Define your strategic ambition and positioning
Opening up the front-end of payments initiation and information services has the potential to dramatically shift the competitive landscape. The ability to engage directly with and add value to customers will no longer be just the advantage of banks but shared with FinTechs, technology firms, and even retailers and telecommunications providers.
You will need a clear strategy which articulates your role in the future financial services ecosystem, the business models with which you will drive value, and how you will innovate, collaborate with other ecosystem partners and remain relevant to customers.
Address your technology and data capabilities
Most banks have legacy cores (e.g. mainframe systems, data warehouses and payments infrastructure) that were built years, if not decades, ago. PSD2 works on an expectation of scalability, security and resilience that matches that of Silicon Valley firms, which routinely offer open interfaces.
Banks also have slow change management processes, highly manual customer support and fragmented reference data which can make it difficult to respond to evolving customer needs with speed and effectiveness.
How will you systematically transform your operations and infrastructure for an open, rapid-response future?
Assess, measure and manage cybersecurity and privacy risks
PSD2 has been introduced against a backdrop of high-profile cyber attacks across industries. In a post-PSD2 environment, the primary responsibility for security risks will lie with payment service providers, and increasing the number of partners you interact with via APIs will increase your cyber attack surface and make you more vulnerable to data security breaches. Further, cybersecurity breaches can expose you to severe financial crime, reputational incidents and fines.
While PSD2 requires opening up customer data to third parties, the new EU General Data Privacy Rules (GDPR) demand protecting customer data privacy as well as capturing and evidencing customer consent, with potentially steep penalties for breaches.
PSPs must ensure that comprehensive security measures are in place to protect the confidentiality and integrity of customers’ security credentials, assets and data.
Determine legal and regulatory compliance
Implementing PSD2 will require you to review key areas and processes across your organisation and is likely to increase compliance requirements:
The application of PSD2 across a wider geographical scope and to new currencies and transactions introduces new information requirements. All firms, including those already approved as PSPs, will need to confirm compliance with PSD2 and face new reporting requirements. Customers will need to be informed of revised rights and obligations. Meanwhile, the obligation on account servicing payment service providers (ASPSPs) to grant access to customer accounts and to share data must be implemented alongside the requirements of other key pieces of regulation such as the GDPR.
Optimise your finance/tax
The opportunities and challenges that PSD2 provides are likely to impact and change the service offerings firms provide to their customers.
This, in turn, will lead to a reconsideration of the business operating model and how the organisation seeks to provide those new services to customers.
This change provides an opportunity to review and optimise the group tax structure.