A lot has been written about Payment Service Directive 2 (PSD2) and there will be more in the coming months. The regulation has been pictured as disruptive. On one hand it paved the way for new entrant in an area which for decades operated in close fences.
On the other-hand it challenges positions of existent players by encouraging transparency. There were rare opportunities for startups, but all of that is about to change. Though despite its disruption, for those of us in the UK the whole PSD2 raises fresh
questions about its relevance after Brexit (refer to Britain exit from European Union). Before going any further, let's first refresh our memories about original PSD and PSD2. PSD2 extends the scope of initial Payment Service Directive (PSD), which was launched
in 2007. PSD was an attempt from the European Commission to bring harmony and set the stage for a European-wide payment standard framework. Right from the initial draft of PSD2, banks, payment processors, and retailers are nervous about its implementation
and there are serious questions that need to be answered around the implementation of PSD2. However, the scope of this article is not about implementation, and focuses mainly on the changing situation occurring after the 23rd of June when the UK opted to
come out of European Union (EU). Does the UK institute need to concern with PSD2 after Brexit? In this article , I will touch on what PSD2 is, the key changes it will bring, and touch on a potential area where the UK institute has to comply or at the very
least be aware of its impact.
The first Payment Services Directive was assembled in 2007, which created a framework for Single Euro Payments Area (SEPA) for payments made throughout the European Union (EU) and the European Economic Area (EEA). The aim of PSD was to create a level playing
field in payment domain, increase competition, reduce costs and increase payment efficiency.
PSD2 carries the same theme set out in the original Payment Services Directive with the focus on three key areas. The key inclusion are concepts and roles of third party providers, strong customer authentication, and one leg out transactions.
Third Party Provider
The introduction of third party providers (TTP) is considered the most significant change brought by PSD2. It fundamentally changes our relationship with the bank. This is the first time banks with their customer consent will allow third party access to
accounts. By allowing access to accounts, PSD2 creates two major roles for third parties to play.
1. Payment Initiation Service
It will allow payers to make payments using third party payment initiation service providers, which in turn using the mechanisms provided by the banks. Such mechanisms are largely referred to as APIs. APIs are basically a mechanism which facilitates developers to
easily access data. It is noticeable that under PSD2 banks are obliged to provide such access with customer consent. Payment initiation service will provide an alternative to card payments by moving money from payer accounts to merchants directly. This will
certainly hit card company revenues, at least in Europe.
2. Account Information Service
This will allow third parties to provide aggregated views of customer accounts. That means quicker, more transparent services, access to money and digital apps, which gives consolidated views of finances as well as more help to manage funds. For example, if
you have accounts in multiple Banks, you typically have access to accounts through each Bank platform, the account information services API encourage third party to provide a consolidated view of all the accounts.It is noticeable that PSD2 will not allow banks
to discriminate differently to payments initiated using third party providers than the one initiated through their own system.It is obvious that such access of accounts and payment initiation opportunity fuelled innovation by allowing technology startups to
operate into an area which was not available earlier. This means a level playing field for new entrant and incumbent fosters competition, innovation, and regulated environments.
Strong Customer Authentication
Regulators are well aware of security concerns raised due to inclusion of third parties in the area which was previously available only to bank-specific channels. PSD2 has taken that concern seriously and has laid down new security requirements for payment
initiation and account access. PSD2 brings the concept of Strong Customer Authentication (SCA), which is a more secure authentication mechanism that goes beyond two factor authentication (first factor : something a user already knows, such as a password and
second factor: possession like a mobile device code). SCA introduces a third dimension referred as inherence (something that identifies that customer, such as a finger prints or voice biometrics).
One Leg-out Transactions
One Leg-out transaction is an expression that emerged from the original PSD, which refers to the transactions where payers or recipients are based outside of the EU. In the original PSD, one leg-out transactions were out of scope. It was the only
EU currencies that were originally targeted. PSD2 extended the scope of the original PSD. Transactions in any currency where both the payers' and recipients' payment service provider is located in the EU come under PSD2 remit. Transactions in any currency
where either the payer's payment Service Provider (PSP) or the recipient's Payment Service Provider is located in the EU, irrespective of other PSPs located outside the EU, come under the PSD2 remit. PSD2 introduced more favourable refund opportunities for
direct debit.
Conclusion
PSD2 clearly disrupts the way bank and other Payment Service Providers operate. It also changes our relationship with the banks by introducing TPP. Though the majority of the disruption is caused due to the role of third parties and APIs. One leg-out
transactions would be of particular interest to UK payment provider. PSD2 offers favourable refunds rights for direct debit scheme, and the UK PSPs come under one leg-out transactions, and has to oblige to such rights. Direct debit is just one example of a
detailed impact analysis of one leg-out transactions that will be needed in the coming months to understand the scope.
This article is based on my own opinions developed after reading various articles and discussions about PSD2 inside and outside of my organisation, as well as in various industry groups. It’s part of a learning process, so if you want to challenge, correct, or
add to this in any way, please go ahead and leave a comment.