A brief state of affairs: PSD2 as of 2021
- Making online payments more secure through the PSD2
- Sharing financial data for Open Banking
- Compatibility between the PSD2 and GDPR
Although passed in 2015 and amended multiple times since, the Revised Payment Services Directive (PSD2) has been fully operational since January 1st, 2021 within the EU and European Economic Area (EEA). Make that "almost fully operational" because some countries have obtained extensions on certain aspects. The directive focuses on two key innovations: Strong Customer Authentication (SCA) and Open Banking. In short PSD2 focuses on making online payments safer and developing new business opportunities through customer approved data sharing. Eric Boulet, Project Manager at TriFinance, revisits this directive and touches upon its impact.
But first let’s refresh on the predecessor of PSD2: the Payment Services Directive (PSD). Its genesis as a concept dates from early 2000, it was put into law in 2007 and became operational in the following years. The idea was to harmonize the playing field across the EU and EEA on payments and to offer better customer protection. Case in point: the Single European Payments Area (SEPA). Transaction fees, refund rules for B2B and B2C direct debits etc. are defined in SEPA. With this new regulation came new players on the market who proposed new types of services. These fell outside the scope of PSD and were therefore not properly regulated. For example new types of payment services and Open Banking services materialized. It was in order to remedy this legal void that PSD2 was passed. Back to PSD2.
Reducing fraud and making online payments more secure are the goals of SCA. As such online payments require at least two of the following three elements:
- something the customer knows (e.g. PIN code)
- something the customer has (e.g. digipass or card reader)
- something the customer is (e.g. fingerprint)
Normally we all have experienced this when shopping online. To complicate matters, a great number of exemptions exist but in general these requirements need to be met for all customer-initiated online payments within the EU or EEA that are over 30 EUR. Direct debits are thus excluded from the scope of SCA.
In practice we see merchants having a rather negative opinion on what is essentially a form of 2-step verification.
In practice we see merchants having a rather negative opinion on what is essentially a form of 2-step verification. The argument is that the extra hurdles will lead to lower conversion rates, in other words website visitors will be less likely to buy something. One report expects that "SCA for PSD2 could cost merchants more than EUR 100 bln in 2021". Whether this will turn out to be true or not remains to be seen. What can be said: for merchants it becomes essential to define SCA strategies and for Payment Service Providers it provides business opportunities.
For Financial Institutions (FIs) the impact should be rather limited, at least on their IT as such online payment methods are often externalized; think Apple Pay, Visa, MasterCard, AmericanExpress, etc. These must all comply with SCA meaning that the banks can mostly rely that third parties will handle it. SCA will probably lead to less fraud, for FIs this leads to less handling of fraud cases which is beneficent.
Open Banking calls for financial data such as customer transactions to be shared outside of the bank where they originate from. To protect customers, opt-in is paramount. This allows for use cases such as account aggregation - which is having all the customer data originating from accounts possibly over several banks into one platform - or better credit risk assessment for lenders. In essence: extra available information leads to new (business) opportunities.
Open Banking calls for financial data such as customer transactions to be shared outside of the bank where they originate from.
Even though a 2017 report states that 90% of surveyed banks believe Open Banking will lead to a 10% organic growth, reality shows high resistance from the incumbents. Indeed, for Open Banking to succeed a small number or ideally a single standard is needed. If everyone speaks the same language, the exchange is greatly simplified. This gives newcomers an easier time to propose Open Banking services as less starting capital is needed. In truth each country or even each bank has its own standard. This is of course legal but it doesn’t facilitate the development of Open Banking.
The impact of Open Banking on FIs will be more pronounced. First of all, FIs need to be at least Open Banking compliant. In practice this will most likely go through Application Programming Interfaces (API). To keep it simple these are interfaces that allow for exchanges, incl. data exchanges, between different systems. The systems don’t need to know how the others function, they only need to know how to communicate with each other. Actually proposing services is a bonus that is not required. Some FIs are just compliant, others have also developed Open Banking services in-house and a last group has partnered with fintechs to propose such services. If an FI chooses to propose Open Banking services then partnering, i.e. the third option, can be a great choice. The partner is, unlike FIs, specialized in this and can propose its product to several FIs thus benefiting from economy of scale. This should mean lower costs for FIs. In the end, this is a strategic decision for each FI to make.
Another important topic to know is that PSD2 and GDPR are not incompatible but still questions arise about their coexistence.
Another important topic to know is that PSD2 and GDPR are not incompatible but still questions arise about their coexistence. In 2017 TriFinance had a mission at one of our clients where, among other things, a gap analysis PSD2-GDPR and aligning the interpretation of PSD2 requirements with the National Bank of Belgium were performed. This work was clearly needed. To help clarify, the European Data Protection Board (EDPB) published guidelines last year but this doesn't answer all questions and even gives rise to new ones. Coexistence between PSD2 and GDPR but also other legislation isn’t a trivial matter. Suffice to say that not everything is clear.
To finish, PSD2 will most likely force upon society a number of changes. How to envision these in order to gain a business advantage? It starts by having an excellent comprehension of PSD2 but also understanding other legislation such as Anti-Money Laundering (AML) together with having good business and market knowledge. A holistic approach seems favored. This requires being able to rely on teammates with the right expertise, experience and - maybe most importantly - mindset.