PSD2 and the future of payments
Under the revised Directive on Payment Services (PSD2), which is to be implemented in January 2018, new rules designed to open access to payment account information to third parties will be introduced. Banks will need to facilitate access via an API to their customers’ accounts and provide account information to these third parties should the account holder give consent to that access.
The third parties will be providers of account information services (AIS) and providers of payment initiation services (PIS) under PSD2 and will need to be licensed as such. AIS providers will be able to extract a customer’s account information data, including transaction history and balances, while PIS providers will be able to initiate online payments to e-merchants directly from the payer’s bank account via an online portal.
Currently, banks own the customer data and this gives them a huge advantage over payment services innovators when it comes to customer loyalty and cross-selling opportunities. Payment services innovators have good, imaginative ideas but are held back by the lack of customer data. Allowing third parties access to this data will mean not only that they can provide similar services, but more importantly, new and innovative payment solutions.
As a result of this transfer, banks will lose some of their competitive advantage. By obliging banks to share customer information and access to their APIs, PSD2 risks jeopardising the customer loyalty that they currently hold.
PIS providers will be granted the tools to provide new payment options using customers’ online banking credentials and AIS providers will benefit from being able to extract and analyse customer account history. The tech giants such as Facebook, Amazon and Google (to name a few) will clearly benefit from becoming AIS providers.
This, then, presents banks with a challenge. At best, PSD2 puts at risk an important income stream for banks and at worst will relegate them to the status of a utility, acting as simple data holders. Banks need to do more than just comply with PSD2. To survive, banks will need to embrace these changes. Banks might, for example, launch their own APIs and offer innovative payment solutions and customer experiences themselves in competition with the third parties, either using their own customer data or entering into partnerships with PIS and API providers.
Challenges of delaying the Regulated Technical Standards (RTS)
Security and flexibility will be key to the success of API and PIS providers. It is important that payments are secure but in such a way that innovation is not fettered as a result.
As licensed entities the third parties will need to comply with PSD2 requirements, including those surrounding customer authentication and secure communications. The European Banking Authority (EBA) has been mandated to draft Regulated Technical Standards (RTS) to deal with these issues.
The EBA recently published its draft RTS proposals, which were met with criticism. The final RTS were due to be published in January 2017 but will now be delayed by at least three months as a result of the backlash from the industry. The EBA’s proposals were criticised as being too stringent and effectively ruled out one-click purchases, making, for example, PayPal’s method of payment no longer permissible. The EBA has indicated that it does not have capacity to deal with all of the responses to its draft RTS and publish the final RTS within the required timescale. A delay of at least three months is expected as a result.
The RTS will not come into force until 18 months after the final RTS has been published. This means that it will be in force well after the implementation of PSD2; a 9-month gap seems likely. This will create significant uncertainty and risks for clients.
Given the publication delay of the RTS, it is unlikely that the banks will be able to support open access on day one. Equally, it is difficult to see how third parties will be ready to meet the RTS requirements in time.
This is not ideal. However, it is important that sufficient time is spent balancing security and innovation. There needs to be adequate customer security and authentication, but third parties will want to use their own interfaces and be able to initiate innovative payment solutions, including the likes of one-click payments. If the security and authentication measures are too stringent, they will not be able to offer the innovative payment services PSD2 is designed to promote and the fuss surrounding open access will fizzle out. It is the customers who will lose out as a result.
Jacqui Hatfield, partner, Reed Smith