PSD2 Goes into Force: What Challenges Lay Ahead?
Posted January 11, 2018
It’s January 2018—do you know where your PSD2 implementation is?
You’d better. Your fraud prevention efforts may be riding on it. Then again, so might your company’s future. This Saturday, January 13 marks the formal deadline for the Revised Payment Services Directive 2 (PSD2) to be adopted into the domestic laws and regulations of each of the EU’s 28 member states.
While it looks as if Germany, France, Denmark and the UK may be the only countries to make the deadline, most others have draft legislation in place and won’t be far behind. After that, the only thing that changes is, well, everything.
Open Banking Starts Now
PSD2 brings banks, fintechs and other third-party payments providers under the same regulatory umbrella—and may be the most disruptive payments law ever devised.
Its goal is to make electronic payments far more simple, transparent and secure, while spurring a whole new level of innovation and competition in an increasingly mobile-first world.
For the first time ever, banks will be required to open their payment account data to third parties through APIs, and securely authenticate all account access and payment authorizations made through them. And fintechs and other payments providers will now face new regulatory scrutiny they’ve never had before.
With bank customer account information now available to them, third-party players—including big names such as Facebook, Amazon and Google—will now be allowed to deliver a host of new services to consumers. As Wired puts it, the next time you want to send a tenner to a friend on Facebook, it could be as easy as typing “+€10” via Messenger. One day soon, Amazon might send you the best mortgage, car loan or insurance policy based on your real-time finances—further disrupting, or giving rise to, new industries.
In the near term, banks are expected to lose up to 43 percent of payment-based revenue by 2020. But many are rising to the challenge—streamlining internal operations and working with fintech partners to roll out exciting new services designed to leverage their own considerable brand equity and reach.
But the biggest challenges for banks and payment players won’t be inventive new services. It’ll be the security behind them.
Now for the Hard Part
The European Banking Authority (EBA) isn’t set on who should win in this new era, other than today’s consumers who demand fast, frictionless and secure transactions. But the EBA is relentlessly clear about who should lose – cybercriminals.
With that in mind, the directive’s regulatory technical standards (RTS) call for, among other things:
- Strong customer authentication (SCA) for all electronic payments initiated by the payer (such as card payments and credit transfers) unless the payment qualifies as low risk
- Exemptions for SCA using risk-based authentication (RBA), so long as payment service providers (PSPs) have mechanisms that are in place to detect and prevent fraud
- The use of a one-time password (OTP) linking the amount of a transaction to the beneficiary in online payments to ensure a fraudster cannot be reuse payment info to initiate a new transaction
The good news is that, under the RTS, these security provisions do not take effect when PSD2 is adopted into member states’ laws beginning this Saturday. Instead, they go into effect roughly 18 months later—setting the countdown clock to sometime around September 2019.
The curveball is that these standards are tech-agnostic, which means each member state can implement them in its own way.
What It Means to You
The higher level of security mandated by PSD2 will require banks and businesses to adapt their systems and business models accordingly. Key considerations include:
Fraud vs. Risk
Implementation of SCA can create friction and affect customer experience if it’s applied in every transaction. RBA is allowed for certain low-risk transactions. PSPs can also apply it more broadly if they’re able to demonstrate low fraud rates. While acceptable thresholds are aggressive, PSPs will benefit significantly from deploying a combination of SCA and RBA to prevent fraud while delivering exceptional, low-friction services.
The New Risks Created by PSD2
While PSD2 is designed to enhance the overall security of digital transactions, it could also increase the risk of specific kinds of fraud, including account takeover through stolen credentials, malware targeting new apps, API hacking and more. During the past year, there has been an increase in botnet activity around account testing. It’s possible these accounts are being primed for fraudulent transactions once PSD2 is in place. Businesses should plan to enhance call center operations to handle increases in blocked payments, as well as for the impact of automated monitoring systems that are not property calibrated to new payment schemes.
Domestic Alone Won’t Do
Because the RTS does not mandate specific technologies required to meet new standards within each member state, businesses will need to ensure their systems are able to operate seamlessly for both domestic transactions and throughout the EU and beyond.
The Final Countdown
Getting from here to PSD2 compliance won’t be a breeze. And the considerations above are just the tip of the iceberg.
Organizations will be well served to find partners that can help them meet RTS security requirements without heavy infrastructure costs or the need for additional systems or staff. And they’d better step on it.
As of Saturday, the deadline for compliance is roughly 19 short months away.
To learn more about what PSD2’s new phase means to your business, download our exclusive white paper – PSD2: Revolutionizing the Payments Landscape.