What's in a name? It's hard to tell at face value exactly what lies behind the latest raft of European payments regulation, PSD2, snappy an acronym as it is. But the Second Payment Services Directive – known as PSD2 – is being positioned as a game-changing set of guidelines for Europe's payments specialists.
As you'd expect from a substantial piece of European legislation, the directive as a whole is complex, occasionally ambiguous and some of its detailed rules are yet to be finalised, so we won't know all its details, or its full impact, until this summer or even later. Its ambitions are already well-known, but whether it can deliver them depends on exactly how it is implemented.
Simple aims for a complex market
Broadly speaking, PSD2's aims are simple ones. Its big focus is on stimulating business growth by encouraging a better-integrated and more efficient European payments market. In practice, that means promoting competition by encouraging the emergence of new players and innovation, especially in internet and mobile payment services. Security is also a strong theme, with multiple provisions for consumer protection against payments fraud and abuse – including the use of strong customer authentication for electronic payments, of which more shortly. And overall, it aims to reduce pricing for payments across the board, lowering the barriers to digital payments still further.
These are, of course, all laudable aims. Some of PSD2's provisions, in particular, have got industry observers quite excited, notably those that will facilitate access by third-party providers to consumer financial data held by banks. The general expectation is that a new generation of AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) will emerge on the back of PSD2, populated not just by traditional financial services organisations but retailers, social media companies, telcos and fintech organisations too. By giving these new players access to that data, the argument goes, PSD2 will stimulate new services that effectively bypass the need for interaction with banks. Personal finance apps could analyse banking transaction histories, for example, and make recommendations for savings or investments; similarly, mortgage apps could track the mortgage market as a whole and advise home-owners of better deals with alternative mortgage providers.
Unsurprisingly, banks are likely to feel threatened by the advent of legislation that puts their consumers in the hands of third parties. Anything that dilutes those customer interactions deprives banks of opportunities to sell them other products and services, for one thing, risking their relegation to so-called “dumb-pipe” status in the same way that mobile operators have been by the advent of over-the-top players such as Google and Facebook. But the extent to which this is a real danger to the banks’ business models is as yet hard to ascertain. One 2016 survey by Strategy& showed that 68% of banks participating in the survey thought that PSD2 would weaken their position in exactly this way, just as insurance brokers have weakened the link between the consumer and the insurance brands themselves. But other surveys, including one from Accenture, showed that trusted brands such as banks and e-retailers are likely to have a significant head start in a world where consumers have granted their consent for their banking data to be scrutinised, not least because they are already closer to those consumers and understand their needs better.
The challenges of levelling out the playing field
However, as this aspect of PSD2 plays out, any would-be market entrants looking for access to the consumer layer will have to deal with not just the incumbent (and deep-pocketed) banks, but also with a complex and still fragmented European regulatory marketplace. While PSD2 provides overall guidelines, payment institutions will still be supervised by the member state where they are authorised to operate. That in turn means a need to understand the differences (albeit fewer of them than in the original PSD) in interpretation across 28 countries – a non-trivial task for all but the very largest and heavily-resourced organisations. And regulators say that under PSD2, every bank must provide an interface for new players to access consumer data. But no single standard for this interface yet exists – a problem for new entrants trying to access the whole market. In the UK, the CMA has so far only insisted on a standard interface to 9 UK banks with sterling accounts only; a good start, but there is clearly a long way to go before the headline-grabbing fintech startups in Berlin and Shoreditch are able to directly benefit from PSD2 under their own steam.
One further challenge arises in relation to PSD2’s scope in certain areas. Today’s consumers may adapt quickly to new technology, but they are equally quick to ignore or abandon it when it presents a barrier to completing their tasks. Regulation, and the burden it places on payments providers, is one of those barriers. Strong customer authentication (SCA) is part of the scope of PSD2, and the impact it will have on consumers is cause for concern. Two-factor authentication is fine in high-risk situations and environments, but it may make some convenient applications – often known as “one-click” – unavailable to consumers. If PSD2 is to really deliver on one of its promises of encouraging innovation, it is vital that regulators do not tighten these types of controls too far.
Knowing your customer means knowing the risk
Paysafe is one of several organisations that have participated in the consultation on the detailed Strong Customer Authentication (SCA) rules due to be finalised in late summer or early autumn. We are concerned that keeping the thresholds at which SCA is to be applied too low will cause merchants to lose customers – an obviously undesirable outcome that would undermine one of the reasons for implementing PSD2 in the first place.
We think it’s critical that consumers are still able to buy, and merchants to sell, without two-factor authentication when the risk of fraud is low, and so we have argued for reasonable and practical thresholds to be adopted. We also think that organisations should be able to leverage their knowledge of a consumer’s normal behaviour when determining whether to trigger SCA. Furthermore, the rules should be flexible enough to accommodate the evolution of technology expected to make authentication faster and easier, whether it’s based on biometrics, analytics or authentication apps. There are some positive signs, however, and we welcome the proposals for appropriate exceptions to the SCA rules for innovative, low-risk payment types such as contactless. The industry’s experience to date with contactless payments, in particular, has shown that it is perfectly possible to keep fraud risk low while promoting both innovation and customer security. If implemented carefully, there’s no reason why PSD2 can’t achieve the same balance.