Does all banking information really become public now? 6 statements about the payment service directive PSD2 answered

Will all my banking information become public with PSD2?

Will all my banking information become public with PSD2?

With recent news about EU’s second payment services directive (PSD2), there has been a lot of discussion on what PSD2 means and what it doesn’t mean, and what different players in the PSD2 area can and cannot do. This blog posting comments six statements related to PSD2 and two related to Skadi’s CreditWorthy service. The statements are inspired by the Taloussanomat article on account information services, published on Aug 20, 2019 (article in Finnish).

Through the statements, the article also provides an overview of key points related to PSD2, as well as detailed insight into business that it enables.

1. PSD2 makes things worse


PSD2 may add extra authentication steps to making payments.


On the other hand, the above mentioned extra steps increase information security. PSD2 also enables access to banking using companies other than banks, if the customer so wishes, and lowers the consumer’s responsibility in fraud cases to 50 euros.

With PSD2, customers can use their bank accounts using other companies than banks, too. Banks need to provide their customer’s account information, and enable payment initiation from the customer’s accounts, to other companies, if the customer so wishes. This is enabled by creating special interfaces to these and only these functionalities. In a way, this can be thought as a very limited web channel to a few banking functions, that the customer can authorize, i.e. permit, a licensed company to access, using strong authentication provided by the bank. Licensing is controlled by national financial supervisors in EU countries. E.g. in Finland, the Finnish Financial Supervisory Authority (FIN-FSA, Finanssivalvonta) has registered Skadi as an account information service provider (AISP).

In addition to AISPs, other key roles related to PSD2 are payment initiation service providers (PISPs), which are also new players like AISPs, and the traditional banks, which PSD2 calls account servicing payment service providers (ASPSPs).

With PSD2 in force, payment information is not stored in web shops anymore, but payment is done directly from the bank account with strong authentication, like when paying from one’s account in a web bank. No cards are needed in the middle. This increases information security, as the customer always has control over what is done under her authorization related to her account. Looking at this from the ease of use point of view, there may be additional steps in making payments or accessing the account information compared to some existing services, as the strong customer authorization requires a login kind of an action with almost every event. In early September 2019, it seems likely that the strong customer authentication will not be immediately enforced, which means that web shops can continue to store payment card information for the time being.

Regarding account information services, the customer can have e.g. her bank account info collected from several banks by requesting an AISP to do so.

2. Bank account transactions become public information - external companies can access anyone’s accounts without a separate permission


Bank account transactions do not become public information, and no AISP or PISP will have access to accounts at will. AISPs get access to individual customers’ accounts, if authorized by the customer using strong authentication. This cannot be done without the customer, and the customer cannot do this by accidentally clicking something, because a normal bank authentication is required. The authorization information is stored by the bank and can be checked later if necessary.

Nobody will be able to authorize on behalf of someone else, and banks, AISPs or PISPs cannot authorize themselves to access a customer’s account or to make payments from it.

3. Now somebody can easily impersonate me and just give authorization to my bank account


The authorization is done by the customer, using strong authentication provided by the bank. The authorization information, including the customer’s identity, the amount of payment accounts at the bank, etc. remains between the bank and the customer. Only information explicitly authorized is provided to the AISP or PISP. For example, an AISP will only get the transactions from the accounts that were authorized, but will not know if the customer has more accounts at the bank, and a PISP will get the permission to make a payment of a certain amount from a specific account to a specific other account, but will not be permitted to make other payments, or payments of other amounts.

Because the strong authentication, where identity is provided, remains between the bank and the customer, the AISPs or PISPs will not even know whose bank accounts they are accessing – unless they separately identify the customer themselves. Many AISPs or PISPs may do this, Skadi’s CreditWorthy doesn’t – it just analyses the provided account transactions and provides a report of them, without knowing whose data is in question. The analysis and report are thus not connected to anyone’s identity, but the customer obviously knows her identity.

Just knowing someone else’s account number or national ID number does not enable giving an authorization – a strong authentication using the bank’s authentication is required.

4. Banks have to report when my information has been given to AISPs or PISPs


Banks store the information about authorizations the customer has given. Since the authorizations are made using strong authentication, the customer is aware of the authorization being made, and the authorization can be made only by the customer herself. Thus, banks need not separately tell the customer about what was authorized, or when the authorization was used. The customer can however check with the AISP or PISP what was done, and with the bank what was authorized. When using AISPs or PISPs, the customer is in a contract relation with them, not with the bank. Also, the banks and AISPs/PISPs are not in a contract relation, since PSD2 requires that AISPs/PISPs be able to use the PSD2 interfaces without a contract.

