What is PSD2?
The European Union’s Revised Payment Services Directive (PSD2), was designed to push the financial services market in Europe in a safe and secure way by amending the ground rules for financial services providers. The directive requires all EU member states to include these new rules in their national laws and regulations.
How does PSD2 work?
Under PSD2, banks and other account-holding institutions in the EU are required to provide APIs for licensed external services providers (so-called Third-Party Providers, or TPPs). After obtaining their license, these TPPs can use the APIs to offer a range of payment and information services; from consumer apps that provide a one-stop overview of all your different bank accounts, to software that helps e-commerce websites facilitate direct payments.
Who can become a TPP?
The directive distinguishes between two types of TPPs: Account Information Service Providers (AISPs), which provide account information services, and Payment Initiation Service Providers (PISPs), which initiate payments. Different licences are issued to reflect the nature of the activity. Businesses can also obtain a TPP license, so that payment and information services can be taken in-house. Potential TPPs und PSD2 include:
- Fintech companies
- Big tech companies
- Merchants
- Banks
- Insurance companies
Why was PSD2 created?
PSD2 was created to promote a more integrated and competitive financial services market in the EU while protecting and strengthening consumer rights. Traditionally, financial and payment services were mostly offered by banks and related institutions, leading to a relatively closed market. This directive has opened the market, allowing easier access for existing businesses as well as fintech companies who can provide agile, innovative payment services for consumers and businesses alike.
How did PSD2 come about?
The directive is nicknamed PSD2 because it is a follow-up of the original Payment Services Directive of 2007. It came into effect in January 2018, and all companies were required to become compliant with the national laws and regulations pertaining to PSD2 by September 2019. The original PSD provided a legal foundation to improve the ease, efficiency and security of cross-border payments within the EU. It was instrumental to the implementation of the Single European Payments Area (SEPA), lowered the barrier to entry for payment institutions, and offered consumers increased freedom of choice in the payment solutions they wished to use.
In 2013, the European Commission proposed a review of PSD due to innovations in the payment services market, which were unaccounted for in the existing regulations. The Commission also noted that the rules from the original directive tended to be applied differently across member states. PSD2 provides updated ground rules for new players on the payment services market while also updating the definitions of the regulations set out in PSD to smooth out any differences between the member states.
What does PSD2 mean?
PSD2 has opened up interesting opportunities for businesses: Integrated payment and information services (whether in-house or provided by an external TPP) improve the customer experience and provide access to a wealth of customer information and insights.
At the same time, PSD2 has brought a number of technical challenges for banks and TPPs. In most cases, IT infrastructure needed to be changed to facilitate TPP access. PSD2 also introduced strict security and authentication requirements that needed to be implemented across all access points.
PSD2 has presented unique opportunities and challenges depending on your business situation.
What does PSD2 mean for Third Party Providers?
The two types of TPP licences reflect the activities that can be provided: services based on account information or payment initiation services. As long as TPPs comply with the security requirements under PSD2, the forms their services might take are near limitless. As such, PSD2 encourages TPPs to come up with innovative propositions that add real value. Some examples include:
- Merchants taking the payments process in-house for a smoother customer experience
- Apps that offer an overview of all your accounts across different banks
- Insurance companies offering instant insurance cover based on recent purchases
- Apps that help you save money based on your spending patterns
- Banks offering quicker and more secure B2B loans
The beauty of this concept is that most TPPs are not subject to the same stringent regulatory burden as traditional banks and are typically not weighed down by the legacy IT infrastructure that constrains most banks. As a result, they can be much more innovative and adaptable, allowing them to meet market demand quickly and efficiently.
Banks and TPPs: A match made in heaven
When PSD2 first came into effect, its requirement to give third parties access to transaction data seemed like a loss for some banks. Yet, this requirement has actually proven to give banks the chance to become more competitive and improve customer relationships. By collaborating with innovative TPP partners or even taking things in-house and applying for their own TPP licence, banks have been able to offer all sorts of customer-focused services to stay one step ahead of the competition.
How TPPs can implement PSD2
Of course, TPPs also need to respect the ground rules laid out by PSD2. After all, consumers are giving them access to highly personal and sensitive information. That is why PSD2 set some strict security requirements in place. The directive focuses on two main areas:
- Strong customer authentication
- Secure communications
To comply with these requirements, TPPs have to build a sophisticated and adaptable infrastructure. A Customer Identity and Access Management (CIAM) platform offers a convenient solution, as it helps you implement things like strong customer authentication, fine-grained access control, and user analytics, while allowing you to connect with banks and other payment services.