Customer payment credentials - the new era

Feature | 30 January 2017
PSD2

While PSD2 is not another SEPA, it is set to transform European payments and improve protection against online fraud. But what does it involve for payment services providers and customers? TFR investigates

From 13 January 2018, EU Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD2) becomes applicable. It will bring about major changes and, rather than being a mere update, has the potential to revolutionise the European payments market.

With online and remote fraud figures rising at alarming rates everywhere - by 13% from UK retailers in 2015 (online fraud against UK retailers totalled an estimated £155.5m in 2015, a rise of 13% on the previous year1 and by a staggering 21.2% year-on-year for online card payment fraud in the EU,2 everyone is hunting for the perfect method of customer authentication.

Solutions range from ever-more secure, advanced forms of tokenisation to sophisticated biometrics - from mere fingerprints to iris recognition, heartbeat and even palm size measurements. Unsurprising, therefore, that one of the three main changes made by the forthcoming update in European Union/European Economic Area payment service market regulation, PSD2, is to online payment and remote account access security by the introduction of stronger customer authentication.

PSD2's predecessor regulation was introduced in 2007,3 to a very different kind of payments market. Since then, a step-change in technological development has thrown up a multitude of new payment methods and channels, and new operators have started offering types of payment-related services that were not captured by that previous round of regulation, simply because they did not exist.

PSD2 takes account of the major changes that have occurred since 2007. However, chances are that it will be far more than a mere update - it has the potential to usher in a new, more open and competitive era of payments in Europe. Besides widening the existing geographic- and currency-scope, this directive decouples the provision of financial service from the account itself, thereby establishing a new, more level playing field on which innovative companies can compete for market share with established banks.

"Competition will increase the frequency and intensity of innovation - which will benefit the market and the industry will benefit as a whole", says Shahrokh Moinian, global head of cash management corporates at Deutsche Bank, and contributor to a recently released paper on PSD2, Payment Services Directive 2 - Directive on Payment Services in the Internal Market (EU) 2015/2366.4 Monika Aminiova of BNY Mellon agrees: "We consider PSD2 to be a significant step in the evolution of payments. While PSD2 retains the same basic structure as the original directive, it captures a wider range of payment transactions, addresses some of the concerns raised during the legislative process regarding questions of liability, and will help to effect innovation in the payments sector."

What is changing?

There will be three major changes, alongside a number of lesser ones.

  • Scope extension: PSD2 extends the scope of many - but not all - of its predecessor's provisions to payments where only one payment service provider is located in the EU/EEA, and to payments in all currencies, not just those of the EU/EEA member states.

  • Customer authentication: PSD2 introduces strong customer authentication for electronic payments and remote account access;

  • Third party providers: PSD2 licenses new "third party providers" to provide two new specific kinds of payment-related service.

There is no predicting the range of innovation that the interaction triggered between existing banks and these new third party players may produce. Aminiova adds that "The key to unlocking the future of payments lies with collaboration, and by leveraging the complementary strengths of both banks and fintechs we have a real opportunity to transform payments and deliver a new optimal experience for clients. PSD2 should help to act as a catalyst for driving further bank-fintech engagement and partnerships."

Rainer Wolff, vice president, product management cash services at Commerzbank's Innovation Lab, believes these new partnerships will go some way towards satisfying the market's current appetite for change. "Companies everywhere are constantly searching for greater ease of access, flexibility and efficiency in their payments experience. Demand has grown for user-friendly interfaces, better internet navigation, and a secure mobile payments infrastructure. We believe that working with fintechs - harnessing their innovatory potential while at the same time leveraging banks' reputations, global reach and technological infrastructure, is the way forward."

Meanwhile, payment providers have their work cut out making the adjustments to systems and processes that PSD2 requires: changes in consequence of PSD2's scope extension, extending two-factor authentication (2FA), and - potentially most profound of all - changes they are required to make to assist new third party providers.

Customers, on the other hand, including corporate customers, need not be overly concerned about preparing for PSD2 - this is definitely not SEPA "Mark II". On the contrary, they stand to gain by being offered more, and potentially more convenient, services, both by the new types of payment service provider and - either by way of competitive contagion or collaboration - by their existing providers. Consumers will be better safeguarded regarding transparency of terms as well as with respect to the information they are provided, payment security and data protection, and will incur a lower maximum liability for unauthorised payments.

Cause for contention

PSD2 will bring significant transformation to the payments industry, and although opinions currently still differ concerning what each individual adjustment will mean in practice, its benefits have been generally accepted by the industry.

Probably most straightforward in principle are the system and process modifications that will need to be made in consequence of PSD2's scope extension - an anticipated and logical next step. Payment service providers will have to implement changes in international payments to ensure compliance with new provisions regarding currency conversion, value dating and availability of funds. However, a number of provisions at the core of payment processing - such as those on payment transaction execution times - continue to apply only within the scope of the first directive.

