
Will a PSD2 come to the US?

First published: 08/12/2021

updated: 21/10/2022


Open banking has gained strength over the past 18 months, ever since Europe began enforcing the Payment Services Directive 2 (PSD2). Now we are starting to watch similar initiatives pop up across the globe, all the way from Australia to Canada. But what about the (possibly biggest) payment market, the United States? Has PSD2 had any impact there, and can we expect a similar set of regulations to be implemented? 

Does PSD2 Matter for US Businesses Today?

The answer to this question is a definite yes. Although PSD2 is only enforced in the European Economic Area (EEA), it mandates Strong Customer Authentication (SCA) for all payment service providers (PSPs) doing business in the EEA. So, if you’ve got a US-based business, you’ll be affected (at minimum) in the following ways:


  • US businesses with entities in the EU/EEA: US businesses active in the EEA through a subsidiary must be PSD2 compliant and Strong Customer Authentication (SCA) enabled.

  • US-based merchants accepting payments from EEA-based customers: US-based merchants with EEA-based customers should implement 3D Secure 2 because PSD2 legislation requires it as the standard authentication method for card-based online transactions taking place in the EU region. Note: Visa announced that it will discontinue 3D Secure 1 from October 2022.

The important thing to remember is that PSD2 grants chargeback rights to EU-based payees, at least as long as they’re using an EU-based issuer. According to the EBA, if the EU-based issuer cannot technically impose the use of SCA, “the issuer shall make its own assessment whether to block the payment or be subject to the liability requirements under Article 73 vis-a-vis the payer in the event that the payment has been unauthorised”.

Unlike US-based merchants, US-based issuers have it a bit simpler; they’re not under the jurisdiction of the EU and therefore under no obligation to require SCA or offer chargebacks under the PSD2.

How is Banking Regulated in the US Anyway?

Here in Europe, we’ve gotten used to cross-country banking regulations that each country must implement. There are still many national differences, such as access to digital identities and electronic invoicing. Still, in general, banking regulation has been harmonised across the European Economic Area, first through the PSD1 in 2007, then the PSD2. 

There isn’t really any existing equivalent to the PSD2 or the European Banking Authority (EBA) in the US, as authority and regulation exist and overlap on two levels: state and federal. For example, there are some state-wide regulations, such as the California Consumer Privacy Act (which looks a bit like the GDPR), but no federal regulation that requires consumer privacy to the same extent.

Similarly, banks can be chartered either at the federal level or at the state level, where each state can have its own licensing regulation. Also, much of what Europe regulates through the EBA is, in the United States, left to big companies like EMVCo (for card-based payments).

The Impact of Politics and Philosophy

In my opinion, the USA's chances of seeing some form of PSD2-like regulation come down to the difference in political philosophy between the US and the EU. Such a difference can easily be illustrated with their respective governing constitutions: The United States Bill of Rights grants personal freedom from government interference, puts limitations on the government’s power and declares that rights not explicitly granted to the federal government by the constitution are up to the states.

Conversely, while the EU doesn’t have a constitution (a 2004 attempt was abandoned), the rights of citizens towards the government have been established through a series of treaties, the latest being the Treaty of Lisbon, which came into force in 2009. Each EU country then ratifies these treaties, and while they leave a lot of the practical aspects up to each country, the fundamental rights are universal.

An example is how the EU (through the Lisbon treaty and the Charter of Fundamental Rights) made access to healthcare a right, even when abroad. Another is how the PSD2 regulates banking across Europe: the regulation requires open banking but doesn’t specify how it’s done, as that is also left up to individual countries.

The combination of wide-reaching “federally” required rights and obligations defined in the PSD2 most likely puts a stop to a wholesale transfer of regulation such as PSD2 from Europe to the US, as it simply doesn’t fit with the framework.

Moreover, from a practical perspective, trying to regulate banking to the degree required in PSD2 might lead to 1/3rd of the states suing the government, as with the Affordable Care Act. If improving healthcare is this hard, then it is unlikely that anyone will spend significant “political capital” on something as dull as consumer rights and enhancing competition within the payment industry.

Would a PSD2 be Useful in the US?

This might be a strange question for those of you coming from the US. However, compliance with government regulation can be quite an arduous task, and even seemingly benign regulations can force individuals to follow rules that inherently limit their freedom.

On the other hand, regulations like the PSD2 make me think about the opening of the telecom markets in the 1990s and early 2000s here in Europe: we moved from mainly state-owned monopoly enterprises that rented you a phone to a dynamic market with multiple (virtual or otherwise) mobile operators. This gave us the freedom to move our phones between operators to get the best prices.

If the existing telecoms had been allowed to merge to avoid competition, we would most likely be stuck with a small cartel of Europe-wide telecom operators, successfully extracting as much profit from their European markets as possible. That’s because, much like in the banking market, the natural state of an unregulated telecom market is a few big players taking all the profit, as the existing players can set the roaming costs and interbank fees high enough to keep out any new entrants.

Judging by the latest report on the efficacy of PSD2, it seems that it has been successful. As a percentage of the total volume of transactions experienced by issuers, the average fraud rate has roughly halved between June 2020 and June 2021 and is now down to 0.06%. Recent numbers are harder to get for the US, but at least one source has the current card-not-present fraud level at 4% and a stunning 24% of transactions for Mexico. 

The cost of handling large amounts of fraud is a great reason why regulations, such as the PSD2, can be essential to the customers of the services who shoulder the cost of fighting fraud through the fees they pay. And, with payment security becoming stronger in Europe, criminals are likely to go after the easier targets, meaning that we may see even higher fraud rates in the US over time.
