PSD2, the (EU) 2015/2366 directive has laid out a framework as to how the third party providers which include PISP (Payment Initiation Service Provider), as well as AISP (Account Information Service Provider), are going to access a customer’s financial information. This information which is primarily kept by banks as their financial service providers, is needed by the TPPs to build their own services. Banks would provide the required information to the third-party providers via an application programming interface (API). There has been a lot of discussion going on ever since these third party providers have come into the picture.
All these service providers in the world of PSD2 like TPPs, AISP, TPPs, come under the umbrella of Open Banking. On one end, banks are said to have adopted a defensive stance and are sharing information meeting the minimal requirements of the compliance. On the other end, TPPs are saying that under Open Banking, the banks are only sharing the “payment information” of the customer and not about his savings account or fixed deposits. The information left out is vital and hampering the TPPs build better services for the customer.
Let’s go beyond the drama and try to understand who all can become a third party provider under PSD2.
Open Banking opens opportunities for all sorts of companies to gain the TPP status, specifically for enterprises that are already working in the financial sector like:
· Fintech companies
· Big tech companies
· Insurance companies
To become a TPP and have access to the customer’s banking and transaction information, enterprises need to apply for AISP or PISP license. An enterprise can apply for either or both the licenses, as long as they are meeting the requirements of their area of work.
Here are the five important steps that the third-party providers need to check:
Define your use cases
Just like before beginning any other business, you define what your business will entail, do the same with TPPs, and define its business use case. The strategy that you would need before becoming a TPP is going to vary according to your business plan. You might be a bank looking forward to merging the account information for the customers across various banks or you might be a Fintech company aiming to launch a revolutionary payment system for the customers. In both these cases, you would need a strategical plan for scaling. Moreover, you would need to reach a broad audience as well as merchants to push cross-selling and complimentary services.
Taking the APIs from the banks
To bring the TPPs business case to fruition, the enterprises need to rely on the banks for some vital information. To begin with, the banks need to install open APIs to gather quality, reliable, and stable information and data to build the TPP services. So far, the banks were operating as an individual unit and not experienced in delivering APIs to external entities. This means that a TPP would need to rely on the bank’s capability or their chosen technological partner for the strength of the API.
Scope of business
PSD2 has been implemented across all EEA countries, and it is definitely going to be a difficult task for a third-party provider to build a business across the entire region. So, a sensible thing to do would be to define the target audience as well as the geographical area of work. If you are looking forward to offer services across border, there might be legal criteria that need to be kept in mind or legal formalities that need to be completed. Consider all the information before making a move as a TPP.
Central or individual registration of TPP
There is still no formal procedure designed to register as a TPP. If you go by central registration, then it is likely to be supervised by EBA (European Banking Authority). The national financial supervisory authorities are definitely taking care of defining the practices and processes for TPP approvals. Post the fintech company, or the bank gets a TPP approval, they need to put the actual integration — SCA and 2-factor authentication in place.
Connecting the merchants
Currently, the process of identifying and authenticating between ASPSPs and TPPs is a little blurry. However, there are a few elements that are well-defined by the Regulatory Technical Standards (RTS). A significant question that arises here that if an aspiring TPP needs services of a merchant that doesn’t look forward to being a TPP itself, then how the integration is going to work?
One of the biggest challenges for a third-party service provider will be to not overindulge into the multifaceted and evolving legislation. They should better concentrate on developing an innovative service under PSD2.