Next January, the new European Directive on Payment Services in the Internal Market (PSD2) will open up the payments market to third-party providers. Shahrokh Moinian explains the implications and opportunities for the global payments community.
A decade of change in the payments market
Since the first EU Payment Services Directive (PSD1) was introduced 10 years ago, the European payments industry has undergone far-reaching technological and market change. Indeed, advancements in technology (including instant payments infrastructures, blockchain, mobile authentication and the Internet of Things) have given rise to a host of new payment services and operators not covered by the first round of regulations.
But innovation in this area is still in its nascency and more significant advances are surely yet to come. Luckily, PSD2 will open up the field to more players and innovation. It introduces two new regulated roles: Account Information Service Providers (AISPs), which equip users with consolidated and convenient online information on one or more of their payment accounts; and Payment Initiation Service Providers (PISPs), which facilitate the e-commerce process and enable online payments to be initiated at the immediate request of a payment service user. Although some players existed in both these spaces before, regulating them will allow for much greater growth and development.
The EU has already experienced a surge in internet shopping and an accompanying rise in online fraud. Between 2014 and 2015, e-commerce sales in Europe grew by a staggering 65.6% (from €156.28bn to €455bn) [1], while the EU’s 2014 figures on card-not-present fraud showed a 21.2% increase in fraud year-on-year [2].
PSD2 – a major regulatory overhaul
In light of the developments that have occurred in the payment space since 2007, PSD2 provides a major regulatory overhaul – bringing three key changes to the first EU Payment Services Directive (PSD1).
First, to help ensure better legal protection, and reduced risk for payment service users in the EU, PSD2 widens the scope of its predecessor regulation – a change that comes into effect in January 2018. Certain provisions – primarily regarding transparency and payment terms, specifically the value dating of incoming payments – will now be extended to apply to payments where only one party is located in an EU/EEA country (‘one leg principle’), and to payments made in all currencies.
Second, from late 2018, PSD2 introduces higher levels of payment security and authentication. In response to the surge in online fraud in recent years, PSD2 stipulates that a payment service user must now adhere to stronger levels of authentication, such as two-factor (2FA) customer authentication processes, for each remote, online or electronic payment. In this context, a factor refers to something that asserts that a customer is the legitimate user of the service. One authentication factor might be customer knowledge, e.g. a password; a second, a customer’s possession, such as a smartcard; and a third, a customer “inherence” (something only the user is), for example, a fingerprint.
Finally, kicking in by late 2018 or early 2019, PSD2 licenses third-party providers (TPPs) of payment services, including the aforementioned PISPs and AISPs, and obliges banks to provide them with the information they require to operate effectively (dependent on customer consent). In turn, PSD2 will help level the playing field on which innovative companies can compete with established banks, and inject a new dose of competition into the payments market.
A directive to fear or embrace?
At Deutsche Bank we view the changes to the first directive as logical; however, they are not universally popular. Indeed, according to a PwC report released in the first quarter of 2016, 68% of bankers fear or resent the effects of PSD2 [3].
Payment service providers will admittedly have to undertake significant change-work to comply with the new directive. The extended scope of PSD2 requires financial service providers to make a series of process and system modifications. These modifications include not only value dating and availability of funds in international payments, but also the introduction of new 2FA systems, and the construction of a secure and accessible online account interface, through which TPPs can extract the information they require to operate effectively.
Spurring new levels of innovation
However, the directive is certainly not one to fear. Rather, PSD2 should be viewed as a catalytic force for heightened innovation, security and data transparency in the payment space.
Take PSD2’s new provisions for TPPs: by licensing new third-party providers, and injecting a new dose of competition into the payments market, PSD2 should in turn help stimulate further innovation in product and service offerings. Whether these services are offered by banks – leveraging their deep-rooted customer trust and regulatory experience – technologically nimble fintechs, or collaboration between the two, they are likely to be delivered through new, convenient channels of customer communication.
Moreover, if open application programming interfaces (APIs) are used to build the new interface between banks and TPPs, PSD2 might even usher in a new era of open banking. The European Banking Authority certainly encourages this development – recognising the potential of APIs to help banks innovate at pace, create new revenue streams and “disrupt the disruptors”.
A force for payment security
Naturally, more frequent and easier access to customer account information by more parties gives rise to concerns about the security of customer data – particularly given the staggering rise in online card payment fraud in recent years. However, with PSD2 in place, practitioners and customers have nothing to fear. Despite some concerns that an extra authentication step might deter customers from completing online purchases, enhancing consumer protection is an aim to which payment service providers, retailers and regulators should naturally subscribe.
Corporates and consumers today expect transparency, efficiency and security in their payment transactions. There is no question that PSD2 will help drive momentum in this direction. PSD2 should therefore be embraced as a major step forward – a clear indication of the EU’s commitment to fostering innovation in the payment space.
Shahrokh Moinian is Global Head of Corporate Cash Management Products at Deutsche Bank
[1] See http://bit.ly/2nsv3YY at ecommercenews.eu
[2] See http://bit.ly/1jwPKZ7 at ecb.europa.eu
[3] See http://pwc.to/2a4AKUx at strategyand.pwc.com
Global Head of Cash Products | Cash Management | Deutsche Bank
PSD2’s impact for corporates
- We don’t foresee a strong mandatory change effort for corporates – certainly when compared to the changes required for compliance with SEPA
- However, corporates will have to use two-factor (2FA) authentication devices
- Treasurers may consider adapting their business models to include emergent third-party provider-related services
- Corporates can also be expected to benefit from the innovation ecosystem that springs up around the mandated third-party interface
- Finally, they will benefit from the scope extension with regards to price transparency and, in the case of receipts, value-dating practices
- 16 Nov 2015: Adopted by EU Council of Ministers
- 12 Jan 2016: PSD2 came into force
- 23 Feb 2017: EBA’s draft regulatory technical standards (RTS) on strong customer authentication and common and secure communication under PSD2 were published. Yet to be ratified
- 13 July 2017: Deadline for EBA to issue guidelines on the establishment, implementation and monitoring of security measures under PSD2 (guidelines will complement the EBA’s RTS)
- 12 Jan 2018: Deadline for transposition of PSD2 into national law
- 13 Jan 2018: PSD2 now applicable
- 13 Jan 2018: Deadline for EBA to issue guidelines under which a payment service provider (PSP) must notify the competent authority of a major operational or security incident “without undue delay”
- 23 Nov 2018: Earliest date that EBA’s RTS on strong customer authentication and common and secure communication will apply