Are poor quality banking APIs threatening open banking’s success? The Swedish open banking platform Tink seems to think so. On 21 August 2019, Tink published its open letter to the European National Competent Authorities (NCAs) pleading for flexibility around the implementation deadline for the Regulatory Technical Standard (RTS) on “strong customer authentication and common and secure open standards of communication, which emanates from and supplements the second Payment Services Directive (PSD2)”.
We are now just weeks away from this final regulatory deadline for PSD2 of 14 September, yet Tink has compiled compelling evidence that the technology required by the RTS – a series of APIs that allow customers to give third party providers secure access to their bank accounts to retrieve financial information and make payments – is not ready. As such, Tink believes that financial institutions and these third party providers are heading towards a “cliff-edge scenario” where services will be migrated from the current method of using a customer’s bank login details (screen-scraping), which is banned under the RTS, to sub-standard APIs – with millions of banking customers suffering the consequences.
The migration to non-PSD2-compliant APIs could result in issues with the reliability of services that customers have become accustomed to using, clunky authentication processes and ultimately, a fall in the number of banking customers using what should be new and exciting services.
In the open letter, Tink praises the flexibility being shown by NCAs in the UK, France and Germany and urges other European NCAs to follow suit. NCAs in the UK, France and Germany have announced that banks will be given more time to establish a ‘safety net’ or contingency mechanism for their APIs, and third party providers will be permitted to continue using the existing customer interfaces via screen scraping until the contingency mechanism is in place rather than relying on the PSD2 APIs. Tink wants other NCAs to follow suit and to guarantee flexibility around the RTS implementation deadline in order to avoid a “cliff-edge scenario”. It also asks for NCAs to work closely with third party providers and financial institutions in order to address issues with PSD2 APIs, whilst ensuring continuity in existing services offered by third party providers.
On 14 June all banks were required to publish their APIs. Despite this deadline, only two thirds of banks did so. Tink carried out an analysis of PSD2 APIs across 12 markets (Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Norway, Portugal, Spain and Sweden). It found that none of the 84 APIs tested currently meet the regulatory requirements for integration, with these APIs covering 90% of the population in the 12 markets tested. Tink’s evaluation found that just 15% of the APIs tested met the technical specifications set out by PSD2 for a dedicated interface. However, while the technical basics had been met, the quality, performance and user experience of the APIs fell short of compliance. In addition, 36% of the APIs tested had serious technical issues and 26% were completely unavailable.
With just a couple of weeks to go until the 14 September deadline, time is of the essence for European NCAs to recognise the current state of banking APIs, to give financial institutions the time to bring the APIs up to the required standard, and to implement safety nets in order to avoid the progress of open banking being jeopardised.
The fantastic opportunity we have in front of us is in danger. Failing on PSD2 will jeopardise the level playing field that it was designed to create. Most importantly, it will remove from consumers the choice and great customer experiences they have enjoyed.