After months of preparation across the continent, the revised Payment Services Directive has come into effect. Whilst its impact may not be immediate, the effects will be wide-reaching for banks and corporates alike.
On 13 January 2018, the second Payment Services Directive (PSD2) officially came into force across Europe. PSD2 follows on from PSD1, which went live in 2009, and in fact replaces it in its entirety. PSD2 is a broad-reaching piece of legislation and aims to bring about increased competition, greater transparency and security across the European payments landscape.
The key areas of change are as follows:
- Expand the scope of payments to include non-EEA currencies for intra-EEA payments and so-called ‘One Leg Out’ transactions (i.e. payments into and/or out of the EEA)
- Mandate the use of the SHA charging option for all intra-EEA payments, irrespective of currency
- Standardise complaint handling
- Set minimum standards for Strong Customer Authentication
- Allow third party providers to enter the market as Payment Initiation Service Providers and/or Account Information Service Providers to pave the way for Open Banking.
Capturing a broader scope of payments
One of the fundamental changes is the increased scope of payments. Previously, PSD1 only regulated payments within the EEA and in member state currencies (e.g. GBP, EUR, PLN). This will change with PSD2 to cover any currency for payments within the EU/EEA, as well as payments both to and from non-EU/EEA countries.
Effectively, we will have three categories of payments for PSD2:
- Payments in EU/EEA member state currencies where both the Sending and Beneficiary Banks are based in the EU/EEA
- Payments in non-EU/EEA member state currencies where both the Sending and Beneficiary Banks are based in the EU/EEA
- Payments where the Sending Bank or the Beneficiary Bank is based in the EU/EEA, irrespective of the currency. These are commonly called ‘One Leg Out’ transactions.
Each payment category carries a different level of requirements and obligations, and these reduce as you move down the list.
One important consideration is the change to the SHA charging option. All intra-EEA transactions can only use the SHA charging option (sender pays their bank’s charges and the beneficiary pays their bank’s charges), irrespective of the currency. Whilst this is already in place for certain intra-EEA payments today, the use of the OUR charging option (sender pays all bank charges) for FX-linked transactions will no longer be available. This has clear implications for certain payment types.
How complaints are handled
PSD2 looks to harmonise how complaints are processed and managed:
- PSD2-related complaints must be dealt with within a maximum timeframe of 15 business days
- This may be extended to 35 business days where an answer cannot be provided due to reasons outside of direct control.
Requirement for Strong Customer Authentication
A key requirement of PSD2 is to ensure that adequate security protocols are in place to authenticate clients when they use online platforms and services. These requirements are specifically linked to the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication, which are expected to go live by September 2019. At a high level, payments must be authorised using at least 2 of the following authentication factors:
- Knowledge (something only the user knows) – for example, a password
- Possession (something only the user possesses) – for example, a smartcard
- Inherence (something only the user is) – for example, a biometric fingerprint.
Third Party Access and Open Banking
The area creating the most buzz is the new Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP) business models. These models will allow new entrants to come into the market and provide value-added services to corporates. Banks are obligated to provide open access to accounts for these new players (this is commonly called Open Banking). Of course, there is nothing preventing banks themselves becoming PISPs and AISPs (and, to a certain extent, some banks do this already).
Payment Initiation Service Providers (PISPs)
This new business model allows a PISP to initiate payments from a client’s bank account. Effectively, PISPs will sit in between the traditional client/bank relationship to facilitate the movement of funds. For many years, banks have had the capability to act as a PISP for clients. This capability stems from the fact that larger corporate clients are usually multi-banked, and that banks utilise the SWIFT MT101 ‘Request for Transfer’ service. This service allows a corporate client to initiate a payment from their account held with another bank.
The introduction of PSD2 will allow non-bank entities to become a PISP and replicate this functionality. Of course, all this can only be implemented with the client’s explicit permission and consent.
A PISP may be a bank or another non-bank institution and both must be registered by the local regulatory body. A non-bank PISP will naturally act as an intermediary between the client and its bank. The types of organisation that will play in this space remain to be seen, but you can expect banks, FinTechs, online retailers, accounting platforms, challenger banks and other payment service providers to be active in this field. The aim is to stimulate competition in the European community and allow clients to have a wider choice of provider when initiating payments.
Account Information Service Providers (AISPs)
This new business model allows an AISP to aggregate balance and transactional information from clients’ bank accounts. Again, an AISP will sit in between the traditional client/bank relationship in the provision of basic balance and statement information.
In the same way that banks have historically provided a PISP service, they have also provided AISP services for many years. Banks have been using SWIFT MT940/MT942 messages to exchange balance and transactional data between banks on behalf of their respective clients. PSD2 now allows non-bank institutions to replicate this functionality by becoming an AISP. As with the SWIFT service, this can only be implemented with the client’s explicit permission and consent.
Similar to a PISP, an AISP can be a bank or a non-bank institution and will be regulated accordingly. We will probably see the same types of organisations becoming AISPs and some will combine the services of both a PISP and an AISP. Of course, this may provide further stimulus to the European community as new ‘value-added services’ will be created alongside these standard solutions.
What will PSD2 bring us in 2018?
These new models provide both a threat and an opportunity to the existing banking franchise. New entrants will relish the opportunity that PSD2 brings; we already have many organisations that operate in the PISP and AISP space today and this will only increase. All participants will be keeping a close eye on the European landscape to see how Open Banking evolves, identifying new opportunities and challenges.
To find out more about the current and future timelines for PSD2, see the Roadmap to PSD2 Infographic.