PSD2 regulation: What are the changes

Designed by the EU and European Economic Area, the first Payment Services Directive (PSD) was adopted in 2009. The main goal was to promote EU-wise commerce by allowing non-banks to accept online payments. Years down the line, the industry and customer behaviour changes created a need for an updated version. That’s where the second payment services directive (PSD2) came in.

In 2013, amendments were implemented to PSD to level the customer protection up, and the revised payment services directive 2 rolled out. The updates were proposed by the European Commission and explained by the need to adjust payment regulations to the current situation on the market.

The updated regulatory technical standards introduced the requirements meant to keep all digital transactions on the safe side. They also regulate third-party companies, meaning that they strictly observe the way payment providers accept, aggregate and process transactions.

All in all, the main idea of PSD2 is to encourage banks to transfer customers’ sensitive data to the third-party companies in a secured manner and facilitate the payers access to that information.

The main objectives of PSD2 are:

• strengthen the foundation for a consistent European payments market;
• create equal opportunities for payment service providers;
• broaden the framework of the existing regulations;
• cement open banking to lay the foundation for better collaboration between banks and new players in the banking industry
• enhance customer protection and the overall transaction security;
• decrease the costs for businesses by promoting fair competition.

If online businesses fail to apply the regulations, there are penalties laid out by the EBA. Besides, organisations that neglect the rules could face an audit and prosecution by national authorities.

In fact, banks could even reject payment providers. Consequently, the purchases will not be able to go through, causing direct financial losses. By attempting to perform non-authenticated payments, businesses may lose considerable transaction volume.

The new regulations aim to enhance payment security and transaction transparency. While the PSD2 contains various measures, some of them have a more significant impact on businesses.

Stricter authentication

For card-not-present transactions, the PSD2 enforces strong customer authentication (SCA), i.e. two-factor authentication. Thus, if businesses want their consumers’ banks to accept transactions, there should be an extra step, namely 3D Secure – a three-domain model for card fraud prevention.

However, there is one downside of the additional action during payments, such as SCA. It may cause a drop in sales. Many buyers don’t want to wait until the code is sent to their smartphones. So, that’s where they can switch to another merchant. But that rarely happens as 3DS is a commonly-used countermeasure when it comes to online shopping.

Exemptions for the SCA requirement include:

• trusted sellers – beneficiaries can be whitelisted by users and not subject to SCA;
• recurring transactions – subscriptions or regular billings will only need to be authenticated once;
• low-value transactions – payments under €30; in some cases, such as every sixth payment, although banks may still require SCA;
• low-risk pays – this includes cases when the provider has been deemed to have low fraud rates.

Payment initiation and account information service providers

Banks are obliged to provide access to payment accounts to third parties by API: payment initiation service providers (PISPs) and account information service providers (AISPs).

The critical points of PISPs are:

• third-party providers perform credit transfers through their IT infrastructure/applications;
• the rules apply to payment accounts which are accessible online;
• contractual relations between PISPs and payment institutions cannot contradict the PSD2;
• a payer must give explicit consent for the payment to be executed.

Prior to the PSD2, the infrastructure of accounts servicing payment services providers (ASPSP), and the access to a payer account was limited to online banking websites/apps, branches and terminals. Now, the updated technical standards help businesses develop, broaden or redesign their existing offerings by opening up these services to third parties.

Account information aggregation through AISPs poses certain risks:

• perceived IT security flaws;
• possibilities of fraud;
• liabilities related to unauthorised transactions.

Therefore, the rules must be matched with regulatory and market solutions – such as payments account directives (PAD), interchange fee regulation (IFR), anti-money laundering directives along with real-time payment, blockchain, etc.

Additions to the registration requirements

Organisations that provide payment transaction services will have to obtain licenses and become EBA-authorised (European Banking Authority) institutions. The authorisation is granted by competent authorities varying from country to country.

The requirement to register covers the following natural or legal persons:

• payment institutions;
• agents acting on behalf of payment institutions;
• branches of payment institutions in the Member States;
• electronic money institutions;
• account information services.

Adopting new regulations may not be seamless, and organisations are facing certain obstacles on the way to becoming PSD2-compliant:

• PSD2 compliance requires businesses to identify trustworthy collaborative relationships;
• to adapt to the change, businesses will have to coordinate different departments as well as products, services, and operations within the company;
• due to unclear specifications, in terms of IT and design changes, the process may be slowed down;
• businesses may have trouble communicating the new rules to customers.

Even though the PSD2 requires a multi-faceted approach, businesses can ensure a smooth transition for their customers.

Lastly, regulations and the interpretations of the directive may vary depending on the country. Therefore, some rules may remain uncertain unless approached on a case-by-case basis.

For businesses, it will be valuable to learn all the intricacies of the PSD2. It will eliminate the possibility of misinterpreting the regulation and help you make sense of the payment processing rules.

There were several enforcement dates to implement the updated regulatory technical specifications. The European Banking Authority (EBA) approved the final amendments and published them at the end of November in 2017. All EU payment providers were required to comply with PSD2 until 14 September 2019. However, many European companies failed to do that as they simply weren’t ready. The EBA had no other choice but to postpone the deadline. Now all companies within the EU should adhere to PSD 2 standards until the end of 2020.

The chances are the new deadline will also be pushed back because of the coronavirus pandemic, but it’s not decided yet. It’s expected that payment providers will be able to implement all the developments.