From speaking to our clients it’s becoming clear that the more farsighted are beginning to grasp the fundamental implications of the European Commission’s PSD2 regulation which forces banks to open up APIs to permit push payments and account information queries. Having spent a frustrating few months trying to convince executives in the payment industry that this is far from being a mere technical compliance issue, suddenly we have people knocking the door down to understand the profound business challenges that Open APIs offer.
Even at a pure compliance level the PSD2 regulations pose significant questions for the structure of the existing payments industry. Straight off, an open payment API allows a third-party – let’s say a giant internet retailer at a browser near you – to ask consumers if they’d mind permitting direct account access for payment. It won’t be too hard for these organisations to find some incentive for customers to do this and once permission is granted then the third-parties can bypass existing card schemes and push payments directly to their own accounts.
Meanwhile the account information API allows third-parties to aggregate consumer financial data and provide consumers with direct money management services. It’s not hard to imagine that these services will be able to disintermediate existing financial services providers to identify consumer requirements and directly offer them additional products such as loans and mortgages.
These APIs only exaggerate trends that are already occurring. In the Netherlands iDeal offers a push payment service direct from accounts which has been extremely successful at cornering a large part of the e-commerce payments market. No cards and no card-not-present transactions are required; it’s all based on consumers authenticating themselves to the banks (another part of the regulations covers strong authentication, but we’ll deal with that another day). From the consumer’s perspective they no longer need to give the merchants their card details and hope that they can keep them safe.
This, you might think, is a bit worrying for banks and payment schemes – and you’d be correct. Unless they take action the banks will see their customers intercepted and a great deal of their cross selling opportunities will disappear. The payment schemes will simply see a large part of their online payment market disappear. Existing business models are being undermined, and the response to this from the industry has, so far, been slow and disjointed.
Generally speaking these changes are good for our industry and for end consumers, and it doesn’t have to be carnage among the existing incumbents, if they’re smart enough to embrace the opportunity. One way of thinking about this change is that it breaks up existing payment workflows. No longer is a payment simply a request in and a response out; now bits of the internal payment workflow – authentication, risk management, authorisation, tokenisation, rewards programs, key management, etc, etc – can be externalised through APIs. And one thing we know about APIs is that when they’re made available the generations of smart developers out there can do things we can’t even imagine, let alone build.
So banks and payment schemes can sit back, do the minimum required by PSD2 and try to protect their walled gardens a while longer if they wish. In a world in which consumers can initiate payments securely to their banks on their own devices it won’t work, but it will buy a few years. But the more far-thinking will be re-engineering their businesses to develop a whole bunch of APIs outside of PSD2 and will be working out the business models behind opening them out to developers and businesses.
The payment industry’s incumbents’ monopoly on information and control of the payment infrastructure, particularly the end points, has protected them up until now, but that monopoly is being broken by the regulations and control of the end points is being undermined by the pervasiveness of smartphones. But still, the core capabilities of the industry are something that other organisations will pay to access, rather than developing themselves, if they have the opportunity to do so.
Of course, some banks and schemes will thrive in this world of open APIs. Others will simply become utilities, highly regulated pools of capital. Both models are perfectly acceptable, but surely it would be better to choose what you become rather than being forced into a model you may not be well suited for?