PSD2 - Can You Feel the Buzz?

The plenary session of the European Parliament has debated and voted on the Payment Services Directive 2 (PSD2) on 7th and 8th October, 2015. It is a good time for a short summary of the main aspects and what PSD2 means for banks and for the new entrants on the payment services market, often called the disruptive FinTech startups. 

Why PSD2?

PSD2 replaces the existing PSD. It wants to open up the payments industry to non-banks. It also aims at providing clarity about some concepts, exceptions and exemptions that were interpreted differently by the financial regulators in the EU Member States. PSD2 also encourages innovation in mobile payments.  

Open access to customer data and account information services

This is by far the most controversial topic of PSD2. It essentially implies a shift in our way of thinking about banking and payment services. It’s not just about payments but also data stewardship, the value of data and (yes again) Big Data, about identity management and trust. My bank becomes the secure steward of my customer’s payment data. Who do I allow access and for which purposes? PSD2 mandates banks to give access to their customer’s accounts to Third Party Payment service providers (TPP) and to provide account information to third party apps with its customer’s explicit consent.

Technical standards and API

The technical mechanism allowing access to the account is yet to be finalised. Standardisation could help to resolve security concerns and to avoid fragmentation of the market. The European Banking Authority will be mandated under the PSD2 to develop requirements that will harmonise regulatory practices to ensure secure payment services across the EU. The EBA will submit these to the European Commission within 12 months of PSD2 entering into force.  As the security requirements under PSD2 are not expected to come into force until 2018, the EBA already issued its final Guidelines on the security of Internet payments (i.a. strong customer authentication), which have been applicable since 1 August 2015 and which will apply until the PSD2 requirements come into force.  It is likely that (open) API’s will be used to enable access the customer’s account. The idea of using API’s is not new and already on the agenda in several EU Member States and developed in e-banking projects (e.g. openbankproject.com).

Liability

PSD2 also addresses liability issues involved in late or incorrect payments and SEPA direct debits (SDD), also when multiple PSP’s are involved. In principle, the liability is shared between the involved PSPs.

Reaction of banks and payment processors

Three European payment processors for banks[1] have published a proposal on how to approach the X2SA. They advocate a “Controlled Access to Payments related Services (CAPS)” and a creation of a pan-European interoperability model that will ultimately benefit all stakeholders, users, merchants, banks, PSP’s, TPP’s, regulators. This CAPS model aims at allowing its participants a pan-European wide access with a single integration, thus avoiding market fragmentation. Instead of each TPP trying to access accounts individually for each of the 7000 European banks, a standardised interface is proposed that makes connectivity simple for TPPs. The CAPS framework would be defined as a set of rules, in a rule book, based on open and objective criteria (keep in mind competition law issues).

Other research[2] shows that financial institutions worldwide consider security, data protection and privacy, reputation risk and liability as the main concerns.

Timing  

The debate and voting in plenary session of the European Parliament was scheduled for 7th and 8th October. Publication in the Official Journal is somewhere in Q3 of 2015, after which the Member States will probably have until approximately Q4 / 2017 or the beginning of 2018 to transpose the directive into their national legal frameworks.

My Banking Dashboard: the good old banking vault revisited

It would not surprise me if by that time several banks have acquired some promising FinTech startup(s) or have developed innovative payment services themselves, or are cooperating with Third Party Payment service providers by offering e.g. a “banking dashboard” to their customers in which the customer can plug several third party services into the platform of his good old trusted bank, who is the secured steward of the customer’s data.

You can learn more about online payments in the Online Payments Market Guide 2015 here.

[1] Equens SE, Nets and VocaLink, “White paper on CAPS for PSD2”, August 2015.

[2] “PSD2 and XS2A – Regulation or opportunity? Report on a survey by Finextra and FIS”, May 2015.