Equip­ping the EU pay­ments market for the dig­i­tal age – the sec­ond pay­ment ser­vices di­rec­tive (PSD 2)

The Malta Business Weekly - - FRONT PAGE -

Con­sumers, es­pe­cially mil­len­ni­als, are quickly adopt­ing new dig­i­tal pay­ment meth­ods and are now used to en­gag­ing di­rectly and im­me­di­ately with re­tail­ers. They ex­pect their needs to be an­tic­i­pated across a range of prod­ucts and ser­vices and ex­pect sim­i­lar re­spon­sive­ness from their pay­ment ser­vice providers (PSPs). Tra­di­tional PSPs do not have long to ad­just to this new re­al­ity and avoid go­ing the way of the dodo.

The EU is re­spond­ing to these changes with the long-awaited re­vised Pay­ment Ser­vices Di­rec­tive (“PSD2”) which mem­ber states need to trans­pose by Jan­uary 2018. This re­places the Pay­ment Ser­vices Di­rec­tive (“PSD”) that has been in place since 2007.

When the PSD was pub­lished, its scope was to help de­velop the Sin­gle Euro Pay­ments Area (SEPA) by set­ting a com­mon set of stan­dards to be ap­plied through­out the Euro­pean Eco­nomic Area (EEA). The main aim of PSD2 is to form a reg­u­la­tory frame­work for a Dig­i­tal Sin­gle Market in Europe, which is es­sen­tial to en­sure the EU’s sin­gle market is fit for the dig­i­tal age. Its need can be seen from the use of in­no­va­tive on­line and mo­bile pay­ments which have made sig­nif­i­cant gains since the first PSD was pub­lished. You could ar­gue that the PSD2 is play­ing catch-up to reg­u­late new Fin­tech com­pa­nies.

The Di­rec­tive also aims to in­crease com­pe­ti­tion in an al­ready com­pet­i­tive pay­ments in­dus­try, by mak­ing it eas­ier for start-up com­pa­nies to join the Euro­pean pay­ment in­fra­struc­ture. Banks will be re­quired to be more open and ac­ces­si­ble. In fact, the Di­rec­tive re­quires banks to pro­vide in­for­ma­tion and share in­fra­struc­ture with new types of li­cenced providers brought within scope of the Di­rec­tive. New and en­hanced cus­tomer pro­tec­tion and se­cu­rity re­quire­ments will also see changes in the way con­sumers in­ter­act with tech­nol­ogy to make pay­ments, provid- ing new op­por­tu­ni­ties for in­no­va­tive com­pa­nies.

Ex­ist­ing com­pa­nies need to un­der­stand what needs to be done to avoid be­ing over­taken by emerg­ing play­ers with sharper busi­ness mod­els. Leaner com­pa­nies which are un­bur­dened with legacy sys­tems and cross-sub­sidised prod­ucts are well placed to take ad­van­tage of the changes brought about by PSD2.

Some of the main changes are dis­cussed be­low.

Ge­o­graph­i­cal cov­er­age

PSD2 sets out a com­mon le­gal frame­work for busi­nesses and con­sumers when mak­ing and re­ceiv­ing pay­ments when­ever one coun­ter­party is within the EEA. In ad­di­tion, it widens the scope both in terms of ge­o­graph­i­cal cov­er­age and the cur­ren­cies in­volved. Its pro­vi­sions shall also ap­ply to pay­ment trans­ac­tions in cur­ren­cies of third coun­tries when one of the PSPs is lo­cated within the EEA. This will have a di­rect ef­fect on banks and PSPs out­side the EEA which have ex­ten­sive busi­ness with EEA banks and cus­tomers as they need to also adapt to the new re­quire­ments.

Third party ac­cess by banks

Un­der PSD 2, Banks will be forced to open their in­ter­faces to other providers. These might in­clude Ac­count In­for­ma­tion Ser­vice Providers (AISPs) and Pay­ment Ini­ti­a­tion Ser­vice Providers (PISPs) which were brought within the scope of the Di­rec­tive. AISPs en­able cus­tomers to ac­cess ac­count in­for­ma­tion from dif­fer­ent banks and credit card is­suers us­ing one sin­gle in­ter­face on­line. On the other hand, the key func­tion for PISPs is to ini­ti­ate pay­ments through the banks’ pay­ments sys­tems and in­fra­struc­ture on be­half of the pay­ers.

