October 2015 may well be remembered as the month that changed the way payment processors, banks, lenders and other financial services players operate in the EU. With the long-awaited revision of the Payment Services Directive released, FinTech is on the rise. Find out why.
Do you know what PSD is? No, I don’t mean the Photoshop file format. This acronym stands for Payment Services Directive, and you should be aware of what is coming soon in the EU as a result of the latest PSD rules. The PSD2, adopted by the European Parliament on October 8, opens a whole new world of possibilities for the banking and financial industry.
The first version of the Directive, the PSD, was adopted in 2007. It provided the legal foundation for an EU single market for payments and established safer and more innovative payment services across the EU. Building on that document, in 2013 the European Commission proposed the updated rules that became the PSD2.
A lot has changed in the banking environment since the first PSD came into force. New players arrived from the world of IT innovation, offering services that banks did not previously provide. These newcomers were mostly third-party companies acting as middlemen between clients (and their banks) and merchants or other financial institutions. Their services and practices were unregulated and, as such, regarded by banks and many potential customers as insecure and risky. The need for standards in this area soon became apparent, and the PSD2 addresses it.
AIS, PIS, banks and us
The third-party providers in the PSD2 are referred to as account information services (AIS) and payment initiation services (PIS). Both access a client’s financial data stored in the closed environment of the banking system; the difference lies in the purpose of that access.
AIS collect and consolidate information on a consumer’s different bank accounts in a single place. Imagine a financial platform that gives you a global view of your financial situation, analyzes your income, expenses, savings and loans, and suggests better deals on the market based on what you currently hold at your financial institutions. Imagine applying for a loan or a credit card as a total stranger at a new bank and getting the decision within seconds. Imagine transferring everything from your old account to a better one at another bank with just one tap or mouse click…
PIS use online banking to make Internet payments. They initiate a payment from the user’s account to the merchant’s account by creating a software “bridge” between the two accounts, filling in the information necessary for a transfer (transaction amount, account number, message) and informing the merchant once the transaction has been initiated. Since as many as 60% of EU citizens don’t have a credit card, this technique lets customers pay for online goods immediately instead of waiting on their banks’ transfer schedules. And merchants, companies and individuals alike, don’t have to sign up to, and pay for, any payment service provider: an online bank account is all they need to receive money from their buyers instantly.
Reality kills, the PSD2 heals
Unfortunately, until now AIS and PIS providers in the vast majority of EU countries have had no official, approved “channel” (i.e. an Application Programming Interface, or API) through which they could communicate with banking systems. They were forced to use workarounds such as “screen scraping”: logging in to clients’ accounts with the clients’ own credentials and obtaining the necessary information by mimicking user activity in a web browser. From a security standpoint this is the worst of both worlds: the customer has to hand a full set of online banking credentials to a third party, and the bank cannot tell the third party apart from the customer, so it can neither limit what that party may see or do nor audit it separately.
What’s worse, some national regulators restricted or even banned this kind of data aggregation; the Polish Financial Supervision Authority (KNF), for example, advised banks not to use any form of external APIs.
The only help for these innovative services could come from an updated PSD, and so it did. Under the PSD2, all AIS and PIS providers already established in the market can continue their activities. Moreover, EU countries are required to maintain the status quo, allowing these third-party providers to operate under the currently applicable regulatory framework.
This green light for existing AIS/PIS solutions is great news, but the most promising part of the PSD2 is the set of requirements the EU member states must meet within the next two years: payment service providers will be authorized and regulated, and the client’s financial information currently held closely by banks will become available to these legitimate third parties, of course only when the client consents.
Contextual and secure API
The service providers will not have full access to the user’s account. Those offering payment instruments or payment initiation services will only be able to obtain from the payer’s bank a confirmation of whether funds are available (just a “yes/no” answer) before initiating the payment, and only with the payer’s explicit consent. Account information service providers will receive only the information the user has explicitly consented to, and only to the extent necessary for the service provided to that user.
The PSD2 introduces strict security requirements for the initiation and processing of electronic payments. Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. SCA is an authentication process that validates the identity of the user of a payment service, or the payment transaction itself. It is based on two or more elements from the categories of knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. a card or a device that generates authentication codes) and inherence (something the user is, e.g. a biometric). These elements must be independent, so that the compromise of one does not undermine the reliability of the others, and designed to protect the confidentiality of the authentication data.
For remote transactions, such as online payments, the security requirements go even further: the authentication code must be dynamically linked to the amount of the transaction and to the payee’s account. If either is altered after the user authenticates, the code no longer matches, which protects the user against both mistakes and fraudulent tampering with the payment.
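To make the dynamic-linking idea concrete, here is an added example that is not part of the original article and does not reproduce any bank’s or the Directive’s prescribed scheme. It is an illustrative construction: a device secret (possession) is combined with a PIN (knowledge) into a key, and the authentication code is an HMAC over a per-payment challenge plus the canonical amount and payee IBAN, truncated to typeable digits in the style of RFC 4226. The device secret, PIN, IBANs and amounts are constructed sample values; the function names are the example’s own.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed sample values. A real deployment would provision the device
# secret at enrolment and the bank would draw a fresh challenge per payment.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER_PIN = "4921"


def derive_device_key(device_secret: bytes, pin: str) -> bytes:
    """Combine possession (device secret) and knowledge (PIN) into one key.

    A wrong PIN simply yields a different key, so every code it produces fails
    verification without the device ever storing the PIN itself.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000, dklen=32)


def canonical_payment(amount: str, payee_iban: str) -> bytes:
    """Fix the representation so '10.5' and '10.50', or an IBAN typed with
    spaces, link to the same code."""
    amt = Decimal(amount).quantize(Decimal("0.01"))
    iban = "".join(payee_iban.split()).upper()
    return f"{amt}|{iban}".encode()


def transaction_code(key: bytes, challenge: bytes, amount: str,
                     payee_iban: str, digits: int = 8) -> str:
    """Authentication code dynamically linked to amount and payee.

    HMAC-SHA256 over the bank's one-time challenge and the canonical payment
    details, truncated to `digits` decimal digits the user can read from the
    device and type in (dynamic truncation as in RFC 4226).
    """
    msg = challenge + b"|" + canonical_payment(amount, payee_iban)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def bank_verify(key: bytes, challenge: bytes, amount: str,
                payee_iban: str, code: str) -> bool:
    """The bank recomputes the code from the payment order it actually holds,
    not from anything the client or an intermediary claims."""
    expected = transaction_code(key, challenge, amount, payee_iban)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """One legitimate payment followed by several manipulation attempts."""
    key = derive_device_key(DEVICE_SECRET, USER_PIN)
    challenge = secrets.token_bytes(16)  # chosen by the bank for this payment

    amount, payee = "125.00", "DE89 3704 0044 0532 0130 00"
    code = transaction_code(key, challenge, amount, payee)

    # An attacker who knows the device secret but not the PIN
    wrong_pin_code = transaction_code(
        derive_device_key(DEVICE_SECRET, "0000"), challenge, amount, payee)

    return {
        "legitimate": bank_verify(key, challenge, amount, payee, code),
        # Same code, but amount or payee altered in transit
        "amount_changed": bank_verify(key, challenge, "1250.00", payee, code),
        "payee_changed": bank_verify(
            key, challenge, amount, "DE89 3704 0044 0532 0130 01", code),
        # Knowledge factor missing
        "wrong_pin": bank_verify(key, challenge, amount, payee, wrong_pin_code),
        # Old code replayed against a new payment's challenge
        "stale_challenge": bank_verify(
            key, secrets.token_bytes(16), amount, payee, code),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} {'accepted' if accepted else 'rejected'}")
```

Only the legitimate case is accepted; changing the amount by one digit, the payee by one digit, using the wrong PIN, or replaying the code under a different challenge all fail. The bank must verify against the payment order as it will execute it, since a code computed over attacker-controlled fields proves nothing.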
The impact of the PSD2 on the banking and financial world could be enormous: new players, new services, new experiences and a more competitive environment, leading to lower costs and better deals for consumers. Just wait and see.
by Darek Rzeźnicki