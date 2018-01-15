Anne Boden

Last Saturday, the revised Payment Services Directive (PSD2) became a reality in the UK.

Banks’ retail customers should enjoy better deals from financial institutions, more secure payments, and easier and more transparent management of their day-to-day financial affairs.

To facilitate this, banks across Europe must open up customers’ account data to third-party providers should customers authorise it.

With wearying predictability, instead of highlighting its potential benefits, parts of the press have turned PSD2 into a black-and-white, us-versus-them story, with the EU cast as the bogeyman.

There have been uninformed claims that PSD2 will put banking customers at risk by requiring them to disclose their bank website logins and passwords to all and sundry. Inevitably, the truth is more complex.

Part of the problem, as so often with banking standards, has been timing. While PSD2 went live on 13 January, the technical standards that underpin it won’t arrive until September 2019. These standards will require banks to adhere to a strict set of guidelines for application program interfaces (APIs) and authentication procedures. With these standards in place, customers should be able to gain the flexibility delivered by PSD2 without having to sacrifice any security.

In the UK, this situation has been complicated by the retail banking market investigation by the Competition and Markets Authority (CMA). It concluded that larger banks – the so-called CMA 9, comprising high street banks and a handful of large foreign banks – don’t compete hard enough for customers’ business.

The CMA’s remedy was effectively to implement PSD2 in advance of September 2019, under the guise of Open Banking.

Unfortunately, some of the big banks weren’t able to meet the CMA’s deadline to develop and adopt APIs. These CMA 9 banks, plus banks not subject to the CMA order, nevertheless need to comply with PSD2 and provide alternative means of data access.

In the absence of a secure API, the only option is to share logins and passwords with third-party providers, such as fintechs.

The greater involvement of fintechs in retail banking is unequivocally a good thing for customers. It will increase competition and make it easier for everyone to manage their money.

But banks encouraging customers to share logins and passwords with any third-party institutions could be a recipe for disaster.

As part of the preparations for the launch of PSD2, banks have sent out information telling customers that they can now choose to share logins and passwords with third parties. This is wrong on many levels.

First, it instills bad habits and weakens the crucial message that security credentials should be kept secure.

Second, given the impending introduction of APIs by all major banks by September 2019, it risks creating confusion about Open Banking.

Third, the practice legitimises so-called “screen scraping” – where a third party captures the customer’s login and password and uses them to log in to the bank as if it were the customer. Screen scraping will be banned from September 2019 as part of PSD2 because, unlike access through an API, it gives the customer and the bank no way to limit what the third party can see or do once it holds those credentials, putting customers at unnecessary risk.

The major objectives of Open Banking and PSD2 – to improve banking competition and enhance customers’ convenience and security – are admirable. The concern is that the UK’s well-meaning initiative to promote PSD2 won’t achieve these goals in the short term.

Moreover, the mixed messages on security now being disseminated by banks could have unfortunate consequences for consumers’ trust in the banking system and willingness to heed security advice in the longer term.

Bar a handful of early adopters, few are likely to leap at the opportunities that became available from 13 January. The hope must be that CMA 9 banks (and others) quickly develop their own APIs, so that the potential risks to customers are minimised.

For everyone reading, our advice is straightforward. If your bank cannot connect to your chosen third-party provider without asking for your login and password, hold fire until they have a secure API in place. It’s simply not worth the risk.

