7 Things Corporates Need To Know About PSD2 and Open Banking

PSD2 is a HOT topic at the moment, and will continue to dominate discussions for the foreseeable future. The revised European Payment Services Directive (PSD2) is a multifaceted regulation with implications for banks, technology companies, financial institutions, regulators and, most important of all, you and me – the end customers. At first glance, the PSD2 focus seems entirely on retail, but there are some things that corporates need to know too!

What is PSD2?

In short, PSD2 (the revised Payment Services Directive) aims to:

  • Simplify and harmonise the rules and regulations for payment services across the European Union
  • Lower costs to the end customer and improve customer security
  • Promote competition and innovation in payments and financial services
  • Enable new players (TPPs – Third Party Providers) to enter financial services by allowing them to:
    • Initiate payments (Payment Initiation Services Providers – PISP)
    • Access bank account information (Account Information Service Providers – AISP)

Keep in mind that PSD2 – the revised Payment Services Directive – came into effect on 13-Jan-2018.

How will PSD2 and Open Banking Affect Corporates?

1. PSD2 Rules Apply to ALL Currencies into/out of the European Union

  • Previously the Payment Services Directive (PSD) rules applied to European Economic Area (EEA) countries and their respective currencies (for example GBP, PLN and of course EUR) only
  • Now the revised Payment Services Directive (PSD2) rules apply across the board, to:
    • Payments within the EU/EEA country currencies where the Payment Sending and Beneficiary Banks are in the EU/EEA
    • Payments in any currency where the Payment Sending and Beneficiary Banks are in the EU/EEA
    • Payments in any currency where either the Payment Sending OR Beneficiary Bank is in the EU/EEA
      • You may hear these payments referred to as “One Leg Out” transactions

2. All Payments, irrespective of currency, will use “SHA” Shared Payment Charges

  • Previously the Payment Services Directive (PSD) rules mandated that all intra-EEA currency transactions used the SHA (shared total cost of transaction) charges option
  • Now the revised Payment Services Directive (PSD2) requires that all intra-EEA transactions use the SHA charging option
    • The SHA charging option means that the Payment Originator pays their bank charges and the Payment Beneficiary pays their bank charges
  • Effectively if you were instructing payment fees or payment charges as:
    • BEN – Now along with the beneficiary, the sender of the payment will incur payment charges
    • OUR – Now the beneficiary will not receive the full amount, they will incur payment fees
    • SHA – No change

You can read more about the difference between BEN, OUR and SHA to understand how these values are used today to determine who will bear the payment charges.

3. An Open Banking Revolution Through APIs

Most of the below, unless otherwise stated, will come into effect from September 2019 as part of the PSD2 RTS – Regulatory Technical Standards.

In short, banks must implement channels using API technology that will grant non-bank players (the so-called Fintechs) open access to their customers’ bank accounts. Importantly, these new entrants must be registered by local authorities and must have explicit authority from their customers/corporates to access their account details. See further details below…

It is clear to see that the banks are worried because Fintechs see the massive potential to disrupt banking. Fintech companies, through their customer focused solutions, utilise new technology, and they have an innovative outlook on longstanding problems in various areas across the financial services landscape. Many new players in financial services are focusing on specific customer pain-points and are not hampered by the legacy systems that are stifling many incumbent financial institutions.

This is revolutionary because it literally opens up banking to non-bank participants!

4. New Partners: Payment Initiation Service Providers (PISPs)

This gets to the heart of the PSD2 objective around promoting innovation and competition in financial services, and will allow new players (the Fintechs) to sit in the middle of the traditional relationship between the bank and their corporate customers.

Where access is granted by the customer or corporate, PISPs have the ability to make a payment from their customer’s bank account.

With PSD2 the European Union is facilitating Payment Service Providers (PSPs) to offer new solutions and, where access is granted, offer non-bank entities “open access” to traditional banking operations.

5. New Partners: Account Information Service Providers (AISPs)

This is the second part of the “Open Banking” revolution, where non-bank entities will have the ability to access and aggregate balance and transactional account information from many banks into a single portal.

In the past corporates have worked with multiple banks to provide a bank statement (BAI2, MT940, CAMT.053) and manage any bank specific limitations. Now, with AISPs, you would like to think that the bank limitations are removed and you have an AISP partner that can deliver account statements in multiple formats in a timely and secure manner.

As above, Fintech providers will sit between the bank and corporate and have the ability to provide value added solutions to their customers.

6. Enhance Security through SCA – Strong Customer Authentication

This is all about implementing Two Factor Authentication: in order to validate yourself when accessing online portals, you must have at least 2 of the following:

  • Knowledge – something only the user knows, e.g. a password
  • Possession – something only the user possesses, e.g. a token
  • Inherence – something the user is, e.g. a fingerprint

For further information, take a read of “WTF does PSD2 say about 2FA?”

7. Payment Dispute Resolution

These rules come into effect from 13th July, 2018.

In the past payment service providers (PSPs) were obligated to respond to payment complaints within 8 weeks. This has now been drastically reduced to just 15 business days, and in exceptional cases to 35 business days.

Things you wanted to know about PSD2

You’ve seen the PSD2 abbreviation a few times, you know that it’s related to payments, but have no idea what it stands for and how it could impact your business? At first glance, it might seem a bit complicated, but don’t worry — we’re here to help!

So, let’s start from the beginning.

The PSD, adopted in 2007, came with the creation of a single market for payments in the European Union and provides the legal framework for a Single Euro Payments Area (SEPA). The main purpose of this directive was to increase pan-European competition and improve customer rights. In 2015, the European Parliament passed the PSD2, which is meant to provide more innovation and security to European payments than the previous version of the directive.

