Since its announcement in 2015, European Union’s Payment Services Directive 2 (PSD2) has become the most debated and discussed topic at conferences and board-rooms around the world – well beyond the boundaries of the European Economic Area and the Financial Services Sector.
For an introduction to PSD2, see PSD2 101 but at a high-level, PSD2 enforces financial institutions to deliver the following capabilities:
- Open access to account information (everything you see on your statement).
- Allow access to payment services via APIs. This includes receiving, sending and checking status of payments in flight.
Under PSD2, account owners can authorise one or more third parties for either or both capabilities in return for potential value-add-services. For example, allowing a third party to access account information means that, particularly in the scenario of multi-bank/ multi-account individual who currently uses different apps from different banks/ product-type to check balances and transactions can use a single app. Similarly, allowing a third-party to initiate payments directly from the bank account without using long-card numbers has its merits.
PSD2 appears to create a level playing field for all market participants. It is democratising customer data held by banks (with permission) and gives customers choice in how they use some banking services without necessarily using their banks. However, there are some fundamental challenges that will prevent PSD2 to be as ground-breaking as it could have been. These are:
1. Customer Education and Motivation
There is little to no effort being put in to generate awareness about PSD2 that a person on the street can understand. Buyers need to understand the differences between current mechanisms to make payments and the new direct-from-account style payment in the post-PSD2 world. Pro-and-Cons need to be articulated in very simple terms so it is clear to all age groups and backgrounds. PSD2 can benefit the underbanked segment of our society who do not have credit cards and often only have ATM cards that can only be used in certain high-street stores. Being able to pay directly from the bank account will enable them to participate in eCommerce and potentially get better deals.
Similarly, businesses who accept payments from customers need to understand the alternative way to accept payments electronically. They will need to work out how to integrate PSD2 style of payment in their customer journeys. Some retailers with physical stores may also want to offer this style of payment to customers in store via an app for convenience. Currently, other industries appear unaware that these changes are happening in the payments industry. Clearly, incumbents who provide card processing systems to these businesses, may not be motivated to explain the alternative payment option due to the risk of cannibalising their own revenue streams. Fees for processing PSD2 style payments are capped at 2bp (2p for every £1) compared to 1–4% (depending on the scheme) that businesses may be paying today. This can be significant reduction in cost – particularly for those with large volumes of card transactions. In recent years, we have seen several retailers disputing interchange fee and taking legal action. PSD2 may force schemes to lower their fee and increase focus on B2B value-added services and customer loyalty.
As we have seen from the UK’s current account switching service, it takes times for consumers to trust and use a new service even if it benefits them. Launched in 2013, after continuous campaigns across TV, Ratio, Newspaper and online, as of May 2017, at the time of writing this blog, only 3M current accounts were switched using this service. Some people in the industry would regard this as a failure. An estimated £800m have been spent on the scheme so far.
Also, just because there is an alternative way to pay, does not mean that buyers will use it. Using a card issued by a major scheme does have its merits – fraud protection/ loyalty/ concierge to mention a few. Also, to pay direct from your account, the buyer will need to have cleared funds in their account. A credit card issued by a scheme can act as a short-term buffer for many. Whilst retailers would benefit the most from PSD2, they are unlikely to pass on any cost benefits to the buyers – further deter a buyer from paying direct.
2. Universal” APIs and Data Model
Approximately 4,000 financial institutions across EEA are affected by PSD2 and need to expose access to account information or, both account information and payment services via APIs. With no universal standard across EEA (except the UK), all institutions could comply to the regulation in their own way. For example, to comply there are likely to be 6 – 12 APIs. For example – validateTPP, getAccountInfo, getAccountTransactions, getCustomerInfo, initiatePayment, checkPaymentStatus, registerCustomer, checkConsent, unRegister, etc.) there could be at least 4,000 x 6 = 24,000 APIs. And, if we assume that each API will have three versions – current, new and old version for interoperability/ support reasons. This creates at least 24,000 x 3 = 72,000 APIs. Anyone looking to create a universal payment app, or an aggregation app will be consumed by the mammoth task of integration.
Therefore, this may create further fragmentation and oligopoly. In the UK, there is a slightly better environment. UK’s Competition and Markets Authority, is setting those standards and at least 9 UK banks will adopt those standards with a hope that the rest will follow. See these standards here – https://github.com/OpenBankingUK/opendata-api-spec-compiled
Without a consistent, standard API and governance model – this will be a spaghetti mesh of complex integration touch-points and be counter-productive to innovation in the industry and potentially put off new entrants. Several FinTechs in Europe have started a campaign claiming that PSD2 will force them to be dependent on banks. For more details, visit http://www.futureofeuropeanfintech.eu
3. Additional Competing Regulation
Shortly after PSD2 comes into effect, in May 2018, General Data Protection Regulation (GDPR) will be in force. GDPR is a cross-sector regulation that puts more responsibility on data controllers (a retail bank, for example) and processors (an AISP, for example).
GDPR gives customers the right to ask a service provider (bank, retailer, insurer etc.) what data they have about them (data access), request to be forgotten (data erasure) or, port their data to another financial institution.
For a financial institution, it includes physical letters/ emails a customer may have sent to the bank, phone calls that may have been recorded, externally sourced data and interaction/ product/ transactional data. Discovering these data sources, making them accessible in a safe and secure manner is a grand technical challenge.
In context of PSD2, a third-party accessing customer data even with their consent, needs to comply with GDPR. They will need to tell the user what data they are gathering, for what purpose, for how long will the data be kept, who is it shared with and what processing is done on the data. In addition, they must refresh consent every 90 days. Complying with GDPR is onerous and resource intensive. Non-compliance penalties are hefty – 20M Euros or, 4% of annual worldwide turnover.
Onerous nature of GDPR will deter new entrants and new services. Particularly from large financial institutions until they have fully understood the implications of GDPR.
Open Banking and PSD2 has the potential to transform the Financial Services Sector across Europe and beyond. I view this as a once-in-a-lifetime opportunity to shape the future of Finance. The affects are also far reaching. Financial institutions from as far as Japan, Australia, South Africa are already expecting a PSD2-equivallent in their geography. Accepting the inevitable, many organisations have already engaged with their regulators and industry bodies to influence and shape their thinking. However, all eyes are set on Europe for the next few months.
Due to the reasons explained above, I believe that it is very unlikely that PSD2 will have a major impact soon after its implementation deadline for the following reasons:
- Lack of Europe-wide standards for Security, Data and APIs (in that order) will hinder innovation.
- Financial institutions will focus on compliance and will not fully embrace the spirit of PSD2. Additional risk and liability requirements only underpins this.
- Educating the consumers will take much longer than anticipated and much to retailers’ dismay, consumers will not have strong motivations to pay direct.
- Schemes will enhance their customer protection, fee and loyalty programmes.
- Lack of understanding of GDPR and its implementation will delay the introduction of value-added services.