The banking industry as you know it is about to radically change. And it’s all because of the revolutionary EU regulation called the PSD2 (Revised Payment Service Directive).
In simple terms, PSD2 will force banks to give up their monopoly on precious consumer data, allowing third-party providers (commonly known as TPPs) to access this treasured information, as long as consent is given.
In other words, the keys to valuable customer data vaults will become openly available.
The PSD2 could be thought of as the EU’s way of saying: “We want to drive greater competition and innovation in the banking sector.”
This spells out a near future in which Facebook, Google, FinTech startups and even telecommunication firms will begin to encroach on banks’ territory to offer bill payments, P2P money transfers and any other adjacent financial service you can think of. These new companies will change how you run your business accounts forever.
The PSD2 therefore marks an important moment in the history of finance, by creating two distinct eras: a time before the directive, when banks mostly ruled the game, and the time after the directive, when banks will not only have to compete against other banks, but also against a growing world of TPPs offering smart money solutions too.
To better understand the new world that the PSD2 will create, we have come up with a helpful guide of FAQs regarding its impact on the future of banking, including:
- What does PSD2 mean for banks?
- What does PSD2 mean for customers?
- Are PSD2 and open banking the same?
- When does PSD2 come into force?
- Where did PSD2 come from?
- How do companies become PSD2 compliant?
- What comes after PSD2?
What does PSD2 mean for banks?
As a result of PSD2, legacy banks will lose their long-held traditional advantages. As it stands, the banks’ advantage lies not in their financial capital, but in the volume of data about their customers they have access to.
This transactional data is so valuable because it can be used to sell customers relevant banking products and services. Having this knowledge has historically given banks the edge — they were the only ones with visibility on important financial user data like inheritance deposits, credit history or bank loans.
However, the PSD2 is perhaps one of the most disruptive challenges presented to banks this decade because it will strip away their monopoly on data. This thereby opens the floodgates for a new wave of competition from multiple directions. In turn, we’ll see a strategic and operational shift in banks as they work to adapt to a financial ecosystem in which they have to share databases with countless new players.
With this more competitive landscape comes the necessity for banks to invest in innovation labs and build collaborative partnerships with TPPs. Banks will also need to invest in new security requirements and the infrastructure to open up their APIs to share transactional data safely.
The disruptive potential of the PSD2 demands a clear assessment of risks. Failure to engage with this leaves legacy banks at risk of becoming irrelevant within the new financial ecosystem.
What does PSD2 mean for customers?
Post-PSD2, customers will have significantly more banking options to choose from. When using a financial product or services, users can consent to TPPs accessing their data to create smarter solutions.
This access to customers’ transactional data drops a lot of market-entry barriers. Non-banks can now compete with traditional banks, and customer demand for innovation and digitalization will increase. A likely result will be that the average customer will diversify to use a portfolio of financial service providers, rather than just relying on a single bank.
This increase in diversity is enabled by two new figures created by PSD2, Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP).
An AISP organization is licensed to use a bank’s API to allow for account aggregation of customer data in order to provide better financial accounting services, such as the Account Aggregation engined offered by Unnax. Personal finance mobile applications that manage and track savings, debt and expenses using bank’s open API are a good example of this at work.
PISP organizations are involved in executing direct payments via direct bank transfers from a user’s bank account. Instead of paying by credit card or logging into your bank to provide banking information to make a payment, PISPs including Unnax’s Payment Initiation Engine use open API to make the payment directly. Customers simply give the PISP authorization to make the payment, and the transaction is then executed on the user’s behalf by interfacing directly with the bank’s technological infrastructure.
Are PSD2 and open banking the same?
Not quite. In this context, the concept of open banking usually refers to the Open Banking Implementation Entity (OBEI) initiative that was created by the UK Competition and Markets Authority (CMA) to promote a financial services future fed by open data. This Open Banking regulation made it mandatory for the top nine largest current account providers in the UK to open up access to information on consumers’ payments, accounts and bills in a single place through TPPs by January 2018, with all of them managing to do so. Moreover, this Open Banking initiative only applied within the UK.
