An evolution from bank control of payments

Banks have traditionally controlled the payments business, with the major card schemes such as Visa and Mastercard originating from bank associations. However, regulatory concerns over concentration and lack of competition, along with the global financial crisis, have opened up the payments industry to greater competition. The major development over the last decade is the growing importance of data to financial services, and the regulatory decisions that force banks to share customer data in order to drive competition in payments.

The UK’s Open Banking and Europe’s PSD2 regulations are similar, and both refer to the opening up and sharing of bank data. In both cases, the new regulations were implemented in order to create greater competition in banking and payments services. The idea behind these directives is to allow people to authorise the sharing of their own financial data, and to allow other businesses to use that data to offer better services. Under these regulations, banks must allow third-party access to customer data through APIs.

The first implementation of the EU’s Payment Services Directive was in December 2007, and laid down rules and the necessary authorisation for payment services including credit transfers, direct debits and card payments. This opened up the market to payment services beyond banks, and encouraged existing and new players to enter the payments business.

The Second Payment Services Directive was implemented in 2018, and added third-party providers (TPPs) to the market as new authorised service providers. These third-party providers are either Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISPs).

While the UK was the first country to implement Open Banking, the process was met by foot-dragging from established banks, which were unhappy about being compelled to hand customer information over to potential competitors. In March 2019, the UK’s Competition and Markets Authority issued directions to five major UK banks that had failed to comply with the order to open up customer data to third parties.

AISPs and examples

One early and widely adopted innovation is mobile applications that aggregate user financial information through APIs to offer an overview of personal or business finances by drawing all financial data into one portal.

It’s not unusual for bank customers to hold a number of financial accounts, such as a current account and a credit card, along with a mortgage account or other loan, and a PayPal account holding a balance, while having no way other than a manual process to calculate their overall balance.

In 2016, in anticipation of the implementation of open banking, ING Bank launched Yolt as a standalone service that aggregated a customer’s financial information into one account. Yolt was one of the first businesses to acquire an AISP licence, and then also acquired a PISP licence.

The opportunity to aggregate information for customers leads businesses such as Yolt to acquire data and train algorithms that enable analysis of customer spending, which can in turn lead to offering customers better services. In September 2021, Yolt announced it would stop offering its consumer app and focus entirely on providing Open Banking and infrastructure services.

PISPs and examples

As we will detail later, there are many players involved behind the scenes any time a person makes a card payment, including the issuer, the acquirer, the processor, the card network or scheme, and possibly a payment gateway. All of them take a small share of a card transaction. With an account-to-account payment, most of these players and fees are eliminated. PISPs can initiate bank transfers on behalf of customers, using faster or instant payment networks to move money in real time.

Allowing businesses to request payment is a significant change in payments. With PISP authorisation, businesses can send requests for payment through any channel, from email to WhatsApp. On receiving one, the customer can pay by opening their banking app, for instance, and confirming the payment with their standard authorisation procedure, such as a fingerprint on mobile or a PIN. Request-to-pay processes remove the need for extensive sharing of payment information.

PISP operators can offer account-to-account payments to bricks-and-mortar and e-commerce merchants in place of the more commonly used card payments. E-commerce merchants, for instance, can offer a Pay by Bank button, which takes the customer to their own bank’s website or app, where the payment details are filled in automatically. The customer authorises the payment through his or her own bank and is then returned to the merchant’s website. The payment is completed instantly.

Strong Customer Authentication 

The theft of card information is rampant, with stories emerging regularly of hackers and thieves gaining access to the details of millions of card users held by businesses. Strong customer authentication is a major part of Open Banking legislation.

Yet to be fully implemented, Strong Customer Authentication (SCA) has required a lot of infrastructural work. The Financial Conduct Authority in the UK states that SCA applies when a payer:

  • Initiates an electronic payment transaction
  • Accesses their payment account online
  • Carries out any action remotely that may imply a risk of payment fraud, unless an exemption applies.

Regulators have instructed payments businesses to offer solutions that include all consumers, including those who do not have or do not want a mobile phone.

Strong customer authentication requires the customer, who is initiating the payment, to provide two out of three possibilities:

  • Something the customer knows (Password or PIN)
  • Something the customer has (Phone or Hardware Token)
  • Something the customer is (Fingerprint, Face ID)
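As an added illustration (not code from the original text or from any bank or regulator), the two rules above can be written as one small decision routine: SCA is required for the three FCA-listed events unless an exemption applies, and it is satisfied only when the methods used cover two distinct categories, so that two elements from the same category (a password plus a PIN) do not count. The method names and event names are constructed for the example; which exemptions exist is left to the caller as a flag, since the text does not enumerate them.

```python
from __future__ import annotations
from enum import Enum


class Category(Enum):
    """The three SCA element categories named in the text."""
    KNOWLEDGE = "something the customer knows"   # password, PIN
    POSSESSION = "something the customer has"    # phone, hardware token
    INHERENCE = "something the customer is"      # fingerprint, Face ID


# Constructed mapping from the concrete methods a bank might record to a category.
METHOD_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,        # one-time code delivered to the phone
    "hardware_token": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_id": Category.INHERENCE,
}

# The three triggers listed by the FCA, as constructed event-type names.
SCA_TRIGGERS = {"initiate_payment", "access_account_online", "remote_risky_action"}


def sca_required(event_type: str, exemption_applies: bool = False) -> bool:
    """SCA applies to the listed events unless an exemption applies.
    Deciding whether an exemption applies is the regulation's business,
    so the caller passes that decision in as a flag."""
    return event_type in SCA_TRIGGERS and not exemption_applies


def sca_satisfied(methods_used: list[str]) -> bool:
    """True only when the methods cover at least two DISTINCT categories.
    Unknown method names are ignored rather than trusted."""
    categories = {METHOD_CATEGORY[m] for m in methods_used if m in METHOD_CATEGORY}
    return len(categories) >= 2


def authorise(event_type: str, methods_used: list[str],
              exemption_applies: bool = False) -> str:
    """Decision an issuer's authorisation server would reach for one event:
    'allow', or 'deny_step_up' meaning a further factor must be requested."""
    if not sca_required(event_type, exemption_applies):
        return "allow"
    return "allow" if sca_satisfied(methods_used) else "deny_step_up"
```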

This provides an extra layer of security to card and electronic payments. To deliver that extra layer for card payments, banks make wide use of 3D Secure, developed by Visa and adopted by Mastercard and other card schemes under different names. The process is designed to deliver financial authorisation over the internet. 3D Secure refers to three domains: the issuer domain, the merchant domain, and the interoperability domain, which includes the internet and the card infrastructure.

After providing the usual details and completing the checkout process, the customer is prompted by the bank or payments business to authenticate the payment, either with a code sent by SMS to their phone or with a one-time token generated by a hardware device, which may look similar to a small card terminal. Alternatively, the customer may use their phone’s security features, such as a fingerprint or Face ID.

Initially planned for introduction in 2019 in the EU, SCA is now due for implementation in 2022, as the process required both banks and other providers to upgrade their processes for providing SCA. Major processors such as Stripe pointed out that SCA, or two-factor authentication, resulted in growing abandonment of e-commerce transactions.

Banking as a service

Banking-as-a-service adds another layer, in which bank customers can gain access to third-party services provided by other banks or financial providers. This is known as a marketplace model: customers can engage new services through pre-approved apps in the bank’s app marketplace, which they can simply turn on or off. Banks that open their services to a wide variety of customers are likely to win more business, and to function better in an ecosystem environment. The days of banks being the one-stop shop in financial services are long gone.