PSD2 Implementation Congress
The PSD2 Implementation Congress organised by LBCG in London on March 28th and 29th 2017 brought together speakers from across Europe to talk about PSD2. The event was interesting due to the depth of engagement evident among the speakers and attendees in PSD2 related activities, with many concrete and informed discussions on a wide ranges of topics. Banks were well represented, including Swedbank, AIB, KBC and ING, Capital One, JP Morgan, Lloyds Banking Group, PostFinance AG, and Santander UK.
Some of the interesting and useful things we heard:
- Large retailers could be the big winners (issuing their own cards and onboarding them directly to the banks).
- PSD2 doesn’t say anything about whether credit transfers are to be instant. But banks can take advantage of SEPA Instant Payments. The UK can use Faster Payments.
- Screen scraping is banned.
- Use risk-based analysis. Holistic risk assessment is most of the time more effective than SCA (Strong Customer Authentication).
- PSD2 will help the web based payment process. But the UX for in-shop payments will be problematic because of requirements around SCA. TPPs and banks could resolve this through bilateral contracts.
- There will be a TPP register similar to the BIC register, and eIDAS may be used to authenticate TPPs.
- “For a good PSD2 implementation a test environment for the developer is not only important but mandatory.“ says Nadine McKeone from AIB.
- Norway has implemented a BANKId that is used by 86% of the population and a ‘common trust infrastructure’ that can be used by developers for strong authentication. This allows banks to focus on APIs and added value services. Other Nordic countries have something similar.
- The industry needs to arrive at a business model that supports infrastructure.
XMLdation was co-sponsor at the event and was represented by Tricia Balfe on a panel moderated by Francis Chlarie. The panel covered topics such as standardisation and the potential for a drift away from harmonised payments, and the importance of corporate APIs.