At a high level, the aim of the PSD2 is to secure the flow of payment data, modernizing the original (2009) Payment Services Directive. The PSD created the legal foundation for the Single European Payments Area (SEPA) and provided Europe-wide consumer protection rights and obligations for Payment Initiators (IPs) and banks. Until the introduction of PSD2, the PSD was the foundation of all European laws related to payments. As economies became more digital, payment habits shifted and new players entered the payments ecosystem. The EU recognized that a revised law was needed to improve competition, increase payment security, and protect users.
The PSD2 also defines new categories of market players. For example, the label Account Servicing Payment Service Provider (ASPSP) is given to deposit-taking institutions that hold consumer or business accounts. The PSD2 also subdivides the previous third-party provider (TPP) label into Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP). Under the regulation, AISPs can offer end users an aggregated view of multiple payment accounts in one place, with the goal of helping end users better manage their various accounts. PISPs enable consumers to make transfers by providing a bridge between a user’s bank account and a merchant’s (or another user’s) account.
Regulatory Technical Standards (RTS)
One of the most important provisions of the PSD2 is the introduction of the Regulatory Technical Standards (RTS), which provide a framework and rules for standardizing bank information interfaces, customer authentication, and secure communication. The RTS’s draft phase was extended due to vocal industry criticism, and the final RTS was published only after PSD2 itself had taken effect, resulting in slow or delayed implementation. Without any technical instructions or standardization, various groups set about creating their own standards, resulting in a fragmented market. This will be discussed in more detail later on.
The RTS provides specific technical frameworks for access to accounts (XS2A), strong customer authentication (SCA), and common and secure open standards of communication (CSC). The XS2A provision requires banks to “open” access to customer data to authorized payment institutions. SCA specifies customer authentication requirements for electronic payments: a payment service provider (PSP) must use at least two of three authentication factors, each corresponding to a different category, namely something only the user knows (such as a code or PIN), something only the user possesses (a debit card or mobile phone), or something inherent to the user (biometrics). CSC states that an ASPSP must provide a secure communication channel through which a TPP (either an AISP or a PISP) can access customer data. This is normally done through an Application Programming Interface (API), with the practice of accessing a customer’s online banking interface, known as “screen scraping”, as a fallback if the API does not work.
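The SCA rule above is easy to get subtly wrong in an authentication service: two factors that both fall in the same category (a password and a security question are both “knowledge”) do not satisfy it, and a factor that was presented but never actually verified must not count. The following is an added illustration, not code from the article or from any PSD2 implementation; the `Factor`, `Evidence` and `meets_sca` names and the sample login attempts are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the RTS."""
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (card, phone)
    INHERENCE = "inherence"    # something the user is (biometrics)


@dataclass(frozen=True)
class Evidence:
    """One authentication step performed during a login or payment (constructed type)."""
    name: str
    category: Factor
    verified: bool  # True only if the server actually checked this factor


def verified_categories(evidence: list[Evidence]) -> set[Factor]:
    """Distinct factor categories among the steps that were really verified."""
    return {e.category for e in evidence if e.verified}


def meets_sca(evidence: list[Evidence]) -> bool:
    """SCA requires at least two *different* categories, not two factors.

    Counting a set of categories (rather than a list of steps) is what makes
    password + security question fail: both collapse into KNOWLEDGE.
    """
    return len(verified_categories(evidence)) >= 2


def missing_for_sca(evidence: list[Evidence]) -> set[Factor]:
    """Categories that could still be requested to reach a compliant step-up."""
    if meets_sca(evidence):
        return set()
    return set(Factor) - verified_categories(evidence)


# Constructed sample attempts, as a policy engine would see them.
CARD_AND_PIN = [
    Evidence("chip card present", Factor.POSSESSION, verified=True),
    Evidence("PIN", Factor.KNOWLEDGE, verified=True),
]
TWO_SECRETS = [
    Evidence("password", Factor.KNOWLEDGE, verified=True),
    Evidence("security question", Factor.KNOWLEDGE, verified=True),
]
UNVERIFIED_BIOMETRIC = [
    Evidence("password", Factor.KNOWLEDGE, verified=True),
    Evidence("fingerprint", Factor.INHERENCE, verified=False),  # sensor reported, never checked
]

if __name__ == "__main__":
    for label, attempt in [("card+PIN", CARD_AND_PIN),
                           ("two secrets", TWO_SECRETS),
                           ("unverified biometric", UNVERIFIED_BIOMETRIC)]:
        print(f"{label:22s} SCA={meets_sca(attempt)} missing={missing_for_sca(attempt)}")
```

The point a reviewer should look for in a real implementation is the same as in `meets_sca`: the decision is made on the set of distinct, server-verified categories, never on a count of prompts shown to the user.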
Prediction 1: PSD2 will lead to an innovation explosion
One of the main reasons for the introduction of the PSD2 was to facilitate innovation within the financial services sector. This was to be accomplished by mandating that banks share customer data under the PSD2’s access-to-account provision (XS2A). The European Commission concluded that if software developers had better access to data, they could build and offer new services faster than through traditional means. Access to customer data can occur via open-source foundations on which developers create new products and services, or through bank-led applications. By giving TPPs access to data and improving the flow of information, it was predicted that a wave of innovation and collaboration between TPPs and financial institutions (FIs) would follow.
“Open access to bank accounts has the potential to lead to an explosion of innovation, competition and new services. New revenue streams will evolve and the banks themselves could even be one of the main beneficiaries from this dynamic environment – if they position themselves in a timely and proactive manner.”
Executive at equensWorldline