PSD2 ‘Access to Account’ (XS2A): time to get real about banking API business strategies

  • Mounaim Cortet, Douwe Lycklama

European lawmakers reached an informal agreement on a revised Payment Services Directive (PSD2) on 5 May. The agreement came after trilogue negotiations between the Commission, the European Parliament and the Council of Ministers. Following the subsequent technical work, a final compromise text of the PSD2 was published on 2 June. These developments further pave the way for the realization of the most debated part of PSD2, i.e. the provisions for third party ‘access to account’ (XS2A).

The final text still needs to be approved by the Council. It will then be submitted to the European Parliament for a vote in first reading, and to the Council for final adoption around September 2015.

Although key security concerns regarding XS2A are formulated in rather abstract terms, it is clear that ‘third party access’ is going to happen in some shape or form. It is up to the European Banking Authority (EBA) in London to develop its ‘Regulatory Technical Standards (RTS)’, on the basis of which market actors (banks and third parties) are supposed to implement XS2A.

The key message of this blog post for banks (and third parties) is that PSD2 XS2A is not ‘just another regulation’ requiring only an operational and compliance approach. PSD2 XS2A can be considered an accelerator for technology-driven disruption of incumbent banks by flexible and innovative service providers that target not only the payments value chain, but every single ‘piece’ of the universal banking model. These innovative players threaten to capture revenues long taken for granted by incumbents. This digital transformation will disrupt the entire banking sector as we know it today and will require incumbents to adapt their business and operating model.

APIs for banking executives: accelerating digital transformation

PSD2 and the draft regulatory technical standards on security, authentication and communication, to be developed by the EBA to enable account access by ‘third parties’, have triggered a lively discussion on Application Programming Interfaces (APIs [1]). APIs are foreseen to allow all Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) to connect to Account Servicing Payment Service Providers (AS PSPs) in a secure and effective manner.

APIs are not new: in the past decade APIs have become the de facto paradigm for sharing data, and have enabled organizations that hold large amounts of data to become platforms for third party innovation. Large platforms such as Google, Twitter and Facebook offer APIs to third parties, e.g. for login or for initiating messages. In the payment space PayPal has pioneered external APIs since 2010, on the basis of which a whole new ecosystem has flourished.

Now, amplified through PSD2, external APIs are becoming a pan-European business topic for bankers. With these APIs customers will have more options to interact with their bank, next to usual online and mobile banking applications. Put differently, driven by XS2A, APIs will open up banks’ ‘Pandora’s box’ (i.e. account and associated data) through dis- and re-intermediation by so-called Third Party Providers (TPPs).


Figure 1: PSD2 XS2A adding more bank account interaction options for customers (i.e. payers and payees)

PSD2 XS2A is not about payments only. Account information is also in scope, enabling big data business models for banks and TPPs. Lending could also become integrated in real-time commerce transactions, offering a whole array of opportunities (due to better risk assessment and management). This is why PSD2 XS2A has an impact across traditional banking silos, making it a top management priority for decision makers in both retail and commercial banks.

Bank boardroom questions are diverse and cover various topics. A sample is provided in the table below:

Topic: sample questions
1. New revenue sources & business models
  • How to stay relevant for our customers?
  • Do we want to be a third party provider (TPP) ourselves?
  • What new transaction services do we (fore)see?
  • How are we going to monetize our API business strategy?
  • How are we going to improve our digital time-to-market?
2. IT landscape 
  • How will we realize the necessary IT changes? Make, buy or share?
  • How to implement efficiently given our legacy IT landscape?
  • Are we able to realize any cost savings?
3. Compete or collaborate 
  • Is it possible to create a bigger market for transaction services through collaboration with bank and non-bank service providers?
  • How to shape new partnership business models?


The key message of this post is that PSD2 XS2A is not ‘just another regulation’ requiring only an operational and compliance approach. Top management in banking is strongly challenged on vision, decision-making and execution capabilities for at least the coming five years. As a result, XS2A is accelerating the trend of digital transformation in banking that is driving further unbundling of the universal banking model. 

[1] An API is a technology concept that allows software applications to communicate without human intervention. An API specifies the mechanism to connect to the software, what data and functionality is available, and a set of rules (standardization) that other software applications have to follow to access data and functionality.
