In October 2015, the European Parliament passed the revised Payment Services Directive (PSD2), with EU member states given two years to make the required changes in national legislation to comply with the new rules.
It’s a regulatory shift that has been described as “one of the biggest changes that the banking sector has ever faced“. The updated rules will have repercussions including more openness to new players in the payments market, as well as some significant implications in terms of fraud.
The nuts and bolts of PSD2
One of the fundamental goals of PSD2 is to open up the European payments market to new entrants, which will mean opportunity for innovative fintech firms and payment providers. Some financial institutions might take a negative view of the new rules – which will mean increased competition and more work for compliance departments – but it has been noted that PSD2 could hold promising potential for established banks as well.
The legislation introduces and regulates two categories of third-party service providers. Payment initiation service providers (PISPs) are firms separate to the account holder’s bank who will be given the power to initiate payment transactions, while account information service providers (AISPs) will be able to connect to bank accounts and retrieve information from them.
What this means is that authorized third parties will be able to complete payments on a customer’s behalf, giving people another option for conducting digital transactions without a credit or debit card. Payment service providers (PSPs) will be prohibited from implementing any additional surcharges that go beyond their direct costs.
The European Parliament said PSD2 will cut the cost of paying bills and make online payments safer by enforcing data protection and liability rules for all online PSPs.
Lead parliament member Antonio Tajani said: “The EU payment services market remains fragmented and expensive, costing €130 billion, or over one per cent of EU GDP, a year. The EU economy cannot afford these costs, if it wants to be globally competitive. The new regulatory framework will reduce costs, improve the security of payments and facilitate the emergence of new players and innovative new mobile and internet payment methods.”
In an article for bobsguide, Sarkis Akmakjian, senior director for product management at business solutions provider Accuity, pointed out that PSD2 requires banks to take responsibility for increased data-sharing with third-party service providers. However, he stressed that this “does not have to be a one-way street”.
“PSD2 mandates the flow of customer information in one direction – from the bank to the PISP or AISP,” wrote Mr Akmakjian. “However, there is nothing in the legislation to prevent banks from coming to a reciprocal arrangement with PISPs and AISPs, opening up rich new channels of data.”
The fraud implications
Boosting the safety of online payments and reducing the risk of fraud is one of the key aims of PSD2. Banks will have the power to deny PSPs access to a customer’s account, but only for “objectively justified and substantiated” security reasons that have been reported to supervisory bodies. Third-party payment providers will have an obligation to guarantee safe authentication of the user and to ensure that personal data is transmitted through secure channels, and only with the customer’s consent.
However, there have been concerns raised over some of the unintended security implications of the new rules. In April 2016, financial and business solutions firm Fexco highlighted some inconsistencies in how the PSD2 guidelines were being implemented. Some regulators, such as the Central Bank of Ireland, opted for immediate implementation, while others, like the UK’s Financial Conduct Authority, were biding their time and seeking more clarity on the measures.
Ruth Wandhofer, chair of the European Banking Federation’s payments regulatory expert group, has suggested that stronger guidance would help to reduce the risk of fraudulent third-party providers (TPPs) gaining access to customer data in a more open marketplace.
“Consumers could be shopping on a spoofed website, provide their credentials, and the fraudulent TPPs would use these to empty the consumer’s account,” she told PaymentsCompliance. “We have seen these incidents before, and we’ve seen them increase in the market – especially in certain European countries where due to the presence of TPPs for payment initiation people are used to sharing credentials.”
While the full effect of PSD2 in terms of fraud and the payments sector as a whole remains to be seen, it’s clear that banks need to be prepared for the new rules – for compliance reasons but also to make the most of any opportunities that arise as the industry enters its next phase of growth.
For those interested in learning more, NCR, Payments Cards & Mobile and PSE Consulting will be taking part in two webinars next month on the opportunities (December 1st) and risks (December 14th) associated with PSD2.