The review of PSD2

Eppo Heemstra
Connective Payments

The Call for advice on PSD2

In a series of Insights articles we have paid attention to the European Directive 2015/2366, which is better known as Payment Services Directive 2 (PSD2). The Directive has three main topics: consumer rights, security and access to payment data by so-called Third Party Providers (TPPs).

We have mainly focused on the latter aspect, because this reflects the ambition of the European Commission to drastically shake up the European payment landscape. The idea was that banks and other payment services providers (in jargon: Account Servicing Payment Service Providers, ASPSPs) make the current payment details of their customers available. TPPs can request a license to use that data, such as balance and credits and debits. With the explicit consent of the user, the TPP can obtain the data via an open API call. This will put an end to the relatively closed payment market and create a new level playing field (“Open Banking”) in which multiple parties can develop new, innovative services based on payment data.

At various times we have considered whether the PSD2 Directive has produced the desired results. Now, some 4 years after the actual implementation of PSD2 by the Member States, it is time to formally evaluate the Directive. The European Commission has submitted a request to this effect to the European Banking Association (EBA) (1). The EBA has until June 30, 2022 to report and advise on this. We are curious about the results, but think that you don’t need to have a crystal ball to be able to anticipate it to some extent.

The questions addressed in the review process

Article 108 of the PSD2 Directive already provides an advance on the questions to be addressed in the evaluation. These questions were then further elaborated, first in the communication on the Retail Payments Strategy of 20 September 2020 and finally in the “Call for advice to the EBA” of November 2021. (2)

The purpose of this Call for advice is “to gather evidence on the application and impact of the PSD2, and to identify areas where amendments to the PSD2 might be appropriate”.

In summary, the topics on which the Committee wishes to be advised are:

  • Access to payment data: are there in practice barriers to access to payment data for TPPs?Think of poor interoperability, deviating standards or data sets. The underlying question is whether credit institutions create barriers that impede competition. And if PSD2 were to be expanded to other areas, what would be the opportunities and challenges?
  • Scope and definitions: are there, for example, matters that do not fall under the PSD2 but should? Think of new products and services that arose after 2015 (BNPL?), or new types of providers. The Commission also wants to know whether it is necessary to change definitions or clarify or tighten parts of the PSD2 Directive. Perhaps some items should be deleted because they are no longer relevant due to changed market conditions.
  • Licensing, supervision: the granting of the AIS and PIS licenses and their supervision is the task of the national central banks. The question is whether this works as wished in practice. Central banks use different procedures for this. In practice, this can lead to lower or higher entry barriers per Member State. Is there any reason to harmonize this any further? The Commission also asks the EBA whether the enforcement of PSD2 by the competent supervisors could be improved and whether a sanction regime should be considered.
  • Reservations: The Commission explicitly asks for a review of Article 75, which deals with payments where the amount is not known in advance.
  • Security: Articles 97 and 98 deal with the application of Strong Customer Authentication (SCA). The Commission first asks whether there are safety risks that have not (yet) been addressed in the PSD2 Directive, and then whether there are unintended effects of the application of SCA. Here the Commission seems to be prelude to criticism from the sector that customer journeys are becoming unnecessarily complex as a result of the overly rigid regulations.

The evaluation process

The EBA is conducting a market consultation and will report to the European Commission, the European Parliament, the European Council of Heads of Government and the European Economic and Social Committee by 30 June 2022. It is to be expected that the EBA will also include the issues and recommendations issued by various EBA working groups. For example, the “Working Group on APIs under PSD2” issued seven reports between February 2019 and October 2021 on the Regulatory Technical Standard (RTS) for strong customer authentication and communication under PSD2 (SCA and CSC). Various technical topics are discussed, such as (reliability of) test platforms, downtime, authentication, certification and the machine readability of the API specifications. (3)

As already implied in the purpose of the evaluation, the Commission will accompany the report with a proposal to amend the PSD2 Directive.

Prediction

The report that the Commission will publish will undoubtedly discuss in detail the positive impact that the PSD2 Directive has had on the payments market. Europe is proud to be the cradle of the Open Banking revolution. Indeed, there is no doubt that PSD2 has had a significant impact on the European payments industry. There are now over 300 companies in Europe that are authorized to provide account information (AIS) or payment initiation services (PIS). Payment services, which practically did not exist before the introduction of PSD2. The only question is whether it will all go fast enough. Has PSD2 delivered what was expected so far? The EBA and the Commission will elaborate on practical and legal barriers and make proposals to remove them.

Based on our contacts with various participants who have gained experience with PSD2, we venture this prediction:

