In recent years, the security of electronic payments has increasingly become the subject of supranational guidelines and regulations in Europe.
The initiatives for these guidelines and regulations originated from the European financial regulators as well as the European Commission.
On Nov. 27, the European Commission published its final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under PSD2. With the release of the final PSD2 RTS requirements, banks of all sizes can now take action to develop a compliance strategy and implement effective security solutions for electronic remote payment transactions.
The Revised Payment Services Directive, known as PSD2, harmonizes security requirements for online banking and online payments, providing a common regulatory framework for the European Union (EU). The security requirements in the final RTS are driven by two core objectives of PSD2: protect consumers from fraud by increasing payments security, and enhance competition and innovation in the retail payments market.
It is my belief that while change often causes initial disruption, the long-term benefits of an initiative like PSD2 will be worth it, given that, fundamentally, the ideas and reasoning behind PSD2 are good. It opens up the market, which will drive innovation, while increased competition is always better for the end user as it fuels advances from a security and convenience perspective.
With PSD2, Third Party Payment Service Providers (TPPs), which are often fintech companies, will have far greater access to users’ banking data. That’s because under PSD2, they will have the ability to build two types of applications: AIS (for Account Information Services), which gives customers an overview of their accounts at several banks; and PIS (for Payment Information Services), which enables customers to make transactions from different banking accounts.
In principle, every fintech company that meets the requirements issued by the European Central Bank can develop those applications, and while the benefit from a consumer perspective is obvious, it also means that companies not normally associated with banking, like Google and Facebook, can develop those applications to act as an AIS and PIS provider.
The upshot of this could ring alarm bells for anyone who has concerns about how much personal information tech giants already hold on their users; consumers may not feel comfortable knowing that those "data accumulators" could now have access to their financial data and behavior, too.
A further issue that consumers need to consider is the ease with which a company like Facebook could integrate in-app sales into existing applications, like Facebook Messenger, for example, thereby simplifying transactions in a way that encourages consumers to spend more money, more easily.
Although PSD2 is an EU banking and finance regulation, it does shake up the global finance sector, including the U.S., and other global banks should not ignore it. First, PSD2 forces U.S. banks that have a footprint in the EU to follow the PSD2 requirements. This essentially means they have to provide open APIs to AIS/PIS providers and protect accounts using SCA mechanisms.
Second, PSD2 is generally seen as the early bird of open banking in the world, and it might trigger a shift towards open banking in the rest of the world, including the U.S. It could therefore be interesting to look at the current state of open banking in the U.S. and compare it against PSD2. Lastly, PSD2 allows U.S. banks that obtain a license as AISP/PISP in the EU to obtain financial data about EU citizens. The reverse, whereby EU banks obtain data about U.S. citizens, is not yet possible through open APIs.
While there are some potential challenges to address, I am encouraged by PSD2. I see it as an opportunity for banks to bolster their service offering, while at the same time working with fintechs to respond effectively to changing customer demands, to drive convenience and security in the fast-paced, online world.