PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure in Europe, boost innovation and help banking services adapt to new technologies. PSD2 is evidence of the increasing importance Application Programming Interfaces (APIs) are acquiring in different financial sectors.
The new regulation, which progressively began entering into force between January 13, 2018 and September 14, 2019, entails fundamental changes in the industry as it gives third parties access to bank infrastructure.
1. What is PSD2?
It all began in 2007, with the Payment Service Providers Directive (PSD), which sought to contribute to the development of a single payment market in the European Union to promote innovation, competition and efficiency in the EU.
In 2013, the European Commission proposed an amendment (that’s where the two comes from in PSD2), which aimed to enhance these objectives. It seeks to improve consumer protection, boost competition and innovation in the sector and reinforce security in the payments market, which is expected to facilitate the development of new methods of payment and ecommerce.
2. What are the biggest changes?
The changes will have multiple implications, many of which are still unknown, but banks opening their payment services to other companies, the so-called Third Party Payment Services Providers (TPPs), is causing the most commotion.
PSD2 regulates and harmonizes two types of services that were already in existence when the first PSD was adopted in 2007, but which have become more popular in recent years: on the one hand, the Payment Initiation Services (PIS); and Account Information Services (AIS) on the other.
Account Information Services (AIS) include the collection and storage of information from a customer’s different bank accounts in a single place, allowing customers to have a global view of their financial situation and easily analyze their expenses and financial needs.
Meanwhile, in Payment Initiation Services (PIS), other providers facilitate the use of online banking to make payments online. These services help to initiate a payment from the consumer’s account to the merchant’s account by creating an interface to bridge both accounts, filling in the information needed for the bank transfer (amount of the transaction, account number, message) and informing the store of the transaction. PSD2 also allows clients to make payments to a third party from a bank’s app using any of the client’s accounts (whether they belong to this entity or not).
So far, TPPs have faced multiple obstacles that have prevented them from offering large scale solutions in the different countries of the European Union. By eliminating these barriers, greater competition is expected due to the arrival of new players and the provision of these services by existing actors. In return, the TPPs will have to comply with the same rules as traditional payment service providers: registration, authorization and supervision by competent authorities.
The other major development in PSD2 is the introduction of new security requirements, what is known as Strong Customer Authentication (SCA). This involves the use of two authentication factors for bank operations that were not previously required, including payments and access to accounts online or via apps, as well as a stricter definition of what counts as an authentication factor.
Continuing with the example of online purchases, customers will notice changes in the way they authorize their purchases, primarily in the authentication factors they use: reinforced authentication becomes the default level of security, and the information written on the card (card number, expiration date and CVV) will no longer be a valid authentication factor.
3. How is the new regulation put into practice?
In terms of security, banks had to update the authentication elements they provide their customers, replacing coordinate cards or tokens with cell phone messages or more advanced tokens, for example.
In addition, they had to develop systems and processes that allow the bank to make use of the exceptions permitted by the strong customer authentication regulations for transactions whose risk is considered low.
In terms of TPP access, although PSD2 never explicitly mentions APIs, most professionals in the technology and finance sector presume that APIs will be the technical medium that will allow banks to comply with the regulation’s requirements. However, this expectation has not fully materialized yet due to the authorities delaying the publication of regulatory technical standards and the ongoing debate among different actors in the market. This has pushed back the establishment of common standards and protocols.
In any case, regardless of the technical mechanism that is developed, PSD2 now makes it possible for consumers to authorize a third party to aggregate their financial information and make payments from their bank account on their behalf.
4. And when will all of this take place?
Although several delays have occurred in the development of this regulation (delays in the transposition of the directive into local regulation and the European Banking Authority (EBA) postponing the creation of technical standards to regulate third party access and strong authentication), PSD2 began gradually entering into force in January 2018.
However, the biggest regulatory milestone was the authentication and third party access requirements entering into force on September 14, 2019.
That said, not all of these technical requirements have entered into force due to the possible negative impact that PSD2 taking effect could have on ecommerce. As a result, financial institutions had an additional transition period whose maximum duration had been established by the EBA as December 31, 2020.