Payment Services Directive – II (or PSD2)

EXECUTIVE SUMMARY

In plain terms, PSD2 seeks to improve the existing EU rules for electronic payments. The text reflects recent developments seen in internet and mobile payments. In particular, the directive sets out rules concerning:

  • strict security requirements for electronic payments and the protection of consumers’ financial data, guaranteeing safe authentication and reducing the risk of fraud
  • the transparency of conditions and information requirements for payment services
  • the rights and obligations of users and providers of payment services

The directive is complemented by Regulation (EU) 2015/751, which puts a cap on the interchange fees charged between banks for card-based transactions. This is expected to drive down the cost to merchants of accepting consumer debit and credit cards.

PSD2 establishes a comprehensive set of rules that will apply to existing and new providers of payment services. These rules seek to provide a level playing field which in theory should lead to greater efficiency, choice and transparency while strengthening consumers’ trust in a more harmonised payments market. In general, PSD2 should deliver a better integrated EU payments market but it does so through an ever expanding and more prescriptive rule book.

As with all EU directives there is a strong focus on consumer rights. In PSD2, these are enhanced by:

  • reduced liability for non-authorised payments from €150 to €50
  • an unconditional refund right for direct debits in euro
  • removal of surcharges for the use of a consumer credit or debit card

Of the greatest importance, PSD2 seeks to open up the EU payment market to companies offering new retail payment services based on access to information about the payment account.

  • Account Information Services (AIS): allow a payment service user to have an overview of their financial situation at any time, allowing users to better manage their personal finances
  • Payment Initiation Services (PIS): allow consumers to pay via simple credit transfer for their online purchases, while providing merchants with the assurance that the payment has been initiated so that goods can be released or services provided without delay

As PSD2 is maximum harmonising EU legislation, Member States have very limited discretion to depart from it or to gold-plate in areas within its scope. PSD2, as with the original directive, will be implemented in the UK largely through regulations. The Payment Services Regulations 2017 (PSRs 2017) will replace the Payment Services Regulations 2009.

As a directive, PSD2 is unusual as it has been identified by all not just as the usual mixed bag of well-intended regulation but this time as a real potential game changer. To take advantage of PSD2 and the new AIS and PIS, the UK government and Competition and Markets Authority (CMA) are demanding more competition in the banking sector and championing an open standard Application Programming Interface (or open API). This is a tremendous catalyst for the FinTech industry.

We should not forget, however, that the incumbent UK banks hold the vast majority of current accounts and have all the benefits of scale and umpteen years’ worth of customer data. The big UK banks are expected to be reinvigorated by core infrastructure replacement and by embracing an open standard API ecosystem. Linking with FinTechs for market-leading consumer-centric services, they should be more than capable of maintaining their dominance in this evolving landscape, although there is no guarantee. Cynics will also say that the rules concerning strong customer authentication (SCA) may yet lead to some restrictions on access in this open market which could greatly disadvantage some FinTechs. We could just see an evolution in online payments rather than the banking revolution demanded by politicians. One thing is certain. The future is digital.

WHAT IS THE AIM OF THE DIRECTIVE?

The Revised Payment Services Directive (PSD2) is EU legislation governing firms that provide payment services. It provides the legal foundation for the further development of a better integrated internal market for electronic payments. As such, it puts in place comprehensive rules maintaining the original goal of making international payments within the EU as easy, efficient and secure as payments within a single Member State. Of great importance, it seeks to open up payment markets to new entrants, leading to more competition, greater choice and hopefully better prices for consumers. As with the original directive, it also provides the necessary legal platform for developments within the Single Euro Payments Area (SEPA).

BACKGROUND

The original PSD was introduced in 2007. It became UK law in 2009 through the Payment Services Regulations 2009 (PSRs 2009). Its primary aims were to:

  • create a single market for payments in the European Union
  • open up the market to new entrants
  • create a platform for the Single Euro Payments Area
  • protect consumers’ rights when making payments

The new PSD2 was published in the EU Official Journal on 23rd December 2015. The directive aims to:

  • contribute to a more integrated and efficient European payments market
  • improve the level playing field for payment service providers
  • promote the development and use of innovative online and mobile payments
  • make payments safer and more secure
  • protect consumers
  • encourage lower prices for payments

It should be noted that the scope of PSD2 includes the authorisation and prudential requirements for payment institutions (PIs) and the provision of conduct of business rules for providing payment services.

FIRMS AFFECTED BY PSD2

The following will be in scope of PSD2:

  • All existing payment service providers (PSPs), including banks, building societies, credit card providers, money remitters and e-money issuers.
  • Providers of ‘payment accounts’ which are accessible online. These are accounts held in a payment service user’s name and used to make payments. They include current accounts, e-money accounts and credit card accounts. Firms providing these accounts will be required to give access to their customers’ accounts to providers of account information and/or payment initiation services, with the customer’s consent.
  • A range of firms that are not currently required to be FCA-authorised or regulated, including firms that:
    • provide services that are currently exempt from regulation because of the limited network, ‘digital download’ or commercial agent exemptions
    • provide, or plan to provide, account information and/or payment initiation services

CURRENCY AND GEOGRAPHIC SCOPE

The original PSD only applies if the PSP of both the payer and payee are located within the EEA and the transaction is in sterling, euro or another non-euro Member State currency. The exceptions are value dating and immediate availability provisions which apply to ‘one-leg out’ transactions (ie where only the payer or payee’s PSP is in the EEA).

PSD2 will apply, with some exceptions, to ‘one-leg out’ transactions and all currencies. As a result, many more conduct of business and information requirements will apply to international payments.

ACTIVITIES OUT OF SCOPE OF PSD2

The list of activities excluded from regulation has been amended by the new directive.

These exclusions now include:

  • Commercial agents who negotiate or conclude the sale and purchase of goods and services on behalf of either a payer or payee (the ‘Commercial Agent Exclusion’)
  • Providers of limited network payment instruments, such as shopping centre gift cards (the ‘Limited Network Exclusion’)
  • The original PSD excluded mobile network operators who enable payment transactions for digital goods and services using a telecom, digital or IT device. PSD2 replaces this with an exclusion for transactions provided by electronic communication network providers for digital content and voice-based services, tickets or donations to charity which are charged to a subscriber’s bill, subject to per-transaction and cumulative monetary thresholds (the ‘Electronic Communications Network Exclusion’)

Firms that benefit from the Limited Network Exclusion will have to notify the FCA if their transactions exceed €1 million in any 12 month period and provide a description of their activities. On receiving this notification, the FCA will decide whether or not the services are in fact exempt. Firms in this position (ie transactions over €1 million in any 12 month period) must continue to give the FCA such notifications annually unless transaction values dip below the threshold.

All firms relying on the Electronic Communications Network Exclusion must notify the FCA and give them a description of the service. The FCA must be forwarded an annual audit opinion confirming that the customers’ transactions fall within the financial limits of this exclusion.

AUTHORISATION OF PAYMENTS INSTITUTIONS (PIs)

PSD2 does not substantially change the conditions for granting authorisation as PIs. However, PIs offering AIS will be required to have PII (professional indemnity insurance) as a condition of authorisation. PSD2 also contains rules on the supervision of authorised PIs, as well as penalty measures in the case of non-compliance.

HM Treasury and the FCA recognise that the requirement for AISPs and PISPs to have PII in place is causing some uncertainty due to the perceived lack of an existing market for insurance that meets the minimum standards of cover set out in EBA guidelines. We are assured that HM Treasury and the FCA are working with market participants and the insurance industry “to understand and address this issue” [HM Treasury Implementing PSDII: Consultation response’ July 2017].

PASSPORTING

The right of firms to passport their payment services activities into another EEA country is included in PSD2, as it was under the original PSD. Under PSD2 firms with agents in another Member State may need to provide a ‘Central Contact Point’ within that state if they have passported under the ‘right of establishment’. They may also have to provide additional reports to the host state.

NEW REGULATED PAYMENT SERVICES: AIS and PIS

PSD2, as part of a programme promoting the development and use of innovative online payment services, brings two types of payment services activity under regulation for the first time (AIS and PIS). Very importantly, firms offering payment accounts accessible online must allow third-party providers to access users’ accounts with the users’ express consent. These third parties – account information service providers (AISPs) and payment initiation service providers (PISPs) – are fully regulated under PSD2.

AIS

An AIS is ‘an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers.’ These services already exist in the UK but PSD2 will bring them within the scope of regulation and ensure that AISPs can receive access to payment accounts if compliant with various security safeguards.

PIS

A PIS is ‘an online service which accesses a user’s payment account to initiate the transfer of funds on their behalf with the user’s consent and authentication.’ PIS will provide an alternative to paying online using a credit card or debit card.

This type of service is used widely across the EU but very rarely in the UK. The new rules for PIS bring them within the scope of regulation and ensure that PISPs receive access to payment accounts if compliant with various security safeguards.

In the UK, the FCA will be responsible for ensuring AISPs and PISPs are registered or authorised. For firms that only carry on AIS, there is an option to become a ‘registered AIS’. These providers will have no capital requirements and will need to meet fewer conditions than authorised firms. Businesses that provide PIS must be authorised and have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs will have to hold PII (professional indemnity insurance). The EBA has developed Guidelines on PII. (See http://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-the-criteria-on-how-to-stipulate-the-minimum-monetary-amount-of-the-professional-indemnity-insurance-under-psd2).

ACCESS TO PAYMENT ACCOUNTS

Firms that provide ‘payment accounts’ to their customers that are accessible online will have to give AISPs and PISPs access to these accounts, with the user’s consent and authentication. Under PSD2, providers of payment accounts are referred to as ASPSPs (or ‘account servicing payment service providers’). The EBA is responsible for developing RTS which will introduce common and secure standards for communications between ASPSPs, AISPs and PISPs.

OPEN APIs

To take advantage of PSD2, and further to rulings by the CMA, the UK government is demanding more competition in the banking sector by ensuring the big banks adopt an open standard Application Programming Interface (or open API). An API is a set of routines, protocols and tools for building software applications. The goal is that the ‘outcomes’ for consumers should be based on the best product or service available rather than on any historical advantage.

HM Treasury, in ‘Implementation of the revised EU Payment Services Directive II: response to the consultation’ published in July 2017, states:

‘Use of application programming interfaces (APIs)

1.7 While PSDII prevents HM Treasury or the FCA from mandating a particular method of access, we believe that the use of secure application programming interfaces (APIs) provides significant advantages. In line with the Competition and Market Authority’s (CMA) order on Open Banking, which applies to nine UK banks, we believe there are benefits to customers and market participants if these APIs are developed according to common standards and using secure common infrastructure where necessary – ‘the Open Banking Standard’. Such standardisation will support innovation by reducing barriers to entry – as third parties will not have to integrate with different technology on a firm-by-firm basis – and can enhance security across the industry.’

The CMA’s order on Open Banking applies to a more limited number of products and providers than those affected by PSD2. However, it is clearly the view of HM Treasury and the FCA that the Open Banking approach will become the most suitable option for all firms once a solution can be delivered that can comply with PSD2 and the related RTSs. HM Treasury is very keen that all ASPSPs, AISPs and PISPs work towards using the Open Banking API Standards as the basis on which secure API access to other payment accounts is provided in future. ‘…..we encourage prospective AISPs and PISPs to work with ASPSPs to transition to the use of secure APIs as soon as possible during 2018.’

‘By adopting Open Banking APIs, the UK can establish itself as a global thought leader in the safe and effective sharing of banking data.’   [HM Treasury ‘Implementing PSDII’ July 2017]

It is hoped by all that access to a vast pool of transaction data from banks and other financial institutions will enable financial market innovators, the Fintechs, to develop a whole new range of exciting products. Many see these as helping consumers manage their income more effectively. We should see better account comparison tools and, very importantly, it may also help deliver tailored and affordable financial advice.

HOW DOES OPEN BANKING WORK?

  • Open banking will mean reliable, personalised financial advice, tailored to your particular circumstances delivered securely and confidentially.
  • To provide tailored advice banks and other financial service providers need to know how you use your account. At the moment, to get personalised advice, you have to hand over your confidential banking information to price comparison websites.
  • Open banking will use Application Programming Interfaces (APIs) to share customer information securely. This tried and trusted technology is used by many well known online brands, such as Uber providing information about the location of a taxi.
  • Third party providers will be able to use open banking APIs to see your transaction information to tell you what you might save when considering the current account best suited to you. Or if you run a small business you could find the best deals for your business accounts and loans.

Source: Competition and Markets Authority 2016

REGISTRATION AND AUTHORISATION OF AISP AND PISP

All firms which started to operate as an AISP or PISP after 12th January 2016, and who wish to operate as such going forward, must be registered or authorised by the FCA before 13th January 2018. Firms operating as an AISP or PISP before 12th January 2016 will be able to continue to operate without registration or authorisation until the RTS apply. However, they will not benefit from the right of access provided in PSD2. Accordingly, HM Treasury wishes to ‘strongly encourage these AISPs and PISPs to apply to be registered or authorised as soon as possible, given the real and significant benefits to these firms of doing so, and we would expect many of these firms to choose to become registered or authorised well ahead of the RTS.’

The Payment Services Regulations 2017 allow for applications from 13th October 2017, to enable firms to apply and be registered or authorised by 13th January 2018. The FCA has up to three months to determine the outcome of each application. The level of scrutiny by the FCA and the information they require will vary according to the risk and complexity suggested in the firm’s proposed business model.

With regard to the security requirements, until the RTS apply the FCA will assess applicants against the EBA’s Authorisation Guidelines (eg security policies, governance, business continuity arrangements, processes for access to sensitive data and the firm’s business model). The draft RTS, of course, give firms an indication of the likely future requirements. It is important to stress that PSD2 requires that ‘directors or persons responsible for the management of the institution possess appropriate knowledge and experience to perform payment services and the level of this should be proportionate to the nature, complexity and scale of risk inherent in the business activity.’

TRANSITIONAL ARRANGEMENTS

PSD2 contains transitional provisions to allow existing authorised PIs, authorised e-money institutions and small e-money institutions to continue to provide payment services and issue e-money until 12th July 2018. If these firms want to carry on providing payment services after this date, they must have provided the FCA with the information specified in the PSRs 2017 or amended EMRs respectively. This information must be received by 13th April 2018.

Existing small payment institutions may carry on their activities until 12th January 2019. If they want to continue providing these services after this date then they will have to apply to the FCA before 13th October 2018.

Key dates for existing firms authorised/registered under PSD1

Firm type                                         | Can provide new information from | Must provide new information before | ...to remain authorised/registered after
Authorised payment institutions                   | 13 October 2017                  | 13 April 2018                       | 12 July 2018
Authorised e-money institutions (Authorised EMIs) | 13 October 2017                  | 13 April 2018                       | 12 July 2018
Small e-money institutions (Small EMIs)           | 13 October 2017                  | 13 April 2018                       | 12 July 2018
Small payment institutions (Small PIs)            | 13 October 2017                  | 13 October 2018                     | 12 January 2019

Following CP17/22, the FCA will consider feedback on the authorisation and registration forms and make the final forms available in September 2017.

CONSUMER PROTECTION

PSD2 continues to protect consumers from unauthorised transactions but aims to enhance the existing regulations. All PSPs will need to prove to the satisfaction of the FCA that they have put specific security measures in place to ensure safe and secure payments. In addition:

Limiting payers’ liability for unauthorised transactions: Under the current regime a payer’s liability for unauthorised transactions is capped at £50 in the UK. This cap will not apply if the payer has acted fraudulently or, with intent or gross negligence, failed to comply with the conditions governing use of a payment instrument or failed to notify the PSP without undue delay on becoming aware of its loss, theft, misappropriation or unauthorised use.

The liability cap is reduced to €50 under PSD2. Payers will only be liable in cases of user fraud, gross negligence or failing to notify their PSP without undue delay on becoming aware of the loss. Please note, the European Commission will publish a leaflet by Q4 2017 which will explain the changes under PSD2 to the liability regime and to consumers’ rights and obligations.

Incorrect transactions: PSD2 requires PSPs to be responsible for undertaking payments in an accurate and timely way. It also specifies that payers should always be entitled to make any relevant claims for refunds to their Account Servicing PSP (ASPSP), whether or not other PSPs are involved in the transaction. These other PSPs will, of course, be liable to the payer’s ASPSP, although each PSP’s liability is limited to correct execution within their area of competence. As with the original PSD, payers will need to notify the PSP of incorrect transactions as soon as possible and within a maximum of 13 months from the date of the payment. Please note, if the payer has given the wrong unique identifier, the payee’s PSP is now required to ‘cooperate’ in efforts to recover the funds.

Complaints handling: Under PSD2, PSPs must give a full response to complaints that involve rights and obligations under PSD2 within 15 business days. In exceptional circumstances, this is extended to a maximum of 35 business days, with the firm in the interim sending a holding reply to the payer.

Strong Customer Authentication (SCA)

This is a key area. PSD2 has the potential to dramatically change not just the payments sector but the wider banking market. SCA could be a limiting factor and it has, of course, been the subject of heated discussions and very aggressive lobbying.

PSD2 requires Strong Customer Authentication (SCA), commonly described as two-factor authentication (more precisely multi-factor, since two or more elements are required). Payment service users will need to use SCA whenever they access their payment accounts online, make an electronic payment or carry out any action through a remote channel with a risk of fraud or abuse.

The FCA website states: ‘SCA is made up of two or more elements, including knowledge (something you know, such as a password), possession (something you have, such as a card or mobile device) or ‘inherence’ (something you are, such as a fingerprint or voice recognition). Each element must be independent from the others so that if one is breached this does not compromise the integrity of another.’ SCA is designed to protect the confidentiality of customers’ personalised security credentials.
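The category rule in the FCA definition above is the part implementations most often get wrong: a password plus a memorable word is still a single knowledge element, not two factors. The Python below is an added example, not code from the FCA, the EBA or any bank, that enforces it. It models a verifier holding a knowledge element (a salted PBKDF2 password hash) and a possession element (an RFC 6238 one-time code of the kind an authenticator app generates), and passes a login only when the presented elements span at least two distinct categories and every one of them verifies. The salt, password and one-time-code secret are constructed for the demonstration (the secret is the RFC 4226/6238 test-vector key); inherence is not implemented and fails closed.

```python
import hashlib
import hmac
import struct
import time

# The three element categories named in the FCA text quoted above.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed demo inputs for this example; not real credentials.
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the knowledge element (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the profile common authenticator apps use."""
    counter = struct.pack(">Q", at // step)            # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ScaVerifier:
    """Server-side reference data for one customer's authentication elements."""

    def __init__(self, salt: bytes, password_hash: bytes, totp_secret: bytes):
        self.salt = salt
        self.password_hash = password_hash
        self.totp_secret = totp_secret

    def check_knowledge(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)

    def check_possession(self, code: str, at: int) -> bool:
        # Accept the adjacent 30-second windows to tolerate clock drift; each
        # comparison is constant-time so a wrong guess leaks nothing about the right code.
        return any(hmac.compare_digest(totp(self.totp_secret, at + d * 30), code)
                   for d in (-1, 0, 1))


def authenticate(verifier: ScaVerifier, elements, at=None) -> bool:
    """
    elements: list of (category, presented_value) pairs, e.g.
      [(KNOWLEDGE, "pa55word"), (POSSESSION, "287082")]
    Passes only if the elements span at least two distinct categories and
    every presented element verifies. Password plus PIN is two knowledge
    elements and therefore fails, as the definition on the page requires.
    """
    at = int(time.time()) if at is None else at
    checks = {
        KNOWLEDGE: verifier.check_knowledge,
        POSSESSION: lambda code: verifier.check_possession(code, at),
        # Inherence (biometrics) is not implemented in this example; any
        # category the verifier cannot check fails closed below.
    }
    categories = {category for category, _ in elements}
    if len(categories) < 2:
        return False
    for category, value in elements:
        check = checks.get(category)
        if check is None or not check(value):
            return False
    return True


def build_demo_verifier() -> ScaVerifier:
    """Enrol the constructed demo customer."""
    return ScaVerifier(DEMO_SALT, hash_password(DEMO_PASSWORD, DEMO_SALT), DEMO_TOTP_SECRET)


if __name__ == "__main__":
    v = build_demo_verifier()
    t = 59  # RFC 6238 test-vector time; the correct 6-digit code is 287082
    print(authenticate(v, [(KNOWLEDGE, DEMO_PASSWORD), (POSSESSION, "287082")], at=t))  # True
    print(authenticate(v, [(KNOWLEDGE, DEMO_PASSWORD), (KNOWLEDGE, "1234")], at=t))    # False
    print(authenticate(v, [(KNOWLEDGE, "wrong"), (POSSESSION, "287082")], at=t))       # False
```

The independence requirement in the FCA text is only partly a software question: the code can insist on two categories, but if the one-time code is delivered to the same device on which the password is typed, compromise of that device breaks both elements at once, which is exactly the situation the definition is meant to exclude.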

The EBA is still developing the regulatory technical standards for SCA (see Limehouse commentary).

REGULATORY TECHNICAL STANDARDS (RTS)

PSD2 mandates the EBA, working in close cooperation with the ECB, to draw up draft Regulatory Technical Standards (RTS) in specific areas to ensure that the implementation of the directive is effective and harmonised across the EU. The EBA published its final draft report in February 2017, following 18 months of intensive policy development work and consultation with the different payment market players.

The publication of the EBA’s last ‘Opinion’ and its submission to the EU Commission in June 2017 concludes the EBA’s work on the PSD2 mandate. The EU Commission must now make the final decision on the text of the RTS and adopt the standards as a delegated act for publication in the Official Journal of the EU. During the adoption process, the EU Council and EU Parliament have a scrutiny right. Once the RTS have been published in the Official Journal, they will enter into force the following day and will apply 18 months after that date.

It is, of course, a big bugbear that the ‘access to account’ services specified in PSD2 Articles 65-67 have to be available from January 2018 whilst the security and communications standards in the RTS will not become mandatory until the end of the 18 month “transitional” period.

However, HM Treasury and the FCA expect firms to adhere to the principles of safety and security from day one (ie 13th January 2018). For example, HM Treasury expects that the firms concerned should:

  • transmit credentials and data securely, in ways that safeguard against the risks of interception
  • be transparent and open about their identities when interacting with one another, in order to limit the potential for criminal actors to operate in this space
  • ensure that data are stored in ways that mitigate the risks of illegitimate access, and that credentials are only held if permitted under PSD2.

REPORTING TO THE FCA

Statistical data on payments fraud: At least every year, PSPs must send to their competent authorities the statistical data on fraud affecting different types of payment. Competent authorities must provide this information in an aggregated form to the EBA and ECB.

Assessments of operational and security risks measures: At least every year, PSPs must send to their competent authorities an updated and comprehensive assessment of the operational and security risks relating to their payment services. PSPs must also include information on the effectiveness of any mitigation measures and control mechanisms.

Reporting from inward passporting firms: Member States may require PIs that have agents or branches in their territories to report to them periodically on the activities they carry out in their jurisdiction.

Incident Reporting: If PSPs become aware of a major operational or security incident they must notify their competent authorities immediately. When the competent authority receives this notification they will be required to inform the EBA, ECB and any other relevant authorities in the Member State of all relevant details.

UK CONSULTATION PAPERS

HM Treasury issued a consultation paper ‘Implementation of the revised EU Payment Services Directive II’ looking specifically at the new draft PSRs in February 2017 with a follow-up ‘response to the consultation’ published in July 2017. The FCA issued CP17/11 ’Implementation of the revised Payment Services Directive (PSD2)’ in April 2017. The consultation looked at the FCA’s approach to applying the Payment Services Regulations 2017. The FCA also published CP17/22 ‘Revised Payment Services Directive (PSD2) implementation: draft authorisation and reporting forms’ in July 2017 which is a small follow-up consultation specifically on authorisation, registration and reporting forms under the new directive. The FCA will finalise the reporting and record keeping requirements and then publish a Policy Statement in Q3 2017.

NEXT STEPS FOR THE UK

The statutory instrument that transposes PSD2 into UK law was laid before Parliament on 19th July 2017, just before the summer recess. Following earlier consultations, the FCA and the Payment Systems Regulator will need to finalise their guidance to implement PSD2 and publish their final documents by Q3 2017. The Payment Systems Regulator is the economic regulator for the £81 trillion UK payment systems industry, although it is also a subsidiary of the FCA.

All EU Member States will have to implement PSD2 into national law by 13th January 2018. The job of implementing some of the provisions has, of course, been delegated to the EBA including developing the RTS (regulatory technical standards) and guidelines. The RTS have not yet been finalised. When the RTS have been published in the Official Journal, they will enter into force the following day but will not apply until 18 months after that date. This delay will give regulators and market players a big headache.

The European Commission (EC) will produce a ‘user-friendly’ electronic leaflet by early 2018 listing consumers’ rights under the directive and related EU law.

GENERAL DATA PROTECTION REGULATION (GDPR)

The primary objective of GDPR is to strengthen and unify data protection for individuals within the EU as well as addressing the export of personal data outside the EU. The implementation date is 25th May 2018.

Both PSD2 and GDPR have a substantial area of common concern: customer data. However, the GDPR is all about keeping data private whilst PSD2 wants to make the data of individuals available to third parties!

The GDPR permits sharing of personal data with third parties only on a lawful basis, and it is up to the individual to give consent and to provide the data to the data processor. That decision cannot be taken by other processors, as it can under PSD2. A question many are asking is whether a bank can provide access to a third party without first checking that the consent to process the data is in place. In an electronic world, how does the bank verify this consent?

It is clear that the GDPR has been written in a silo by EU legislators as it makes no reference to PSD2. It also appears that PSD2 has excluded itself from the scope of GDPR, but without supporting legal evidence. Sadly, the draft RTS shed no light on the matter. The potential fine for a breach of the GDPR is eye-watering (up to €20M or 4% of global turnover), while PSD2 does not specify the penalties for non-compliance. Clarity on the GDPR issue is urgently needed.

BREXIT

Whilst it is possible that the PSRs 2017 will only be in place until the UK leaves the EU, it is thought highly unlikely that we will see any further changes in payments regulation in the short term. It is thought that UK regulators will be chasing the market and no one yet knows exactly where it is going.

HM Treasury is giving nothing away either. In its ‘Implementation of the revised EU Payment Services Directive II: response to the consultation’ published in July 2017 it blandly states:

‘Exiting the EU

1.9 On 23 June, the EU referendum took place and the people of the United Kingdom voted to leave the European Union. Until exit negotiations conclude, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the government will continue to negotiate, implement and apply EU legislation. The outcome of these negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.’

LIMEHOUSE COMMENTARY

Is PSD2 a real game changer? On paper, yes. It is widely hoped that access to a vast pool of transaction data from banks and other financial institutions will enable financial market innovators, the Fintechs, to develop a whole new range of exciting and highly relevant products. These should help consumers manage their income and savings far more effectively. We should also see better account comparison tools and, very importantly, PSD2 may also help deliver tailored and affordable financial advice. Theoretically, the comparison websites of the future could choose the best payment account to meet your needs and automatically switch your bank to obtain a superior service and/or better rates.

For the new AIS and PIS to be a success, the ‘open API’ interface must become a reality although, equally, we must ensure the highest levels of protection against cybercrime. Sadly, this is a world in which criminals will ruthlessly exploit any weakness in a digital platform. In many ways it is unsurprising that SCA has become a bone of contention although, with January 2018 fast approaching, the lack of clarity is very disappointing. The EBA and the European Commission (EC) appear to be at war over SCA. In June 2017, the EBA published an ‘Opinion’ strongly objecting to amendments that the EC had announced it intended to make to the EBA’s final draft RTS. The RTS will, of course, not apply until 18 months after their adoption and, with the squabbles continuing, we are now looking at an early 2019 date!

Essentially, there are two key issues. Firstly, most PSPs believe that SCA will make it more difficult for customers to authenticate payments while also reducing the ability of firms to use techniques such as ‘Risk Based Authentication’ to counter fraud. Secondly, the new PISPs and AISPs have voiced concerns over the interface through which they will access customer accounts. If banks and other account providers can require access through a ‘dedicated interface’, surely too much power is in their hands? A mandatory dedicated interface could allow account providers to impede direct access to a customer’s account by PISPs and AISPs. Although this appears to be contrary to the aims of PSD2 (ie increased competition and innovation), the EBA insists that neither the directive nor the technical standards specify the nature of access but merely state the principles governing it. To rub salt into the wound, the EBA is also demanding that ‘screen scraping’ as a means of access be prohibited once the RTS apply. It is important to stress that the EC has backed third party service providers in demanding that account providers must allow access via their customer-facing interface, as a contingency measure, whenever a dedicated interface is unavailable or working inadequately. This is a significant victory for PISPs and AISPs.

The EC must now make the final decision on SCA in the RTS text, although the European Council and European Parliament have a right of scrutiny.

Although PSD2 can be seen as a charter for the Fintechs, we should not forget that the incumbent UK banks hold the vast majority of current accounts and have all the benefits of scale and umpteen years’ worth of customer data. The big UK banks are expected to be reinvigorated by core infrastructure replacement and by embracing an open standard API ecosystem. By linking with Fintechs to offer market-leading, consumer-centric services, and with deeper pockets, they should be more than capable of maintaining their dominance in this evolving landscape, although there is no guarantee.

PSD2 should be viewed as part of the digital revolution that is transforming banking globally and steadily making the branch network obsolete. The banks of the future simply must give their customers a far better informed view of their financial affairs and operate on a totally customer-centric platform. Competitive advantage and income will be generated by leveraging the personal data held on a customer’s financial lifestyle.

The goal of PSD2 is to foster innovation and to remove barriers to trade. It may be a headache in the shorter term for banks, but it is also an opportunity that must be fully exploited. PSD2 is of vast strategic importance. There is no half-way house when the world is going digital. Banks must put in place the structures that will allow them to deliver more convenient services tailored to specific customer segments, whether through cooperation with Fintechs, third party software houses or PSPs. The banking sector is changing fast, as recognised by the establishment of ‘UK Finance’ in July 2017. This new trade association incorporates the BBA, Payments UK, the Asset Based Finance Association, the Council of Mortgage Lenders, Financial Fraud Action UK and the UK Cards Association. Collaboration is the name of the game.

Who will be the winners and losers? No one at this stage can really be confident. Defeat for the consumer could still be snatched from the jaws of victory by a combination of ineffective SCA RTS and the unresolved GDPR question. Old-style banks driven by number-crunching legacy systems could still linger on across the EU, protected by national interests, but their days must now be numbered. One thing is certain. The future is digital.

Roger Davies is Principal Consultant at Limehouse Consulting.

Disclaimer

This publication contains general information only and is based on the experiences and research gathered by Limehouse Consulting and Strategy Limited (hereinafter “Limehouse”) practitioners. Limehouse is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Limehouse, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication. Please see www.limehouseconsulting.com for a detailed description of the legal structure of Limehouse and the organisation’s offerings.

Copyright © 2017 Limehouse Consulting and Strategy Limited