“PSD2 heralds a new direction in the payments regulation by expanding its scope to include financial technology companies that do not enter the flow of customer funds, a development that some industry players will welcome, while others will strongly oppose,” says John Fernandez, Senior Legal & Regulatory Counsel, PPRO Group.
Since the first Payment Services Directive in 2007, advancements in payment technology have continued at a rapid pace. Authorising payments via mobile solutions such as Apple Pay, wearable technology or fingerprint recognition has become a viable option for consumers at point of sale (POS). Similarly, in the online world, consumers are able to access services that utilise bank account information such as transaction history or their ID to simplify account switching, or to initiate payments from their bank accounts from outside of their online banking ecosystem. Providers in this latter field of innovative technology, known as “Payment Initiation Service Providers” (PISPs), have quietly established a niche presence within several European markets. So much so that the European Commission has directly flagged them for inclusion within PSD2.
PISPs are largely FinTech companies that have taken the opportunity to expand in markets where traditional online forms of payment such as credit cards are not prevalent. PISPs have developed payment technologies which allow consumers to make payments online by providing their banking login credentials to a PISP in a secure manner, in order to initiate a payment from their bank account. PISPs provide a low-cost way for consumers to make payments while affording online merchants a method of payment that is secure and not subject to chargebacks. For the most part, these schemes have been operating outside of the sphere of direct regulation. However, PSD2 is set to change this course and bring these entities under the umbrella of regulated financial firms.
So what does this mean for these innovators?
PISPs will need to prepare themselves for an application and authorisation process with their domestic regulatory authority before being granted authorisation as a payment institution in order to offer their services. The application will include providing a programme of operations, business plans, descriptions of governance and internal controls as well as security policies. These entities will not be permitted to hold consumer funds and will need to obtain professional indemnity insurance.
The major positive is that these firms will have an official legal framework in which to operate. Banks will no longer be permitted to draft consumer T&Cs which forbid their customers from sharing login credentials in order to authorise payments. Nor will banks be able to shut out PISPs from accessing accounts other than for “objectively justified” reasons related to fraud or unauthorised access.
Many banks may find the increased scope of PSD2 a threat or challenge to their incumbent market position. On the contrary, it should be viewed as an opportunity to create synergies between FinTech and banking in order for financial service offerings to further evolve. FinTechs are typically smaller, more agile businesses that can act quickly to take advantage of new opportunities, and this will certainly take place. Banks should actively seek out key partnerships with FinTechs in order to leverage the market opportunity they present.
From January 2016, EU regulatory authorities will have a two-year time frame in which to implement PSD2 on a domestic basis. Despite the additional compliance overheads associated with operating in the regulated sector, innovators will be brought into the regulatory spotlight and this should open many doors in terms of creating awareness within markets and improving customer uptake. Twenty-four months within an existing business may seem like a long time, but forward planning and effective preparation will be key to surviving the payments evolution and transition into the regulated arena.