23 November 2017
James Higgins

Cash Management and Payments

James Higgins - AccessPay

1Posts 5,491Views 1Comments
Finextra community

Financial Services Regulation

This network is for financial professionals interested in staying up to date on financial services regulation happening anywhere in the world. CFOs, bankers, fund managers, treasurers welcome.

PSD2: Has enough been done?

24 October 2017  |  5492 views  |  4

PSD2, the much vaunted reimagination of the original EU Payments Services Directive, is to be implemented by member states in 2018. The aim of PSD2 is to revolutionise the payments industry, influencing everything from the way we pay online, to what information we see when making a payment.

The Big Changes

The headline change PSD2 is set to deliver is the dissolution of the major banks’ monopoly of their users’ data. Only with explicit permission, approved third parties, often referred to in industry literature as ‘merchants’, will be granted the ability to retrieve a person’s account data from their bank. It will mean that when an individual purchases something, this third party can make the payment directly, without having to redirect the customer to another service (eg PayPal or Visa).

For consumers and businesses who hold multiple bank accounts, the changes will also allow providers, known in the legislation as Account Information Service Providers (AISPs), to display all account information in one place, allowing for unprecedented real-time visibility of multi-banked cash positions and finances.

PSD2 will also require more robust identity checks when paying online. Like various elements of the directive, specifics are still being defined, but checks will undoubtedly become more rigorous and necessitate more permissions from the purchaser, particularly for high value transactions.

But is it enough?

With the changes that are coming, including some pretty major ones, a question that no-one has really thought to ask (or maybe even dare to ask!) is; has PSD2 gone far enough? In order to answer this question, as well as seek to explain why it even needs to be asked, there are certain themes within PSD2 that need a little scrutiny.

Getting technical

One of the key ways that PSD2 will open up the market, is by implementing a standardisation of how the banks share data with approved third parties. This is a big and necessary step that has rightly been applauded. That is, until we scratch at the surface and realise that no technical standards for the sharing of this data have been delineated at all. And we may not see any until as late as 2019.

The likely reasoning for the delay in technical standards is that changes to technical architecture to facilitate standardisation, is a lengthy process. Therefore, technical standards cannot be released for another couple of years. However, such a view is short sighted when countered with the reality that the banks have to provide the data in some form in January 2018, and we will therefore see a proliferation of different standards and data formats.  Navigating this will be impractical for customers, delaying the benefit of PSD2, and leading to an unnecessary burden on the banks to re-architect solutions when the technical standards finally are released.  It was October 2015, that the European Parliament adopted the European Commission proposal to create safer and more innovative European payments, i.e. PSD2. Obviously, the proposal had been floating around for some time before that, so there has been ample time for all interested parties to act on technical standards.  Without this guidance on standards, consumers will, as will those banks wanting to take advantage of the new regulation themselves, as they will have to manage a range of data formats as wide as their nostro network. 

Exclusion of the corporations

With even the most cursory of glances at the finer points of PSD2, it is clear that this is a directive with the consumer and retail in mind. Removing the spotlight from the corporate sector is perhaps understandable. Since the 2008 global financial crash, big business has come under renewed scrutiny. Scandals involving tax avoidance and evasion, exorbitant CEO salaries whilst shop-floor workers barely survive on zero-hour contracts, environmental negligence, and an array of other unscrupulous business practices have soured public opinion.

PSD2 appears to be an attempt to redress the balance by making the paying public the almost sole focus of attention, but how wise a move is this? After all, the corporate sector in most EU member states is an enormous contributor to tax revenues. Any enhancement of payment processes for the sector will likely aid quicker and more secure transfers of capital, boosting business opportunity and growth, and thus swelling treasury coffers across the continent. The lack of focus on the corporate sector from the directive appears a risky move.

Lack of a roadmap

“Roads!” bellowed Doc Brown in the final scene of Back to the Future, “Where we’re going, we don’t need roads!” Unfortunately, this sentiment also seems to be shared by those whose job it is to assemble the European Payments Directives.

The original Payments Services Directive (PSD1) was a ground-breaking piece of legislation, but was always going to need updating at some point, in line with technological advancements and consumer demands. After the enactment of PSD1, the regulator and EU Commission should really have built a roadmap with a clear vision of how payments processes needed to evolve and improve going forward.

For all the changes PSD2 brings, many of which are welcome (if not a little overdue) it still has that feel of ‘sticky plasters’ being applied to an original. One can only assume that in time work will begin on PSD3, PSD4, PSD5, each one unleashed on a public with the same frequency, and, quite possibly, to the same sense of anti-climax as the latest smartphone or games console.

A roadmap, with defined checkpoints, goals, and target groups for each stage would surely clarify thinking and pave the way for a proactive approach to payments, rather than the current, largely reactive approach.

Coming to the rescue

OK, ‘to the rescue’ might be a bit grandiose, but FinTech companies have been quietly working away whilst PSD2 has been under construction, ready to deliver on the directive’s objectives whether they are delivered or not.