5. I can get rid of this by moving my bank accounts abroad as other countries don’t implement PSD2


PSD2 applies in all EU countries.

6. I can analyze my account transactions myself in Excel


In many web banks, the customer can e.g. export her transactions into Excel, and make calculations and classifications herself. Thus, anyone will be able to manually do the same thing as AISPs do, if willing to put up the effort.

7. Skadi sees the customer’s identity anyway even though it claims not to


Skadi does not identify CreditWorthy’s customers, and the authorization, where identity is used, remains between the customer and the bank. Other AISPs or PISPs may however identify the customer themselves, too.

After the customer has made the one-off authorization to the bank, the bank’s interface returns the account transactions, but not the customer’s identity, to Skadi. Skadi can only access the account information when authorized, and when the customer is present. Skadi provides the result of the account information analysis, a report to the customer, and not to the bank. The customer will obviously know whose report it is, but Skadi will not. Skadi just makes a report based on the data the bank’s interface provides.

8. Credit scoring is a purpose of Skadi’s business


Skadi has built CreditWorthy to demonstrate its capabilities in financial data analysis. Skadi’s capabilities can be applied by businesses in various data-intensive domains, including credit scoring, financial audits and gambling. All account information related business is nevertheless based on the account owner’s authorization.

Skadi’s new cost-free service utilizes finance industry’s big change

Skadi logo.JPG
  • Finnish Skadi brings its cost-free CreditWorthy service to consumers in September. The service enables to create a holistic picture of one’s finances and supports everyday decisions by combining data from several parties.

  • The service is enabled by EU’s new payment service directive PSD2, with which banks must open interfaces to customers’ account information to third parties licensed by national financial supervisory authorities.

  • Skadi is the first Finnish company who has been granted a PSD2 license by the Finnish Financial Supervisory Authority.

CreditWorthy creates a comprehensive overview to a consumer’s personal income, spend and ability to pay. The user authorizes CreditWorthy to retrieve the information required for the analysis from the banks she uses.

“Many Finns are caught between banks, when e.g. a household’s grocery account can be in a different bank than a salary account. CreditWorthy gathers the information from several banks as required and creates an overview of the user’s finances” says Skadi’s development manager Mikko Nikkanen.

In addition to income and spend, the service gives a traffic light estimate of the consumer’s ability to pay. Often one’s finances get derailed when surprise costs need to be covered. By the end of June, 382 700 Finns were registered with a default of payment.

“Information about one’s finances and ability to pay helps in making better everyday decisions. This is why we created CreditWorthy”, says Nikkanen.

When giving the authorization, the user can decide herself which accounts she wants to include in the analysis. The data is in the user’s control, and there are e.g. no ads targeted to the user. The service is based on a one-off authorization, which expires once the user gets the result of the analysis.

The new service is enabled by the new payment service directive (PSD2), which obliges banks to open their interfaces to third parties like Skadi. Skadi’s operation is supervised by the Finnish Financial Supervisory Authority.

“For Skadi, this free service is a way to demonstrate the change potential of PSD2. From now on, an excellent user experience is not tied to the relationship with a bank”, Nikkanen says.

More information:

Mikko Nikkanen

Development manager

Skadi Oy

050 487 6604


Skadi is a privately held software company, established in 2017. Its services automate finance processes based on manual work. Skadi is licensed to offer in the EU the CreditWorthy account information service which gives consumers a free analysis of their availability to pay. The company also helps pioneering finance and technology companies in Central and Northern Europe to save costs and to improve their customer experience using machine learning and automation.

Skadin maksuton uutuuspalvelu hyödyntää finanssialan isoa muutosta

Skadi logo.JPG
  • Suomalainen Skadi tuo syyskuussa kuluttajille maksuttoman CreditWorthy-palvelun, joka auttaa muodostamaan kokonaiskuvan omasta taloudesta ja tuo useilta toimijoilta kootun oman talouden datan tukemaan arjen valintoja.

  • Palvelun mahdollistaa EU:n uudistunut maksupalveludirektiivi PSD2, jonka myötä vanhat pankit joutuvat avaamaan rajapintansa asiakkaiden tilitietoihin Finanssivalvonnan luvan saaneille kolmansille osapuolille.

  • Skadi on ensimmäinen suomalainen yritys, joka on saanut Finanssivalvonnalta direktiivin mukaisen toimiluvan.

