If there was one protagonist at this year’s European Payment Summit in The Hague last month, it was without a doubt the Second Payments Services Directive (PSD2) and, more specifically, its Strong Customer Authentication (SCA) requirements, which will go into effect on 14 September 2019.
The original PSD was created in 2007 by the European Commission with the aim to create a single market for payments in the European Economic Area. After ten years, the needs and capabilities of the market had changed so much that it was time for an update on the existing regulations. The process wasn’t an easy one; the proposal for review, made in 2013, was accepted in late 2015 and the final directive was published only in 2017.
Although regulations might rarely be associated with innovation, that is not the case for PSD2. In fact, the directive’s objective was to drive competition between European banks and new payment service providers.
Under PSD2 bank customers can choose to use third-party providers to manage their finances and banks are obligated to provide access to their customers’ accounts through open Application Program Interfaces (APIs). Each third-party provider is classified as either an AISP (Account Information Service Provider) or a PISP (Payment Initiation Service Provider).
AISPs have access to the account information of bank customers, which, for example, they can use to analyse spending behaviours and help with budgeting.
PISPs, on the other hand, initiate a payment on behalf of the user without the need to provide credit card details with each transaction. PISPs are able to withdraw the money directly from a user’s account if they had previously given their consent.
STRONG CUSTOMER AUTHENTICATION
One of the most important changes for organisations’ compliance processes refers to Strong Customer Authentication (SCA), which will come into force as of 14 September 2019, as stated in the European Banking Authority’s Regulatory Technical Standards (RTS).
To comply with the SCA requirement, payment transactions processed within the EU – excluding a restricted number of exceptions to allow for “frictionless flow” – will need for the customer’s identity to be verified using at least 2 of the following:
- Something the user KNOWS (e.g. password, pin)
- Something the user HAS (e.g. ID card, mobile phone)
- Something the user IS (e.g. biometrics)
PSD2 has the potential to have a sensible impact on the payments sector as a whole. By advancing open banking across Europe, it is likely to create an environment where banking as we know it might change drastically. According to a PwC study, 2 out of 3 European banks intend to use PSD2 to change their strategy, with the majority of European banking executives saying that PSD2 will impact all of their core banking operations.
RISING COMPLIANCE COSTS
The consequences of the regulation for banks’ compliance teams are not to be underestimated. As an example, a large European bank with a global presence recently estimated its PSD2 compliance costs at around €35 million, plus another €15 million for expenses not related to compliance specifically, such as the ones connected to gaining third-party provider status.
One of the specific requirements that are certainly keeping compliance teams – and their IT departments – busy is the one of Strong Customer Authentication.
Any organisation in the e-commerce and payments space has to review their existing systems to include SCA methods, but without sacrificing the smooth digital experience that customers have now come to expect.
The new requirements also have clear implications for the KYC process. We expect more and more organisations to start combining the traditional collection of KYC information and the set-up of multi-factor authentication credentials within the same digital journey. This would help ensure optimal customer experiences and reduce the risk of drop-offs if the customer onboarding journey is divided into multiple steps, at different times.
Those payment service providers able to find the least intrusive formula for SCA are likely to reap huge benefits in this phase. At the same time, although it might take a while for consumers to get used to multi-factor authentication, the need for measures to prevent card fraud – which is estimated to reach $31.67 billion in 2020 from $16.31 billion in 2015 – is hard to deny.