Blog Post

PSD2: Threat or an opportunity?

European financial institutions will have to implement the new European Commission Directive. The new Directive revises payment services regulations and is known as the Payment Service Directive (PSD2).

EC proposed PSD2 in 2013 and it will be enforced in 2018. The Directive main objectives are:

  • To improve payment efficiency throughout EU;

  • To offer new opportunities for payment service operators;

  • To promote innovation in payment services, in particular in the mobile and web services;

  • To harmonize the fees and improve security.

In the core of the Directive lays the Banks obligation to provide their customers with the means to authorize another payment service provider with access to their bank accounts and movements’ information, as well as information about their direct payments. The Directive goal is to improve customer service and stimulate competition and innovation.

PSD2 is seen as a great industry change. Its implementation will force the banks to open their internal systems to external service providers. Many banks see this process as a direct threat to their business model and a challenge to their security.

But is PSD2 a threat or does it open new opportunities?

What are PSD2 requirements?

With PSD2 enforced, each bank has to provide an interface, which allows access to information about accounts and means to conduct transactions. Such interface must be a public API (application programming interface), which allows third-party companies to access the services. Banks will not have a monopoly over their own public services. External companies will be able to offer alternative channels and competitive services.

Reactive or Proactive?

Banks still don’t know how to respond to PSD2. Some of them address the Directive just as a regulation and choose to be conservative, just meeting the formal requirements, and securing their market position. Others find new opportunities in PSD2 – they see the so-called FinTech companies not only as competitors but as partners as well. Thus banks are able to provide flexibility, loyalty programs, promotion of additional services, and FinTech companies are only able to provide access to such services.

The choice of strategy will have substantial implications on the banks’ future development. FinTech companies are on the rise and are starting to cut their share from banks’ traditional sources of revenue. Banks should act quickly and find their place in the new market chain so as to keep being competitive and to secure their growth.

Digital transformation

Customer focus is the core of the digital transformation. PSD2 completely changes the rules of the game in the industry, since it gives customers a choice, flexibility and control over the services they use. On the other hand this whole transformation gives the banks a chance to differentiate among competitors. The ability to operate multiple accounts from one application should not be underestimated. If banks want to take this opportunity and advance, they should act now.

The Bank must build a "bank-as – a platform" strategy. Its partners will be able to offer applications and services that will expand bank’s ecosystem and its influence on end customers. The keys to future growth in the digital economy are opening data and system functionality.

Using open interfaces provides new types of services. Such services do not depend only on a bank’s internal systems information but are based on information gathered from other partners, banks, retailers and FinTech companies. This creates new shared business models and shared cash flows. In this new economy it’s not necessary for the banks to be the only investors. They have the opportunity to build a partner ecosystem that offers traditional financial services in various combinations with other products and services, which adds new value to customer service.


To fulfill PSD2 requirements, banks must build an infrastructure that provides secure services:

Third-parties authentication. For example oAuth (Open Authorization) and 2FA (two-factor authentication) are sufficiently secure and flexible.

Delegation. This element is fundamental on defining who, how and when has access to what service features.

API versions and management. The interfaces will be in continuous development. This applies to internal systems as well, which are also subject to change. APIs should be updated accordingly. A clear application management model should be established with compliance with SLA commitments.

Protection from attacks and fraud attempts. The opening of the interfaces will make banks more vulnerable to attacks. The solution should use prevention and monitoring for protection.

Meeting standards. API must comply with specific standards such as ISO 20022 and REST / JSON protocols.

Developers tools. If the bank wants to develop a proactive strategy, it should define the standards and the rules for the use of its API components. Only thus the bank will be able to build a community of developers who will bring added value to its services.

Regarding the business aspect of the change, banks should provide the following processes:

Onboarding. Service payment operators should be provided with a test environment and certification program. The Bank takes additional risks – it shares the responsibility for breaking the system and compromising the data.

Support. The bank must provide business and technical assistance, incidents and exceptions management. Service Desk function should include servicing of open API interfaces.

PSD2 reference architecture on proven components

Opening the system to the public API components is a challenge for the security of the bank and its success in the process of digital transformation. If the strategy is to proactively seek new business models and provide a competitive advantage, it is necessary to build reliable, flexible legal and secure environment to ensure development in this new and still unexplored area.

Numerous successful implementations are based on the new IBM Datapower Gateway (DPG) solution in combination with Connect API. The figure illustrates an exemplary architecture.

DPG is a popular platform, which provides integration within and outside the organization. Besides being SOA applicable, DPG has firewall applications, which keeps security managers happy and the bank safe.

If the bank has Enterprise Service Bus (ESB), DPG can easily and securely terminate all services needed to build the API. Whether your internal services are SOAP-based or use more direct methods for integration, DPG can transform them into suitable REST services.

If the bank doesn’t have ESB, DPG can act as a fully functional one and help you build your SOA environment.

DPG provides the necessary level of security and protection of internal infrastructure and performance and scalability at the highest level, which is a prerequisite for building open API interface.

API Connect is a powerful platform for building and orchestration of API interfaces. Internal Services, provided to API Connect by DPG, are easily transformed in separate API components.  Bank system administrators have full control over built APIs.

API Connect builds a portal for developers, with published SDK and documentation, which facilitates and accelerates the application development.

Applying this architecture, the bank builds a platform, which not only meets the requirements of PSD2 Directive, but also starts a real digital transformation. The platform opens the way to new business models and new sources of revenue and profits.


Do not wait for the deadline. PSD2 will be enforced by the end of 2018. The process of technology and partner selection should start as soon as possible.

Do not limit yourself to PSD2. Choose a strategy and platform, so you can become a leader in the digital world.

Be bold. Digital transformation is no man's land. Experiment step by step. If an idea does not work, move on to the next. If it works, continue your development and improvement.

Share it: