Background and relevance
On November 25, 2015, the Directive on Payment Services in the Internal Market II (PSD II; Directive 2015/2366) was adopted by the European Parliament and will enter into force on January 13, 2018. The PSD II is the successor of the Payment Services Directive (PSD I; 2007/64/EC) which entered into force in 2007 and provided the legal basis for the creation of an EU-wide single market for payments and, in doing so, promoted competition and efficiency.
The PSD II widens the scope of the PSD I as it covers new services and players, enables new participants to get access to payment accounts and revises the liability features for service providers and users. With the PSD II banks have to face manifold challenges such as higher competition in the payments area, the requirement to meet new regulations or adjustments in the banks’ digitalization strategy (e.g. the integration of real-time push payments). Based on profound experience in the European banking market and close exchange with our clients, zeb observed that banks are already aware of the challenges ahead. For example, most banks predict changes in their current strategy resulting from the PSD II and a vast majority expects an increase in competition. In particular, banks are afraid of losing the customer interface and that large parts of the current retail banking portfolio could be fully substituted and provided by Fintech companies, which offer lower prices and more customer-focused services.
Objectives of the PSD II
There are two main areas addressed in the PSD II for which innovations are developed and that banks and Fintech companies need to bear in mind in order to fully leverage opportunities arising from the new environment in the payments area and comply with the regulations.
1. PSD II improves consumer protection
The current PSD I is only applicable for types of payment services made in EU currencies provided they take place within the EU and if both the payer’s payment service provider (PSP) and the payee’s PSP are located in the EU (“both legs in the EU”). Art. 2 of the PSD II extends the scope to “one-leg transactions” and all EU transactions, irrespective of the currency. Thereby, “one-leg transactions” mean that it is sufficient if one of the two PSPs is established in the EU.
Art. 4 of the PSD II requires stronger customer authentication procedures when accessing a bank account online or when starting a payment process. In particular, the authentication must be based on the use of two or more independent elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). A breach of one element does therefore not compromise the reliability of the others and is designed to protect the confidentiality of the authentication data.
Moreover, the PSD II introduces increased security management and reporting requirements for PSPs. In particular, the treatment of operational and security risks and requirements for effective complaints procedures are further specified. PSPs need to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to their provided payment services. In case of major operational or security incidents, PSPs have to notify the respective competent authority without undue delay. Furthermore, PSPs are required to establish and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users.
2. PSD II affects the competitive landscape significantly
Another major aspect of the new PSD II regulation is the right for certain third-party payment services providers (TPPs) to access payment accounts of customers if they are licensed and the customers have given their explicit consent to the access. Practical examples are account aggregators or payment initiation service providers (ISPs). The ISPs can, for instance, obtain funding decisions for payments directly from consumer payment accounts and safe credit card commissions. Therefore, the bank that provides and maintains the customer’s payment account must grant TPPs access to account information of specific customers. The PSP is responsible for providing an application programming interface (API) in its IT systems to enable the exchange of data between PSPs and TPPs. Furthermore, the PSP is also responsible to “provide facilities to securely communicate with the account information service providers”[1] and also to restrict access if there is evidence that the activity is unauthorized or fraudulent. The PSP is barred from placing restrictions on third-party account information access and is prohibited from treating payments that go through third parties differently from those that come from customers directly. This includes applying added charges to those payments or treating them with lower priority.
The flexibility under PSD I allowing merchants to request a surcharge from the payer, with the option that member states may forbid or limit any such surcharging for their territory, has caused extreme heterogeneity in the market. The different regimes create problems and confusion for merchants and consumers alike, notably when selling or purchasing goods and services across borders via the internet. Under PSD II, surcharging is still allowed for payment cards that are not regulated by the MIF Regulation but strictly limited to the costs borne by the payee. For payment cards included in the MIF Regulation[2]—which represent more than 95% of the consumer card market—surcharging is no longer allowed. This provision is directly linked to the capping of interchange fees for debit and credit card transactions under the MIF Regulation and reduces the mark-up banks can collect for their services.
Major implications
One of the most significant changes resulting from the PSD II is that TPPs such as Fintech companies have to deal with increased regulations since they are now included into the scope of PSD II. In the short run, this may be rather a curse than a blessing for affected Fintech companies as they will face increased administrative work. However, in the long run, the situation can turn inside out and the benefits arising for Fintech companies, such as easier access to customer data and increased liability, which will likely result in a higher acceptance from a customer perspective, will probably outweigh the increased regulatory efforts.
Simultaneously, banks have to share their customer data—one of their key assets—with potential competitors, the TPPs. The related, but much broader General Data Protection Regulation (GDPR) additionally requires banks to ensure the portability of their customer data. Therefore, banks may be able to kill two birds with one stone when dealing with the PSD II and GDPR at the same time. However, the data is only shared between PSPs and TPPs if there is an explicit consensus between TPPs and customers about the processing of data and only to the extent necessary for the TPP to provide its service. With regards to the GDPR, it is also obvious that TPPs are only allowed to process the data for the single purpose they have been given consent for, e.g. aggregating different bank accounts.
Moreover, PSD II introduces enhanced requirements regarding a well-designed security risk framework and the reporting of incidents. Meeting this requirement is especially important as the GDPR requires similar processes from banks as the PSD II.
Conclusion
The PSD II is not only a set of new requirements banks have to comply with, it also offers major opportunities for banks if they act now, examine implications for the changing payment environment and adjust their digital strategy accordingly. Banks can, for example, exploit considerable potential from increasing digitalization and could thus save time and money by simultaneously addressing the PSD II together with other regulations, such as the General Data Protection Regulation (GDPR). The goal for banks must be to provide a customer journey with high-quality and customer-centered services by means of a highly automated secure and regulatory-compliant platform.
As one of the leading management consultancy for the banking sector, zeb supports the development of a future-oriented strategy focusing not only on the regulatory compliance with the PSDII frame but rather considering arising opportunities for banks. Decomposition of value chain, concentrating on effectiveness and efficiency to create competitive advantages or consideration of integrating new services and cooperating with fintechs are just some examples to be evaluated and considered.
