Does PSD2 have to be complicated?
Does PSD2 have to be complicated?
There has been a huge amount written about PSD2 recently and much of it appears to be, with the greatest respect, over complicating the issue.
Very fundamentally, to provide for all of the requirements of PSD2, we have three transaction types: balance, transaction list / statement and payment.
Obviously, since these requests are coming from companies that are not the account holder, the requests must be authorised. The most straight forward way of handling that is by a set of account holder mandates. The company sends a request to the account holder, by way of their bank, requesting a mandate to complete the desired transaction. The account holder is notified that a request for mandate is pending on their account, and the next time they log in to their account they can choose to accept or reject the request.
The mandate request should be of the form:
Company: XYZ Ltd has requested access to: see your account balance on your account: 12345678 Sort code: 12-34-56 from: dd/mm/yyyy to: dd/mm/yyyy
It must be possible for the account holder to rescind the mandate at any time.
On successful acceptance of the mandate request, a mandate key is to be sent to the company. When the company later sends a transaction request they will include the mandate key under which they have been authorised.
So far, so simple.
Of course account holders will not want to be constantly bombarded with mandate requests from all and sundry so it would make sense to ensure the companies making the requests have a bank account with a European bank and that the bank has authorised them for the request. This has the added benefit that, should the banks request any transaction fees, these are then just a matter of cross charging between banks.
So how does it work? The company’s bank provides an API that the company can use to request a mandate. The account holder’s bank provides an API, only accessible to banks, that allows the company’s bank to forward the mandate request. When the request has been approved by the account holder the account holder’s bank calls an API, only accessible to banks, provided by the company’s bank, that allows the mandate to be given. The company’s bank will hold the mandate for the company and provide a unique reference to it to the company.
You can see where the complexity is creeping in. Each of those API’s must be agreed and created according to a standard such that each bank is able to communicate with each other effectively and that standard doesn’t exist. If nothing is done now, each bank will create their own API according to their own standards and a whole, unnecessary, industry will be born aggregating and unifying them so that they can actually be used.
In fact the whole business lends itself to the universal payment system I have discussed previously, although this could be better described as a universal banking network. On such a network these transactions, with associated mandate management, are simply another way for banks to do business together in a competitively cooperative manner.
Once you have introduced the concept of a mandate you can go further though. How much more confident would you feel about a direct debit mandate that was of the form:
Company: XYZ Ltd has requested access to: Directly Debit on your account: 12345678 Sort code: 12-34-56 once a month on the 13th of the month, for an amount in the range: £10 – £200
Is that not a bit more controlled than what we have now? Effectively:
“I give company: XYZ Ltd free rein to take from my account as much as they like whenever they like and we’ll fight about it later if I disagree with what they have done.”
Or how about banks becoming the main KYC repository for all industry? If a company wants to confirm the identity of a customer they send a request, via the network, to the customer’s bank. The customer can approve the request, including how much information should be given, and the KYC confirmation can be returned to the company. Clearly this is a service the bank could charge for and the account holder remains in control of their data.
So, in answer to the original question: no. It doesn’t have to be complicated. But we could do with a decent inter-bank communication system to enable this and all the other transactions that banks have with each other.
Please feel free to contact me if you would like to discuss this further.