What Is the Revised Payment Service Directive (PSD2)? | Zoho Books (2024)

Introduction

The revised payment service directive (PSD2) is an update of the existing PSD1, which was introduced in 2007 and provided a single market for making payments in the European Union (EU).

Soon after the introduction of the initial PSD, many new service providers introduced new ways to make online payments. As the open banking system gained recognition in the European market, small businesses and consumers engaged with new financial services and applications. Since the number of new players has increased, the EU has recognised the need for an update. PSD2 was implemented with an intention to enhance innovation and create competition in the banking sector.

This directive also aims to make online payments safer for customers, improve protection of consumer information, address payment fraud, and provide a common platform for competitors.

What is PSD2 regulation?

Under the PSD2 regulation, the banks are required to provide account information to third-party service providers (TPPs) with consent from account holders. This helps customers to:

1. Get a consolidated view of their account information through Account Information Service Providers (AISPs)

2. Initiate online payments through Payment Initiation Service Providers (PISPs)

PSD2: What has changed since PSD1?

PSD2 builds on the previous version of PSD, incorporating the following changes:

1. ‘One leg out’ transactions: This refers to transactions where a payment service provider (either payer or payee) is outside of the EU. PSD2 will increase the scope for one leg out transactions, including cross-border payments in foreign currencies. Under PSD1, these transactions were out of scope.

2. Access to accounts (XS2A): PSD2 enables and regulates access to customer accounts based on consent. Under this regulation, the banks maintaining customer payment account information are compelled to give third-party providers (TPPs) secure access to customers’ banking information after getting the customers’ permission.

3. Preventing payment surcharges: PSD2 will ban surcharges on card payments made by the customer for transactions performed online or in shops. Surcharges were previously applied for online payments and specific sectors like the travel and hospitality industries.

4. Increased security for online payments: PSD2 increases security and improves the protection of consumer information by providing strong customer authentication. It also addresses the increase in online remote payment fraud by adding an extra layer of authentication.

Access to accounts (XS2A) under PSD2

Access to accounts is one of the biggest technological innovations in the retail banking sector. It provides a channel for direct communication between the merchant and the customer’s bank. PSD2 uses XS2A to connect customers’ banks with third parties.

Under PSD2, financial institutions that maintain customer accounts are known as Account Servicing Payment Service Providers (ASPSPs).

With the customer’s consent, the ASPSPs maintaining customer accounts must provide Third-Party Payment Providers (TPPs) a secure way to access customer information.

PSD2 introduces two categories of TPPs: AISPs and PISPs. AISPs allow customers to see integrated information from various service providers. PISPs allow customers to initiate online payments directly from their personal bank accounts.

Use case 1: Account Information Service Provider (AISP)—An AISP is a third-party service provider that collects customers’ bank data, such as bank balance and transaction history, by gaining access to their account information from an ASPSP. It can even help a customer manage multiple bank accounts. Examples include Mint and MoneyDashboard.

Suppose that a customer wants to view their consolidated account information on MoneyDashboard, an AISP.

  • The customer interacts with the third-party information service provider, MoneyDashboard, through an authorised channel.

  • MoneyDashboard gets the customer’s account information from different banks via open APIs.

  • Once MoneyDashboard collects all the information, it reflects the aggregated data in the form of a dashboard and displays it to the customer in an innovative, valuable way.

Use case 2: Payment Initiation Service Provider (PISP)—A PISP is a regulated entity such as a bank or a third-party service that allows customers to make payments without accessing bank account information or credit cards. Examples include Sofort and Trustly.

Suppose that a customer is purchasing an item on Amazon and wants to make a payment online via Trustly.

  • The Amazon website takes the customer to the payment checkout page.

  • The customer consents to make the payment via the PISP, Trustly.

  • Trustly sends a payment confirmation to Amazon and simultaneously initiates a payment via an open API to the customer’s bank.

  • The customer’s bank debits the payment amount from the customer’s account and transfers it to the merchant’s bank.

  • Based on the type of request, the customer’s bank then initiates a credit transfer or a settlement to the merchant’s bank.

So far we have seen how transactions are carried out by third parties. But how do we know that these transactions are happening through secure channels?

Open banking standards

The Competition and Markets Authority (CMA), which is responsible for strengthening business competition in the UK, is securing the payment channels under PSD2 by defining data interface and security requirements. Information can now be exchanged via open APIs in a consistent format because the CMA has adopted OAuth 2.0 and OpenID Connect as authentication and authorisation standards for open banking.

1. OAuth 2.0 is an open standard authorisation protocol that enables third-party applications to have limited access to user accounts. This is made possible using access tokens, which define the security parameters of a login process.

2. OpenID Connect is a widely used standard for one-time sign-ons. It has been successful because it provides simple JSON-based identity tokens, which, when delivered via OAuth 2.0 flow, enable resource exchange on web browsers and mobile applications.

Identity and access management (IAM)

Identity and access management (IAM) is a set of business processes that help in maintaining secure digital identities. IAM provides secure access to applications, services, and APIs for validated users. It is used by both financial institutions and third-party providers.

A secure user experience is important for financial institutions. With the increasing number of services and applications provided by third parties, customers expect a hassle-free login experience across all of the applications they use. IAM tools like multi-factor authentication and secure user directories can help to keep these logins secure. Customer consent for third-party access to user account information will need to be freely given in accordance with GDPR (the General Data Protection Regulation).

What is strong customer authentication?

Strong Customer Authentication (SCA) is an additional authentication process for card transactions. SCA involves three factors—knowledge, possession, and inherence—of which at least two must be used independently to verify the customers’ identities while making online payments.
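An added example (not from the original article or from any bank's API) of the ASPSP-side decision that the open banking standards and SCA sections describe: the access token's scope must match the TPP's role, the customer's consent must cover the requested account, and two factors from different categories must have been verified. The scope names, factor names, identifiers and the choice to check SCA on every request are assumptions of this example.

```python
from dataclasses import dataclass

# SCA categories come from the article; the factor names are constructed.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "phone_app": "possession", "card_reader": "possession",
                   "fingerprint": "inherence"}
# Hypothetical scope names: each TPP role may use exactly one scope.
ROLE_SCOPE = {"AISP": "accounts", "PISP": "payments"}

@dataclass(frozen=True)
class Consent:
    customer_id: str
    tpp_id: str
    scope: str
    account_ids: frozenset
    revoked: bool = False

@dataclass(frozen=True)
class Request:
    tpp_id: str
    tpp_role: str
    token_scope: str   # scope carried by the OAuth 2.0 access token
    customer_id: str
    account_id: str
    factors: tuple     # factors the ASPSP verified for this customer

def sca_satisfied(factors):
    """True when the factors span at least two different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}) >= 2

def authorise(req, consents):
    """ASPSP-side decision for one XS2A request; returns (allowed, reason)."""
    if ROLE_SCOPE.get(req.tpp_role) != req.token_scope:
        return False, "scope not allowed for TPP role"
    consent = next((c for c in consents
                    if (c.tpp_id, c.customer_id, c.scope) ==
                       (req.tpp_id, req.customer_id, req.token_scope)
                    and not c.revoked), None)
    if consent is None:
        return False, "no active consent"
    if req.account_id not in consent.account_ids:
        return False, "account not covered by consent"
    if not sca_satisfied(req.factors):
        return False, "SCA needs two independent factor categories"
    return True, "ok"

# Constructed sample data.
CONSENTS = [Consent("cust-42", "tpp-aisp-1", "accounts", frozenset({"acc-1"}))]
OK_REQ = Request("tpp-aisp-1", "AISP", "accounts", "cust-42", "acc-1",
                 ("password", "phone_app"))

if __name__ == "__main__":
    print(authorise(OK_REQ, CONSENTS))
```

A password plus a PIN fails the SCA check here because both are knowledge factors, which is the "independent" part of the two-of-three rule.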

Benefits of PSD2

With PSD2 compliance, customers will gain a holistic view of their finances, which will help them manage their spending. It will also give them a choice of how to make their electronic payments: to pay directly from their bank accounts, or to make payments from other sources in a secure way. Either way, they can avoid paying the surcharges associated with card-based payments. Compliance with PSD2 also ensures protection from fraud, which will be advantageous to both consumers and merchant businesses.

PSD2 allows merchant businesses to offer a wide range of payment options for their consumers. Increasing the number of choices for service providers increases the competition between payment service providers. When businesses get paid directly from payers’ accounts, they can reduce interchange fees.

Conclusion

The revised payment service directive (PSD2) was introduced with the intention to provide uniform grounds for the new players in the banking industry and to acquaint customers with new technologies. By adapting to this modern, IAM-centered banking approach, customers and third parties can share their information through secure channels. With PSD2 compliance, consumers will benefit from a more comprehensive view of their business finances, which will help them make wise business decisions and control spending.

Article information

Author: Van Hayes