What should I know about PSD2?

The revised Payment Services Directive, known as PSD2, includes the rules that must be implemented by 13 January 2018, so that’s why it matters now.

PSD2 is about putting all existing players under one, unified regulatory framework. It is a directive that requires banks to provide access to their customers’ accounts via open APIs. The new regulation, which is meant to drive innovation on the European market, needs to be transposed into the national law of the European Union countries.

To be more precise, one of the most important points covered in PSD2 is XS2A (Access to Account) that allows third parties to access bank accounts to get customer data – only when the customer gives their consent – such as bank account balances or transaction history. Thanks to XS2A, TPPs (third party providers) will access bank accounts in a secure way. This also comes with customer verification and authentication via APIs.

There are a few players included in PSD2

AISPs (Account Information Service Providers) — Providers that use a financial institution’s (ASPSP’s) API to provide users with their account/accounts information within one application.

ASPSPs (Account Servicing Payment Service Providers) — A customer’s bank, for instance.

PISPs (Payment Initiation Service Providers) — An entity that may access customer account data and initiate transactions without the ASPSP’s prior commercial agreement.

TPPs (Third-Party Providers) which are able to initiate payments through PISPs, directly from the customer’s bank account.

In a few months, it will be possible to use third-party apps to check account balances, pay bills or make purchases without the need to log in to a bank account. The payments market will be opened to new entrants, which means more competition will bring greater choices for consumers and lower prices.

Banks used to be self-contained institutions that delivered customers everything that was connected with their finances — from creating accounts with online access and issuing credit cards to lending money and managing customers’ savings. Today, fintech companies offer more convenient solutions, and with PSD2 all those financial operations within various accounts could all be made available in one application.

Simply put, banks need to open to other companies that might become their competition or partners. In general, third-party providers can build their services on top of banks’ infrastructure. It is considered that the PSD2 will hit bank revenues. According to a Roland Berger report, PSD2 will impact up to 40% of the European banking industry’s income.

The directive is also the answer to the current monopoly that banks have on payment services and customers’ accounts. For banks, following the new requirements comes with increasing IT costs. That’s why some of them started working with fintechs or continue to try to make their own solutions that will meet today’s customers’ demands.

What will change

Under the directive, TPPs can deliver to customers aggregated information about one or several payment accounts. Such a solution gives customers immediate, real-time information about their finances and lets them manage their money within one application.

Third-party providers can operate anywhere within the EU; they just need to follow the regulations of their home country. Moreover, they can play two roles: Account Information Service Provider (AISP) and/or Payment Initiation Service Provider (PISP).

AISPs will display all account information in one place, while the payment initiation service gives the TPP access to a customer’s account to check if there are sufficient funds, initiate payments and then notify the customer about a completed transaction.

Note that third parties have to be licensed and registered, and customers need to give their permission before they initiate an online payment or get access to their account or online services via a TPP. This means that customers can decide how their data will be shared among different companies.

Even though TPPs have access to customers’ information, they are not allowed to store the data. However, third-party providers don’t have to follow all requirements that have to be met by financial institutions.

Security concerns

PSD2 makes customers’ data open to more players than before, so there are questions about what purposes the data can or should be used for.

The main difference is that banks are still required to authenticate users and focus on security, but access to customers’ accounts will no longer be restricted only through banking services.

Also with PSD2 comes stronger identity verification during online payments. According to the directive, all banks across the European Union must add at least two-factor Strong Customer Authentication (SCA). This means that payment providers must comply with SCA by delivering a combination of password or PIN with a customer’s physical identification device, or, for instance, fingerprint or voice/face recognition.

Banks also need to deliver effective security, such as fraud detection and precise reporting in case of fraud.

An exam for banks

PSD2 will shape the whole payments market and it will especially impact banks and financial institutions, but also payment providers.

With the new rules, it will be much easier for PSPs to obtain a bank account, so we can see an increasing number of new entrants to the market in the following years. Theoretically, it will create a more customer- and innovation-centric approach. Those who know their customers’ needs better and find out what they struggle with can offer solutions people want to use.

One of the biggest benefits for consumers is an increase in transparency and greater choice. They won’t be limited to solutions provided by banks, so they could see a potentially huge difference.

Banks should not only comply with the new regulations, but also use PSD2 to benefit greatly from it. Some of the financial institutions have started looking for new opportunities to provide customers with a friendly experience. They work with fintech companies or even acquire them. Some of them, such as HSBC, which started testing a platform that lets customers see all their account data on one screen, build their own services to attract customers.

However, banking is still considered a conservative industry, as many financial institutions still burden themselves and their customers with aging technology. This is why it’s not that easy for them to adapt their solutions to their customers’ demands.

As access to bank clients’ accounts has to come into effect in January 2018, banks still have a lot of work to do. This all comes with costs and time-sensitive operations, which may lead to a lowering of their revenue. Banks may benefit from PSD2, but for most of them (especially those with legacy infrastructure) this may be a hard time. With a few months to go, there are possibly many new partnerships and collaborations coming.

What’s next

The opportunities are out there and, with the rapid worldwide emergence of the fintech industry and need for real-time experiences and immediate payments, we can see solutions meeting customers’ needs more effectively.

Banks control their customers’ data, so it’s obvious they’re worried about the EU legislation that comes with opening up sensitive information to third-party platforms.

It’s too early to say what the services of the future will look like, but, for sure, banking will be easier for most consumers, as PSD2 promotes innovation through transparency.

Payments in Europe will be more competitive, faster and cheaper for the end customer, which means more choices and better services. It’s just a matter of time before we see companies that build solutions for banks’ customers.