We are at a point now where real-time banking information, bank agnostic solutions, and the development of richer data sets will all be set for enterprise organisations and multinational corporates to utilise and enjoy. The opportunities are out there, but customer value and experience could be so much enhanced with technical standards and a long range roadmap. 

As ever, as the industry is getting itself ready; FinTech players are once again leading the way.

PSD2: Has enough been done? TagsRisk & regulationInnovation

Comments: (5)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 26 October, 2017, 09:56

Third-party PFM / MoMMAs like MINT have asked and received online banking credentials from millions of people. With these creds, they've been in a position to access every bit of banking info that accountholders can themselves access. This has been happening for over a decade. 

TBH, I fail to understand what's the big deal about lack of technical standards for customer data sharing in PSD2.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
James Higgins
James Higgins - AccessPay - Manchester | 26 October, 2017, 10:48

Thanks for the comment Ketharaman.  MINT are operating in the retail consumer space whereas I'm focussed in this post on the corporate customer.  Handing over of online banking credentials to third parties breaches security policy for many of these organisations.  The same organisations do however want the benefits that an AISP can deliver to their multi-bank portfolio.  Without the technical standards, then there will inevitably be a proliferation of data formats, some of which may not be machine readable, some of which may come from APIs and others from Host to host connections.  Will the AISP be able to deliver the products and services customers are hoping for under PSD2 without defined technical standards?  I think it's going to be difficult.  

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 26 October, 2017, 12:15

@JamesHiggins:

TY for your reply.

When I read "Without this guidance on standards, consumers will, ...", I thought you were referring to retail consumers.

From your line "With even the most cursory of glances at the finer points of PSD2, it is clear that this is a directive with the consumer and retail in mind. Removing the spotlight from the corporate sector is perhaps understandable.", I never thought you were referring to corporate customers.

Now coming to technical standards for data interchange, back in 2011, this was brought up as an issue. As I'd highlighted in my personal blog post How Many PFMs Do We Need at the time, there were at least two standards available at the time (apart from proxy login by PFM by using customer's online banking creds) viz. OFX and QIF. More recently, as I'd highlighted in my Finextra post, OFX-API is yet another standard.

IMO, data interchange standards are aplenty. The real problem lies in finding a way to objectively establish that PFM accessed only the permitted info and nothing more AND still maintain frictionless nature of PFMs, as touted by their vendors.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Roberto Garavaglia
Roberto Garavaglia - Innovative Payments Strategy Advisor - Milan | 26 October, 2017, 20:10

@Ketharaman:

You're definitely right when you say that the real problem lies in finding a way to objectively establish that AISP accessed only the permitted info and nothing more, by - still - maintain frictionless nature of their services.

In fact, looking at in depth PSD2 and the Final Draft of EBA RTS on SCA & CSC, one can see:

1)   AISP (PFMs or something like that) access only the information from designated payment accounts and associated payment transactions (PSD2 Art.67.2.d)

2)   ASPSP (banks and any other PSP) shall provide AISP with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly requesting access to the account information, provided that this information does not include sensitive payment data (FINAL REPORT ON DRAFT RTS ON SCA AND CSC Art.31.1.a)

Since what I put in bold is fairly clear that refers to only “payment data” (for instance, no portfolio’s data must appear), it’s arguable that the ASPSP is liable for providing AISP the same information made available to the payment service user when directly requesting access to the account information, provided that this information does not include neither sensitive payment data nor “not-payment” data.

 

IMHO, I think ASPSP can/(must) follow such a flow:

 

WHO’S ACCESSING THE ACCOUNT?

1)   The Payment User via an AISP (ASPSP must be able to detect this independently to the interface used by AISP)

  • Has Payment User given the consent to access the account via TPPs?

                                     i.    YES -> Provide stream data by obscuring sensitive payment data and “not-payment” data;

                                    ii.    NO -> Sorry data not accessible goodbye;

2)   The Payment User himself

  • Provide stream data with no obscuration;

3)   Goodbye and enjoy your reading;

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 27 October, 2017, 19:56

@RobertoGaravaglia:

TY for the clarification.

As they say, proving the negative is one of the toughest things in law. But, we're not yet there. The challenge is in explaining this to the common man well before and doing it in a simple manner. Without that, consumer adoption of PFM might be a big challenge.  

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from James

PSD2: Has enough been done?

24 October 2017  |  5492 views  |  4 comments | recomends Recommends 0 TagsRisk & regulationInnovationGroupFinancial Services Regulation

James's profile

job title Product Director
location Manchester
member since 2017
Summary profile See full profile »
With more than a decade of experience in the banking sector, having held a number of cash management and FX technology focused roles at BNY Mellon and Morgan Stanley, James has all the knowhow to help...

James's expertise

Member since 2017
0 posts1 comments
James writes about
Risk & regulationInnovation
James's blog archive
October 2017 (1)

Who's commenting on James's posts

Ketharaman Swaminathan
Roberto Garavaglia