CreditWorthy luo kuluttajalle kattavan katsauksen henkilökohtaiseen tuloihin, menoihin ja maksuvaraan. Käyttäjä valtuuttaa CreditWorthyn hakemaan analyysia varten tarvittavat tiedot käyttämistään pankeista.

”Moni suomalainen elää usean pankin loukussa, jossa vaikkapa kotitalouden ruokatili voi olla eri pankissa kuin palkkatili. CreditWorthy kokoaa tarvittaessa useastakin pankista tarvittavat tiedot ja luo kokonaiskuvan käyttäjän taloudesta”, Skadin kehityspäällikkö Mikko Nikkanen sanoo.

Menojen ja tulojen lisäksi palvelu antaa liikennevaloilla arvion kuluttajan maksuvarasta. Usein talous suistuu raiteiltaan yllättävien menojen iskiessä, kun omasta taloudesta ei löydy joustoa. Kesäkuun lopussa jo 382 700 suomalaisella oli maksuhäiriömerkintä.

”Tieto omasta taloudesta ja sen maksuvarasta auttaa tekemään parempia päätöksiä arjessa. Tähän tarpeeseen loimme CreditWorthyn”, Nikkanen sanoo.

Antaessaan valtuutuksen käyttäjä voi itse päättää, mitkä tilit hän haluaa tuoda osaksi analyysia. Data on käyttäjän hallinnassa, eikä käyttäjille kohdenneta esimerkiksi mainontaa. Palvelu perustuu kertavaltuutukseen, jonka voimassaolo lakkaa käyttäjän saatua analyysin tuloksen.

Uuden palvelun mahdollistaa syyskuussa voimaan tuleva maksupalveludirektiivi (PSD2), joka pakottaa pankit avaamaan rajapintansa Skadin kaltaisille kolmansille osapuolille. Skadin toimintaa valvoo Finanssivalvonta.

”Skadille tämä maksuton palvelu on tapa osoittaa, millaista muutospotentiaalia PSD2:ssa on. Jatkossa loistava käyttökokemus ei ole sidottu pankin asiakassuhteeseen”, Nikkanen sanoo.


Mikko Nikkanen


Skadi Oy

050 487 6604


Skadi on ohjelmistoyritys, jonka palvelut automatisoivat rahoitusalan käsityöhön perustuvia työtehtäviä. Vuonna 2017 perustetulla yrityksellä on Finanssivalvonnan myöntämä toimilupa tarjota EU:ssa CreditWorthy-tilitietopalvelua, jossa kuluttaja saa maksuttoman arvion maksuvarastaan. Lisäksi Skadi auttaa Keski- ja Pohjois-Euroopan rahoituksen ja teknologian edelläkävijäyrityksiä säästämään kustannuksia ja parantamaan asiakaskokemusta koneoppivan automaation avulla.

Winner's formula: RAT-directed marchitecture


They say that starting a growth business is scary because it involves high capital investment and high risk. No, it isn’t! Here’s how to make it fun, while living a normal life.

Validate business ideas with zero cost

Yes, starting a new growth business involves risk. Nobody guarantees you will make any money with your ideas. Starting a business involves an investment also, but that does not immediately have to involve capital, as in money. The investment can well be just some additional hours now and then, while being paid for a day job.

Most new businesses need not and should not be started as full-time ventures, where the founder(s) spend all their time in figuring out which business idea could fly. Often, it makes sense to validate new ideas on the side, while mainly being paid for something else. That may involve evening and weekend work, but not necessarily extra money.

Done this way, starting a new business is fun. The main risk is that time spent learning and formulating business ideas does not bring in money. In other words, the main risk in starting a growth business is that you don’t get paid for learning. Not a huge risk, as in the 21st century, those who don’t invest time in learning are not likely to be paid for long!

RAT-directed marchitecture in business development

At Skadi, we appreciate the concept of the Minimum Viable Product (MVP). However, we love the concept of the Riskiest Assumption Test (RAT) and apply it to all new business opportunities. That way, we eliminate everything that is not absolutely required to find out if an idea provides a meaningful opportunity.

Skadi was originally founded to test a hypothesis regarding chatbots being able to increase retail and media, especially newspaper, revenue. We built a few chatbot prototypes for media, mobility, and entertainment, and quickly found out that the opportunity for chat bots in retail or media sales was not lucrative in the UK or in Finland. However, our biggest learning was the afterthought that we would have been able to learn the same lesson faster without building anything. Developing a chatbot framework took us time which we could have skipped if following the RAT guidance.

