Best read articles of all time – PSD 2: a lot of opportunities but also big challenges (Part I)
| 15-05-2018 | François de Witte |
The Directive 2015/2366 on payment services in the internal market (hereinafter PSD2) was adopted by the European Parliament on October 8, 2015, and by the European Union (EU) Council of Ministers on November 16, 2015. The PSD2 updates the first EU Payment Services Directive published in 2007 (PSD1), which laid the legal foundation for the creation of an EU-wide single market for payments. PSD2 came into force on January 13, 2016, and is applicable from January 13, 2018 onwards. By that date the member states must have adopted and published the measures necessary to implement it into their national law.
PSD2 will cause important changes in the market and requires thorough preparation. In this article, we summarize the measures and highlight the impact on the market participants. In today’s Part I we focus on the abbreviations and the main measures introduced by PSD2.
List of abbreviations used in this article
2FA : Two-factor authentication
AISP : Account Information Service Provider
API : Application Programming Interface
ASPSP : Account Servicing Payment Service Provider
EBA : European Banking Authority
EBF : European Banking Federation
EEA : European Economic Area
PISP : Payment Initiation Service Provider
PSD1 : Payment Services Directive 2007/64/EC
PSD2 : Revised Payment Services Directive (EU) 2015/2366
PSP : Payment Service Provider
PSU : Payment Service User
RTS : Regulatory Technical Standards (to be issued by the EBA)
SCA : Strong Customer Authentication
TPP : Third Party Provider
Main Measures introduced by PSD2:
PSD2 expands the reach of PSD1 to the following payments:
- Payments in all currencies (beyond EU/EEA), provided that the two PSPs (Payment Service Providers) are located in the EU/EEA (two legs)
- Payments where at least one PSP (and no longer both) is located within EU borders, for the part of the payment transaction carried out in the EU/EEA (one-leg transactions)
A second important measure is the creation of the Third Party Providers (TPP). One of the main aims of PSD2 is to encourage new players to enter the payment market and to provide their services to the PSU (Payment Service Users). To this end, it creates the obligation for the ASPSP (Account Servicing Payment Service Provider – mainly the banks) to “open up the bank account” to external parties, the so-called third-party account access. These TPP (Third Party Providers) are divided into two types:
- AISP (Account Information Service Provider): In order to be authorized, an AISP is required to hold professional indemnity insurance and be registered by its member state and by the EBA. There is no requirement for any initial capital or own funds. The EBA (European Banking Authority) will publish guidelines on conditions to be included in the indemnity insurance (e.g. the minimum sum to be insured), although it is as yet unknown what further conditions insurers will impose.
- PISP (Payment Initiation Service Provider): PISPs are players that can initiate payment transactions. This is an important change, as currently there are not many payment options that can take money from one’s account and send it elsewhere. The minimum requirements for authorization as a PISP are significantly higher. In addition to being registered, a PISP must also be licensed by the competent authority, and it must have an initial and on-going minimum capital of EUR 50,000.
Banks will have to implement interfaces so that they can interact with the AISPs and PISPs. However, payment initiation service providers will only be able to receive information from the payer’s bank on the availability of the funds on the account, which results in a simple yes or no answer before initiating the payment, with the explicit consent of the payer. Account information service providers will only receive the information explicitly consented to by the payer, and only to the extent the information is necessary for the service provided to the payer. Compliance with PSD2 is mandatory, and all banks will have to make changes to their infrastructure deployments.
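The access limits described above can be enforced at the bank's interface itself. The following sketch is an added example, not part of the original article and not taken from PSD2 or any EBA standard; the class, method, field and identifier names are hypothetical and the account data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data held by the ASPSP (not real account data).
ACCOUNTS = {"BE-SAMPLE-0001": {
    "balance": 1250.00,
    "holder": "Sample PSU",
    "transactions": [{"amount": -40.0, "counterparty": "Sample Shop"}],
}}

@dataclass(frozen=True)
class Consent:
    """Explicit consent a PSU gave to one TPP (hypothetical model)."""
    tpp_id: str
    role: str                        # "PISP" or "AISP"
    account: str
    fields: frozenset = frozenset()  # AISP only: items the PSU agreed to share

class ConsentError(PermissionError):
    """Raised when a TPP asks for something the PSU did not consent to."""

class AspspInterface:
    def __init__(self, accounts, consents):
        self._accounts = accounts
        self._consents = {(c.tpp_id, c.role, c.account): c for c in consents}

    def _require(self, tpp_id, role, account):
        consent = self._consents.get((tpp_id, role, account))
        if consent is None:
            raise ConsentError(f"{tpp_id} has no {role} consent for {account}")
        return consent

    def funds_available(self, tpp_id, account, amount):
        """PISP path: a bare yes/no; the balance itself is never returned."""
        self._require(tpp_id, "PISP", account)
        if amount <= 0:
            raise ValueError("amount must be positive")
        return self._accounts[account]["balance"] >= amount

    def account_information(self, tpp_id, account):
        """AISP path: only the fields named in the PSU's consent."""
        consent = self._require(tpp_id, "AISP", account)
        record = self._accounts[account]
        return {k: record[k] for k in sorted(consent.fields) if k in record}

# Constructed consents: one PISP, one AISP limited to the balance.
CONSENTS = [
    Consent("pisp-demo", "PISP", "BE-SAMPLE-0001"),
    Consent("aisp-demo", "AISP", "BE-SAMPLE-0001", frozenset({"balance"})),
]
bank = AspspInterface(ACCOUNTS, CONSENTS)
```

A PISP consent does not unlock the AISP path, so a payment initiator that asks for account information is refused rather than given a reduced answer.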
A third important change is the obligation for the Payment Service Providers to apply SCA (Strong Customer Authentication) to electronic payment transactions, based on at least 2 different sources (2FA: Two-factor authentication):
- Something which only the client knows (e.g. password)
- A device (e.g. card reader, authentication code generating device, token)
- Inherence (e.g. fingerprint or voice recognition)
The EBA (European Banking Authority) will provide further guidance on this notion at a later stage. It remains to be seen whether the current bank card with PIN code is sufficient to qualify as “strong customer authentication”. This “strong customer authentication” needs to take place with every payment transaction. The EBA will also be able to provide exemptions based on the risk/amount/recurrence/payment channel involved in the payment service (e.g. for paying the toll on the motorway or the parking).
PSD2 also introduces some other measures:
- Retailers will be authorized to ask consumers for permission to use their contact details, so as to receive the payment directly from the bank without intermediaries
- There will be a ban on surcharges on card payments
- There will be new limitations on the customer liability for unauthorized payment transactions
In a second article soon to be published on treasuryXL, François de Witte will focus on the impact PSD2 has on market participants.
François de Witte – Founder & Senior Consultant at FDW Consult and Senior Expert – Product, Business development and sales manager at Isabel Group