The revised Payment Services Directive (PSD2) is changing the rules of the game for the payment industry. By September 2019 Payment Service Providers (PSPs) in the European Economic Area (EEA) have to comply with the directive’s requirements for strong customer authentication (SCA) and provide third party access to consumer financial accounts or risk losing their payment provider licence.
The two specific changes with PSD2 are:
- SCA: Applying multi-factor authentication, requiring at least two of the following independent factors of authentication: Knowledge (password, pin), Possession (smartphone or hardware token), or Inherence (fingerprint/facial recognition, behavioral biometrics).
- Access to the account: The right for Third-Party Payment Service Providers (TPPs) to access the payment account held by the Account Services Payment Service Providers (ASPSP) (ex: banks, credit issuers) with consumer consent. The TPPs must provide the same service level as regular online banking.
The new directive is a response to some key market trends. One of these was the arrival of the Application Programming Interface (API) economy, facilitating third-party access to bank accounts. Open banking is a common topic within retail banking and payments. By having an open API this gives the third-party developers access under specified conditions. Companies such as Amazon, Google and PayPal use APIs as part of their core product proposition, and banks have already begun exposing their data for use by third party providers (TPP) through open APIs.
SCA requirements will likely increase consumer friction in the payment process. However, there are multiple options to ensure consumers continue to have a seamless experience while businesses stay in compliance. PSPs can seek exemptions from SCA by employing whitelisting, where a customer designates a business as a trusted beneficiary. A good example of whitelisting is when merchants rely on card-on-file payments. Merchants can also offer payment options that do not fall under the SCA requirements such as direct debit (for instance subscriptions and utility bills). Though there is a credit risk that the merchant could incur with either of these options, this could be an acceptable trade-off if it helps reduce friction in the customer journey.
To learn more about how PSD2 will impact the payments market worldwide, download the full Aite report iovation, a TransUnion company, developed with research and advisory firm Aite Group.