The PSD2 comes at a later date, is much broader and impacts all payment account providers in the EU, including the UK. Under the UK’s Open Banking initiative, a single, open platform to view customer data, such as an open API, had to be implemented by the UK’s top nine banks. The PSD2 builds on top of Open Banking, allowing the movement to spread while proving to be more expansive, including both payment and current account providers, as well as more secure thanks to amendments on fraud prevention. However, the regulation doesn’t set concrete parameters in the way that Open Banking did, choosing instead to have individual countries hash out technical details that must fit within their legal framework.
This means that UK banks will still have to be PSD2-compliant, adhering to EU Commission rulings on Regulatory Technical Standards (RTS), including on strong customer authentication (SCA) and secure communication. Currently, the Berlin Group is actively funding a task force called NextGenPSD2 to identify and resolve the greatest implementation challenges — SCA and payment initiation services — through an Access to Account (XS2A) Framework.
When does PSD2 come into force?
PSD2 was adopted on January 12, 2017. EU member states had until January 18, 2018 to enforce PSD2 into national law and to ensure local banks began following the regulation.
However, the implementation has not gone as smoothly as hoped. As of the first deadline to meet PSD2 compliance in March 2019, only about half (41%) of EU banks have managed to become PSD2 compliant, according to a survey of 442 European banks conducted by Swedish FinTech firm Tink.
The next PSD2 compliance deadline is September 14, 2019.
At the moment, given issues faced during the first deadline, even banks that have large resources may continue to struggle to implement the IT, security and structural overhauls required of them. Continued failure to meet further deadlines would hinder the open banking movement – as TPPs would remain sidelined, awaiting the opportunity to access banks’ APIs.
Where did PSD2 come from?
As the official name suggests, the PSD2 is a second iteration of the first payment service directive of the EU. The original PSD was adopted in 2007 with the mission of laying down a single set of rules across the whole European Economic Area (which includes Norway, Iceland and Liechtenstein) to govern all types of electronic and non-cash payments.
Under this original PSD, payment service providers faced new regulations that forced them to inform users about their rights, affecting credit transfers, direct debits, card payments, and mobile and online payments.
Perhaps most groundbreaking was the regulation’s founding rules for creating the Single Euro Payments Area (SEPA), which now allows customers and businesses to make euro payments under the same conditions in the eurozone.
Since the PSD, many financial service entrants have been operating outside of the benefits of this regulation, prompting the ECB to take action to provide an update that covers FinTech companies and a future blueprint for a Digital Single Market. Thus, the PSD2 was born.
How do companies become PSD2 compliant?
To become PSD2 compliant, companies must adhere to the latest revision of the Regulatory Technical Standards (RTS) set forth by the EU Commission on March 18, 2018. The legislation includes a list of new security measures and technical standards that must be met by banks.
One of the subjects of greatest debate within the RTS is compliance with the strong customer authentication (SCA) regulation. In a nutshell, SCA requires that banks add new layers of authentication when customers make online purchases. For instance, previously, customers simply entered their card number and CVC code to make a purchase. Under PSD2, that is no longer sufficient.
To comply with SCA, banks have begun to implement an improved security protocol called 3D Secure, which was first launched in the early 2000s. With this tool, it will be easier for banks to collect SCA-required information at the time of the transaction.
What comes after PSD2?
The PSD2 represents the first step in creating a Digital Single Market for the EU. It builds upon the public’s new perception of customer privacy, including the open data and GDPR movements, and instills a greater adherence to best practices in anti-fraud measures to fight against growing cybercrime threats.
Perhaps most importantly, the PSD2 creates a new rule book from which companies of all sizes and backgrounds stand to gain, in the form of access to precious data. This is the future of FinTech.