The new regulatory framework is a challenge for banks and credit/debit card networks, which are threatened by the arrival of new digital alternatives
The new European directive on payment services (known as PSD2: Revised Payment Services Directive), along with other legislative measures approved in recent years, has the aim of facilitating the development of an integrated and efficient retail payment services market in the European Union that promotes competition and innovation, with the ultimate goal of providing consumers and businesses with reliable and secure services at the lowest possible price.
This new regulatory framework, which is more open and competitive, is a challenge for traditional players (primarily banks and credit/debit card networks) that are threatened by the arrival of new digital alternatives. On the other hand, it also provides an opportunity to innovate in the development of services and attract additional business in the new digital ecosystem.
Although the PSD2 directive was approved on November 25, 2015, it will not take effect until January 13, 2018, which is the deadline for its transposition in the laws and regulations of member nations. This means that traditional players and new alternatives entering the market will only have 24 months to adapt their infrastructures and services (as well as their business models, in certain cases) to this new competitive framework.
The main challenge in making progress towards this objective is that although the directive clearly defines the market conditions, the specific regulations and technical standards that make it possible to guarantee the compliance and interoperability of services have not been developed yet.
Main aspects of the existing European regulation
The retail payment method market defined by the European Union regulation focuses on the following key aspects to reach the set objectives:
SEPA (Single Euro Payments Area)
The implementation of the SEPA model in the 27 European Union member nations has made it possible to establish an integrated retail payment market in euros with a single set of standards and regulations for bank transfers, direct debits, and credit/debit cards. This allows users to benefit from a shared framework—in terms of simplicity, security, and effectiveness—for national and cross-border payments between the countries that make up the SEPA area.
Regulation 2015/751 MIF (Multilateral Interchange Fee)
Limited interchange fees
Since December 9, 2015, the European Regulation 2015/751 has established a new economic framework that limits the interchange fees between issuers and acquirers for card-based payment transactions. This framework has had a direct impact on the fees (discount fees) that acquiring banks charge merchants.
Separation of processing entities
The Regulation 2015/75 also includes the mandatory separation of payment card scheme and processing entities in terms of accounting, organization, and decision making processes. This separation allows the entry of new payment service providers in a free competition setting.
Shared brand and payment brand selection
As of June 9, 2016, issuers will no longer face restrictions in sharing multiple payment applications or brands in a single card-based payment instrument. Businesses will be able to define at the point of sale the priority selection of a certain payment brand, which consumers may cancel if they prefer to use another option within the categories accepted by the corresponding establishment.
Online payment security
To increase user security, reinforced authentication will be required through the use of at least two independent factors (something that the user knows, has or is) for online access to payment accounts, electronic payment transactions, or any other action through a remote channel that could be at risk.
The new framework of the PSD2 directive
Within the framework of the retail payment service regulation, the PSD2 directive has two main objectives:
- To contribute towards the development of a European retail payment method market with a higher degree of integration and efficiency.
- To promote a market with equal opportunities and that favors the entry of new payment service providers as well as the development of new digital and mobile services.
- To expand the area of application by including providers and services that in the past were excluded, and by reducing the previously applicable exceptions of the PSD1 directive.
- To increase the level of user protection and payment security, resulting in less fraud and consumer abuse.
- To reduce the service costs throughout the value chain as well as the prices for end users.
The PSD2 directive will enter into force in early 2018, although the technical regulatory standards will not be mandatory for another 18 months
The first payment service directive (PSD) was approved in 2007 and implemented throughout Europe between 2009 and 2010. This directive quickly became obsolete with the development of new online and mobile services as well as new and innovative digital business models. This led to the idea of launching updated regulatory initiatives, including the need to review the existing payment services directive.
After the corresponding transposition, the PSD2 directive will enter into force in early 2018, although the technical regulatory standards for security and authentication will not be mandatory for another 18 months.
- Expansion of the area of application, which will cover all European Union currencies and include transactions in which the registered address of at least one of the parties is in the EU.
- Reinforced authentication, with mandatory identity verification through at least two secure and independent factors when users:
a) Access their online payment account.
b) Begin an electronic payment transaction.
c) Use a remote channel to perform actions that could involve the risk of payment fraud or other abuse.
- Establishment of new payment service provider profiles:
a) Payment Initiation Service Provider (PISP ): Provides the ability to initiate an order of payment involving a payment account opened with another payment service provider.
b) Account Information Service Provider (AISP ): Online service that provides aggregate information about one or multiple payment accounts of which the user of the payment service is the titleholder or in another payment service provider or in multiple payment service providers.
- Greater user protection by requiring and ensuring that payment service providers implement appropriate and effective procedures for resolving claims within 15 working days.
- Limited user liability—up to €50—for losses caused by unauthorized payment transactions as a result of the use of a misplaced or stolen payment instrument.
- Greater supervision by the corresponding bodies in terms of managing operating risks and security, in which service providers must report serious security or operating incidents.
- Technical regulations for:
a) Guaranteeing appropriate security levels for payment service users and payment service providers by establishing effective requirements according to the risks.
b) Guaranteeing the protection of the funds and personal information of payment service users.
c) Ensuring and maintaining an appropriate level of competition between all payment service providers.
d) Guaranteeing the neutrality of the business model and technology.
e) Allowing the development of affordable payment methods that are easy to use and innovative.
