PSD2 - Payment Service Directive 2
Tatra banka brings a secure and modern API solution.
The licensed company will gain access to the client's account after the client grants consent.
Basic information
The original directive on payment services (Payment Service Directive, PSD1) created the fundamental legal framework which defined equal rules for processing of payment orders in Europe. However, further development in the area of payments brought along new services which were not regulated by this directive.
The new directive PSD2 should simplify entering the European market for new providers of payment services and also bring the rules by which these entities will be able to provide payment services to end users.
PSD2 brings along changes in the area of provision of payment services. The main change is the obligation to provide access to selected services to so-called third parties by means of API interfaces (Application Programming Interface).
These interfaces will enable placing a payment order or obtaining information about a payment account, but not earlier than after the client's consent is granted.
Who are “third parties”?
Third parties are new providers of payment services, also called Third Party Payment Service Providers (TPP). In practice, we will encounter two types of providers of payment services:
- Account Information Service Provider – AISP. The provider processes basic information about the account and transactions in the account with the bank upon client's consent. For instance, if a client has maintained accounts in several banks, the provider can see the balances in all of these accounts at the same time through a third party application.
- Payment Initiation Service Provider – PISP. The provider allows creation of a payment order from an account maintained with the bank upon client's request. For instance, a client will be able to select a payment via a third party when making a purchase in an e-shop. A payment order will be placed via a third party application and subsequently executed from the client's account maintained with the bank.
The day when funds are credited to an account and the payment instruction will change for foreign payments.
The SHA (so-called “shared”) payment instruction is applied for all payments made within the territory of the EEA (European Economic Area). This means that the processing fee of the payer is borne by the payer and other fees related to the respective order are borne by the payment beneficiary. PSD2 also shortens the period for processing of foreign payments in the currencies of the EEA member states.
Applications of third parties
Account Information Service Provider - AISP
Online provider of payment services who processes basic information about the account and transactions in the account with the bank upon client's consent.
Account Information Service Provider must:
- meet the terms and conditions for provision of the services according to the payment service directive (PSD2)
- have a license for provision of the selected payment service
- establish technical access to the client's account with the bank not earlier than upon the client's consent
- meet the terms and conditions related to protection and use of the client's data and must notify the client about the manner in which the respective data will be used
- Install a third party application on your device, e.g. “TPP Application”
- Create a profile in the application and select the option to add a bank account
- You will be redirected to the bank's authorization portal, where you will log in in the same way as in Internet bankingTB
- Select the accounts to which you want to grant the “TPP Application” access and confirm your selection
- You will be directed back to the “TPP Application”, which downloads the account balance and history of transactions
- Find the “TPP Application” in the Internet bankingTB menu Settings – Applications of Third Parties, where you can remove or modify the assigned accesses
Payment Initiation Service Provider - PISP
Online provider of payment services who allows placing a payment order from an account maintained with the bank upon client's request.
Payment Initiation Service Provider must:
- meet the terms and conditions for provision of the services according to the payment service directive (PSD2)
- have a license for provision of the selected payment service
- initiate a payment order exclusively upon the client's consent
- meet the terms and conditions related to protection and use of the client's data and must notify the client about the manner in which the respective data will be used
- Install a third party application on your device, e.g. “TPP Application”
- Create a profile in the application and select the option to create a payment
- After entering the payment in the “TPP Application”, approve the payment execution via the bank's authorisation portal by entering a code from the ReaderTB (or Card and ReaderTB) application
Security
PSD2 aims to increase the level of security and strengthen consumers' trust in the entities which provide payment services but are not necessarily banks.
These institutions must guarantee the same level of security and protection of client data as banks provide to their clients. Services of third parties and payment institutions are already available to consumers in the EU today. Unified legislative rules and technical standards are currently missing in the EU. This situation will change in Slovakia when PSD2 is introduced after 13 January 2018.
PSD2 also determines that these entities are supervised by the respective national authorities. In Slovakia, the function of this authority is performed by the National Bank of Slovakia. PSD2 prescribes how a third party must handle the information obtained about a client's account. The Bank has no means of controlling further use of the provided information. Two-factor authentication and authorisation is used for the client's security.
What is two-factor authentication?
It is a technical method of identification used for confirmation of a user's identity. Clients know it, for instance, from withdrawing cash from an ATM: the card is “something I have” and the PIN code is “something I know”.
If a client uses online services of third parties, the third party verifies the client's identity based on its own rules and system possibilities. Afterwards the Tatra banka client automatically moves from the third party application to the authorisation portal. The authorisation portal is a secured interface of the bank where the client can enter their registration data without any fear. The registration data will be the same as the registration data the client currently uses for signing in to Internet bankingTB. In the authorisation portal of Tatra banka the client will subsequently authorise access to the selected account or confirm a payment by means of a code from the ČítačkaTB mobile application or via the Card and ReaderTB tool.
Can a client provide their Internet bankingTB registration data to a third party?
Tatra banka has prepared solutions that let clients comfortably use the services provided by third parties while guaranteeing the highest security standards. For their own security, clients should enter their registration data only in the secured environment of Tatra banka, where they also authorise their payments placed via a third party. For services related to account information, a client will be able to select in advance the accounts to which a third party will have access.
Information for developers
We kindly invite you to join us in our effort to innovate the field of banking. Our primary goal is the satisfaction of clients. We want to achieve it by combining the ideas and experience of third parties with the loyalty and stability of Tatra banka. As part of the Raiffeisen Bank International (RBI) group we have been cooperating on an acceleration programme entitled Elevator Lab since summer 2017, with over 300 FinTechs having joined the programme. The Open bankingTB solution and developer portal allow you to study the technical documentation, try out the API interfaces against test data and register your firm and application for development until production is launched.
Basic information about Open bankingTB is available in the references below
The portal contains detailed technical documentation for:
- Procedure for registration of the organisation and publication of third party applications
- API “Accounts” – access to account balance and movements, information on authorization of API calls, and the sandbox
- API “Payments” – access for payment initialization, information on authorization of API calls, and the sandbox
Basic information is available without registration. The sandbox is fully functional only after logging in. To move to the production environment, it is necessary to follow the instructions on the Developer portal in the Documentation section.
https://www.tatrabanka.sk/en/personal/account-payments/open-banking/