Last October, the European Parliament adopted a set of revised Payment Services Directive rules, also known as PSD2, to enhance consumer protection and data security provisions and address the role of third-party providers in the European e-commerce and mobile payment landscape.
Besides its regulatory provisions, the PSD2 protocol gives financial service companies and retailers guidance on securing and sharing their data. Many within the burgeoning peer-to-peer lending industry, both overseas and in the United States, view the directive as a welcome catalyst for increased transparency, and consequently, greater investor confidence in this sparsely regulated market.
The revamped rules must be incorporated into the national laws of the various member states of the European Union by 2018, and will ultimately likely emerge in some form in the United States as well. In addition to greater protections for consumers, the directive will look to stimulate the development of new products, services, and investment strategies within the FinTech (financial technology) arena. These revolutionary new platforms and applications will modify how financial data is secured, who has access to it, and how it is used. Besides promoting the use of mobile and online payments, FinTech also signifies a seismic shift toward open banking and in how financial regulators perceive technological innovation in finance.
Looking ahead, the impact of PSD2—both in the European Union and United States—could be profound. A PricewaterhouseCoopers analysis published last month titled “Catalyst or Threat? The Strategic Implications of PSD2 for Europe’s Banks” found 88 percent of European consumers already use third-party providers for online payments, indicating, it declares, “a large, primed base of customers for other digital banking services.”
“PSD2 imposes many new requirements (e.g. related to scope of payment services, information and cost transparency, security, innovation and competition) on financial institutions vis-à-vis the existing regulatory framework that was put in place by the first PSD (in 2009),” explains Vincent Jansen, principal at Innopay, an Amsterdam-based e-payments and FinTech product development company, in an email to New York Financial Press.
The most “hotly debated” of those requirements, he continues, are those relating to the “opening up of banks,” known as Account Servicing Payment Service Providers, or AS-PSPs, which will be mandated to grant third-party providers and FinTechs access to business and consumer payment accounts for payment and account information services. Traditionally, only banks had access to such data.
Additionally, Jansen says, the directive imposes multiple consumer protections, among these: requirements for strong customer authentication; mandates requiring AS-PSPs to immediately refund consumers for unauthorized transactions; limits on consumers’ liabilities for such transactions, from 150 EUR to 50 EUR; and protection against “lock-in” to sub-optimal payment and account information services offered by their bank.
Increased Consumer Protections
While the peer-to-peer, aka marketplace, lending industry has grown exponentially in a very short period of time—from its humble beginnings in 2005 in the UK and 2006 in the United States to an estimated $180 billion global industry today—regulation has been comparatively slim to none.
PSD2’s requirements would fill this void, mandating a host of safeguards for consumers while also increasing transparency among lenders.
A spokesperson for the Retail Financial Services and Payments Department within the Directorate-General for Financial Stability of the European Commission in Brussels outlines some of the directive's intentions in accommodating and securing the burgeoning e-commerce and digital payment world in an email to NYFP:
“On the consumers’ side, PSD2 will contribute to the reduction of charges paid for card payments,” it explains. “They will be better protected against fraud, unauthorised transactions and other abuses and payment incidents. Improved security measures will also be put in place for payment transactions. [Regarding] losses that consumers may face, the new rules streamline and further harmonise the liability rules in case of unauthorised transactions, ensuring enhanced protection of the legitimate interests of payment users.”
Consumers will be better protected in cases of direct debits where transaction amounts are not known in advance, such as car rentals or hotel bookings, the spokesperson continues. They’ll also gain a stronger position in disputes with their banks and other service providers: in such instances, the banks will now be mandated to answer any complaint in writing within 15 business days.
Regarding transfers and money remittances outside Europe or paying in non-EU currencies, consumer rights will also be increased, as the new directives also cover the “EU part” of such transactions, “contribut[ing] to better information about money remitters”—while also lowering the costs of money remittances as a result of this higher transparency, according to the statement.
The European Commission spokesperson also addresses the potential implications for peer-to-peer lending and crowdfunding, acknowledging the directive’s impact on the marketplace and its effect on transparency and the movement of capital, and stressing what PSD2 will mean for third parties acting as trustees and custodians with client monies:
“The national rules implementing the Payment Services Directive could apply to crowdfunding platforms/marketplace lending, covering the payment side of their activities, if the latter, depending on their business models, act for both the payer and the payee and handle their funds. In this case, the platforms are subject to an obligation to safeguard all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions and deposit them in a separate account in a credit institution.”
“However, the approaches to regulating the lending activity vary depending on the business models and by each Member State,” the representative adds.
“New Way Of Doing Payments”
Janis Graubins, co-founder of Notakey, a startup based in Riga, Latvia that focuses on secure mobile authentication, notarization and payments, contends the directive could revolutionize e-commerce through its encouragement of closer collaborations between banks and financial institutions and its greater security for consumers.
“PSD2 could be grounds for a new way of doing payments,” he tells NYFP via email. “Separate from PSD2, banks in Europe have been working on real-time payments between bank accounts. Currently, you can only use a credit card for that, and a transfer from bank to bank might take a long time.”
