John Harvie, Director at Protiviti
Hiding behind the four characters PSD2 is perhaps one of the most exciting opportunities in a generation to reform the way that goods and services are bought and paid for. The second payment services directive has the potential to create a ripple effect that could change the entire financial services market. Following on from its predecessor (PSD1), this far-sighted piece of European regulation creates a new set of rules, structures and technical standards that are designed to lower the frictional costs associated with trade in the European Economic Area, reduce dependency on structures owned and controlled by those with vested interests in the status quo, and increase levels of competition.
Like any good piece of regulation, PSD2 is disruptive but at the same time opens up a world of opportunity to those that are willing and able to grasp it. PSD2 introduces a number of key reforms. First, it defines new types of regulated entity:
- Account Servicing Payment Services Providers (AS PSP) that provide and maintain payment accounts (i.e. the role played by traditional banks today).
- Payment Initiation Service Providers (PISP) that initiate a payment from an account at the request of a customer.
- Account Information Service Providers (AISP) that consolidate information across one or more payment accounts, held at one or more AS PSP.
Under PSD2, with the permission of customers, firms will be able to directly and electronically instruct a bank to make a payment from a customer’s payment account to a third-party bank account.
Again, with permission, a firm will be able to extract data from a payment account to enable it to offer a range of value added services.
PSD2 extends the scope of its predecessor directive to payments in all currencies, and to payments where only one provider is located in the EU/European Economic Area (EEA).
The directive introduces a new technical standard for payment account access and customer authentication that will be implemented through an application programme interface (API). PSD2 APIs must be made available free of charge to any API developer. All banks in the EU will therefore be required to have APIs available that conform to the PSD2 standards.
Although this all sounds quite dry, the implications are quite profound:
- The institutions and associated infrastructure that for decades have controlled the way payments occur (card-based schemes including VISA and Mastercard, for example) no longer have a monopoly. This creates the opportunity to generate more competition, increase levels of innovation and reduce the costs associated with payments.
- Secure but open access to payment accounts will be enabled by accepted and regulated standards. This opens up the potential for new types of financial services that use the data held within payment accounts to the benefit of the customer (consumer or business). These new services could involve:
  - Account aggregation, which provides an overview of all accounts held by one customer across different institutions, all without using the clumsy, insecure and ineffective methods available today.
  - Automated balance sweeping across multiple accounts to maximise interest payments and minimise debit balances.
  - “Market place” banks that offer best-of-breed or lowest cost services for loans, overdrafts, foreign currency transfers, etc., transparently to the customer.
  - Credit decisions can be based on actual data by any institution and not just the institution currently providing bank account services. This could have the effect of increasing choice and competition.
  - Payment facilities for the “internet of things.” A fridge that has direct access to make payments on a customer’s behalf to replenish groceries, for example, or a car that can pay for fuel or a recharge without the customer leaving the vehicle.
  - Automated best price advice can be provided based on actual spend data. For example, if a family is paying £100 per month for mobile phone use then the service can shop for a better deal for the customer and present the offer at an appropriate time.
  - Improved services to business customers to help identify payments that are made in error, duplicate payments, etc.
There will be winners and losers as a consequence of PSD2. Potentially the biggest winners will be the consumers and SMEs making and receiving payments within the European Economic Area. The hope is that costs should come down as competition increases, more choice will be available and value will improve. New services can be created that serve the interests of the customers rather than the interests of the institutions with which they currently bank. In the context of Brexit, it seems unlikely that the UK Government will not wish to pursue PSD2 with equal vigour to European counterparts.
PSD2 has the potential to disrupt the earnings potential of banks that only act as ASPSPs. These banks will have to offer valuable data and processes to others without any guarantee of a commercial return. A bank that fails to respond to the opportunities of PSD2 could be disintermediated and relegated to a simple deposit holder with all the value added services stripped away along with the profits they bring. PSD2 is likely to force banks to innovate to take a position within the emerging API economy that PSD2 creates.
Card schemes and merchant acquirers will see new types of competition with potentially lower costs. This may drive down costs and introduce a much more innovative and dynamic payments landscape.
PSD2 is not without its risks, however, and the risks are perceived differently by the multiple parties impacted by the directive. Going into these risks in detail lies beyond the scope of this paper, but one of the most significant risks revolves around the opening up of customer accounts and the use of the associated data. The technical standards brought about by PSD2 seek to make this as secure as possible; however, this has a downside, as it requires stronger authentication at the point of sale, which potentially disrupts the customer experience and slows down or stops payment altogether. These issues are not new. This is the reason why historically petrol stations had limits of £50 per transaction. Before network technology was sufficiently advanced, this was the sum that was permissible without having to centrally authenticate the transaction, and the limit was set to ensure the customer did not experience frustration and inconvenience and the filling station did not lose business and suffer from long queues. The European Banking Agency’s decision to relax the technical standards for payments under €10 goes some way towards addressing this risk. However, the real challenge lies in the implementation of the technical standards, and this is where the software engineers building the APIs need to think carefully about the customer experience as well as the security requirements.