The Unintended Consequences of PSD2

Posted January 30, 2018


With PSD2 now officially in force, a new study finds 48 percent of major retailers in the UK have no idea what the directive is, let alone what it means to their business.

Titled “Unaware, Unprepared and Paralyzed: Retailer Readiness for PSD2,” the study was released just days before the Revised Payment Services Directive (PSD2) was formally adopted into the domestic laws of EU member states on January 13.

It’s unclear whether consumers are dialed in, either. A survey last summer, for instance, found that 89 percent of consumers in the EU have no idea what PSD2 means to them—and most don’t like what they’ve heard so far.

And that’s just for starters. As the businesses required to comply with the directive are about to find out, there are still plenty of other surprises ahead.

The Start of Something (Really) Big

PSD2 is designed to usher in a new era of “open banking” that tilts the center of gravity away from traditional banks and toward emerging fintechs and other third parties.

First proposed by the European Banking Authority (EBA) in 2015, the directive mandates that banks must now grant third parties—rivals, retailers, even the likes of Facebook and Google—access to the banks’ own account data via open APIs whenever a customer authorizes it in order to receive offers or to make a purchase. Banks must also securely authenticate these transactions.

That means, for the first time ever, a peer-to-peer lender such as Twino, or a mobile-first challenger bank such as N26, can now offer customers of, say, Barclays or Deutsche Bank the best loan possible based on their personal, real-time financial picture.

Twitter users could soon be tweeting funds to good causes, retailers or each other. And all eyes are on the likes of Amazon and Alibaba, with many wondering how long it will be before one or both decide to disrupt yet more industries.

Putting Consumers in Control

However things play out, consumers stand to win big. One of the first changes they’ll see: an end to extra fees for online payments made via credit card or bank transfer. But that’s just for starters.

Longer term, they’ll benefit from an expanding universe of better solutions and offers. They also gain more control over financial transactions through strong customer authentication (SCA) for digital transactions they initiate.

Each transaction will include a one-time password (OTP) that locks the amount of a transaction to the designated beneficiary to ensure hackers can’t re-use that information for another transaction. And for lower-cost and recurring transactions, risk-based authentication (RBA) is allowed, so long as payment service providers have mechanisms in place to prevent fraud.
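The amount-and-beneficiary binding described above can be sketched as follows. This is an added example, not code from the original post or from any PSD2 specification: the HMAC-SHA256 construction, the 8-digit truncation and the names `auth_code` and `Verifier` are assumptions chosen for illustration, and the key and IBANs are constructed sample values.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def _canonical(amount, currency, payee, nonce):
    # Length-prefix each field so adjacent values cannot be shifted between fields.
    fields = [f"{Decimal(amount):.2f}", currency.upper(),
              payee.replace(" ", "").upper(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def auth_code(key, amount, currency, payee, nonce):
    """8-digit code that is only valid for this exact amount, payee and challenge."""
    mac = hmac.new(key, _canonical(amount, currency, payee, nonce), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:8], 'big') % 10**8:08d}"


class Verifier:
    """Bank side (hypothetical): recompute the code from the payment as submitted."""

    def __init__(self, key):
        self._key = key
        self._pending = set()  # challenges issued and not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, code, amount, currency, payee, nonce):
        if nonce not in self._pending:
            return False  # unknown or already used challenge
        self._pending.discard(nonce)  # one attempt per challenge, pass or fail
        expected = auth_code(self._key, amount, currency, payee, nonce)
        return hmac.compare_digest(expected.encode(), str(code).encode())


# Constructed sample values, not real account data.
KEY = bytes(range(32))
PAYEE = "DE00 0000 0000 0000 0000 01"
OTHER_PAYEE = "DE00 0000 0000 0000 0000 02"

if __name__ == "__main__":
    bank = Verifier(KEY)
    n = bank.challenge()
    code = auth_code(KEY, "25.00", "EUR", PAYEE, n)
    print(bank.verify(code, "2500.00", "EUR", PAYEE, n))  # altered amount
```

Because the challenge is consumed on every attempt, a code captured in transit cannot be replayed and cannot be tested repeatedly against modified payment details.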

A Price to Pay

For all this opportunity, fintechs and other third parties will face unprecedented regulatory scrutiny. And incumbent retail banks? They could see losses of up to 40 percent.

Some stand to lose quite a bit more. A PwC survey of senior banking executives in 18 EU countries last month found that, while two-thirds anticipate PSD2 will affect all their banking operations, only 9 percent say their own banks are ready to implement it. Just 38 percent have even started assessing the impact.

Sure, BBVA, Fidor (along with Barclays and Deutsche Bank) and others have started streamlining operations and even partnering with fintechs to remain competitive in the age of open banking. But they may be the exception. Which means it’s rather fortunate none of this has to happen overnight.

Truth and Consequences

According to the EBA’s final Regulatory Technical Standards (RTS), systems do not need to be in place until 18 months after PSD2 is adopted by member nations. That places rollout sometime around September 2019.

Of course, none of this will be easy, and there’s no telling what unexpected consequences PSD2 will bring. Among just a few of the possibilities:

Getting ‘Amazoned’: We aren’t kidding about Amazon and Alibaba. Word’s out that Amazon is already investing in PSD2-related capabilities. That means banks, retailers and third-party players should accelerate implementation plans—or risk losing the game before it even gets started.

Clueless Consumers: Considering current awareness levels, you’d better plan on staffing up call centers to handle blocked payments and consumers frustrated with any payment friction.

Interoperability Nightmares: The RTS establishes standards for open banking, but is technology-agnostic about how businesses meet them. Each member state may have its own technical specifications, and every business’s systems must work with every other business’s.

Foot Dragging: Banks aren’t exactly enthusiastic about sharing data. Third-party competitors should expect incumbents to roll out their own next-gen services while slow-walking access.

Increased Fraud: We’re seeing increased account creation and takeover activity in the EU, indicating criminals may be getting into position for PSD2. Most authentication systems can verify whether a transaction originates from a valid customer account—but not whether the account itself is fraudulent. Organizations should deploy authentication solutions able to ferret that out.

New Threats: As cybercriminals prepare for PSD2, look for new forms of malware, man-in-the-middle attacks, API hacks and more. Also look for insider fraud at payment service providers—and even bogus providers ready to launder money from illegitimate transactions.

Game On

For all the handwringing, there are some encouraging signs. That same study on retailers finds that once PSD2 is explained to them, they’re eager to capitalize on it. In fact, 94 percent report they would like to reduce fees, and 74 percent want to reduce the impact of fraud.

Ditto for consumers. In December, PwC’s survey found that once explained, two-thirds of consumers in Germany say they’re open to PSD2—rising to 86 percent for those under 30.

Which is all good news. Because with PSD2 now written into national laws, the race to regulatory compliance—and conquering industries—is officially on.

To learn more about the unintended consequences of PSD2, download our exclusive white paper—PSD2: Revolutionizing the Payments Landscape.

ThreatMetrix Team