Graubins provided the above flowchart to demonstrate how PSD2 could simplify the European e-commerce landscape.
According to Graubins, one of the most effective ways the PSD2 protocol will protect consumers is by mandating stronger, two-factor authentication. In addition to traditional passwords, this authentication utilizes a second factor to authenticate transactions, such as something a customer owns and characteristics unique to them—a mobile phone, for example, or even a fingerprint. This will not only increase transparency, but ensure safer transactions for customers and cut down on fraud—which costs banks tens of billions in losses each year.
“In the future, it will change,” explains Graubins. “In order to do that in a proper way, banks first will need to agree on a common identification and authentication standard. Currently, even if the banks open their APIs, the barrier will be the different authentication solutions. For AISPs [Account Information Service Providers], they might give a token as they do not need such security. But PISPs [Payment Initiation Service Providers] will need to follow the bank’s authentication.”
Graubins believes a benchmark authentication protocol will be developed to overcome such a hurdle, particularly for integrating digital authentication between two parties.
“Eventually, of course, banks will agree on a standardized authentication solution,” he continues, “and [they] might even move into the identity management of people in the digital world. Trust and security is something banks are very good at.”
Driving Down Regulatory Costs & Opening New Markets
While some observers worry about the directive’s additional compliance and due diligence costs for small businesses, Innopay’s Jansen contends that’s not the case.
“PSD2 does not impose direct requirements on small business using payments [i.e., demand side],” he explains. “PSD2 mainly applies to the following key actors involved on the supply side: Account Servicing Payment Service Providers (AS-PSPs), which are aggregators of customer account information that allow users to utilize a single online portal to view all their payment account transaction history and balances and specialized payment service providers that seek authorization or registration under PSD2 to obtain access to payment accounts with explicit consent of payment service users.”
Jansen notes that since the PSD2 rules allow for various entities to become third-party providers, new players will be looking to enter the space. He adds that PSD2 enables Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) to be third-party providers (TPPs).
“As the names suggest, the former will be authorized to initiate payments, while the latter needs a registration to obtain access to consolidated account information,” he continues. “For PISPs and AISPs there are less-stringent license requirements vis-à-vis banks and payment institutions. PISPs will be subject to lower capital requirements, while AISPs have no capital requirements at all. They both need professional indemnity insurance instead.”
Similarly, Jansen points out that both PISPs and AISPs will not be required to put up their own funds as capital.
“These requirements will impose less impact on regulatory costs for PISPs and AISPs, making it easier for this new breed of players to enter the market with disruptive value propositions,” he says.
“The main purpose of PSD2 is essentially to respond to the technological developments unfolding within the payments and banking industry by putting in place a more effective regulatory framework,” adds Jansen. “This is expected to spur the development of the EU’s FinTech industry.”
Britain’s controversial “Brexit” vote to depart the European Union will do little to slow the inevitable shift to open banking, either, he explains:
“[This] also applies to the UK, whether it is a member of the EU or not. This is also evidenced by the UK government championing the push for open banking and Open Application Programming Interfaces (APIs). If the UK is to successfully uphold its position as FinTech capital, it must (continue to) make UK payments regulation resemble the objectives of PSD2 very closely.”
Paul Rohan, a Dublin-based researcher and management consultant in EU payment systems and payments regulations, also believes that the PSD2 directive will be a major driver for the FinTech market. Rohan, who advises payment institutions and FinTech market service providers in the EU, doesn’t think that PSD2 will revolutionize the markets overnight, but it could open the door for other opportunities, particularly when it comes to transparency.
“The peer-to-peer lending platforms could extract cash flow data from payment accounts under PSD2,” Rohan says in an email. “This would help lenders have the best possible information about borrowers. For example, the borrower on the peer-to-peer platform could be a business. There is lots of general knowledge about the business in the payment account. The amount of revenues coming into the business can be seen. The amount of profits that remain after suppliers are paid can also be seen. A lender who sees data from a payment account is in a good position to give loans.”
Rohan, who authored the book PSD2 in Plain English earlier this year, recognizes other benefits as well.
“The platforms could guide lenders to borrowers that match their appetite for risk,” he says. “The account data can be taken without a commercial contract with the account holding bank. PSD2 could increase the growth of peer-to-peer lending platforms in the EU.”
Yet despite all of PSD2’s promise, Rohan also warns that with more data comes more responsibility.
“PSD2 is a double-edged sword for innovative and nimble payments and FinTech businesses in the EU,” said Rohan. “It gives access to a treasure trove of bank data and the rights to initiate payments from bank accounts, without having to pay the bank for the privilege, although customer consent is essential. However, with these valuable rights will come obligations, in the form of licensing and supervision.”
“We could foresee the same payment methods emerging in the US,” he predicts. “The ingredients for a rival method to the card schemes are clearly visible. There are regular complaints in the US about the high level of card acceptance costs for merchants, and screen scraping of banking data with customer consent is also a contentious issue.”
“PSD2 in the EU is moving the entire industry away from screen scraping and into legally required Bank APIs. Regulators all over the world are not keen on the combined strength of VISA and Mastercard.”