
PSD2 – a directive that will change banking in Europe - ptrptr
https://www.evry.com/en/news/articles/psd2-the-directive-that-will-change-banking-as-we-know-it/
======
jslampe
I can appreciate the concerns some have voiced, but there's two main arguments
for this approach.

1. It's better than what we have today.
2. PSD2 is standardizing and increasing access to financial data, making the
entire ecosystem more competitive.

Regarding #1: I understand the concerns regarding privacy and security, but
this injects a whole new range of improvement that quite honestly we don't
have today. Unlike many countries that have rendered their bank account number
useless, the US has not. Today, we all provide our bank account numbers to a
variety of companies (our jobs for salary, rent, etc.) via a direct credit or
debit authorization form to a third party. The proliferation of Private
Account Numbers in the digital age is exactly what makes them such a high-
value target for criminals. A digital authentication and authorization
approach allows us to set parameters around authorization, rotate keys, create
programmatic constraints, inject real-time security, and a number of other
consumer controls (e.g. remove authorization for that annoying magazine
company that charges me every month for that Better Homes and Gardens magazine
I never ordered). This can all be done without providing the level of access
we and banks provide on our behalf every day.

Regarding #2: Banks are great at a number of things, like holding and securing
our money. They're terrible at responding to market forces or consumer
concerns. Instead, they use the mountains of red tape and regulation to
fortify themselves from new market entrants. Greater, more open access to
financial information levels the playing field, thus increasing both
innovation and better pricing for all.

TL;DR - this is way better than what we have today.

~~~
fsimoneschi3
Something that is often overlooked about PSD2 is the introduction of a real
liability model and explicit customer consent. What happens today is that
account aggregators and payment initiation providers (this is true in US and
EU) are operating in a gray area where transparency, consumer protection, and
liability are either completely neglected or totally insufficient.

PSD2 will create a clear regulatory framework, will introduce consumer
protection, oversight from competent authorities and ultimately will create a
transparent liability model for all the actors involved in the flow (data and
payments). I think this is a great outcome for consumers and market
competition. PSD2 is not perfect but is shaking the industry quite a lot.

I'm working on TrueLayer ([http://truelayer.com](http://truelayer.com)) which
is a universal bank API platform in the context of PSD2. Email in profile if
you want to chat about this topic.

~~~
candiodari
I wonder how much this regulation has to do with the EU commission being
terrified after Brexit and wanting to create more financial linkage between
member states. I feel this regulation may backfire in that regard. What will
an institution like Deutsche do if/when they fuck up implementing this? What
will the government do in response?

Especially given the state of European banks (TLDR: who are going to need a
bailout soonish).

~~~
ErrantX
A lot of PSD2 was pushed for by the UK I believe, pre Brexit

~~~
robhu
Indeed, and the EBA is based (for the moment at least!) in London.

------
dade_
The fact is that banks already use 3rd parties to provide new features and
share data with them today. As I understand this post, it forces banks to
allow 3rd parties that I can choose. Even if I choose not to use any of these
services, the services my bank offers will need to be competitive for those
that do. I think this sounds great as it also means that companies that do
develop new products aren't going to have to resort to hacks to access client
data or risk being locked out by the institution. Great post, I hadn't heard
anything about this before, but I don't live in Europe.

~~~
jslampe
This guy gets it.

------
legulere
> AISP (Account Information Service Provider) are the service providers with
> access to the account information of bank customers.

I do not see why I should entrust anybody but the bank with information about
my wealth. This will get abused and I will probably get nudged into this, so
that the company selling an unrelated product can sell my information.

If you want to do a product using my banking data, then do a product using
FinTS
([https://en.wikipedia.org/wiki/FinTS](https://en.wikipedia.org/wiki/FinTS))
and not as a service that grabs my data to you.

> PISP (Payment Initiation Service Provider) are the service providers
> initiating a payment on behalf of the user.

No thanks! Direct debit and wire transfer work well enough. This probably will
open the door to insecure payments without 2 Factor Authentication.

> For banks, PSD2 poses substantial economical challenges.

They are already under stress to provide low-cost bank accounts with the low
interest rates of today.

I am currently with a bank that I can trust (credit union) and I really do not
see much of a need to change.

~~~
javiercr
> I do not see why I should entrust anybody but the bank with information
> about my wealth. This will get abused and I will probably get nudged into
> this, so that the company selling an unrelated product can sell my
> information.

Believe it or not, many people (consumers) do this. For example: every Mint.com
user.

------
ivan_gammel
Once the responsibilities for managing customers' money are spread between
banks and fintech services, it's possible that at some point the system will
become too complicated to foresee potential risks (in this case it could be
cyberattacks on infrastructure or instability of the banks due to the lower
profits, increasing costs and faster money flows). As we know from our
history, misunderstood risks may eventually lead to crisis. What are the
guarantees that it won't happen in this case?

------
YeGoblynQueenne
>> banks’ monopoly on their customer’s account information (...) is about to
>> disappear

To clarify, this is presented as a good thing.

Of course, my bank doesn't have a "monopoly" on my account information: that
information _is not a commodity_. More so, it is definitely not something that
I would ever want to have change hands and be traded around. I entrust my
money to the bank, very grudgingly, because it's a convenience, but I
definitely, very very definitely, do not want it to share any information
about the services it provides to me with third parties.

I really hope the article is misrepresenting the new directive, or that at the
very least it will be a unique legislative exception that somehow manages to
provide adequate safeguards to my privacy, otherwise... OK, I don't know what,
otherwise. This just sounds insanely stupid. In terms of protecting EU
citizens' privacy it's a giant leap backwards.

~~~
hopeless
It's not about the banks selling your information but about you having (or
giving) access to your information.

For example, manually retyping my bank account transactions into my accounting
software will hopefully become a thing of the past. And long overdue too!

------
matthew_192
I often wonder if authors of PSD2 whitepapers ever read the text of the
directive they're discussing.

PSD2 is _not_ a carte blanche for every regulated PISP/AISP to consume Bank
APIs for any arbitrary user. API access will be secured by the Account
servicing PSP (ASPSP) security credentials, i.e. in order to initiate a
payment the PISP will have to collect the user's security credentials
(password, mTAN or other OTP) issued by the ASPSP.

Same goes for AISPs, where the customer must be initially authenticated with
ASPSP credentials and then authenticate again after 90 days.

~~~
nickonline
There are still so many open questions though.

* How do I know the PISP/AISP is going to do what they say, how are they accredited?

* If Spain has a very lax accreditation process then fraudulent PISPs/AISPs will congregate there to scam other Europeans - how do you stop this game of whack-a-mole when each country in the EU is defining their own system?

* There's hugely complicated Strong Customer Authentication regulation that's just been released in draft adding complexity to an already complex system

The problem is not _any_ arbitrary user that people are worried about, it's
scams. If I approach 1000 people and manage to scam one, I have access to
all their financials.

------
Qantourisc
Anyone else wondering about potential security problems, and "hey where is my
money"? Now I didn't look into the protocol or security measures. But this
has to be a risk.

~~~
ErrantX
So, the European Banking Authority (who wrote PSD2) have thought about this.
The Directive mandates "Secure Customer Authentication" (SCA) which is pretty
explicit about levels of security. It basically extends multi-factor
authentication to all sorts of existing and new payment vectors.

Here's a fun doc if you're interested:
[https://www.eba.europa.eu/documents/10180/1761863/Final+draf...](https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf)

------
mschuster91
> Some banks have already started making their APIs available. Examples hereof
> are the Danish Saxo Bank, that opened up for their APIs in September 2015
> and Capital One, a UK based bank, that already now enables affiliates to
> benefit through their APIs.

The article author is sadly uninformed on this one. In Germany, HBCI has been
employed since 2002 by 2000+ banks, approximately half of German banks
([https://de.wikipedia.org/wiki/Homebanking_Computer_Interface](https://de.wikipedia.org/wiki/Homebanking_Computer_Interface)).

~~~
matt4077
The rather informed author is speaking of APIs using the PSD2 standard,
which serves a completely different purpose than HBCI.

Of course every bank everywhere has, for the last 20+ years, offered some way
for their customers to interact via an API.

~~~
mschuster91
> The rather informed author is speaking of APIs using the PSD2 standard,
> which serves a completely different purpose than HBCI.

Sorry, you're flat out wrong there. You can implement both an AISP and a PISP
using HBCI.

An AISP needs only a bank that supports HKKAZ/HKEKA transactions (aka, fetch
transaction records). A PISP needs HKAOM/HKAUB/HKCCS (aka, initiate transfer
transaction) transaction support from the bank.

> Of course every bank everywhere has, for the last 20+ years, offered some way
> for their customers to interact via an API.

In most cases only for professional customers. HBCI (in Germany, though)
changed the table as it was explicitly intended for private/small business
owners.

------
pjc50
The potentially huge implication of this is the marginalising of existing
payment processors. In theory it may be possible for merchants to directly get
a payment from your bank by a mechanism a bit like OAuth.

The underlying objective is the creation of a smooth and level market for
payment services such that competition between European financial services
companies increases, rather than being limited to banks which tend to be
restricted to the country.

Actual text of directive: [http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:320...](http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366)

See also [http://www.thebunker.net/blog-psd2-is-a-disruptive-game-chan...](http://www.thebunker.net/blog-psd2-is-a-disruptive-game-changer-and-success-depends-on-security-privacy-and-trust/)

and [https://www.out-law.com/en/articles/2015/january/key-feature...](https://www.out-law.com/en/articles/2015/january/key-features-of-psd2-and-what-they-mean-for-the-payments-industry/)

and [https://www.starlingbank.com/explaining-psd2-without-tlas-to...](https://www.starlingbank.com/explaining-psd2-without-tlas-tough/)
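
The access model that matthew_192 describes above (the third party never holds bank credentials; the bank performs Strong Customer Authentication and the AISP must re-authenticate after 90 days; a PISP needs the customer's credentials for each payment) and the OAuth-like consent that pjc50 mentions can be made concrete in a small simulation. The following is an added illustration written for this thread, not code from the EVRY article, the directive, or any bank. The provider register, the customer, the one-time codes, the treatment of the 90-day window as a hard expiry, and all names are assumptions made for the example; real PSD2 APIs normally redirect the customer to the bank's own login rather than relaying typed credentials as this toy does.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets

AIS_REAUTH_WINDOW = timedelta(days=90)  # re-authentication interval mentioned in the thread
PBKDF2_ROUNDS = 20_000                  # kept low so the demo runs quickly (assumption)


@dataclass
class Consent:
    token: str
    customer: str
    tpp: str              # licensed AISP the consent is bound to
    accounts: frozenset   # accounts the customer agreed to expose
    sca_at: datetime      # when the customer last passed SCA for this consent
    revoked: bool = False


class Aspsp:
    # Hypothetical account-servicing bank: third parties relay what the customer types
    # for one SCA and never hold the password store or the one-time codes.
    def __init__(self, licensed_tpps):
        self.licensed = set(licensed_tpps)  # stand-in for a register of licensed providers
        self.ledger = []                    # (account, amount, counterparty)
        self._pw, self._otps, self._owned, self._consents = {}, {}, {}, {}

    def register_customer(self, name, password, accounts, otps):
        salt = secrets.token_bytes(16)
        self._pw[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
        self._owned[name], self._otps[name] = set(accounts), set(otps)

    def _sca(self, name, password, otp):
        """Strong Customer Authentication: knowledge (password) plus possession (one-time code)."""
        salt, expected = self._pw.get(name, (b"", b""))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        otp_ok = otp in (codes := self._otps.get(name, set()))
        codes.discard(otp)  # consumed on first presentation, so a captured code cannot be replayed
        return hmac.compare_digest(digest, expected) and otp_ok

    def _authenticate(self, tpp, customer, password, otp, accounts):
        if tpp not in self.licensed:
            raise PermissionError("provider is not licensed")
        if not self._sca(customer, password, otp):
            raise PermissionError("SCA failed")
        if not set(accounts) <= self._owned[customer]:
            raise PermissionError("account not held by this customer")

    def grant_consent(self, tpp, customer, password, otp, accounts, now):
        """AISP flow: one SCA at the bank yields a token scoped to the listed accounts."""
        self._authenticate(tpp, customer, password, otp, accounts)
        consent = Consent(secrets.token_urlsafe(24), customer, tpp, frozenset(accounts), now)
        self._consents[consent.token] = consent
        return consent

    def revoke(self, token):
        """Customer-side control: a consent can be withdrawn at any time."""
        if token in self._consents:
            self._consents[token].revoked = True

    def deny_reason(self, token, tpp, account, now):
        """None if an account-information read is allowed, otherwise why it is refused."""
        c = self._consents.get(token)
        if c is None or c.revoked:
            return "no valid consent"
        if c.tpp != tpp:
            return "consent is bound to a different provider"
        if account not in c.accounts:
            return "account not covered by consent"
        if now - c.sca_at > AIS_REAUTH_WINDOW:
            return "SCA older than 90 days, customer must re-authenticate"
        return None

    def initiate_payment(self, tpp, customer, password, otp, account, amount, to):
        """PISP flow: no standing token; every payment needs a fresh SCA with an unused code."""
        self._authenticate(tpp, customer, password, otp, [account])
        self.ledger.append((account, -amount, to))
        return len(self.ledger)


def _outcome(fn, *args):
    try:
        return fn(*args)
    except PermissionError as exc:
        return str(exc)


def demo():
    """Both flows on constructed sample data; returns each step's outcome."""
    t0 = datetime(2017, 4, 1, tzinfo=timezone.utc)
    bank = Aspsp(licensed_tpps={"aisp.example", "pisp.example"})
    bank.register_customer("alice", "correct horse", ["DE00ALICE"], otps={"111111", "222222"})
    tok = bank.grant_consent("aisp.example", "alice", "correct horse", "111111", ["DE00ALICE"], t0).token
    out = {
        "read_day1": bank.deny_reason(tok, "aisp.example", "DE00ALICE", t0 + timedelta(days=1)),
        "read_day91": bank.deny_reason(tok, "aisp.example", "DE00ALICE", t0 + timedelta(days=91)),
        "other_tpp": bank.deny_reason(tok, "pisp.example", "DE00ALICE", t0),
        "replayed_otp": _outcome(bank.grant_consent, "aisp.example", "alice", "correct horse", "111111", ["DE00ALICE"], t0),
        "unlicensed": _outcome(bank.grant_consent, "shady.example", "alice", "correct horse", "222222", ["DE00ALICE"], t0),
        "payment": _outcome(bank.initiate_payment, "pisp.example", "alice", "correct horse", "222222", "DE00ALICE", 20.0, "bob"),
    }
    bank.revoke(tok)
    out["after_revoke"] = bank.deny_reason(tok, "aisp.example", "DE00ALICE", t0)
    return out
```

Running `demo()` walks through the points raised in the thread: the consent token is bound to one licensed provider and a fixed set of accounts, an unlicensed provider is refused before any authentication happens, a one-time code is consumed on first use so a captured code cannot be replayed, reads stop working 90 days after the last SCA, each payment initiation needs its own SCA, and the customer can revoke a consent at any time.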

------
djsumdog
This seems backwards and terrible.

Every other nation in the world allows direct person-to-person transfer
between any bank. You put in your friend's name, BSB and account number into
your phone in Australia and the next day they have money. In Germany, you have
additional 1-time use TAN numbers.

Only in the US must we use PayPal, Facebook or paper checks. In fact, paper
checks are the only way to send money fee-free between banks. You can of
course just display a check on a screen and have the other person take a photo
of it with their phone, but that's still pretty ass backwards.

Banking should allow direct transfer at the state level, without third parties
or fees.

~~~
scribu
In the EU country where I'm from, you _do_ pay a percentage fee each time you
make a transfer to an account from a different bank.

~~~
otheotheothe
Where is that? SEPA room?

In Germany all SEPA transfers are free.

~~~
_pmf_
That's wrong.

~~~
geff82
It's not. Should I send you my business contract with a German bank?

~~~
icebraining
"All transfers are free for my particular contract with a specific bank" is not
the same as "In Germany all SEPA transfers are free".

I don't pay for SEPA transfers either. But they're not all free in my country.

------
AparnaC
Post PSD2, would a PSP be able to act as PISP and hold customer funds while
acting as PISP since it already has authorisation to hold funds as PSP?

------
ptrptr
This post was re-upped and is part of
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)
program.

Full message I've received: We thought you might like to know that we put
[https://news.ycombinator.com/item?id=13921072](https://news.ycombinator.com/item?id=13921072)
in the second-chance pool, so it will get a random placement on the front page
sometime in the next 24 hours.

This is part of an experiment in giving good HN submissions multiple chances
at the front page. If you're curious, you can read about it at
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)
and other links there. And if you don't want these emails, sorry! Tell us and
we won't do it again.

Thanks for posting good stories to Hacker News, Daniel (moderator)

