In just one year, the second European Payment Services Directive—or PSD2 as it is better known—has created a new scenario combining innovation and security, in which banks have been progressively opening up access to their infrastructure to third parties. From fintech startups to companies looking to improve the services they offer their customers, employees and suppliers, these new players have found an ally in PSD2 when it comes to completing the services they offer and offering new added-value proposals in their businesses.
Although adaptation to PSD2 has been uneven and entities have progressed at different speeds, BBVA has been one of the pioneers in opening up to this new collaborative paradigm thanks to BBVA API_Market, a major repository of APIs containing combined solutions that aim to offer more complete service packages for more specific purposes.
This is the case with Regulatory APIs, a solution designed and managed by BBVA to comply with the regulations of all the countries and, more specifically in this case, Europe’s PSD2 regulation.
Ana Climente is the head of Open Banking at BBVA Spain and the Product Owner for this solution. She has previously worked as the head of transformation for business customers at BBVA Spain, leading the development of data-driven digital solutions for companies, businesses and institutions that help customers make better decisions. We spoke to her to get an expert perspective based on her experience of leading the Regulatory APIs solution project.
Q: What are the advantages of implementing a solution such as Regulatory APIs in a fintech company? Are they useful in other sectors?
Ana: Fintech companies currently play a major role in the PSD2 scenario. They have been a major driver of innovation in the banking sector, and they have become an industry. Access to the massive customer base of traditional banking through open APIs is a step forward for the development of new business models and alternative products and services.
PSD2 is not just a European directive that we have to comply with or just another regulation. It is the starting point for a new and open financial ecosystem. Together with other initiatives, it is creating a favorable framework for innovation and increased competition. It creates opportunities for companies whatever their sector. But customers are the real beneficiaries, as they own their data and decide who to share it with.
Q: At the regulatory level, what does PSD2 mean for businesses that aren’t necessarily involved in the fintech field? How does it affect them and what can they get out of it?
Ana: Large technology companies, telcos and companies in all sectors can apply for licenses to set up as payment service providers and offer the services regulated under PSD2.
Even if they do not have a license, companies can access new added-value solutions from third parties based on PSD2 services, whatever their sector. This could involve services to offer to their customers, for example by completing the payment methods they offer with payment against accounts; or improving and streamlining their internal processes to make them more nimble, by improving the risk rating for each customer using financial information from their payment accounts.
Q: Describe the process of developing regulatory APIs under PSD2. What challenges did BBVA face along the way?
Ana: Adapting to PSD2 has been a challenge for the banks, with implications for our channels and the development of regulatory APIs.
The financial sector has had to transform its organizational structures and its reliance on earlier technologies and deep-rooted ways of working. The banks have also had to learn to work with the fintechs and other new players. BBVA had already taken a number of steps to prepare for the new world of Open Banking, technologically, culturally and commercially.
In the absence of existing European standards, decisions by the developer community and financial sector professionals have played a very important role, not only with regard to APIs as vehicles for implementing the PSD2 mandates but also in the technical requirements of these APIs.
Access and authentication protocols have had to be standardized to simplify the introduction and operation of these new services for all parties. Sandbox environments have also had to be made available to facilitate innovation and experimentation in a convenient and compatible testing environment.
In many European countries, financial institutions present their APIs in collaborative financial sector solutions to facilitate this access, making it easy for new players to connect with different financial institutions in the same way through a single approach. This is the case with BBVA, which is involved in the Redsys sector platform.
Banks have also had to update the authentication elements we provide to our customers to meet the new PSD2 security requirement – known as Strong Customer Authentication (SCA) – including for online purchases.
Q: What guarantees does the regulatory APIs solution offer at the security level? How is data access managed? What role do the stakeholders (customers, businesses, BBVA) play?
Ana: Firstly, these new services can only be provided by payment institutions with licenses for them. This involves complying with rules similar to those for traditional payment service providers: registration, authorization and supervision by competent authorities. They are identified by an eIDAS digital identity certificate in their communications with financial institutions. All payment service providers – banks, payment institutions and new providers – must comply with data protection regulations when processing personal data for payment services and must inform their customers about how they will process their data.
The regulatory technical standards (RTS) that are part of PSD2 guarantee higher security levels in payments for goods and services in Europe, as well as in access to the customer’s banking data by third parties.
OAuth is the security protocol for regulatory APIs, using tokens as an authentication and access process. The user authenticates themselves using their online banking passwords, for their security and convenience. The security protocol for communications ensures that only the account holders have control over the transmission of their financial data. Their data cannot be sent to a third party without their consent.
Q: What kinds of functionality do PSD2-related APIs offer when they are used in combination rather than individually?
Ana: The combination of account information and payment-initiation APIs gives third parties comprehensive capabilities. The PSD2 accounts API enables them to provide customers with aggregated information about their payment accounts with any entity, while making it easier for them to understand their customers and offer them personalized, data-driven services. This is the case with the Personal Financial Manager (PFM) and Business Financial Manager (BFM) solutions. The PSD2 Payments API allows third parties to complement these solutions with operational capabilities, so that customers can perform their main financial activity in one place.
For example, BBVA has developed a private aggregation service for individuals and BBVA One View for companies, with very positive results. These solutions help customers make better decisions, so we have a positive impact on their day-to-day life and help them achieve their life and business goals.
Q: What is the process for integrating regulatory APIs into a company’s ecosystem?
Ana: This is very simple with BBVA. As I mentioned, our regulatory PSD2 APIs solution is presented through Redsys, a collaborative sector platform. More than 80 entities are currently involved in this platform. This means authorized third parties can access the APIs of all these entities through a single connection.
Once all the registration procedures required by the regulations have been completed, third parties use the sandbox environment to confirm that their developments are correctly integrated with our APIs. The next step is access through the production environment with eIDAS certification. This allows identification of the third party and is a regulatory requirement under PSD2. The services regulated by PSD2 can then be provided, with the customer’s consent, of course.
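An added illustration, not BBVA or Redsys code, of the access rules described in this answer and in the earlier OAuth answer: the third party is identified by its eIDAS certificate, the customer authenticates at the bank and an OAuth token is issued, and account data is released only within the consent the customer gave. The token layout, the identifier read from the certificate, the IBANs and all other sample values are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Consent:            # what the account holder agreed to share, and with whom
    tpp_id: str           # identifier the bank reads from the TPP's eIDAS certificate (assumed)
    accounts: frozenset[str]  # IBANs selected by the customer when authorising (constructed)
    scopes: frozenset[str]    # account-information scopes, e.g. "accounts", "balances"
    expires_at: datetime

@dataclass(frozen=True)
class AccessToken:        # OAuth token issued once the customer authenticated at the bank
    consent_id: str
    tpp_id: str           # bound to the same TPP identity as the consent
    expires_at: datetime

SAMPLE_NOW = datetime(2020, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample data: one consent and the token that refers to it.
CONSENTS = {"consent-1": Consent("PSDXX-EXAMPLE-0001", frozenset({"XX00EXAMPLEIBAN0001"}),
                                 frozenset({"accounts", "balances"}),
                                 datetime(2020, 9, 1, tzinfo=timezone.utc))}
TOKENS = {"tok-abc": AccessToken("consent-1", "PSDXX-EXAMPLE-0001",
                                 datetime(2020, 6, 1, 13, 0, tzinfo=timezone.utc))}

def authorize(token: str, presented_tpp_id: str, scope: str, iban: str,
              now: datetime = SAMPLE_NOW) -> tuple[bool, str]:
    """Return (allowed, reason) for one account-information request.

    presented_tpp_id is taken from the client certificate on the mutual-TLS
    connection, so a leaked token cannot be replayed by a different TPP.
    """
    tok = TOKENS.get(token)
    if tok is None:
        return False, "unknown token"
    if tok.expires_at <= now:
        return False, "token expired"
    if tok.tpp_id != presented_tpp_id:
        return False, "token not bound to presented eIDAS identity"
    consent = CONSENTS.get(tok.consent_id)   # missing entry means the customer revoked it
    if consent is None:
        return False, "consent revoked"
    if consent.expires_at <= now:
        return False, "consent expired"
    if scope not in consent.scopes:
        return False, f"scope '{scope}' not consented"
    if iban not in consent.accounts:
        return False, "account not covered by consent"
    return True, "ok"
```

Each refusal is a distinct reason so that the bank can log which control rejected the request, which is what an incident responder needs when investigating misuse of a token or consent.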
Q: How do these APIs contribute to a business’ digital transformation?
Ana: Today’s businesses have financial needs that go beyond handling their problems with the infrastructure surrounding money. They are looking for a strategic partner, a personalized advisor. BBVA puts transformation at the service of companies, taking advantage of new technological capabilities. The speed and simplicity of integrating services using APIs makes information available to companies in one place and in real time, streamlining their processes. Through big data, this results in time savings, greater control of cash flow and anticipation of major developments in their accounts.
Q: Which BBVA APIs and solutions are worth combining with?
Ana: These APIs can be combined with other BBVA solutions, such as:
- Customers: this API allows customers to share their BBVA identification data. This allows the business to streamline customer registration, improving their conversion rates by eliminating endless forms.
- QR Pay: incorporating Alipay’s payment option into a business’ POS through this BBVA API allows it to take advantage of the potential market of visitors from China, through a familiar and friction-free customer experience.
- Business Accounts: enables companies to streamline their bank reconciliation processes by incorporating account information (C43) directly into their internal management systems.