PAYMENT SERVICES DIRECTIVE (PSD2)
Revised by the European Parliament in October 2015, the new Directive on Payment Services (PSD2) is the latest in a series of EU legislative measures to enable modern, efficient, and inexpensive payment services. As European legislation, PSD2 is a requirement for all banks that operate in the European Economic Area and enforces an implementation deadline of January 2018. For those banks already progressing in their digital transformation, this is a reasonable timeframe to incorporate the necessary technology and business change. For those that have yet to embrace digital, key components of a digital infrastructure are needed and time is short.
The main impacts of PSD2
PSD2 has numerous new requirements, some impacting banks more than others, depending on the specific institution’s service portfolio and strategy. The three with the most significant impact are:
1. Strong authentication & secure communications
Strong Customer Authentication (SCA) is required in three situations: 1) online access to the payment account, 2) initiation of electronic payment transactions, or 3) actions carried out via a remote channel that may imply a risk of fraud or other abuse. Exemptions might be considered based on the amount and/or recurrence of the transaction, the level of risk involved in the service provided and the channel used for executing the transaction. SCA is a two-factor authentication that requires independence and dynamic linking.
2. Third party provider regulation
PSD2 extends the definition of Payment Institution by introducing new types of Payment Services Providers (PSPs). Credit institutions and electronic money institutions are considered Account Servicing Payment Service Providers (ASPSPs) that provide and maintain payment accounts. Third-party providers (TPPs) that are also considered payment services providers under the regulation include Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) that act as aggregators of customers' payment account information. PSD2 brings AISPs and PISPs into the scope of regulated entities.
3. Access to payment account (XS2A)
Under PSD2, all registered PISPs and AISPs and all licensed PSPs are to have access to payment accounts held at ASPSPs under explicit consent of the client. The ASPSP must share all data enabling the AISP or PISP to perform the service requested by the client. The PISP/AISP may not use, access or store any data for purposes other than provision of the requested service.
The business risk PSD2 presents
A main difference between PSD2 and PSD lies in the new requirements to provide third parties with “access to the account”. After PSD2 implementation, third parties can obtain access to customer accounts for account information and payment initiation services, provided the consumer gives consent. This poses a security concern for banks, which must ensure that account access is controlled and authorized. It also poses a liability concern: if something goes wrong in the customer’s service from the third party, the consumer may hold the bank liable. While these are important considerations as banks plan their PSD2 compliance, perhaps the biggest risk for banks is disintermediation.
Allowing third parties to access a customer account enables them to come between the bank and its customer, and strain the bank’s customer relationship. It also lowers the barriers to entry for third parties with new ideas for value-added services.
Today, third parties with innovative ideas are often unable to execute because they don’t have captive customers and banks are not willing to or even allowed to provide access to account information. PSD2 will make it easier for third parties to provide value-added services and grow viable businesses as banks will be required to provide access to customer data with permission.
Banks have no choice but to ensure they comply with PSD2. But, to help them remain relevant into the future, banks should look at PSD2 compliance as not only a requirement, but as an opportunity for value creation. Banks’ strategic options are plentiful if they think more broadly than just complying with PSD2. Through different collaboration models, banks can offer advanced payment and account information services, expand to services in other areas of banking and explicitly expand their service portfolio beyond traditional banking – all of which can lead to differentiation and new sources of revenue.
An open API platform strategy could be very helpful: it builds on the banks’ core strengths of trust and brand recognition and their customer information assets. It also allows the bank to build on the strengths of non-bank innovators, which are often more agile and fast-paced in innovation.