As Europe is on the cusp of what some see as a sea change or an earthquake to the payment services landscape and banking in general, the time is ripe to provide a bird’s eye view of the EU’s revised Payment Services Directive (known as ‘PSD2’) and, from this vantage point, to allow the reader to gauge just how much of a shake-up the new law, going live in weeks, may be.
Following in the footsteps of PSD’s first iteration adopted in 2007, PSD2 is upping the ante by aiming to further unify electronic payment systems across the EU while fostering competition, innovation and the safety and security of payments – all in the name of ‘open banking’ and to the ultimate benefit of consumers.
In a bid to iron out the legislative wrinkles from PSD1 and keep up with the rapid pace of technological change, EU lawmakers are seeking to improve the level playing field between different payment service providers (PSPs) and allow for new market entrants. The EU is also extending the directive’s geographic reach, as ‘one-leg-out’ transactions where only one of the PSPs is located within the EU now also fall under the scope of the legislation.
EU countries have until 13 January 2018 to incorporate PSD2 into national law, although in some countries there have been some bumps in the road to the directive’s implementation. Belgium, Sweden and the Netherlands all reportedly anticipate delays in the transposition of the legislation into their respective national bodies of law. In addition, recent probes that the European Commission has conducted in the Netherlands and Poland also indicate that not everything may go swimmingly with the actual application of the new rules.
At the heart of the regulation is the requirement for banks to allow licensed third-party providers (TPPs) of financial services to access securely their customer-account data, as long as the customer has given prior consent. With this access, which is set to be provided by digital links known as application programming interfaces (APIs), TPPs will receive a wealth of customers’ financial data, including on income, histories, spending habits and profile, which will give them a 360-degree view of the customer, and enable them to offer the customers a range of innovative and à la carte services.
The legislation introduces two previously unregulated categories of players to the game – payment initiation service providers (“PISPs”) and account information service providers (“AISPs”).
PISPs will be able to trigger payments on behalf of the account holder by creating a software ‘bridge’ between the payer’s account and the payee’s account, without customers needing to access their bank accounts directly or use debit or credit cards.
AISPs, for their part, will receive access to bank customers’ account information and will be able to analyze a customer’s spending patterns and to aggregate information from the customer’s multiple accounts in different banks.
Unlike, say, retailing, taxi and hotel trades, European banking has so far been largely spared the effects of the digital disruption. In the post-PSD2 era, however, banks will be thrust into the middle of a crowded field, surrounded not only by other banks (both traditional and ‘challenger’), but also by tech behemoths and agile fintech upstarts, which are poised to act as third-party providers of financial and payment services. Tech titans, many of which already have their own digital payment services in place, are believed to entertain plans to “launch their full arsenal come January 2018”.
In addition to the risk of losing out on payment revenues, banks may run the risk of losing customer touch points and becoming a mere utility service used by TPPs. But as Albert Einstein said, “in the middle of difficulty lies opportunity”.
Indeed, the new opportunities ushered in by the advent of PSD2 could be used by banks to recapture some of the projected lost revenues from payments and to grow new revenue streams. There is nothing preventing banks from acting also as AISPs or PISPs, after all.
In other words, the incumbents could either chafe at the challenge and act defensively — or embrace the new opportunities by enhancing their product and service offerings to customers and, in so doing, stave off the challenge from disruptors. A number of banks are nimble about change, having already adapted to the new reality by starting their own fintech firms or buying upstarts.
If recent surveys conducted in the UK are any indication, banks may find some encouragement in the fact that, when it comes to their personal financial details, customers appear to trust banks more than retailers and social media.
On the other hand, and perhaps worryingly for banks, a global survey showed that close to one-third of consumers said that they would be willing to switch to Google, Amazon or Facebook for banking if any of them provided such services.
Either way, customers are set to benefit from greater choice of offerings, lower costs, improved convenience, and enhanced security.
With extra conveniences come considerations of security, as clearly anything to do with electronic payments has profound implications for security, doubly so in times of ever-evolving cyberthreats.
PSD2 introduces strict security requirements for the initiation and processing of electronic payments by mandating what is termed “strong customer authentication (SCA)”. Authentication is strong if at least two of these three possible authentication elements are involved:
These elements must be independent of each other so that the breach of one element does not compromise the reliability of the others.
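The two rules above (at least two of the three element categories, and independence between them) can be expressed as a small policy check. The following is an added example written for this page; it is not code from the article or from ESET. The three category names are the directive’s own (knowledge, possession, inherence); the `trust_root` attribute is a hypothetical modelling choice used here to make “breach of one element does not compromise the others” checkable: two elements that rely on the same system fall together if that system is breached.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class Element(Enum):
    """The three authentication element categories recognised by PSD2."""
    KNOWLEDGE = "knowledge"    # something only the user knows, e.g. a password
    POSSESSION = "possession"  # something only the user possesses, e.g. a phone
    INHERENCE = "inherence"    # something the user is, e.g. a fingerprint


@dataclass(frozen=True)
class Factor:
    """One presented authentication element (constructed for this example)."""
    name: str
    element: Element
    verified: bool
    # Hypothetical attribute: the system whose compromise would defeat this
    # element. Two elements sharing a trust root are not independent.
    trust_root: str


def is_strong_customer_authentication(factors: Iterable[Factor]) -> Tuple[bool, str]:
    """Apply the two-of-three rule and the independence rule.

    Returns (ok, reason). Only verified elements count, and two elements
    of the same category (e.g. password + PIN) never satisfy the rule.
    """
    verified: List[Factor] = [f for f in factors if f.verified]
    categories = {f.element for f in verified}
    if len(categories) < 2:
        return False, f"only {len(categories)} element category verified; two required"

    # Look for a pair of verified elements from different categories that do
    # not depend on the same trust root.
    for i, first in enumerate(verified):
        for second in verified[i + 1:]:
            if first.element != second.element and first.trust_root != second.trust_root:
                return True, f"{first.name} ({first.element.value}) + " \
                             f"{second.name} ({second.element.value})"
    return False, "elements of different categories all share a trust root"


# Constructed sample elements for the scenarios below.
PASSWORD = Factor("password", Element.KNOWLEDGE, True, "bank-credential-db")
PIN = Factor("pin", Element.KNOWLEDGE, True, "bank-credential-db")
APP_OTP = Factor("authenticator-app", Element.POSSESSION, True, "customer-phone")
APP_OTP_FAILED = Factor("authenticator-app", Element.POSSESSION, False, "customer-phone")
# A "device token" whose secret is stored in the same database as the password:
# a breach of that database compromises both, so the pair is not independent.
DB_TOKEN = Factor("device-token", Element.POSSESSION, True, "bank-credential-db")


def demo() -> dict:
    """Evaluate each constructed scenario and return the verdicts by name."""
    scenarios = {
        "password+app": [PASSWORD, APP_OTP],
        "password+pin": [PASSWORD, PIN],
        "password+failed-app": [PASSWORD, APP_OTP_FAILED],
        "password+db-token": [PASSWORD, DB_TOKEN],
        "password-only": [PASSWORD],
    }
    return {name: is_strong_customer_authentication(f)[0] for name, f in scenarios.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} SCA={'yes' if ok else 'no'}")
```

The `password+db-token` scenario is the one worth noticing: it has two categories on paper, but because the possession secret lives behind the same trust root as the password, a single breach defeats both, which is exactly what the independence requirement is meant to rule out.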
In addition, the European Banking Authority (EBA) has developed, in close cooperation with the European Central Bank (ECB), draft Regulatory Technical Standards (RTS) on strong customer authentication and secure communication. These, EBA believes, are “key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union”.
Citing the need to allow for future developments, PSD2 mandates “technology and business-model neutrality”, which is why the RTS final draft pins down the requirements in a rather neutral way. The few requirements that are described include the use of appropriate encryption for data exchange, the shortest possible communication processes, and clear references for the data exchanged.
The RTS proposal was subject to a consultation process during which many questions were raised, ultimately resulting in delays to the submission of the final draft. In addition, the EBA and the European Commission have been at loggerheads over several aspects of the RTS, with the latter asking for several substantive changes. The EBA acknowledged and agreed with the Commission’s aims, but disagreed with three of the four proposed changes.
Fast forward and the final draft of the RTS is now awaiting approval by the European Commission. If greenlighted, the RTS “will be applicable 18 months after its entry into force”. According to EBA, the intervening time (not until the spring of 2019 at the earliest) gives the industry “time to develop industry standards and/or technological solutions that are compliant with the EBA’s RTS”.
Whether a change is revolutionary is only manifest in hindsight, so a judgment is better withheld at this time. At any rate, PSD2 and the changes that accompany it are shaping up to be a major step on the journey of technology-driven transformation. PSD2 presents a host of unprecedented opportunities and challenges and, once the dust settles, we’ll see whether it turned out to be a boon or a bane for banks. After all: “Prediction is very difficult, especially about the future.”
Author Tomáš Foltýn, ESET