What major changes are coming in with PSD2, and how can institutional payment service providers adapt in order to comply?
The second Payments Services Directive (PSD2) comes into application on 13 January 2018 and will introduce three major changes, as well as a number of minor ones. First, PSD2 extends the scope of its predecessor directive to payments where only one payment service provider is located in the EU or European economic area (EEA), or ‘one leg out’ transactions, and to payments in non-EEA currencies. This means that the bulk of the directive’s information and transparency requirements will now also apply to these types of international payments. However, certain provisions under PSD are excluded from the scope extension (such as the provision on amounts transferred and amounts received), so providers need to take advice or check carefully which provisions apply to their particular circumstances.
The second change is that PSD2 seeks to strengthen payment security, and the security of customer account details, by requiring two-factor authentication for all electronic payments and remote account access, though certain payments will be exempt.
However, the most fundamental transformation brought about by PSD2 will be the opening up of the European payments market to a number of different types of ‘third party providers’—the most important of which are payment initiation service providers and account information service providers—that will be given a new type of license and subject to new requirements.
Payment service providers will have to undertake a substantial volume of change work to adapt their systems and processes to implement these changes. However, what will probably have the most far-reaching effect on the European payments market as a whole is the licensing of the new third-party providers, as this is likely to usher in a whole new innovation ecosystem in European payments.
What do you anticipate emerging as the biggest challenge for back-office processes?
Each of the three main changes implemented by PSD2 has potentially significant consequences for back-office processes. Payment service providers will need to make changes to ensure they comply with all relevant provisions regarding international payments in consequence of PSD2’s scope extensions. They will also have to ensure all their customer authentication processes for electronic payments, as well as for other forms of remote account access, are geared up to require two-factor authentication. How challenging each of these changes will be for any given institution will depend on its current systems and processes, but there should be sufficient time—and help where required—to implement the necessary changes, provided institutions don’t delay.
Setting up the third-party interface is an entirely new requirement affecting all payment service providers that offer access to online payment accounts. The European Banking Authority will publish further details regarding this soon, although it is unlikely to define the interface’s technical specifications, common standards or interoperability. In this light, Deutsche Bank is taking a pro-active approach that strongly favours banking industry collaboration as the means of developing a single pan-European technical standard for third-party provider access, which further promotes the vision of a single European domestic market with the single regulations, formats and technical standards. In that respect, currently we see Berlin Group, a pan-European payments initiative focused on interoperability standards and harmonisation, as the most international and advanced working group.
What will Brexit mean for UK institutions, with regards to PSD2?
Until the UK‘s withdrawal from the EU becomes effective, EU regulation remains binding. After that, we don’t yet know what shape UK replacement regulation will take. However, UK institutions with operations located in the EU or EEA, or processing payments one leg of which are located there, will still be obliged to comply with its provisions, so most institutions operating internationally would do well to gear up for the changes, whatever happens regarding Brexit.
The UK is a very technology- and innovation-friendly environment, and is likely to continue to be supportive of the best in fintech and of innovation in payments. Also, there are other moves pushing the market towards more open banking. Take, for example, banks developing and implementing open application programming interfaces.
How does the directive aim to promote innovation in corporate payments while also improving the safety of transactions?
Third-party providers working in close proximity and cooperation, as well as competition, with incumbent providers is likely to stimulate a lot of innovation, both in the kinds of products and services offered to corporates and in how these are delivered. In corporate payments, unlike in the retail sector, the journey has only just begun to transform the customer experience and add value to payments. Accessing multiple account balances and real-time complex transactions—processed through various providers, channels, devices and jurisdictions—is only the starting point. Corporates will also expect substantial added value from their payment service providers. More sophisticated services might result, such as tailored decision-supporting analysis of data calculating anticipated comparative outcomes of different courses of action.
Naturally, where there is more frequent and easier access to customer account information by more parties, this gives rise to worries concerning the security of customer account information. This is precisely why PSD2 is raising the bar by requiring two-factor authentication as standard in both electronic payments and for all kinds of remote access to customer accounts and account information.
Does PSD2 favour ‘disruptors’ over legacy service providers, and is this a sustainable provision?
The EU institutions have expressed themselves in favour of payment innovation on many occasions, but PSD2 does not seek to favour any particular type of provider.
Its likely effect is rather to level the playing field by allowing third-party providers access to the market, bringing them under regulatory supervision, and guaranteeing them access to customer account information.
The new business models and customer-friendly channels of communication that these organisations bring with them are bound to stimulate innovation. However, it is by no means clear who will deliver the bulk of these new services—it might be established incumbents, leveraging their natural advantages of global footprints, deep-rooted customer trust and regulatory expertise, or it might be technologically nimble fintech providers—but many of the successful solutions are likely to arise from collaborations between the two.
The result should be a vibrant, innovative and secure payments market in Europe, benefitting corporates, consumers and the market as a whole.