Game changer: the countdown to PSD2
May 2017 | FEATURE | BANKING & FINANCE
Financier Worldwide Magazine
A game changer. That is how many in the payments industry are describing the forthcoming Payment Services Directive (PSD2) – revised legislation scheduled for implementation across European Union (EU) member states from 13 January 2018.
PSD2 is certainly transformative. Not only does it end banks’ monopoly on their customers’ account information and payment services, it also forms part of a rapidly evolving financial environment in which banks will struggle to survive if they do not embrace the new payments regime.
Deloitte’s 2016 report, ‘PSD2 opens the door to new market entrants’, provides a breakdown of what the revised legislation means for both customers (Payment Service Users (PSUs)) and the banking and payments industries, stating that the most significant change proposed by PSD2 is the use of Third Party Providers (TPPs), of which there are two new types: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
PISPs, notes Deloitte, will encourage competition in European payments, as the payer, rather than initiating the payment directly with their bank, carries out the transaction via the PISP, which then passes the instruction to the bank. With AISPs, providers act as aggregators of customer payment account information, for example, presenting the PSU with an aggregated viewpoint of transactions and balances from more than one account (at present, a PSU with multiple accounts has to access each individually through a separate interface). Under PSD2, AISPs will be able to consolidate information from several accounts on behalf of PSUs.
“The usage of TPP provides consumers with additional options to access their bank, removing the need to interact with the bank directly”, outlines the Deloitte report. “To enable TPPs to connect directly to a customer’s bank, new technical standards are being developed by the European Banking Authority (EBA), which will define the connection requirements and application programming interface (API) to be used, also known as ‘Access to Account’ or XS2A”.
Also highlighted by Deloitte as key changes enforced by PSD2 are new security and authentication requirements and an extension to the scope of transactions captured under the directive. The most significant new security requirement is for payment transactions to be subject to strong customer authentication. In addition, PSD2 includes in its scope ‘one leg out’ transactions, i.e., payments made to or from locations outside Europe.
“The stated goals of PSD2 are to make payments more secure, cheaper and safer, as well as to create a more integrated and efficient European payments market and level the playing field for payment service providers (PSPs),” says Mike Wallberg, content marketing manager at Zafin. “What this will mean in the short-term is increased transparency and access to payment services for third-party – meaning non-bank – payment providers. Longer-term, it will likely mark the start of a shift toward ‘open banking’ – not just with respect to payments in Europe, but across banking in general, globally.”
PSD2: legislation origins
The first payment services directive, PSD1, came into force in 2007 and was transposed into national legislation by all EU and European Economic Area (EEA) member states in 2009. PSD1 was designed to increase pan-European competition and participation in the payments industry, and provide a level playing field by harmonising consumer protection and the rights and obligations for payment providers and users.
“PSD2 goes further in legalising and opening up the market for new players to challenge incumbent banks, stimulate innovation, competition and create an integrated and efficient market,” explains Frode Lervik, a financial services consultant at PA Consulting Group. “The directive is driving strategic thinking in the banking industry, both within individual banks on how to remain competitive and at an industry level on how payments infrastructure should be developed.”
For John Burns, client projects director at Compliancy Services, PSD2 aims to update the provisions of PSD1 to meet the challenges of today and reflect the technological advances that have occurred since the first directive. “Banks and other PSPs providing online access to accounts will need to change their systems and procedures to allow access to the newly authorised AISPs and PISPs, as well as using strong customer authentication in all but a few exempted situations. This will change the customer experience. The restriction of exemptions will also mean that a number of existing business models will be brought within scope, although many firms offering these still seem to be unaware of this.”
Looking beyond the entities that presently fall within the scope of the directive, Mr Lervik believes that PSD2 affords substantial opportunities for new players looking to enter the market and compete. Alongside numerous FinTech companies, global giants such as Apple, Google and Samsung are looking for opportunities, and Facebook, with its massive user base, is also likely to be a strong challenger in the payment services space.
Challenges and uncertainties
Given the significant changes to systems, processes and procedures that the forthcoming PSD2 implementation engenders, it comes as no real surprise that many firms are encountering difficulties. Those that adopted the draft regulatory technical standards (RTS) at an early stage are clearly better placed to meet the deadline for implementation. A particular difficulty is the tension between banks, third parties and regulators as regards what data the banks need to provide through their API, how it should be made available and how third parties should authenticate themselves to the banks.
