Passwords: The No. 1 Risk Factor in Companies
The introduction of the second payment services directive (PSD2) was designed to make payment transactions throughout Europe simpler–but more efficient, modern and secure. The European Council adopted the directive back in November 2015. However, it was only enshrined in national legislation on 13 January 2018. The focus of the PSD2 is on ensuring easy and secure online payments and promoting innovation and international competition. In May of this year, the European Commission initiated a targeted consultation to address ongoing digital developments in payment transactions and to establish a new framework for an open financial sector to incorporate developments such as open banking. Read on to learn how the possible introduction of a third payment services directive might affect the payment transaction market.
When it entered into force, the PSD2 directive represented a major step towards promoting the digital financial internal market of the European Union. It offers consumers better and wider choices regarding what is called bulk payments. Bulk payments include types of small and retail payments – in other words, any payments that are not private individual payments but are executed together with multiple payments in stack and batch processing runs. In addition, the directive attached great importance to ensuring security and consumer protection.
Despite this, experts still point to a lack of potential in implementing the directive. Specifically, disruptive technologies and approaches in open banking have further revolutionised the finance and banking sector. In this context, PSD2 still lacks full implementation of strong customer authentication (SCA), especially in e-commerce. The market here reacted too late or was inadequately prepared for the implementation.
Experts believe it would have been better to incorporate the entire contract management associated with all financial products into the PSD2 guidelines. Another point that experts believe was neglected is the variety of application programming interfaces (API) that are vital to ensure smooth and secure access to payment accounts. In particular, third-party providers who already operated their business using electronic transactions before the introduction of PSD2 faced problems implementing the guidelines. For instance, adapting their business activities to comply with the various technical specifications while at the same time ensuring a smooth customer journey proved a major challenge.
The market is also highly competitive. There are more and more players and new solutions, which means that current PSD2 guidelines must be amended. This is the only way to facilitate and regulate new payment methods such as 'Buy Now Pay Later (BNPL).
A step in the direction of PSD3
At the end of 2021, the European Commission announced a comprehensive review of the applications and impacts of PSD2. The European Commission initiated two targeted consultations on the topics' PSD2' and 'Open Finance' and a public consultation on both.
The 'targeted consultation on PSD2' was to gather information to assist in the amendment of the second payment services directive. The focus here was on effectiveness, efficiency, coherence, relevance, and added value to the European Union. The core group was made up of experts who have extensive knowledge of the payment services area and can evaluate the technical challenges of the directive.
During the public consultation, a target group with a general knowledge of the payments market and its associated regulatory provisions was mainly asked to provide its assessment.
During the third 'Targeted consultation on Open Finance Framework and Data Sharing in the Financial Sector', experts were consulted regarding PSD2 to supplement the two previous discussions. Different interest groups were included in this process: companies and consumers of financial service providers as well as financial institutions.
In October 2021, the European Commission sent a 'Call for Advice' (CfA) to the European Banking Authority (EBA) to study the PSD2. On 23 June 2022, the EBA returned its observations, which included proposed solutions to improve and amend the PSD2. The responses to the CfA cover nine areas, for example, the application scope and definitions, the authorisation of payment institutions (PIs), their supervision, SCA and access to payment systems and accounts.
The key proposed changes
To take account of the wide variety of business models that exist in the European payment services market, the EBA is calling for a clearer distinction between individual payment services. For example, one of the proposals is that "issuing” (issuance of payment instruments such as credit cards) and "acquiring” (acceptance and billing of payment processes, for example, by VISA or Mastercard) be divided into two separate payment services. This is because each would require a different supervisory approach.
Moreover, the EBA suggests that terms such as 'initiation of a payment transaction', ‘remote payment transaction', and 'payment channel' should be defined more clearly to harmonise all European member states.
For the revision of PSD2, the EBA calls for the greater clarification of exceptions for service providers that are not required to implement the directive; this applies especially to the commercial agent exclusion (a type of 'intermediary’ between buyers and sellers). Another aspect being debated is whether the regulations should be expanded to cover activities that are not currently regulated – such as payment transactions using crypto assets, Buy Now Pay Later (BNPL), mobile apps for payments or payment processing services.
The EBA also welcomed the proposal to merge the PSD2 with the Second Electronic Money Directive (EMD2), which experts had long anticipated.
Likewise, the Wirecard scandal did not escape comment. The EBA also suggests amendments to the requirements for liquidity controls for payment service providers and regulations for orderly resolution. The PSD3 is also likely to impact passporting and company registers.
The EBA also recommends setting standards for harmonised API interfaces. This would further reduce the barriers to third-party providers wishing to enter the market.
Regulations regarding Strong Customer Authentication also attracted a degree of criticism. The EBA suggests clearer regulation of the distribution of liability in cases where an SCA exemption is applied even though SCA should be required. There should also be a detailed requirement to implement SCA, including more details concerning two-factor authentication.
This approach aims to mitigate social engineering fraud risks and improve customer protection.
By moving to amend the PSD2 to formulate a possible PSD3 directive, the EU is not only taking account of the ongoing digital transformation in the industry but is also promoting competition for payment solutions in European member states. For customers, the amended directive should mean greater protection and more convenience.
