IFLR explains one of the EU’s most important regulatory changes in recent years, and how it has revolutionised payment services in member states and beyond
The EU’s second Payment Services Directive (PSD2), or Directive (EU) 2015/2366, was first passed by the EU Council in November 2015. Just under four years later, implementation has begun, but full compliance has been set back by market delays.
PSD2 primarily exists to enhance customer rights, including enhanced security through SCA [Strong Customer Authentication] criteria, increased rights for consumers to launch complaints and, crucially, the enablement of third parties to access account information allowing for new payment services to develop.
Fintech companies – from challenger banks to payment service providers – are now able to access data from traditional bank accounts. This move has helped newer entrants such as Monzo reach over two million users.
This has undoubtedly worried traditional banks, with one speaker at IFLR’s Fintech Europe event in May complaining of a “them and us mentality” between banks and fintechs during the PSD2 negotiation period.
However, it was also acknowledged that across Europe, the next step for financial services is open finance. This has spurred traditional providers into action. Earlier this year, NatWest launched an accounts with other banks feature, which enables customers to view their current accounts with competitors.
How did it come about?
The EU has always wanted lead the way with its digital market. In 2000, member states were keen to make Europe "the most competitive and dynamic knowledge-based economy in the world” as part of the Lisbon Strategy.
While not all has gone to plan – what with Brexit and the rise of populism globally, which was not widely predicted at the turn of the millennium – this direction is still the ambition, and PSD2 has been part of that.
PSD1 was adopted in 2007 and provided the foundation for a single market for payments within the EU. It pushed innovation and competition. However, with technology moving faster than regulation – particularly in the past decade – this proved not to be the long term solution many had hoped for.
“The whole point of PSD2 was to address the gap that had become apparent from the implementation of PSD1, enhance competition, encourage innovation and address security of payments," says Nilixa Devlukia, CEO at Payments Solved and former PSD2 lead at the Financial Conduct Authority (FCA).
Payment services such as payment initiation service providers (PISP) have been welcomed by the market and opened up opportunities for innovation though weren’t regulated. With PSD2, the Commission was able to increase transparency and create a level playing field between providers.
Who does it affect?
PSD2 affects payment service providers – companies like Paypal, Worldpay and Klarna, but arguably, its biggest impact is on more traditional banks.
“The directive has the potential to revolutionise the payments industry,” says Gibson Dunn partner Michelle Kirschner. “It can affect everything from the way we pay online to the information we see when making a payment.”
PSD2 aimed to break traditional banks’ monopoly on customer data, enabling others to receive account data (with consent) to facilitate payments. The directive also enables account information service providers (AISP) to access account dates across multiple accounts and provide combined data to customers.
“PSD2 impacts all firms involved in payment services, notably banks, but also provides opportunities to new entrants via open banking,” says Linklaters partner Harry Eddis.
What’s the connection to open banking?
Though not the same thing, the open banking initiative has a number of similarities with PSD2’s objectives. Whereas PSD2 is an EU directive, open banking is a broader financial services initiative based on innovating for consumer benefit. It has been particularly pushed by the UK government, though banking bodies across Europe including Germany’s DDK have been pushing for common standards. Open banking hopes to improve transparency and make the process more efficient for consumers when making choices as simple as deciding on an energy provider.
“The open banking initiative has been received positively by the market, although it has brought with it large implementation costs,” said Linklaters partner, Harry Eddis.
These implementation costs are evident in the new systems required to enable open banking and the secure sharing of customer data, plus the high staffing costs – in compliance, IT, and beyond.
“PSD2 has been and still is a fairly major implementation exercise for banks,” Hogan Lovells counsel James Black added. “Many established banks use legacy systems in comparison to digital-first challengers who can make infrastructure and systems changes more rapidly.”
Read more: Traditional banks warm to PSD2
Black pointed out that banks have no option but to take the view of compliance first, innovation second.
“Innovation is both costly and time consuming, however it isn’t mandatory,” he continued. “There is currently a huge focus on simply making sure that systems and processes are compliant with the law. Innovation is in the pipeline, but will necessarily lag behind the compliance work a little.”
What else does it involve?
PSD2 introduces enhanced identity checks when paying online. This element has been controversial as it is hard to implement, especially in so-called card-not-present transactions, such as online.
“The difficult thing with regulation such as SCA is that it’s always changing,” Monzo’s legal vice-president James Sullivan told IFLR in September. “The regulation is not fixed but in a sense, the law is only part of the solution.”
Delays to the implementation of these requirements in certain circumstances has been agreed, though it differs for the UK and other member states.
In August, the FCA agreed to a phased process for the Strong Customer Authentication (SCA) element of PSD2, showing just how much strain it is having on those who are regulated. In addition, the European Banking Authority (EBA) has pushed the transition deadline for SCA standards to 31 December 2020.
“The biggest challenge for us, alongside our regulatory obligations, is ensuring we deliver a great user experience,” continued Sullivan. “Engineering time is incredibly precious. There are always a million things that our engineers could be doing, so we have to use their time wisely.”
What about beyond the European Union?
A key difference with PSD1 and PSD2 is that PSD1 only applied to intra-EU payments. In line with other EU legislation such as the General Data Protection Regulation (GDPR), PSD2 goes further afield.
Financial institutions now need to provide information on international payments as well, and can be held liable for their part of the transaction if something goes wrong.
This change means that the same rules apply even to non-euro-denominated payments.
This should herald improved consumer protections for international payments.
What about Brexit?
While banks and fintechs may have their own differences, they are generally united in a dislike of the endless Brexit-related uncertainty, which has been a drain on resources and innovation.
London has a reputation for fintech, and with that, a head start in the race against other EU hotspots like Dublin, Stockholm and Luxembourg. More than 1,600 fintech firms call the UK home, with government statistics anticipating this to double by 2030.
Prominent figures such as TransferWise founders Kristo Käärmann and Taavet Hinrikus and Starling Bank CEO Anne Boden all moved from elsewhere in the EU to set up sticks in London.
So far it seems that the UK government and regulators alike are keen to maintain the status quo, shown with level playing field commitments in Boris Johnson’s revised withdrawal agreement. In addition, the FCA’s Andrew Bailey has repeatedly said that equivalence is the best solution for both sides.
“Brexit should not affect the UK application of PSD2, as existing legislation is effectively onshored post-Brexit,” assured Eddis.
However, once the UK is a third country and the transition period draws to a close, questions will undoubtedly intensify around how the UK will continue to interact with banks and fintechs in the EU27 with no single market access.
“As the hub for fintech and finance more generally in Europe, it will remain a primary concern in the UK to retain financial innovation and open finance in the post-Brexit environment,” summarised Kirschner.