PSD2 Draft Regulatory Technical Standards – Why all Payment Stakeholders Need to Act

The European Payment Services Directive 2 (PSD2) which came into force in January 2016 and will apply from January2018 will bring significant changes and opportunities to the payments and banking sectors in Europe and beyond.

FirstPartner has been working with The Human Chain to advise clients on the impacts of PSD2 and has collaborated on a joint blog post summarising why all those in the payments ecosystem should participate in the current European Banking Authority (EBA) Regulatory Technical Standards (RTS) consultation.

PSD2 – A Catalyst for Innovation, Competition and Security…..

The objective of PSD2 is to make it easier, cheaper, faster and more secure for consumers to pay for goods and services across the single market by driving harmonization, innovation and security. Two of its critical provisions are:

1.       Access to Accounts (XS2A) which will open up access by authorised Third Party Processors (TPPs) to consumer data and banking infrastructure. XS2A will enable new service providers (defined under the directive as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), to offer innovative payment and account aggregation services respectively.  This will be facilitated through open APIs and the secure communication standards that the draft RTS proposes.

2.       The requirement for strong customer authentication (SCA) to be applied for all electronic payments in Europe.  This aims to address what is seen by the commission as a failure by the industry to address unacceptably high levels of e-commerce fraud.

A previous paper published by The Human Chain explains why PSD2 and Open Banking in particular, should be a major catalyst to innovation and growth in and around the banking and payments industries.

The Consultation Paper on the draft RTS published by the European Banking Authority (EBA) on 12th August 2016 is fundamental to the successful delivery of PSD2.  It specifies the requirements for and exemptions from SCA,  protection of customers security credentials and standards for secure communication via open APIs, between banks and third party payment and account information service providers.  As such it will have a major impact on consumers’ e-commerce experiences and the cost and complexity of integrating with bank APIs.

…..Or A Recipe for Confusion, Complexity and Stagnation

Of course, as with all regulation, PSD2 carries risks.  It needs to tread the fine line between encouraging competition and innovation and preventing costly and restrictive technology fragmentation, while protecting consumers and controlling fraud.

In drafting the RTS, the EBA has acknowledged the above challenges and risks and consciously followed a technology and business model neutral, “principles based” approach so as not to restrict payments and security innovation.  While these aims must be applauded, the current draft RTS falls short of getting the balance right between technical consistency, legal clarity and freedom to innovate.

We and many other players in the industry have real concerns that the way in which the requirements for SCA are defined are in danger of stifling e-commerce growth, whereas the approach to standardising secure communication and APIs leaves too much open to interpretation and conflicting proprietary standards.

Among the more high profile critics of the the currently proposed approach to authentication is Visa,  whose Executive Director of Risk Management Peter Bayley, argues that the RTS as currently drafted puts Europe’s Single Digital Market at risk by rigidly imposing crude, high friction authentication processes on e-commerce transactions.  A conference held by industry body Payments UK in London in July warned that development of standards is “at risk of fragmentation under pressure from tight deadlines, a lack of clarity about the technical requirements and competing domestic proposals”.

Please Participate and Comment

We share many of these sentiments and review the arguments in more detail along with proposing recommendations for addressing the key shortcomings.   Read the full post here and If you are an existing Financial Institution, or prospective PISP or AISP wanting to maximise the opportunities offered by PSD2 and you have not yet prepared your response to the EBA’s consultation, we urge you to do so ahead of the 12th October 2016 deadline.

You might also like…