A num­ber of in­no­va­tive PSPs are pro­vid­ing prod­ucts such as FX con­ver­sions, multi-cur­rency pay­ment cards and mo­bile pay­ment fa­cil­i­ties at a frac­tion of the price charged by tra­di­tional in­sti­tu­tions.

Se­cu­rity and au­then­ti­ca­tion

In­for­ma­tion se­cu­rity is a key is­sue for many pay­ment users, most notably re­tail con­sumers when pay­ing via the in­ter­net. The new di­rec­tive pro­vides for a high level of pay­ment se­cu­rity with the in­tro­duc­tion of strict se­cu­rity re­quir­ing “strong cus­tomer au­then­ti­ca­tion” for the ini­ti­a­tion and pro­cess­ing of elec­tronic pay­ments. It also in­cludes en­hanced pro­vi­sions for the pro­tec­tion of con­sumer fi­nan­cial data.

The Di­rec­tive uses the same def­i­ni­tion of “strong cus­tomer au­then­ti­ca­tion” as the EBA guide­lines, which is based on the con­cept of two-fac­tor au­then­ti­ca­tion. This re­quire­ment is al­ready be­ing crit­i­cised by Fin­tech com­pa­nies who have de­vel­oped tech­nol­ogy which is eas­ier to use for con­sumers, but is not two-fac­tor au­then­ti­ca­tion, yet is claimed to of­fer the same level of se­cu­rity. Tra­di­tional banks on the other hand are heav­ily in­vested in two-fac­tor au­then­ti­ca­tion. This re­mains an area of un­cer­tainty as the Euro­pean Bank­ing Au­thor­ity (EBA) still needs to de­velop a num­ber of guide­lines and reg­u­la­tory tech­ni­cal stan­dards on strong cus­tomer au­then­ti­ca­tion and se­cure com­mu­ni­ca­tion.

Li­a­bil­ity for con­sumers

Un­der PSD2, the li­a­bil­ity of unau­tho­rised trans­ac­tions for con­sumers is re­duced to EUR 50 from EUR 150 pre­vi­ously. PSPs will soon bear the bur­den of prov­ing a pay­ment trans­ac­tion was au­tho­rised and will need to pro­vide ev­i­dence of any al­leged fraud or gross neg­li­gence on the part of the user. On the other hand, in­ten­tional fraud or neg­li­gence by the con­sumer, if proven, means that they would bear the whole loss.


PSD 2 aims to lower charges for con­sumers and ban “sur­charg­ing” in the vast ma­jor­ity of cases both on­line (e.g. when us­ing cer­tain credit cards for pay­ments) and in shops. This will ap­ply to do­mes­tic as well as cross-bor­der pay­ments. Mer­chants will also be banned from sur­charg­ing con­sumers for the use of pay­ment in­stru­ments such as debit and credit cards which are cov­ered by the in­ter­change fee caps or the SEPA Reg­u­la­tion.

Whilst none of the ex­pected changes will fun­da­men­tally al­ter the ac­tiv­i­ties of fi­nan­cial in­sti­tu­tions of­fer­ing pay­ment ser­vices and ac­counts to con­sumers, the im­pact of the work re­quired to com­ply with the re­quire­ments will be con­sid­er­able. Ad­di­tion­ally, new, ag­ile play­ers are emerg­ing and are dis­in­ter­me­di­at­ing tra­di­tional in­cum­bents. The new Di­rec­tive may make it eas­ier for new play­ers to ac­cess cer­tain in­for­ma­tion and in­fra­struc­ture whilst legacy sys­tems and in­fra­struc­ture may pre­vent ex­ist­ing play­ers from re­spond­ing to these threats. Ste­fan Lia is a man­ager at Deloitte Malta Risk Ad­vi­sory. For more in­for­ma­tion, please visit www.deloitte.com/mt/riskad­vi­sory

Newspapers in English

Newspapers from Malta

© PressReader. All rights reserved.