When the Payment Services Directive (PSD2) replaces the PSD in January 2018, it will have wider scope to cover new payment services created by a period of innovation. The legislation aims to improve consumer protection and competition, and drive innovation. Tom Hay, head of payments at Icon Solutions, writes.
PSD2 has created turbulence because it mandates banks to provide customer account access (XS2A) to third-party payment providers (TPPs), transparency of payment charges, and strong customer authentication for all electronic transactions.
Despite years of negotiations between the European Parliament, Council and Commission, critical parts of the legislation remain ill-defined. For example, with XS2A a bank that “provides a mechanism for indirect access should allow direct access”. None of the legal experts I have consulted have been able to explain the difference between “indirect” and “direct”.
Regarding authentication, another clause says: “Where the payee or PSP of the payee fails to accept strong customer authentication, it shall refund the financial damage caused”. However, the payee does not determine the type of customer authentication and therefore can neither accept nor reject it. With the legislation littered with perplexities like these, rule makers have asked the European Banking Authority (EBA) to iron out the details by drafting Regulatory Technical Standards (RTS). The document covering strong customer authentication and secure communication is due in summer 2016.
The EBA’s statement that it will need to “make difficult trade-offs between competing demands” highlights the difficulties it faces. In any case, it is unrealistic to expect the RTS to resolve the ambiguities. After all, the EBA’s discussion paper acknowledged that the need to allow for innovation requires high-level requirements that provide certain flexibility.
This continued uncertainty is stifling market progress. PSD2 is designed to boost innovation, but what we are actually seeing is ‘planning blight’. Market participants cannot plan innovative new products, services and features because they do not know what will be allowed and what will be outlawed.
And even if the RTS rules are clear, they do not come into force until October 2018, 10 months later than PSD2. Which begs the question – why continue with a January deadline?
Taking a wider view, the potential of API technology has been overshadowed by a myopic focus on PSD2. Banks need to open up new revenue streams and the innovative use of APIs is central to this. Rather than exploring their transformative strategic potential, banks are increasingly fixated on PSD2 compliance.
The counterproductive nature of the regulation is most apparent when we look at PSD2’s stated objective to “make payments safer and more secure”. Central to this is the requirement for PSPs to apply “strong customer authentication” when payers initiate “an electronic payment transaction” – effectively two-factor authentication.
Given that security measures are growing in sophistication and that the drive is constantly towards a frictionless experience for consumers, there will be some conflict between the direction that industry and regulators wish to travel in. It’s unclear whether consumers will benefit from these mandated security procedures given that existing liability provisions already protect consumers from loss.
On the contrary, it may provide a boon for fraudsters as consumers will need to provide banking security credentials (rather than card security credentials) to initiate payments, which can easily be stolen through phishing sites. After years of telling consumers to keep bank credentials to themselves, rule makers are now asking them to splash them all over the web. It’s also likely to reduce customer convenience, as simple one-click checkouts like Amazon and PayPal become outlawed.
Visa and MasterCard attempted to increase online security by introducing 3D Secure, which is hated equally by customers who see it as intrusive and difficult, and merchants who can measure the number of sales that are abandoned at that stage.
If PSD2 mandates the use of two-factor authentication, the majority of which relies on cumbersome one-time-passwords, the effect will be a similarly negative impact on the adoption and usage of these new payment methods. One alternative to imposing intrusive security measures is innovation in risk management.
For example, Klarna has built a $2.25bn business through dynamic risk profiling to achieve frictionless checkout. Imposing a ‘one size (mis)fits all’ approach to authentication will remove any competitive advantage afforded to those differentiating through cutting-edge approaches.
There are no commercial incentives for banks around PSD2. They will have to invest millions to open up their infrastructure to provide XS2A and make the myriad operational changes around pricing transparency, authentication and liability.
Once again banks are being forced to manage regulatory hurdles, rather than invest in services to boost innovation. How will they recoup these costs? They cannot, as PSD2 explicitly prohibits banks from charging third parties for access, creating a massive free rider problem as TPPs enjoy all the benefits without the costs.
And once established, PSD2 will reduce banks’ ongoing revenues. According to Accenture, UK banks could lose up to 16% of their online retail payments-based revenues by 2020 – approximately £1.45bn ($1.88bn). If combined with the recent reduction in interchange fees, customer accounts will become incredibly expensive to hold. It’s therefore highly likely that these costs will be passed to consumers.
Voices calling for the end of free banking have been growing louder in recent years. PSD2 may well be the tipping point that turns words into action. From where we stand today, far from harmonising the payments market in Europe, PSD2 is more likely to create fragmentation, inequality and complexity with the consumer paying as a result of less security, more friction and potentially higher charges.
With the voices of a few dissenters drowned out by a wave of approval, there is a major risk that instead of achieving its stated objectives to make payments more secure, boost innovation, create a level playing field and reduce the cost of payments, PSD2 will result in exactly the opposite.