Digging into PSD2
PSD2 came into full effect in September 2019. Building on the first Payment Services Directive, it is a more up-to-date piece of legislation, aimed at improving digital payments capabilities and enabling consumers in the EU to have greater control over their financial data.
New technologies, the rise of fintech and consumers ‘going digital’ mean that banking and payments ecosystems are converging more and more. The barriers between buying channels and between geographies have also lowered significantly in recent years, driving near-borderless, digital-first commerce.
For a number of years, regulators in Europe have taken steps towards creating a single market for payments to support digitalization, innovation and better data security, as well as to regulate the key providers of these payment services.
Since the introduction of the first Payment Services Directive (PSD), the drive to digital has been relentless and revolutionary. A side effect of this innovation was that new payment providers, especially in the online and mobile space, lacked regulatory clarity and supervision. A refresh of the legislation was needed to better support digitally-enabled ways of transacting, reduce online fraud, increase consumer data rights and ensure a level playing field for all payment providers, including new ones.
What is PSD2?
At its core, PSD2 has provided a regulated way for consumers to give service providers of their choice safe, secure access to their accounts. This can enable these third parties to either initiate payments on the customer’s behalf or simply to gather and consolidate financial data.
A huge advantage of Open Banking is the ability for consumers to use Online Banking Payments to pay merchants. PSD2 has acted as a catalyst for this by requiring that all banks allow and support authorized service providers (called PISPs) to initiate payments. This is already making Online Banking Payments a much more widely available payment method across Europe.
Online Banking Payments can deliver a range of benefits to both consumers and merchants, by offering a highly secure, simple user experience which moves money instantly between bank accounts. Online Banking Payments can also help merchants take control of their costs by simplifying fee structures and reducing the number of fee-charging ‘middlemen’ in the payments process.
The account information services that can be provided as a result of PSD2 include the potential for consumers to use an app to get a single overview of all their finances and one place to manage it all, even if they have different accounts across different banks. The framework also offers the opportunity for providers to overlay innovative services such as finance management or budgeting tools that create real value for consumers and strengthen their customer relationships.
Lots of these potential value-added services and innovations are still in the pipeline from fintechs and other service providers. However, open banking payments are already firmly here and gaining significant adoption across Europe (and around the world).
The services you need to know about:
PIS: Payment Initiation Services
A service that initiates a payment directly from a consumer’s bank account – for example when a customer is shopping online and chooses the bank transfer payment option at the checkout.
AIS: Account Information Services
A service which is allowed access to consumer bank account information, including transaction and balance history, often for credit scoring or to offer tailored financial products/money-saving opportunities.
The companies involved:
TPP: Third Party Provider
Authorized online service provider that can connect to banks to offer AIS or PIS services.
PISP: Payments Initiation Services Provider
A Third Party Provider licenced to offer Payment Initiation Services (PIS) to merchants.
AISP: Account Information Service Provider
A Third Party Provider offering Account Information Services (AIS) to merchants.
ASPSP: Account Servicing Payments Services Provider
The company that provides the payment account to the consumer - usually a bank.
The technical bits:
API: Application Programming Interface
Method for Third Party Providers (AISP/PISP) to access bank accounts. It allows systems of different companies to connect and work together.
MCI: Modified Customer Interface
Enables Third Party Providers to securely identify themselves to the bank, with a certificate proving they are regulated. This is an alternative to using APIs.
RTS: Regulatory Technical Standards
Part of PSD2 which sets out the common and secure open standards of communication between parties. It also details the requirements for customer authentication.
SCA: Strong Customer Authentication
Ensuring payments are authenticated in a secure manner and to a specified standard.
PSD2 Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a huge part of PSD2 – and perhaps one of the biggest impacts of the regulation from a merchant perspective. This part of the Directive was designed to reduce fraud and make online payments more secure.
To accept payments and meet SCA requirements, merchants must now include additional authentication tools at the online checkout.
SCA requires authentication to use at least two of the following three elements:
SOMETHING THE CUSTOMER KNOWS (e.g., password or PIN)
SOMETHING THE CUSTOMER HAS (e.g., phone or hardware token)
SOMETHING THE CUSTOMER IS (e.g., fingerprint or face recognition)
Aside from several exceptions and exemptions, this new authentication process now applies to all forms of payment over €30, including debit and credit cards – and is soon to be enforced for all ecommerce payments too.
The original deadline for SCA implementation in e-commerce was extended, but SCA has been enforceable in the EEA since 1st January 2021 (and the UK will follow from September 15th 2021).
Merchants accepting card and certain alternative payments may face friction at the checkout, due to the additional authentication steps that customers will have to take to complete their payment. This may cause cart abandonment, reduced conversion rates, lost revenue and reputational damage.
The growth in biometrics and improved integration with APIs means that bank transfer payments from PISPs deliver a more convenient, friction-free authentication process – but one that still meets the criteria for SCA.
Many Third Party Providers have relied on connecting to consumer bank accounts via an API callout. In fact, banks are not compelled to offer an API under PSD2 – some have engaged the FinTech community to build high performing APIs, whilst others only offer modified web interfaces (MCIs). These MCIs, like APIs, allow third parties to provide the right credentials to prove they are an authorized provider. They can also act as a back-up route in the event of technical glitches or API downtime, which could otherwise prevent a transaction from being processed.
To offer robust Online Banking Payments and a strong user experience to a wide range of customers, the ability to integrate using various different methods.
The concept of Open Banking has been around for a while and it is a growing phenomenon around the world. But gaining real traction on Open Banking innovation has been challenging in many geographies, because of the complexity involved, as well as a lack of willingness to share data and account access.
