Postmodern Banking | Michał Turalski, Paweł Kranzberg, Krzysztof Kubik

Postmodern Banking

The market for electronic payments will soon experience revolutionary changes resulting from the Payment Services Directive 2 (PSD2) within the EU Internal Market. The actual impact of PSD2 will not be confined to the small sector of electronic payment operators.



Why is PSD2 being adopted?

The essential framework for the functioning of the electronic payment sector is now largely a result of Directive 2007/64/EC (PSD1), adopted 10 years ago, which introduced uniform rules for the provision of payment services, effectively contributing to improved competition in this area, reduced transaction costs, and improved security when using payment services.

All this has translated into the dynamic development of industries based on such payments - in particular, it stimulated the growth of e-commerce and e-banking.

However, over the years and due to advances in technology, an increasing number of the solutions proposed in PSD1 have ceased to match the needs of the market and practices in this regard.
PSD2, enacted in November 2015, addresses the need not only of updating existing solutions but also of covering entirely new categories of payment services.

TPP - new players in the payment services market

The catalogue of payment services designed in PSD1, which mainly includes payments into and withdrawals from payment accounts, transfers and the carrying out of transactions, has been extended with third party providers (TPP). In the previous model, payment services were most often provided using an entity responsible for maintaining a payment account, which the user funded by transfers from a "classic" bank account. Generally, the user executed payment transactions only from an account replenished in this manner, e.g. by purchasing goods and services from entities operated by a given electronic payment system.

Many FinTechs are ready to quickly adopt the potential provided by PSD2 as at the moment they have already established their business activity upon at least one financial institution or they play the role of TPP without even using the interfaces provided in the Directive.

The PSD2 model of services provided by TPP assumes possibilities such as making electronic payments using an entity that will only be responsible for payment initiating services (PIS), at no moment in time being in the possession of funds transferred from the user's bank account. Unlike previous solutions for immediate payments without the necessity of having a separate payment account, the service in question will simply be about providing the payment initiation service provider (PISP) with all the data needed to log into the user's bank account, to block the funds due for further authenticating the order on the user's behalf, and to transfer the funds to the payee's account.



New categories of services

In addition, PSD2 introduces a completely new category of services designed to facilitate the management of personal finances by giving the customer aggregate information about the funds available on accounts run by different payment service providers (AIS - account information service). Within this service too, the account information service provider (AISP) will receive, from the customer, the data required to log into the customer's accounts at other providers, to collect account history data, and to monitor receipts of funds and purchases made via the account.

PSD2 and security

To enable efficient delivery of services by PISPs and AISPs, payment account providers (usually banks) will be required to provide public APIs (application programming interfaces), which allow TPP applications to be integrated directly with the account operator's IT system supporting payments. At the same time, in order to adequately adjust the security level to the expanded payment service catalogue (and in particular in order to safeguard services provided by PISPs and AISPs), PSD2 envisages far-reaching safeguards covering:

  • an obligation to implement an IT security management system,
  • an obligation to report security breaches to supervising agencies,
  • an obligation to introduce so-called strong customer authentication (SCA).

In an SCA-based security system, the client must be identified using at least 2 of the 3 available authentication methods (for example, static login data along with a dynamic password generated through a cryptographic token, or the customer's biometric data).


Modern solutions in practice

Many FinTechs are ready to quickly adopt the PSD2 potential, as they already base their business activity on at least one financial institution, or play the role of TPP without even using the interfaces provided for in the Directive. This applies in particular to e-commerce payment service providers, such as Blue Media (including pay-by-link and high-speed payments), and PayU (including online payments made using the electronic wallet model, pioneered by the American PayPal). This group also includes the Sweden-based Klarna portal, which takes over credit risk from online stores, allowing their customers to pay for goods after delivery. For such fintechs, PSD2 will open up the possibility of faster and cheaper payments from customer bank accounts, streamlined credit scoring, and additional services.

AISP equivalents

Another group of fintechs positions itself in the area for which PSD2 foresees the role of AISP. These include and other personal finance management services, which aggregate information for customers about their accounts at various banks. Entities such as the German use data to generate credit scoring for the clients and to offer them personalised credit products.

Existing AISP equivalents obtain bank data using screen scraping technology, which, according to the European Banking Authority (EBA), will be banned throughout the EU as soon as PSD2 regulatory standards enter into force. This will pose a challenge for them, as access to accounts required by the Directive does not include, for instance, mortgages and deposits. On the other hand, access to payment accounts will make bank data available to alternative credit scoring providers, such as the Friendly Score from Poland, which specialises in assessing creditworthiness based on non-bank sources such as a customer's activity in social media. (This is important for customers with no previous credit history, such as young people and immigrants.)

A bank of banks?

Creating a common platform for banks to sell financial products sold by other banks, something like a "bank of banks", may be an interesting solution. With the growing awareness regarding the use of financial services, we are increasingly purchasing financial products where we get the best deal. For instance, we have a mortgage in bank X, a current account in bank Y, a current business account in bank Q, and a credit card (in addition to the one at Y) in bank Z. It would be convenient to have access to them all in one place, logging in only once. And we will have such an opportunity if, according to the new regulation, there is a bank through which we will be able to manage each of the above-mentioned accounts.

Benefiting from the freedom of choice, we will be able to select the "bank of my banks" with an application that we like the most (assuming that most of the banks will use the opportunity to obtain data about customers from the competition and will create their own tools for managing complex financial services). The years 2018-2019 will show who and to what extent will exploit the new opportunities on the Polish payment services market, of course only if key regulatory technical standards for PSD2 are adopted by the European Commission in the second quarter of this year.

New possibilities

The most advanced country in terms of using the PSD2 philosophy is the United Kingdom, where the "Open Banking" initiative, which goes beyond the requirements of PSD2, is being implemented. For example, access to accounts will include all customer products, including credits. Some industry pundits predict that the API specifications, currently being developed by a consortium of UK banks, will become de facto European standards. In the coming years, "Open Banking" will probably also start operating in Singapore, among other places, where it enjoys the support of both the local regulator and the banking community. For example, Singapore Standard Chartered Bank this year launched a publicly available 'sandbox' service that allows FinTechs to experiment with its open APIs.

Michał Turalski
Senior Manager, Financial Services Advisory Team at KPMG in Poland

Paweł Kranzberg
Manager, Financial Services Advisory Team, Data & Analytics Expert, at KPMG in Poland

Krzysztof Kubik
Legal advisor in the D.Dobkowski sp.k. Law firm, associated with KPMG in Poland

© 2022 KPMG Sp. z o.o., a Polish limited liability company and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English  company limited by guarantee. All rights reserved.
