Payment Services Directive 2 Explained
Call it bad timing, but no sooner had the European Union delivered the first Payment Services Directive (PSD) than the payments industry entered possibly its most “disruptive” period ever. The PSD provided a legal foundation for the introduction of SEPA, the Single Euro Payments Area, which effectively created a single market for payments across the European Union, covering credit transfers, direct debits and cards.
Courtesy of the technological breakthroughs that democratised innovation and levelled the playing field when it comes to collecting and disseminating huge volumes of data, the emergence of Fintech “disruptors”, particularly within the payments industry, changed nearly everything and created a host of “new players” within the industry who began to threaten the hegemony of the so-called “big banks”.
Hence, in 2013, the EU decided that a new raft of legislation was required, as most of the new players’ activities fell outside the scope of PSD 1, which meant that they could not be regulated at EU level.
Welcome to PSD2!
PSD2 essentially means that emerging Fintech players can now be registered, licensed and regulated at EU level, which will inevitably increase competition. The knock-on effect is good news for consumers: cheaper services and more choice.
New players will have access to the XS2A payments account, using APIs and with the permission of consumers, making it easier for them to provide payments services across the same channels as the big banks, as well as giving consumers oversight of all their different payment accounts.
With the expansion of XS2A, however, come increased security risks, namely fraud, money laundering, and the protection of consumer data, and that is where Strong Customer Authentication (SCA) comes into play.
SCA requires payments providers to use two or more of three independent elements: knowledge (a PIN code or password), possession (a card or something only the user possesses), and inherence (a fingerprint or voice recognition).
For remote transactions, a fourth element, likely to be a unique authentication code, can also be used.
SCA must be applied each time a user makes a payment, unless the payment is below a certain threshold or if the beneficiary is already known to the payments provider.
PSD2 affects everybody within the payments industry, from Credit Institutions (i.e. banks) to Payment Institutions, Third Party Payments Providers with a more limited scope of services (i.e. the Fintech disruptors), Payment Service Users (customers), Account Servicing Payment Service Providers, Account Information Service Providers, and Payment Initiation Service Providers.
The PSD2 proposal was first outlined back in 2013, approved by the European Parliament and the EU Council in late 2015, published (in the Official Journal of the EU) in December 2015, and became official on the 12th January 2016.
The final draft is anticipated to be published by the European Commission before the summer of 2017, whilst the European Banking Authority (EBA) finalises requirements such as guidelines required to properly implement PSD2.
The deadline to transpose PSD2 in member states is the 13th January 2018, and the RTS on SCA will enter into force towards the end of the same year.
If all that sounds like something of a headache for firms, then this handy infographic, created by the European Payments Council (EPC), will doubtless help clear things up a little.
Although the regulations may seem complex and onerous, it is good news for Fintech startups, not least because the big banks will have to significantly invest in revamping legacy systems and controls that startup companies do not have to worry about.
In fact, the likelihood is that banks will look to outside help when it comes to revamping their systems and even their services – which might explain why corporate Fintech accelerators are so prevalent today.
In a nutshell, PSD2 will promote innovation in the payments space because it allows new players access to the likes of XS2A, providing a direct connection between retailers and banks, enabled by APIs.
It will also introduce the requirement for two-factor authentication when making payments, grant the unconditional right of refund for direct debits under the SEPA CORE scheme, ban surcharging (excess charges for using payment cards), and provide heightened consumer protection against fraud.
The disruptors that best understand, respond to and implement the new regulations will gain the most. It will not be easy for anyone, but it will, ultimately, benefit consumers and ensure that another large step is taken towards the digitalisation of nearly all cross-border or domestic payments – bad news for the Western Unions and Rias of this world.
That is, at least, until Brexit et al. create the requirement for PSD3!
Infographic by European Payments Council