With the changing consumer habits and IT sector (r)evolution of the 21st century, markets live through new innovative services and rapid digitalization. One of such markets currently undergoing a switch of old ways is a market of payments. Many changes come from a new law, Payment Services Directive 2 (PSD2), enforcement in the EU by the very start of 2021.
PSD2 is an innovation that aims to curb banks’ monopoly over their customer data and simplify the infrastructure of consented customer data sharing between different parties, from new FinTech startups to banks. However, with lukewarm or even hostile responses from current market players, this new directive brought as many opportunities as it did challenges, especially in implementation and smooth expected operation.
Historical background
As its name suggests, PSD2 is a continuation and expansion of a previous law passed in the EU in 2007, called the Payment Services Directive (PSD1). PSD1 aimed to set a new technical standard for a payment landscape within the union. It was done to enable the banking sector to install the Single Euro Payment Area (SEPA).
PSD1 was built on the idea of achieving higher transparency on fees paid by the customer during payment and more robust protection of the consumer’s data and account access. It also aimed to increase competition through a lower barrier of entry into the market for a new payment provider. In addition, it made sending and receiving payments easier and safer within the EU members’ internal borders.
The rapidly changing landscape of the payments market
The period of 10 following years after the introduction and enforcement of PSD1 proved to be a real technological boom. Rapid digitalization and innovations of financial services and institutions made parts of the old directive obsolete. Consequently, regulators moved in to make needed changes and accompany the changing landscape of the payment market with PSD2.
PSD2 was supposed to go into effect on the 14th of September 2018. However, after a vague implementation, lukewarm response from the market incumbents, poor communication by regulators of the urgency and severity to the parties involved, especially the consumers and online retailers, the deadline was moved to the 31st of December 2020.
Changes and opportunities of PSD2
PSD2 aims to bring the EU’s single market to the speed and requirements of the digital age. It is also an important step towards realizing the single digital market in the EEA. The directive brings many new opportunities for different businesses to enter the market and become Payment Service Providers (PSPs) rather than just banks as it was with PSD1, which means boosting competition and innovation.
There are also two new regulated financial market participants: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), collectively called Third Party Providers (TPPs). PSD2 goals are achieved by forcing banks to create Advanced Programming Interfaces (APIs) in their system, enabling the sharing of consented customer data. New market participants would have the ability to request access to either customer’s account data or initiate payment into or out of the customer’s bank account.
PSD2 also focuses on increasing the security laid out in PSD1 of consumer’s financial data, account access, and payment authentication. Therefore, a two-factor Strong Customer Authentication (SCA) was required to be implemented for most digital transactions in the EEA. The new directive also bans card transaction surcharges for Business-to-Consumer (B2C) transactions. Additionally, retailers may now directly ask customers for consent to use their bank information rather than making the transaction through the bank’s provided payment system.
No more screen scraping
PSD2 also prohibits screen scraping, a controversial and insecure practice to provide the same services now described and regulated in PSD2. This practice worked by impersonating a person using a web browser to access the bank’s website to extract data or perform actions as if it was the user itself. Instead, banks will now have to provide APIs with the needed information or interactivity to provide services laid out in PSD2 more safely and effectively.
Challenges of PSD2
The release of PSD2 was seen as a possible threat to banks’ competitive advantage and simply additional costs to be allowed to operate. Not surprisingly, with such a view of the new directive, the industry incumbents greeted it with lukewarm or even hostile responses. Therefore, PSD2 is a modern example of “imposed innovation”. Imposed innovation is an innovation ordered by non-market stakeholders or pressure groups such as the regulatory body European Banking Authority (EBA) in the case of PSD2. However, the influenced market participants, such as banks, do not see it as profitable or advantageous to their business model.
No set standard for the compliance of PSD2
The EU policymakers tried to boost innovation within the banking and payment industries by passing PSD2. Unfortunately, regulators made several critical mistakes hindering the implementation of the new law by the market participants. The majority of the banks did not fully understand the implications of the PSD2, so they had to interpret the policy and establish a framework of actions to comply with it independently. It was inefficient, as every participant had to interpret it individually without a set standard, slowing the adoption pace.
Communication failure by the regulators
Moreover, PSD2 influenced not only banks or possible TPPs, but also all industries that were using online payments. They were supposed to implement policies, such as SCA, from the new directive into their systems just like banks. Regrettably, those parties were not knowledgeable enough about the changes needed because the regulators did not communicate new requirements adequately, which led to uncertainty and delay of PSD2 enforcement. Therefore, the adoption of PSD2 by the market incumbents was passive or even actively ignored.
Covid-19 crisis
The global coronavirus pandemic has also played a part in the slowing of implementation of PSD2 within the markets. Many countries unexpectedly fell into rapid lockdowns in fear of complete healthcare system failure, greatly affecting global and local economies. The priorities of governments and companies changed. Many market participants, fearing bankruptcy and trying to survive, forced PSD2 compliance down the pecking order of their short-term priorities, mainly because it was seen as an additional burden rather than an opportunity for growth. The full implementation of PSD2 is not expected to be complete any time soon due to the ongoing global crisis.