20 November 2016 Rene Hodde

Ximedes PSD2 for starters

1. Overview

The revised Payment Services Directive (PSD2) is set to bring payments in Europe to the next stage of development; it is a data and technology-driven Directive that aims to help develop a unified payment services sector that better fosters competition, innovation and security of internet payments and account access. Major benefits around cost, convenience and speed for consumers will spread across the region.

By providing standardized access to customer data and banking infrastructure, PSD2 will lower the barriers for entry to third party providers (TPPs) and financial technology companies (fintechs) in Europe’s payments ecosystem, and it will stimulate the development of new business models and a wide range of new banking services. The growth of “push” payments directly from bank accounts and instant or real-time payments transactions are some of the major goals introduced by the new regulation.

However, not all stakeholders in the payments industry have welcomed the new regulation, and some have shown strong skepticism towards its benefits. Critics believe PSD2 will increase the costs and complexity of doing business in the regulated payments space. For instance, it increases the attractiveness and use of unregulated payments such as Bitcoin; it encourages the growth of alternative players in the payments sector who do not manage money but who provide data tools, etc.

Nevertheless, depending on how stakeholders choose to respond, the new directive can be either a catalyst for the development of valuable new business models or a threat that will spawn serious competitive challenges.

2. PSD2 – What is it?

The Directive on Payment Services (PSD), adopted in 2007, provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims at establishing a modern and comprehensive set of rules applicable to all payment services in the European Union (EU). In October 2015, the European Parliament adopted the revised Directive on Payment Services (PSD2). This new law, proposed by the European Commission (EC) in July 2013, enhances consumer protection, promotes innovation and improves the security of payment services. PSD2 is the latest in a series of regulations recently adopted by the EU in order to provide for modern, efficient and cheap payment services and to enhance protection for European consumers and businesses.

Key changes introduced by PSD2

  1. Extension of scope beyond Europe
  2. Regulation of new types of PSPs and their ability to access customers’ bank account details or initiate payments on behalf of customers
  3. Prohibition of card surcharges (details
  4. Transparency of Payment Institutions
  5. Security of online payments and account access

Timeline

The proposals within the PSD2 have now been finalized by the European Parliament, and in the near future there will be a vote by the European Union (EU) member states to officially endorse the Directive. After this vote has taken place, member states will have two years to introduce the changes into their own national laws. That is, PSD2 will come into effect by 2018. According to research (F2), the first countries expected to transpose PSD2 will be the UK, Bulgaria, Denmark, Germany, Austria and France. Poland and Iceland are expected to be among the last.

 

3. What does it change?

Main changes introduced by PSD2 include:

  1. Extension of scope beyond Europe: the scope of regulated transactions has been extended to transactions in any currency and to transactions where at least one party (and no longer both) is located within EU borders.
  2. Third-party access to accounts (XS2A): The main aim of the PSD2 is to encourage new players to enter the payment market. Indeed, PSD2 mandates banks to allow external parties to access their clients’ bank accounts. These Third Party Players (TPPs) are divided into two types:

Account Information Service Providers – AISP

Payment Initiation Services Providers – PISP

  • Account Information Service Providers (AISPs) are providers that can connect to bank accounts and retrieve information from them. An AISP acts as an aggregator of data relating to a payee’s accounts held across one or many different Account Servicing Payment Service Providers (ASPSPs), or banks. That is, AISPs allow consumers to view all of their multi-bank details in one portal. The AISP connects directly to the online platform of the ASPSP using authentication details provided by the payer. The AISP can typically provide the payee with details such as the payer’s combined balance across all accounts, as well as tailored analyses of payment trends and classifications, both per account and as a whole.

Note: AISPs must register under PSD2 as a Payment Institution. Examples include Mint and Money Dashboard. (Accenture, 2015)

ASPSP provides and maintains accounts – traditionally the core business of banks.

  • Payment Initiation Service Providers (PISPs) are players that are granted permission by a payment service user (PSU) to initiate payments on behalf of that PSU. Currently only banks can access a client’s account, but in the future new payment options will be able to move money from the account. Although the PISP does not actually hold the buyer’s funds, it does provide comfort to the merchant that the money is available to be released from the payer’s account. In turn, the PISP also benefits the consumer in that they are provided with the ability to view their account balance at the point of payment initiation.

Note: The PISP would typically be made available as a payment option on a merchant’s website. Examples include Sofort and Trustly. (Accenture, 2015)

These new categories of service providers, along with the traditional Account Servicing Payment Service Provider (ASPSP), must all register under PSD2 as a Payment Institution.

Note: An exemption to registration as a Payment Institution is provided within the PSD2 for ‘credit institutions’ as defined under Regulation (EU) No 575/2013 of the European Parliament and of the Council.

  3. Prohibition of card surcharges: PSD2 seeks to standardize the different approaches to surcharges on card-based transactions, which will not be allowed for those consumer cards affected by the Interchange Fee cap. PSD2 will align with the proposed regulation in order to promote cost transparency for European card payments; it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers. The EC said both the payer and payee in a transaction are entitled to receive information from their respective PSPs about the charges applied to transactions.
  4. Security of online payments and account access: The regulation introduces new security requirements for electronic payments and account access, along with new security challenges, such as data protection, relating to AISPs and PISPs. The most notable change is the requirement for all Payment Institutions to implement what is deemed as “strong customer authentication” for electronic payments and online account access. The latter is reflected in the European Banking Authority Guidelines for the Security of Internet Payments, with further regulatory technical standards also due to be developed by the European Banking Authority (§3.2.1).

Example Account Information Service Providers (AISP)

Yodlee, Money Dashboard, Mint, First Direct, Money Supermarket, Starling

Example Account Servicing Payment Service Provider (ASPSP)

HSBC, Santander, Nationwide, Yorkshire (YBS)

Example Payment Initiation Service Provider (PISP)

Amazon, John Lewis, British Gas, Sofort, Trustly

3.1 Payment processing

The regulation of Access to Account (XS2A) has been the most controversial aspect of PSD2 because of the implementation and risk mitigation efforts expected to be needed to put it in place, as well as its business and technical impacts. However, it offers business opportunities for established and new market participants to improve, enlarge, or even re-engineer current product and service offerings.

XS2A holds the potential to revolutionize the way payments are made. Currently, payments follow a “pull model,” where consumers give the merchant their credit or debit card details, from which the merchant can “pull” the amount owed via the card scheme. Under PSD2, this changes. Instead, PSD2 allows an online merchant to “push” the payment directly from consumers’ bank accounts. The PISP executes a credit transfer on behalf of the consumer directly to the merchant.

This new “push model” is made possible by the introduction of an Application Program Interface (API) for processing payments. Merchants communicate via an open API either directly with the consumer’s bank or via a TPP, effectively cutting out the merchant’s acquiring bank and the card schemes. This means PISPs allow merchants to conduct transactions without requiring a debit or credit card.

Note: Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact. A good API makes it easier to develop a program by providing all the building blocks. A programmer then puts the blocks together.

Despite the IT complexity and cost to implement the changes, this new model cuts out the middlemen: all the classic third-party payment intermediaries are disintermediated. Indeed, this change could be detrimental to the interests of card issuers, which would lose a significant revenue stream. The changes may result in reduced fees for merchants and even consumers, if the savings are passed on. It is notable that PSD2 will not allow banks to treat payments initiated through third party providers differently from those initiated through their own systems.

The European Banking Authority (EBA) has been given the responsibility for defining the Regulatory Technical Standards (RTS) for the use of APIs. That basically means the standards that all APIs will need to comply with (i.e. what data is transferred, what are the security protocols, what happens when things go wrong, etc.).

Moreover, PSD2 also clarifies liability. Under the new regulation, liability should broadly be shared between PSPs acting on payers’ instructions and those receiving payments on behalf of payees, with each PSP liable for problems with its part of the transaction.

But PSD2 is not only about payments efficiency. New AISPs and PISPs will acquire insightful data about consumers, offering them lucrative cross selling opportunities to offer value-added services (e.g. calculate in real-time the credit risk of a particular individual, identify clients marketing likes and dislikes, asset worth, etc.) that financial institutions are not currently in a position to provide.

Currently, a bank can only use their customers’ data (e.g. customer’s purchases, transfers, mortgage repayments) for the specific banking services they have signed up for, unless they obtain their customers’ explicit consent to do differently. TPPs, however, can obtain consent upfront from a customer to use the data for multiple services, such as a benchmarking pricing comparison of insurance rates or bank fees. They not only gain valuable screen visibility with the customer, but can also offer new, valuable services.

Nonetheless, PSD2 mandates TPPs to ensure that customers always understand what permissions they are granting, how the data will be used, and the level of security around it.

3.2 Security

According to research, security is the largest concern about PSD2 and its new XS2A rule. The new regulation authorizes AISPs and PISPs to officially become payment service providers. Main security concerns focus on the entrance of these new players in the payment landscape and their access to personal account details.

Note: “PSD2 and XS2A – Regulation or opportunity?” – Finextra and FIS Global (2016)

Main perceived security concerns include:

  • Existing IT infrastructures and current architectural or technical restrictions not ready to accommodate new entrants;
  • Perceived increased security risks from sharing personal account data;
  • Data protection regulation and requirements;
  • Perceived increased fraud risks;
  • Liability in case of unauthorized transactions and data breaches.

Consequently, payment service providers must adapt their business, IT, risk and compliance departments to the new regulation, as well as their product and services strategy. IT revenue streams for developers and security experts are expected to increase due to new security requirements and the opening of APIs.

3.2.1 Strong authentication

Under PSD2, the EBA also proposed regulatory technical standards on Strong Customer Authentication (SCA) and secure communication. In other words, the new regulation mandates two-factor authentication as the minimum security standard. This is defined as the use of at least two independent factors as part of the authentication process across the categories:

  • Something you know (e.g. a password);
  • Something you have (e.g. a smart card);
  • Something you are (e.g. a fingerprint).

Note: The EBA has published a discussion paper on the proposed RTS on strong customer authentication and secure communication, which is available here: http://tinyurl.com/hjfom7

The authentication factors used must be from at least two different categories and independent, in that the breach of one does not compromise the reliability of the others.
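One way to express the two-category and independence rule above as a check. This is an added illustration, not code from the original article, PSD2 or the EBA standards; the `Factor` type, the `evaluate_sca` function and the `exposed_by` breach-point model are assumptions, and the sample factors are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

# The three categories named in the text: know / have / are.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str
    # Assumed model of independence: the assets whose breach would
    # expose this factor. Two factors sharing an asset fall together.
    exposed_by: frozenset


def evaluate_sca(factors):
    """Return (ok, reason) for the factors presented in one authentication."""
    for f in factors:
        if f.category not in CATEGORIES:
            return False, f"unknown category for {f.name}: {f.category}"
    if len({f.category for f in factors}) < 2:
        return False, "fewer than two distinct categories"
    # Look for a pair from different categories that no single breach exposes.
    shared = None
    for a, b in combinations(factors, 2):
        if a.category == b.category:
            continue
        overlap = a.exposed_by & b.exposed_by
        if not overlap:
            return True, f"{a.name} + {b.name}"
        shared = (a.name, b.name, sorted(overlap))
    return False, (f"{shared[0]} and {shared[1]} share a breach point: "
                   f"{', '.join(shared[2])}")


# Constructed sample factors.
PASSWORD = Factor("password", "knowledge", frozenset({"user-memory"}))
PIN = Factor("pin", "knowledge", frozenset({"user-memory"}))
SMART_CARD = Factor("smart-card", "possession", frozenset({"card"}))
FINGERPRINT = Factor("fingerprint", "inherence",
                     frozenset({"biometric-template-store"}))
# A password saved in a notes app on the same phone that receives the code.
SAVED_PASSWORD = Factor("password-saved-on-phone", "knowledge",
                        frozenset({"user-memory", "phone"}))
PHONE_OTP = Factor("otp-on-phone", "possession", frozenset({"phone"}))

if __name__ == "__main__":
    for combo in ([PASSWORD, PIN],
                  [PASSWORD, SMART_CARD],
                  [SAVED_PASSWORD, PHONE_OTP],
                  [SAVED_PASSWORD, PHONE_OTP, FINGERPRINT]):
        print([f.name for f in combo], "->", evaluate_sca(combo))
```

The third case shows why counting categories alone is not enough: the two factors are from different categories, yet a single compromised phone exposes both.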

Under PSD2, strong customer authentication will be mandatory for all electronic or online payments unless exemptions are otherwise published by the European Banking Authority (EBA). Indeed, stakeholders are worried that the EBA will require SCA for all transactions over EUR 10. This would have important consequences for the card payments industry, such as: issuers would be obliged to decline transactions that were not strongly authenticated; merchants cannot allow consumers to authenticate in-app, so they have to be transferred to a separate authentication window (e.g. 3Dsecure), app or platform (i.e. initiation and authentication are isolated); issuers cannot apply RBA (Risk Based Authentication), so all transactions over EUR 10 may need to be challenged.

Analysts believe this outcome is a backwards step for the European cards market. It degrades the consumer experience at the point of payment, frustrates merchants who wish to allow customers to check-out easily, and annoys issuers who are promoting cards as a form of easy online payment. Some experts have suggested this is part of a political initiative by the European Commission to “level the playing field” between credit transfer and card based payments by removing many of the current advantages of the latter.

Draft technical standards will be submitted to the Commission within 12 months of PSD2 entering into force. PSPs that do not comply with these requirements will be responsible for any losses due to identity fraud.

4. Who wins and who loses?

PSD2 is set to introduce many changes in the payments value chain; all stakeholders will be impacted by the new regulation, some more positively than others. While PSD2 drives the process of disintermediation of acquirers and the card schemes, among others, many new business opportunities are also created for new entrants and current players.

4.1 Merchants

Merchants will be one of the main winners of the introduction of the new regulation. First they will benefit from the move to “push payments” and new payment initiation services (e.g. balance checking, bank statement reconciliation, cash and liquidity management, enquiries, etc.).

They may form relationships with specific PISPs for the mutual benefit of both parties. Alternatively, merchants may also register as a Payment Institution under PSD2 and offer their own Payment Initiation or Account Information services directly, which would be a fundamental change to their payments operating model.

Benefits include:

  • Reduced transaction costs compared to card interchange;
  • Immediate settlement into merchants account;
  • Flexibility to accept multiple payment methods;
  • Even greater direct relationship with the customer.

4.2 Consumers

When PSD2 becomes effective, bank cards will no longer be the only option for online payments. Consumers will be able to simply confirm that they instructed a TPP to transfer the money directly from their bank account. Moreover, with AISPs, consumers will be able to access a global view of their financial situation and to consolidate different current accounts in order to better budget and plan their finances. They will also benefit from being able to make immediate payments, send higher transaction amounts and pay reduced costs thanks to increased market competition.

Benefits include:

  • Clearer information on payments: ability to consolidate all accounts in one place with continued protection under their product terms and conditions;
  • A wider choice of payment services and greater ease of use. For instance, consumers may choose the most convenient internet or app interface to check their bank account details;
  • Direct integration of their bank account with merchant acquiring sites is convenient and practical;
  • Better consumer protection, due to clarification of the liabilities in cases where transactions are unauthorized or incorrectly executed;
  • Reduced costs due to increased competition in the payments market;
  • Reduction in the dependence on cards to complete eCommerce transactions.

4.3 New entrants

Third party access to accounts (XS2A), the use of APIs to connect the merchant and the bank directly and the ability to consolidate account information in one portal are seen as the most relevant changes introduced by PSD2. They will undoubtedly disrupt payment services in Europe. The payments ecosystem will no longer be dominated by Payment Service Providers (PSPs) such as banks and financial institutions; new third party stakeholders will enter the market to offer innovative solutions that answer consumer frustrations.

This is already the case today. New market entrants and innovative technologies have captured rising market share and disrupted traditional payments operating models and customer propositions. Companies such as Money Dashboard, Trustly and Sofort are examples of this disruption. However, the unregulated status of these services, as they are not covered under the definition of a “Payment Institution” in the original PSD, has created uncertainty that has probably acted as an obstacle to their growth. Additionally, this raises issues in areas ranging from client data protection and security to competition, regulation and the legal domain.

Benefits include:

  • Guaranteed access to technical infrastructure of shared payment systems on the same conditions as traditional PSPs (non-discriminatory treatment);
  • Regulated liability for refunds in certain cases;
  • A requirement to seek authorisation from the relevant national competent authority in order to be enrolled onto the register of Payment Institutions;
  • Benefits springing from regulated competition standards — ASPSPs (banks) cannot charge different rates for payments depending on whether they are initiated via a PISP or directly by the user.

4.4 Financial institutions

Banks and financial institutions have shown strong scepticism towards PSD2 and have seen the new regulation as a direct attack on and threat to their business. PSD2 directly attacks the banking monopoly by requiring banks to open access to their customers’ bank accounts and to make automatic payment orders possible without financially benefitting from the transactions.

The new regulation will not only reduce their existing revenue streams, it will also require a lot of investment from them while introducing a whole wave of competitors. Hence it is not surprising that more than two thirds of bankers fear that PSD2 will cause them to lose control of the client interface, and many of them remain unsure how to respond to the new directive, causing them to adopt a defensive, wait-and-see stance, according to research.

Note: “Catalyst or threat? The strategic implications of PSD2 for Europe’s banks” – PWC (2016)

Although it may be perceived as nefarious at first, PSD2 presents many opportunities for banks and FIs to benefit from increased innovation and free-market competition. They may change their processes and payments operations to accelerate the move towards push payments. FIs and banks can refocus part of their business model to become bank-provided TPP services, and open up the payments infrastructure through APIs. They may also provide more real-time and information-rich services and products in order to feed the demands of digital commerce.

Furthermore, they need to seriously consider partnering with user-friendly TPPs to propose competitive joint offerings that have the backing of the bank’s reputation while retaining the agility and innovative spirit of these consumer-friendly start-ups.

Advantages of banks to face PSD2

  • Banks already have a trusted relationship with their customers;
  • By creating their own financial oversight and management tools they, along with their customers, will be able to see their finances in one place, thereby enabling banks to offer more suitable products to their customers;
  • They can create a connections platform to act as a bridge between their core banking system, there only needs to be one set of APIs from the system;
  • The connections platform would quickly and easily integrate third party services, providing opportunities to sell more products to their customers;
  • The connections platform would carry significant benefits, including a reduction in the amount of development required, an environment where security can be managed, and an ability to leave the current core systems undisturbed;
  • The connections platform would also allow the bank to maintain control of the client interface and strengthen the customer relationship.

Note: “How banks can benefit from the new PSD2 regulation” – Trusek (2016)

Risks and challenges to be faced by banks include:

  • Risk and compliance impacts on products and operational functions;
  • Significant costs to change systems, especially IT;
  • Loss of screen time in front of consumer;
  • Increased security requirements for online payments and account access using strong two-factor customer authentication;
  • Increased security risks (due to engagement with new entrants);
  • A reduction in card usage may prompt card issuers to change their business models and search for alternative revenue streams;
  • IT development will be required to provide TPPs with access to consumer accounts, and to differentiate between when an AISP accesses information and when the PSU accesses information;
  • Increased competition from alternative Payment Institutions;
  • Definition of technical interoperability requirements between PISPs and AISPs (it is yet to be confirmed how these relationships will work).

Note: “Welcoming a new phase of Everyday Payments in Europe” – Accenture Payment Services (2015)

Glossary

AISP Account Information Service Providers
API Application Programming Interfaces
ASPSP Account Servicing Payment Service Provider
EBA European Banking Authority
EC European Commission
EU European Union
FI Financial Institution
IFR Interchange Fee Regulation
OJ Official Journal
PISP Payment Initiation Services Providers
PSD Payment Services Directive
PSD2 revised Payment Services Directive
PSP Payment Service Provider
PSU payment service user
RTS Regulatory Technical Standards
SCA Strong Customer Authentication
SEPA Single Euro Payments Area
TPP Third Party Player
XS2A Third party access to accounts