The EU’s second payment services directive (PSD2) included revolutionary concepts – but also accusations of adding friction for consumers. With the European Commission having closed its public consultation on PSD3, we ask what it might contain – and will it deliver?
The EU’s first payment services directive, PSD1, came into force in 2007 and aimed to build the groundwork for a single European retail payments market.
Its successor, PSD2, brought Open Banking into play and aimed to secure online transactions via its mandate for Strong Customer Authentication (SCA), a contentious if well-meant regulation we’ll revisit soon.
Now that the European Commission has closed its public consultation for PSD3, “son of” PSD2 – and Europe’s payment players have given their views.
PSD2: a qualified success…
To judge from the European Banking Authority (EBA)’s response, industry will be looking for PSD3 to do the job begun by PSD2, provide greater clarification in certain areas – and go further towards Open Finance.
In a letter worth quoting at length, the EBA state that “there are significant issues that should be addressed to more fully achieve the objectives of PSD2 of enhancing competition in retail payments vis-a-vis incumbents, facilitating innovation, increasing security of payment transactions, protecting consumers, enhancing customer convenience, ensuring technological and business model neutrality, and creating a single EU retail payments market.”
Wow. That’s quite a list.
Buried in such generalised corporate speak we might find more specific problems, such as banks’ impression that PSD2 disadvantaged them from a regulatory point of view when competing with “giant pays” like Apple Pay and G-Pay.
That’s because banks are subject to far more regulatory scrutiny (read: cost) than tech companies.
Where the EBA speaks of “increasing [the] security of payment transactions”, they mean SCA needs to be reconsidered – and indeed, later in the same document they call for clarification of when and how various exemptions to SCA should be applied, whether such exemptions are optional or mandatory and, in brief, a re-think of how SCA works.
“SCA compliance was above 80 percent by mid-2021”
In itself, this can hardly be a surprise.
Although PSD2 came into force on 1 January 2018, it took over four years for SCA to be fully implemented, with exemptions being granted to merchants in many markets.
There was a round of the blame game, with merchants, banks and national regulators all accusing each other of lack of clarity, poor communication and other ills.
All of which said, fraud prevention alliance the MRC estimated that SCA compliance across the EU was above 80 percent by mid-2021 – not a bad average.
Open season
SCA may have been cumbersome to implement – but the Open Banking side of PSD2 has been more successful, albeit slower to be fully implemented.
The latest Mastercard/Konsentus study into Open Banking implementations in Europe reveals that hundreds of companies have successfully registered as Third Party Providers, with the UK – which is ploughing its own furrow in Open Banking after leaving the EU on 1 January 2021 – leading the pack.
While the UK has made a roaring success of implementations, with around ten percent of consumers already using Open Banking and some 130 applications already in-market, the rest of Europe has been somewhat slower to grasp the opportunity.
At a minimum, we should expect PSD3 to open the way for easier Open Banking implementations – though it already looks as though this is going to happen via multiple open API sets, and not a single open API set as the EU may have initially envisaged.
Based on the questions asked in the EC’s consultation, PSD3 is likely to feature a full review of the provisions and implementation of SCA, contactless payment limits, speeding up cross-border transactions, the regulation of “alt pays” such as BNPL and crypto, and more.
These are likely to be combined with a review of the path to Open Finance, which is the subject of a closed (i.e. industry-only) consultation.
Long walk to PSD3-dom…
Given that PSD2 was subject to public consultation in 2015, enacted in 2018 but not finally implemented in any meaningful way by the end of the second quarter of 2022, we can expect PSD3 to come fully into force perhaps by the end of 2029 or 2030 – quite some distance away.
Nagging questions remain, though, including the extent to which exemptions under PSD2 will remain in the new framework, and how far the UK will continue to follow EU regulation or seek competitive advantage through divergence.
These bigger questions aside, some in the industry continue to seek clarity on issues exposed in PSD2. As Charles Damen, Chief Product Officer at Token.io puts it, “PSD3 must address the issue of regulatory equivalence and ensure a better user experience across the board.
For instance, some regulatory regimes permit a “tap and go” open banking payment, while others require users to enter the recipient’s IBAN. There needs to be a level playing field across the EU.”
Lena Hackelöer, founder and CEO of Brite Payments, adds: “For TPPs, PSD3 is a welcome development, expected to focus on the clarification and streamlining of existing PSD2 concepts.
The revision is set out to address some legal uncertainties in the current directive, which will lead to more consistent application of the rules, both by institutions and supervisory authorities.
We believe this will prove beneficial in clarifying industry approaches, however, further analysis is required on how TPPs will be affected by some of the proposed regulation e.g. data sharing, standardization of APIs and the shift in application of SCA and liability.”
The UK – stealing a march, or following along?
Having formally left the European Union on 1 January 2021, the UK retains – at time of writing, at least – most EU regulations in its statute book.
However, the current government could be in power until early 2025, meaning there’s time for it to fulfil its manifesto pledge to scrap more than 1,000 EU regulations as part of what it calls “the Brexit dividend.”
It’s worth recalling that the UK moved independently to introduce Open Banking legislation for its top nine banks in 2017, one of the reasons it is now so far ahead in that area.
Will Britain now choose to steal a march on the EU in the drive to Open Finance and greater transaction security, or will it follow any future provisions in PSD3 to achieve smoother trade with its continental partners?
While it seems a technical detail, geeky or of interest only to we payments nerds, PSD3 could be one of the defining moments in shaping Britain’s relationship with the EU in the decade ahead.
The post Feature: Easy as PSD 1… 2… 3…or is it? appeared first on Payments Cards & Mobile.