What is PSD2?
Since 2007, payment services in the European Union have been regulated by the PSD1 (Payment Service Directive). More than 10 years later, on 19 February 2019, the PSD2 Directive was introduced with the aim of reforming the European payments market. The introduction of PSD2 is a tremendous development for both businesses and consumers. It will lead to more competition and innovation in the payments market, safer processing of online payments and the advent of a single European payments market. With PSD2, banks lose the exclusive right to access their customers' payment accounts. Banks, providers, retailers and Fintech companies are currently developing new services and applications for businesses and individuals.
What are the changes compared to PSD1?
- Consumers can give third parties access to their payment account. The third party can then start payments for a customer or create an overview of his/her payment account(s). In this way, banks are forced to cooperate with third parties.
- There is no longer a surcharge for payments with standard credit cards such as Mastercard and Visa, for transfers, direct debits and iDEAL transactions. However, there are exceptions such as AMEX, Diners Club and credit cards for the business market.
- In the case of pre-authorisations for debit and credit card payments, it must be clearly stated which amount will be reserved as a temporary deposit. After the delivery of the service or product, the amount of the pre-authorisation must be released immediately. Pre-authorisations are used at, for example, unmanned petrol stations, car rental companies and hotels.
- The 3DS authentication changes. In order to prevent online fraud, an additional authentication step is required, called 'Strong Customer Authentication (SCA)'.
SCA provides a higher level of security for online payments. Depending on the amount and payment method, many payments will be subject to a two-step verification consisting of at least two of the following factors:
- Something you own (a mobile phone or token)
- Something you know (a pin code or password)
- Something you are (a biometric identifier such as a fingerprint or voice recognition)
Two of these three factors must be present to satisfy SCA.
When will SCA be introduced?
The deadline for SCA was initially 14 September 2019 for all countries where PSD2 is in force. However, it has become clear that not all market parties are ready to facilitate SCA from 14 September. Pursuing the ultimate goal of reducing the number of fraud cases can therefore lead to conversion losses and friction in the (European) payments market.
The Dutch regulator (DNB) has therefore indicated that, for the time being, no additional authentication will be required for online card payments. The European Banking Authority (EBA) will issue an official statement at the beginning of October with more information about the postponement for all parties involved.
What does this mean for me?
The first regulation, PSD1, was introduced in 2007, and made it possible for non-banks to offer payment services such as iDEAL. PSD2 goes one step further. Account holders can now choose to give parties other than the bank access to their payment account. As a result of these regulations, more and more payment service providers will emerge and compete with each other. CM Payments is an example of this. We process online payments for organisations and businesses. Payment and information service providers do of course need a licence (see 'Which PSD2 requirements do I need to comply with').
This new regulation gives businesses the opportunity to innovate, develop and compete. They can develop new services and devise new ways of using existing payment methods. For example, as a business you can ask your customer for access to their (business) account, check in advance whether the required amount is available and then start the payment. This can make payments easier and cheaper. As a business, you can develop apps with which a consumer can budget his expenses, monitor the value of his investments or obtain mortgage advice.
Which PSD2 requirements do I need to comply with?
If you as a company want to function as a third party (payment and/or information service), you must be in possession of a licence from De Nederlandsche Bank or another supervisor within the European Union. In addition, you must, of course, comply with the GDPR legislation governing the privacy, storage and use of confidential personal data. Holding a licence does not automatically mean that you have access to customers' payment accounts. The consumer must explicitly give permission for access to the account. Consent cannot be obtained carelessly, for example by merely ticking a box. Third parties should take this seriously. You could think of a combination of smartphone and fingerprint. As a third party, you have access for a maximum of 90 days after permission has been granted. After that, new permission is required.
How does the consumer authorise access?
A third party will only have access to a customer's payment account if the consumer has given his or her explicit consent. The third party must ask for specific permission that is separate from other parts of a contract. In addition, the way to give consent must be unambiguous and consent must be actively given, for example by using a combination of two personal/confidential features. Consent is given per provider and therefore does not automatically apply to all third parties.
The consumer decides who gets access to the bank account, and which apps he or she will use. Thanks to the wave of innovation that has arisen as a result of the introduction of PSD2, specific apps are being developed with which third parties can, for example, gain access to a consumer's financial data so that they can provide them with mortgage or budget advice. Moreover, thanks to strict supervision by various authorities such as De Nederlandsche Bank and the introduction of laws such as the GDPR, the privacy of consumers is guaranteed.
What new services can third parties provide?
PSD2 paves the way for two new payment services: payment initiation services and account information services.
- Payment Initiation Service Providers
Payment Initiation Service Providers are so-called third parties who, in the case of online payments, sit between the consumer and the bank and are given permission to start payments and collect money. This creates competition in the payments market. It also means that, as a web shop owner, you are less dependent on local payment methods and banks, and that you spend less money on contracts with different acquirers. For example, a shop can launch an app to scan and pay for groceries directly.
- Account information services
Account information services may be authorised to access consumers' bank account(s) and give an overview of their revenue and expenses. Businesses can provide their customers with financial advice and help them understand their spending patterns.
What will payments look like in the future?
The world of online payments is ready for renewal. Alternatives to debit and credit card payments can be developed with, for example, new apps that allow a customer to initiate credit transfers. New business models are being developed that make use of financial data. For example, one could think of reading out transaction data in order to be able to offer a customised subscription, or to determine someone's creditworthiness.
Apps can be developed to provide insight into a consumer's spending pattern in order to send customised advertisements and offers, to simplify the creation and sending of personal payment requests (e.g. Tikkie), to develop financial coaching activities and, for example, to connect a 'smart' refrigerator that takes care of stock management and orders, after which a supermarket can start the payment itself. Previously, payment transactions were an exclusive prerogative of banks; PSD2 opens up a world of opportunities for businesses.
10 x PSD2 in short
- What is PSD2?
PSD2 is a new European regulation requiring banks to grant third parties access to payment accounts.
- What is the purpose of PSD2?
The aim of PSD2 is to create a uniform payments market within the European Union.
- What are the main advantages of PSD2?
Major advantages include increasing competition in the European payments market, stimulating innovation in the payments market and ensuring safer payments within the European Union.
- When did PSD2 come into effect?
PSD2 entered into force in the Netherlands on 19 February 2019.
- What is a payment initiation service provider?
A Payment Initiation Service Provider (PISP) is a third party that can instruct the consumer's bank, on behalf of the consumer, to initiate a payment.
- What is an Account Information Service Provider?
An Account Information Service Provider (AISP) is a third party that can store an overview of payments on behalf of the consumer via payment accounts with one or more banks.
- How can a third party access a payment account?
The third party must be in possession of a licence from a supervisor and will only be granted access after a consumer has given his or her explicit consent.
- How long is the permission valid for?
Permission is valid for 90 days and must then be renewed.
- Who are the supervisors?
In the Netherlands there are 4 supervisors: De Nederlandsche Bank, De Autoriteit Consumenten en Markt, De Autoriteit Financiële Markten and De Autoriteit Persoonsgegevens. In other European countries, similar institutions take care of the supervision.
- What are the possibilities for businesses?
Companies that position themselves as third parties can offer advertisements, offers and advice tailored to their customers' needs. Apps that simplify the lives of both businesses and consumers, like Tikkie and parking apps, are the future. The Internet of Things is growing explosively: more and more devices are getting their own connection to the Internet, with third parties being able to take care of payments. Third parties can also check whether there is sufficient balance for a debit, and accounting packages can easily be linked to the bank's payment environment.