PSD2 has catapulted Europe to a leading position when it comes to Open Banking, because it has created a legal and technical framework that supports and encourages open banking solutions.
Most importantly, all banks must support ‘Access to Accounts’ which is the crucial foundation for enabling consumers to securely bank directly from their bank account, via a merchant site. Given the growing preference for debit payments in Europe, this development has offered a valuable leap towards offering greater convenience and choice to consumers – as well as an enhanced customer experience.
There has also been some uptake of Account Information services powered by PSD2. For instance, some providers now offer personal finance management tools that help consumers analyze their spending and identify where they can save money.
There has also been some PSD2-driven innovation in the business world, where businesses can integrate their bank accounts with their accounting software, implement cash flow management tools and more easily apply for the best loans, for example.
The catalyst for Open Banking Payments
When it comes to Open Banking Payments, there are two types of services, or providers, which can support customer bank payments.
Initiation-only service providers can enable a push payment from a customer’s bank account to a merchant’s account. However, this is usually the limit of the functionality.
Full-service Payment Initiation Services (PIS) are the top tier solutions which can offer far more through a more extensive range of integrations, and the ability to handle not just the initial payment instruction, but much more beyond that, including instant customer refunds and a variety of benefits for merchants.
The shortcomings of PSD2
Naturally, legislation can deliver enormous benefits – and the catalytic effect of PSD2 cannot be denied. However, regulations take years to develop and implement – and in the time it took to develop PSD2, technology, customer expectations and many other factors continued to evolve.
Lack of standardization
PSD2 did mandate certain principles, guidelines and standards, including the functional requirements and security measures around accessing accounts and authenticating customer payments. However, it didn’t dictate how to build the connections between back end systems, which means it’s been largely up to each bank and each country to choose their own route.
As a response to this lack of standardization, there have been some industry-led initiatives in Europe from organizations such as the Open Banking Implementation Entity in the UK, and most notably The Berlin Group. These organizations have developed standards that have been adopted by multiple banks, to create a little more harmony between solutions. A big part of the aim in these projects was to boost adoption by offering a better user experience.
However, in some markets, banks did not adopt industry standard APIs (and in some cases opted for a different type of interface altogether), which, of course, resulted in even more diversity.
A rough start for APIs
Initially, many APIs did not deliver a simple user experience, with consumers facing unnecessary friction when making a bank transfer payment - sometimes even more so than when paying by card.
The additional steps in the checkout process were mostly caused by the way PISPs were made to connect with the banks’ APIs or interfaces. Manual data input and excess security checks caused a lengthier, more frustrating process for customers, putting conversion rates and customer satisfaction at risk.
Some banks didn’t allow TPPs to use their apps to authenticate customer payments, which meant they were unable to use biometrics to authenticate the customer. This was less than ideal, given that biometrics can support a very positive, easy, secure customer experience.
Another common problem (which to some extent still remains) is that a few banks required customers to enter their 16-digit IBAN if they wanted to pay using a bank transfer. This has been a real pain for customers, since very few people know their IBAN by heart. As you’d expect, this tiresome process caused customers to give up and go elsewhere, in favor of a more friction-free alternative.
Unfortunately, the popularity of Online Bank Payments was also underestimated by many providers and banks, who were left unprepared for the volume of transactions coming through their connections – testing their platforms to (and beyond) their limits in some cases.
PSD2 has driven enormous progress for Open Banking, for improved online security and for customer-centric innovation in general. But we still have a long way to go before the real benefits come to fruition.
Removing the obstacles
In 2020, the customer experience issues were raised with the European Banking Authority (EBA), the independent authority responsible for shaping PSD2. In their response, the EBA agreed that TPPs should be enabled to deliver a simple and frictionless payment experience, which means the checkout process “cannot have unnecessary steps or friction”.
This means that banks can no longer require customers to enter additional information, complete multiple SCAs (except in rare circumstances) or show unnecessary messages such as confirmations or warnings. It also means no more unnecessary redirections in the checkout process, or forcing the customer to bounce between different pages just to authenticate themselves. Any app redirection must be immediate and automatic, with a seamless return back to the PISP.
The real win is that bank apps supporting payments with biometrics – such as fingerprint or face-ID – are now a major asset for PISPs. Banks must now allow third party PISPs to use that app for biometric authentication. This means that many more customers will now enjoy the simplicity and security of paying directly from their account with just one swipe of their fingerprint or a quick scan of their face. For Gen Z consumers in particular, this kind of simple, digitally-enabled experience is the ideal.
Lastly, customers will not need to type in their 16+ digit IBAN or select their account twice to pay; instead, the information can be passed through the flow by the PISP or by the bank, or the customer can select the account details from a list.
All these changes will help to power a far more seamless experience, with improved security and user trust – in other words, it will better support the kind of choice and innovation that PSD2 was designed to encourage.
Going beyond the regulation
While PSD2 is a significant step forward, these improvements will not convert PSD2 APIs into a complete payment solution.
Merchants will still need a refund (or pay-out) solution and reconciliation services. The changes also do not affect the speed of transaction processing, which means some transactions will still fail to settle, unless the PISP utilizes instant payment capabilities and intra-bank accounts. Currently, these benefits are only available from full-service PISPs.
While some believe that a PSD3 is inevitable if the industry wants to keep up with changing technology and market entrants, there’s a lot to be said for market-led change. While regulation has its place and has certainly achieved great advances, it can sometimes stifle and delay innovation.
For merchants and financial services providers who want to offer valuable and innovative services to their customers, it is important to work with Open Banking providers who go beyond the regulation itself. These are the providers who can enable a truly customer-centric approach and a more complete payments solution.