The opening weeks of 2017 provide a much-needed reminder for the European banking and payments industry as it enters the decisive laps for compliance with the European Union’s (EU) new Payment Services Directive (PSD2): if all goes well, transposition of PSD2 into national laws will happen on 13th January 2018.
Why PSD2 now?
November 2009 marked the incorporation of the original Payment Services Directive (PSD1) into national laws across Europe, to provide an EU-wide harmonised legal foundation for payments and make the single European payments market a reality. PSD1 was the first step towards encouraging enhanced competition (covering newer payments service providers (PSPs)), increased market transparency (streamlining the information flow between PSPs, consumers and other stakeholders), and standardised rights and obligations to strengthen consumer protection rights (such as for refunds) across the EU.
However, the payments industry has been continuously evolving, with the growing influence of digital forces combined with changing customer preferences. This is disrupting the entire banking scenario and has made value movement progressively more dynamic and embedded within the transaction across business-to-business (B2B), business-to-consumer (B2C), consumer-to-business (C2B) and consumer-to-consumer (C2C) payment spaces. Newer third party players (TPPs), like payments initiation service providers (PISPs) and account information service providers (AISPs) that extend payments-related services, have each taken advantage of these developments and are providing cheaper alternatives in the payments space. PSD2 was thus necessary to address all these developments, expanding on the existing PSD1 scope and accommodating newer payment services and players.
What is changing with PSD2?
PSD2 revolutionises the European payments and the overall banking landscape, with a robust regulatory framework addressing the ambiguity in the current PSD1 and also covering newer services:
- Ensuring access to consumers’ payments accounts held at credit institutions to all payments institutions is one of the key member state obligations mandated by PSD2.
- Robust legal backing for any TPP that provides a level playing field for PISPs and AISPs and removes barriers for their functioning.
- Robust security frameworks in terms of providing a security policy document and detailed procedure for security incident management along with contingency plans.
- Improving consumer rights with the extension of PSD transparency rules (information and cost details) for “one leg” transactions as well under PSD2.
- The consumer liability threshold has been reduced to €50 from the current €150 and €300 for a billing month, to limit financial risks, with related annual reporting by telecom operators to the respective competent authority.
- Continuation of the waiver regime defined in PSD, although PSD2 provides for an additional option to lower the threshold to align with local market needs.
- Extended limited network exemption from PSD, albeit they must either notify or consult with a competent authority once the value hits the pre-defined threshold.
- Revived complaint management mechanism overseen by competent authorities to ensure a written response to any complaint within 15 business days.
- PSD2 directs all PSPs to abide by the strong customer authentication (SCA) and common and secure communication (CSC) principles that will be mandated by the European Banking Authority (EBA) as part of the regulatory technical standards (RTS), which may come into force in the 18th month after adoption by the EU commission (probably by September 2018).
- RTS on passporting notification and related supervision, also provided by the EBA, may come into effect in the 18th month after adoption by the EU commission.
- Set up and maintenance of an electronic central register (ECR) by the EBA.
- Narrowing down on the exemption for telecom operators (like direct to telecom-bill purchases) as they will fall under the PSD2 ambit for purchase of physical goods and services. Any exclusions will be limited to the purchase of digital services (digital media content), electronic tickets and charity donations.
How will PSD2 impact?
PSD2 has a varied impact across the entire value chain, in one way or another, for all the stakeholders in the payments ecosystem:
- Business models: changes to PSPs’ business models based on the strategy adopted, which ranges from a compliance-only oriented approach to monetisation of TPPs’ requests, along with new services, to uptake of the TPP role.
- Operating structures: refinements to align with business model changes to strong customer authentication (SCA) and common and secure communication (CSC).
- Customer services: enhancements to the customer complaint management mechanism.
- Technical enablement: accommodation of TPP requirements and access to the customer’s payments account. Traditional players also have to glide through their legacy labyrinths.
- Current payments schemes: for example, adherence with the rules for “one-leg” transactions.
- Regulatory reporting: such as adhering to passporting notification.