While moving out of chatbot business, Skadi quickly RAT-tested and dropped e.g. machine learning in image categorization. One of the ideas that survived the RAT was automating mortgage and other loan processing. Having learned from the unnecessary chatbot development, we validated the idea with slideware, which contained also technology details about the implementation of the solution. However, we did not build any of the solution before going to meet customers with a product description. Knowing that in finance, lead times may be long, we estimated that our marchitecture description of the solution was sufficient for iterating towards a feasible design.

Don’t build it before they buy it

The RAT-directed marchitecture approach proved valuable. We visited several finance and lender organizations with our story and slideware, improving the story and our customer understanding with each visit. After a few of the first meetings, it became obvious that we were on to something feasible. Even though the concept wasn’t fully shaped yet, we built a demo, which solicited further valuable feedback.

With the marchitecture and demo, we were able to create the concept for Skadi CreditWorthy, while mostly running on the financing we got for testing the opportunity of chatbots in retail and media. We built the solution when the concept was already rich and validated with prospects.

RAT-A-TAT-TAT – it’s fun!

We got traction with CreditWorthy within a short period of time, and developed related leads in e.g. car finance, collateral processing, and automated handling of several types of documents. Most of the business ideas beyond loan automation came from the prospects that we approached with our RAT-based marchitecture for loan automation. Thus, the ecological validity was high, and we successfully RAT-tested many of them.

Using the RAT-directed marchitecture approach, business opportunities can be validated without dropping your current job or assignment before you know it is worth it. Funding, or the courage to spend more time on the ideas, is easier to find with validated opportunities. Risky? No! Fun? Yes!

"No business card? I have something better for you!"

Skadi's Aarne Ylä-Rotiala, Timo Koola and Mikko Nikkanen at the Future Digital Finance Forum in Helsinki in April 2018. Many visitors at Skadi's stand did not carry business cards.

Skadi's Aarne Ylä-Rotiala, Timo Koola and Mikko Nikkanen at the Future Digital Finance Forum in Helsinki in April 2018. Many visitors at Skadi's stand did not carry business cards.

Should you carry business cards to fairs and meetings? Will they just be thrown away on the same evening?

While business cards may be considered old-fashioned, they are still useful in exchanging contact information. However, many people do not carry them these days.

At fairs and events, if you are presenting at a stand, you want to make it easy for visitors that have interest in your products to leave their contact information. At Future Digital Finance Forum in April 2018, Skadi's team did the following to make it convenient for cardless visitors to leave their contact info:

  1. Allow visitors to type their e-mail address using a full keyboard (on the laptop that we used for presenting the CreditWorthy product).
  2. Send an immediate greeting on the spot.
  3. Include something useful in the e-mail message. (We sent the Skadi research report on mortgage markets in the EU).

This method brought us a higher amount of relevant contact details than business cards did, so it was a good complement in engaging people. See how the method works for yourself at

How FinTechs will impact the mortgage landscape - read the Skadi white paper

Fintechs are bound to change the mortgage market to an instant, automated business.

Fintechs are bound to change the mortgage market to an instant, automated business.

The emergence of financial technology in Europe bears both opportunities and challenges for FinTechs. The new EU-level payment services regulation (PSD2) empowers third parties to offer solutions for financial processes that until now only banks were entitled to. FinTechs are already peaking beyond borders and endeavors a fast market entry in multiple European countries.

Skadi's white paper sets the way for how innovative FinTechs can reshape the mortgage market. Germany, Denmark and the UK are covered as case examples.

Download the Skadi white paper at

Skadi CreditWorthy as a case for Aalto University School of Business students

Skadi's Mikko Nikkanen pitches the CreditWorthy assignment to Aalto business students.

Skadi's Mikko Nikkanen pitches the CreditWorthy assignment to Aalto business students.

Creating a go to market plan for Skadi CreditWorthy is a case study for Aalto University School of Business students in spring 2018. In Aalto's master's level Capstone business development course, students solve real life business problems.

In Skadi's case assignment, students learn about a new business area in automating loan processing and loan decisions, as well as about related EU regulation, which becomes effective during the assignment.

Skadi opened a fidget spinner shop in Telegram - delivers to Finland

Fidget spinners in four colours in Skadi's Telegram-based shop.

Fidget spinners in four colours in Skadi's Telegram-based shop.

