PSD2 is due to be implemented into EU Member States, which currently also applies to the UK, effective from 13th January 2018. This revision stems from the Payment Services Directive (PSD) created in 2007. This law created a single market for payments including credit transfers and direct debit cards within the European Union, providing the legal foundation for the Single Euro Payments Area (SEPA). The PSD was the first European law to affect sterling payments.
Why revise the Payments Services Directive?
As the growth of digitalisation progressed rapidly, the European economy has also digitalised steadily, creating the need for new regulations not covered by the PSD. New services with new entrants to the field have been quickly appearing online and this created the need to implement a revision.
The intention of the PSD2 is to make payments safer, further protect consumers, allow for competition and innovation to continue while levelling the playing field for new competitors and services. When implemented, these new services will be regulated and the Single Market will see increased integration.
Most Important Changes
Access to Accounts (XS2A) to third-party players (TTPs)
These new TPP services will be registered, licensed and regulated by the EU which opens up competition. While this sounds bad for banks, it is excellent news for consumers as this should translate to lower costs for purchases and savings in removed card surcharges.
There are two types of TTP-
- Payment Initiation Service Providers (PISPs) – who can trigger payments from one account to another without holding the consumers money in a wallet, in the way that PayPal or Pingit currently do
- Account Information Service Providers (AISPs) – who can link to bank accounts and fetch information
The way in which these new payment services would work is by allowing access to a consumer’s account, with their consent, to make payments on their behalf. This allows merchants to change the way in which payment is charged.
When goods are bought online, instead of supplying card details to the merchant directly, you could consent for the payment to be redirected to your internet banking. So instead of the merchant requesting funds from your account, you simply send the payment directly to them through PISPs. This method can be seen in companies such as iDEAL and Sofort.
XS2A creates a more open playing field for these TPPs as it challenges banks to be more transparent. A consumer’s bank can give access to TPPs via Application Programming Interface (API), whereby they can complete the purchase for the consumer without having access to all the consumer’s details. There are further opportunities raised by PSD2 for TPPs, as the possibilities to build and enhance products and services could directly translate as savings as well as increased security for consumers.
The scope for AISPs is especially exciting as they would have the power to access information from bank accounts which will allow them to develop new products for consumers. This could be comparison apps which use your information to find better banking deals or perhaps advise consumers on investments, without having to input the sensitive information each time.
Increasing internet payment security through Strong Customer Authentication (SCA)
As the digitalisation of Europe rapidly changed the way in which consumers purchased items online, there has been an increased risk of fraud and theft of sensitive data. Many have fallen victim to online scams or have had details stolen. Banks and companies have been advising customers of increased security while purchasing online, but few have done more than ask for a second password.
PSD2 aims at helping to reduce fraud by enhancing security that would protect consumer data. The revision demands strong customer authentication (SCA) for all electronic payments or transactions. In the past, a second tier authentication may have been issued by the banks through a separate keypad, or the input of a secondary code.
PSD2 insists upon using a minimum of two of the following elements for authentication, if not all of them –
- Something you know such as a password or a pin number
- Something you possess such as a key pad or a randomised card detail
- Something you are, such as a finger print or voice recognition
- For remote transactions such as internet or mobile purchases, a unique code will be issued that links the transaction to a specific amount and payee
SCA will be applied every time a user:
- Makes a payment, unless the payment is below a certain amount or the payee has been previously identified
- Wishes to access their payment account
- Every 90 days at the minimum
This extra layer of security ensures consumer details are much more secure and the risk of fraudulent behaviour is significantly lowered.
Extending the geographical scope beyond Europe
The PSD2 aims to broaden the reach seen in PSD to include all non-digital currencies and transactions where one payment service provider is a non-EU member, referred to as “one-leg-out” transactions.
In practice, this means that consumers should be told upfront information about any fees or conditions attached to international payments from the European side of the transaction. Therefore any PSPs operating in Europe will have to present all information and be completely transparent regarding charges and conditions relating to both national and international payments for the part of the transaction they are responsible for and can be held liable if any issues were to arise.
Unconditional refund rights for direct debit purchases
The PSD2 also clarifies the position of unconditional right of refund for SEPA Direct Debits (SDD), which confirms that consumers now have an unconditional right of refund for up to eight weeks after payment. The UK already has this unlimited guarantee due to the UK Direct Debit scheme.
