PSD2 will take two years to transpose into national law in each member state. This gives businesses some time to digest and plan around the 100 or so pages of dense legislation that make up the Directive.
This new Directive is not simply an update of the previous version. While the new rules aim to cut the cost of paying bills, they also attempt to make online payments safer by clearly outlining liability and authentication rules, as well as creating more competition in the market. This article aims to summarise the key changes and effects of PSD2, which will impact corporates more directly.
- Access to Bank Accounts
The first directive created a new legal framework for payments, and PSD2 is an extension of that. However, this time it is creating a new market in which both corporates and consumers can control their bank accounts using ‘third party providers’. This means that business customers will be able to use organisations – such as those that provide their business and mobile applications – to access, for example, account information or initiate payments.
This means that if the service a business currently uses fails to meet its specific banking needs, it has the option of using a third party that will be able to meet those requirements, and even offer a better service.
For example, if businesses give permission to third party providers (referred to as payment initiation service providers in PSD2) to integrate with, say, their enterprise resource planning (ERP) or payroll system, they may find they are able to initiate payments in a much more effective manner. Essentially, this creates more competition, and ultimately both businesses and consumers can benefit.
Under the new rules of PSD2 some liability will now lie with the payment initiation service provider, who will need to insure themselves in case anything goes wrong. While this is undoubtedly a good thing, it comes with a price: these providers will no longer offer their services for free.
There’s a second advantage for businesses in terms of access to accounts: PSD2 has also created another new category, the account information service provider. This allows third parties to go into a business’ bank account; analyse the information, such as statements; provide a benchmark to help the business understand its current position; and enable it to see whether it can make improvements.
- Security and authentication
The payments market is more open now than ever before, especially as third parties now sit between the bank and its users. This raises questions around the issue of security.
Both consumers and businesses need to feel reassured that their data and their systems are protected. They want to rest safe in the knowledge that their information is only being accessed by those who should have access to it. PSD2 aims to tackle this: each payment initiation service provider is now required to have strong customer authentication processes in place, whether they are the main service providers or one of the new third party providers. This means establishing:
- Something you know, such as a password or username.
- Something you have, such as a token.
- Something you are, such as biometric authentication.
PSD2 also states that for authentication to be seen as ‘strong’, it must not be replicable. This is to ensure that fraudsters who simply replay authentication data will not get a successful payment.
This is a positive move for everyone involved in the payments process: for the first time, common standards will be established on how a bank knows who its customer is.
Some of the authentication processes have yet to be finalised. For example, the industry is eagerly awaiting news on exactly what form the biometric verification will take, whether tokens will be used and whether they’ll be available on a single device.
- Changes to scope – what’s in and what’s out?
Finally, there are two key changes to bear in mind.
When the first directive was published in December 2007, it was unclear whether payments and receivables ‘on behalf of’ (POBO/ROBO) were covered under the laws.
PSD2 addresses this and makes it very clear. Things are likely to become even more transparent as time goes on and the legislation is implemented further. This means that all providers will know exactly where they stand.
Furthermore, PSD2 now covers ‘one leg in’ and ‘one leg out’ transactions: these are payments that either start in Europe and end elsewhere, or start elsewhere and end in Europe. It also covers all currencies, not just member state currencies.
There are also a number of technical changes included in PSD2, which clarify how these payments should be directed. This includes giving member states more control over how account identifiers, such as bank codes and account numbers, are used.
While this article aims to summarise some of the key changes to bear in mind, there is a significant amount of information to take on board. There is, of course, some time yet before any changes actually filter down to national and business level, but it makes sense to start considering them sooner rather than later. Ultimately, it means improvements for all payments users.