
The Ultimate Guide to PSD2 (Payment Services Directive)

How to Develop Business Opportunities Based on the New EU Regulations?

Money makes the world go round – the old saying has a brand new meaning in the XXI century. Technological advancement has introduced new financial services into the lives of everyday people. In order to make the transition seamless, the EU has created PSD2. The directive creates challenges, but also plenty of opportunities. Learn how to use the new regulations to create digital products that people actually want to use.

01

PSD2: The Basics

In this section, we are covering the most important information about PSD2.

What is PSD2?

PSD2 (Revised Payment Services Directive) is a European Commission regulation for electronic payment services. It is the second version of the Payment Services Directive that was introduced in 2007 and then updated in 2015. It’s a legislative response to the changing financial market that has been disrupted by the latest technology. The main goal of PSD2 is to protect consumers when they perform online transactions and other banking operations.

The invention of technology often precedes the creation of the laws that define its use. That is why the EU had to face the challenge and regulate the digital finance landscape before it got out of hand. PSD2 aims to make payments and other financial services more secure in Europe. Coincidentally, it also boosts innovation and helps traditional financial institutions adapt to new technologies. The directive levels the playing field between new financial instruments and banks that have been present for years on the market. Thanks to PSD2, old and new can work together on equal terms, regulated by the same entity.

What types of services does PSD2 regulate?

PSD2 regulates two types of banking services that have become popular in recent years:

  1. Payment Initiation Services (PIS): initiating a payment from the consumer’s account to the merchant’s account; those services create an interface to bridge both accounts, fill in the information needed (amount of the transaction, account number, message, etc.), and inform both parties of the transaction.
  2. Account Information Services (AIS): collecting and storing information from a consumer’s different bank accounts in a single place.

Which countries are affected by PSD2?

PSD2 regulations apply to the following countries within the European Economic Area (EEA): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK. (The status of the UK may change in the future due to Brexit.)

When will PSD2 be enforced?

The initial deadline for applying the PSD2 regulations was scheduled for September 14th, 2019. However, institutions across the EU asked for an extension of the deadline. The request was accepted and the new deadline was set for December 31st, 2020. Since then, some countries have asked for further extensions due to the crisis caused by COVID-19.

The request for the deadline extension was motivated by the necessity of implementing Multiple Level Authentication for better protection of consumers. The task has proven to be a challenge from a technological standpoint.

COVID-19: has the pandemic affected PSD2?

At the moment of writing this guide, the COVID-19 pandemic that occurred in 2020 does not affect the deadline for PSD2 compliance (December 31st, 2020).

However, the European Commission has received requests for additional deadline extensions. The UK was the first country to extend the delay by 6 months due to the Covid crisis. The new deadline for the UK is September 14th, 2021. Denmark has announced an 18-month delay and set the new deadline for March 14th, 2021. Delays have also been announced by France, Belgium, Ireland, and Poland. Other countries have not declared any need for an extension. They are expected to meet the initial deadline. 

The main reason behind the delay is the challenge of adapting IT structures in times of health crisis. The implementation of Strong Customer Authentication has been particularly challenging. PSD2 and the coronavirus outbreak have exposed the necessity of establishing solid IT architectures in financial institutions. 

The first wave of COVID-19 has been an unfortunate catalyst for major technology advancements in many sectors of the economy. Banking and finance is one of them. To keep cash flowing, institutions all around the world have to move towards modern banking solutions. The pandemic caused lockdowns that included financial facilities. Therefore, they have been pushed towards the introduction of online banking services. Banks have to come up with new offers to keep their customers satisfied and, more importantly, safe.

The pandemic has also greatly affected consumers’ behaviors. Online and cashless payments are in favor. It’s safe to say that the pandemic has sped up the process that has been accelerated by PSD2. 

 

Are there consequences of not being compliant with PSD2?

In the light of regulations provided by PSD2, the banks that conduct non-compliant financial transactions might be violating the law of their home country. 

Are merchants affected by PSD2?

Although PSD2 applies to banks, merchants should make sure that their transactions with banks are conducted in a law-abiding way. Merchants outside of the EEA may notice an increase in declined transactions from EEA. However, there might be exemptions available for consideration. 

What do banks have to do to be compliant with PSD2?

Banks have two major challenges ahead of them: 

  • update the authentication elements they provide their customers, 
  • open their API in accordance with technical protocols, 
  • develop systems and processes that will allow smooth cooperation between the bank’s API and Third-Party Providers.

What is a Third-Party Provider?

Third-Party Providers or TPPs are licensed external parties that can offer certain financial services to consumers. Banks and other financial institutions will be required to give TPPs access to relevant customer information in order to take over the direct relationship with the customer. A variety of fintech companies can be considered as TPPs.

Is PSD2 about Open Banking?

Open Banking is an idea based on Open API (Application Program Interfaces). It’s a banking practice that provides Third-Party Providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions. The PSD2 directive is a regulatory push that made this idea the standard for financial services providers.

Who decides what kind of information is available through Open API?

The standard for information released through the Open API is that it’s the information necessary to process transactions. The members of EEA work on their own protocols to ensure that the transformation to Open Banking triggered by PSD2 is unproblematic for the local institutions.

BinarApps has been a proud contributor to the Polish API Standard.

 

02

Why is PSD2 a good business opportunity in 2020/2021?

Here we briefly discuss the business potential of the changes brought out by PSD2.

What are the biggest changes caused by PSD2?

The entire impact of PSD2 on the banking sector will be fully known in the upcoming years. Since laws regarding finance are different in each European country, we can expect that PSD2 will be challenged in the future. For now, the regulations included in PSD2 have triggered 3 major changes.

 

Open API and Open Banking

PSD2 highlights the importance of Application Program Interfaces (APIs). An API is a software intermediary that allows application programs to interact with each other and share data. It’s a very important part of every bank’s and TPP’s infrastructure because it’s pretty much their framework for communicating. PSD2 requires banks to open their API, making way for the era of Open Banking. 

 

Third-Party Providers: New Players on the Financial Market 

PSD2 names and specifies the role of new financial services backed up by technology advancements: now they’re called Third-Party Providers or simply TPP. Because of PSD2, TPP now can act on equal footing with traditional banking. That is beneficial to the banks as well since they can provide new services to their customers. There are two types of TPP in general: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). 

 

Consumer Protection – Strong Customer Authentication

PSD2 includes an obligation for payment service providers to implement Strong Customer Authentication (SCA). This makes the transactions more secure. In order to go through with the transactions, the consumer will have to confirm their identity by using at least two of the safety precautions based on the following principles:

 

  • knowledge – something the consumer knows (password, PIN, key combination),
  • possession – something the consumer has (device, credit or debit card),
  • inherence – something the consumer is physically (a fingerprint or other biometric).

 

How does it look in practice? For example, if the consumer makes an online payment, they will have to confirm their identity by entering the password to their banking account and providing a number they received via text message. Without one or the other, the transaction will fail. 

 

The SCA has to be applied to every transaction over 30 euro or 5 low-value transactions in a row. SCA is currently only required when both the acquirer and the issuer of the transactions are located within the EEA.
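The SCA rules described above, as an added Python example that is not part of the original guide or any regulator's or bank's code. The factor names, the `Payment` and `PayerSession` types, and the `step_up` outcome are hypothetical; the example also assumes that the two factors must come from different categories and that the payment being authorised counts towards the run of five low-value transactions.

```python
from dataclasses import dataclass

# The three categories come from the guide; the factor names are constructed.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",   # one-time code sent to a device the consumer holds
    "card": "possession",
    "fingerprint": "inherence",
}
LOW_VALUE_LIMIT_EUR = 30   # guide: SCA for every transaction over 30 euro
LOW_VALUE_STREAK = 5       # guide: or 5 low-value transactions in a row


@dataclass
class Payment:
    amount_eur: float
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True

    @property
    def in_scope(self):
        # Guide: SCA is only required when both parties are inside the EEA.
        return self.issuer_in_eea and self.acquirer_in_eea


def factors_satisfy_sca(verified_factors):
    """True when the verified factors span at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def sca_required(payment, low_value_streak):
    """Return (required, reason) for a payment, given the payer's current streak."""
    if not payment.in_scope:
        return False, "issuer or acquirer outside the EEA"
    if payment.amount_eur > LOW_VALUE_LIMIT_EUR:
        return True, "amount over 30 euro"
    # Assumption: the payment being authorised counts towards the streak.
    if low_value_streak + 1 >= LOW_VALUE_STREAK:
        return True, "fifth low-value payment in a row"
    return False, "low-value payment"


class PayerSession:
    """Counts in-scope low-value payments since the payer last passed SCA."""

    def __init__(self):
        self.low_value_streak = 0

    def authorise(self, payment, verified_factors=()):
        required, reason = sca_required(payment, self.low_value_streak)
        strong = factors_satisfy_sca(verified_factors)
        if required and not strong:
            return "step_up", reason       # hypothetical outcome: ask for another category
        if strong:
            self.low_value_streak = 0      # a completed SCA resets the counter
        elif payment.in_scope:
            self.low_value_streak += 1     # low-value payment that skipped SCA
        return "approved", reason


if __name__ == "__main__":
    session = PayerSession()
    for n in range(1, 6):                  # constructed sample: five 10 euro payments
        print(n, session.authorise(Payment(10.0), ["password"]))
    print(session.authorise(Payment(10.0), ["password", "sms_otp"]))
    print(session.authorise(Payment(50.0), ["password", "pin"]))
```

A password plus a PIN is stepped up here because both are knowledge factors, while a password plus a texted code spans knowledge and possession.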

Why are these changes relevant to business?

Each of the 3 changes mentioned above is basically a new business venture. 

 

In the area of Open API and Open Banking, there’s already a spike of interest in services that help financial institutions with the process. Services that help banks open their APIs, from engines to technical support, are in demand. 

 

The definition of a Third-Party Provider is an open door for innovation. That is the area where fintech can truly flourish. 

 

The necessity to protect consumers creates a need for reliable, solid ways of securing data. TPPs have to build a sophisticated and adaptable infrastructure to provide the best services while respecting the consumer’s right to privacy. 

 

All of these should be considered as part of the broader picture. There is space for new products, software, and platforms. Every new service requires a working environment to grow, so the area of business consulting for finance is expected to peak in the upcoming years. 

 

The decisive factor for a successful launch is always the same: provide a product that solves a real problem of your users.

 

Consumers – What does PSD2 change for them?

PSD2 changes how the electronic payments of the consumers are processed. Third-Party Providers work as a bridge between the consumer, their bank, and the payment process. It’s faster and much more secure. Consumers won’t see a lot of change apart from the ones started by SCA – to complete the payment, they will have to go through a multiple-level authentication process. 

 

Who can become a Third-Party Provider under PSD2?

To become a legitimate TPP, companies must obtain a relevant license: AISP (Account Information Service Provider) or PISP (Payment Initiation Service Provider). Both new and existing companies can apply for one or both. However, they do need to meet the national PSD2 requirements of their member state. Please contact your local authority for more information.

Why could becoming a Third-Party Provider be a good idea?

TPPs are seen as the innovators. PSD2 encourages creating brand new propositions that have a positive impact on the financial sector and consumers’ satisfaction. As long as the security requirements are complied with, the possibilities are near endless. By establishing your business idea now, on the brink of PSD2 becoming the standard in every EEA country, you gain the opportunity to be a true trailblazer. It is still uncharted territory.

What are some examples of AISP and PISP services?

The biggest strength of Third-Party Providers, no matter if it’s an AISP or a PISP, is their novelty. They are limited only by the security requirements and technology currently available. Some examples to consider:

 

  • Merchants, eStores, or eCommerce becoming a TPP and taking the payments process in-house for a quicker, more satisfying customer experience.
  • More attractive loyalty programs for customers based on their preferred paying option (e.g. pay with our eWallet and gain more points). 
  • More attractive, secure, and faster ways of obtaining loans. 
  • Mobile applications that work as a management interface for accounts across different banks. 
  • Saving apps that track your monthly expenses and spending patterns. 

 

The key is to identify the needs of users and create a solution that adds real value to their lives. Those solutions can be created for everyday customers, merchants, B2B or B2C systems, and many more. These are all new challenges for business development in finance.

 

What advantages do TPPs have over traditional banking systems?

The beauty of this concept is that most TPPs are not subject to the same stringent regulatory burden as traditional banks and are typically not weighed down by the legacy IT infrastructure that constrains most banks. As a result, they can be much more innovative and adaptable, allowing them to meet market demand quickly and efficiently.

Banks and TPPs: why is it the perfect match?

At first, it may seem like the new regulations don’t work in favor of banks. The new requirement to give third parties access to data through open API might sound like a disadvantage on the market. However, this is a great opportunity for banks to become more innovative. TPPs can help them improve customer relationships and become more competitive. A customer-focused approach is what is going to win in the long run. It’s also worth noting that banks do not have to rely entirely on outside TPPs: they can create their own in-house TPP as a means to expand their offerings and keep their independence. Investment in new technology will be an important factor in the race for customers’ approval.

Is PSD2 a chance for startups?

For startups that offer innovation in the financial sector – absolutely. The creation of PSD2 gave an indirect boost to the financial technology industry (fintech) because the regulations allow innovation to grow in an environment regulated by law. New companies can emerge without worrying about their legislative status. That is a crucial point in the world of finance. Thanks to clear rules and regulations, it will be easier for startups to find investors as the risk of a failed launch due to an inexact law is now reduced. It’s especially important for startups that want to be present in the EEA. Operating under PSD2 regulations makes the product preparation and release a lot faster. Startups can become a TPP or provide solutions linked to PSD2, e.g. an API connection engine for eCommerce.

Does the COVID-19 outbreak have an impact on business in the finance sector?

Without a doubt, the coronavirus pandemic in 2020 has left a mark on the financial market. It has accelerated the digital transformation by making open banking a more obvious solution for players in financial markets. Full digitalization is now the only viable option. Banks need to be aware that almost all of their activities must, and will increasingly, rely on technology, services, and platforms from external providers. In order to successfully digitize, banks must digitally open up to cooperation with new suppliers. Open banking is truly the only way to go.

03

eCommerce After PSD2

See why the directive has a huge influence on how eCommerce will function in the future.

How does PSD2 affect eCommerce?

Every eCommerce business that receives electronic payments is directly affected by PSD2. The directive established standard rules about how to conduct credit transfers, direct debits, card payments, and mobile and online payments. 

To be able to keep your business receiving those sorts of payments, you will need to ensure that:

  1. your eCommerce is compliant with the technical standards for SCA (Strong Customer Authentication),
  2. your eCommerce has a 3-D secure protocol in place (the name of the 3-D protocol refers to the action performed between three domains: the issuer, the acquirer, and the interoperability domain). 

Online stores generally do not fall under the Third-Party Provider category. However, it could be an exciting opportunity to explore.

 

How to prepare my eCommerce for PSD2 regulations?

Here are a few tips on how to prepare your eCommerce business for changes caused by PSD2:

  • Analyze the payment options offered by your eCommerce and learn more about how they work. Check which ones are favored by your customers. 
  • Contact your Payment Service Provider and discuss the matter of compliance with the SCA standards for online payments. 
  • Inform your customers about the changes. Implementation of SCA means that there’ll be an extra step in the User Experience Path which may cause uneasiness, especially if customers do not follow the news about financial regulations. Be transparent and reach out to them with the information.
  • Stay informed about new payment options. With the growing fintech market, there’ll be plenty of new possibilities available very soon that could take your eCommerce business ahead of the curve.

Above all, try to follow these steps as soon as possible.

 

04

AIS, PIS, CAF – What Are They and What Influence Do They Have?

The services that are already in use now have legal definitions and rules to follow.

What is ASPSP?

An Account Servicing Payment Service Provider, or just ASPSP, maintains a payment account of the user. An ASPSP has an API that has to be open, as stated by PSD2. Therefore they enable, with the user’s consent, payments initiated by TPPs and/or make their customers’ account transaction data available to TPPs.

What Are AIS, PIS, CAF?

Third-Party Providers can offer different kinds of services. Those services have been categorized into 3 types:

 

  1. AIS (Account Information Service) – access to information about the customer’s payment accounts in various banks.
  2. PIS (Payment Initiation Service) – payment initiation by the service provider, directly from the consumer’s account.
  3. CAF (Confirmation of the Availability of Funds) – with this service, the service provider will check if the consumer has enough funds in the bank account to complete the transaction.

 

TPPs can provide one, two, or all of the services above. They are obligated to obtain a separate license for each of the services. 

 

Account Information Service: The Access to Data

The AIS services can, at the user’s request and with their consent, transfer consolidated data about the online payment accounts maintained by one or more other payment service providers. 

As part of the AIS service, a user who has online payment accounts in several banks or other ASPSPs may commission a TPP (here the Account Information Service Provider, AISP) to prepare collective information concerning e.g. balances and turnover on individual accounts. For this purpose, the AISP, at the user’s request and with their consent, obtains access to the user’s accounts via electronic banking, then aggregates and presents to the user all the necessary information. The user, therefore, has immediate access to information about their current financial situation, receipts, and turnover on individual accounts.

 

Payment Initiation Service: Necessary for Online Transactions 

The PIS service is mainly used in e-commerce. The TPP as the provider of the payment initiation service supports the user in the process of making payments on the Internet. 

 

After the customer places an order in the online store, they are redirected to the PISP website, where they are asked to indicate the ASPSP maintaining the account from which the payment will be initiated. Then the PISP, with the customer’s consent, gains access to the user’s electronic banking account and collects all the data necessary to order the payment. Then the user can approve the transfer order to the payment recipient’s (merchant’s) account. After approval of the transaction by the customer’s bank, the PISP immediately informs the merchant that the payment has been initiated. The merchant begins the order fulfillment process and delivers the order to the user.

 

Confirmation of the Availability of Funds: Checking the Balance 

The CAF service allows TPPs to check whether a specific amount of funds requested is available on a payment account. A TPP can request that kind of information ahead of processing a transaction. In answer, the ASPSP sends a short message (a simple YES or NO) stating whether the required amount is available, without indicating the amount of the balance on the account in question. Confirmation of the availability of funds on the account does not enable the ASPSP to block these funds on the payer’s account. The CAF service does not process any sensitive data.

 

Who Takes the Responsibility in the Case of Unauthorized Transactions?

Errors happen, and the risk of unauthorized transactions is real, especially as a result of a security breach or identity theft. PSD2 regulates the responsibility between the parties involved in an unauthorized transaction.

 

In the case of an unauthorized transaction made as part of the PIS service, the party responsible for the return of the payment is the ASPSP. The ASPSP should do so immediately, not later than by the end of the next business day, and restore the customer’s debited payment account to the state from before the unauthorized payment transaction.

 

If the PIS provider is responsible for the unauthorized payment transaction, it should immediately compensate the losses to the ASPSP (at the request of the ASPSP). The PIS is obligated to prove that, as far as it is concerned, the payment transaction made has been authorized, correctly recorded in the PIS system, and that the payment transaction was not affected by a technical failure or another type of bug related to the payment service on the provider’s side.

 

Who Issues Licenses for AIS, PIS, and CAF services?

The entity authorized to give out licenses for AIS, PIS, and CAF services is specified by country. In Poland, it’s the Financial Supervision Committee (KNF).

05

Fintech: A Brief Introduction

In this section, we provide you with basic information about financial technologies that have been affected by PSD2.

What is Fintech?

Fintech (Financial Technology) is an umbrella term for all kinds of financial technologies that disrupt, digitize, or expand financial services. It includes software, platforms, mobile and web applications, and even devices. It encompasses inventions such as cryptocurrency and peer-to-peer lending. Fintech is strongly connected with other industries such as insurance and healthcare.

What are some examples of Fintech?

Most of the consumers who shop online have already interacted with fintech. Some of the most popular fintech solutions include companies such as:

 

  • Klarna – “buy now, pay later” microloans provider 
  • Chime – fully mobile bank
  • PayPal – payment provider
  • Xero – online accounting software
  • Avant – online lending platform
  • Lemonade – an insurance company
  • Robinhood – a platform for stock market investments
  • Venmo – P2P payment service
  • TransferWise – borderless debit cards

 

This is just a small sample of fintech companies. The shortlist above already showcases the variety of possibilities that can become reality with the right approach. PSD2 encourages such initiatives to develop and turn into business ventures.

 

Are there different types of Fintech?

Based on the list of examples provided in the previous section, we can differentiate many kinds of fintech. The distinction is made by the type of service or solutions they provide. 

 

Payment

This type of fintech deals with money-related services. This includes consumer payments (e.g. e-wallets), back-end infrastructure (e.g. payment processing providers), and cryptocurrency transactions. What makes them especially attractive is the lack of fees.  

 

Lending and credit

Peer-to-peer lending is a fintech solution that grows more and more popular every day. Consumers don’t need to turn to banks to borrow money. Loans are granted faster, with little to no bureaucracy involved. 

 

Online banking

All kinds of banking services can be performed online or via a dedicated app. It includes a variety of innovative solutions, such as chatbots, spending trackers, push notifications, etc. The main characteristic of online banking is that it’s open 24/7.

 

Personal finance

Whether it’s saving or monthly budgeting, fintech apps take on the role of a financial advisor.

 

Insurance

More flexible and available than traditional providers, insuretech companies cooperate with fintech solutions in making the insurance market more customer-friendly. 

 

Alternative financing methods

Crowdfunding platforms are a type of fintech, too. They can be donation-based, debt-based, or reward-based.

 

Regtech

A rapidly growing type of fintech that helps businesses comply with the latest regulations. Regtech monitors reports and informs when and what compliance is needed.

 

Why is now a good time to invest in Fintech?

In a special report, Deloitte predicts that an economic recovery after the COVID-19 pandemic will go hand in hand with new opportunities for fintech. Even though fintech suffered from some setbacks, it is clear that the demand for fintech services is at an all-time high. The majority of people around the world look forward to the digitalization of their finances due to the constraints caused by lockdowns and various safety precautions. That reason alone is responsible for a surge in fintech investment. 

 

According to CB Insights, there are currently 66 VC-backed fintech unicorns worth a combined $248B. After the initial decline at the beginning of 2020, North America, Europe, South America, Africa, and Australia increased their fintech funding.

 

We can safely assume that the year 2020 is the starting point for fintech to reach peak maturity. It’s the perfect time to get involved in changing the global financial landscape.

 

What is the Fintech Action Plan?

In the second quarter of 2020, the European Commission announced that they are working on a document that will further regulate the growth of fintech. The project “Consultation on a new digital finance strategy for Europe or FinTech Action Plan” is an open consultation process that is the first stage of creating new regulations. As of now, the consultations are ongoing.

 

The main objectives of the strategy are as follows:

 

  • provide consumers with even better digital finance solutions with the best security possible,
  • technological neutrality – none of the emerging technologies shall be favored by regulations,
  • creation of a digital ID,
  • the use of AI in financial technology,
  • implementation of the green strategy for the EU – sustainable development in the banking sector.

 

The Fintech Action Plan has been partially inspired by the White Paper on Artificial Intelligence. This shows how important it is to start the digital transformation as soon as possible even in small and micro-companies. Fintech will have a major role in shaping the future.

 

The Fintech Action Plan does not have a release date yet.

 

Prepare your company for the era of Open Banking

If you’d like to learn more about how to develop your digital product for the financial market, do not hesitate to contact us. 

 
