PSD2: regulation as a catalyst for innovation
PSD2, the new European Directive on Payment Services in the Internal Market, comes into force on 13 January 2018. It aims to open up the European payments market to greater competition and transparency, but Christian Schaefer, global head of payments, cash management, Deutsche Bank, believes its effect will be more far-reaching, acting as a catalyst for innovation not just in payments, but in the wider financial services market.
Just over a decade ago, PSD1 laid the foundation for the Single Euro Payments Area (SEPA) and introduced faster, safer and more convenient payments to millions of payment service users (PSUs). The revised directive, PSD2, will usher in even greater changes in payments. However, the combined force of flexible enabling technology and favourable regulation is likely to make these changes spread into wider banking services as well.
PSD2 seeks to further harmonise the payments market in the European Union (EU) and European Economic Area (EEA), make electronic payments and remote account access more secure, and enhance consumer protection. However, its potentially most radical and transformative provisions are those licensing third party providers (TPPs) to join the market and giving them guaranteed access to the customer account information they need, which is held by traditional account servicing payment service providers (ASPSPs) including banks and payment institutions. The legislators’ aim is to encourage competition and transparency and kick-start innovation in this market.
I believe it is no exaggeration to say that the result will be a fundamental reshaping and renewal of the European payments and wider financial services markets over the next two to five years, with a host of new players and a range of innovative and tailored services being offered to customers, who will be the prime beneficiaries of these changes.
Once they are compliant by the January implementation date, the next step on this journey is for Europe’s ASPSPs to develop or buy in third party account interfaces to comply with PSD2. These may be either dedicated third party interfaces or customer interfaces suitably modified to be PSD2-compliant: ensuring that TPPs can access only the data needed to provide a given service to their customers, that they can identify themselves, and that they can communicate securely with each other.
Both routes – dedicated interface and modified direct access – require considerable investment and change work. Many ASPSPs may be preparing for both, following the European Commission’s recent decision in November 2017 confirming that it will require ASPSPs offering a dedicated interface to have a fall-back option, in the form of a modified customer interface. This is required as a contingency measure should their dedicated interface not be available or fail to deliver the required level of performance, which must be at least as high as that of their customer interface.
European Commission requires fall-back option
The European Commission’s rationale for a fall-back option is to ensure fair competition and business continuity for TPPs: to suffer a failed or inadequately performing dedicated interface when at the same time the ASPSP’s customer interface is functioning perfectly would clearly put them at a competitive disadvantage.
However, the Commission has compromised by allowing national competent authorities to exempt individual ASPSPs that have a demonstrably fully functional dedicated interface reaching the quality criteria defined by the relevant regulatory technical standards (RTS) from having to maintain the fall-back option. This exemption may be revoked where the relevant quality criteria are not met for more than two consecutive weeks, and then the fall-back option must be functional within two months.
This means that many ASPSPs may now be deciding whether they are sufficiently confident of gaining and retaining an exemption, or should in addition make preparations for the fall-back option. While the criteria for granting exemptions are those outlined in the RTS, banking associations and market initiatives will be checking procedures for obtaining them carefully with their competent national authorities.
Is a dedicated interface still the way to go?
Of course, PSD2 does not oblige ASPSPs to set up a dedicated TPP interface: modified direct access, the fall-back option, would suffice – if this were indeed a mere compliance exercise. However, there is so much more at stake: the business advantages promised by dedicated TPP interfaces using open application programming interfaces (APIs) should in the long run richly repay the additional investment in time and resources.
This is because rolling out the third party interface is merely the first step in an evolution of payments, and financial services in general, through open APIs and towards open banking. The widespread sharing of standard open APIs is expected to inspire payment service providers connected in this way, both ASPSPs and TPPs, to develop a host of convenient and innovatory payment-related services tailored to the needs of their own and each other’s PSUs.
The momentum inherent in this next stage is likely to spill over into other banking services. After all, a customer used to convenient and immediate payments, and easy and instant access to account information on accounts at different institutions will soon expect similar ease and access with respect to his investments, his borrowings and trading transactions with multiple service providers. This will bring many opportunities to cross- and upsell and offer new services to existing and new customers. ASPSPs and TPPs, singly or in collaboration, will leverage their respective strengths to gain their share in this expanding market, and the following step will be for the variety, richness and specificity of services widely available to retail customers to be mirrored in the corporate sphere.
PSD2: remaining uncertainties and asynchronicities
However, there is still much detail to fill in concerning the initial step on this journey, that of PSD2-compliance. For starters, it is already clear that not everything will happen on time. Although 13 January 2018 is the deadline for member states to have transposed the directive into national law, it looks as though many will not be ready by then, with only Denmark, France, Germany and the UK having transposed PSD2 into national law at the time of going to press.
More importantly still, there will be a major implementation gap between the Directive as a whole and the crucial RTS on strong customer authentication (SCA) and common and secure open standards of communication (CSC). These specify PSD2’s requirements for the new third party interface and for secure customer authentication. As the European Commission only published its amended version in November 2017, these requirements will now only become effective in September 2019 at the earliest.
Nevertheless, for a number of reasons, it is crucial that all affected organisations comply with PSD2 as a whole from 13 January 2018, and this includes preparations for the interface and for secure customer authentication.
The most obvious reason is that implementation will eventually be required, so it is prudent to ensure readiness and performance when required. Add to this that the level and complexity of changes will in many areas call for considerable adaptability to respond to further late developments – take for example the fall-back requirement recently published, or the awaited final versions of some Guidelines published under PSD2.
The second, even more powerful reason is that the majority of PSD2’s requirements benefit customers. Laggards will lose out on any first mover advantages in what promises to be one of the most far-reaching market transformations this decade in financial services, which makes timeous implementation not just a regulatory chore, but a shrewd business choice.
Lastly, there are a number of important provisions in PSD2 that are closely bound up with interface requirements effective from 13 January 2018, regardless of whether an organisation’s third party interface is up and running, or whether it has implemented SCA.
For example, from 13 January 2018, ASPSPs may no longer cancel payments involving a TPP. However, an ASPSP without a dedicated interface for TPPs will have difficulty telling whether a transaction was initiated by a TPP or not. Similarly, where TPPs make payments in error, ASPSPs will be obliged to reimburse PSUs and recover from TPPs. Yet an ASPSP lacking some or all requirements for SCA, in particular dynamic linking of every transaction to a specific amount and payee, may not be able to show who changed a transaction.
It should therefore be clear that there are no good reasons to delay, and many strong incentives for all PSPs, including those who intend to become TPPs, to press ahead with preparations for all aspects of PSD2. Much work needs to be done, not limited to ASPSPs working on their interfaces.
Finally, no PSP should delay preparations because of the perceived complexity of the Directive, or the technical difficulties of compliance. Not only are there now many providers able to take on the entire task of compliance, or deliver tailored support in specific areas, but there are also industry associations and market initiatives that offer knowledge, advice, networking and support, as well as working to develop common standards and protocols or useful registries. We list them in our latest white paper on PSD2. It’s time to get going.