- The new PSD directive promotes competition and facilitates the entry of new payment service providers. As a result, end users have more choices in terms of the providers and services available on the market.
- This increased competition and the development of new services creates a more efficient market that, according to what is expected, will offer users services with improved functionality and at more competitive prices.
- The new payment initiation services will allow users to make online purchases using mobile technology and without the need for credit/debit cards since it will be possible to make payments directly from the bank accounts to be charged through the use of payment instruments such as bank transfers or direct debits (SEPA). It will also be possible to use these new payment tools for in-person purchases at businesses and service companies.
- Improved user protection for international transactions since they are covered by the law when at least one of the points, either the user or the merchant, is located in Europe.
- In most cases, practices involving additional charges for credit/debit card payments will be prohibited.
- The new services for accessing account information will allow service providers to offer users improved overall control of expenses and deposits if they have more than one bank account.
- By increasing the level of requirements and supervision of payment service providers, there are fewer risks for consumers and more protection against fraud. In the case of unauthorized payments, the maximum liability will be €50, except in the case of user negligence.
- Claim resolution processes are improved by requiring payment service providers to increase their efficiency and limit response times to a maximum of 15 working days.
- Users can request the unconditional reimbursement of funds if there is a dispute regarding unauthorized charges, similar to what already exists with SEPA direct debits.
- Greater protection for transactions in which the final charges are unknown, such as vehicle rentals. In this case, rental companies will only be able to charge the maximum specified amount, and anything above this amount will require a new order of payment from the user.
- Improved payment security through reinforced authentication, which requires at least two authentication factors to identify the end user making the transaction.
Merchants and businesses
- The merchants, service companies, and public entities that use retail payment services in the B2C field will benefit along the same lines as their end customers.
- In addition, the PSD2 directive allows larger companies and entities, as well as online businesses, to become payment initiation service providers (PISP) so they may interact directly (and without the involvement of as many intermediaries) with the end providers of charge accounts, including banks as well as new digital players like PayPal.
- Merchants also benefit from a European market that is more integrated.
The new players in the field of payment services (TPP: Third Party Providers) benefit from the PSD2 directive’s definition of two new payment service provider (PSP) models:
1. Payment Initiation Service Provider (PISP)
2. Account Information Service Provider (AISP).
These new payment provider models, which are subject to PSD2 regulations and therefore also to user security and protection requirements, can access—in the terms described in the regulation—the payment accounts of traditional provider banks, (ASPSP: Account Servicing Payment Service Providers).
Access to a European integrated payment services market provides new players with access to a potential turnover that boosts the viability of the necessary investments.
The PSD2 directive creates risks and opportunities: On the one hand, lower income for credit/debit card business, but on the other hand, new business models based on payments with direct access to accounts
Banks and other PSPs
For banks and other traditional PSPs, the new PSD2 directive is a challenge in terms of adapting to the new situation. This challenge can be faced with reactive positioning by developing the minimum requirements for complying with the new regulation or with a proactive strategy that leverages the necessary transformation in order to adapt to the new regulation and the situation of the current market.
- The greatest impact of the PSD2 directive for banks is caused by the need to provide new players, including payment initiation service providers and account information service providers, with access to their customers’ accounts through APIs that will be defined by the European Banking Authority (EBA).
a) The design of these interfaces must be accompanied by higher levels of security and control as well as the development of the corresponding processes for the operational management of the service.
b) The PSD2 directive requires non-discriminatory treatment for new PSPs, so service levels must be guaranteed.
c) The new payment service provider profiles increase the risk of disintermediation in the relationships between banks and their existing customers for certain areas of business.
- Adapting the retail payment services currently provided by banks to the new PSD2 regulation, including the regulatory technical standards.
- PSD2 facilitates the establishment of new payment instruments, such as direct debits and direct transfers to accounts, and these new alternatives compete directly with the traditional business of credit/debit cards. Banks must consider the potential impact on lower revenue from acquiring and issuing cards, and the potential compensation or expansion with the business development induced by new instruments.
- The level of requirements of the PSD2 directive in the area of user data protection and the additional risk created by interactions with the new TTPs require special adjustment efforts.
- Although most banks have developed reinforced authentication initiatives, they must be adapted to the recommendations that the European Banking Authority will publish and also rigorously extended to all payment interactions.
User support processes for resolving incidents and claims must comply with the deadlines and service levels defined by the PSD2: immediate.
Like all changes, the PSD2 directive creates risks and opportunities, as in the case of new and alternative payment instruments, which will lower the corresponding revenue of the credit/debit card business, but also give banks the chance to develop new business models based on payments with direct access to accounts.
Society’s digital transformation is moving ahead faster than retail payment services, so just like in other areas of business, a major adjustment boost is needed that requires strong innovation and investments from all the members of the ecosystem.
Without this drive in the transformation of the payment services market, the gap between the needs of new digital users and the services available will inevitably grow and have a negative impact on the overall development of society.
In light of this situation, European regulators have undertaken new initiatives, including the PSD2 directive. Although the directive has taken longer than expected, it will help reduce the digital divide of this market. In addition, the European Central Bank has promoted the creation of initiatives aimed at developing interoperable infrastructures for instant payments, which will be the main driver of mobile payment services.
As a result, now is the time for new and existing payment service providers to leverage the latest digital technologies and undertake initiatives aimed at developing alternative business models and services that properly address the needs of the new digital society.