Global Acceleration Hub in Silicon Valley

© 2019 Global Acceleration Hub, In Silicon Valley. All Rights Reserved.

Deep Dive - The EU’s revised Payment Services Directive (PSD2)

Every so often, there is a change in government regulations that makes you stop and think, “This will change everything!” The EU’s revised Payment Services Directive (PSD2) is proving to be one of those times.

What exactly is PSD2? It requires Europe’s banks to offer third-party providers greater access to customer data and payment infrastructure, and it gave banks until 2018 to comply with its mandates. The European Parliament hopes that PSD2 will make it easier, faster, and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payment security, and standardizing payment systems across Europe.

Prior to PSD2, European banks were protected in large part from disruption by new entrants, primarily in the payments space. That era is over. PSD2 brings the concept of “Open Banking” to the European Union.

Why is this such an important moment for startups in the FinTech space? Simply put, the banks’ monopoly on their customers’ data disappears, and as a result bank customers, both business and consumer, can give third-party providers permission to retrieve their account data from their banks. The third-party providers may then, for example, initiate payments for the users directly from their bank accounts. McKinsey (in their report, “PSD2: Taking advantage of open-banking disruption”) describes it this way:

“PSD2 requires banks to grant qualified third parties automated access to customer transaction accounts, covering both retail and corporate customers. By enabling fintechs, large technology firms, other banks, and even certain retail organizations to go head-to-head with banks as PSPs, PSD2 aims to provide lower costs and higher security for consumers and to afford merchants greater flexibility to differentiate customer experiences, including payments.”

This type of access is enabled by a new concept, Access to Accounts (XS2A). XS2A means banks are required to create and publish their APIs so that merchants can, with the account holder’s permission, access the customer’s bank account. Think of this as a semi-permanent, direct connection between a merchant and your bank account. XS2A brings two new types of players to the financial landscape: PISP and AISP.

  • PISPs (Payment Initiation Service Providers) are the service providers initiating a payment on behalf of the user. P2P transfer and bill payment are examples of PISP services we are likely to see when PSD2 is implemented. One important aspect of the new directive is that non-bank payment service providers are guaranteed access to the technical infrastructure of shared payment systems on the same conditions as traditional PSPs (non-discriminatory treatment). How might this work? Today, when you pay for something on Amazon using your debit card, Amazon takes your debit card information and passes it off to a Mastercard or Visa payment processor, who pulls the money from your bank and then sends the money to Amazon – for a fee, of course. Under the new system, Amazon can provide the customer a button to allow access to a bank account. You grant Amazon access to your bank account, and Amazon sends an instruction to your bank to deduct the amount and send it directly to Amazon. Mastercard and Visa are completely cut out of the loop. Amazon will remember that connection until permission is revoked by the account holder.

  • AISPs (Account Information Service Providers) are the service providers with access to the account information of bank customers. Such services could analyze a user’s spending behavior or aggregate a user’s account information from several banks into one overview. Whereas PISPs initiate payments, AISPs consolidate information. Let’s use Mint as an example. Mint is the most widely known example of an AISP that consolidates financial information in a single presentation. With PSD2, the Mint user would not give their logins for their various bank and retirement accounts to Mint, but rather would use XS2A standards to provide permission for their account information to be given to Mint by the respective banks, via direct API access.

The XS2A standard mandates a much higher level of security for user authentication. This is addressed with the requirement for PISPs to implement Strong Customer Authentication (SCA). SCA is achieved through the use of multi-factor authentication. This is authentication based on the use of two or more elements categorized as:

  • knowledge (i.e., something only the user knows) – an example of this is a PIN code;

  • possession (i.e., something only the user possesses) – an example of this is a key fob or a smart phone; and

  • inherence (i.e., something the user is) – an example of this would be a fingerprint or an iris scan.

PSD2 requires 2 factors to be used, but strongly recommends that three factors be used.
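To make the consent and SCA rules above concrete, here is an added sketch (not code from the article or from any XS2A specification) of the decision a bank could make on each third-party request. The `Consent` model, the action names and the element list are hypothetical, and applying SCA to every request is a simplifying assumption of the sketch.

```python
from dataclasses import dataclass

# Constructed mapping of verified elements to the three SCA categories.
ELEMENT_CATEGORY = {
    "pin": "knowledge",
    "password": "knowledge",
    "key_fob": "possession",
    "smartphone": "possession",
    "fingerprint": "inherence",
    "iris_scan": "inherence",
}

# Hypothetical action names mapped to the provider role that may perform them.
ACTION_ROLE = {"read_accounts": "AISP", "initiate_payment": "PISP"}


@dataclass
class Consent:
    """Account holder's permission for one third-party provider (hypothetical)."""
    provider: str
    role: str             # "AISP" or "PISP"
    revoked: bool = False


def sca_satisfied(verified_elements):
    """True when the verified elements span at least two distinct categories."""
    cats = {ELEMENT_CATEGORY[e] for e in verified_elements if e in ELEMENT_CATEGORY}
    return len(cats) >= 2


def authorize(consent, provider, action, verified_elements):
    """Bank-side decision for one request; returns (allowed, reason)."""
    if consent is None or consent.provider != provider:
        return False, "no consent for this provider"
    if consent.revoked:
        return False, "consent revoked by account holder"
    if ACTION_ROLE.get(action) != consent.role:
        return False, "action outside consented role"
    if not sca_satisfied(verified_elements):
        return False, "SCA needs two elements from different categories"
    return True, "ok"
```

Note that a PIN plus a password fails the check: both are knowledge elements, so they count as one factor.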

The Opportunity for Startups

With PSD2, the European Union is being the most aggressive of any country or trading bloc in pushing for true open banking. There have been Open API initiatives in Hong Kong and Australia, but this is the first time every bank is being forced to open up.

In the United States, the National Automated Clearing House Association (NACHA) formed an API industry working group with more than 100 banks, associations and consultancy firms such as Accenture, with the goal of defining an API standard for sharing account information, payment initiation, fraud prevention and more. But this is a voluntary, not mandatory, market-driven initiative and banks are still the gatekeepers of their customers’ data. This means they can decide which partners to share data with and which to exclude.

The net result is that, for the foreseeable future, Europe will be the hotspot for innovation in payments. It will also be at the forefront of data analytics related to financial transactions.

As an entrepreneur and innovator, what could you do if you could directly access your customers’ or users’ data (with their permission, of course) and analyze spending patterns, do AI-driven comparison shopping in the background, or bypass credit card processors?

It is impossible to know what will emerge, but it will certainly turn the banking world upside down.