2019 has just started and for banks and FinTech companies the magic month of the year is due in September. This is when PSD2 (Payment Services Directive 2) comes in to play, as formally approved by the European Parliament and the European Council in February 2018. Since then there has been an 18-month implementation and testing period. So, in just 8 months’ time, banks and FinTech companies must comply with the new directives.
PSD2 is another step towards a digital single market in the EU. The objectives with the legislation from an European Union perspective are to support new innovative banking services and channels as well as to improve customer experiences and security*. PSD2 follows the new “API economy” where services and data are made available in a standardized way also to applications and players outside the traditional scope of that application. In particular for non-banks (FinTech), but also banks, this opens up doors for new innovative services that gathers data from multiple sources, mix and match, and create something new. An important piece of the puzzle of enabling new “PSD2 – banking services” is the trust and long-term commitment offered by many Trust Service Providers (TSP). This trust is based on secure communication and authorization between the bank and FinTech companies, through eIDAS QSEALC and QWAC. In other words, the PSD2 legislation opens new opportunities for TSPs who have invested in PKI and an eIDAS compliant infrastructure, electronic signatures, electronic seal and time-stamp services. PSD2 mandates that banks need to open their APIs for allowing third-parties to access customer accounts, to read data or to initiate transactions. This is done to enable two new types of service providers; Account Information Service Providers (AISP) and Payment Information Service Providers (PISP). AISPs typically provide aggregated information to the end customers and PISPs initiate payments for the end customer from the customer’s selected bank. Apart from establishing trust, this also requires the banks to properly gather and manage customer consent for these new third-party services. To assure reliability and security in this new extended eco-system PSD2 mandates strong customer authentication, multi-factor authentication (MFA), of end users. The legislation also requires, as mentioned above, eIDAS qualified certificates (PSD2 QWAC and/or QSEALC are specified in ETSI TS 119 495) to secure the communication between the banks and third parties.
PrimeKey has since many years been working with TSPs in Europe and in December 2018 we had over 30 customers that are certified eIDAS Trust Service Providers. In our continuous customer dialogues, we have in the past 9-12 months gotten more and more requests from our TSP customers with regards to PSD2 and it is apparent that it will mean new business for them. Over hundred thousand organizations, Fintechs and banks, are right now involved in the support for, or development of, new services that are driven from new innovative online and mobile payments opportunities that have become possible with PSD2.
PrimeKey’s PKI platform EJBCA Enterprise 7.0.1, due end of February 2019, supports certificates required by PSD2 and together with our customers and partners we want to support innovation and best practices in the banking sector.