First published by Thomson Reuters during December 2017
The payments market is changing rapidly, driven by three main factors, with many of the old certainties being shaken up.
Firstly, there is a strong commercial and entrepreneurial interest in payments, where making payments is increasingly seen as a critical touchpoint for building customer engagement. This is leading to high levels of innovation in payment services, based on new business models and technology; examples include smartphone card payments, embedded payments inside popular smartphone apps, and depositing cheques using a digital image.
Secondly, the take-up of new electronic payment services has been accompanied by a significant rise in payments-related fraud, which has distressing and life-changing impacts on the victims.
Thirdly, linked to the above, is the active regulatory agenda in the UK and EU aiming to provide great payment services for all types of customer, enable innovation and competition in payments services and underlying payments infrastructures, and ensure customers and societies are protected from fraud. PSD2, the EU’s second Payment Services Directive, published by the EU on 23rd December 2015 and coming into force on 13 January 2018, is a key component of this.
With these factors driving the payments market, how should affected organisations be preparing for the PSD2-world from January?
Amid the operational preparations for PSD2, it is valuable to keep aware of the wider agenda that is playing through, and the reasons behind the regulators’ actions. While you are ensuring compliance, are you also thinking strategically about the commercial opportunities or challenges that PSD2 brings, and the impacts these could have on customers’ engagement with your business?
The aspirations for the directive
PSD2 updates and builds on rules put in place by the original Payment Services Directive in 2007; its overarching aims are to:
- Enable a more integrated and efficient European payments market
- Increase competition between payment service providers: incumbents, challengers and new entrants
- Make payments safer and more secure
- Improve consumer protection
- Deliver lower prices for payments
Here, we focus on two of these: increasing competition between payment service providers and making payments safer and more secure.
Enhancing competition between payment service providers (PSPs) is a fundamental aim of PSD2, allowing consumers and businesses to benefit from better choice of payment services and providers. PSD2 includes two types of ‘third-party’ providers which were previously not regulated, Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), and sets out requirements for how these parties can access payment accounts. PSD2 also introduces the term ‘Account Servicing Payment Service Provider’ (ASPSP) for payment account providers (such as existing current account providers), and stipulates that account providers must grant functionality to PISPs and AISPs at a level not less than that which they already provide to their online customers. The regulation also explicitly addresses issues which may arise around confidentiality, liability or security of such transactions: the initial reparation to the customer is due from the account provider, which is expected, in turn, to obtain reparation from the third-party provider.
Firms should be assessing the opportunities and threats to their businesses in a world of third-party payment initiation and access to data. They should be considering the high importance of their engagement with customers through their day-to-day usage of payment services.
In a number of EU states, new PISP-type players have emerged in recent years to offer e-commerce payment services (e.g. for online shopping or bookings) without the need for a credit or debit card. These services trigger the payment to leave directly from the customer’s online banking provider (ASPSP) to the merchant. Meanwhile the AISP model will, for example, enable third-party providers to gather transaction information from a customer’s main account that enables them to construct targeted product offers. In the jargon, the regulator is enabling new types of provider to offer payment services ‘over the top of’, or ‘as an overlay to’, existing account providers’ infrastructure platforms.
Until PSD2, Open Banking and other regulatory developments, incumbent providers have drawn competitive strength from integrating account platform infrastructure, customer data, and end-user payment services. This new world is creating separate layers for infrastructure and customer-facing services, enabled by more open access to customer data. Strength in front-line service provision will be much less dependent on strength in infrastructure platforms. Firms therefore need to plan how they will compete successfully in each layer independently, and be prepared for increased competition, from established and new players, providing great payments services, driven by smart use of customer data.
Making payments safer
Regulators are very concerned with the fraud and financial crime threat linked to take-up of electronic payments. Many payments fraud issues relate to the misuse of identity, such as a payment card used by someone other than the card holder (FFA-UK reports that remote purchase fraud losses in 2016 on UK-issued cards were £432m).
On 27th November the EU confirmed its proposals to tighten the processes used to authenticate users of electronic payments. There are exemptions available, but in the main, transactions over 30 euros, online e-commerce payments, and logging into and paying via an online banking service will all require Strong Customer Authentication. These requirements reintroduce multi-factor authentication for remote payments, and mandate how these factors should be handled during the transaction process. This work also sets out requirements for secure communication links between payments providers.
Firms need to develop improved approaches to payments security in line with PSD2 (and the UK’s Payments Strategy Forum initiatives) which can bring direct commercial benefits: improved confidence and take-up of services by ‘good’ customers, more effective prevention of ‘bad actors’ and the losses for victims, and reduced operational costs and fraud losses for the payments provider itself. Secure payments also achieve societal benefit in tackling organised crime and terrorist financing.
In other areas, PSD2 requires improved consumer protection and conduct of business, for example:
- For PSPs to handle payments-related customer complaints within 15 business days as standard
- For PSPs to provide more, and clearer, information to the payer or payee relating to transaction charges and timings, and encompassing transactions into or out of the EU/EEA
These areas need close operational attention and reviews of product terms and conditions.
PSD2 doesn’t exist in isolation
While focusing on PSD2 here, it’s important to set out three other regulatory and industry initiatives that are prominent in changing the UK’s payments landscape.
The Open Banking initiative aligns closely with PSD2, requiring account providers to enable third-party providers to access customer data held by the account provider via technical system interfaces and with the customer’s explicit consent. This will enable the third-party, possibly an established brand or new-to-market ‘fintech’, to build targeted customer propositions. There is an aligned approach between the implementation of PSD2 and Open Banking in the UK – and a shared guiding principle for both is that a customer’s data held by an account provider belongs to the customer, and not to the account provider.
Also running in parallel is the General Data Protection Regulation (GDPR) initiative, setting out strengthened rules and requirements for the usage, privacy and security of customer data, including payments data. The interplay between GDPR, Open Banking and PSD2 requires careful consideration. There are higher fines possible under GDPR (up to 4% of turnover) and its scope extends to data processors as well as data controllers. Where processors are outsourced suppliers, the client firm retains liability for how data are used.
The UK’s Payments Strategy Forum is an industry strategy for collaboration in the provision of payments, overseen by the Payment Systems Regulator. This addresses separate issues to PSD2, but is driven by the same regulatory objectives to promote innovation and competition, to tackle fraud and financial crime, and to deliver payment services that better meet consumer needs.
An important strategic opportunity
So even from a helicopter view of the PSD2 landscape, there are huge changes giving rise to important concerns for senior executives. Firstly, there is a regulatory compliance programme that should be completed by now; the scope of compliance requirements has been significantly enhanced. But going beyond that, PSD2, alongside other regulations, is fundamentally re-shaping the playing field for payments, such that positions of strength in recent years may no longer apply. Overall, firms need to view PSD2 first and foremost as a strategic challenge, and must consider closely the importance of retaining customer engagement with their brand through payment services.
To close, think of how smartphone apps and services started to proliferate 8-10 years ago once Apple and Android established device platforms that opened the services-layer (apps) to third-party developers. The changes driven by PSD2 and Open Banking are creating similarly open conditions, enabling vibrant competition in payment services independent of who controls the current-account and payments platforms.