The first Directive on Payment Services (PSD), which was adopted in 2007, was enacted to create rules and guidelines for modernising payment processing across Europe with a view to simplification. With the dynamic development of fintech in recent years, the EU decided to update the directive. On January 12 2016, PSD2 came into force and a subsequent update in February of this year incorporated the use of behavioral biometrics as a key authentication tool. The directive is scheduled to be implemented into national law of member states by January 2018.
The New Era of Fintech
Financial and payment processes as we know them are undergoing profound change. While in the past, banks had a monopoly on their customers’ account information and payment services, bank customers (businesses and individuals) are now chafing against these restrictions and are striving to use third-party providers such as new FinTech companies or even Facebook and Google to manage their finances and cut costs.
Under the new regulation, retailers will be able to ask consumers (the Payment Service User - PSU) for permission to use their bank details. The PSU will then be required to authenticate with their bank or the Account Servicing Payment Service Provider (ASPSP) using multifactor authentication. Once authenticated and successfully authorized, the retailer will receive the payment directly from the PSU’s bank, making intermediaries like payment schemes and acquirers redundant.
New Players in the Financial Landscape
When PSD2 comes into effect, two new types of players are expected to enter the financial ecosystem: PISP and AISP. AISP (Account Information Service Provider) refers to service providers with access to the account information of bank customers. Such services could aggregate a user’s account information from several banks into a single overview. PISP (Payment Initiation Service Provider) refers to the service providers that initiate a payment on behalf of the user. P2P transfer and bill payment are PISP services that we are likely to see when PSD2 is implemented. All this will undoubtedly make life easier for end users seeking to save time and money when handling transactions and payments.
The Rise of Mobile Banking
The new regulation is coming not a moment too soon. According to a MEF Global Mobile Money Report, 69% of mobile device users globally carried out a banking activity through their mobile phones in 2015. A recent Global Mobile Banking Report, published by KPMG in conjunction with UBS Evidence Lab, indicates that the number of mobile banking users globally is forecast to double to 1.8 billion over the next four years, representing over 25% of the world’s population. With the introduction of the new directive enabling seamless third-party processing, it is likely that even more consumers will move to frictionless banking activities using their phones, but not necessarily via their banks. The need to provide a seamless mobile user experience while ensuring security against hackers has driven companies to seek robust privacy protection solutions that do not require constant re-authentication. Behavioral biometrics, which uses inherent individual traits to establish identity, is fast becoming the authentication solution of choice for commercial organizations and financial institutions.
Rising Challenges for Banks
PSD2 poses considerable challenges for banks. They will be obligated to provide third-party providers access to their customers’ accounts through open APIs (application programming interfaces), enabling the latter to build financial services on top of banks’ data and infrastructure. This means increased IT costs due to new security requirements and the opening of these APIs, while ensuring that banking infrastructure integrity remains sound. In addition, 9% of retail payments revenue is predicted to be lost to PISP services by 2020. And, as non-banks gain stakes in customer interaction, banks may find it hard to differentiate themselves in the market for offering loans.
How to Ensure Your Compliance
Increased costs, keeping up with the competition and protection against outside risks are only a few of the major issues banks are currently facing. In addition to the obligation to develop open APIs, initial compliance with the authentication aspect of the complex directive is undoubtedly the foremost challenge. The PISPs mentioned above depend on strong electronic identity verification to be viable. Banks will need to have safeguards in place to ensure that each customer’s identity is verified before each interaction with a third-party service provider. European countries will be required to cooperate on interoperable eID schemes via a platform enabling practical connectivity between eID means, and detailed criteria are set out, including technical specifications and procedures for the management of electronic identities.
Article 4(30) PSD2 defines strong authentication as a form of authentication that:
- is based on the use of two or more elements categorized as:
  - knowledge (something only the user knows, such as a four-digit PIN)
  - possession (something only the user possesses, such as a token in a mobile app)
  - inherence (something the user is, such as an inherent biometric trait like a fingerprint, typing style or signature)
- ensures the elements are independent from one another, in that the breach of one does not compromise the reliability of the others.
- is designed in such a way as to protect the confidentiality of the authentication data.
Due to the strictness of these regulations, smart PISPs will need to rely on eID software already designed to integrate the functions of identity verification, electronic document signing, user authentication, and secure integration with other APIs.
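The three conditions quoted above from Article 4(30) can be turned into a policy check that an ASPSP or PISP runs after the individual factors have been verified. The following Python is an added illustration, not code from the directive or from any bank or vendor: it classifies each presented element into knowledge, possession or inherence, requires at least two categories, approximates the independence requirement by demanding that two counted elements do not rely on the same "secret holder" (the component whose breach would break that element), and rejects any element whose authentication data was not kept confidential. The `Element` fields `secret_holder` and `confidential`, the sample elements and the simplified independence model are all assumptions made for the example.

```python
"""Check a set of verified authentication elements against the three
strong-authentication conditions of Article 4(30) PSD2.

Simplified model (assumption for this example): independence is approximated
by requiring that two counted elements of different categories do not share
the same secret holder, i.e. a single breach must not defeat both."""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Category(Enum):
    KNOWLEDGE = "knowledge"      # something only the user knows
    POSSESSION = "possession"    # something only the user possesses
    INHERENCE = "inherence"      # something the user is


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    secret_holder: str         # hypothetical: component whose breach breaks this element
    verified: bool             # did the factor check itself succeed?
    confidential: bool = True  # hypothetical: secret never exposed in clear by the verifier


@dataclass
class Decision:
    strong: bool
    reasons: list


def evaluate_sca(elements):
    """Return a Decision: strong is True only when every condition holds."""
    reasons = []
    counted = [e for e in elements if e.verified]   # unverified factors never count
    if len(counted) < 2:
        reasons.append("fewer than two verified elements")

    # Condition 1: two or more elements from two or more categories.
    categories = {e.category for e in counted}
    if len(categories) < 2:
        reasons.append("elements do not span two or more categories")

    # Condition 2: at least one pair from different categories whose
    # reliability does not rest on the same component.
    independent_pairs = [
        (a, b) for a, b in combinations(counted, 2)
        if a.category != b.category and a.secret_holder != b.secret_holder
    ]
    if len(counted) >= 2 and len(categories) >= 2 and not independent_pairs:
        reasons.append("no independent pair of elements: a single breach would compromise all")

    # Condition 3: confidentiality of the authentication data.
    leaked = [e.name for e in counted if not e.confidential]
    if leaked:
        reasons.append("authentication data not kept confidential: " + ", ".join(leaked))

    return Decision(strong=not reasons, reasons=reasons)


# Constructed sample elements (not real products or deployments).
PIN = Element("4-digit PIN", Category.KNOWLEDGE, "user-memory", verified=True)
SECURITY_QUESTION = Element("security question", Category.KNOWLEDGE, "user-memory", verified=True)
HW_TOKEN = Element("hardware token", Category.POSSESSION, "token-device", verified=True)
APP_TOKEN = Element("bank-app token", Category.POSSESSION, "phone-keystore", verified=True)
PHONE_FINGERPRINT = Element("phone fingerprint unlock", Category.INHERENCE, "phone-keystore", verified=True)
CLEARTEXT_PASSWORD = Element("password sent in clear", Category.KNOWLEDGE, "user-memory",
                             verified=True, confidential=False)

if __name__ == "__main__":
    for label, elems in [
        ("PIN + hardware token", [PIN, HW_TOKEN]),
        ("PIN + security question", [PIN, SECURITY_QUESTION]),
        ("app token + fingerprint on same phone", [APP_TOKEN, PHONE_FINGERPRINT]),
        ("cleartext password + hardware token", [CLEARTEXT_PASSWORD, HW_TOKEN]),
    ]:
        d = evaluate_sca(elems)
        print(f"{label}: {'strong' if d.strong else 'NOT strong'} {d.reasons}")
```

In the sample run, only the PIN plus hardware token combination passes; two knowledge factors fail the category condition, an app token and a fingerprint that both unlock through the same phone keystore fail the independence condition under this model, and a password transmitted in clear fails the confidentiality condition even though the categories and independence are fine.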
Going Beyond Compliance
Traditional banks will need to invest considerable resources in order to meet the requirements of the new directive, but it is really a question of point of view. While some banks regard open APIs as a threat because they enable third parties to access their data and systems, others view them as an opportunity to connect to FinTech enterprises in order to develop enhanced products and services for customers. Admittedly, banks will have to develop new APIs to achieve compliance, but this interface can also be used strategically to create and test new models and concepts independently.
Banks can boost cross-selling efforts and extend their reach into new markets by providing these APIs to third parties. And they can use consumer behavior and preference data accumulated from these activities to achieve insights into new consumer products and services. Obviously, a bank will have to design these open APIs to be attractive to the intended developer/user, whether they are built to achieve basic PSD2 compliance or achieve a larger, comparative advantage as an Additional Optional Service. It is fair to predict that the new PSD2 paradigm will usher in a new era for streamlined and competitive financial services, which should ultimately prove to be profitable for all of the parties involved, including retailers, customers, and fintech innovators, and even classic banking institutions, if they choose to rise to the challenge.