Aiming at accelerating innovation and developing a unified payment services sector, the European Commission has adopted the Payment Services Directive (PSD2), which is expected to bring vital changes.
What is PSD2?
Lately, regulators have been increasingly focussing on ensuring consumer protection, competition, and security in the area of financial services.
The PSD2 is a data and technology-driven directive, which was introduced as a way to respond to the changes in the landscape of payment services since the introduction of the original directive in 2007, and to drive further improvements in payment services across Europe.
The revised version includes a number of changes and enhancements to the original paper, with the main goal of providing clarity, efficiency and ease-of-use of European payment services.
Ensuring access, liability and transparency
The directive significantly extends the scope of the original PSD regulations beyond Europe and revises the definition of a ‘Payment Institution.’
Other features of the reform package include: new rules on access to payment accounts, liability allocation provisions, transparency requirements and customer authentication measures.
The clauses included in the directive reflect the growing number of account aggregators - businesses that enable customers to access different online banking accounts including credit cards, current and savings accounts using a single online portal, and other fintech companies starting in the payments services sector.
According to the directive, under the new regime, businesses which provide and maintain customers' payment accounts are required to give certain third parties which have a license to provide payment services access to customers' account information, provided the customer has given their explicit consent to that access.
The right of customers to be provided with information which properly informs them about the extent of their access is also extended.
What is there in the new regulation?
Under the new regulation, payment services are banned from placing restrictions on third-party account information access. In addition, payment services are prohibited from treating payments which go through third parties differently (e.g. applying added charges, treating them as being of lower priority, etc.) from those which come directly from customers.
Separate provisions have been included to cover payments made under framework contracts which provide for a series of payment transactions and those which do not.
Now both the payer and payee in a transaction are entitled to receive information from their respective payment service providers about the charges applied to transactions. EU countries are also required to ensure payment service users are given information on any charges or interest applied.
Before each transaction under a framework contract, payment service providers are required to provide customers with explicit information on the maximum execution time and the charges payable by the payer and, where applicable, a breakdown of the amounts of any charges.
Strong customer authentication required
The directive contains significantly stricter rules on payment service user authentication, with the purpose of ensuring that payment service providers can be confident that the people using their services are who they say they are. Therefore, payment service providers are required to apply strong customer authentication when payers initiate an electronic payment transaction.
The proposals, however, would allow the European Banking Authority (EBA) the scope to set guidelines on exemptions to this general rule.
Given that security measures are becoming more and more complex and sophisticated, and that they are constantly driving towards a frictionless experience for consumers, some conflict between the directions in which industry and regulators wish to travel is expected.
It is still unclear if, or to what extent, consumers will benefit from the mandated security procedures given that the liability provisions largely protect consumers from loss. Payment service providers who fail to apply strong customer authentication for payments made online or over the phone cannot require payers to bear any financial consequences unless those payers themselves act fraudulently. In all circumstances where strong customer authentication is required, the Council said payment service providers must adopt specific security requirements to protect the confidentiality and the integrity of the payment service users’ personalised security credentials.
Golden opportunity to accelerate the digital revolution
The financial sector is one of the most complicated and highly regulated, so it might be hard for many to greet the introduction of new rules with open arms. At first sight it might seem that regulators have made the rules of the game stricter and forcibly unveiled the backstage of the payment services scene. On the other hand, PSD2 certainly expands the space for development for financial institutions, once they embrace the adopted regulations and revise their growth strategies.
Regulators actually give banks and financial institutions a golden opportunity to accelerate the digital revolution they ought to embrace - not for the sake of compliance, but for the sake of growth. Some large players of the fintech arena have already started making use of the new regulatory framework.
Yobie Benjamin from Token shared his perspective at Arctic15, in Helsinki last week:
“We have always been interested in building the next generation global payment system, and the opportunity showed itself with the introduction of PSD2. The European financial sector unites around 19,000 registered banks, which are regulated by the European Central Bank. Now all of them are required to open up their system for other players with the aim of increasing regulation and competition. It would be silly not to use the opportunity to ensure development of the sector. We decided to team up and write software for compliance with PSD2”.
Yobie explains that the real magic was in the fact that, in order to comply with the new regulatory framework, all European banks have to be connected to one single system.
While working on the software, the team found out that, by connecting all registered European banks, large American and Chinese banks are automatically connected to the system as well, since they all operate in Europe. Therefore, they basically created the basis for a new global payment system.
One lesson can be drawn here - if financial institutions earlier had doubts as to whether to go digital or not, the directive basically forces them to start doing things differently.
Players in the fintech arena now have the chance to go ‘all in’ and excel at creating the new experiences possible in the new digital market context.