When the Payment Services Directive (PSD2) replaces the PSD in January 2018, it will have wider scope to cover new payment services created by a period of innovation. The legislation aims to improve consumer protection and competition, and drive innovation. Tom Hay, head of payments at Icon Solutions, writes

PSD2 has created turbulence because it mandates banks to provide customer account access (XS2A) to third-party
payment providers (TPPs), transparency of payment charges, and strong customer authentication for all electronic transactions.

Despite years of negotiations between the European Parliament, Council and Commission, critical parts of the legislation remain ill-defined. For example, with XS2A a bank that “provides a mechanism for indirect access
should allow direct access”.

None of the legal experts I have consulted have been able to explain the difference
between “indirect” and “direct”. Regarding authentication, another clause says: “Where the payee or PSP of the payee fails to accept strong customer authentication, it shall refund the financial damage caused”.

However the payee does not determine the type of customer authentication and therefore can neither accept nor reject. With legislation littered with perplexity like these, rule makers have asked the European Banking Authority (EBA) to iron out the details by drafting Regulatory Technical Standards (RTS). The document covering strong customer authentication and secure communication is due in summer 2016.

The EBA’s statement that it will need to “make difficult trade-offs between competing demands” highlights the difficulties it faces. In any case, it is unrealistic to expect the RTS to resolve the ambiguities. After all, the EBA’s discussion paper acknowledged that the need to allow for innovation requires high-level requirements that provide certain flexibility.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

This continued uncertainty is stifling market progress. PSD2 is designed to boost innovation, but what we are actually seeing is ‘planning blight’. Market participants cannot plan innovative new products, service and features because they do not know what will be allowed and what will be outlawed.

And even if the RTS rules are clear, they do not come into force until October 2018, 10 months later than PSD2. Which begs the question – why continue with a January deadline?

Taking a wider view, the potential of API technology has been overshadowed by a myopic focus on PSD2. Banks need to open up new revenue streams and the innovative use of APIs is central to this. Rather than exploring their transformative strategic potential, banks are increasingly fixated on PSD2 compliance.

The counterproductive nature of the regulation is most apparent when we look at PSD2’s stated objective to “make payments safer and more secure”. Central to this is the requirement for PSPs to apply “strong customer  authentication” when payers initiate “an electronic payment transaction” – effectively two-factor authentication.

Given that security measures are growing in sophistication and that the drive is constantly towards a frictionless experience for consumers, there will be some conflict between the direction that industry and regulators wish to travel in. It’s unclear whether consumers will benefit from these mandated security procedures given that existing liability provisions already protect consumers from loss.

On the contrary, it may provide a boon for fraudsters as consumers will need to provide banking security credentials (rather than card security credentials) to initiate payments, which can easily be stolen through phishing sites. After years of telling consumers to keep bank credentials to themselves, rule makers are now asking them to splash them all over the web. It’s also likely to reduce customer convenience, as simple one-click checkouts like Amazon and PayPal become outlawed.

Visa and MasterCard attempted to increase online security by introducing 3D Secure, which is hated equally by customers who see it as intrusive and difficult, and merchants who can measure the number of sales that
are abandoned at that stage.

If PSD2 mandates the use of two-factor authentication, the majority of which relies on cumbersome one-time-passwords, the effect will be a similarly negative impact on the adoption and usage of these new payment methods. One alternative to imposing intrusive security measures is innovation in risk management.

For example, Klarna has built a $2.25bn business through dynamic risk profiling to achieve frictionless checkout. Imposing a ‘one size (mis)fits all’ approach to authentication will remove any competitive advantage afforded to those differentiating through cutting-edge approaches.

There are no commercial incentives for banks around PSD2. They will have to invest millions to open up their infrastructure to provide XS2A and make the myriad operational changes around pricing transparency, authentication and liability.

Once again banks are being forced to manage regulatory hurdles, rather than invest in services to boost innovation. How will they recoup these costs? They cannot, as PSD2 explicitly prohibits banks from charging third parties for access, creating a massive free rider problem as TTPs enjoy all the benefits without the costs.

And once established, PSD2 will reduce banks’ ongoing revenues. According to Accenture, UK banks could lose up to 16% of their online retail payments-based revenues by 2020 – approximately £1.45bn ($1.88bn). If combined with the recent reduction in interchange fees, customer accounts will become incredibly expensive to hold. It’s therefore highly likely that these costs will be passed to consumers.

Voices calling for the end of free banking have been growing louder in recent years. PSD2 may well be the tipping point that turns words into action. From where we stand today, far from harmonising the payments market in Europe, PSD2 is more likely to create fragmentation, inequality and complexity with the consumer paying as a result of less security, more friction and potentially higher charges.

With the voices of a few dissenters drowned out by a wave of approval, there is a major risk that instead of achieving its stated objectives to make payments more secure, boost innovation, create a level playing field and reduce the cost of payments, PSD2 will result in exactly the opposite.