Do you remember the introduction of the Single Euro Payments Area (SEPA), about five years ago? SEPA is the initiative of the European Union and joint European banks to harmonize euro payments within Europe. The main goal was to establish a single set of tools and standards that have made cross-border payments in the Eurozone as easy as national payments.
Like the PSD2 today, SEPA had to be implemented on a pan-European basis and required several adjustments to the processes and infrastructures of finance stakeholders. However, there are also major differences between the implementation of both standards: from the start, the European Payment Council (EPC) established a clear SEPA framework with which all financial institutions had to comply. The European Banking Authority (EBA) used a different method. The regulator did not formulate the technical criteria regarding the Regulatory Technical Standards (RTS) relating to the PSD2 too specifically. In retrospect, I do not think this was a wise decision.
The EBA chose this method to ensure that the requirements are flexible enough to adequately tackle both current and future security issues while maintaining user-friendliness. This way there was room for innovation, said regulators. In practice, however, this led to a degree of uncertainty regarding the interpretation of the RTS. That is why the RTS regulations were interpreted differently in each European country.
This has led to an organized chaos, as a result of which a large number of issuers, acquirers and merchants are currently not compliant with the SCA (Strong Customer Authentication) regulations, less than two months before the deadline. SCA provides an extra layer of security for customers. That is why finance stakeholders want to extend the deadline via a grace period.
The current situation has not contributed to a positive image of the PSD2 and SCA. At this moment, merchants expect banks to strictly apply the new rules. They fear that transactions will become unnecessarily difficult, which will lead to friction in the online payment process. Consumers will be more likely to leave the digital shopping basket without paying. As a result, the number of cart abandonments could increase, and sales could fall.
You could say there are already some lessons to be learned from the way the PSD2 is being introduced. Of course, it is not always easy to implement standards in 28 European countries, with more than 500 million users, 5,000 banks and 25 million merchants. Europe is diverse; we are not a single platform, which has an aligned global infrastructure. Next time, however, it would be sensible to present a framework with minimum requirements, a protocol and also maybe more interactions with industrials from the beginning of the process.
There might also be a need for better coordination between different stakeholders: in recent years, the European finance industry has undergone many changes due to the GDPR, the PSD2 and other security requirements. This is too many deadlines in a timeframe of no more than three to four years.
We tend to forget what the PSD2 has already brought us. Five years ago, nobody in the banking world knew what APIs were, while today everyone is wearing ‘technical glasses’. The mindset in the finance world has completely changed, so that we, the European finance market, will soon be able to compete with large bigtechs with their future-proof infrastructure.
With the PSD2, we are laying the basis on which we can build finance solutions that are scalable. Without introducing API technology to our legacy systems it was impossible to prepare for the future. The PSD2 is a necessary step towards a new era of payments. The implementation may be difficult now, but we must not forget that this will soon provide all Europeans with a method with which customers can authenticate themselves and have access to new, more secure and user-friendly payment services in many countries. We must not lose sight of these benefits.