Like all EU regulation, PSD2 has consumer protection as one of its primary goals, and protecting consumers against online fraud, as well as safeguarding valuable customer data, are aims to which payment service providers, retailers, and regulators alike naturally subscribe. However, the way in which PSD2 - or the European Banking Authority (EBA) through its draft Regulatory Technical Standards under Art.98.2 - intends to implement strong customer authentication, has prompted a number of those involved with e-commerce, digital technology and fintech to raise concerns. It appears to mandate 2FA for each and every remote, online or electronic payment, no matter what the surrounding circumstances.

Some argue this would have a disruptive effect on the single market by making the "checkout" of online shopping more onerous, with potential negative impacts on SMEs, fintechs and other start-ups. Instead, they advocate a more flexible, risk-based, "technology-neutral" approach for certain types of online transactions. It remains to be seen to what extent the EBA will take this and other industry feedback into account in formulating its Final Draft Implementing Regulatory Technical Standards, due to be published this month.

However divided opinions may be about the best way to implement strong customer authentication, it is the licensing of third party providers in the EU/EEA payments market that is likely have the strongest impact on the payments market as a whole. Many such third parties have of course already begun operating, and by licensing them, PSD2 will bring them under regulatory supervision. But PSD2 also gives them a leg-up and access to the tools of their trade, customer information, by obliging all account servicing payment service providers who give their customers online accounts - such as existing banks and building societies - to set up an online account interface through which these third parties may extract the information they require, provided they have customer permission.

Moinian elaborates, "The new customer interface need not be EU-wide, or even national - there is nothing to stop each provider from building its own interface. However, we believe this would be neither in customers' nor providers' best interests. Instead, we see the banking industry voluntarily developing a detailed, pan-European technical standard for third party provider access as the best option. This will make for a smoother start once PSD2 comes into application - for existing payment providers, new third parties, and customers."

PSD2 licenses two specific types of payment service provider, the first in the area of internet payments, the second in online account services. Payment initiation services have emerged widely as a catalyst to e-commerce, giving comfort to a payee that a payment has been initiated. The payee is thereby incentivised to release the goods or deliver the service purchased without further delay. Account information services, on the other hand, provide consolidated and convenient information on one or more payment accounts to their users, giving them easy and transparent access to their finances as a whole.

Next phase

The entry of these new types of operator, using immediate and convenient channels of customer communication, and predicated on business models far removed from those of the incumbents, is likely to trigger changes in the market. Some predict it will thoroughly shake up the European payments market, leading to a profound change both in the mix of players and the range and type of services offered.

So are existing providers concerned about the changes or the competition from new third party providers? Many welcome PSD2 as a step forward. Aminiova believes "PSD2 is expected to help to foster greater harmonisation and efficiency across the European payments market, driving change in terms of innovation, security and data transparency - as well as increased competition. It should help to deliver significant benefits to customers."

Just as PSD2 makes headway, Ingrid Weisskopf, head of cash products and advisory financial institutions, Commerzbank, anticipates a general trend towards more innovatory services benefitting corporates: "Corporates nowadays require far greater clarity and comprehensive information from their banks regarding their payments and transactions than ever before."

Banks must understand that it won't matter to them whether it is an authorised account information provider, or a bank, or a bank and a third party in collaboration, that supplies this information, just so long as it is secure, easy to access and has the right level of detail on increasingly complex cross-border transactions. With or without PSD2, the industry must rise to these types of challenge, but PSD2 may help drive the momentum towards such innovation.

On the road to PSD2

What preparation work do existing providers need to undertake? Apart from making the necessary system and process adjustments required by PSD2's scope extension and for customer 2FA, the most immediate way in which they should be preparing for PSD2 is by ensuring they have a secure and easy-to-access online interface in place. Deutsche Bank's Moinian explains that "Industry collaboration is crucial to getting "PSD2-ready", for example by working together on the new third party interface.

Existing banks and new third parties should approach the introduction of PSD2 in the full spirit of cooperation, as this will make for the smoothest transition and will best serve customers. Beyond that, there will be further collaboration between existing providers and new third parties, as there are many ways in which they can complement each other."

Moinian's main message is that existing providers need not fear the effects of PSD2 - but nor should they treat it as a mere compliance exercise. "We should regard it as a major step forward along the road to a more open, digital payments market in Europe that refocuses from pure payment execution to service provision in which the payment is only one contributing element. Additionally, providers should be regarding PSD2 as a potential source of new business - there is no doubt there will be opportunities in its wake for all participants who welcome, and adjust to, an extended list of players in the payments market."

References: 

References

  1. www.financialfraudaction.org.uk/fraudfacts16/

  2. See http://bit.ly/2i4Ah7L at www.gtnews.com

  3. Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007

  4. See http://bit.ly/2hg7hgw at www.db.com

Already registered? Login to access premium content

Give Feedback