Skadi, the forerunner in e-commerce chatbots, conversational robots, has opened a fidget spinner shop in the Telegram messaging service. Spinners in four colours are sent to the customer’s home in Finland, when purchased in the shop, and the payment is handled through a credit card directly inside Telegram. Thus, Skadi is arguably the first in Finland to utilize the commerce function that was recently enabled by Telegram.

In addition to ecommerce, Skadi has implemented chatbots focused also on e.g. events and news.

You can try Skadi’s Spinnerkauppabot shop, in Finnish, in Telegram using this link:

Find things to do and places to go with Kontula Bot

Kontula Bot finds activities and events for you.

Kontula Bot finds activities and events for you.

Skadi has developed an enjoyable conversational chatbot for finding things to do. Kontula Bot is best suited for active city dwellers, but includes attracting activities for all age groups and lifestyles.

As the summer holidays are ending and back-to-whatever parties are booming, Kontula Bot proposes especially evening program. But don’t let the surface fool you – the bot knows also news, restaurants, movies and some surprise activities.

Try out what Kontula Bot can do at

Konala Bot user experience fine-tuned with students

Skadi's Mikko Nikkanen talking about startups and running a group usability test at  Helsingin Uusi Yhteiskoulu . See the original tweet in  T  witter .

Skadi's Mikko Nikkanen talking about startups and running a group usability test at Helsingin Uusi Yhteiskoulu. See the original tweet in Twitter.

Skadi develops its solution in iterations, and each iteration is validated with user feedback. In early May, Skadi visited local Helsinki schools to find out how Konala Bot is perceived by teenagers. In return, the students learned about entrepreneurship and software development.

Findings: Konala Bot is straightforward to use, and movies and events are a hit.

Wishlist: add restaurants and improve the bot's conversation skills.

Feedback noted - the Skadi team is working on it!

Skadi's Konala Bot is a useful and fun conversational chat bot. You can try it out at

Skadi and Eximap to take Smart Traffic to chat

Skadi and Eximap have agreed to jointly develop chat based mechanisms for Smart Traffic solutions.

The AutoMopus(r) system is popular among Finnish car owners, and a useful channel for car related service providers to provide information, get feedback and increase their engagement and customer satisfaction among drivers and car owners.

The companies will develop and publish AutoMopus based information on Facebook messenger platform to make the valuable material easily available to the drivers. This will make Smart Traffic smarter and easier for the drivers to use and interact with.

For further information, please contact:
Eximap: Pasi Pohjala
Skadi: AarneYlä-Rotiala


Your 15 minutes of fame - every day, every hour

15 minutes of fame for you

It would be great to know where your consumers are and what they are doing, wouldn't it?
Offline you'll see them when they show up in your store, and with in-store tracking systems like you can form a pretty accurate picture of their movements.

Online you can follow general insight and data mining, especially for the consumers that visit your site. Predictive analytics and SEO help with that. All that is great to gain historical insight, but how does that help with your next offer, sale, transaction at the cash register?

People like to talk. We talk on the phone, we all over the place, and we listen to those we trust. We follow those who we trust, to the extent that if a trusted party recommends something, we are much more likely to believe it that.

Which brings us to the question - what are your customers about to do now, in the next 15 minutes? Where is your fifteen minutes of fame, right now? Do you know, or are you looking at the history just like a Nautilus? Those are fabulous animals, but their direction of travel is opposite to their eyes - just see
All Nautilus ever sees is the past - and that is just about the same as looking at visitor data on your site, social media behavior, search engine patterns from the past hour, day, week, month. You are looking at the rear view mirror only, and trying to find the right location.

Your consumers are on line, they are chatting, so the perfect way to find out and possibly influence them is to engage them and match the consumer intent right now, to give an offer when it matters, to make the most of the next 15 minutes.

This is possible with the help of Skadi bot system, whichprovides the tools to identify the next 15 minutes for your business. Skadi does that by letting chat bots know about the topics where you can help consumers so that your offerings can be brought up with people who are looking for it right now.
What would be a better opportunity to help your customer than the moment they are asking for your product or service?

CTO Koola interviewed for Lit Hub

Lit Hub wrote a nice article about publishing books, poetry etc on Twitter and they interviewed Skadi CTO Timo Koola for the article.

It is somewhat unexpected how a great work like Ulysses is read as tweets - but based on the number of followers of @Ulyssesreader or @finnegansreader, a bot is a great way to help people read through a book they are interested in.

The article is in LitHub . Timo Koola is not a bot (seriously, he is not) and you can reach him at If he sounds a little bit like Alexa, that is just you imagination:-)