PSD2’s Elephant In The Room

Open banking is here, but baby steps abound as financial firms grapple with PSD2’s fragmented landscape. Token.io CEO Steve Kirsch tells PYMNTS that giving users full control over what happens with their financial lives means addressing PSD2’s elephant in the room: standardized APIs.

The old adage — timeworn, but true — is that a journey begins with a single step.

In the world of Open Banking, the steps are tentative, but march toward a goal of greater financial transparency and flexibility. The promise — far off, but in sight — is that individuals will have greater control over how and where their data is used, by whom and when.

Technology, of course, is part of the journey. Open Banking, which launched in the U.K. at the beginning of last year, is tied to open application programming interfaces (APIs), which allow third-party developers to build services for financial institutions. The APIs are used to share bank data among various financial industry players and should, ultimately, spur competition and new product development that benefits the end user.

However, the journey has been marked by baby steps, and evolution (rather than revolution) is at hand. That’s according to Steve Kirsch, CEO of Token.io Limited, which offers what is billed as a “turnkey” Open Banking platform that helps banks achieve compliance with the Second Payment Services Directive (PSD2). The March 14 deadline for compliance with PSD2 has, in turn, spurred banks to open up to third parties.

“PSD2 is just the start of Open Banking. And it is a very small start … we are in the early days,” Kirsch said, adding that “I don’t think I’ve [ever] seen a case where a PSD2 payment is as convenient to, [say], something like PayPal or credit card. … Technically, there’s no reason it can’t be.”

The Elephant In The Room

The elephant in the room, as he termed it (one that has yet to be addressed by various stakeholders), is the lack of standardization that continues to define the API landscape. He noted that standardization has marked the success of the internet, computers and mobile phones. The hallmarks have been single platforms, or perhaps two operating systems — in other words, convenient and widely adopted frameworks, and jumping-off points for innovation.

Right now, Kirsch said, there are hundreds of different APIs, “and they are all incompatible. They all do consent and authorization in different ways,” he explained to PYMNTS. Cohesiveness and success will not come, he continued (using the internet as an example), until the financial services industry embraces a single platform — or two platforms (to spur competition). After all, no software developer has the resources to write to multiple bank APIs.

He pointed to his own firm — which, late last month, announced a deal with Tandem Bank to comply with PSD2 and enhance end users’ experiences, allowing developers to write to single APIs and access all banks. Token.io is authorized in the U.K. to act as an Account Information Service Provider (AISP) and as a Payment Initiation Service Provider (PISP).

Looking Toward The Future

Such standardization, Kirsch noted, is key to secure and frictionless payments, whether at checkout for an individual consumer shopping online or for a corporation making a significant number of payouts. Today, authorizing an online payment takes the user through anywhere from five to 15 screens.

“[When] we truly transition to Open Banking, that will drop down to one screen,” he said, adding that the payments experience should be one where the user brings their own identity to the bank and transaction. “The user should be able to choose what piece of software they want to use to authenticate themselves.”

Choosing among software tied to Android phones or Apple hardware, he added, will be more secure because authentication will be done with private keys unique to each individual. That would be an improvement over today’s methods (even as PSD2 and Open Banking take their first steps), where banks deploy their own authentication and authorization methods, then check the result against their own internal records.

“It’s a little like the fox guarding the henhouse,” said Kirsch, “because the bank has both sides of the process — they are both providing the identity and verifying the identity,” often through manual processes.

The Aggregated Financial Services Model

Putting the control in the users’ hands means they can, for example, limit Uber transactions to $100 a month or remove authorization entirely without having to take a journey into Uber’s app. Ideally, an Open Banking interaction “should work pretty much the same way that a credit card does, except it is much more secure. I can authorize it directly with a digital signature … and I can revoke it at any time without Uber’s consent,” Kirsch said.

“The future will be that I have full control over what the authorization is, and I can revoke or change it at any time. To do a recurring authorization, I only have to do it once, … and there is no party in the middle that is going to compromise that,” he added.