Since its publication in 2007, the Payment Services Directive (PSD) has worked to guarantee fair and open access to the payment market across Europe and increase consumer protection.
As intended, the legislation had a significant impact on how transactions could be made throughout the EU in a unified manner and new players, outside of traditional banks, quickly emerged.
While initially very successful, PSD now needs a revision. In this article, we take a look at some of the reasons for that revision and what you can do now to stay ahead of the changes.
What’s driving PSD2?
One primary goal of PSD was to improve the overall customer experience around paying for something. And while satisfaction is most commonly driven by convenience and price, it also comes from the peace of mind knowing the transaction is secure.
The emergence of new non-banking players such as Sofort in Germany, iDEAL in the Netherlands or Trustly in Sweden created convenient, inexpensive ways for customers to initiate a transaction, yet one question quickly arose: in the event of a non-validated, fraudulent transfer out of a customer’s account, who was liable?
The banking industry is of course heavily regulated, but third-party payers fell outside those pre-existing banking regulations. In the absence of rules for them, liability started to fall partly on the bank and partly on the consumer who had agreed to hand their credentials to a third party. The EU was therefore missing its primary objective of protecting consumers.
While market competition proved to be a good thing, a revision of PSD became necessary. PSD2 seeks to standardise digital payments across the EU and to better protect consumers as they conduct transactions.
As you have likely read, the EU Directive was voted on by Parliament in October 2015. In December, the EU Council of Ministers formally adopted PSD2 with a transposition deadline in all EU countries of January 2018. This means every EU member now has just under two years to comply with PSD2’s new rules.
PSD2 will establish the respective rights and obligations of both users and payment service providers such as banks, electronic money institutions, post office giro institutions and payment institutions, but also of new players: Payment Initiation Service providers and Account Information Service providers (grouped together under the designation Third Party Providers, or TPPs).
It establishes rules concerning transparency of conditions and information requirements for payment services. PSD2 also calls upon these organisations to prove to regulators that they have appropriate security measures in place to prevent fraud and protect confidentiality.
Additional key differences between PSD and PSD2 include:
Scope. PSD2 will regulate any payment that occurs within the EU and any payment that flows through the EU.
Security. Payment security is critical: strong authentication of the customer will be required by the TPP.
Innovation. Europe is requiring banks to open access to account information. This recognises that it is better to put such access within the regulation than to let it happen through screen scraping, which is a far less secure approach for the end user.
What is the implementation timeline?
The tricky part in all of this is timing. While compliance will be expected at the start of 2018, the regulatory guidelines for any solution that initiates a payment or accesses a customer’s account information from outside the bank are still to be defined.
They are not set to be published until late 2017. Best-case estimates say the start of that year, while others say mid-year. Either way, both estimates leave very little time between the publication of the standards and the date by which banks must show compliance.
These guidelines will cover:
A definition of payment initiation. Until now, the transaction initiator and the payer were one and the same: the bank, or the PSP. With PSD, the party that initiates is not always the same as the payer.
Technology standards that define the information to be provided by account holders (the bank), and strong authentication rules for Access to Account (XS2A).
What should you be doing now?
At its core, PSD (the original directive as well as its revision) seeks to reduce the cost of payments. This reflects the principle that 'payment' is becoming a commodity in today’s business interactions.
Looking ahead, it is time for banks to go beyond PSD2 and provide customers with more than just payment capability; it is time to provide real, improved value.
In fact, the XS2A part of PSD2 is boosting innovation far beyond what the original PSD did, and with PSD2 quickly approaching, the time to start this evolution is now.
But in the absence of set guidelines, where do you begin? Clear direction is not yet available in this case. Banks should begin to set up an agile architecture that enables seamless integration of various services, including but not limited to 'payment'. In other words, it is time to innovate.
PSD gives customers more opportunities to interact with their bank, so comprehensive account information servicing is critical. Agile layers of APIs will enable you to channel your information services, yet to do it right, organisations must embrace authentication, authorisation and identity management.
As regulators redefine Access to Account, it is important to be both thoughtful and cautious. Who has access to the account (authentication), and what can they do (authorisation)? Authorisation methods will be defined by the forthcoming guidelines.
For example, will authorisation be more stringent for a payment of $10,000 than for one of $1.00? Regardless of what the guidelines look like, a flexible architecture will be key, and real-time insight over accounts will also be required. Agility that keeps pace with regulation matters now and in the future.
With PSD2 quickly approaching, you have a choice. You can do the minimum; compliance can be a strategy. Or you can do much better: set up an agile architecture that complies with PSD2, but also test new innovations that deliver more services, and more value, to your end customers. This is how you will keep customers rather than risk losing them to the competition.
Sourced from Bruno Cambounet, vice president of financial services, Axway