  • Access to payment data: Much work has been done within the EBA in recent years to clarify the Regulatory Technical Standards. The practice is nevertheless that banks and other ASPSPs use different API formats, include or exclude various data in the datasets and report differently about the PSD2 service. Another example is the so-called 4-requests rule. For API calls that are not triggered by the user himself, a limit of 4 requests per 24 hours applies. This rule limits the ability of TPPs to provide their customers with instant feedback and push notifications, based on real-time data. Some ASPSPs allow more than 4 requests, others do not. Finally, the technical documentation that the ASPSPs make available is in many cases unclear and not up to date. As a result, the IT costs for new entrants are higher than necessary. It is expected that the Commission will call on the sector to implement the RTS 1 on 1 and possibly attach sanctions to it. The situation in the UK, where the Open Banking Implementation Entity (OBIE) has established unambiguous technical standards and also enforces compliance, can serve as an example. It remains to be seen whether the 4-requests limit will also be extended in the future.
  • Scope and definitions: not all account types fall under the definition of “payment account”, and therefore under the PSD2 Directive. For example, mortgage accounts are excluded. With credit cards it is less clear whether the PSD2 rules apply. Or take savings accounts. For a TPP like Buddy Payment [link to Buddy Payment article] it is essential to have a complete picture of the financial situation of the customer (the Buddy app helps people with problematic debts to get a grip on their income, expenses and available budget ). In addition to a current account, most Dutch people also have a (virtual) savings account that is linked to it. Because that savings account does not have an IBAN format, it is not accessible in the Dutch APIs. This means that an essential part of the financial housekeeping book is missing from the app. The same applies to managed accounts, with which administrators collect income and make payments of, for example, fixed costs on behalf of their clients. It can be expected that the Commission will want to expand the scope of PSD2 so that TPPs gain as complete a picture as possible of a user’s financial situation. The more complete the insight, the more valuable the service that is based on it. Other services such as mortgages, loans, insurance and asset management may also be included in the scope, and the Commission will thus want to pave the way to “Open Finance”.
  • Licensing and supervision: an AIS or PIS license obtained in the Netherlands is valid in all EU member states. However, differences in interpretation have arisen with the introduction of the PSD2 Directive into the national legislation of the various countries. We have already mentioned credit cards as an example. In one country credit card data is made available, in another it is not. As a result, TPPs operating in multiple countries are forced to implement different versions per country. The Commission will want to remove these differences of interpretation by clarifying the PSD2 Directive where necessary.
  • Reservations: the well-known example of a reservation is a refueling at an unmanned petrol station. The issuer temporarily blocks a fixed amount, for example € 150, on the customer’s account. That reservation is later replaced by the actual coupon amount. The EBA will most likely go along with the Commission’s suggestion to set a maximum limit on the amount to be set aside.
  • Security: several stakeholders have probably pointed out in the review process that the authentication requirements for TPPs are unnecessarily complex. Compared to the authentication of a PSU (Payment Service User) with direct access to his payment account, the customer journey of a TPP has extra steps, extra security measures and vague and ambiguous messages. The EBA writes about this on 30 July 2021: “As clarified in the EBA Opinion on obstacles, the authentication procedure with the ASPSP as part of an AIS/PIS journey should not create unnecessary friction or include unnecessary steps, including multiple SCAs, or require the The EBA deemed such unnecessary steps or information required as obstacles under Article 32(3) RTS on SCA&CSC.”

    The question is indeed whether the security requirements imposed on the customer journeys of TPPs are not partly double. Does it make sense for a TPP to repeat all AML compliance requirements that the supplying ASPSP has performed before making the data available? In some cases yes, for example because the TPP has insight into multiple aggregated accounts. The ratio is less clear with other checks, such as with sanctions checks. In any case, this obligation means a high cost item for the TPP, and therefore a high barrier to entry.

    Another obstacle is the so-called “90-day re-authentication rule”. The PSD2 guideline states that the user must renew his consent for the use of his account by the TPP at least every 90 days. Things get even more inconvenient when a user has multiple accounts, all of which are aggregated by the TPP. The 90-day reauthentication period is not synchronized. This means that the user has to verify his consent separately for each account at different times. This requirement creates unnecessary friction in the customer journey of AIS applications. The EBA has proposed extending this 90-day rule to a minimum of 180 days, but the advice may further refine this.

“The 90-day rule is unnecessarily rigid. Ideally, a user should be able to indicate how long the permission is valid for. This can also be a one-off, or for an indefinite period until cancellation.”

Marco van Etten, CDO of Buddy Payment

PSD3?

The PSD2 Directive has changed the European payment landscape. Nevertheless, European payments, both in physical stores and online, are still dominated by a limited number of non-EU players, with MasterCard and Visa leading the way. There has been no complete makeover of the payment landscape based on the legal PSD2 basis. For a long time, the European Payment Initiative (EPI) seemed to be the vehicle through which the European Commission’s wish for a pan-European payment system would be fulfilled. Now that the development of EPI in a slimmed-down form is only being continued in a limited number of countries, this European ambition has slid further out of the picture. The Commission may well use the evaluation of the PSD2 Directive to breathe new life into this old wish. In other words, a new revised version of the Payment Services Directive (PSD3?) as a legal framework for pan-European instant payments in all currencies of the EU Member States, and as a basis for increasing competition and innovative power.

We are currently seeing a transition to real-time payments worldwide. While preparations for the massive rollout of FedNow instant payments in the United States in 2023 are underway, Europe should not be left behind in this regard. The European Commission will want to prevent the well-known law of the handicap of a head start from taking its toll.

June 2022

Notes

(1) In addition to the Call for advice to the EBA, the Commission has launched  targeted consultations on the review of PSD2 to professional stakeholders (deadline 5 July) and to the general public and a broad range of stakeholders (deadline 2 August).

(2) Source: https://ec.europa.eu/info/sites/default/files/business_economy_euro/banking_and_finance/documents/211018-payment-services-calls-advice-eba_en.pdf

(3) Source: https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/eba-working-group-on-apis-under-psd2

Connective Payments is happy to help innovative entrepreneurs obtain a PSD2 license. Connective Payments also develops, builds and implements products in co-makership with clients based on the possibilities that PSD2 offers.

For our service offering, click here.
Download our free PSD2 whitepaper here:

Eppo Heemstra

Eppo Heemstra

Partner Connective Payments
Partner, PSD2 lead & Compliance
+31 620 352 007
eppo.heemstra@connectivepayments.com

Leave a Reply