If the final amount of a transaction is not known in advance, for example if a customer is renting a car or booking a hotel, the payee will only be able to restrict funds on the payer’s account where the cardholder has pre-approved the precise amount that can be restricted. The payer’s PSP is then required to release those funds without undue hesitancy once the information about the final amount is received and, at the latest, after having received a payment order.
The PSD2 states that Payment Service Providers (PSPs) must have dispute resolution procedures in place and will be required to reply to payment complaints no later than 15 business days after receipt. In some exceptional circumstances a holding reply could be provided, if an explanation is given for the delay, with final response being received no later than 35 business days.
PSPs in Member States are required to appoint competent authorities such as the FCA or the Financial Ombudsman Service to ensure compliance with PSD2 and handle any disputes that may arise between PSPs and customers.
There will also be a ban for surcharges and hidden fees implemented to attempt to standardise the practice throughout EU on card transactions, saving consumers an estimated €730 million per year. However, this part of PSD2 has not been implemented by the UK government. They have chosen to ignore measures to show “real costs and charges” of transactions in foreign currency.
At present, UK banks and brokers will still have the choice to hide charges in exchange rates once implemented. The UK government is currently consulting with consumers and will likely make a decision Q4 of 2017, before the revision’s implementation in January 2018.
Who benefits the most from the PSD2?
The biggest winners of PSD2 is undoubtedly the consumers and users of the various banking APIs that will be created. Increased security in all transfers and spending less on transactions are of course only the tip of the iceberg. The scope of the APIs could give consumers added market intelligence on their savings, their investments and a wider scope in applications for credit, all without ever having to re-enter sensitive information to many companies to get better deals.
The PSD2 could also help stimulate new markets that could potentially offer services to advise and assist those who are currently financially excluded. Popular theories on APIs that could be created are those linked to social network services, whereby payments could theoretically be sent and received instantaneously through Facebook or WhatsApp messenger services, which has already become quite popular in the USA through Venmo.
Other big winners will include the growing financial technology companies who can finally compete fairly with the banking giants, creating more competition and unmasking a whole new area of innovation for consumers. Overall PISPs will gain the most, especially if the banks do nothing or decide to wait and see how PSD2 is implemented.
Does PSD2 still apply to the UK after Brexit?
Now that the UK has voted to leave the UK and Article 50 has been triggered, many will wonder if PSD2 is actually still applicable. The short answer is yes, PSD2 will come into effect before Brexit is finalised. However, once the UK has officially left the EU it will be left up to Parliament to decide whether or not to implement it into British law.
How will PSD2 effect Payment Service Providers
Until January 2018, Payment Service Providers need to begin considering both threats and opportunities presented by the PSD2. The main issue will be to understand the technical requirements needed to be implemented and taking the necessary steps in meeting these within the time period left. The consolidation period will be strongly focusing on preparations in enforcing the PSD2, but PSPs should remember the changes will span far beyond this and begin discussing longer term strategy, namely:
- Strong authentication – How to ensure customers identities are correct and how to find this out for sure. There are already a number of ways in which payment providers are doing this; through finger print technology on mobile phones and devices, speech recognition, multiple passwords and pins. All of which could be implemented
- Opening up access to accounts – How to ensure consumer devices, such as mobile phones or tablets, allow access to the payment accounts.
PSD2 will be required for any payment service provider who wishes to keep exchanging and providing payments inside the EU. Execution is up to the PSP, but all companies should be considering how to serve their customers above all else.
At this phase of the discussion procedure, PSPs will in all probability have a lot of work to do. Amended procedures, new innovations and methodology will all need an upgrade and audit to support the PSD2.
Businesses that take card payments or set up direct debit collections online will also have to make changes to comply with the demand for strong authentication.
Once the PSD2 is in place, the most noticeable impact to the consumer will be the implementation of a stronger authentication method. This may mean companies will have to educate their customers on the new updated ways of accessing their data, through biometric technologies, better understanding of how to use their smart devices, such as mobiles and password or pin authentication. There are already positive signs that the UK is more mindful and prepared for biometrics to become more common place in their banking lives and are open to heightened online security, such as the proposed two-step authentication outlined in the PSD2.
The PSD2 will be a revolutionary change not just for consumers but for the financial industry as a whole. The next 18 months will undoubtedly bring about unavoidable change, but PSPs and banks must now guarantee vigorous, consistent practices that bring about change in a developing business sector to deliver the most amount of value to the consumer.
Bron: Henry Simmons is a Director of Centus Limited