SCA is all about creating a strong and secure authentication flow for the end-users.

But as we’ve tested the banks’ dedicated interfaces and SCA flows during the last months, we’ve discovered that many banks use their SCA flow to ask for a separate consent given by the end-user to the bank.

In some cases, we’ve also seen that banks even use the flow as an additional check on the consent which is given by the end-users to the AISP or PISP.

And what’s wrong with that?

First of all, it increases friction, as the third party provider has to get the consent anyway. Therefore, the end-user is being dragged on a long journey in which he or she has to accept multiple consents from different parties.

Secondly, we’ve discovered that banks use the consent to ask users to narrow down the number of accounts available. As third party providers are required to present this as well, there is a big chance that the same information is presented multiple times. Ultimately, this will create an obstacle for the AISP or PISP.

But as it's stated in EBA’s regulatory technical standards, banks must ensure that the interface does not create an obstacle for AISPs and PISPs to offer their services. Such an obstacle is described as “requiring additional checks of the consent given by payment service users to providers of payment initiation and account information services” (RTS Article 32 (3)).


2. Dedicated interface does not expose the same amount of information as other interfaces

Although the main goal of PSD2 is to create more transparency and competition in the financial industry, we’ve discovered that a lot of the banks’ dedicated interfaces do not provide the same level of information as is exposed through the bank’s consumer-facing interfaces.

Put simply, it’s a huge issue for AISPs and TPPs that want to innovate on top of transaction data to the benefit of their customers if they can’t access the same amount of data as banks make available to their own customers.

More importantly, such a practice is not compliant with the EBA's regulatory technical standards, as it is stated in RTS Article 36 (1) that AISPs should have access to the same data as the bank’s customers are presented with through web, tablet or app interfaces combined.

To solve the problem, banks must make sure to provide the same amount of information that they offer their own customers through all their channels combined.


3. Sandbox interface does not allow for testing production functionality

Last but not least, we’ve struggled with the fact that some banks do not make a testing facility available that enables the AISP and PISP to test their software and applications before using the production API.

And why is that important?

Well, it’s the only way that AISPs and PISPs are able to test their software and applications.

Put simply, third party providers don’t have a chance of testing the functionality of the connection if the sandbox interface doesn’t allow for testing production functionality.

With these remarks, we hope that banks become more aware of the severe compliance issues we’re still experiencing just weeks ahead of the final PSD2 deadline.