Payments Big Bang: Impact of PSD2 on retail banking
Michael McKee, Partner, DLA Piper UK LLP, discusses payments competition in European retail banking.
Despite the efforts of challenger banks and the emerging FinTech sector, the European retail banking market remains concentrated. While this partly reflects consumer inertia, it is also a consequence of the advantage which incumbent banks have with respect to customer data and payment infrastructure.
The increasing power of technology to harness datasets for commercial purposes, combined with product tying and the economies of scale enjoyed by larger banks, had led to concern that, without regulatory intervention, this market would solidify further. As Meglena Kuneva, the European Consumer Commissioner, noted in 2009, "Personal data is the new oil of the internet and the new currency of the digital world." Prior to PSD2, this data was guarded jealously by a small number of large banks. PSD2 changes the game.
PSD2 - the objectives
The original Payment Services Directive was adopted in 2007 (PSD) to create a single market for payments and provide a legal foundation for the Single Euro Payments Area, an EU payment-integration initiative for the simplification of Euro-denominated bank transfers.
The changes introduced by the second Payment Services Directive (PSD2) came into force on 13 January 2018 and are designed to address technological developments in retail payment services since the PSD. It is hoped that the changes will eventually lead to a more integrated and efficient European payments market, more competition, safer payments and reduced transaction costs for customers.
PSD2 provides a legal foundation for an EU single market for payments, expanding regulation to include a number of newly designated Payment Service Provider entities (PSPs). It imposes limits on transaction fees and "strong customer authentication" requirements, in order to reduce transaction costs and protect customers against the risk of fraud. In particular, two new payment services are permitted provided the entity offering them is regulated: payment initiation services and account aggregation services. These new services are game changers in the payments world - particularly payment initiation services, whereby regulated third parties can obtain a bank customer's data and initiate payments on behalf of a customer provided the customer consents.
By allowing payment initiators and account aggregators to develop financial services on top of banks' existing infrastructure, PSD2 realigns the regulatory structure of the payments industry away from established incumbents and towards the emerging FinTech challengers. When combined with workstreams such as the UK Open Banking Initiative and changes to the eMoney Directive, PSD2 represents a paradigm shift in the retail payments sector.
PSD2 - "Big Bang" or "shuffling deckchairs"?
The scope of PSD2 is broad, imposing obligations around customer authentication requirements, authorisation and registration, and processes relating to operational and security risk.
In granting regulated third parties access to the online accounts of consumers and businesses, the legislation gives new entrants the ability to leverage existing banks' data, thereby creating a more level playing field for new competitors to offer a range of products and services to banks' existing customers. Ultimately, banks will become platforms providing application programming interfaces (APIs) through which PSPs can offer products and services.
While the regulatory landscape changed overnight on 13 January 2018, any proclamation of a revolution should be tempered by an acknowledgement that it is likely to be some time before the new products and services have an effect. As with any technology, a subset of the population is likely to be early users of the services, with the remainder adopting them at a later date.
To this extent the reformation is analogous to developments in contactless payments and online banking. In the long run both these initiatives revolutionised their respective markets. However, in each instance it took some time for use of the available technology to become widespread among ordinary retail customers.
The technological capabilities in this space are remarkable and in the long run could transform the consumer landscape. For example, an application developed by Bud, an account information service provider, allows users to view accounts from other providers, set spending limits and analyse consumption habits. Similarly, Saffe, a payment initiation service provider, has developed a mobile payment application which leverages facial recognition technology. This makes a mockery of the caricature of retail banking as a technologically sclerotic market, devoid of innovation and new market entrants.
PSD2 - challenges
It is inevitable that PSD2 will impose implementation challenges for policymakers and market participants. These have been bracketed into concerns around information security, IT costs, divergent consumer outcomes and criticism around the prohibition on screen-scraping.
Information security
Under PSD2, regulated third parties can access a customer's payment account information directly, provided they have the customer's explicit consent. The one carve-out from this requirement is "sensitive payment data", which is not defined in either PSD2 or the implementing legislation. This raises the possibility that banks mistakenly disclose sensitive data or, alternatively, redact key pieces of information. The potential for confusion is exacerbated by the expected roll-out of the General Data Protection Regulation on 25 May this year, which aims to strengthen data protection for all individuals within the EU.
Banks have also expressed concern that the provision of customer data to third parties could leave them vulnerable to legal challenges in the event that the information security arrangements of those providers are not sufficiently robust. Policymakers have sought to assuage these concerns by requiring certain PSPs to be authorised on the European Banking Authority's register and imposing strong customer authentication requirements to protect against the risk of fraud. PSPs are required to authenticate customers using 2 or more factors based on the customer's knowledge, possession or inherence when they access payment accounts online or initiate electronic payment transactions. These verification methods must be independent of each other, a process known as "dynamic linking".
Given the scale of the implementation challenge, particularly for new entrants, compliance with strong customer authentication will only become mandatory in September 2019.
IT costs and consumer outcomes
New entrants will incur substantial IT costs in implementing the new security requirements whereas existing payment institutions already have (near) system readiness for strong customer authentication. Although costs are already being incurred by banks in developing APIs, a very real cost could arise from increased competition in future. Banks have already incurred costs responding to the competitive threat presented by PSPs, which to date has primarily been through partnering with or investing in existing providers, e.g. HSBC and Bud or ABN Amro and Tink. Smaller players in the retail banking space may find it more difficult to partner with FinTech providers, potentially entrenching the position of the larger banks who can respond more readily to these developments. In addition, it is possible that the improved consumer benefits may flow predominantly to more technologically savvy, and less loyal, customers.
Screen-scraping - a dilemma for policymakers
One area of controversy during the drafting of the legislation was around screen-scraping. This refers to the ability of third parties to access bank accounts on a customer's behalf using the customer's direct access credentials. Screen-scraping is a way of obtaining customer-related information and is widely used across retail businesses to harvest information relevant to selling products to the consumer. FinTech firms alleged that outlawing screen-scraping would provide banks with the means to control what data is shared, thereby putting new entrants at a disadvantage. Banks, however, argued that permitting screen-scraping increases the burden of compliance and jeopardises the privacy of client data, cybersecurity and innovation.
The European Commission ultimately agreed to the banking lobby's requested prohibition on screen-scraping, with the caveat that fallback mechanisms be put in place to allow dedicated interfaces to be made available to PSPs. There is concern among some market participants that the prohibition on screen-scraping, which becomes effective when the applicable law comes into force in Autumn 2019, will hamper the competitive benefits of PSD2 by giving banks too much control over the data they choose to share.
Conclusion
PSD2 represents a paradigm shift in the regulatory structure of the retail payments space. While the impact will not be fully felt for some time, the regulation has the potential to revolutionise the retail banking sector by facilitating the emergence of a new class of FinTech providers, delivering a range of innovative services to banks' existing customers across API platforms.
Michael McKee would like to thank Neil Millar and Vadym Melnyk from his team for their assistance in the writing of this article.