The EU Directive 2015/2366 on payment services in the internal market (PSD2) was published in the Official Journal on 23 December 2015, repealing Directive 2007/64/EC on payment services in the internal market (PSD1).
Member States are required to transpose this new Directive into national law at the latest two years after its formal adoption by the Council and the EU Parliament, i.e., by 13 January 2018 at the latest.
The aims of PSD1, adopted in 2007, were to regulate the payments industry and to enhance consumer protection. However, the European Commission was concerned that many payment service providers have escaped regulation under the current PSD1 and, also due to the rapid technological changes in this sector, proposed an adaptation of this legislation.
The objectives of the European Commission on PSD2 are to further enhance consumer protection and convenience, to improve the security of payment services and to promote innovation and competition.
Challenges of the PSD2
PSD2 poses a number of major challenges for Payment Services Providers (PSPs). In some areas clarification is needed. For example, many concerns remain about how to handle the gap of some six months between PSD2 being implemented and the technical standards designed by the European Banking Authority (EBA) to underpin the “Access to Accounts” element of the Directive finally being available.
Complying with the many provisions of PSD2 requires considerable planning and work, such as the change in handling of “one leg out” transactions (where one party to the transaction is outside the EEA or the currency is non-EEA; these were exempted under the original PSD1 but are included under PSD2).
The requirement for enhanced security around payments is also likely to create considerable work for market participants. Banks and others are currently waiting to find out more details of what they will need to do from the technical standards.
By far the most discussed challenge that PSD2 creates for the banking industry, for which payments is a critical business, is the strategic impact of the requirement to open up access to account data to third parties at the request of customers and to support both account information and payment initiation services provided by those so-called “Third Party Payment Service Providers” (TPPs).
This represents a paradigm shift for banks in the payments business comparable to that experienced by telecoms providers one year ago when they were forced to open up their infrastructure and allow in new entrants. The banks must expose their data to other players, and these competitors can then build business propositions for the banks’ customers. To do so, banks, which endeavour to protect their clients’ personal data, support an ecosystem of interoperable APIs providing TPPs with access to personal accounts.
What do APIs mean for banking?
APIs are safer, more efficient and more reliable than so-called “screen scraping”, which gives unlimited access to consumers’ financial data for no reason. More importantly, APIs enable consumers to stay in control of their data and thus are much safer than screen scraping.
The ABBL and PSD2
During 2016, the Payments Committee of the ABBL established a working group composed of payments, security and legal experts to support the transposition process.
The ABBL, in close co-operation with the EBF, provided valuable input to the discussion papers and Regulatory Technical Standards (RTS) issued by the European Banking Authority (EBA). PSPs, AISPs and PISPs must comply with the RTS by October 2018.
What is coming up for PSD2? – 2017 timeline
A number of key moments are coming up during the coming months relating to the introduction of the second Payment Services Directive, known as PSD2.
[Figure: PSD2 timeline from the European Banking Federation]
PSD2 and technology implications
The implications of PSD2 from a technology standpoint are also significant. Banks will obviously have to deal with open Application Programming Interfaces (APIs), which could be a challenge given the reliance of many banks on legacy systems. All impacted entities will have to grapple with the security and strong customer authentication demands of PSD2.
Another community likely to be able to capitalize on “Access to Account” is FinTech. APIs will enable banks to integrate FinTech solutions onto legacy banking platforms in order to offer services they don’t have. It’s an opportunity for FinTech under PSD2 to help traditional banks innovate and create new revenue streams while improving customer propositions.
In short, PSD2 is a business challenge as well as an IT challenge.
Extension of the scope of PSD2
As with PSD1, PSD2 applies to intra-EEA payments in EEA currencies. However, despite retaining the same basic structure of the text, the reach of PSD2 is broader than PSD1 due to the extension of the scope to:
- “One-leg transactions”: PSD2 applies as soon as either of the two PSPs is established in the EU;
- Non-EU currency transactions: PSD2 applies to those parts of the payment transaction carried out in the EU regardless of the currency used, where both the payer’s PSP and the payee’s PSP are, or the sole PSP in the payment transaction is, located in the EU;
- Payments through telecom operators: the purchase of physical goods and services through a telecom operator falls within the scope of PSD2;
- TPPs: “new” players on the payment service market are covered by PSD2.
The extension of the scope of application to TPPs is one of the most significant changes with regard to PSD1. TPPs can be payment initiation service providers, account information service providers or issuers of payment instruments.
A payment initiation service will help to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts, filling in the information necessary for a transfer (amount of the transaction, account number, message) and informing the merchant once the transaction has been initiated.
An account information service will allow consumers and businesses to have a global view on their financial situation, e.g., by enabling them to consolidate different current accounts, held with one or more banks.
Issuers of payment instruments already fell within the scope of PSD1, but the scope of application is now extended to payment instruments issued by payment service providers that do not manage the account of the payment service user.
This is clearly a boost for new entrants into the payment services space, giving them access to new customers, as well as to other new entrants in the payment initiation and account information businesses, which will be able to rely on guaranteed and robust access to customer account information at the banks to underpin their services.
PSD2 also enables TPPs to have better access to information on payment or bank accounts. Payment initiation service providers and providers offering payment instruments will only be able to receive information from the payer’s bank on the availability of the funds on the account via a simple yes or no answer before initiating the payment, with the explicit consent of the payer. Account information service providers will only receive the information explicitly consented to by the payer.
But open access is not necessarily such an awful prospect for traditional banks. All players will have an opportunity, especially organisations with large customer bases.
The key will be to monetise the investment that banks must make to open access.
In a world with an ever-growing number of electronic transactions, solutions to establish trust in online services will be vital. Banks have a good card to play when it comes to trust. A possible strategic option for them could be carving out a role in managing digital identity.