The regulation was originally set to come into force between 13th January 2018 and 14th September 2019. Three years on from the initial deadline, certain elements of PSD2 are still causing difficulties for merchants and consumers alike.
This 4-part blog series explores PSD2, reviewing each major element of the regulation and identifying any merchant concerns. This first blog post provides a background to the PSD2 regulation with the remaining three blogs providing a review of each of the major elements of PSD2.
Aim of the Regulation
PSD2, as the name suggests, was an update to the first Payment Services Directive (PSD1) adopted in 2007. PSD1 encouraged greater transparency and competition in the payments sector and provided the foundation for further regulation introduced by PSD2.
The Main Objectives of PSD2 Were as Follows:
- To contribute to a more integrated and efficient European payments market
- To improve the level playing field for payment service providers (including new players)
- To make payments safer and more secure
- To protect consumers
"The continued development of an integrated internal market for safe electronic payments is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit fully from the internal market."
Recital 5, Directive (EU) 2015/2366
To deal with the objective of making payments safer for consumers, PSD2 introduced a mandate for Strong Customer Authentication (SCA). This effectively meant consumers would have to authenticate themselves using two-factor authentication whenever they wanted to access a payment account online or initiate an electronic payment transaction. SCA requirements meant that any such transactions would need to be authenticated using 2 of the 3 distinct methods below:
- Possession – Something the consumer owns, e.g. a card or mobile phone.
- Knowledge – Something the consumer knows, e.g. a password or answer to a security question.
- Inherence – Something the consumer is, e.g. a fingerprint or iris scan.
The European Commission tasked the European Banking Authority (EBA) with producing Regulatory Technical Standards (RTS) to provide further detail on this SCA mandate. The RTS set out several transaction use cases that were either exempt from SCA or out of scope, such as contactless transactions (subject to individual and cumulative limits), low-value transactions (subject to a cumulative limit), and low-risk transactions (Transaction Risk Analysis). More details on these will follow in our next blog post.
PSD2 also introduced a ban on surcharging cards that were covered under the Interchange Fee Regulation (IFR) of 2015. This meant that merchants would no longer be able to charge European consumers a fee for using credit or debit cards. (Some member states have extended the ban on surcharging beyond consumer credit and debit cards issued under a four-party card model, as is their right under Article 62(5).) Furthermore, for transactions on which surcharging was still allowed, the amount of the surcharge would not be allowed to exceed the cost incurred by the merchant in accepting that payment method. The surcharge ban would, therefore, allow consumers greater choice in using the payment instrument they desired without incurring any extra cost.
The rationale behind introducing this ban on surcharging, however, extended beyond the desire to allow consumers greater choice. There were different surcharging practices across Europe, leading to situations where a cross-border ecommerce merchant located in an EU member state that permitted surcharging would surcharge consumers in member states where this was not permitted. Therefore, the surcharging ban would arguably allow for more uniformity and less confusion across Europe. Furthermore, the Commission argued that the IFR had capped the bulk of the cost merchants faced in accepting card payments through its regulation of interchange fees. Therefore, merchants would have no cost-based need to surcharge card payments. Finally, the Commission also suggested it had seen evidence of merchants surcharging beyond the cost incurred in accepting these payments.
PSD2 mandated banks to provide third party providers with access to customer account information. The idea behind this was to allow third party providers more scope to innovate and provide consumers with value-add services. This would also encourage greater innovation from traditional banks to retain business. Two new business models were formalised as part of the regulation: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
Both PISPs and AISPs would be able to access accounts on behalf of customers, with the key difference being that AISPs would not be able to initiate transactions on the accounts. Instead, AISPs would simply provide value-add services to consumers, such as aggregating information from multiple banks into a simple dashboard. The main beneficiaries of this new business model would be consumers, with greater visibility over their accounts and a greater incentive for banks to provide services similar to those offered by AISPs. Like AISPs, PISPs also have access to consumer accounts, with the difference being that PISPs are authorised to initiate transactions on these accounts. Given that PISP payments avoid both the card schemes and acquirers, the main beneficiaries of this model would be merchants. Bypassing both schemes and acquirers would allow merchants to avoid the various fees charged by acquirers and schemes when accepting card payments, providing a strong cost benefit in leveraging PISP payments in place of traditional card payments.
It is evident that PSD2 was a huge piece of regulation intended to bring much needed change to payments in Europe. Strong Customer Authentication was intended to make payments more secure while the ban on surcharging was intended to provide greater choice to consumers in using the payment instrument of their choice. Finally, opening bank account access to third party providers was intended to provide greater transparency and innovation in payments for both consumers and merchants alike.
This blog series will review each of these major changes, three years on from the regulation, and outline the degree to which the changes have been successful as well as any concerns stakeholders have in the application of these changes.