A Brave New PSD2 World
Posted April 27, 2017
Financial institutions are starting to wrap their heads around the details of the final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), as well as come to the realization that the deadline for compliance is just 19 months away.
Established banks, emerging fintechs and others are just beginning to understand what these new regulations mean for them and how they must prepare for the challenges and opportunities that lie ahead.
Amazing New Era or Apocalypse Now?
In response to antiquated technology infrastructures that leave far too many banks and their customers susceptible to cyber-attacks, PSD2 is designed to establish new requirements aimed at dramatically enhancing security, transparency, innovation, and competition.
The game changer in all of this is the requirement of banks to modernize their systems, open their payment account data to third parties through APIs, and securely authenticate all account access and payment authorizations made through them.
According to the European Banking Authority (EBA), the idea is to make payments simpler and more secure, while spurring competition from providers offering innovative new services.
How this new era is viewed among those in the financial industry depends largely on who you are.
It’s no surprise if fintechs fall into the “amazing new era” camp. With bank customer account information thrown open to them for the first time, the opportunities may be boundless — whether it’s helping banks enhance their own offerings, or rolling out all sorts of new applications and services directly to consumers.
While it might be logical to assume that banks land decisively on the “Apocalypse” end of the scale, it’s a little more nuanced than that. Established financial institutions seem to be of three minds when it comes to PSD2, seeing it as:
- A largely unwelcome exercise in compliance
- A compliance issue with potential upsides to be identified at some point in the future
- An opportunity to transform the way they do business
However it is viewed within the industry, the final RTS will have tremendous business impact on all players.
The onus for authentication and payment authorization rests with the bank, the account-servicing payment service provider. Payment Initiation Service Providers (PISPs) have the right to rely on the authentication procedures provided by the bank unless there is some substantiated reason for the bank to object.
This authentication must be backed by real-time transaction monitoring for fraud detection and prevention. The final RTS requires SCA by default and exempts a set of lower-risk cases: unattended terminals such as parking meters and tollbooths, recurring payments of the same amount to the same payee after the first one, low-value payments within cumulative limits, and remote payments that pass the provider's transaction risk analysis, which is where risk-based authentication (RBA) comes in. Consumers may appreciate the added protection, and RBA has been reported to increase transaction volume by up to 4 percent for banks and merchants because fewer legitimate payments are abandoned at the authentication step. Banks will want SCA and RBA that introduce as little friction as possible.
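To make the exemption logic concrete, the following is an added example written for this page; it is not code from the original post, from the EBA, or from any bank. The euro thresholds and reference fraud rates are taken from the text of the EBA's final draft RTS (low-value payments up to EUR 30 with a cumulative cap of EUR 100 or five transactions since the last SCA; transaction risk analysis bands of EUR 100, 250 and 500 at 0.13, 0.06 and 0.01 percent fraud rates), which the post itself does not quote. Everything else (the `Transaction` fields, the `risk_signals` tuple, the way the PSP's fraud rate is supplied, the conservative reading that either low-value counter being exceeded triggers SCA) is a hypothetical design choice for illustration, not a compliance implementation.

```python
"""Simplified SCA exemption engine modelled on the exemption categories in the
EBA final draft RTS: unattended parking/transport terminals, recurring payments,
low-value payments, and transaction risk analysis (TRA). Illustrative only."""
from dataclasses import dataclass

# Thresholds as written in the EBA final draft RTS (February 2017).
# Verify against the regulation as finally adopted before relying on them.
LOW_VALUE_MAX = 30.00            # per-transaction cap for the low-value exemption
LOW_VALUE_CUMULATIVE_MAX = 100.00  # cumulative amount since the last SCA
LOW_VALUE_MAX_COUNT = 5          # consecutive exempt transactions since the last SCA
# (exemption ceiling, PSP reference fraud rate) for the TRA exemption
TRA_BANDS = [(100.00, 0.0013), (250.00, 0.0006), (500.00, 0.0001)]


@dataclass
class Transaction:
    """Hypothetical transaction record; the field set is an assumption."""
    payer_id: str
    payee_id: str
    amount: float
    remote: bool                      # remote electronic payment vs. at a terminal
    unattended_terminal: bool = False  # transport fare or parking terminal
    recurring: bool = False           # same amount, same payee series
    first_in_series: bool = False     # first payment of a recurring series
    risk_signals: tuple = ()          # e.g. ("new_device",); assumed to come from monitoring


@dataclass
class PayerState:
    """Per-payer counters for the low-value exemption, reset on every SCA."""
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0


class ScaPolicy:
    def __init__(self, psp_fraud_rate: float):
        # Rolling fraud rate of the PSP for remote payments; how it is
        # computed is out of scope here and supplied as a plain number.
        self.psp_fraud_rate = psp_fraud_rate
        self.state = {}

    def decide(self, tx: Transaction):
        """Return ("exempt", reason) or ("sca_required", reason)."""
        st = self.state.setdefault(tx.payer_id, PayerState())

        # Unattended terminals for transport fares and parking are exempt.
        if not tx.remote and tx.unattended_terminal:
            return ("exempt", "unattended_terminal")

        # Recurring series: SCA when the series is set up, exempt thereafter.
        if tx.recurring:
            if tx.first_in_series:
                return self._require(st, "recurring_first")
            return ("exempt", "recurring")

        # Low-value remote payments, bounded by cumulative amount and count.
        # Conservative reading: exceeding either counter forces SCA.
        if tx.remote and tx.amount <= LOW_VALUE_MAX:
            within_amount = st.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE_MAX
            within_count = st.count_since_sca + 1 <= LOW_VALUE_MAX_COUNT
            if within_amount and within_count:
                st.cumulative_since_sca += tx.amount
                st.count_since_sca += 1
                return ("exempt", "low_value")
            return self._require(st, "low_value_counter_exceeded")

        # Transaction risk analysis: only with no risk signals, and only while
        # the PSP's fraud rate stays under the reference rate for the band.
        if tx.remote and not tx.risk_signals:
            for ceiling, reference_rate in TRA_BANDS:
                if tx.amount <= ceiling and self.psp_fraud_rate <= reference_rate:
                    return ("exempt", f"tra_band_{int(ceiling)}")

        return self._require(st, "default")

    def _require(self, st: PayerState, reason: str):
        # Performing SCA resets the low-value counters for this payer.
        st.cumulative_since_sca = 0.0
        st.count_since_sca = 0
        return ("sca_required", reason)


if __name__ == "__main__":
    policy = ScaPolicy(psp_fraud_rate=0.0005)  # constructed sample rate
    print(policy.decide(Transaction("u1", "parking", 2.50, remote=False, unattended_terminal=True)))
    print(policy.decide(Transaction("u2", "shop", 200.00, remote=True)))
    print(policy.decide(Transaction("u2", "shop", 400.00, remote=True)))
```

The order of the checks matters: a payment that qualifies for a categorical exemption never reaches the risk analysis, so the PSP's fraud rate only affects the remote payments above the low-value cap. The last line of the sample run shows the trade-off the paragraph describes: at a 0.05 percent fraud rate the PSP can exempt payments up to EUR 250 but not up to EUR 500, so every fraud loss it absorbs directly shrinks the share of its traffic that can skip SCA.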
Given this specific role and the potential for disintermediation and customer loss, banks will need to leverage their reach and team with third-party providers (TPPs) to roll out new applications of their own. For most institutions, this will require a realignment of strategy, culture, skill sets and infrastructure.
This is also an opportunity for banks to build on existing margins by streamlining their internal processes through open infrastructures.
PSD2 will further accelerate innovation in the fintech sector by arming new entrants with the tools they need to offer compelling new apps and services.
However, all that open access comes at a cost. Largely unregulated until now, these providers will face far more regulatory scrutiny. For example, they will no longer be allowed to engage in screen scraping, which requires customers to hand over their online-banking credentials and lets the provider act indistinguishably from the customer, with no way for the bank to scope that access; it is also susceptible to man-in-the-middle attacks and other forms of fraud.
While customer account information is now open, access to it is narrowly defined. What is more, providers will potentially face market saturation, making it harder to gain a foothold.
To maximize the benefits of PSD2, providers will likely gravitate toward collaborating with more well-known and trusted banks, embracing “coopetition” if not full cooperation or even outright capitulation to partner mandates.
Payments and Commerce
For payment service providers (PSPs), the RTS is new territory. With authentication squarely in the banks' hands, PSPs must defer to them to complete transactions, and where complaints are raised against a PSP or retailer, the bank can decline the authentication altogether.
Merchants are allowed to maintain recurring (Card-on-File) charges to registered users, as well as payee-initiated payment methods, such as direct debit.
Cross-border payments are an area where PSPs may have dodged a bullet. Earlier drafts stipulated that both sides of a transaction use SCA; now, as long as the EU-based PSP applies it, the transaction can go through. The catch is that fraudulent transactions will still count against the PSP, and a rising fraud rate could lead banks to reject its future transactions.
Like Sand Through the Hourglass
It is worth noting that the RTS must still be adopted by the European Commission, so the standards may still be amended before final approval. Once adopted, they will become binding as early as November 2018.
As anyone undergoing a massive transformation effort will tell you, the days are long but the months are mercilessly short.
So, for those in the financial industry, it’s time to get started.