Innovation and digitalisation in payment services
Speech by Yves Mersch, Member of the Executive Board of the ECB, at the Second Annual Conference on “Fintech and Digital Innovation: Regulation at the European level and beyond”, Brussels, 27 February 2018
The payments industry is currently experiencing considerable transformation driven by innovation. I welcome such innovation as it will increase both efficiency and competitiveness, and this will ultimately benefit society. We are seeing the emergence of new players, new channels to access payment services and new means of payment, all of which will significantly change the payments market. These developments are largely driven by digitalisation and the opportunities it brings. But there are also challenges, some of which I will explore here today.
One of the objectives of the revised Payment Services Directive (PSD2) is to foster innovation and enhance competition. We are already seeing numerous innovative solutions that make use of the opportunities created by PSD2, including services such as payment initiation services (PIS) or account information services (AIS). These were initially provided by new entrants to the market or fintech companies, but I understand that some banks are also preparing to provide these services and become third-party providers (TPPs) themselves. There are opportunities here for all players; each institution must find the right business model and strategy to be competitive in providing these services, an approach which will benefit their customers.
In order to provide PIS and AIS, a third-party provider will need access to the relevant information from banks, and this will need to be communicated securely, via an adapted customer interface or via a dedicated interface. While access via the former is possible in principle, it would create fragmentation, as providers would have to develop and maintain a huge number of connections to all the different banks they communicate with. The plethora of technical solutions required would be an obstacle for new entrants. I therefore reiterate that only a dedicated and standardised technical interface – an application programming interface, or API – constitutes an efficient access solution that serves the needs of an integrated European payments market. I also believe that there should only be one – or at most a few – technical API specifications so that competition takes place at the service level and not at the technical specification level. We need to ensure that innovative services are built on harmonised and standardised technical foundations so that they can be made available across Europe.
Let me add some more general remarks in this context. We are in the process of building Europe’s financial market infrastructure for tomorrow. Building it on individual or national solutions is anachronistic as these will no longer meet the needs of the market. Europeans demand services that are safe and efficient and give them pan-European access. We therefore need to apply common standards that work on a pan-European basis. The same principle was agreed when we built the Single Euro Payments Area – SEPA – and that is why SEPA uses the global standard ISO 20022. The Eurosystem also uses this standard for the infrastructures it operates – be it T2S or TIPS, as well as upgrades to TARGET2 or its new collateral management system. Looking at the digital transformation and innovation under way, I urge all market participants to plan their investments based on common and future-oriented standards that ensure pan-European accessibility.
The regulatory level playing field
In order to increase competition in the area of payments, EU legislators introduced “payment institutions”, a new category of payment service providers, in the first Payment Services Directive. These institutions are allowed to provide payment services, and PSD2 states that PIS and AIS fall under the definition of payment services. Providers of such services have to be duly authorised and supervised.
I heard from some bankers occasionally that there was an issue of level playing field between new TPP entrants and incumbent banks. TPPs, they claim, face a lighter regulatory regime than do banks. In this context, let me just say that PSD2 as well as banking legislation govern the respective activities and that an institutional licence is required to conduct them, which implies that the entities will be supervised in line with the risks involved. Payment institutions are only allowed to provide a limited set of services, i.e. payment services. They are not allowed to take deposits and are only allowed to hold funds for the provision of payments. Credit institutions, by contrast, have a much wider scope of activities than payment institutions; they can engage in the whole spectrum of banking activities, including the holding of deposits and the granting of loans. Thus, while banks and payment institutions are indeed subject to different authorisation and supervisory criteria, this does not per se mean that there is an unlevel playing field. I have the feeling that those bankers who complain about the playing field forget that some of their colleagues in the bank perform activities that go far beyond the provision of payment services. So I believe that there is indeed a level playing field and that the legislator has taken into consideration a risk-based approach.
Another request I sometimes hear is for regulatory sandboxes for fintechs. This is an area where, I would suggest, we exercise caution. It raises a lot of questions – where to start and where to stop, who to involve (or not) and which activities to include – to name just a few of the challenges. I’m not sure we have the right answers yet, but this is ultimately a matter for the legislators.
Before concluding, I would like to mention cyber risks and the challenges of digitalisation. A virtue of central bankers is that they are, by nature, worried about risks and security. And one concern that is very closely linked to innovation and digitalisation is that of cyber risks. Increasing digitalisation exposes the entire ecosystem to increased cyber risks because of a greater reliance on the internet and thus a broader attack surface, which can be exploited by hackers using increasingly sophisticated techniques. As a result, financial market actors and infrastructures become susceptible to cyberattacks. Central banks and other authorities have identified those risks and issued guidance in that respect. The G7 published its “Fundamental elements of cybersecurity for the financial sector” and the CPMI/IOSCO issued its “Guidance on cyber resilience for financial market infrastructures” – to name just the most important publications. I strongly encourage all market players to consider cyber risks as critical to their institution and to draw up a fully fledged cyber strategy and response plan.
Innovation and digitalisation in payment services will significantly change the payments market. They offer opportunities for efficiency gains and improve the competitiveness of actors that embrace them. The legislative framework established by PSD2 supports such innovation and enhances competition. It offers a legislative basis for a level playing field between new entrant TPPs (fintechs) and incumbent banks. Regulatory requirements for TPPs and banks obviously differ but so does the spectrum of services that they provide and the level of risk that they encounter and need to protect against. I welcome if both fintech TPPs and banks were to make use of the opportunities granted by law and to compete for the most innovative and efficient provision of payment initiation services and account information services. They should build their services on common technical standards with a pan-European reach to benefit their customers and the Europen citizens in general. But they should pay careful attention to the cyber risks that accompany digitalisation and prepare their cyber strategies thoroughly.