Payment Services Directive 2 (PSD2) to Benefit Consumers and Businesses

The implementation of the Payment Services Directive 2 (PSD2) by the Council of the European Union in late 2015 has brought about the equitable treatment of Third Party Providers (TPPs), granting them assured technical access to the Banking Payment Systems. This stand has supported innovative online transactions, mobile payments, and the safe facilitation of cross-border European Payment Services. Commissioner Jonathan Hill, accountable for Financial Stability, Financial Services and Capital Markets Union, had stated, "This legislation is a step towards a digital single market; it will benefit consumers and businesses and help the economy grow."

This statement sufficiently establishes the objectives of the revised directive to accelerate industrial competition in the EU market, with the majority of the population not using Credit Card(s).

Amendments

The PSD2 displayed significant amendments to the earlier PSD1 adopted in 2007, such as the goals to establish standard requirements for electronic payments while covering a wide range of domains, including Direct Debits, Credit Transfer and Card Payments. As per the revised directive, the "Payment Initiation Service Providers" (PISP) may access customers' payment accounts while executing their bank transfers, allowing Third Parties to aggregate the information of the payment account(s), including those of asset portfolio, insurance contracts, amongst others. In this context, some of the significant long-term benefits have been cost minimisation and data-driven risk management. However, this also came with the undeniable dangers of data sharing with third parties and escalated IT Costs.

Strong Customer Authentication

At the core of PSD2 lies the Strong Customer Authentication (SCA) that was mandated for all European e-commerce transactions. This key aspect, coupled with Multi-Factor Authentication based on "Knowledge", "Possession", and "Inherence" Elements, resulted in Standardised Industry Protocols meant to propel advanced authentication measures like facial recognition.

Consequently, it was considered suitable for transmitting rich transaction data, thus leading to higher authentication rates and a smooth user experience. One of the significant changes was the provision of APIs (Application Programming Interfaces) by the banks on request concerning the Account Information Service Providers (AISP). This measure was expected to critically bolster Financial Technology (FinTech), considering the emergence of new Payment Aggregators in the European Market.

While PSD2 visibly exhibited its security objectives through the inherent Transaction Risk Analysis (TRA) component, the repeated postponements of the transition to SCA indicate circumspection regarding Open Banking.

Accelerated PayTech Startups

The advent of PSD2 has considerably boosted the European PayTech Sector. PSD2 enabled the PayTech start-ups to operate on a pan-European level. With a relative surge in the number of incorporated start-ups, PSD2 leveraged an open business environment, thus sustaining competitive entrepreneurship.

For the EU Payment Market, PSD2 implied critical structural changes that brought about radical transition for the incumbent banks. Besides the fundamental conditions, the directive attempted to strengthen consumer rights while empowering the European Banking Authority (EBA) to ensure better collaboration between the supervisory authorities. Apart from Account Information Services (AIS) and Payment Initiation Services (PIS), the related banking improvisations also pertained to Fund Availability Confirmation Services. However, with the EU Member States not presumably homogenous, the policy implementation was exposed to cultural impacts and other perceived risks that could potentially hinder customer satisfaction.

Risk Mitigation

The PSD2 attempts to mitigate data risks like identity theft and illegal pricing by mandating only payment services by the Payment Service Providers. Precisely, Article 1(1) of PSD2 does entail an exhaustive list of payment service providers, such as the Member States, Public Authorities, National Central Banks, credit institutions, and electronic money institutions, amongst others. Moreover, Article 4(15) of PSD2 describes a payment initiation service as "a service to initiate a payment order at the request of the payment service user concerning a payment account held at another payment service provider". Examples of such services include Sofort in Germany, Trustly in Sweden and Ideal in the Netherlands. Understandably, these were meant to ensure seamless and streamlined payment processes.

It is to be noted that the obligations to provide information regarding payment transactions stand irrespective of any contractual relationship between banks and PISPs, as elaborated in Article 66. Consequently, banks are not supposed to charge fees to access the account(s).

Conclusion

The revised directive is more stringent than the General Data Protection Regulation (GDPR), considering that it dictates that Payment Service Providers can avail personal data only for the execution of services based on definite consent of the user. However, PSD2 also reflects irrefutable laxity for Account Information Service Providers, with the broad definition of the service giving an opportunity to the provider to circumvent the limitations. Article 5(1)(g) of the directive obligates the payment organisation to provide a descriptive account of the process used to limit access to sensitive payment data. To address prevalent risks, Articles 66(3)(b) and 67(2)(b) state that the payment service providers are obliged to ensure that personal security credentials are not accessible to external parties barring the consent of the user and the issuer.

By implementing such safeguards and opening up the payment processes, PSD2 attempts to restore the payment order's integrity and provide confidence in the payments ecosystem. It has made consumers feel safe in the digital financial realm where online frauds and scams are a significant threat.