As Europe is on the cusp of what
some see as a sea change, or even an earthquake, in the payment services landscape
and banking in general, the time is ripe to provide a bird’s eye view of the
EU's revised Payment Services
Directive (known as
‘PSD2’) and, from this vantage point, allow the reader to gauge just how much
of a shake-up the new law, going live in a matter of weeks, may be.
(R)evolution?
Following in the footsteps of PSD’s
first iteration adopted in 2007, PSD2 is upping the ante by aiming to
further unify electronic payment systems across the EU while fostering
competition, innovation and the safety and security of payments – all in the
name of ‘open banking’ and to the ultimate benefit of
consumers.
In a bid to iron out the legislative
wrinkles from PSD1 and keep up with the rapid pace of technological change, EU
lawmakers are seeking to improve the level playing field between different
payment service providers (PSPs) and allow for new market entrants. The EU is
also extending the directive’s geographic reach, as ‘one-leg-out’ transactions
where only one of the PSPs is located within the EU now also fall under the
scope of the legislation.
EU countries have until 13 January
2018 to incorporate PSD2 into national law, although in some countries there
have been some bumps in the road to the directive’s implementation. Belgium, Sweden and the Netherlands all reportedly anticipate delays in
the transposition of the legislation into their respective national bodies of
law. In addition, recent probes that the European Commission has conducted in the Netherlands
and Poland also indicate that not everything may go swimmingly with the actual
application of the new rules.
At the heart of the directive is
the requirement for banks to allow licensed third-party providers (TPPs) of
financial services to securely access their customers' account data, as long as
the customer has given their prior consent. With this access, which is set to
be provided by digital links known as application programming interfaces
(APIs), TPPs will receive a wealth of customers' financial data, including on
income, transaction histories, spending habits and profile, which will give them a
360-degree view of the customer and enable them to offer customers a range
of innovative and à la carte services.
The legislation introduces two
previously unregulated categories of players to the game – payment initiation
service providers (“PISPs”) and account information service providers
(“AISPs”).
PISPs will be able to trigger
payments on behalf of the account holder by creating a software ‘bridge’
between the payer’s account and the payee’s account, without the customer needing to directly access their bank account
or use a debit or credit card.
AISPs, for their part, will receive
access to bank customers’ account information and will be able to analyze a
customer’s spending patterns and to aggregate information from the customer’s
multiple accounts in different banks.
Whither banks?
Unlike, say, retailing, taxi and
hotel trades, European banking has so far been largely spared the effects of the digital
disruption. In the post-PSD2 era, however, banks will be thrust into the middle
of a crowded field, surrounded not only by other banks (both traditional and
‘challenger’), but also by tech behemoths and agile fintech upstarts, which are
poised to act as third-party providers of financial and payment services. Tech titans, many of which already have their
own digital payment services in place, are believed to entertain
plans to “launch their full arsenal come January 2018”.
In addition to the risk of losing
out on payment revenues, banks may run the risk of losing customer touch points and becoming a mere utility service
used by TPPs. But as Albert Einstein said, “in the middle of difficulty lies
opportunity”.
Indeed, the new opportunities
ushered in by the advent of PSD2 could be used by banks to recapture some of
the projected lost revenues from payments and to grow new revenue streams.
There is nothing preventing banks from acting also as AISPs or PISPs, after
all.
In other words, the incumbents could
either chafe at the challenge and act defensively or embrace the new
opportunities by enhancing their product and service offerings to customers
and, in so doing, stave off the challenge from disruptors. A number of banks
are nimble about change, having already adapted to the new reality by starting
their own fintech firms or buying upstarts.
If recent surveys conducted in the UK are any
indication, banks may find some encouragement in the fact that, when it comes
to their personal financial details, customers appear to trust banks more than retailers and
social media.
On the other hand, and perhaps
worryingly for banks, a global survey showed that close to one-third of
consumers said that they would be willing to switch to Google, Amazon or
Facebook for banking if any of them provided such services.
Either way, customers are set to
benefit from greater choice of offerings, lower costs, improved convenience,
and enhanced security.
Security
With extra convenience come
considerations of security: anything to do with
electronic payments has profound security implications, doubly so in times
of ever-evolving cyberthreats.
PSD2 introduces strict security requirements for
the initiation and processing of electronic payments by mandating what is
termed “strong customer authentication” (SCA). Authentication is strong if it uses at least two elements drawn from
different ones of these three categories:
- Knowledge: something only the
user knows (such as a password).
- Possession: something only the
user possesses (such as a card).
- Inherence: something the user
is (such as a fingerprint or voice recognition).
These elements must be independent
of each other so that the breach of one element does not compromise the
reliability of the others.
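To make the two-of-three rule and the independence requirement concrete, here is an added example in Python (written for this page; it is not code from the article, from PSD2 or from the EBA's RTS). It models each presented authentication element with its category and an assumed "trust domain", the device or channel whose compromise would expose that element, and treats two elements as independent only if their trust domains differ. The scenarios at the bottom are constructed.

```python
"""Evaluate whether presented authentication elements satisfy the SCA rule:
at least two elements from distinct categories (knowledge, possession,
inherence) that are independent of each other.

Added example for illustration only. The 'trust_domain' attribute is an
assumption made here to express independence in code; it is not a term
from PSD2 or the RTS.
"""
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class AuthElement:
    name: str
    category: str      # one of CATEGORIES
    trust_domain: str  # assumed model: device/channel whose breach exposes it


def evaluate_sca(elements):
    """Return (ok, reason).

    ok is True only when two elements of different categories exist whose
    trust domains differ, i.e. breaching one would not expose the other.
    """
    for e in elements:
        if e.category not in CATEGORIES:
            return False, f"unknown category {e.category!r} for {e.name}"

    by_category = {}
    for e in elements:
        by_category.setdefault(e.category, []).append(e)

    # Two elements of the same category (password + PIN) count as one.
    if len(by_category) < 2:
        return False, "fewer than two distinct categories presented"

    # Independence: look for a pair from different categories whose
    # trust domains differ.
    cats = list(by_category)
    for i in range(len(cats)):
        for j in range(i + 1, len(cats)):
            for a in by_category[cats[i]]:
                for b in by_category[cats[j]]:
                    if a.trust_domain != b.trust_domain:
                        return True, f"{a.name} ({a.category}) + {b.name} ({b.category})"
    return False, "elements of different categories share a trust domain"


# Constructed scenarios (not from the article).
SCENARIOS = {
    "password + card reader": [
        AuthElement("password", "knowledge", "browser"),
        AuthElement("card-reader code", "possession", "card-reader"),
    ],
    "password + PIN": [
        AuthElement("password", "knowledge", "browser"),
        AuthElement("PIN", "knowledge", "browser"),
    ],
    "app PIN + app token on same phone": [
        AuthElement("app PIN", "knowledge", "phone"),
        AuthElement("app token", "possession", "phone"),
    ],
}


def run_scenarios():
    """Evaluate every constructed scenario; returns {name: ok}."""
    return {name: evaluate_sca(elems)[0] for name, elems in SCENARIOS.items()}


if __name__ == "__main__":
    for name, elems in SCENARIOS.items():
        ok, reason = evaluate_sca(elems)
        print(f"{name}: {'SCA' if ok else 'not SCA'} ({reason})")
```

The third scenario fails only because of the simplified model chosen here: the check treats anything on a single device as one trust domain, whereas the RTS does permit multi-purpose devices provided mitigating measures separate the elements, so a real assessment needs more information than this evaluator has.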
In addition, the European Banking
Authority (EBA) has developed, in close cooperation with the
European Central Bank (ECB), draft Regulatory Technical Standards (RTS) on
strong customer authentication and secure communication. These, EBA believes,
are “key to achieving the objective of the PSD2 of enhancing consumer
protection, promoting innovation and improving the security of payment services
across the European Union”.
Citing the need to allow for future
developments, PSD2 mandates “technology and business-model neutrality”, which
is why the RTS final draft pins down the requirements in a rather neutral way.
The few requirements that are described include the use of appropriate encryption for data exchange, the shortest
possible communication processes, and clear references for the data exchanged.
The RTS proposal was subject to a consultation process during which a great number
of questions were raised, ultimately resulting in delays to the submission of
the final draft. In addition, the EBA and the European Commission have been at
loggerheads over several aspects of the RTS, with the latter asking for several
substantive changes. The EBA acknowledged and agreed with the Commission’s
aims, but disagreed with three of the four proposed changes.
Fast forward and the final draft of
the RTS is now awaiting approval by the European Commission. If greenlighted,
the RTS “will be applicable 18 months after its entry into force”. According to
EBA, the intervening time (not until the spring of 2019 at the earliest) gives
the industry “time to develop industry standards and/or technological solutions
that are compliant with the EBA’s RTS”.
Times they are a-changing
Whether a change is
revolutionary is only manifest in hindsight, so judgment is better withheld
at this time. At any rate, PSD2 and the changes accompanying it are shaping up to be a
major step in the ongoing, technology-driven transformation of banking.
PSD2 presents a host of unprecedented opportunities and challenges and, once
the dust settles, we’ll see whether it turned out to be a boon or a bane for
banks. Prediction is very difficult after all, especially if it's about the future.