Equipping the EU payments market for the digital age – the second payment services directive (PSD 2)
Consumers, especially millennials, are quickly adopting new digital payment methods and are now used to engaging directly and immediately with retailers. They expect their needs to be anticipated across a range of products and services and expect similar responsiveness from their payment service providers (PSPs). Traditional PSPs do not have long to adjust to this new reality and avoid going the way of the dodo.
The EU is responding to these changes with the long-awaited revised Payment Services Directive (“PSD2”) which member states need to transpose by January 2018. This replaces the Payment Services Directive (“PSD”) that has been in place since 2007.
When the PSD was published, its scope was to help develop the Single Euro Payments Area (SEPA) by setting a common set of standards to be applied throughout the European Economic Area (EEA). The main aim of PSD2 is to form a regulatory framework for a Digital Single Market in Europe, which is essential to ensure the EU’s single market is fit for the digital age. Its need can be seen from the use of innovative online and mobile payments which have made significant gains since the first PSD was published. You could argue that the PSD2 is playing catch-up to regulate new Fintech companies.
The Directive also aims to increase competition in an already competitive payments industry, by making it easier for start-up companies to join the European payment infrastructure. Banks will be required to be more open and accessible. In fact, the Directive requires banks to provide information and share infrastructure with new types of licensed providers brought within scope of the Directive. New and enhanced customer protection and security requirements will also see changes in the way consumers interact with technology to make payments, providing new opportunities for innovative companies.
Existing companies need to understand what needs to be done to avoid being overtaken by emerging players with sharper business models. Leaner companies which are unburdened with legacy systems and cross-subsidised products are well placed to take advantage of the changes brought about by PSD2.
Some of the main changes are discussed below.
PSD2 sets out a common legal framework for businesses and consumers when making and receiving payments whenever one counterparty is within the EEA. In addition, it widens the scope both in terms of geographical coverage and the currencies involved. Its provisions shall also apply to payment transactions in currencies of third countries when one of the PSPs is located within the EEA. This will have a direct effect on banks and PSPs outside the EEA which have extensive business with EEA banks and customers as they need to also adapt to the new requirements.
Third party access by banks
Under PSD2, banks will be forced to open their interfaces to other providers. These might include Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), which were brought within the scope of the Directive. AISPs enable customers to access account information from different banks and credit card issuers using one single interface online. On the other hand, the key function for PISPs is to initiate payments through the banks’ payments systems and infrastructure on behalf of the payers.
A number of innovative PSPs are providing products such as FX conversions, multi-currency payment cards and mobile payment facilities at a fraction of the price charged by traditional institutions.
Security and authentication
Information security is a key issue for many payment users, most notably retail consumers when paying via the internet. The new directive provides for a high level of payment security through strict security requirements that mandate “strong customer authentication” for the initiation and processing of electronic payments. It also includes enhanced provisions for the protection of consumer financial data.
The Directive uses the same definition of “strong customer authentication” as the EBA guidelines, which is based on the concept of two-factor authentication. This requirement is already being criticised by Fintech companies who have developed technology which is easier to use for consumers, but is not two-factor authentication, yet is claimed to offer the same level of security. Traditional banks on the other hand are heavily invested in two-factor authentication. This remains an area of uncertainty as the European Banking Authority (EBA) still needs to develop a number of guidelines and regulatory technical standards on strong customer authentication and secure communication.
Liability for consumers
Under PSD2, consumers’ liability for unauthorised transactions is reduced to EUR 50, down from EUR 150 previously. PSPs will soon bear the burden of proving a payment transaction was authorised and will need to provide evidence of any alleged fraud or gross negligence on the part of the user. On the other hand, intentional fraud or negligence by the consumer, if proven, means that they would bear the whole loss.
PSD 2 aims to lower charges for consumers and ban “surcharging” in the vast majority of cases both online (e.g. when using certain credit cards for payments) and in shops. This will apply to domestic as well as cross-border payments. Merchants will also be banned from surcharging consumers for the use of payment instruments such as debit and credit cards which are covered by the interchange fee caps or the SEPA Regulation.
Whilst none of the expected changes will fundamentally alter the activities of financial institutions offering payment services and accounts to consumers, the impact of the work required to comply with the requirements will be considerable. Additionally, new, agile players are emerging and are disintermediating traditional incumbents. The new Directive may make it easier for new players to access certain information and infrastructure whilst legacy systems and infrastructure may prevent existing players from responding to these threats.
Stefan Lia is a manager at Deloitte Malta Risk Advisory. For more information, please visit www.deloitte.com/mt/riskadvisory