If there was one protagonist at the European Payment Summit 2019 in The Hague, it was without a doubt the Second Payments Services Directive (PSD2) and, more specifically, its Strong Customer Authentication (SCA) requirements, which then went into effect on 14 September 2019.
The original PSD was created in 2007 by the European Commission with the aim to create a single market for payments in the European Economic Area. After ten years, the needs and capabilities of the market had changed so much that it was time for an update on the existing regulations. The process wasn’t an easy one; the proposal for review, made in 2013, was accepted in late 2015 and the final directive was published only in 2017.
Although regulations might rarely be associated with innovation, that is not the case for PSD2. In fact, the directive’s objective was to drive competition between European banks and new payment service providers.
Under PSD2 bank customers can choose to use third-party providers to manage their finances and banks are obligated to provide access to their customers’ accounts through open Application Program Interfaces (APIs). Each third-party provider is classified as either an AISP (Account Information Service Provider) or a PISP (Payment Initiation Service Provider).
AISPs have access to the account information of bank customers, which, for example, they can use to analyse spending behaviours and help with budgeting.
PISPs, on the other hand, initiate a payment on behalf of the user without the need to provide credit card details with each transaction. PISPs are able to withdraw money directly from a user’s account if they had previously given their consent.
STRONG CUSTOMER AUTHENTICATION
One of the most important changes for organisations’ compliance processes refers to Strong Customer Authentication (SCA), which came into force on 14 September 2019.
To comply with the SCA requirement, payment transactions processed within the EU – excluding a restricted number of exceptions to allow for “frictionless flow” – need for the customer’s identity to be verified using at least 2 of the following:
- Something the user KNOWS (e.g. password, pin)
- Something the user HAS (e.g. ID card, mobile phone)
- Something the user IS (e.g. biometrics)
PSD2 has had a sensible impact on the payments sector as a whole. By advancing open banking across Europe, it is creating an environment where banking as we know it is beginning to change drastically. According to a PwC study, 2 out of 3 European banks intend to use PSD2 to change their strategy, with the majority of European banking executives saying that PSD2 will impact all of their core banking operations.
RISING COMPLIANCE COSTS
The consequences of the regulation for banks’ compliance teams are not to be underestimated. As an example, a large European bank with a global presence recently estimated its PSD2 compliance costs at around €35 million, plus another €15 million for expenses not related to compliance specifically, such as the ones connected to gaining third-party provider status.
One of the specific requirements that are certainly keeping compliance teams – and their IT departments – busy is Strong Customer Authentication.
Any organisation in the e-commerce and payments space has to review their existing systems to include SCA methods, but without sacrificing the smooth digital experience that customers have now come to expect.
The new requirements also have clear implications for the KYC process. More and more organisations have started combining the traditional collection of KYC information and the set-up of multi-factor authentication credentials within the same digital journey. This approach helps ensure optimal customer experiences and reduce the risk of drop-offs if the customer onboarding journey is divided into multiple steps, at different times.
Those payment service providers able to find the least intrusive formula for SCA are likely to reap huge benefits against their competitors. At the same time, although it might take a while for consumers to get used to multi-factor authentication, the need for measures to prevent card fraud – which is estimated to reach $31.67 billion in 2020 from $16.31 billion in 2015 – is hard to deny.
Last updated on May 22nd, 2023 at 12:44 am