By Neil Smith, Head of Issuer Sales & Partnerships, EMEA and APAC at Verifi
It seems that there is always a new, disposable buzzword being thrown around in the finance sector, but PSD2 is definitely not one of them. The introduction of this new financial regulation is a rare example of one whose impact will be felt extensively across Europe’s financial services industry.
Building on the foundation of the first Payment Services Directive (PSD), which was originally adopted in 2009, PSD2 aims to better protect consumers when they pay online, promote the development and innovation of online and mobile payments including open banking, and make cross-border European payment services safer.
By September 2019, all companies within the EU must adopt the new regulations, which will also lower fees for payment services while encouraging more frictionless payment methods, such as mobile, voice, and fixed internet payment services.
While frictionless payments and greater choice are obvious benefits to customers, fighting fraud is the most urgent issue facing issuers and merchants. In the UK alone, almost three-quarters of a billion pounds were lost to financial fraud across payment cards, remote banking, and cheques in 2018, according to UK Finance.
More specifically, the Home Office and its National Audit Office found that between 2011 and 2016 there were 1.4 million incidents of card-not-present (CNP) fraud. The Home Office has said that by 2019 it “wanted to see a very significant reduction” in CNP fraud, even though it has not been able to quantify what reduction will meet its expectations because “it depends on the solutions.”
Can PSD2 be the solution that the Home Office is waiting for? Broadly speaking, the answer is yes. Customer security is one of the cornerstones of PSD2, requiring merchants to implement strong customer authentication (SCA), such as two-factor authentication (2FA), to verify transactions.
PSD2 and merchants
Merchants will now be able to take online or mobile payments by drawing directly from a customer’s bank account. Since merchants will be able to securely access the customer’s bank account for payment, complex authentication processes at checkout might no longer exist nor be easily circumvented by fraudsters.
Both Visa and Mastercard are strongly encouraging banks and merchants to implement 3-D Secure 2.0, which allows biometric authentication and meets the requirements of PSD2. In 2019, Mastercard will dictate that merchants must use biometric authentication, known as Mastercard Identity Check. In fact, both Mastercard and Visa will mandate 3DS 2.0 on a market-by-market basis, which will force merchants to support 3DS 2.0.
The time for processing customer complaints has also been cut from eight weeks to 15 business days, so we can expect increased pressure on the chargeback process.
PSD2 introduces opportunities for new payment initiation service providers (PISPs) to bring products to market. With PISPs, customers have the option to make payments direct from their bank accounts, rather than using a credit or debit card as an intermediary. This means that they lose the protection that their card schemes afford them, so PSD2 provides protections to tip the scales in their favour, including:
- Legislation around the unconditional refund right which applies under the SEPA Core Direct Debit scheme
- With regards to pre-authorisation of card payments, when the final amount is unknown in advance, the payee will only be able to ‘ring-fence’ funds on the payer’s account when the cardholder has approved the exact amount to be blocked
- Payment Service Providers must introduce dispute resolution procedures and will be required to respond to payment complaints within 15 business days of receipt
- Member States are required to designate competent authorities to ensure and monitor compliance with PSD2 – this is the FCA in the UK
Retailers also will not be able to enforce a contract term requiring payment of a banned surcharge. In fact, they must repay it. This could well lead to customers initiating chargebacks for the excess amounts via their card issuer. Can we then expect an increase in chargebacks? As the Home Office insinuates, only time will tell.
PSD2 and acquirers
For remote electronic card payments, acquirers can avoid using SCA if their fraud rate (unauthorised transactions/total transactions) is below certain thresholds. For transactions up to €100, frictionless flow is allowed if the acquirer’s fraud rate is less than 0.13%; for amounts up to €250, the acquirer’s fraud rate must be less than 0.06%; while transactions up to €500 require a fraud rate that is less than 0.01%.
These are certainly stringent requirements and achieving such low rates of fraud can be a challenge for many acquirers that lack the purchase details needed to legitimise the transaction. Therefore, acquirers cannot easily discern “friendly” fraud from “true” fraud. Since only “true” fraud will be used to determine fraud rate, distinguishing “friendly” fraud from “true” fraud will be essential practice, since higher fraud rates will likely result in an increase in SCA demand and decrease the conversion rate for merchants.
If the acquirer uses a Transaction Risk Assessment (TRA) exemption, they have not attempted to validate with the issuer, but instead have opted to conduct their own risk analysis on whether the transaction was performed by the cardholder. As such, if the transaction is disputed, the liability is with the acquirer since they have not asked the issuer for this additional level of validation.
PSD2 and the industry
Card brands such as Mastercard, Visa and American Express have already made great strides towards implementing PSD2. Mastercard has already set out concrete plans for what it calls a “world, not only beyond cash, but beyond cards as well” with Mastercard Send, an account-to-account transfer service that does not use its traditional card processing system.
But card issuers are only one side of the coin. Given the rapidly approaching PSD2 deadline, the entire payments industry needs to urgently double down on its efforts to improve education and collaboration. From the issuers’ side, it is very important to implement all the exemptions to help customers smooth their transactions.
Implemented correctly, PSD2 will completely change customers’ relationships with their money, through a multitude of new services including personalised financial dashboards, lifestyle payment apps, and uniquely tailored financial products and services for each customer.
This is a unique opportunity for the payments industry to make a drastic change to the way it operates, and it cannot afford to miss it. Ensuring that all involved know and understand the revolutionary potential that PSD2 can provide is paramount. This regulation will impact all parties involved in payments, from sharing the data of those customers that consent with authorised third parties to delivering more vigorous safeguards against fraud; it’s a win-win for everyone.