What’s the deal with PSD2?
If you’ve been following any conversations on payments or fintech, you’ve probably heard about ‘PSD2’. It’s applicable from January 2018 and there’s been a lot of discussion about all the changes it could bring, but what exactly is PSD2?
First, let’s take a step back. The first Payment Services Directive (PSD) came into force in 2009. The Directive was developed by the European Commission and then transposed into national law by each of the Member States. The aims of that first Directive were to:
- Create an integrated payments market across the EU and encourage competition and innovation
- Create a new category of regulated firms that could provide payment services
- Establish a set of rights and obligations that apply both to payments providers and to consumers
Many companies, including GoCardless, took advantage of the opportunities PSD presented for new players to provide innovative payment services and to expand across the EU.
Since then, there have been changes across the market and brand new services have launched that the first PSD doesn’t cover. The regulators have also seen a need for stronger consumer protections and want to encourage even greater innovation. This has led to the development of PSD2, also known as the Revised Payment Services Directive.
Ok, so how does PSD2 differ from the first PSD?
There are several updates and changes, though the core of PSD2 remains similar to the first PSD. Key additions include:
- The creation of two new categories of payment services (Payment Initiation Services and Account Information Services) which mean that providers of these services will need to be authorised
- Changes to the types of providers and payment services that will be exempt, to create greater consistency across the EU
- Common and secure standards of communication between the various parties to an electronic payment
- Requirements for ‘Strong Customer Authentication’ for account access, electronic payment and remote communications
- A ban on surcharging for the vast majority of card payments
Isn’t it all about APIs?
You’ve probably heard quite a bit about open banking APIs and the potential impact they will have on the market. Banks and other payment account providers must allow third parties (with customer consent!) to access customers’ accounts and account data. In practice, this means that some form of open API will probably be needed across the market, and the European Banking Authority (EBA) has been tasked with developing the common and secure standards that will apply.
This will enable consumers and businesses to use innovative services to initiate payments and better manage their finances. For example, businesses collecting payments may be able to check a payer’s account for funds before a payment is initiated, leading to reduced failures. Consumers might use an account information service provider to see all their finances at a glance in real time, with information pulled directly from their accounts.
Will my data be protected when it’s shared?
Of course, access to financial data requires protection. PSD2 outlines requirements for ‘Strong Customer Authentication’ (SCA). Account providers will need to make sure that account data is only accessed by Trusted Third Parties (TTPs) with the explicit consent of customers according to the requirements of SCA. Remote electronic payments (i.e. those taken through mobile or the internet) will also be subject to SCA.
When is all this happening?
Banks, regulators and payment service providers are working on implementing these changes as we speak. There is a lot to coordinate and the technical standards for these changes are still being hammered out. The EBA is due to deliver its recommendations by 13 January 2017.
We expect that some banks are ahead of the curve and providers such as ourselves will be able to test out their APIs soon, while others may take longer to launch.
However, PSD2 is just one driver for change in this area. Separately, UK regulators have been leading a project to open up access to banking services and stimulate competition through innovation. The Competition and Markets Authority (CMA) in the UK recently mandated the nine largest banks to create open APIs by early 2018, and the UK’s Payment Systems Regulator is keen for this open access to be rolled out more widely, so the UK may be the first market where we see significant change.
What does this mean for me?
Most of the changes will be happening behind the scenes, so consumers and businesses will mainly see new products launch, as well as improvements to the services they already use. There’s lots of talk about how the opening up of data could help provide greater access to finance while also enabling the development of better financial products tailored to customer needs. More tangibly, you may see the way you authorise payments online change to be compliant with SCA.
Some of the items coming out of PSD2 (like SCA) are significant topics in their own right. We’re paying close attention to them. GoCardless is well positioned to take advantage of the changes taking place and leverage these opportunities to make collecting payments online even easier and more secure. Stay tuned!