Newsroom

PSD2

Revised payment services directive will bring benefits for consumers and increase competition and innovation.

Related topics

Payment Services & SEPA

date:  28/11/2017

As of 13 January 2018, the revised payment services directive (PSD2) will apply in all EU Member States. This is good news for consumers, who will benefit from a wider choice of better payment services thanks to increased competition and innovation. In addition, PSD2 introduces high security standards for online payments. This will mean consumers can be more confident when making purchases online and using innovative payment services. Many of these benefits will only materialise gradually, as some implementing rules have yet to be finalised. This is the case, in particular, for the regulatory technical standards (RTS) on strong customer authentication and secure communication between payment services providers (mainly banks on one side and new third-party payment services providers on the other). The RTS should be published in February or March. After publication, market players have 18 months to adapt their systems to the new rules and deliver the full benefits of PSD2 to consumers.

Innovation in payment services

PSD2 was adopted at the end of 2015 in response to the fast-paced evolution of the retail payments market spearheaded by Fintech companies. The revised payment services directive increases security for consumers when making payments. At the same time, it allows them to use innovative services based on secure access to bank account-related information and payment operations. This greatly enhances the possibilities offered by a simple payment account. Simply put, banking as we know it will soon be a thing of the past.

PSD2 allows new service providers (called 'third-party providers') to be licensed across the EU. These are typically FinTech companies, but long-established banks can also offer new services linked to bank accounts. The new services that PSD2 regulates are payment initiation services (PIS) and account information services (AIS). PIS represent a cost-effective payment alternative for merchants. A consumer can choose to pay through a PIS rather than using a credit card or e-money wallet. In such a case, the PIS will initiate a credit transfer from the consumer's account to the merchant's. The PIS will confirm to the merchant that the money is on its way, allowing the purchases to be sent immediately. Account information services, or AIS, give customers an aggregated view of their accounts and available balances.

PSD2 defines strict rules under which providers of PIS and AIS may access an account to provide their services, obviously with the consent of the customer. The RTS sets out more detailed technical requirements for common and secure standards of communication between the providers of these new services and banks.

Banks are obliged to put in place a communication channel ('access interface') that allows third-party providers to access the data that they need to provide their services. Such access for third-party providers will always be made at the request and with the agreement of their customers. These communication channels, or interfaces, will allow banks to clearly identify which third-party provider accesses an account. They will also guarantee secure messaging at all times. Banks are free to choose how they allow third-party providers to access accounts on behalf of their customers. They can either establish a dedicated communication interface ('application programming interface' or API) only for third-party providers, or they can allow third-party providers to use the online banking interface that is also used by bank customers.

Many banks plan to set up, or have already set up, a dedicated interface for third-party providers. This is expected to lead to an open banking environment, particularly if banks adopt standardised APIs, as are currently being developed. At the same time, the infrastructure for instant payments and mobile payments is being put in place. As a result, consumers can look forward to much more convenient payment solutions. What remains to be seen is which market players take most advantage of these new opportunities – banks, FinTechs, internet giants, mobile phone producers or network operators.

Enhancing the security of payments

The modernisation of payment services can only be a success if the security of payments is not put at risk. The RTS therefore also outlines detailed security requirements for electronic payments (whether at a cash register or online). 'Strong customer authentication' will be the new security standard. This entails the use of two or more elements from three categories to validate a given payment transaction. These categories are: (i) knowledge (something you know, such as a PIN code or password); (ii) possession (something you own, such as a token or a mobile device); and (iii) inherence (something unique to you, such as your fingerprint, your iris or your voice). For online payments, the authentication of the transaction goes even further. A different code will be required for each payment. The code is linked to a given payment with its specific amount and specific payee. This 'dynamic linking' provides a very high level of protection against mistakes or fraud.
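The two checks described above, sketched as an added example that is not taken from the Commission text or the RTS: a two-of-three category test, and a per-payment code bound to amount and payee. The HMAC-SHA256 construction, the 8-digit truncation, the shared key and every name below are assumptions chosen for illustration; the payee identifier is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

CATEGORIES = {"knowledge", "possession", "inherence"}

def is_strong(elements):
    """True when verified elements span at least two distinct categories."""
    return len(set(elements) & CATEGORIES) >= 2

def canonical(nonce, amount, payee):
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f").encode()
    parts = [nonce, amt, payee.strip().upper().encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def auth_code(key, nonce, amount, payee, digits=8):
    """Code derived from this payment's amount and payee (assumed scheme)."""
    mac = hmac.new(key, canonical(nonce, amount, payee), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Authorizer:
    """Bank-side verifier: one fresh challenge, hence one code, per payment."""

    def __init__(self, key):
        self.key = key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, amount, payee, code, elements):
        if nonce not in self.pending:
            return False                      # unknown or already used
        self.pending.discard(nonce)           # one attempt per challenge
        expected = auth_code(self.key, nonce, amount, payee)
        return is_strong(elements) and hmac.compare_digest(code, expected)

if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed device key
    bank = Authorizer(key)
    payee = "XX00EXAMPLE0001"                 # constructed placeholder
    n = bank.challenge()
    code = auth_code(key, n, "49.90", payee)  # computed on the customer's device
    print(bank.verify(n, "49.90", payee, code, {"knowledge", "possession"}))
```

A code computed for one amount and payee fails verification if either value is altered before the bank sees it, and a used challenge cannot be replayed.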

Strong customer authentication (SCA) is not justified or appropriate in all situations. The RTS therefore also defines the precise conditions under which payment service providers can opt not to require SCA. For instance, there might be exemptions from SCA when fraud risks have been successfully kept low thanks to transaction risk analyses (monitoring mechanisms that enable payment service providers to detect unauthorised or fraudulent payment transactions and that analyse numerous factors related to the user, payment history, location, etc). There can also be exemptions for contactless payments of small amounts or for recurring payments to the same (trusted) payee.
