You know PSD2 is important, but somehow you haven’t got round to reading the full legal document. MEF’s Members have of course been preparing for some time for the forthcoming EU regulation and last week held a workshop to discuss MEF’s forthcoming guidelines to PSD2. Tim Green was there and explains some of the main points.
I could only content myself that I, not they, represent the detail-challenged hordes. Which makes me well-placed to write a primer. Here goes:
What is PSD2? It’s a new directive drawn up by the EU – the sequel to the much-loved PSD1 of 2009. What a movie that was.
Not enough information. What is it actually for? Essentially, EU law makers think lots of things are wrong with the way payments are handled across Europe. They want to make them faster, safer and more transparent. They think the same rules should apply across all 27 member states. And they want to bring new entrants into the market.
What kind of new entrants? Primarily what are called ‘payment initiation service providers’ and ‘account information service providers’ (also known as third party payment providers). Examples include Sofort, Ideal and Trustly (of which more later). Meanwhile, entities such as e-commerce marketplaces, gift card and loyalty schemes, bill payment service providers and public communication networks are all excluded from the scope of the PSD2.
When do they get to take part? Probably from 2017, when the directive is formally adopted by member states.
What stage is it at now, then? Get ready for some legal speak: the Council has still to approve the European Parliament’s position, which was published in October 2015. Once it is, the legislative act will be adopted. Then, after being signed by the president of the EP and the president of the Council, it will be published in the Official Journal. At this point it comes into force.
What took so long? Lawyers lobbying for tweaks and exemptions.
OK, so let’s get to the point. What are the big implications of PSD2? The first biggie is what they call Access to Accounts (XS2A). This means that banks will have to release APIs so that any third party – with your permission of course – can get access to your accounts. Merchants can use this to change the way payments are made.
Imagine you’re buying something online. Instead of giving the merchant your account details, you just give it permission to re-route you to your internet banking site where you complete the purchase. This changes the transaction from ‘pull’ (the retailer pulls the money from the account) to ‘push’ (you push it to the merchant). It also gives new entrants the chance to be the intermediary that manages the process. A bit like PayPal. Merchants could add a new button at checkout to let these third parties handle the transaction. There are already a few of these TPPs (trusted payment providers) in Europe such as Sofort, Ideal and Trustly. XS2A will make things easier for them, and bring new players into the market. It’s a pretty big deal.
Why? It challenges the banks to open up. They’re not used to this. And they have to update their legacy IT to cope with it. In a survey earlier this year, Finextra found that only 14 per cent of banks were confident that on ‘day one’ they would have APIs in place to support open access. XS2A is also interesting for payment acquirers and the card schemes. It could cut them out of the picture.
How else could XS2A change things? Well, there’s the whole AISP thing.
The what? AISP: Account Information Service Provider. These are new entrants that can use the account information to craft new products. One often-quoted example is that a price comparison site could ask to see all your bank accounts and then tailor the best offers for you. These kinds of services already exist – Mint in the US, for example. But traditionally they’ve had to get the actual PINs and passwords from users. With these new APIs they won’t need to see any of that sensitive stuff.
Sounds bad for the banks. Well, it depends. There’s nothing to stop banks becoming TPPs themselves. Also, they could embrace the API thing and cultivate relationships with developers. They could, for example, create app stores full of useful added value products. Some already are. The new ‘challenger’ banks like Fidor do this, and even traditional banks like Credit Agricole have set up trial projects. In fact, the Finextra study revealed 65 per cent of banks said they wanted to create their own app stores.
How does PSD2 make electronic payments safer? The EU is mandating ‘strong customer authentication’ which effectively means two or even three factor authentication. For mobile payments providers, this is all a bit old hat. But any PSPs that fail to apply would be liable for losses.
Finally, how does PSD2 affect carrier billing? It’s all about how it doesn’t really.
Explain. Well, the main thing is to get charge-to-bill exempted so anyone involved with it doesn’t need to be regulated.
And is it? Yes. But the scope of the exemption is changing from PSD1. Charity donations and ticketing purchased ‘via an electronic device’ will be exempt as long as they are purchased through carrier billing. The same goes for digital and voice services, regardless of which device they are purchased and consumed on.
Hang on. Some items in Candy Crush cost more than €50! Annoying, isn’t it?
Is there anything I can do to derail this whole PSD2 thing? Well, if you’re a UK reader, there is one thing: vote to leave the EU.
* MEF will be publishing a full guide to the PSD2 in the next few weeks