On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.
The Payment Services Directive Two - or PSD2 - is one the most radical pieces of legislation aimed at the payments industry and the banking sector to see the light of day since the aftermath of the global financial crisis.
To the surprise of a great many Europeans, who used to believe that the EU system was far too bureaucratic to ever take the lead on innovation, the PSD2 turned out to be disruptive in a way a bank would otherwise only expect from some of the most innovative fintech start-ups.
Obviously, the new directive, conceived by the European Commission and adopted by the European Parliament and the Council of The European Union, did not come out of thin air. PSD2 is an enhancement and further development of PSD1, which was adopted by the EU in 2007. The Commissioner of Competition, Margrethe Vestager, said in a press release at 8 October 2015:
"We have already used EU competition rules to ensure that new and innovative players can compete for digital payment services alongside banks and other traditional providers. Today's vote by the Parliament builds on this by providing a legislative framework to facilitate the entry of such new players and ensure they provide secure and efficient payment services. The new Directive will greatly benefit European consumers by making it easier to shop online and enabling new services to enter the market to manage their bank accounts, for example to keep track of their spending on different accounts."
There are several new articles in the PSD2 concerning strong customer authentication (article 97, article 98, and article 74 paragraph 2), liability (article 74), fees and a general ban of surcharge (article 62 paragraph 4). However, the single most important part of the new directive and the main reason for the huge attention that it attracts, is the introduction of new roles in the ecosystem: Payment Initiation Services Providers (PISP) and Account Information Service Providers (AISP). Both roles are open for current and new player in the fintech ecosystem and – this is the single biggest news – the banks will be required to support these new service providers if the banks' customers want to grant access to their (payment) accounts as described in the directive's Article 66 and Article 67. This new practice is commonly referred to as "Access to Account" or XS2A.
From PSD1 to PSD2
A successful realization of The Single Market Strategy has for many years been one of the most important overall goals of the European Commission and the European Union as such. The strategy has been divided into separate sub-strategies for the Single Market for Goods, the Single Market for Services, and the Digital Single Market.
Legal platform for SEPA
As part of the latter the Single Market strategy for Payments materialized for the first time in 2007 in the form of the first Payment Services Directive or PSD (Directive 2007/64/EF) that became law in November 2009 and - among other things - provided "the necessary legal platform for the Single Euro Payments Area" or SEPA.
The idea behind SEPA was not at all new in 2007. In fact, it was already part of the Lisbon Agenda launched in 2000, and later that year the Commissioner for Internal Market, Frits Bolkestein, stated that:
"There is a clear need for a change. [...] The Commission's political objective is exactly that: a modern Single Payment Area for the entire EU where there is no frontier effect for cross-border payments."
Cost reduction of up to 28 billion Euro
In a later speech Bolkenstein said that "A Single Payments Area will mean lower costs for payments, an end to unnecessary delays and much greater certainty over security and legal responsibility." Furthermore, he underlined that a Single Payment Area would also be "crucial for the competitiveness of the EU economy." And the creation of a stronger competitiveness was exactly one of the main reasons for the launch of the first Payment Service Directive – PSD1.
In December 2007, the EU Commission stated its ambition of generating a reduction in costs of up to 28 billion Euro a year thanks to the new directive:
"Currently each Member State has its own rules on payments, and the annual cost of making payments through these fragmented systems is as much as 2-3% of GDP. Payment service providers are effectively blocked from competing and offering their services throughout the EU. Removal of these barriers could save the EU economy €28 billion per year overall."
These significant economic benefits and synergies of this type of European consolidation pave the way for new pan-European legislation.
PSD2 - the most important news
The PSD2 (Directive 2015/2366/EU) starts out with 113 introductory recitals setting the scene and explaining the reasoning to the new directive.
The main reason for updating PSD1 was the immense development and growth within the retail payment market and the relating digital technologies – such as mobile payments - since the first directive in 2007. The developments "have given rise to significant challenges from a regulatory perspective. Significant areas of the payments market, in particular card, internet and mobile payments, remain fragmented along national borders."
This fragmentation combined with the rapid technological advancement (resulting in many new products and solutions which fall outside the scope of the old directive) had, according to the EU Commission, resulted in "legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas."
The Commission's conclusion was that the PSD1 framework was no longer adequate and an update was necessary to take the next steps towards full integration across the EU:
"The continued development of an integrated internal market for safe electronic payments is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit fully from the internal market."
The final draft of the RTSs for SCA from EBA can be found here.
Access to Account (XS2A)
The one most talked about, and most important innovation in the new directive is that banks are required to provide access to payment accounts for Third Party Providers (TPPs) – of course on the condition that the TPP has received a permission from the bank customers to whom the accounts belong. This new requirement is stated in the directives' Article 66 for Payment Initiation Services (PIS) and Article 67 for Account Information Services (AIS):
"Article 66. Rules on access to payment account in the case of payment initiation services. 1. Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I."
"Article 67: Rules on access to and use of payment account information in the case of account information services. 1. Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I."
Disrupted by the EU
The two XS2A articles, written and proposed by the European Commission and adopted by the European Parliament and the Council of The European Union, are nothing less than ground breaking in their perspective and potential impact on the entire European financial sector.
Strategy vs Compliance
As this diagram from Norfico shows PSD2 is unique in the sense that it represents both a strategic and an operational importance at the same time. This is also challenging for many organisations as the compliance teams and the strategy teams are often unfamiliar with working together.
Concern among bankers
The access to account requirement is disruptive in several ways. It imposes both operational risks and costs on the banks since they have the responsibility to find secure and efficient ways to provide access for the potentially huge number of very diverse TPPs.
Furthermore, as the banks continue to have the liability for all transactions – also those initiated by a TPP. At the same time, the banks must give the TPPs access to the bank customers' accounts. The TPPs can include both the most innovative fintechs of the world as well as the global tech giants. All of this means that banks face the risk of losing money as well as the risk of losing the direct relationship with their customers and thereby risk being reduced to a role as basic infrastructure provider.
Seen from this perspective it comes as no surprise that 88 % of all bank senior executives in a survey conducted by PwC in 2016 expressed their concerns about the possible direct consequences of these new requirements for the European banking industry.
Despite these reasons for concern PSD2 primarily represents a unique strategic opportunity for the banks, if only they have the courage and the innovative power to seize and unfold it.
Although the typical TPP will most often be a fintech company providing a dedicated online payment solution, banks can become TPPs too and tap into competing banks' accounts in case they want to launch payments solutions themselves (as a PISP) or launch information/data aggregating services in the role of an AISP.
It is not only in the consumer-facing services that the opportunities lie – the banks also have the option of offering the TPPs services beyond those stipulated by the PSD2. These premium services could for instance include real-time account information access for AISPs.
These new opportunities for banks are key reasons why the access to account requirements might be in favour of the creative and forward thinking banks. But more than this, the PSD2 requirements might animate the banks to start using open APIs (although there is no obligation in the directive for the banks to do so) and gather initial experiences with the concept of Open Banking.
In conclusion, PSD2 points in the direction of Open Banking and is likely to inspire banks to innovate faster than they otherwise would and keep the bank account in the center for this innovation. We will come back to this important point later in this white paper, but first we will narrow our focus from Europe to the Nordics.
- Business Insights