On 14 September 2019, new rules on payments entered into force. The rules are intended to make payments safer and more secure for consumers, and to encourage innovation in the EU payments market. Part of the revised payment services directive (PSD2), the rules introduce two key new elements: ‘strong customer authentication’, which is a two-factor authentication model, and ‘open banking’, which is regulated/conditional access to customers’ payment accounts by FinTech companies. Nicolò Brignoli, policy officer at the European Commission, explains in more detail.
Strong customer authentication
PSD2 was adopted at the end of 2015 in response to the fast-paced evolution of the retail payments market, particularly online. The rules are designed to encourage competition and innovation and reduce the level of payment fraud in the EU. Card payment fraud in the Single European Payment Area amounted to €1.8 billion in 2016, according to the latest available data from the fifth European Central Bank report on card fraud. The majority of these fraudulent transactions (73%) were so-called ‘card-not-present’ transactions. These are transactions where the cardholder does not or cannot physically present the card, for instance online transactions.
With PSD2, users are better protected when making electronic payments, both in ‘brick & mortar’ shops and online. The rules introduce strong customer authentication as the basis for both online payments and online banking. This means that to prove their identity, users have to provide at least two of the following:
- something they know (e.g. a password or PIN code);
- something they own (e.g. a mobile phone);
- something they are (biometrics, e.g. fingerprint or iris/face scan).
Strong customer authentication applies to online transactions above €30, although there are a number of exceptions (e.g. low-value transactions, trusted beneficiaries, etc.). For online payments, security will be further improved by ‘dynamic linking’. This means that a transaction requires a one-time password that is specific to both the amount and the recipient. It ensures that in case of hacking, the information obtained by a potential fraudster cannot be re-used to initiate another transaction.
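The dynamic-linking idea above, as an added illustration that is not part of the original article and not any bank's or PSD2's prescribed algorithm: the authentication code is an HMAC over a per-transaction challenge, the exact amount and the payee, so a code captured from one payment fails for a changed amount, a changed payee, or a replay. `DEVICE_KEY`, `make_auth_code`, `verify_auth_code` and the payee strings are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed illustration of PSD2-style "dynamic linking": the authentication
# code is an HMAC over a fresh per-transaction challenge, the exact amount and
# the payee, so it is valid for that one transaction only. DEVICE_KEY stands in
# for the secret held by the payer's registered device (the "something they
# own" factor); the knowledge factor (PIN) is outside this snippet.
DEVICE_KEY = bytes.fromhex("00" * 31 + "01")  # constructed test key, not a real credential


def make_auth_code(device_key: bytes, challenge: bytes, amount: str, payee: str) -> str:
    """Device side: derive a code bound to the challenge, amount and payee shown to the user."""
    # Length-prefix each field so that "1|23" and "12|3" cannot be confused.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (challenge, amount.encode(), payee.encode()))
    # Real deployments shorten this to a user-typeable one-time password; the full digest is kept here.
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(device_key: bytes, challenge: bytes, amount: str, payee: str, code: str) -> bool:
    """Bank side: recompute from the amount and payee it is about to execute, not from client-supplied fields."""
    expected = make_auth_code(device_key, challenge, amount, payee)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Show that a captured code cannot be reused for an altered or a new transaction."""
    challenge = secrets.token_bytes(16)  # the bank issues a fresh challenge per transaction
    code = make_auth_code(DEVICE_KEY, challenge, "49.99", "EXAMPLE-PAYEE-IBAN")
    return {
        "genuine": verify_auth_code(DEVICE_KEY, challenge, "49.99", "EXAMPLE-PAYEE-IBAN", code),
        "amount_altered": verify_auth_code(DEVICE_KEY, challenge, "499.99", "EXAMPLE-PAYEE-IBAN", code),
        "payee_altered": verify_auth_code(DEVICE_KEY, challenge, "49.99", "EXAMPLE-OTHER-IBAN", code),
        "replayed": verify_auth_code(DEVICE_KEY, secrets.token_bytes(16), "49.99", "EXAMPLE-PAYEE-IBAN", code),
    }


if __name__ == "__main__":
    print(demo())
```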
Strong customer authentication is already being used in some EU countries and could ultimately lead to a significant reduction in online payment fraud. For online card transactions, the roll-out of strong customer authentication will be progressive. The new rules bring other improvements that will ensure safer payments and higher standards for consumer protection. For instance, banks are now liable if a customer is the victim of online payment fraud and strong customer authentication was not carried out.
On 14 September, PSD2 also introduced new rules opening the EU payment markets to competition from innovative players, the so-called ‘open banking’ policy. In recent years, new services have emerged in the area of online payments, where FinTech firms – known as ‘third party providers’ – offer specific payment solutions based on access to a customer’s bank account data. Third party providers can offer ‘payment initiation services’, which allow EU consumers and companies to pay via credit transfers when buying goods or services online. They can also offer ‘account information services’, which – by giving a consolidated view of payment accounts held with different banks – provide users with a global view of their financial situation and can offer budgeting solutions and financial planning suggestions.
Until now, these FinTech companies faced difficulties when entering new markets, as they were operating outside of the financial services legal framework. Now, as they will have to follow the same rules as traditional payment service providers – in other words registration, licensing and supervision by competent authorities – they will be able to offer their services across the EU.