PSD2 – What is it and how is it likely to affect me?
Nov 8, 2017, by Danielle Herndon
We look at the incoming Payment Services Directive and speculate on what changes the average consumer could expect.
The Second Payment Services Directive (PSD2) is a set of requirements for firms that provide payment services within the EU. Whilst these were first introduced in 2015, they must be implemented in 2018. Their goal is to make the EU’s single market fit for the digital age and improve the financial sector for the consumer.
Whilst it is difficult to speculate on exactly how things will look before knowing how the industry will respond to this change in regulation, there are certain consequences that are likely to arise. PSD2’s breadth will cause many changes, but this blog focuses on the Payment Initiation Service model, the Account Information Service model and Strong Customer Authentication as three fields that will alter financial experiences for the consumer.
Account Information Service
Leveraging the Account Information Service (AIS) model will allow third parties to extract a customer’s bank account data, including transaction history and balances. Whilst this is possible now, firms must resort to screen scraping - a clunky process that consists of navigating a user’s internet banking interface and obtaining limited details directly from the screen.
The AIS model opens up this information in a regulated and controlled manner and creates many opportunities in terms of money management. Third parties will now be able to act as an aggregator to highlight and compare options based on full and entirely accurate data.
For example, users are likely to see tools appear which, based on balance and transactions, will inform them how much they may stand to make if they invest their money with startups such as Nutmeg or Moola, or perhaps the benefits they could reap by transferring to another bank.
This type of service may well weaken banks’ relationships with their customers, as consumers will have full information as to which bank/service is best suited to them. However, this is the banking industry - it won’t go down without a fight. The business models of banks are likely to adapt to prevent their customers from adopting other services, which again is ultimately to the benefit of the consumer. First Direct have already announced a partnership with FinTech firm Bud, which will push personalised energy and broadband deals to its customers.
It should be noted that third parties having access to your bank information does not equate to a lowering of security standards or a higher level of risk. In fact, the opposite is true. Currently, the interactions between third parties and banks are not regulated, but devised on a case-by-case basis. With banks being forced to become more transparent, however, third parties will have to adhere to a certain set of standards. So whilst consumers will have access to a greater level of choice, they will also receive a higher level of protection than they currently do.
Payment Initiation Service
The Payment Initiation Service (PIS) model will allow third parties to initiate online payments to a merchant or other beneficiary directly from the payer’s bank account. So what will this look like?
Imagine you are buying something on Amazon. Currently, as a consumer, you make payments by entering your card details. But using a Payment Initiation Service Provider (PISP), Amazon will be able to create a transfer directly from your bank account. This is done by the user logging into their bank account at the checkout phase - with their details then being saved for future purchases. So instead of taking out your card and typing in the details, you will just need to verify yourself to the PISP (with your bank details already stored), which will then initiate the transfer from your bank.
Not only will the user journey be slightly different, but by not having to go through an acquirer and card scheme, payments are much less likely to be denied. At present, card schemes offer the authentication service 3-D Secure to provide an additional layer of security to payments. It provides enhanced measures in an attempt to prevent fraudulent activity, which can, however, mean payments are disrupted unnecessarily. But with the PIS model, there is no 3-D Secure equivalent. PISPs enhance security by focussing on account access - if there is greater confidence in who is making the transaction, it does not have to be screened as stringently. This policy of secure account access is known as Strong Customer Authentication (SCA).
Strong Customer Authentication
If companies wish to become a PISP or AIS Provider (AISP) they will have to comply with SCA requirements. The rules of SCA are very simple. For an online payment to be made utilising the PIS model a customer must provide two or more of the following elements: knowledge (something only the customer knows such as a password); possession (something only the customer possesses such as a secure key or specific mobile phone number) and inherence (something the customer ‘is’, such as a fingerprint or face scan). Janis Graubins of Notakey prefers to separate the categories into ‘something that can be easily guessed’, ‘something that can be left in a taxi’ and ‘something that can be chopped off’.
Blunt as it may be, the point Graubins makes is fair - none of these forms of authentication are particularly strong on their own. However, producing two out of three of these elements is far more difficult for hackers and fraudsters. So what can customers expect? It is likely that when making purchases in the future, you may need to enter a code that is texted to you by the merchant after entering your password. Certain merchants may request access to your camera for facial recognition and TouchID is likely to become even more commonplace for purchases on mobiles.
Will this make the checkout journey slower for the user? Possibly for some businesses, but with the retail industry aware that 74% of purchases are abandoned at the checkout stage, it will be keen to make SCA as smooth as possible. What can be said is that online payments will be far more secure.
PSD2 and Paybase
Along with being fully PSD2 compliant itself, Paybase offers a solution to its partners which ensures they are fully covered for the PSD2 regulation changes. But what Paybase offers goes further than this.
Along with the features already discussed, there are many more that PSD2 mandates. But what it does not mandate, in any form, is that banks or financial institutions should make the account opening process API driven. However, the Paybase Platform allows eMoney accounts to be opened quickly and easily, complementing the consumer-driven, innovative nature of PSD2.
As for SCA, requirements are still to be finalised, but Paybase can currently meet the challenge of complying with all requirements without negatively impacting user experience. Our solution allows a user to fulfil two of the three SCA elements without having to leave the app/service. There is no reason the end user will have to check a text or enter a PIN into a separate device in order to comply with SCA, meaning the user journey is not compromised in order to make way for higher security.
Firms will need to be ready for PSD2 and by partnering with Paybase they will be not only prepared but equipped to take advantage of the new changes in regulation.
As mentioned above, we should be wary of being too speculative around PSD2 at this stage. However, there are certain basic assumptions that can be made on how the regulation changes will affect the average consumer:
• AIS will inform consumers on the best services they can receive based on their balance and spending habits.
• The relationships between banks and their customers will change as banks will need to offer more in the wake of financial service aggregators.
• PIS will change the way online payments are made to many retailers, altering the payment experience with fewer payments being declined.
• Customers will be required to provide at least two elements of authentication when making payments online, which will make payments more secure.
The speed at which these changes are implemented, and the responses to these changes by banks and financial institutions, are still unknown due to the ongoing finalisation of the technical standards. Furthermore, there are many more elements of PSD2 to be explored which will have (or are already having) effects on consumers and businesses, such as reauthorisation with the FCA, IT security requirements and Open Banking. All we really know is that PSD2 is set to give the world of finance a much-needed shake-up, and should provide better services for the consumer.
For more information on how Paybase can help you with PSD2, please get in touch!