This is a unique open race between traditional players – as well as TPPs – to reach a new level playing field that further encourages disintermediation of banking services. Thus PSD2 isn’t a mere compliance subject, but rather an opportunity for all stakeholders to devise a next generation digital strategy, complemented with collaborative and competitive constructs, and to make their value movement proposition more relevant for tomorrow’s market needs.
How can stakeholders get ready for PSD2?
TPPs, with their unique proposition that attacks a particular part of the value chain, are eagerly awaiting the transposition of PSD2 to the national legal system to explore the respective roles of PISP and AISP. Traditional players, however, have a different story to tell. Burdened with legacy infrastructure and rigid operations models, they are adopting varied approaches towards PSD2. A few of the banks are tuning their digital transformation and modernisation journey to accommodate the PSD2 requirements and look beyond compliance. However, there are many who are yet to embrace digital infrastructure and who are grappling with PSD2 compliance concerns.
With the compliance timeline fast approaching, traditional players need to get their act together. This requires a comprehensive PSD2 plan that quickly takes the banks to the compliance milestone through regulatory tools and accelerators. This plan should also augment the future growth strategy for the bank.
Banks can expand their scope of services across collaborative constructs with broader payments services. That would mean exploring monetisation opportunities from TPP requests, along with allied services, or even taking up the role of a TPP to expand their collaborative and competitive constructs and evolve as digital platform players with services beyond traditional banking.
Traditional players require a more holistic and pragmatic approach towards PSD2, right from strategy definition to a design, delivery and execution framework to operations and customer support services. Among the key aspects are:
- PSD2-based contextualisation of the bank’s payments strategy to elaborate its overall collaborative and competitive construct. This should focus on the payments proposition, newer products/services and reviving existing products/services.
- Assessment of the current business model and charting out the changes needed with a transformation plan to incorporate a PSD2-oriented payments strategy.
- The complexity of a bank’s legacy infrastructure is one of the key impediments to enabling the PSD2-based transformational changes. This will require an apt utilisation of micro-services-based middleware and wrapper solutions that can circumvent legacy limitations.
- The next key milestone would be to chart out targeted technical designs and solutions that will aid in realizing the envisioned strategy. This will primarily include:
  - API factory blueprint to aid the development of open API platform that will form the backbone of digital infrastructure;
  - API gateway that enables the connectivity with PISPs, AISPs and other players;
  - Monetisation support mechanism that helps build the collaborative and competitive construct;
  - API analytics to ensure the quality and health of the API platform;
  - Security and communication framework to align with prescribed norms.
- Truly utilising PSD2 also requires a bank to change its delivery mechanism, by adopting an agile-oriented approach that comes with DevOps tooling and related frameworks.
- Operating structure alignments for AISP and PISP activities, along with allied process management and shared services model.
- Reviving customer services management, to ensure adherence with PSD2 customer reporting and complaint resolution requirements, is critical to ensure compliance.
- Enriching the regulatory reporting requirements is a critical step from the compliance perspective.
- The current risk management mechanism needs to be tuned to PSD2 requirements that mandate a robust mechanism to handle technical, operational and financial risks that arise due to a changing payments landscape.
- The bank’s innovation stream has become a crucial lever to propel the growth engines, while closely monitoring market and industry changes to timely recalibrate the bank’s collaborative and competitive construct. This will require banks to equip themselves with suitable innovation enablers, essentially consisting of tools and frameworks such as open innovation framework, application programming interface (API) sandbox, multi-party engagement model and consent management model.
As the clock is ticking in the PSD2 race, traditional players are at a competitive disadvantage vis-à-vis TPPs. However, the Directive opens up newer forms of a collaborative construct that can overcome this disadvantage. While the traditional players can bring their large customer bases and reach to the table, TPPs can provide their innovative service offerings and agility to adopt new technologies and thus create winning payments propositions for the customer, the bank and the TPP respectively.
With the payments game already evolved to the next level, traditional players will also have to leave behind their rigid legacy structures and, moreover, change their mindset to become more nimble and ensure quicker adaptation to dynamic customer and market conditions.