With Britain due to leave the EU soon, this directive will only affect British banking for a shorter period than the rest of the trading bloc. But for those nations that have opted to remain in the EU for now, many banks and payment service providers (PSPs), online companies and businesses must be aware of the new requirements. The new directive will be one of the most disruptive laws in the payments industry when it starts in 2018. There will be exemptions that it will bring, but businesses need to plan accordingly.
The Payment Services Directive, or PSD/PSD1 as it was originally called, was introduced in 2007 to enable a wave of new competition into the evolving payments landscape. Payment institutions now compete with traditional banks who used to dominate and dictate the banking industry. The PSD2 is an EU directive which serves as a revision of this legislation.
Brussels has set a deadline that all EU member states must implement this legislation by January 2018. The only outstanding provisions will be on strong customer authentication which are expected to go live in EU member states during the middle of 2019, alongside the technical aspects regarding how banks are expected to provide access to the payment account to third party providers (TPPs). The European Parliament is still debating the two sets of provisions on SCA and TPPs.
Since PSD2 was proposed, it has created more questions and issues than answers. It is causing uncertainty in the payments industry. During a Payments International conference in London last year, many attendees were left muddled about where the risks and opportunities lie. 88 per cent of people who participated in an audience poll at the time for a panel called “The Payment Services Directive 3: This time we mean business”, stated PSD2 created more problems than solutions. Several major payment service providers and acquiring banks have said this EU directive was going to bring uncertainty.
In recent years, many customers have resorted to online retail and banking. However, many people are still reluctant to engage in these payment methods, particularly older generations, because they fear their online transactions are not secure click-and-pay experiences. Therefore, many merchants are looking to adapt to this environment. This market requires updated regulation. There is a new breed of fast-moving fintech firms competing with established banks by providing innovative services.
PSD2 was introduced with the goal to aid the use of innovative means of payment while simultaneously guarding customers against potential fraud. The two most prominent rulings are access to payment across accounts (XS2A) and the SCA.
The purpose behind the XS2A ruling is to ensure banks open customer payment accounts to TPPs so that they can access payment account information, provide payments and/or receive confirmation of available funds on a specific account to allow a card payment.
Many financial institutions hold payment accounts such as current accounts and credit card accounts. They are legally required to allow access to the account, free of charge, to TPPs.
With SCA provisions, all payment service providers must apply multifactor authentication to every electronic transaction triggered by the payer. This does not apply to direct debits, but card payments and credit transfers.
Providers can be excused from using SCA if they pursue risk-based authentication, which refers to the provisional regulatory technical standards (RTS) as “transaction analysis”, or TRA, due to its announcement by the European Banking Authority (EBA). This ensures all transactions are low-risk. PSPs can place transaction monitoring to comply with this exemption, which verifies every transaction against anomalies.
Despite this, multi-factor authentication hinders the payment experience. Customers are likely to abandon this payment method. SCA is defined by combinations of two or three factors, like “something only you know”, “something only you have”, or “something only you are.”
The lack of clarity from Brussels has caused figo to deliver an open letter to the three main bodies of the EU: the European Council, the European Parliament and the European Commission. It asked for confirmation about what will happen to screen-scrapping, which was also a controversial topic at last year’s Payments International conference. What figo’s letter demands to know is: does the final scraping solution reduce the climate of distrust between the banking and fintech industry and create a joint open banking market? And does it leave enough space for standardisation and automation of regulatory compliance?
Figo has provided useful requirements which Brussels would be wise to consider. Their proposed RTS requirements consist of a requirement for ASPSPs to define transparent key performance indicators, a requirement for PSPs to monitor their availability and performance data, a requirement for ASPSPs to make the interfaces available for testing and a review of the functioning interfaces.
Many of their solutions include forcing EU-authorities to provide the market with minimum standards for key performance indicators to unburden the market, prevent unnecessary efforts for the market to check monitoring tools for regulatory compliance, reject the EBA’s testing approach and align according review planning with a limited fall-back time frame.
PSD2 is flawed in numerous ways. The EU would be foolish to ignore advice from figo about how to improve this directive. Brussels’ ambition to have it implemented across the trading bloc by January 2018 is unrealistic whilst there are still many unanswered questions about its consequences. The solutions figo has provided will make this legislation workable as the advice has been provided by many industry experts who understand how the field works. Figo’s suggestions for key performance indicators to unburden the market and remove monitoring tools for regulatory compliance are practical as they allow more breathing space for firms operating in this area. It is important Brussels heeds this advice if they want to restore business confidence.