“Getting regulation right is a challenging task as regulators need to balance a lot of conflicting concerns,” says Mr Lervik. “If it is too specific, it may hamper future innovation. On the other hand, incumbent banks may seek to take advantage of any lack of clarity to make life more difficult for their competitors. It is unlikely that it will be possible to solve all issues before implementation, partly because the issues will only emerge when the competitive dynamics kick in. We should expect regulators to be alert after the implementation date. Banks are well advised to try and comply with the directive within the specified timeline because the regulators are likely to be prepared to forcefully ensure compliance.”
The EBA’s RTS help to address concerns and ensure compliance, and play a key role in explaining how PSD2 works in practice. However, there is currently uncertainty surrounding the timelines for these RTS – a lack of detail which could present the industry with significant challenges with regard to implementation.
“It is vital that a holistic approach is taken to drafting the RTS, to ensure the payments industry remains dynamic and responsive to customer needs,” believes David Song, European developments manager at Payments UK. “We are continuing to engage with the EBA, the European Commission, Parliament and domestic regulators to prevent the RTS from being too prescriptive, which could lead to requirements quickly becoming outdated, making it more difficult to innovate, and more challenging to react to cyber crime and fraud threats.”
Another area identified where banks and other PSPs may struggle is compliance with stringent client service requirements – reporting requirements, in particular. For example, PSPs are obliged to detail the interest and exchange rate assumptions that go into each and every payment charge, and the methodology used to calculate it.
“For banks, meeting PSD2’s requirements on time will require them to invest in capabilities that offer flexibility and good data integrity,” says Mr Wallberg. “One thing they should consider is using the compliance project as an opportunity to implement better pricing and billing capabilities more generally. A good pricing and billing engine can solve many of the PSD2 problems, and offer banks cost savings in the bargain. They also need to be able to provide detailed information about the time required and the expected charges to be incurred ex-ante, to allow customers to make a decision about where to execute their payment. Without a pricing and billing engine in place that is tracking and generating reporting that can handle that, they will struggle.”
“While the countdown to PSD2 continues and much uncertainty still exists, banks still have a lot to do just to become compliant,” warns Mr Lervik. “As always when a new regulation is introduced, you do not get the full picture as early as you would wish. We noticed a real shift in the market in the second half of 2016. PSD2 moved up the corporate ladder to become a key priority for chief executives and their management teams. Formulating a strategic action plan and making sure there is a programme of activities in place that delivers the strategy, in addition to taking care of the pure compliance aspects of PSD2, is clearly the way to go.”
Another implementation issue, which pertains specifically to the UK, is the delay to the Financial Conduct Authority’s (FCA) consultation on PSD2 caused by HM Treasury’s focus on Brexit. “This will mean that the FCA has only nine months to re-authorise existing payment institutions and e-money institutions, as well as dealing with applications for the new PISP and AISP permissions,” confirms Mr Burns. “There also remain significant questions of interpretation and firms will need to ensure that they do not make significant decisions based on incorrect assumptions. Careful reviews and expert advice will be essential.”
Going forward, banks will be looking to design strategies that include both elements of competition and collaboration with new players. Although, in theory, there is a modicum of risk that banks could fall behind TPPs to become no more than capital-providing utilities, this is an unlikely scenario given the benefit banks enjoy of millions of existing client relationships; they could even create their own competing PSPs and subsidiary AISPs, with an obvious incentive to do so.
Countdown to PSD2 and a digital single market
Clearly, many payments industry practitioners believe that PSD2 has the potential to be a truly transformative piece of legislation, with the capacity to fundamentally enhance competition in the industry, bring into scope new types of payment services and enhance customer protection and security.
“PSD2 is an important step toward a digital single market in Europe,” concludes Mr Song. “The directive will also ensure that all PSPs active in the EU are subject to supervision and appropriate rules. PSD2 could help open up new markets and encourage new market entrants, with wide-reaching opportunities for a range of parties including banks, other PSPs, FinTechs and customers through the development of products and services that offer new ways to use account and transaction data.”
Once implemented, in a little over six months, PSD2 is expected to lead to a major change in the accessibility of customer data to authorised third parties. What it may also do is force banks to jettison their dependence on myriad legacy systems, reassess their systems requirements and, in order to protect their account base, turn their attention to embracing innovation in the payments space.
© Financier Worldwide