PSD2: An Open Concept in Banking Mandating the Use of APIs

A revolution is occurring in European banking and APIs are leading the way.

Adopted in 2007, the Payment Services Directive (PSD) “provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU.” Legislated by the European Commission, the objective of the PSD “is to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State.”

To accommodate the rapid rise of new online payment providers – third-party payment providers (TPPs) – the European Commission proposed a revision in 2013. Building on the PSD’s key principles, PSD2 was ‘born’ to make payments safer and more secure, enhance consumer protection, foster innovation and promote competition while ensuring a level playing field for all payment service providers.

PSD2 has been in force since 2016, and EU Member States must implement it by January 2018.

Opening (APIs) Up

Under PSD2, banks are required to make customer information available to third-party providers (TPPs) through bidirectional sharing of data via APIs.

“Open Banking” is a standards-based, vendor-agnostic framework that has been mandated and promises to simplify interoperability. Interestingly, there are certain open source platforms being promoted to help facilitate compliance, but clearly, API security is paramount. While PSD2 is forcing the banking industry to expose open APIs, at the same time the General Data Protection Regulation (GDPR) overlays the data protection regulations that need to be applied to the APIs and the data exchanges.

PSD2 and Open Banking APIs define a set of framework requirements for the underlying technologies that must be implemented to achieve PSD2 compliance. Further consideration of the ramifications of GDPR is prompting banks to focus on an API security strategy for the implementation that can provide the required compliance aspects of authentication, authorization, and data privacy controls.

The fundamental tenets of the PSD2 and GDPR regulations for APIs are not unique. In fact, we have been touting for many years that identity and data security belong together at the API Security Gateway, so that information assurance and identity access control can be unified. The Forum Sentry API Security Gateway is uniquely qualified to address these areas via the three pillars of API Security:

  • API Identity – Multi-factor and multi-context authentication, SSO, and federation
  • API Security – Threat, trust, and privacy controls for the bidirectional data exchanges across the APIs
  • API Integration – Enabling IT apps across information boundaries and third-party providers to securely and seamlessly communicate with each other

Banks and TPPs are working in earnest to meet the January 2018 deadline, but questions remain.

What are the penalties for PSD2 and General Data Protection Regulation (GDPR) noncompliance?

What are the consequences of breached data?

We’ll be exploring these questions and more during our workshop at the European Identity & Cloud Conference 2017 titled, “How to Simplify and Secure your APIs in the age of PSD2, Open Banking Compliance, and GDPR.” Taking place Tuesday, May 9, from 9:00-13:00 CEST, we’ll also discuss API security gateway technology as the fundamental architectural capability to help establish compliance with Open Banking Standards and PSD2, as well as other emerging API-based mandates.

We look forward to seeing you at EIC 2017 next month in Munich!