Waygrid AI Gateway is now in General Availability. Secure, streamline, and simplify your AI initiatives. Learn more →

PSD2 is coming: European banking's API era has a date

Banking towers at the start of the open banking era

European banking now has a deadline it cannot lobby away: by January 2018, under the revised Payment Services Directive, banks must open their payment systems and account data to licensed third parties. The directive entered into force this year; the technical standards are still being drafted in London and Brussels; but the direction is fixed, and it points at the API.

It is hard to overstate how unusual this is. Regulators normally constrain what institutions may do. PSD2 compels them to build something: a machine-readable interface through which competitors, with a customer's consent, can initiate payments and read accounts. Europe is legislating an API into existence.

Two kinds of bank in 2018

Talking with institutions this autumn, we hear two postures forming. The first treats PSD2 as a compliance chore: build the minimum interface, on the deadline, and defend the perimeter everywhere else. The second has noticed that the capabilities the directive demands, publishing interfaces to outsiders, verifying third-party identity, monitoring access at fine grain, are the same ones that enable partnerships, corporate channels, and products nobody has designed yet.

The directive sets a floor. Nothing in it prevents a bank from treating that floor as a foundation.

Why the interface is harder than it sounds

Banks that have never published to outsiders tend to underestimate what the directive is really asking, because "expose an API" sounds like a technical task with a clear end. It is not. An interface used by third parties you do not control is a standing commitment: it must stay available, because someone else's business now depends on it; it must stay documented, because those consumers cannot walk down the hall to ask; and it must stay observably secure, because both a supervisor and an attacker are now interested in it.

This is a genuinely new muscle for most institutions, and it is not one that can be developed overnight in response to a deadline. The organizational habits, treating an interface as a product with an owner, a support obligation, and a reputation, take time to form. That is precisely why the interval before January 2018 matters so much: it is the difference between learning these habits in private and learning them in production, in front of the people least inclined to be forgiving.

Using the interval

  • Inventory what exists: most banks already expose interfaces to corporate clients and partners, undocumented and ungoverned. PSD2 readiness starts with knowing them.
  • Put the gateway and identity foundations in place now; the technical standards will change details, not the need for controlled, observable access.
  • Decide the posture deliberately, at board level. Drifting into the minimal reading is still a strategy, just an unexamined one.

January 2018 sounds distant. For institutions that have never published an interface to an outsider, it is uncomfortably close. The banks that start now get to practice in private. The ones that wait will practice in production, with the supervisor watching.

Share this article
X LinkedIn Email

Ready to see Waygrid in action?

Book a personalized demo. A solutions engineer will walk you through how Waygrid can help streamline your architecture, eliminate inefficiencies, and maximize your innovation.