Back to Basics: What is the PSD2 Story?
First published: 06/04/2022
updated: 21/10/2022
Kaity Roberts
PSD2 has undoubtedly affected the development of the Open Banking financial industry around the globe. To honour this, we kick off our first Back to Basics series by visiting the origin of SCA: the Revised Payment Services Directive 2 and its predecessor, the Payment Services Directive. While you could skip ahead and find the PSD2 SCA compliance checklist on our website, we suggest this informative read to help you understand the importance of PSD2 today and its role in the future.
What is the Revised Payment Services Directive (PSD2)?
The Revised Payment Services Directive (PSD2) is an EU Directive administered in 2015 by the European Commission. Its purpose is to regulate payment services and service providers throughout the European Union and European Economic Area. The PSD2 is an updated version of the Payment Services Directive (PSD), first released in 2007. The PSD had two key objectives:
1. To create a more integrated European payment market and
2. To make payments more secure, better protecting European consumers, especially in a digital era.
The History of PSD
PSD aimed to provide a level playing field for all financial players (not just traditional banks) by neatly organising payment providers, payment users, and consumer protection rights and obligations. As such, PSD's purpose within the payments industry was to increase European competition and non-bank participation. But for consumers, PSD's goal was to increase their rights and move toward frictionless payments. From this, we can split PSD into two main sections.
- Market Rules: describe which types of organisations could provide payment services. Outside of credit institutions, banks, and government bodies, the PSD also included electronic money institutions (EMIs) - a new category of payment institutions that emerged a few years prior.
- Business Conduct Rules: specify the information payment service institutions need to provide, including charges and transaction references. They also stipulate the rights and obligations of payment service providers and users, including how to authorise transactions and who holds liability in the case of unauthorised payments.
The History of PSD2
The primary purpose of the first PSD was to increase European competition and participation in the payments industry. When it came to its revision, the 2008 financial crisis definitely helped initiate a push. However, PSD2 ultimately resulted from some converging trends within the EU and the European Banking Authority (EBA), including a single financial market (i.e. the 1999 Euro), SecurePay, and the legalisation of web scraping-based payment services. On top of this, PSD also had some significant weaknesses, namely the security of online and mobile payments and cross-border European payment services.
Once PSD2 was on the table, two important new requirements were clear: the first was common and secure communication (CSC) between financial institutions, the second was Strong Customer Authentication (SCA) during payment transactions. However, PSD2 also allowed even more competition to enter the market via Open Banking. The result was a new type of organisation - Third Party Providers (TPPs), consisting of Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). Note: PISPs initiate account-to-account payments (a clear alternative to cards), and AISPs aggregate banking data from several bank accounts into one place.
Here’s a simple example of how Open Banking works:
Let’s say you wanted to buy a house. But instead of doing all the work yourself, you want your real estate agent to go directly to your bank and find out which loans you qualify for. Essentially, to collect financial information on you. In this scenario, there are four separate interactions:
- From your agent to the bank: hello, I am my client’s agent, and I am requesting their information.
- From the bank to you: hello account holder, an agent is requesting your information - do you give release consent?
- From you to your bank: yes, I give release consent.
- From the bank to your agent: here is your requested information.
So, how can these requests be processed and sent, and how can the sensitive information they contain be transferred safely and securely? Through the use of application programming interfaces (APIs) - the essence of Open Banking.
Back to Strong Customer Authentication
For many, Strong Customer Authentication (SCA) came onto the scene under PSD2. However, SCA was defined explicitly in the Regulatory Technical Standards (RTS), which prompted the EBA to have some strong follow-up opinions and questions. You can imagine how the SCA regulatory system became quite complex after this, with layered binding texts: first PSD2, then RTS, then the EBA opinions.
Today, market players need to meet specific requirements laid out in the RTS to comply with PSD2. The SCA aspect ensures that electronic payments are performed with multi-factor authentication (MFA) and appropriate security mechanisms to increase the security of the transaction. Before PSD2, many European countries already had ‘SCA’-qualifying physical card transactions because of their chip + PIN combo, but nothing for e-commerce or contactless card payments.
After many extensions, the last European area - the United Kingdom - reached the final deadline for SCA implementation on March 15th 2022. All issuers in the EU and EEA must now have updated payment flows on their websites and apps. If authentication is not supported, transactions will be declined.
While SCA has many good intentions, adding extra authentication measures to the checkout process also introduces additional friction. To mitigate this, some types of low-risk payments are exempt from Strong Customer Authentication requirements - but we will cover more on this topic in the next instalment of our Back to Basics series on SCA.
Can We Consider PSD the Origin of Open Banking?
Technically no, as we can trace the origins of Open Banking back to 1980s Germany. However, Open Banking often feels new as there has been little progress in the banking industry since the invention of the credit card. Even though many of our day-to-day services are evolving digitally, the banking sector is notoriously slow to make its own digital changes.
One small exception is in the United Kingdom, where CMA9 did drive a significant amount of Open Banking progression through regulation. Still, other European countries never matched the UK’s initiative, and therefore have had much slower adaptation rates. In this way, PSD and PSD2 represent an unwanted but much-needed regulation for progression for the EU as a whole.
The Future of Open Banking
Today, APIs are being used to make the data of incumbent banks available, opening the door for new payment propositions to be developed (e.g. PayPal and Klarna). Similarly, new peer-to-peer payment systems are on the rise (like Norway’s Vipps and Sweden’s Swish). If such providers can continue to overcome the challenges of two-factor authentication to create a seamless user experience, these types of platforms could grow to become the preferred, low-cost alternative to credit and debit cards.
Of course, people prefer simplicity. So if customers can gather all of their banking data in one place and interact directly with their financial products rather than going through a bank, they will. However, to achieve the right balance between ease of use and security, users need to trust new financial players and fully control their data. As such, simplifying the user experience in an Open Banking landscape will be one of the most significant focal points for improvement in the years to come.
The combination of Open Banking with PSD2 has made it much easier for new industry players to launch innovative products and services, all while transforming how banking propositions work. In the future, we see Open Banking continuing to offer creative ways to capture new customers, expand services to existing customers, and improve authentication and security worldwide. In this way, the future is undoubtedly open.
Time to Say Hello to PSD3?
Well, not exactly, as the entire industry is still digesting PSD2. In other words, don’t expect a PSD3 to be released anytime soon - at least not in the next few years. Similarly with Open Banking, although the UK has enjoyed some success with 5M users to date, the same cannot be said about continental Europe where Open Banking is still in its infancy. PSD2 has accelerated some change and created new business models through Open Banking, but for most of Europe (and even for other countries like the United States) there still is a long way to go.
One important thing to note, however, is the tremendous momentum surrounding data sharing. With Open Finance now a rising topic, PSD3 should certainly leverage data sharing and bring related innovation to more verticals than just banking and payments.
—————
This is the first of a four-part series reviewing some of the basics of SCA. Tune in next week, when we dive deeper into SCA and the role it plays in today’s financial industry.