Everything you need to know about PSD2 but were afraid to ask…
Just in time for Christmas, the Revised Payment Services Directive (or “PSD2” for short) was published in the Official Journal of the EU on 23 December 2015, meaning that as of January 12th PSD2 has entered into force in the European Union, and will need to be transposed into national legislation by 13 January 2018. While the various EU governments are busy figuring out how to implement this mammoth 90+ page directive, you may be asking yourself what changes PSD2 will bring to the mobile payments ecosystem and to your business in particular.
With this in mind, over the next few weeks Mondato Insight will be bringing you two blog posts that together make our Mondato “cheat sheet” for navigating your way around PSD2. In Part 2 we will look at the new security requirements that are demanded by PSD2, and the broader compliance issues that arise in connection with it. But this week, we kick off our analysis with a high-level look at the main changes that are being put in place, and identify potential business opportunities that may render this compliance nightmare more of a payments goldmine.
You’ll be meeting new competitors
The original Payment Services Directive (or “PSD1” for short), issued in 2007, regulates payment services to a lower standard than banking licenses, with banks, credit institutions, post office giros, e-money issuers, and payment system providers (which include big guns such as PayPal and WorldPay), as well as money transfer businesses being the main focus. Due to the subsequent rise of FinTech, many payments-related services have since appeared that, until recently, were outside the ambit of the PSD1 and thus were not regulated.
In order to put everyone on equal footing, the PSD2 now includes two new types of payment services - payment initiation services (“PIS”) and account information services (“AIS”). PISs offered by the likes of Sofort in Germany, iDEAL in the Netherlands, and Trustly in Sweden allow consumers to make payments from their bank accounts directly to an online merchant, typically by establishing an electronic payment link between the payer and the merchant via the payer’s online banking module. AISs, on the other hand, provide customers with online consolidated information about their different payment accounts, offering consumers a global view of their financial situation and allowing them to analyse their spending patterns, expenses, and financial needs in an intelligible manner – similar to the US’s Mint.com.
Although these “third party providers” (“TPP”s) now have new compliance duties of consumer disclosure, transparency and security, they have also obtained the right to access credit institutions' payment accounts services in an objective, non-discriminatory and proportionate manner (this is the Commission’s attempt to stop the blocking of bank account access of money remitters), and, more controversially, the right to limited access to data in the bank accounts of payers who provide their consent. In particular, PIS providers will be able to receive information from the payer's bank on the availability of funds (a yes/no answer) on the account before initiating the payment (with the explicit consent of the payer), and AIS providers will receive information explicitly consented to by the consumer, but only to the extent necessary for the service provided to the consumer.
This access to account data (or XS2A) is what everyone is fretting about, as it positions TPPs as forces in the payments ecosystem, given their consumer-focused strategies and their opportunity to strategically capitalize on the resulting business model revolution.
Will the payment business model do a 180°?
For consumers, online payments seem fairly simple - if you wanted to use your debit card to buy an airline ticket to the Maldives online, you would simply input your card details into the airline website and presto, your ticket would be issued. Behind the scenes, however, there are several intermediaries involved in the transaction - Maldivian will be using a merchant acquirer (e.g. WorldPay) who communicates with the consumer’s debit card scheme (e.g. Visa or AMEX), and the card scheme will debit or “pull” money from the consumer’s bank account to credit Maldivian with the payment (for a neat diagram see here).
PSD2 revolutionizes this process, as it now allows a merchant, such as an airline, to communicate via an open Application Programming Interface (API) either directly with the payer’s bank or via a third party payment initiator, effectively cutting out the merchant’s acquiring bank and the card schemes. Thus online payments are moving to a new “push” model (taking money from a customer account via APIs and then transferring it to a merchant account), in contrast with the current “pull” model of credit card systems (merchants 'calling' for payments via a card scheme).
No matter how you look at it, this is disruptive stuff, and it will be piloted by the European Banking Authority (EBA), which is in charge of defining the Regulatory Technical Standards that all such APIs will need to comply with. Clearly the rise of an alternative payment business model threatens the disintermediation of all those classic third-party payment intermediaries, to the benefit of the merchant and possibly (if the savings are passed on) to the consumer. So banks and card schemes are right to be shaking in their boots.
Your data just got more valuable
Yet beyond the cutting out of the middle men in certain online purchases, what probably threatens the payment establishment more is that these new entrants will be able to access valuable consumer information and leverage it to offer consumers value-adds that banks and other financial institutions are not currently in a position to provide.
Banks, with their detailed and rich data on each customer’s purchases, transfers and mortgage repayments, are sitting on a goldmine of information that could be used to calculate in real-time the credit risk of a particular individual – as well as identify their marketing likes and dislikes, asset worth, etc. But currently, unless a bank obtains explicit consent from their customers to use this data for ancillary services such as marketing, banks are limited in using the data only to provide the specific banking services the customer has signed up for.
TPPs, however, can obtain consent upfront from a customer to use the data for a benchmarking pricing comparison of insurance rates, bank fees or some other such service. From this, not only does the TPP gain valuable screen visibility with the customer, but it can now offer a new, valuable service that banks can only dream of – unless the latter are able to rejig their customer offerings to emulate these TPPs. Of course the TPPs need to convince consumers to trust them with their data, and that is where banks have an ace up their sleeve, especially in Europe, where there are strong data privacy concerns. But herein lies a strong business opportunity: banks need to seriously consider partnering with user-friendly TPPs to propose competitive joint offerings that have the backing of a bank’s reputation while retaining the agility and innovative spirit of these consumer-friendly start-ups.
For those involved in the payments space, PSD2 necessitates a complete rethink about strategy and planning, at least as far as the old certainties about who would be at the center of the payment process are concerned. Much of the current panic, however, is likely to subside as established players come to terms with the new landscape and adapt (and acquire) their way to stability. In the longer term, however, the opening up of consumer data is likely to be the most significant element of this payments revolution, and will significantly alter the arrangement of incentives and penalties across the ecosystem. How to keep all that data safe, and other ancillary security-related matters, will be the subject of Part 2 of this post in a few weeks.