As we move toward the mandated adoption date for the Payment Services Directive 2 (PSD2), we can expect to see significant shifts within the payments industry.
Banks leading the pack and taking risks with early adoption may win big or lose big depending on how and what they implement. Increases in security requirements will inevitably force payment providers and merchants alike to re-think their user experiences.
But it will be third-party providers and fintech start-ups who will drive innovation as the PSD2 throws open the doors to an industry that previously provided limited opportunities for innovation outside of banks and payment processors.
In August of 2015, the European Parliament adopted the expanded rules for the Payment Services Directive (PSD), known as the PSD2. The original Payment Services Directive (PSD) laid the groundwork for payment rules that would apply to transactions within an EU country as well as cross-border EU payments. The PSD2 expanded that scope while leveling the playing field with required standardization, better consumer protections and increased potential for new players in the industry.
But while PSD2 brings a number of required changes, which must be implemented into national laws by all 28 EU member states by 2018, it also paves the way for an open banking environment. Some see this as an opportunity. Others see it as a detriment to the industry. Either way, everyone recognizes the security complications that need to be addressed as part of the new rules.
One of the most important changes that PSD2 brings with it is the requirement that banks open access to their data and infrastructure to third parties. Essentially, this decentralizes payment functions, dispersing the focus from only banks and adding fintech start-ups and other third-party providers into the mix.
European banks are reacting in three fairly predictable ways to these changes. Some banks see the move to open banking as a threat to their business and an exercise in compliance with little benefit to them. A second group is taking the risk-adverse approach of compliance but no action, preferring to wait and see what comes of the changes.
But a third group of banks are embracing the changes resulting from the PSD2 and seizing the opportunity to take the next evolutionary step toward open banking. These institutions have already begun to make changes and are adopting a philosophy that includes third-party providers in their plans.
The directive itself, and the acceptance by some banks, is great news for fintech companies formerly hamstrung by their ability to access a consumer’s account information. The potential service offerings are limitless, from building new standalone applications that utilize the data to offer previously unavailable functionality to creating product enhancements for banks and other financial institution’s own applications and services.
However, as is correctly pointed out by those concerned about the idea of open banking, the new levels of access available outside of banks means an increased level of security risk.
Security concerns under the PSD2 are multi-faceted. The required introduction of third-party providers into the mix has created a greater need for increased security measures. However these measures are likely to make the process more difficult for the end user, namely, the consumer.
Financial institutions are required to provide information to an authorized third-party, unless they have a substantiated reason why they object. In other words, if there has been a formal complaint lodged against a third-party provider, a bank can refuse to work with them. Otherwise, as long as the providers have met the criteria, including the connection being initiated by the consumer, the bank must agree.
To govern this, the PSD2 also outlines rules for increasing security for transactions between third-parties and banks. Strong customer authentication is required for most transactions and with very few exceptions. During the development of the PSD2, the payments industry had actually recommended that 2-factor authentication not be required in low risk situations, but that recommendation was not incorporated into the final directive.
However, the resulting complication from 2-factor authentication is increased friction at the checkout – the critical point in time when consumers demand a more streamlined purchase process. While this will certainly be a sticking point for brick-and-mortar retailers, it could mean serious problems for e-commerce merchants, where abandoned carts due to poor user experience is already a major issue.
However, the directive does leave flexibility as to the mechanisms of the 2-factor authentication. This provides opportunities for innovation in areas like biometrics to offer security solutions.