What is this whole fuss all about? Simply put, PSD2 is a directive whose aim is to regulate payment services and providers. The general rule is that third-party providers (TPPs) should be given access to any services available through banks’ online applications.
Announced in 2016, the EU’s Payment Service Directive 2 marks the introduction of open banking APIs across the European market. This enables third parties to initiate transfers and access clients’ bank accounts. The new regulations are a response to the expected progress of the financial industry.
Before we focus on PSD2, let’s talk a bit about the General Data Protection Regulation (GDPR). The two might seem unconnected at first glance, but they have one thing in common – their aim is to better protect customer data. Introduced in May 2018, GDPR is a game-changing data privacy law. Failure to comply with its requirements is subject to rather heavy fines: up to €10,000,000 for less severe breaches and, in much more serious cases, up to €20,000,000 or 4% of a company’s annual revenue, whichever is greater.
GDPR’s key principles are still consistent with the 1995 law; however, several changes make the new regulations better suited to today’s digital reality. These include expanding beyond the EU, prohibiting card surcharges, improving the security of online payments and accounts, and many more. Unfortunately, most companies still struggle with data storage, sharing and protection.
According to a report prepared by PSD2 Tracker in January, more than 56% of the UK-based companies surveyed admitted that their reputation might be tarnished if they do not comply with GDPR. Some of them still use old-fashioned methods of storing data, which are unsafe and may expose customers’ details. GDPR demands a high standard for the type of consent required to process personal data. PSD2, on the other hand, does not offer a separate definition of consent. Companies applying PSD2 don’t always need a separate GDPR analysis, though, as not all payment data is automatically personal data.
The new chapter in banking
PSD2 happened really quickly, indeed! Unfortunately, most companies – with the possible exception of huge enterprises – found it hard to comply with the regulation because they lacked the necessary resources.
Whitepages’ own VP, S. McLain, said: “When it comes to knowledge, we encourage the small to medium-sized enterprises to look to their payment service providers and their card schemes to figure out how to best implement measures to remain compliant [with PSD2] while sharing data.” Additionally, there are two ways in which regulation-compliant access can be provided: dedicated interfaces (APIs), and screen scraping, where fintech companies use banks’ existing online interfaces.
The fact that banks have to adapt to the requirements of PSD2 will most likely mark the beginning of a new chapter in the banking industry’s history. It will also have a major impact on banks’ position in the market. Areas that used to be exclusive to banks will now be open to fintech companies and other financial institutions. The technological innovations accompanying the directive’s implementation will allow the development of new services and products, all to customers’ benefit.
Balancing act summary
There are three main financial services available for bank customers via TPPs:
- issuance of payment instruments (cards, wallets) and acquiring of payment transactions (Article 65 of PSD2)
- payment initiation services (Article 66 of PSD2)
- account information services (Article 67 of PSD2)
Here are some additional examples:
- Money remittances
- Enabling cash deposits and withdrawals
- Execution of credit transfers, standing orders, direct debits
- Payments through cards or similar devices
Banks’ responsibility and transaction risk
Banks must have the right infrastructure to support the Regulatory Technical Standards (RTS) on authentication and communication. Moreover, they can provide plug-ins and extensions for payment initiation services, so that merchants can integrate them into their online channels and enable buyers to make payments. Banks can also charge fees for the use of such services.
Most GDPR standards are met as long as companies are compliant with PSD2. These regulations apply to all entities processing personal data. Such organizations are also required to allow other parties to perform contractual inspections in order to ascertain that they indeed adhere to the new law.
Unprecedented efficiency and unimaginable predictions
PSD2 makes payment providers’ services more transparent. It encourages competition by giving TPPs access to account data so that they can initiate payments. TPPs can offer account information services, which collect information from various accounts and present it to the owner in a simple, concise way. Banks have to give all authorized TPPs access to account information when the latter request it via standard APIs. This is a great moment for all players on the financial market – both traditional institutions and newcomers – to embrace digital platforms and capitalize on the opportunities offered by PSD2.
As far as GDPR is concerned, many companies are likely to benefit from it. This applies especially to those who deal with their customers directly, such as Google, Amazon and Facebook. Transparency regarding the collection and protection of data is key. This is what helps companies win their customers’ trust.
One thing is certain – the world of financial technology changes at a very rapid pace, making it impossible to predict with certainty its future and the actual impact of both GDPR and PSD2.