PSD2 - Part Two: Are You Sure You Know What It Means For You?
Last month, we looked at what significant changes the Revised Payment Services Directive (“PSD2”) will bring to the payments ecosystem in terms of new players, new business models, and new revenue-generating opportunities. That, however, is only half the story. So this week Mondato Insight asks, what else does PSD2 have up its sleeve for the payments industry?
Are these new transactions secure?
In order to ensure that all the services regulated by PSD2, including those of Third Party Providers (“TPPs”), are protected against fraud, loss and error, PSD2 sets out complex security measures that must be implemented both where payment providers connect with the consumer and in communications between payment providers. Entities regulated by PSD2, including TPPs, must apply “strong” customer authentication when the payer accesses their payment account online or initiates an electronic payment transaction. In essence this means a procedure whereby the payer identifies themselves using two or more independent elements drawn from the categories of knowledge (something only the payer knows), possession (something only the payer possesses) and inherence (something the payer is), independent in the sense that the compromise of one element does not compromise the others. As Neil Williams, Business Manager UK of Voice Vault put it, “If you have one super strong lock – it can be broken. If you have more locks that are not related it becomes painful and unrewarding to break. Blending biometrics with the rest of the options – have, is, know – makes it very difficult to gather all the requisite components to break the system.” Biometrics are not a required component of strong customer authentication, but PSD2 nonetheless seems likely to promote their growth.
With regard to the initiation of electronic payment transactions, authentication must additionally be dynamically linked to a specific amount and a specific payee: the authentication code generated must be specific to the amount and the payee the payer agreed to, so that when the consumer authorises a transaction they confirm both the amount to be paid and the person or entity receiving payment, and a code issued for one transaction cannot be reused to authorise a different amount or a different payee.
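To make the two requirements above concrete, the following Python is an added example, not code from the article or from any provider quoted in it. It checks that verified elements come from at least two distinct categories, and implements one common way of dynamically linking an authentication code to amount and payee: an HMAC, computed by the payer's enrolled device (the possession factor) over a canonical encoding of the transaction plus a single-use server challenge. The HMAC construction, the `PaymentAuthoriser` class, the device identifiers and the key are assumptions made for illustration; the regulation prescribes the properties, not this mechanism.

```python
"""Added example: PSD2-style strong customer authentication (SCA) checks.

Two independent factor categories, plus an authentication code that is
dynamically linked to amount and payee. All keys and transactions below
are constructed sample data; the HMAC scheme is one illustrative design.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

SCA_CATEGORIES = frozenset({"knowledge", "possession", "inherence"})


@dataclass(frozen=True)
class Factor:
    """One authentication element as categorised by PSD2."""
    category: str   # "knowledge", "possession" or "inherence"
    verified: bool  # outcome of the provider's own check of that element


def has_strong_authentication(factors):
    """True only if elements from at least two *different* categories verified.

    Two passwords are still one category; a password plus an enrolled
    device (possession) or a fingerprint (inherence) makes two.
    """
    verified = {f.category for f in factors if f.verified}
    if not verified <= SCA_CATEGORIES:
        raise ValueError(f"unknown factor category: {verified - SCA_CATEGORIES}")
    return len(verified) >= 2


def canonical_transaction(amount, currency, payee, challenge):
    """Fixed, unambiguous encoding of what the payer is asked to confirm.

    Amounts are normalised to two decimals so "10", "10.0" and "10.00" give
    the same bytes; JSON with sorted keys avoids delimiter ambiguities.
    """
    try:
        normalised = str(Decimal(str(amount)).quantize(Decimal("0.01")))
    except InvalidOperation as exc:
        raise ValueError(f"bad amount {amount!r}") from exc
    fields = {"amount": normalised, "currency": currency.upper(),
              "payee": payee, "challenge": challenge}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def authentication_code(device_key, amount, currency, payee, challenge):
    """Code produced by the possession factor (assumed: an enrolled device).

    The HMAC covers amount, currency, payee and the challenge, so changing
    any of them after the payer confirmed yields a code that fails to verify.
    """
    payload = canonical_transaction(amount, currency, payee, challenge)
    return hmac.new(device_key, payload, hashlib.sha256).hexdigest()


class PaymentAuthoriser:
    """Server side: issues single-use challenges and verifies linked codes."""

    def __init__(self, device_keys):
        self._device_keys = device_keys   # device_id -> shared key (assumed enrolment)
        self._open = {}                   # challenge -> device_id

    def start(self, device_id):
        challenge = secrets.token_hex(16)  # per-transaction nonce against replay
        self._open[challenge] = device_id
        return challenge

    def verify(self, challenge, code, amount, currency, payee):
        """Recompute the code over the transaction the server is about to execute."""
        device_id = self._open.pop(challenge, None)  # consumed even on failure
        if device_id is None:
            return False
        expected = authentication_code(self._device_keys[device_id],
                                       amount, currency, payee, challenge)
        return hmac.compare_digest(expected, code)


def demo():
    """Legitimate case and three failure cases, on constructed data."""
    device_key = b"constructed-demo-key-not-for-real-use"
    server = PaymentAuthoriser({"dev-1": device_key})
    shown = ("125.50", "EUR", "DEMO-PAYEE-A")   # what the payer saw and confirmed
    results = {}

    challenge = server.start("dev-1")
    code = authentication_code(device_key, *shown, challenge)
    results["legitimate"] = server.verify(challenge, code, *shown)
    results["replay"] = server.verify(challenge, code, *shown)   # same challenge again

    challenge = server.start("dev-1")   # attacker swaps the payee after confirmation
    code = authentication_code(device_key, *shown, challenge)
    results["payee_swapped"] = server.verify(challenge, code, "125.50", "EUR", "DEMO-PAYEE-B")

    challenge = server.start("dev-1")   # attacker raises the amount after confirmation
    code = authentication_code(device_key, *shown, challenge)
    results["amount_raised"] = server.verify(challenge, code, "1255.00", "EUR", "DEMO-PAYEE-A")
    return results


if __name__ == "__main__":
    print(demo())
```

The point a reviewer would check is in `verify`: the server recomputes the code over the transaction it is about to execute, not over whatever the client claims was displayed, so a man-in-the-browser that edits the payee or amount between confirmation and submission produces a mismatch. The challenge is popped before the comparison so a captured code cannot be replayed even against the original details.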
This is likely to be a windfall for IT security providers (especially those specialising in mobile authentication solutions), and obviously ups the ante on a provider’s security obligations and thus may raise barriers to entry to the ecosystem for new players. Clive Bourke, President EMEA & APAC of DAON, told Mondato Insight that PSD2 is causing people to re-examine what they are doing, particularly as many assume they are already providing strong authentication. Banks will have to overcome “a lot of inertia about existing mechanisms. Because banks are competing at service more than anything else they will have to examine not just what is the best practice but also what does the future look like?”
Mr. Bourke’s colleague, Ruth O’Toole, DAON’s Legal Counsel, noted that the extent to which regulators provide technical standards could determine who emerges as a winner. PSD2 introduces a liability shift: providers who fail to apply strong customer authentication will now bear the loss from the resulting unauthorised transaction, in contrast to the current card scheme rules on “card not present” transactions, under which the e-merchant bears the loss resulting from a failure to authenticate. Merchants two; banks and other providers, nil.
Extending geographical reach – into your back yard?
Another hidden change with consequential impact is PSD2’s increased geographical scope: a number of obligations, including those on information and transparency, now apply to “one leg” transactions (payments to and from third countries where only one of the payment service providers is located in the EU) as well as to transactions in non-EU currencies within the EU.
This extension has implications for banks and other payment providers located outside the EU that were previously outside the scope of regulation, in particular global money remitters. In practice, these entities must now provide consumers with information on fees and other conditions for these international payments, at least in respect of their own part of the transaction, and can accordingly be held liable for their part of the payment transaction (enter the security considerations discussed above).
Cap those surcharges
Adding insult to injury for card schemes, PSD2 also re-shapes the surcharging of payment cards, forbidding merchants from surcharging cards that are subject to interchange caps under the Interchange Fee Regulation (four-party schemes such as Visa and MasterCard), while other cards (three-party schemes such as American Express and Diners Club) can still be surcharged under certain conditions. This is the Commission’s attempt to close a loophole around the Interchange Fee Regulation and is not revolutionary on its own, but the cap in and of itself will challenge the business models of issuers and acquirers, both of which will need to review them, including potentially increased card fees and market segmentation.
And for those who thought they were safe in the water…
There are also companies that are likely to be unhappy to be entering the orbit of PSD2, such as MNOs and e-trading platforms. Until recently, these companies benefited from large and, in certain cases vague, exemptions under PSD1. These exclusions have now been tightened due to perceived abuses, uncertainties and ambiguous application, to the dismay of some formerly-exempt players.
PSD1 contained a ‘commercial agent exemption’ that electronic trading platforms and some e-commerce platforms handling payment transactions on behalf of both individual buyers and sellers relied upon to avoid the remit of the directive. This exemption has now been limited to commercial agents acting on behalf of either the payer or the payee, but not both, in order to address the divergent interpretations taken by some Member States. It now threatens the business models of certain “marketplace” platforms, such as eBay or Etsy, where the platform acts on behalf of both the buyer and the seller and which have until now escaped PSD regulation.
Under PSD1, payment transactions executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, are outside the scope, provided that the telecommunication, digital or IT operator does not act only as an intermediary between the payment service user and the supplier of the goods and services.
This “MNO exemption” has changed significantly under PSD2: the exclusion now applies only if the operator accepts low-value payments (individual transactions below €50, with a monthly cap of €300 per consumer) for digital content and voice-based services. Given that some digital content is priced above these thresholds (such as professional editing software or photo-treatment apps) and some customers may want to spend more than €300 per month on games and the like, this leaves MNOs in a quandary: limit their offerings and risk customer abandonment, or bite the bullet and become regulated (which in essence is what PSD2 is pushing for).
Gerry Tucker, CFO of Bango, a direct carrier billing provider, told Mondato Insight he believed that MNOs may be reluctant to fall under the directive’s aegis if margins are small. “They are quite heavily regulated and need to do certain things to keep their licenses,” he observed. “Being a payment service provider provides yet another layer of regulation. Do they want to add that extra cost?”
From compliance to catalyst
In Part One, we saw that PSD2 is attempting to create a level playing field for third party and alternative payment providers by opening up access to bank accounts, and opening up consumers’ data along with them. This on its own has the potential to upend the payments industry, although banks are likely to reconcile themselves quickly to the new realities in a manner that preserves their margins. For all the talk we have heard about ‘big data’, here is one instance of ‘little data’ holding the key to what could be a paradigm shift in how retail payments are processed in the world’s largest single market. This, of course, comes with a heavier regulatory (and moral?) burden on banks and TPPs to keep that data safe and the consumer informed. And that, of course, comes at a cost which will inevitably be borne by the consumer.
Nevertheless, PSD2 is not just another compliance-heavy directive that will require back office and IT implementation. It is a catalyst for disruption of the payments ecosystem by technologically-advanced and consumer-friendly service providers, and its scope is broader than ever. This is the moment for banks, card schemes and institutional players to take notice, before they get swept aside, Christensen style…