On November 27, the European Commission (EC) endorsed the much awaited Regulatory Technical Standard (RTS) on strong customer authentication (SCA) and secure communication of the Payment Services Directive (PSD), introducing a novelty to the process, the introduction of an exemption to the so-called “fallback mechanism”. What does this mean however, and how did we get here?
The PSD was originally adopted in 2007 with the purpose of establishing a modern and comprehensive set of rules applicable to all payment services in the EU. In 2013, the EC proposed to review the PSD in order to take account of new types of payment services emerging in the market that had been previously unregulated; the so-called Third Party Players (TPPs or Fintechs). By bringing them within scope of PSD, the EC’s goal was to ensure a level playing field between all payment providers, increase security and boost transparency.
When finally adopted at the end of 2015, PSD II introduced several key changes making it the most advanced piece of “FinTech” legislation of its kind. One of these is a specific mandate to “open up bank accounts” to TPPs while setting in place common and secure channels of communication.
Currently, there are two types of TPPs in the market, the Account Information Service Providers (AISPs) and the Payment Initiation Service Providers (PISPs). The first aggregate data account information held by Payment Service Users (PSU/client) in or one or several Account Servicing Payment Service Providers (ASPSPs/banks). The PISPs on the other hand initiate a payment on behalf of the PSU by impersonating him/her towards their own bank. Another significant element is the introduction of Strong Customer Authentication (SCA) for online payments, which is essentially the need to have a two factor identification in order to ensure that the customer is who they say they are and that they wish to complete a specific transaction.
Since conception, PSD II has always suffered from what has been called the “triangle dilemma”: balancing the wish to open up the online payments market to new payment solutions (competition) and allowing them to evolve (innovation), while at the same time ensuring high levels of security (security). However, achieving this has proven to be a herculean task for all those involved, leading the EC and European Banking Authority to adopt an approach based around the idea that if you cannot make anyone happy, then you must ensure they are all equally unhappy.
Why is this? Perhaps it could be called a “David and Goliath” moment. At present we have new emerging companies that prefer to act first and ask questions later. Naturally there exists also the long-established institutions that have seen their profits most hit by the financial crisis and consequent new EU legislation. The latter group is understandably reluctant to share their piece of the smaller pie on offer. Both sides have valuable and legitimate concerns and plenty at stake, as do consumers who are ultimately the ones using said services.
In the middle of all this, trying to ensure a proper balance between all three sides of the triangle dilemma is the EC, which – returning to our starting point – recently endorsed the most controversial RTS of PSD2, in an attempt to ease concerns from both sides. The solution found is a compromise between allowing TPPs to carry on with their business if a bank dedicated interface (i.e. Application Programming Interface – API) fails or is unavailable and an option that allows banks to avoid setting in place a special mechanism for TPPs to access their own customers online banking interfaces, in case of an extraordinary situation that makes their APIs unavailable.
The power to adopt these RTS is now in the hands of EU legislators. If they chose to adopt them, the EU online payment market will take a significant leap forward. When looking back on this landscape in future it will be appropriate to speak in terms of eras; pre and post-PSD II. Somewhat predictably however, it may only be with the benefit of greater hindsight that a fair assessment of the EC’s attempts to resolve the triangle dilemma can be offered. In the meantime, watch this space.