Missed the September 14th deadline? Consequences and sanctions for not meeting the PSD2 implementation.

Time is drawing nearer and it is pushing banks that have not yet implemented a PSD2-compliant interface to make an important decision: How do I make my company PSD-ready? Make or buy? What happens, if I cannot meet the deadline?

by René Pongratz

The first stressful three months of the year are over. Vacation times are being planned. But the time to implement PSD2 is getting closer and closer. By March 14, 2019, banks and payment services have to provide the so-called third-party providers with a test environment (sandbox), and the associated technical documentation for the interface. Starting September 14th, 2019, the productive operation will begin.

According to a study by Tink, 41% of the banks in the EU are, at the moment, far from ready. But it is only about three months to the deadline. That means, they will not be able to provide a technically reliable and secure authentication. And there are some reasons for this: there are not enough resources in the IT area, full development roadmaps need to be created, and, shockingly, also a lack of know-how about PSD2.

Banks are spoiled for choice.

So should and could banks now even start with an in-house implementation, or would it not be better to resort to the “simpler” solution of outsourcing? By now, this decision is more and more influenced by the ever mounting pressure of time.

But no matter which solution one will choose: without the intervention of the bank itself, the requirements cannot be implemented.

One of the most important decisions that those who are in charge have to make for the first time is choosing which PSD2 strategy they want to pursue. Should only the minimum requirement “compliance-only” for PSD2 be met, or should real added value be created in the future?

The demand for fast and efficient all-round solutions is high. adorsys is already successfully cooperating with over 52 banks in Europe, including Consorsbank, DAB Bank, Deutsche Bank, Spardabank, ARZ, and the number is rising.

The consequence of non-compliance with the deadline

Banks that are not ready by the set deadline will run into a problem.

A provision allows third-party providers – in the case of unreliable banking APIs – to access customer accounts through their normal account access data (screen-scraping-method). This procedure is the so-called fallback solution, which comes into effect in case of non-compliance with the XS2A interface. Since this is a legally controversial practice, the motivation to meet the PSD2 requirements is all the greater.

Conversely, banks that use a reliable interface are automatically rewarded. And that simply because the more customer-friendly solution takes effect, in which third-party providers always have to identify themselves with a certificate when accessing customer data.