PSD2: swimming in a new payments POND
15 January 2018
A mini revolution happened in the payments industry over the weekend. PSD2 came into force. ‘PSD – What?’ some might say. The title may mean little to those not ‘in the know’ but it is set to have a significant impact on the retail banking industry and on the way customers use financial services.
The Revised Payment Services Directive (or PSD2) came into effect in the UK and across the EU on 13 January 2018. PSD2 is a fundamental piece of legislation that regulates the provision of payment services and those that provide such services throughout the EU and the European Economic Area (EEA). It is implemented in the UK as the Payment Services Regulations (PSR) 2017.
The aim of PSD2 is to increase competition and promote innovation and transparency across the European payments market, while also enhancing the security of internet and electronic payments. As a result of PSD2, customers can expect certain common standards and protections when they make payments using their cards or mobiles, if they send or receive payments across the EU or if they are subject to fraudulent transactions.
But at the heart of PSD2 are measures set to disrupt the traditional way we think about banking and financial services. PSD2 requires banks to grant access to a customer’s online account and data to “payment initiation service providers” (PISPs) and “account information service providers” (AISPs), so-called third-party providers (TPPs). The regulators’ aim in granting access is to give customers greater control over their data and freedom to access financial services from many different sources. For instance, customers could use a third-party app to access information on bank accounts held with different providers and see all of their accounts on one screen through the app interface.
Much has been made of the way opening up access to customer accounts could shake up banking competition and create opportunities for new FinTech entrants. The competitive advantages of open banking are welcomed by the regulators. For the consumer, PSD2 responds to changing customer behaviour and a demand for more secure, efficient and convenient payments. But banks run the risk of being pushed out of the banking process as customers use non-banks to meet their financial services and payment needs.
But while the “access to account” rule mandates banks and other account-holding payment service providers to facilitate secure access, TPPs should not expect an open door and banks should not feel commercially emasculated by the obligation. Under PSD2, banks are on the hook for payment errors caused via PISPs (although under indemnity rules banks will be able to recover any payouts from TPPs) so banks need to make sure they carry out effective due diligence on the firms to which they grant access.
And for TPPs, the advent of PSD2 means stricter regulatory requirements. This includes, among other things, having a business plan, a security plan, a procedure for monitoring, handling and following up on security incidents, complaints handling procedures, a fraud reporting process as well as meeting the access criteria set by banks. Access to banks is expected to be via Application Programming Interfaces (APIs) and the PSD2 rules require TPPs to have a digital certificate so banks can verify their identity. And in line with the General Data Protection Regulation (GDPR), TPPs will also need to confirm that they have the customer’s explicit consent to access their data. The FCA is already dealing with applications from TPPs and these firms will need to get used to rigorous supervision.
The banks are also not without some control. The regulators indicate that banks can have an application process, with access granted on a ‘POND’ basis – Proportionate, Objective and Non-Discriminatory. This means that the bank can (and should) take a risk-based approach to whether or not it allows access to a prospective TPP. This also means banks can refuse access!
Much of the focus has been on banks’ responsibilities in this new world but this is not a one-way street and TPPs will need to ensure they meet both regulatory and commercial standards.
So as PSD2 makes its long-awaited appearance, opportunities abound but the impact on market players is not as clear cut as it may first appear. Firms must proceed carefully and with due diligence as they enter into this brave new world.