No room to pause on PSD2: Our 10-point compliance checklist

The PSD2 clock is ticking away, with just 2 months until the first of the hard deadlines takes effect. There are only 8 weeks to go until all European Account Servicing Payment Service Providers (ASPSPs – typically banks) need to have their technical specs, support and testing facilities available for third party access. So, we thought it would be an ideal time to share our view on the current landscape and state of industry readiness.

Over the past couple of years, we’ve been closely following developments around PSD2 and getting involved in key industry stakeholder groups. By working with solution providers and implementation support initiatives, we’ve been able to help our clients navigate the best way to achieve compliance. It’s also given us some interesting insight into the different approaches being taken across the industry.

At this point, banks fall into one of three categories when it comes to their readiness for PSD2 compliance:

  1. Ready: those that started early have a solution in place and are now working towards the exemption. They’re also looking at how to add value to their user experience and extend the services beyond pure PSD2 compliance, which puts them in a strong position for commercial opportunity.
  2. In progress: it’s no surprise that this is the largest group – with these banks busy developing their solution and focused (for now) just on meeting the regulatory and exemption deadlines.
  3. Not started: there are still a surprising number of banks that have not yet started to implement a solution to meet their obligations under PSD2. This places them at risk from fines, reputational damage and potentially longer-term loss of market share.

Given the looming deadlines, there’s little time left for those who haven’t yet started to hit the compliance dates. So, to help ASPSPs in this situation to understand where to start – and what is achievable in the timescales – we’ve put together a quick checklist. This should also be a helpful reference for ASPSPs who are currently working on their solution but would benefit from a project health check:

  1. Resources: allocate your budget and team to the project – you may need to take a ‘pragmatic exception’ route, as the usual project management approach won’t work for such a short deadline (but the right delivery controls are more vital than ever).
  2. Expertise: find the right external expertise to support you – it’s now too late to build a solution internally. There are several experienced consultancies and vendors out there who can take the pressure off and help deliver what you need.
  3. Plan: assess the impact for your bank, define the scope and minimum requirements you need to meet the regulations.
  4. Solution: select the most viable, relevant solution that matches your scope. There are several options to consider – screen scraping or APIs, which API standard, etc.
  5. Vendor: select a vendor to deliver the solution – ensure it is an established solution that meets your individual requirements and is something that can be delivered in the timescales.
  6. Security: ensure compliance with the Regulatory Technical Standards on Strong Customer Authentication and EBA Guidelines (Incident Reporting and Security Measures). This is vitally important and applies for all existing remote access channels, not just the new API solution.
  7. Contingency: talk to your regulator regarding exemption options, and plan for implementation of these temporary measures – just in case. It’ll help protect your business.
  8. Target Operating Model: define, design, document, then implement how the solution will operate, including individual roles and KPIs.
  9. Reports: record everything! You will need all possible data available for regulatory reporting, notifications, queries, KPIs, Management Information etc.
  10. Compliance: PSD2 isn’t the only regulation to consider – make sure your solution is compliant with other related regulations, laws and guidelines such as the GDPR, Anti-Money Laundering Directive, Brexit, Security and eIDAS.

The above should give you everything you need, but if you’d benefit from further help and advice, RedCompass Labs is here to help!

RedCompass Labs has a strong community of PSD2 SMEs who closely follow major API standard initiatives driven by key industry stakeholder groups such as the Berlin Group NextGenPSD2, UK Open Banking and STET. Over the past couple of years, our team has been working hard on developing and implementing PSD2 compliant Open Banking solutions at a number of banks across 15 European countries.

If you would like to talk to one of our expert consultants, please get in touch.
