Where are we now? PSD2 and the digital consumer revolution
March 21, 2023
“The deadline for PSD2 compliance has long since passed, but the challenges for banks and businesses are still unfolding across Europe. The payments industry is feeling the effects particularly strongly. Five months on, I’ve explored the impact of PSD2 on banks, merchants and consumers and what the future of compliance looks like.”
Hailed as “revolutionary” and “game-changing”, the Second Payment Services Directive went into full effect in September 2019. The EU legislation promised to deliver a consumer advantage by shaking up retail banking and electronic payments, and by giving challenger Fintechs a competitive edge in the Banking as a Service arena. But the September 14th regulatory standard deadline passed quietly, and the enforcement of a key provision, Strong Customer Authentication (SCA), was postponed, prompting commentators to question the directive’s real impact on consumers. Three months on, how are UK banks and Payment Initiation Service Providers (PISPs) responding to the European Banking Authority’s (EBA) regulations? Has the impact of PSD2 been felt strongly within the wider European financial services ecosystem? And as we move closer towards EU withdrawal, how will the continental policies maintain their influence over an independent Britain?
Big Delays for SCA
A core component of PSD2 aims to reduce the amount of online payment fraud by implementing measures to verify customer identity. SCA, also known as 2FA (2 Factor Authentication), requires that electronic payments over €30 verify customer identity in two of three unique areas: something that a customer either knows (a password), possesses (a push notification to a mobile phone) or inherently has (biometric identification). PSD2 should be spurring on competition, but enforcing these requirements is an inconvenient disruption to tens of millions of consumers.
So three months before PSD2’s September deadline, the FCA announced the compliance deadline for SCA would be extended to March 2021. The change reflected evidence held by the EBA suggesting the measures designed to boost consumer confidence would have the opposite effect. Consumers would actually purchase less (to the tune of about €50 billion) if simple ‘one click checkout’ was no longer available. In response, banks and financial services companies are building SCA-compliant solutions that offer as little disruption as possible to the customer. Some solutions are based on predictive analytics, leveraging global data to assess whether a payment is genuine, while others are investing in user-friendly biometric technologies. I would personally much rather sign into my MacBook with a fingerprint than remember another password.
SCA exemptions allow PISPs to define a level of transactional risk that does not require 2FA, such as payments to trusted beneficiaries, recurring transactions and corporate payments. Adopting this risk-based approach has paid off for all parties: shoppers are more likely to complete their transactions and fraud will decrease. In the interests of reducing customer friction at checkout, merchants can work with their PISP to develop an exemption strategy. When designing a consumer-first strategy, you want to think about how you can leverage outside data to model behavior and correctly identify which charges require SCA authentication.
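The two-of-three rule and the exemption categories described above can be expressed as a small decision function. This is an added example, not code from the article or from Prolifics; the factor names, exemption flags and the `Payment` shape are assumptions made for illustration, and only the €30 threshold, the three factor categories and the three exemption types come from the text.

```python
from dataclasses import dataclass
from decimal import Decimal

# Factor categories named in the article: knows / possesses / inherently has.
FACTOR_CATEGORY = {  # constructed factor names, for illustration only
    "password": "knowledge", "pin": "knowledge",
    "push_approval": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}
SCA_THRESHOLD_EUR = Decimal("30")  # the article's figure: payments over EUR 30
EXEMPTIONS = frozenset({"trusted_beneficiary", "recurring", "corporate"})


@dataclass(frozen=True)
class Payment:
    amount_eur: Decimal
    flags: frozenset = frozenset()   # exemption flags set by the PISP (hypothetical)
    verified_factors: tuple = ()     # factors the customer has already passed


def sca_required(payment):
    """Return (required, reason) using only the rules the article describes."""
    if payment.amount_eur <= SCA_THRESHOLD_EUR:
        return False, "at or below threshold"
    matched = sorted(payment.flags & EXEMPTIONS)
    if matched:
        return False, "exempt: " + matched[0]
    return True, "sca required"


def factors_satisfy_sca(factors):
    """True only if the factors span at least two distinct categories.
    Unknown factor names are ignored, so they can never help a payment pass."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorize(payment):
    """Allow the payment, or ask for a step-up when SCA is required but unmet."""
    required, reason = sca_required(payment)
    if not required:
        return "allow", reason
    if factors_satisfy_sca(payment.verified_factors):
        return "allow", "sca passed"
    return "step_up", "need two factors from different categories"
```

Note that a password plus a PIN is rejected: both are knowledge factors, so the pair covers only one of the three categories.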
PSD2 and Europe
The original Payment Services Directive was adopted in 2007 and was a self-regulatory initiative designed to support a Single European Payments Area (SEPA). Like the subsequent PSD2 legislation, the PSD aimed to provide a legal framework under which consumers would have greater protections, while increasing competition amongst the European payments industry, specifically from non-banks.
As with any pan-European policy, problems can arise when some countries are quicker than others to implement legislation. Some complications are due to a lack of education – just months before the September PSD2 deadline, only 25% of online merchants were aware of their obligations around SCA, with smaller merchants less likely to be moving towards compliance. Ecommerce Europe and similar pan-European commerce groups have published accessible literature to help close the awareness gap and bring all ecommerce merchants up to speed on the regulatory requirements.
Uncertainty around Brexit casts the UK’s future in the Digital Single Market (DSM) in doubt. While a bilateral agreement could allow the UK to continue participating in aspects of the DSM, several major media communications companies have already left. Fortunately for consumers, whatever negotiations are made with the EU, the UK government has announced that PSD2 will remain largely unaffected as it falls under the UK’s Open Data Initiative.
How can players in the payments industry stay on track with compliance ahead of the extended deadline? Like other aspects of the directive, successfully complying with SCA requires interacting with Third Party Service Providers such as Account Information Service Providers (AISPs), who aggregate personal financial data from across multiple accounts. These API-driven interactions will be the easiest to implement for organizations that remain proactive and innovative with their integration strategies.
Prolifics and PSD2
Working closely with IBM, we partnered to develop a comprehensive solution that has been used to support the first UK banking groups’ exposure of public payment information in accordance with the Open Banking standards.
Based on IBM’s industry-leading API Connect platform and drawing on years of Prolifics’ own experience delivering integration projects to leading investment banks, we offer a fast, secure path to PSD2 compliance by leveraging pre-configured assets and an industrial-strength API management platform. If deadline extensions mean you’re still on your journey to PSD2 compliance, our fully managed Sandbox tests against the latest Open Banking standards, including simulated SCA and consent management scenarios.