PSD is more tilted towards financial rules and financial rules and financial regulation,
PSD2 is focused on being prescriptive towards defining technical standards and security
PSD2 aims to level the playing field between banks and the new-entrants, by forcing banks allow access to customer account information by these new entrants.
Keep track of happenings in PSD2 ecosystem, go to websites of European Commission, European Banking authority
Like in US,
Example credit cards across multiple banks, I do not have visibility across accounts,
How much am I spending for transportation, food etc.
No hassle for Maya,
Single access for all scouts from a single interface
TPP is communicating with Banks through APIs
Takeaway: All communication is happening through APIs, integration between banks and third parties
Think about the extent to which APIs will be used , each bank talking to each TPP
TPPs include AISPs and PISPs
AISP = Account information service providers : AISPs are providers that can connect to bank accounts and retrieve information from them. A typical example of this would be an investment recommendation service: the service will be able to see how much money a user is saving each month from his income, and provide tailored advice based on his spending patterns.
PISP = Payment information service providers - PISPs are players that can initiate payment transactions. This is a radical change in this industry, as currently there are not many payment options that can take money from one’s account and send them elsewhere. Currently we only have (SEPA) Credit Transfers and debit cards, which are both offered only by the account holder’s own bank. In the future we will probably see several different payment options that can move money from the account, without the need of using a wallet (eg: Paypal)
The Payment Initiation Service Providers (PISPs) stand to gain the most. They have the chance to eat the proverbial “free lunch” by taking it from the Banks (if the banks do nothing, obviously) and walk away with a piece of the pie, too. Users, as often is the case when competition is encouraged, will gain the most. New services will arise in the form of payment methods, intelligence on how to better use each one’s savings, and reusing identification capabilities. The most typical example of payment methods that could become popular is the connection with social networks. Services that enable to send payments directly from messaging apps are already popular in the US, where Venmo stands ahead of the pack, and pleasing investors with steady double digit growth. In Europe we currently don’t have such an example, but by opening up the bank account, players can merge the benefits of instant settlement with the speed of internet messaging. In a couple of years we will be able to ask our colleague to share the bill for lunch and get a notification on facebook that the funds are ready to use, safe in our bank account. The main difference will be that we won’t need wallets anymore (eg: Paypal, PingIt) but we’ll simply ask Whatsapp to connect to our bank account and use our fingerprint to accept a payment request from the colleague next door. No need to open 3 different apps, fiddle with 20+ digit long IBAN codes and double check at the cubicle if the payment arrived alright.
Timelines Some of the current confusion around PSD2 can also be attributable to how the EU legislative process works. For clarity, those timelines might be worth clarifying. The revised payments services directive (PSD2) was first proposed by the European Commission in June 2013, adopted by the Parliament in October 2015 and entered into the Official Journal (OJ) of the EU on 23rdDecember of that year (making it legally binding in all member states). Its ‘entry into force’ (EU jargon for ‘effective from’) was the 12 January 2016 (20 days after publication in the OJ), giving all member states two years to transpose it into national law. All clear and simple, right? Well, yes, except with one major caveat. And that is that all RTS’s to be defined by the EBA have their own timelines. These by and large fall within the two years’ deadline national legislatures have to implement PSD2 – that is to say the 12th Jan 2018. Except for one – the big one. The RTS on strong authentication and secure communication (which we mention above), is subject to a separate timeline. It is intended that this will come into force some 18 months after being adopted by the EU Commission. Given that the earliest foreseen adoption date is Jan 2017, this implies the earliest date this RTS can come into force is September 2018, some 8 months after the deadline for PSD2. The EBA readily admits that given its sensitive nature this date could be pushed out into the calendar year of 2019. To help give some clarity around these timelines we’ve drawn up a ‘PSD2 Timeline’ infographic that some might find useful.
PSD2 contains 117 Articles and covers a number of payment services. These services include: • Enabling cash deposits and withdrawals • Execution of credit transfers, standing orders, direct debits • Payments through cards or similar devices • Issuing of payment instruments (examples cards, wallets) and/or acquiring payment transactions • Money remittances • Payment initiation services and • Account information services
Widens the scope of PSD to include all types of payment acquirers (e-commerce, m-commerce platforms, large networks with payment volumes over 1 million euro per month) a
Seeks to provide customers a choice of service providers by mandating access to account information to Third Party Providers (TPPs) offering “Payment Initiation Services” (PIS) and “Account Information Services” (AIS). These new players by gaining access to customer accounts can offer services in competition to the existing banks with reduced costs Banks will be required to provide access to information to third parties via APIs and strong (two factor) customer authentication. Any loss to intermediaries due to fraudulent transactions arising due to lack of strong authentication should be compensated by AS PSPs.
When will the new rules become applicable? PSD2 will become applicable as of 13 January 2018, except for the security measures outlined in the RTS. These will become applicable 18 months after the date of entry into force of the RTS. Subject to the agreement of the Council and the European Parliament the RTS is due to become applicable around September 2019.
When will strong customer authentication become mandatory? The use of SCA will become mandatory 18 months after the entry into force of the RTS, i.e. once the RTS is published in the Official Journal of the EU, scheduled for September, 2019. This will allow payment service providers, including banks, sufficient time to adapt their security systems to the increased security requirements defined in PSD2.
What makes a good dedicated communication interface? According to the RTS, all communication interfaces, whether dedicated or not, will be subject to a 3-month 'prototype' test and a 3-month 'live' test in market conditions. The test will allow market players to assess the quality of the interfaces put in place by account servicing payment service providers, including banks. A quality dedicated communication interface should offer at all times the same level of availability and performance the interfaces made available to a consumer or a company for directly accessing their payment account online. In addition, a quality dedicated interface should not create obstacles to the provision of payment initiation or account information services. Payment service providers, including banks, will have to define transparent key performance indicators and service level targets for the dedicated communication interfaces, if they decided to set them up. These performance indicators should be at least as stringent as those set for the online payment and banking platforms used by the customers. The Commission is promoting the set-up of a market group, composed of representatives from banks, payment initiation and account information service providers and payment service users. This group will review the quality of dedicated communication interfaces. This follows up on the work carried out by the Euro Retail Payments Board on payment initiation services.
What is PSD2
What is PSD2 Cont..
PSD2 aims to establish a levelplaying fieldbetweenbanks and Third Parties -FinTech's
Major players in the PSD2 Ecosystem:
Data for Third
Define and Control
How will PSD2 alter the landscape?
Bank App Bank App
Not a single view
API Gateway API Gateway
Single view and login
Third Party Providers - TPPs
What arethe types of TPPs impactedby PSD2
PISP - Payment Initiation Services
AISP - Account Information Services
Companies which access customer’s
bank accounts to transact e.g. debit &
Companies which can access customer
account data to provide financial
Regulatory Technical Standards - RTS
PSD2 has defined technicalrules that banks and TPPs haveto adhere to.
The proposed Regulatory Technical Standards on strong customer authentication
and secure communication are key to achieving the objective of the PSD2.
Two Factor Authentication
PSD2 introduces a requirement for strong or 2-factor customer authentication (2FA)
using two or more elements out of the following three:
– Knowledge: something only the user knows (e.g. a password or PIN),
– Possession: something only the user holds (e.g. a card or a token), and
– Inherence: something only the issuer is (e.g. a finger print or voice).
The elements must be independent of each other, meaning that a breach of one does
not compromise the reliability of the others, and they must be designed in a way to
protect the confidentiality of the authentication data.