Two months after the final PSD2 deadline: where are we with the APIs?
In this guest blog, Rafael Plantier - country manager for the UK and Ireland at Tink, discusses the results of their latest research into the status of European bank's APIs, two months on from the PSD2 deadline.
With the September PSD2 deadline now visible in our rearview mirror, what is the status of the bank APIs in Europe two months later?
The industry still faces big challenges as an industry to make sure the banks’ individual technical environments improve. But what we’ve experienced is an encouraging shift in terms of collaboration and cooperation between some of Europe’s biggest banks.
We’ll say this straight off the bat – the number of PSD2 APIs that are compliant is still zero. But given the scale of the technical challenge to improve these environments, it’s unreasonable to expect they would be different just two months after the deadline. Everyone needs more time to see those numbers tick up – something we’ve been advocating for since well before September.
Just look at the UK’s experience with Open Banking. In November 2018 – nine months after the legislation came into effect – the uptime of the APIs was hovering at a dismal 96% (imagine one out of every 25 emails just getting lost). Now uptime is over 99%.
Some banks are now understanding...what it’s like to be on the customer side of the PSD2 APIs
This is progress that should be celebrated. And the progress we’re seeing in Europe is an uptick in the number of more open and productive conversations we’re having with some banks around the technical issues and troubleshooting of their PSD2 APIs. The handful of banks taking this approach are proactively improving their APIs – and moving closer to providing a user experience via third parties that’s similar to what their mobile apps offer.
After all, this is the ultimate aim of PSD2 – and the reason why we’ve been advocating for stronger PSD2 APIs: so that as customers gain control over who accesses their data, they also get a consistently great customer experience that matches the one they get directly with their banks.
Stepping into the customers’ shoes
The biggest change we’re seeing is that some banks are now understanding – and getting first-hand experience – of what it’s like to be on the customer side of the PSD2 APIs.
Some bankers we’ve been in touch with are trying out the experience provided by their APIs. And when they compare it with what other banks are offering, they’re realising that improvements could be made.
In the past few months, we’ve been collaborating with them to make adjustments to their APIs. In many cases, this means removing hurdles. A couple of banks have cut out some of the strong customer authentication (SCA) processes – or two-factor authentication – that customers were going through to authenticate themselves. Instead of having users to go through two SCAs, now it’s just one.
We’re seeing a handful of major banks start to acknowledge and proactively improve their APIs
In other cases, they’re rethinking the authentication flows. Some banks see that the web redirect method they were using for SCA was providing a far worse experience than what their app-loving customers were used to.
Making progress with closer communication
In the months we’ve spent integrating with the PSD2 APIs, we’ve gotten to know the people working on them at many of Europe’s biggest banks. We are in Slack chats, WhatsApp chats, email conversations, phone calls and working group meetings.
Our integration teams in Sweden, Poland and Serbia have exchanged a staggering 3,000 emails with tech experts from banks across Europe. And here’s what we’re seeing:
- Some Swedish, Dutch, UK, German and Austrian banks have begun or are planning to deploy new authentication flows and measures that improve the user experience. Some examples include:
- Implementing a decoupled or app-to-app authentication flow – instead of the headache-inducing web redirect flow. It means users don’t have to go through nearly as many steps to authenticate themselves with their banks.
- Removing the ‘IBAN flow’, a multi-step authentication flow that requires users to input their IBAN number in order to authenticate themselves with their bank through a third-party service. Most users don’t even know what an IBAN number is.
- Reducing the number of times a user has to do two-factor authentication when they’re fetching more than 90 days worth of transactions.
- Allowing customers to use authentication credentials obtained at any bank, such as BankID (rather than a bank only accepting credentials obtained through them).
- Two Spanish banks that previously had their documentation available in Spanish have now made it available in English – which now makes it possible for developers across Europe to integrate with their PSD2 APIs.
Some PSD2 APIs are demonstrably improving in key ways. In the example above, a major Swedish bank substantially improved the number of successful authentications for customers.
- Failures can happen for two reasons: 1) a user is not able or chooses not to finish an authentication journey because of complicated steps, unclear instructions or non-mobile friendly flows; or 2) the bank’s server is having issues.
- In the case of this bank, they improved the user experience and reduced the number of technical errors – bringing success rates up from 50% to 80%.
A positive trend despite negative numbers
There is still a long way to go, but our assessment just eight weeks on is that we’re seeing a handful of major banks start to acknowledge and proactively improve their APIs. And they’re setting a powerful example that other banks can follow.
Of course, we wish we could say the challenges haven’t continued. We wish the regulations had been crystal clear, leaving no room for doubt as to what the APIs were supposed to look like in the first place. But the reality is there are many grey areas, which leads to many different interpretations.
Players across the industry are working to find solutions. As a group, we’re creating common definitions for what a good user experience should look like. Or how to best deal with strong customer authentication (SCA) requirements. All for the first time.
We applaud the forward-thinking banks that are taking these concerns to heart to improve their APIs
In the past few months, we’ve sent letters to more than 100 of the biggest banks in the 12 European markets we serve to help identify areas for improvement.
And we applaud and cheer on the forward-thinking banks that are taking these concerns to heart, using the recommendations to improve their APIs and moving closer to compliance. These are our favourite conversations, and the ones that keep us going.
We hope it marks the start of a trend – one that leads to more collaborative conversations with big banks about how we can work together to improve the APIs. We’re already doing this with dozens of banks and, as you can see above, the results are impressive.
Everyone wants this massive effort and investment to be a success – to preserve the customer experience and make way for a powerful new generation of financial services. So if you represent a substantial population in your market and would like to improve your PSD2 API – then we would love to talk to you.
For more detail on the SCA portion of PSD2, check out this blog from 11:FS Head of Research, Sarah Kocianski, on how banks in the UK are reacting.